Using CA Tape Encryption in Your z/OS Environment › DFSMS Data Classes

DFSMS Data Classes

CA Tape Encryption uses DFSMS data classes to identify which tape files to encrypt. A data class may be assigned by coding the DATACLAS JCL parameter or the data class may be assigned dynamically by the DFSMS ACS routines. During tape OPEN for output processing, each file is checked to see whether a data class was assigned. If a data class is assigned to the file, CA Tape Encryption checks the data class description field to see whether it includes the unique character string indicating that encryption is required. This string includes the symmetric key name or the information required to create a B2B tape.

Note: If you are using your security system instead of DFSMS to control tape encryption processing, use the CA@BES class. For more information about using this class with your security system, see the chapter “Using Your Security System for Tape Encryption.”

You must determine the different types of data classes you need for the data in your environment:

• Direct in-house tapes to one or more data classes and B2B tapes to other data classes.
• Assign tapes that require different types and levels of encryption to different data classes.
• Ensure that each data class defined has an associated key name, a code book name, or references a digital certificate on a key ring defined to CA Tape Encryption.
• Define as many data classes as you want for encryption purposes. The only requirement is that each data class point to a valid symmetric key label, code book name, or a digital certificate on a B2B key ring defined to the BES started task.
• Note: For detailed explanation of SMS data classes, how to update them, and the exact format of the CA Tape Encryption parameters to be encoded in the data class, see Data Class Characteristics for Encryption in the chapter “Selecting Tape Files for Encryption Using DFSMS.”

When an eligible tape file is opened, flags are set to activate the encryption calls at the I/O intercept as the data is processed.