General Considerations for Encryption Key Protection
Keep in mind the following points for managing encryption key protection:
- When enabled, key protection is active for all data sets selected for encryption regardless of whether they are selected using security profiles or DFSMS.
- CA ACF2 supports only the definition and control of local encryption key resource profiles.
- Regardless of the access levels assigned to individual ACIDs, CA Top Secret requires an additional PERMIT statement for each encryption key profile defined. This PERMIT statement should grant the ACID defined on the BES.TSS.ACID parameter an access level of at least (READ).
- If the data set has been selected for encryption (or decryption) by either the external security manager or the DFSMS data class, the user submitting the job must have access to the encryption key. If access is not granted, the batch job abends.
If you are familiar with the control statements that your security system uses to manage security, you can create your own control statements to define these protection profiles.
Note: You can use the TBESAF99 command generation utility to create these control statements. For information about this utility, see the chapter “Using the TBESAF99 Utility to Generate Security Profiles.”