Hi Radoslaw, Yes, they are being ejected and sent offsite for DR purposes. We have other tapes not being sent offsite so see no compelling reason for encrypting them at this point.
Rex -----Original Message----- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of R.S. Sent: Thursday, November 13, 2014 10:56 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: TS3584 and TS1120 encryption Out of curiosity: The tapes reside in the library. Do you plan to move them out or there is another reason to switch on the encryption ? Regards -- Radoslaw Skorupka Lodz, Poland W dniu 2014-11-13 o 17:39, Pommier, Rex pisze: > Hi Dave, > > Actually I have the older EKM running, configured to use certs located within > the RACF DB. I was told the library manager was already ready to do > encryption but I'll check that out. > > Rex > > > > -----Original Message----- > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On > Behalf Of Jousma, David > Sent: Thursday, November 13, 2014 6:29 AM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: TS3584 and TS1120 encryption > > Rex, > > Did you install and configure ISKLM to serve up the certificates needed to > perform the encryption? Also there are library manager changes needed to > tell the library where to go to get the certs. > > _________________________________________________________________ > Dave Jousma > Assistant Vice President, Mainframe Engineering > david.jou...@53.com > 1830 East Paris, Grand Rapids, MI 49546 MD RSCB2H > p 616.653.8429 > f 616.653.2717 > > > -----Original Message----- > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On > Behalf Of Pommier, Rex > Sent: Wednesday, November 12, 2014 6:12 PM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: TS3584 and TS1120 encryption > > Russ, > > Thanks for confirming how I thought it was supposed to work. I am missing > something else, then because when I run a very simple job to attempt to > encrypt a tape, I get a JCL error as follows: > > > > 16.57.46 JOB03624 IRR010I USERID RRP4912 IS ASSIGNED TO THIS JOB. > 16.57.47 JOB03624 IGD306I UNEXPECTED ERROR DURING CBRXLCS PROCESSING 671 > 671 RETURN CODE 12 REASON CODE 49 > 671 THE MODULE THAT DETECTED THE ERROR IS IGDIDMUS > 671 SMS MODULE TRACE BACK - IDMUS IDMSU IDM00 SSIRT > 671 SYMPTOM RECORD CREATED, PROBLEM ID IS IGD01599 > 16.57.47 JOB03624 IEF452I RRPIEBG - JOB NOT RUN - JCL ERROR > 16.57.47 JOB03624 $HASP396 RRPIEBG TERMINATED > > 1 //RRPIEBG JOB (040423,495),RRP,CLASS=T,MSGCLASS=X,MSGLEVEL=(1,1), > JOB03624 > // NOTIFY=&SYSUID > IEFC653I SUBSTITUTION JCL - > (040423,495),RRP,CLASS=T,MSGCLASS=X,MSGLEVEL=(1,1),NOTIFY=RRP4912 > 2 //STEP1 EXEC PGM=IEBGENER > 3 //SYSPRINT DD SYSOUT=* > 4 //SYSUT1 DD DSN=SFG1B.SCRTOOL.JCL,DISP=SHR > 5 //SYSUT2 DD > DSN=RRP4912.TEST.ENCRYP,DISP=(,CATLG,DELETE),UNIT=ECART > 6 //SYSIN DD DUMMY > STMT NO. MESSAGE > > > IGD330I ERROR OCCURRED DURING CBRXLCS PROCESSING- > NO DEVICE POOLS EXIST TO FULFILL REQUEST FOR TDSI SPECIFICATION > IGD306I UNEXPECTED ERROR DURING CBRXLCS PROCESSING > RETURN CODE 12 REASON CODE 49 > THE MODULE THAT DETECTED THE ERROR IS IGDIDMUS > SMS MODULE TRACE BACK - IDMUS IDMSU IDM00 SSIRT > SYMPTOM RECORD CREATED, PROBLEM ID IS IGD01599 > > > > I defined ECART as a new ESOTERIC pointing to the same tape devices (my 3584 > with the TS1120s) as the esoteric CART. If I change the JCL to use > UNIT=CART, it works just fine. So I thought maybe my ECART hadn't taken, so > I tried changing the JCL to UNIT=JUNK (a non-existent ESOTERIC) and got a > completely different error. > > //STEP1 EXEC PGM=IEBGENER > //SYSPRINT DD SYSOUT=* > //SYSUT1 DD DSN=SFG1B.SCRTOOL.JCL,DISP=SHR > //SYSUT2 DD DSN=RRP4912.TEST.ENCRYP,DISP=(,CATLG,DELETE),UNIT=JUNK > //SYSIN DD DUMMY > ICH70001I RRP4912 LAST ACCESS AT 16:56:48 ON WEDNESDAY, NOVEMBER 12, 2014 > IEF344I RRPIEBG STEP1 SYSUT2 - ALLOCATION FAILED DUE TO DATA FACILITY SYSTEM > ERROR > IGD17045I SPACE NOT SPECIFIED FOR ALLOCATION OF DATA SET > RRP4912.TEST.ENCRYP > > > My encryption data class is identical to my non-encryption DC except it > defined the format as EEFMT2 and the other EFMT2. I am using the same > management class, storage class, and storage group for both data classes > (tested through the SMS test routines). > > Any idea what I'm missing? I'm sure it will be something of a head-slapper > when it is pointed out to me, but for now I can't see the forest for the > trees! > > Thanks, > > Rex > > -----Original Message----- > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On > Behalf Of Russell Witt > Sent: Wednesday, November 12, 2014 4:05 PM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: TS3584 and TS1120 encryption > > Rex, > > > I don't know of a need to make any changes to CBRUXENT for what you are > planning on doing, especially if all the TS1120 drives inside the robot and > encryption capable. Even if a TS1120 is EJECTED (to go offsite) and is then > returned (INSERTED) and the VOLCAT (TCDB) entry for that specific volume had > been deleted after it had been EJECTED it won't make a difference. If the > INSERT assigns it to a non-encrypted Data Class, that will not affect it's > ability to be read on any of the TS1120 drives inside the robot. If some of > your drives were the original 3592 non-encryption drives; that might be an > issue. But since all your existing TS1120 drives are already > encryption-capable - no problem. > > > Likewise there is no need for two separate ranges of tapes. Doesn't matter if > volume V12345 was originally a non-encrypted tape, then was used for > encryption and later was used-again (after going scratch of course) as a > non-encrypted tape. Just like Virtual-WORM and Replication. If controlled by > Data Class it can switch on and off, so each usage is different. > > > Russell Witt > > > On 11/12/14, Pommier, Rex<rpomm...@sfgmembers.com> wrote: > > Hi list, > > We have an existing 3584 tape library with encryption-capable TS1120 tape > drives installed in it. We haven't used encryption up to this point, but are > trying to get encryption started. We don't want to encrypt everything going > to the TS1120s, but want to, for example, encrypt our backup tapes, but leave > our HSM ML2 tapes unencrypted. We also obviously need to read older > unencrypted tapes. From reading several manuals, I thought I would need to > set up a new data class specifying EEFMT2 as the data format instead of the > EFMT2 format we are currently using. The doc also seemed to indicate that I > could use the same physical library and drives to read/write both data > formats. > > It appears as though I need to make changes to the CBRUXENT OAM exit to allow > use of encrypted tape format. Is this correct? > > Do I need to set a range of tapes to be used solely for encryption and a > separate range for unencrypted tapes? Do I need to define which tapes will be > used for encryption ahead of time and define that into the CBRUXENT exit? > > Any help will be greatly appreciated. > > TIA, > > --- Treść tej wiadomości może zawierać informacje prawnie chronione Banku przeznaczone wyłącznie do użytku służbowego adresata. Odbiorcą może być jedynie jej adresat z wyłączeniem dostępu osób trzecich. Jeżeli nie jesteś adresatem niniejszej wiadomości lub pracownikiem upoważnionym do jej przekazania adresatowi, informujemy, że jej rozpowszechnianie, kopiowanie, rozprowadzanie lub inne działanie o podobnym charakterze jest prawnie zabronione i może być karalne. Jeżeli otrzymałeś tę wiadomość omyłkowo, prosimy niezwłocznie zawiadomić nadawcę wysyłając odpowiedź oraz trwale usunąć tę wiadomość włączając w to wszelkie jej kopie wydrukowane lub zapisane na dysku. This e-mail may contain legally privileged information of the Bank and is intended solely for business use of the addressee. This e-mail may only be received by the addressee and may not be disclosed to any third parties. If you are not the intended addressee of this e-mail or the employee authorized to forward it to the addressee, be advised that any dissemination, copying, distribution or any other similar activity is legally prohibited and may be punishable. If you received this e-mail by mistake please advise the sender immediately by using the reply facility in your e-mail software and delete permanently this e-mail including any copies of it either printed or saved to hard drive. mBank S.A. z siedzibą w Warszawie, ul. Senatorska 18, 00-950 Warszawa, www.mBank.pl, e-mail: kont...@mbank.pl Sąd Rejonowy dla m. st. Warszawy XII Wydział Gospodarczy Krajowego Rejestru Sądowego, nr rejestru przedsiębiorców KRS 0000025237, NIP: 526-021-50-88. Według stanu na dzień 01.01.2014 r. kapitał zakładowy mBanku S.A. (w całości wpłacony) wynosi 168.696.052 złote. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN The information contained in this message is confidential, protected from disclosure and may be legally privileged. If the reader of this message is not the intended recipient or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any disclosure, distribution, copying, or any action taken or action omitted in reliance on it, is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to this message and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN