It depends on the application. If you are using IEBGENER to copy DSNA (clear text) to DSNB, and DSNB is flagged as requiring encryption and key label KEYB is associated with DSNB, then you must have write access to DSNB and read access to KEYB. IEBGENER will complete successfully if you have both. But if your RACF admin forgot to give you access to KEYB, then the operation will fail.
Once DSNB is created (ciphertext), if an application issues a read, using standard I/O protocols, against the data set, then that app will need read access to DSNB and to key label KEYB before it can read the data in the clear. Without key access, the operation will fail.

Now suppose that your storage admin wants to back up/dump DSNB using DFSMSdss, which is not using standard application Read/Write protocols, but performing the I/O at the track or cylinder level. He will have read authority at the track or cylinder level, probably from a STGADMIN profile, but he won't have access to the key material. And that's ok, because DFSMSdss will simply read the ciphertext as input and write that same ciphertext as output.

IBM has modified the I/O interfaces to require the appropriate access to both data set and key when data will be processed in the clear, and only to require data set access when the ciphertext will be preserved.

Greg
www.mainframecrypto.com
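The split described in the message above, written out as the RACF permissions an administrator might issue. This is an added example, not part of the original post. The user IDs APPUSR and STGADM are hypothetical, the profiles covering DSNB and KEYB are assumed to exist already, and STGADMIN.ADR.STGADMIN.DUMP stands in for whichever STGADMIN profile the site actually uses.

```rexx
/* REXX - added example, not from the original post.                  */
/* Assumptions: APPUSR and STGADM are hypothetical user IDs; a data   */
/* set profile for DSNB and a CSFKEYS profile for KEYB already exist. */
n = 0

/* Application user: works with the data in the clear, so it needs    */
/* access to the data set AND to the key label.                       */
n = n + 1; cmds.n = "PERMIT 'DSNB' ID(APPUSR) ACCESS(UPDATE)"
/* WHEN(CRITERIA(SMS(DSENCRYPTION))) limits the key access to use     */
/* through DFSMS data set encryption rather than general key use.     */
n = n + 1; cmds.n = "PERMIT KEYB CLASS(CSFKEYS) ID(APPUSR) ACCESS(READ)",
                    "WHEN(CRITERIA(SMS(DSENCRYPTION)))"

/* Storage administrator: DFSMSdss dump preserves the ciphertext, so  */
/* the STGADMIN authority is enough. No permit to KEYB is issued.     */
n = n + 1; cmds.n = "PERMIT STGADMIN.ADR.STGADMIN.DUMP CLASS(FACILITY)",
                    "ID(STGADM) ACCESS(READ)"

/* Refresh the in-storage profiles so the changes take effect.        */
n = n + 1; cmds.n = "SETROPTS RACLIST(CSFKEYS) REFRESH"
n = n + 1; cmds.n = "SETROPTS RACLIST(FACILITY) REFRESH"

/* Verification: the KEYB access list should show APPUSR and should   */
/* not show STGADM.                                                   */
n = n + 1; cmds.n = "RLIST CSFKEYS KEYB AUTHUSER"
n = n + 1; cmds.n = "LISTDSD DATASET('DSNB') AUTHUSER"
cmds.0 = n

do i = 1 to cmds.0
  say 'Issuing:' cmds.i
  address tso cmds.i
  if rc > 4 then do
    say 'RC='rc 'from:' cmds.i
    exit 8
  end
end
exit 0
```

If the KEYB permit for APPUSR is missing, the failure is the one described for IEBGENER in the message; reviewing the RLIST output is how that omission is caught before a job hits it.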
