Re: CA-TSS Question

2018-03-07 Thread Steely.Mark
Thanks for the information. In the example command 'TSS PER(USER1) DSNAME(ACCT.FILE.DATA) DSKEY(AES_SECURE_KEY) SYMCPACFRET(YES)', the SYMCPACFRET option does not work.

The command without the  SYMCPACFRET option is successful.

Waiting for customer to test.

Thank You

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN



Re: CA-TSS Question

2018-03-07 Thread Charles Mills
Took a little bit, but I have an answer from TSS development:

DSKEY Keyword - Dataset Encryption Key Label
Last update September 28, 2017
Valid on z/OS.

Use the DSKEY keyword to specify the key label that encrypts/decrypts the
data in the z/OS Integrated Cryptographic Service Facility (ICSF)
cryptographic key data set (CKDS).

This keyword has the following format:

TSS PER(acid) DSNAME(dataset_resource) DSKEY(key_label)

key_label

Specifies a 1- to 64-character data set key label.

This keyword is used with:

PERMIT command
ACID types User, DCA, VCA, ZCA, LSCA, and SCA DSNAME resource class only
Resource(XAUTH) authority to specify ACTION for resources that are owned
within their scope
Example: Associate a Key Label with a Data Set

This example associates a data set key label with ACCT.FILE.DATA and, through
the SYMCPACFRET setting, allows ICSF to return a protected key in a wrapped
form:

TSS PER(USER1) DSNAME(ACCT.FILE.DATA) DSKEY(AES_SECURE_KEY) SYMCPACFRET(YES)


And here is the link to our doc on the enhancement:
   
 
https://docops.ca.com/ca-top-secret-for-z-os/16-0/en/product-information/ca-top-secret-version-16-product-enhancements#CATopSecretVersion16ProductEnhancements-DataSetEncryptionSupport(RO97892)

Sorry if IBMMAIN breaks that link. Try this one if so: http://bit.ly/2FgCxbr


Charles



Re: CA-TSS Question

2018-03-06 Thread Chicklon, Thomas
I have downloaded the latest 2811 page document. In the product enhancements 
section, on page 98:

Data Set Encryption Support (RO97892)

New z/OS DFSMS capabilities for data encryption require key labels when 
allocating encrypted data sets. These labels identify a protected data key in 
the ICSF key repository (CKDS).

A new field (DSKEY) in ACIDs contains the ICSF key label to use for encryption. 
The following keywords are now available for managing keys and labels:

SYMCPACFWRAP (see page 742) makes keys eligible to be rewrapped (protected) by 
CP Assist for Cryptographic Functions (CPACF).

SYMCPACFRET (see page 741) determines whether ICSF can return a key in a 
wrapped (protected) form.

DSKEY (see page 518) specifies the key label that encrypts/decrypts data in the 
ICSF cryptographic key data set (CKDS).

CRITERIA (see page 489) (used with PERMIT) defines criteria to determine a 
user's access to a resource (such as a key label).

Tom Chicklon


> Probably need to pull the latest TSS doc and look for changes in there.




Re: CA-TSS Question

2018-03-06 Thread Chicklon, Thomas
These may be of interest:

CA opened a problem: 
https://support.ca.com/us/download-center/problem-detail.html?docid=650097&productcd=TSSMVS&problemnbr=9937
And has an enhancement PTF: 
https://support.ca.com/us/download-center/solution-detail.html?docid=650087&os=OS&aparno=RO97892

I've downloaded the PTF, but not much in its hold data to give any hints as to 
how to use it. 

Enhancement Description:  
z/OS DFSMS is providing a simple approach to enable extensive encryption  
of data at rest for data on disk through DFSMS access methods.
Security and Storage Administrators who are required to protect customer  
data can leverage the z Systems hardware encryption for data at rest  
through existing policy management without application changes.   

Probably need to pull the latest TSS doc and look for changes in there.

Tom Chicklon



CA-TSS Question

2018-03-06 Thread Steely.Mark
We are z/OS v2.2 and CA-TSS V16.

Does CA-TSS support the encryption key label in the DFP segment?

This is the sample for RACF.

/*---*/
/* Specify the encryption key label in the DFP segment.  */
/*---*/
ALTDSD 'EYSHA.ICSF.ENCRYPT.ME.*'   +
   DFP(DATAKEY(DATASET.EYSHA.ICSF.ENCRYPT.ME.ENCRKEY.0001))

All my searches came up empty.

Any help would be appreciated.

Thank You
