Ken,

More responses to your helpful comments.

My IECIOS is set up like this - IP address of my Z LPAR that has the RACF DB I'm showing below - and has EKMSERV running on it, listening on port 3081.

Here's what I have for my key label information within my DC definition. Does this look correct?

DC=DC3592E
Media Interchange
  Media Type . . . . . . . . : MEDIA5
  Recording Technology . . . : EEFMT2
  Performance Scaling . . . . :
Encryption Management
  Key Label 1: EKMS
  Encoding for Key Label 1 : L
  Key Label 2: EKMS
  Encoding for Key Label 2 : L

I have my EKM set to use RACF and within RACF, I have this for a self-signed cert:

Label: EKMS
Certificate ID: xxxxxxxxxxxxxxxxxx
Status: TRUST
Start Date: 2014/10/08 22:59:58
End Date: 2024/12/31 22:59:57
Serial Number: 00
Issuer's Name: CN=TAPE.O=SFG.C=US
Subject's Name: CN=TAPE.O=SFG.C=US
Key Usage: CERTSIGN
Key Type: RSA
Key Size: 1024
Private Key: YES
Ring Associations:
  Ring Owner: EKMSERV
  Ring: EKMRING

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Ken Smith
Sent: Thursday, November 13, 2014 12:08 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: TS3584 and TS1120 encryption

Encryption must work through a data class defined with EEFMT2 Recording Technology and with Key Labels pointing at your key label names. You don't need to segregate tapes. OAM is not involved.

I couldn't get a unit name to work; may be possible though. I got it to work in the DC ACS routine by looking for a pattern in a DSN, and secondly by allowing a user to explicitly code a dataclass in JCL, e.g.: DATACLAS=ENCRYPT1. The DSN method is good if your DSN standards are strong; if not, coding a DC in JCL is easy.

Here are relevant snippets from DC ACS:

/* ADDED FOR TAPE ENCRYPTION $$ */
FILTLIST ENCRYPT_DSN      INCLUDE( *.DR.EC.** , *.ENCRYPT*.** )
FILTLIST ENCRYPT_DC       INCLUDE('DCENCRYP' , ENCRYPT* )
FILTLIST ENCRYPT_TAPEUNIT INCLUDE('3590-1','3590','CART','AFF=SMST','AFF=NSMS','TAPE')
/* END OF TAPE ENCRYPTION */
...
/* ADDED FOR TAPE ENCRYPTION $$ */
IF &DSN EQ &ENCRYPT_DSN AND &UNIT EQ &ENCRYPT_TAPEUNIT THEN
  DO
    SET &DATACLAS = 'ENCRYPT1'
    EXIT
  END
IF &DATACLAS EQ &ENCRYPT_DC AND &UNIT EQ &ENCRYPT_TAPEUNIT THEN
  DO
    SET &DATACLAS = &DATACLAS
    EXIT
  END
/* END OF TAPE ENCRYPTION */

I also had to update Storage Class ACS to differentiate between ATL and stand-alone drives:

/*********************************************************************/
/* 3B.1) - IF A TAPE DSN WAS ASSIGNED AN ENCRYPTION DATACLAS      $$ */
/*         DIRECT TO ATL UNLESS UNIT IS FOR STANDALONE TAPE DRIVE.   */
/*********************************************************************/
WHEN ( &DATACLAS EQ &ENCRYPT_DC )
  DO
    IF &UNIT EQ &TAPE_UNIT_STANDALONE THEN
      SET &STORCLAS EQ ''          /* NOT ATL */
    ELSE
      SET &STORCLAS EQ 'SC3500'    /* ATL */
  END

I see now I updated Storage Group; however, it doesn't look right to me now and I've not included it.

The key (haha!) is getting SMS to use the correct DC. Note that once there's an encrypted file on a tape all subsequent files are encrypted, so you just have to update existing JCL for the first file, or perhaps make the first file a "seed" file that the DC is looking for.

Have you updated SYS1.PARMLIB(IECIOS00) to define your key managers?

Ken Smith
State of Maryland

On Thu, Nov 13, 2014 at 11:39 AM, Pommier, Rex <rpomm...@sfgmembers.com> wrote:
> Hi Dave,
>
> Actually I have the older EKM running, configured to use certs located
> within the RACF DB. I was told the library manager was already ready to do
> encryption but I'll check that out.
>
> Rex
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Jousma, David
> Sent: Thursday, November 13, 2014 6:29 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: TS3584 and TS1120 encryption
>
> Rex,
>
> Did you install and configure ISKLM to serve up the certificates needed to
> perform the encryption? Also there are library manager changes needed to
> tell the library where to go to get the certs.
>
> _________________________________________________________________
> Dave Jousma
> Assistant Vice President, Mainframe Engineering
> david.jou...@53.com
> 1830 East Paris, Grand Rapids, MI 49546 MD RSCB2H
> p 616.653.8429
> f 616.653.2717
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Pommier, Rex
> Sent: Wednesday, November 12, 2014 6:12 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: TS3584 and TS1120 encryption
>
> Russ,
>
> Thanks for confirming how I thought it was supposed to work. I am missing
> something else, then, because when I run a very simple job to attempt to
> encrypt a tape, I get a JCL error as follows:
>
> 16.57.46 JOB03624  IRR010I  USERID RRP4912  IS ASSIGNED TO THIS JOB.
> 16.57.47 JOB03624  IGD306I UNEXPECTED ERROR DURING CBRXLCS PROCESSING 671
>    671             RETURN CODE 12 REASON CODE 49
>    671             THE MODULE THAT DETECTED THE ERROR IS IGDIDMUS
>    671             SMS MODULE TRACE BACK - IDMUS IDMSU IDM00 SSIRT
>    671             SYMPTOM RECORD CREATED, PROBLEM ID IS IGD01599
> 16.57.47 JOB03624  IEF452I RRPIEBG - JOB NOT RUN - JCL ERROR
> 16.57.47 JOB03624  $HASP396 RRPIEBG TERMINATED
>
>         1 //RRPIEBG JOB (040423,495),RRP,CLASS=T,MSGCLASS=X,MSGLEVEL=(1,1),  JOB03624
>           //         NOTIFY=&SYSUID
>           IEFC653I SUBSTITUTION JCL - (040423,495),RRP,CLASS=T,MSGCLASS=X,MSGLEVEL=(1,1),NOTIFY=RRP4912
>         2 //STEP1    EXEC PGM=IEBGENER
>         3 //SYSPRINT DD SYSOUT=*
>         4 //SYSUT1   DD DSN=SFG1B.SCRTOOL.JCL,DISP=SHR
>         5 //SYSUT2   DD DSN=RRP4912.TEST.ENCRYP,DISP=(,CATLG,DELETE),UNIT=ECART
>         6 //SYSIN    DD DUMMY
> STMT NO. MESSAGE
>          IGD330I ERROR OCCURRED DURING CBRXLCS PROCESSING-
>                  NO DEVICE POOLS EXIST TO FULFILL REQUEST FOR TDSI SPECIFICATION
>          IGD306I UNEXPECTED ERROR DURING CBRXLCS PROCESSING
>                  RETURN CODE 12 REASON CODE 49
>                  THE MODULE THAT DETECTED THE ERROR IS IGDIDMUS
>                  SMS MODULE TRACE BACK - IDMUS IDMSU IDM00 SSIRT
>                  SYMPTOM RECORD CREATED, PROBLEM ID IS IGD01599
>
> I defined ECART as a new ESOTERIC pointing to the same tape devices (my
> 3584 with the TS1120s) as the esoteric CART. If I change the JCL to use
> UNIT=CART, it works just fine. So I thought maybe my ECART hadn't taken,
> so I tried changing the JCL to UNIT=JUNK (a non-existent ESOTERIC) and got
> a completely different error.
>
> //STEP1    EXEC PGM=IEBGENER
> //SYSPRINT DD SYSOUT=*
> //SYSUT1   DD DSN=SFG1B.SCRTOOL.JCL,DISP=SHR
> //SYSUT2   DD DSN=RRP4912.TEST.ENCRYP,DISP=(,CATLG,DELETE),UNIT=JUNK
> //SYSIN    DD DUMMY
> ICH70001I RRP4912 LAST ACCESS AT 16:56:48 ON WEDNESDAY, NOVEMBER 12, 2014
> IEF344I RRPIEBG STEP1 SYSUT2 - ALLOCATION FAILED DUE TO DATA FACILITY SYSTEM ERROR
> IGD17045I SPACE NOT SPECIFIED FOR ALLOCATION OF DATA SET RRP4912.TEST.ENCRYP
>
> My encryption data class is identical to my non-encryption DC except it
> defines the format as EEFMT2 and the other EFMT2. I am using the same
> management class, storage class, and storage group for both data classes
> (tested through the SMS test routines).
>
> Any idea what I'm missing? I'm sure it will be something of a
> head-slapper when it is pointed out to me, but for now I can't see the
> forest for the trees!
>
> Thanks,
>
> Rex
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Russell Witt
> Sent: Wednesday, November 12, 2014 4:05 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: TS3584 and TS1120 encryption
>
> Rex,
>
> I don't know of a need to make any changes to CBRUXENT for what you are
> planning on doing, especially if all the TS1120 drives inside the robot are
> encryption capable. Even if a TS1120 is EJECTED (to go offsite) and is then
> returned (INSERTED) and the VOLCAT (TCDB) entry for that specific volume
> had been deleted after it had been EJECTED, it won't make a difference. If
> the INSERT assigns it to a non-encrypted Data Class, that will not affect
> its ability to be read on any of the TS1120 drives inside the robot. If
> some of your drives were the original 3592 non-encryption drives, that
> might be an issue. But since all your existing TS1120 drives are already
> encryption-capable - no problem.
>
> Likewise there is no need for two separate ranges of tapes. Doesn't matter
> if volume V12345 was originally a non-encrypted tape, then was used for
> encryption and later was used again (after going scratch of course) as a
> non-encrypted tape. Just like Virtual-WORM and Replication. If controlled
> by Data Class it can switch on and off, so each usage is different.
>
> Russell Witt
>
> On 11/12/14, Pommier, Rex <rpomm...@sfgmembers.com> wrote:
>
> Hi list,
>
> We have an existing 3584 tape library with encryption-capable TS1120 tape
> drives installed in it. We haven't used encryption up to this point, but
> are trying to get encryption started. We don't want to encrypt everything
> going to the TS1120s, but want to, for example, encrypt our backup tapes,
> but leave our HSM ML2 tapes unencrypted. We also obviously need to read
> older unencrypted tapes. From reading several manuals, I thought I would
> need to set up a new data class specifying EEFMT2 as the data format
> instead of the EFMT2 format we are currently using. The doc also seemed to
> indicate that I could use the same physical library and drives to
> read/write both data formats.
>
> It appears as though I need to make changes to the CBRUXENT OAM exit to
> allow use of encrypted tape format. Is this correct?
>
> Do I need to set a range of tapes to be used solely for encryption and a
> separate range for unencrypted tapes? Do I need to define which tapes will
> be used for encryption ahead of time and define that into the CBRUXENT exit?
>
> Any help will be greatly appreciated.
>
> TIA,
>
> Rex
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions, send email
> to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> The information contained in this message is confidential, protected from
> disclosure and may be legally privileged. If the reader of this message is
> not the intended recipient or an employee or agent responsible for
> delivering this message to the intended recipient, you are hereby notified
> that any disclosure, distribution, copying, or any action taken or action
> omitted in reliance on it, is strictly prohibited and may be unlawful. If
> you have received this communication in error, please notify us immediately
> by replying to this message and destroy the material in its entirety,
> whether in electronic or hard copy format. Thank you.
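As an added check (not part of any post in this thread): a Python model of the ACS FILTLIST mask rules and the two IF blocks from Ken's DC ACS snippet, so the DSN/UNIT/DATACLAS combinations that would be routed to the encrypted data class can be tabled offline before running the real SMS test cases. The FILTLIST values are Ken's; the function names and sample inputs are constructed for this example, and the rest of the DC ACS routine (everything after the encryption section) is not modelled.

```python
import re
from typing import Optional

# FILTLIST values copied from the DC ACS snippet in Ken Smith's post
ENCRYPT_DSN = ["*.DR.EC.**", "*.ENCRYPT*.**"]
ENCRYPT_DC = ["DCENCRYP", "ENCRYPT*"]
ENCRYPT_TAPEUNIT = ["3590-1", "3590", "CART", "AFF=SMST", "AFF=NSMS", "TAPE"]


def _mask_regex(mask: str) -> str:
    """Within one qualifier (or a non-DSN value such as a unit or data class
    name): '*' = any run of characters, '%' = exactly one character."""
    return "".join({"*": "[^.]*", "%": "[^.]"}.get(c, re.escape(c)) for c in mask)


def dsn_matches(dsn: str, mask: str) -> bool:
    """ACS DSN mask rules: a lone '*' qualifier matches exactly one qualifier,
    '**' matches zero or more qualifiers, '*'/'%' inside a qualifier match
    within that qualifier only."""
    def walk(dq, mq):
        if not mq:
            return not dq
        head, rest = mq[0], mq[1:]
        if head == "**":
            return any(walk(dq[i:], rest) for i in range(len(dq) + 1))
        if dq and re.fullmatch(_mask_regex(head), dq[0]):
            return walk(dq[1:], rest)
        return False
    return walk(dsn.upper().split("."), mask.upper().split("."))


def in_filtlist(value: str, filtlist, dsn: bool = False) -> bool:
    """True if VALUE would satisfy an 'EQ &FILTLIST' test against FILTLIST."""
    if dsn:
        return any(dsn_matches(value, m) for m in filtlist)
    return any(re.fullmatch(_mask_regex(m), value.upper()) for m in filtlist)


def encryption_dataclas(dsn: str, unit: str, dataclas: str = "") -> Optional[str]:
    """Mirror of Ken's two IF blocks: the DATACLAS the encryption section would
    SET and EXIT with, or None when control falls through to the rest of the
    DC ACS routine (not modelled here)."""
    tape = in_filtlist(unit, ENCRYPT_TAPEUNIT)
    if tape and in_filtlist(dsn, ENCRYPT_DSN, dsn=True):
        return "ENCRYPT1"                 # DSN-pattern rule
    if tape and dataclas and in_filtlist(dataclas, ENCRYPT_DC):
        return dataclas.upper()           # explicit DATACLAS= coded in JCL
    return None
```

Running Rex's job from the thread through it (RRP4912.TEST.ENCRYP on UNIT=ECART) shows neither rule would fire: ECART is not in Ken's ENCRYPT_TAPEUNIT list and the DSN does not match either mask, which is the kind of gap the SMS test cases should be written to catch.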