IBM Support

Determining if a dataset has been encrypted

Question & Answer

Question

Is it possible, using zSecure Audit, to report on those data sets that have had their contents encrypted?

Cause

Rising concern and audit findings related to documenting (and proving) that a data set (or list of data sets) has had its contents encrypted.

Answer

There are two CARLa fields within SMF reporting that may be used for this purpose:

KEY_LABEL

This repeated field contains the key label(s) associated with the event described by the SMF record. It is filled for record type 14 with the label(s) identifying the encryption key used to encrypt the data that was written to tape. For RACF processing records (type 80 and 83, subtype 1), this contains the PKDS key label from relocate section 398. This field can contain up to 64 bytes of text, and is by default shown with that length.

KEY_LABEL_ENCODING

This repeated field contains the encoding for key label(s) associated with the event described by the SMF record. It is filled for record type 14 with either H or L, indicating Hash or Label encoding.

Additionally, some key information may be collected via CKFCOLL. Some of this information is available for reporting via the KEY_USABLE field of the SENSDSN NEWLIST type.

KEY_USABLE

The flag shows the result of the usability test that CKFCOLL (v2.3 or later) performs on a data set when it takes the system snapshot. The flag is only relevant to encrypted data sets.

This flag can be set to true, false, or it can be missing:
  • The flag is set to true if the test succeeded and the result is as expected. This indicates that the ICSF contains a key that can decrypt the corresponding data set.
  • The flag is set to false if the test was performed, but the result is not as expected. This can happen, for instance, if the data set was created on a different system, the CKDS is different, or the key label was not created with the same key. Another reason can be that the security databases are different and the SYMCPACFRET or SYMCPACFWRAP ICSF segment flags differ for the CSFKEYS resource.
  • The flag is missing if either the KEY_LABEL field is empty, so the data set is not encrypted, or the usability test is not executed. The latter can happen if the SYMKEYTEST CKFCOLL option is not specified, or if the collection task is insufficiently authorized to perform all of the required functions.
Additionally, there are functions to report on keys handled via ICSF. See the section on ICSF NEWLIST types and available fields in the licensed CARLa manual.
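The following CARLa query is an added example and is not taken from this IBM page or from the zSecure product documentation. It ties the two answers together: the first NEWLIST reports tape data sets whose SMF type 14 record carries a KEY_LABEL (so their contents were written encrypted), together with the KEY_LABEL_ENCODING; the second reports encrypted data sets in the CKFCOLL snapshot whose KEY_USABLE flag is false, which is the set an auditor would want to follow up on. The exact SELECT comparison syntax for an empty string and for a boolean flag, the TITLE keyword, and the DSNAME, DATE, TIME and JOBNAME output fields are assumptions; check them against the licensed CARLa manual for your release before running the query.

```carla
/* Added example, not from the IBM page. Field names other than      */
/* KEY_LABEL, KEY_LABEL_ENCODING and KEY_USABLE, and the comparison   */
/* syntax used in SELECT, are assumptions to be checked against the   */
/* CARLa manual.                                                      */

/* 1. Evidence that a data set's contents were written encrypted:     */
/*    SMF type 14 records that carry at least one key label.          */
newlist type=smf title="Tape data sets written with an encryption key"
  select type=14 key_label<>""
  sortlist date time jobname dsname key_label key_label_encoding

/* 2. Encrypted data sets in the CKFCOLL snapshot (SYMKEYTEST option  */
/*    specified) whose key cannot be used on this system. A missing    */
/*    KEY_USABLE is excluded here because it means either "not         */
/*    encrypted" or "test not run", and those need a different query.  */
newlist type=sensdsn title="Encrypted data sets whose key is not usable here"
  select key_label<>"" key_usable=false
  sortlist dsname key_label key_usable
```

Run the two NEWLISTs against the SMF input and the CKFCOLL snapshot for the same system: an empty second report, combined with the first, is the documentation the audit finding asks for, while any rows in the second report point at the CKDS, key label or ICSF segment mismatches the KEY_USABLE description lists.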


Document Information

Modified date:
03 June 2019

UID

swg21384777