Configure the data set encryption key for the queue manager

How you configure a data set encryption key for a queue manager.


This task is a prerequisite for Configure data set encryption for the log data sets.


Procedure

  1. Set up an AES 256-bit encryption DATA key with a label, for example, CSQ1DSKY, using the z/OS key generator utility program (KGUP).
  2. Define the RACF CSFKEYS profile for the CSQ1DSKY encryption key, by issuing the following command:
    RDEFINE CSFKEYS CSQ1DSKY UACC(NONE)
  3. Configure the ICSF segment of the profile to allow the key to be used as a protected key, by issuing the following command:
    RALTER CSFKEYS CSQ1DSKY ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))
  4. Allow the queue manager to use the encryption key by giving QMCSQ1 READ access to the profile, by issuing the following command:
    PERMIT CSQ1DSKY CLASS(CSFKEYS) ID(QMCSQ1) ACCESS(READ)
    Give the same access to any administrative user that needs to read or write the encrypted data set.
  5. Refresh the CSFKEYS class by issuing the following command:
    SETROPTS RACLIST(CSFKEYS) REFRESH
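
A review check for the RACF commands in steps 2 to 5, added here as an example and not part of the original procedure or any IBM tooling. The function name `check_deck`, the finding texts and the sample deck are hypothetical, and it assumes one command per line with no continuation lines.

```python
import re

# Constructed sample deck: the commands from steps 2-5 of the procedure above.
GOOD_DECK = """\
RDEFINE CSFKEYS CSQ1DSKY UACC(NONE)
RALTER CSFKEYS CSQ1DSKY ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))
PERMIT CSQ1DSKY CLASS(CSFKEYS) ID(QMCSQ1) ACCESS(READ)
SETROPTS RACLIST(CSFKEYS) REFRESH
"""

def check_deck(deck, label, allowed_ids):
    """Return findings for a deck protecting key `label`; an empty list means it matches the procedure."""
    cmds = [" ".join(l.upper().split()) for l in deck.splitlines() if l.strip()]
    lab = re.escape(label.upper())
    findings = []
    profile = [c for c in cmds if re.match(rf"(RDEFINE|RALTER) CSFKEYS {lab}( |$)", c)]
    permits = [c for c in cmds if re.match(rf"PERMIT {lab} ", c) and "CLASS(CSFKEYS)" in c]

    # Step 2: the profile must be defined with no default access.
    if not any(c.startswith("RDEFINE") and "UACC(NONE)" in c for c in profile):
        findings.append("profile not defined with UACC(NONE)")
    # Step 3: both protected-key settings must be present in the ICSF segment.
    for kw in ("SYMCPACFWRAP(YES)", "SYMCPACFRET(YES)"):
        if not any(kw in c for c in profile):
            findings.append(f"ICSF segment missing {kw}")
    # Step 4: only the expected IDs may be permitted, and only with READ.
    if not permits:
        findings.append("no PERMIT for the key profile")
    for c in permits:
        ids = re.search(r"\bID\(([^)]*)\)", c)
        access = re.search(r"ACCESS\((\w+)\)", c)
        for uid in (ids.group(1).replace(",", " ").split() if ids else []):
            if uid not in allowed_ids:
                findings.append(f"unexpected ID {uid} permitted to the key")
            if not access or access.group(1) != "READ":
                findings.append(f"{uid} granted access other than READ")
    # Step 5: the refresh must come after the last profile or access change.
    refresh = [i for i, c in enumerate(cmds) if c == "SETROPTS RACLIST(CSFKEYS) REFRESH"]
    changes = [i for i, c in enumerate(cmds) if c in profile or c in permits]
    if not refresh or (changes and refresh[-1] < changes[-1]):
        findings.append("CSFKEYS not refreshed after the last change")
    return findings

if __name__ == "__main__":
    print(check_deck(GOOD_DECK, "CSQ1DSKY", {"QMCSQ1"}))
```

Pass the set of IDs that are meant to hold the key (the queue manager ID and any named administrators) as `allowed_ids`; anything else in a PERMIT, including `ID(*)`, is reported.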


What to do next

Configure data set encryption for the data sets as described in Configure data set encryption for the log data sets.