(My English is poor so maybe I did not understand it)
You can do your EXCP program or anything, but the only thing you can get
is encrypted data from the track.
Usually we don't want such data, we prefer decrypted data. However in
this case we discuss how to "IEBEYEBAL" or visually see the data in
encrypted form. Just to check.
IBM did the job to teach all possible tools to recognize the data is
encrypted and *cannot be read*. RC with proper reason code is IMHO
better than copying, then processing (i.e. sorting) encrypted data. Of
course encrypted data can be backed up or copied, but with no view option.
Regarding last question: no sniffering would help here.
Note, we have different flavours of encryption:
Pervasive encryption aka DSE aka Dataset Encryption. This is the case we
discuss. Data written on (emulated) 3390 tracks are already encrypted.
FICON end to end encryption. All communication between CHPid and CU box
adapter is encrypted. Switches, DWDMs, etc. transmit encrypted datagrams.
FDE aka full disk encryption. A feature of DASD box, which encrypts any
data written on physical disk modules (SSD as well). Stolen module
contains encrypted => unusable data. However any other CPC connected to
that DASD box will be able to read the data.
Three methods, independent one of each other. Which one to use? It is
good topic for discussion, however in general it is good to have all of
them available. In some cases all three used together can make sense.
--
Radoslaw Skorupka
Lodz, Poland
W dniu 19.10.2024 o 22:04, Mike Schwab pisze:
So you would have to do a excp I/o to read a track image and the
hardware will block or decrypt that?
A ficon sniffer on a single / quad cable pair for one storage box or
built into a switch for the entire network?
On Sat, Oct 19, 2024 at 10:05 AM Radoslaw Skorupka
<[email protected]> wrote:
To complement: File Manager will NOT show encrypted data in encrypted form.
I tried it many ways, including access from different LPAR with or
without same named key (same name, different key content).
The only way I know to view encrypted data in encrypted form is to use
dss PRINT TRACKS.
All popular tools like IDCAMS, IEBCOPY, IEBGENER, ISPF browse, FM will
not do it.
--
Radoslaw Skorupka
Lodz, Poland
W dniu 19.10.2024 o 13:10, Lennie Bradshaw pisze:
Colin,
Well yes, I can see the clear data if I grant access. However, I was looking to
see the encrypted data.
Lennie
-----Original Message-----
From: IBM Mainframe Discussion List<[email protected]> On Behalf Of
Colin Paice
Sent: 18 October 2024 22:30
To:[email protected]
Subject: Re: File Manager and viewing tracks
Does it work if you fix this problem ?
On Fri, 18 Oct 2024, 17:52 Lennie Bradshaw,<[email protected]>
wrote:
Colin,
This return code states,
186(X'BA') An error was returned from ICSF.
As I would expect.
No other messages other than this from RACF for the CSFKEYS resource,
ICH408I USER(LEN ) GROUP(SYS1 ) NAME(LENNIE D-B )
IEC161I SYS1.RACFDS.NEW.DATA,,CATALOG.Z31B.MASTER
RACF.MASTER.ENCRYPTION.KEY CL(CSFKEYS )
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
Lennie
-----Original Message-----
From: IBM Mainframe Discussion List<[email protected]> On
Behalf Of Colin Paice
Sent: 18 October 2024 17:06
To:[email protected]
Subject: Re: File Manager and viewing tracks
Did you check out the return code ?
Were there any other messages on the console ?
Colin
On Fri, 18 Oct 2024, 16:58 Lennie Bradshaw,
<[email protected]>
wrote:
Colin,
How I wish it worked this way!
However, when I set things up with a user denied access to the key I
get the following message from FileMangler,
FMNBA375 VSAM OPEN RC X"08", Error Code X"BA"
Lennie
-----Original Message-----
From: IBM Mainframe Discussion List<[email protected]> On
Behalf Of Colin Paice
Sent: 14 October 2024 17:00
To:[email protected]
Subject: Re: File Manager and viewing tracks
If you have access to the encryption key you will see it in clear text.
If you do not have the encryption key you will not be allowed to
access the data set. You will not see the encrypted data.
Colin
On Mon, 14 Oct 2024 at 15:11, Schmitt, Michael
<[email protected]>
wrote:
If you want to look at the tracks for a data set, what was wrong
with File Manager Disk Browse? That's exactly what it does.
-----Original Message-----
From: IBM Mainframe Discussion List<[email protected]> On
Behalf Of Lennie Bradshaw
Sent: Saturday, October 12, 2024 4:34 AM
To:[email protected]
Subject: Re: File Manager and viewing tracks
Paul,
I just want to specify the data set name, rather than having to
work out track and cylinder addresses.
Lennie
-----Original Message-----
From: IBM Mainframe Discussion List<[email protected]> On
Behalf Of Paul Feller
Sent: 12 October 2024 01:41
To:[email protected]
Subject: Re: File Manager and viewing tracks
Lennie, forgive me I may have missed part of this email string.
So, the PRINT function of ADRDSSU does not satisfy your needs?
Are you wanting to just browse the DASD volume by tracks or do you
know an area on the DASD that you actually want to look at?
//*==================================================================*
//* ----------------------------------------------------------- *
//* | +-,0,c1,max head #--------------+ | *
//* +---TRACKS----(--c1--+-------------------------------+--)-+ *
//* +-TRKS---+ | +-,c1,max head #-------+ | *
//* +-,h1--+----------------------+-+ *
//* | +-,max head #-+ | *
//* +-,c2--+-------------+-+ *
//* +-,h2---------+ *
//* *
//* TRACKS specifies ranges of tracks to be printed. *
//* c1,h1 *
//* Specifies the cylinder and head number of the beginning of the *
//* range. Specify hexadecimal numbers as X'c1' or X'h1'. *
//* *
//* c2,h2 *
//* Specifies the cylinder and head number of the end of the range. *
//* Specify hexadecimal numbers as X'c2' or X'h2'. The c2 must be *
//* greater than or equal to c1. If c2 equals c1, h2 must be greater *
//* than or equal to h1. *
//* *
//* PRINT TRACKS(2,0,2,5) INDDNAME(DASD) CPVOLUME ADMINISTRATOR *
//*===============================================================
==
=*
//STEP0010 EXEC PGM=ADRDSSU
//SYSPRINT DD SYSOUT=*
//DASD DD UNIT=3390,VOL=(PRIVATE,SER=ZOSPLA),DISP=SHR
//SYSIN DD *
PRINT TRACKS(0,0,2,5) INDDNAME(DASD) ADMINISTRATOR
/*
Paul
-----Original Message-----
From: IBM Mainframe Discussion List<[email protected]> On
Behalf Of Lennie Bradshaw
Sent: Friday, October 11, 2024 6:47 PM
To:[email protected]
Subject: Re: File Manager and viewing tracks
Mike,
Thanks for your thoughts.
Yes, I realise I could use such a mechanism with maybe some REXX
to generate CCHHR values to use with DFDSS Print (rather than
AMASPZAP which does not support extended format data sets). The
CCHR values could even be found from an IEHLIST VTOC report. But
what I really want is a simple method to display via ISPF
(preferably) or in batch in a single step if not; i.e. a
recognisable utility that just does what I want (yes, I know I am picky).
So far, DFDSS is the only thing that comes close, but it insists I
print the entire data set, and so produces a *lot* of output
(actually far more for encrypted data sets than for unencrypted
data sets, as there are no repeated lines).
I have a very dirty way of printing only the start of a dataset
but it stinks. (Print to a data set of 1 track only, let it suffer
a B37 and then have a 2nd step to copy to a spool dataset with
EXEC PGM=IEBGENER,COND=EVEN).
Lennie
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
