Securing Wrapped and Container Files

Wrapping Sensitive Files

Wrapping files that have the SENSITIVEDATA file attribute set does not propagate this attribute to the resulting wrapped or container file. As a result, removing the wrapped or container file does not scrub the returned disk space.

You can apply the SENSITIVEDATA attribute to the wrapped or container file using the WFL ALTER statement. For example:

WFL ALTER "BACKUP.CON" (SENSITIVEDATA = TRUE)

Wrapping SECURITYADMIN Restricted Files

Wrapping files that have the SECURITYADMIN file attribute set does not propagate this attribute to the resulting wrapped or container file. If a wrapped or container file containing SECURITYADMIN restricted files is moved to a system on which security administrator status is not authorized, access to those files is no longer restricted to users with SECADMIN privilege. In this situation, privileged users can access these files.

You can apply the SECURITYADMIN attribute to the wrapped or container file using the WFL ALTER statement. For example:

WFL ALTER "SECLOG.CON" (SECURITYADMIN = TRUE)

Wrapping GUARDED or CONTROLLED Files

Wrapping files that have the SECURITYTYPE attribute set to GUARDED or CONTROLLED does not automatically wrap the GUARDFILE specified in the file’s SECURITYGUARD attribute. The system also does not propagate the GUARDFILE protection to the resulting wrapped or container file. A non-privileged user who attempts to UNWRAP a GUARDED or CONTROLLED file requires the corresponding GUARDFILE. If a non-privileged user’s attempt to UNWRAP on a different system fails, the cause may be a missing GUARDFILE.

You can apply the SECURITYTYPE attribute to the wrapped or container file using the WFL ALTER statement. For example:

WFL ALTER "SECLOG.CON" (SECURITYTYPE = GUARDED)

For more information about the restrictions and requirements of using GUARDFILES, see the Security Operations Guide.

Unwrapping Files

When unwrapping files, the system enforces file access protection mechanisms for all files within a wrapped or container file. As a result, non-privileged users may be unable to unwrap some files within a wrapped or container file. For example, a non-privileged user cannot unwrap a file owned by a different user from a container.

Securing Wrapped and Container Files with Encryption

When creating wrapped or container files, the WFL WRAP statement supports options to secure the contents of the file using encryption. The system applies encryption to the file data and its disk file header information. For more information about using encryption with wrapped and container files, see the WRAP statement and UNWRAP statement in the Work Flow Language (WFL) Programming Reference Manual.