Data set encryption support for IMS

z/OS data set encryption is available on z/OS 2.3 and later and on z/OS 2.2 after APAR OA50569 and dependent APARs are installed.

You can encrypt data sets that are accessed by DFSMS access methods by using z/OS data set encryption. Define each such data set as an SMS-managed extended format data set with a key label associated with it.

To create an encrypted data set, you must assign a key label to the data set when it is first allocated, that is, when the data set is created. A key label can be specified through one of the following methods:
  • Create SAF rules that associate a key label with a data set name pattern by using the DATAKEY parameter of the DFP RACF segment.
  • Specify a key label by using JCL, dynamic allocation, or TSO allocate (DSKEYLBL parameter).
  • Specify a key label on the IDCAMS DEFINE command (KEYLABEL parameter).
  • Use the DATACLAS parameter with a key label that is associated with it.

The order in which the methods are listed is the order of precedence. For example, if you have a SAF rule that matches the data set that is being created and you also specify a key label on the DSKEYLBL parameter of the JCL DD statement, the SAF key label is used. For more information on data set encryption, see APAR OA50569: z/OS Data Set Encryption.

Existing data sets must be copied into a new extended format data set that is defined with a key label to become encrypted. An existing data set does not become encrypted just because a key label is added to its DATACLAS, or because a RACF rule associates a key label with the data set name.

Access to the key label is checked by using SAF access rules when a data set is opened. The user ID of the address space in which the open operation occurs is checked against the key label resource in the CSFKEYS class. That user ID must have READ authority to the key label resource in the CSFKEYS class to be able to access the encryption key for reading from and writing to the encrypted data set.
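The following job is an added example, not part of the IBM documentation, that ties the three preceding points together: granting READ access to the key label in CSFKEYS, assigning the key label at allocation time with the IDCAMS DEFINE KEYLABEL parameter, and copying an existing data set into the new encrypted one. All names are constructed placeholders: user IDs IMSCTL and IMSDLI, key label IMS.DB.KEY01 (assumed already loaded in the ICSF CKDS as an AES key), SMS data class EXTFMT (assumed defined as extended format), and the data set names.

```jcl
//ENCRYPT  JOB (ACCT),'IMS DS ENCRYPT',CLASS=A,MSGCLASS=X
//* Step 1: authorize the IMS control region and DLI SAS user IDs
//*         (constructed names) to read the key label in CSFKEYS.
//*         The ICSF segment marks the key as usable as a protected key.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE CSFKEYS IMS.DB.KEY01 UACC(NONE) +
      ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))
  PERMIT IMS.DB.KEY01 CLASS(CSFKEYS) ID(IMSCTL) ACCESS(READ)
  PERMIT IMS.DB.KEY01 CLASS(CSFKEYS) ID(IMSDLI) ACCESS(READ)
  SETROPTS RACLIST(CSFKEYS) REFRESH
/*
//* Step 2: define a new SMS-managed extended format VSAM cluster
//*         with the key label assigned when it is created.
//*         VSAM attributes are constructed values, not IMS defaults.
//DEFINE   EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  DEFINE CLUSTER (NAME(IMS.DB.CUSTDB.ENC) -
         KEYLABEL(IMS.DB.KEY01) -
         DATACLAS(EXTFMT) -
         KEYS(10 0) RECORDSIZE(4089 4089) -
         CYLINDERS(50 10) -
         SHAREOPTIONS(3 3)) -
         DATA (NAME(IMS.DB.CUSTDB.ENC.DATA) CISZ(4096)) -
         INDEX (NAME(IMS.DB.CUSTDB.ENC.INDEX))
/*
//* Step 3: copy the existing unencrypted data set into the new one;
//*         an existing data set is never encrypted in place.
//COPY     EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  REPRO INDATASET(IMS.DB.CUSTDB) OUTDATASET(IMS.DB.CUSTDB.ENC)
/*
```

The user ID under which this job runs also needs READ access to the key label, because the REPRO step opens the encrypted output data set; any batch job or utility that later opens it needs the same access.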

The following table lists the data sets that support z/OS data set encryption and the IMS address spaces whose user IDs need access to the key labels associated with the data sets.

Note: In the following table, the column "IMS address spaces whose user IDs need access to the key labels" is not exhaustive. Any program or utility that opens one of the data sets in the following table needs access to the key label that is associated with the data set.
Table 1. IMS data sets that support z/OS data set encryption

| Data set types | IMS address spaces whose user IDs need access to the key labels |
|---|---|
| VSAM (HALDB, non-HALDB) | CTL, DLI, batch jobs, and utilities that access VSAM DBs |
| GSAM | IMS BMP and batch jobs |
| Online log data sets (DFSOLPnn, DFSOLSnn) | CTL (including XRF alternate, FDBR regions), log archive utility, other utilities that access OLDS, and RSR transport manager |
| Batch log data sets | IMS batch jobs, utilities that access batch logs, and RSR transport manager |
| SLDS | CTL, log archive utility, Change Accumulation utility, DB recovery utilities, other utilities that access SLDS, and RSR transport manager |
| RLDS | Log archive utility, Change Accumulation utility, and DB recovery utilities |
| Change Accum data sets | Change Accumulation utility and DB recovery utilities |
| Image copy data sets | Image copy utilities and DB recovery utilities |
| CQS SRDS | CQS |
| IMS Connect Recorder Trace | IMS Connect and utilities that process IMS recorder trace |
| BPE Trace data sets | Address spaces that use BPE, utilities that process BPE trace data (including IPCS TSO users) |
| Fast Path trace | Dependent region |
| IMS external trace data sets | CTL and utilities that process IMS external trace |
| z/OS log stream offload and staging data sets | z/OS logger address space |
| IMS repository data sets | Repository server |
| RRDS | CTL and utilities that access the RRDS |
| RECON data sets | DBRC, IMS batch jobs that use DBRC, and utilities and tools that access the RECON data sets |
| Monitor data sets | CTL, utilities that process monitor data output |
| CQS system checkpoint data sets | CQS |
| Write-ahead data sets (WADS) | CTL (including XRF alternate, FDBR regions), log recovery utility, and other utilities that access WADS |
| Fast Path DEDB area data sets (ADS) | CTL and utilities that access DEDB ADS |

The following data sets cannot be encrypted either because they are accessed by using nonstandard access methods or because DFSMS does not support encryption for them:

  • OSAM using sequential data sets (physical OSAM data sets)
  • MSDB data sets, including dump, init, and checkpoint
  • Queue manager data sets, including LGMSG, SHMSG, and QBLKS
  • Restart data sets (RDS)
  • All PDS/PDSE type data sets, including PSBLIB, DBDLIB, ACBLIB, MODBLKS, FMTLIB, IMSTFMTx, IMSDALIB, program libraries, PROCLIB or configuration data sets, catalog directory data sets, staging data sets, and BSDS
  • Spool data sets