Encrypting Fast Path DEDB area data sets (ADS)

To encrypt Fast Path DEDB area data sets (ADS), define the data sets as extended format and specify key labels with the data sets.

DEDB ADS encryption requires Fast Path 64-bit buffers. This is specified by FPBP64=Y in the FASTPATH section of the DFSDFxxx member in the IMS PROCLIB data set. DEDB ADS encryption is not supported when you are using 31-bit Fast Path buffers.

Make sure all the IMS systems that share encrypted Fast Path ADS meet the following requirements:
  • All the IMS systems are IMS 14 or later with APAR PI83756 installed.
  • All the IMS systems are using Fast Path 64-bit buffers.
  • All the z/OS systems are z/OS 2.2 with OA50569 installed, or z/OS 2.3 and later.
If an encrypted Fast Path ADS is shared by an IMS system that is IMS 14 or earlier versions, or IMS 15 without APAR PI83756, this IMS system will not be able to open or access the ADS. Message IEC161I with return code 122 will be displayed.
To migrate from non-encrypted Fast Path DEDB ADS to encrypted Fast Path DEDB ADS, perform the following steps:
  1. Perform one of the following methods to create encrypted ADS:
    • Define the shadow ADS with the same attributes as the non-encrypted ADS and specify key labels with the shadow ADS. Run DEDB ALTER utility.
    • Define new ADS as SMS-managed extended format DASD and specify key labels with them. Register the new ADS to DBRC by using the following command:

      INIT.ADS DBD(xxxxxxxx) AREA(yyyyyyyy) ADSN(AREA data set name) UNAVAIL

      Run CREATE utility.
  2. Stop the non-encrypted ADS if necessary.
To fallback from encrypted Fast Path DEDB ADS to non-encrypted ADS, create new ADS without key label and use the DEDB ALTER and DEDB Area Data Set Create utilities to copy encrypted ADS to new ones.
Remember: If you use non-IMS tools or products to process the Fast Path ADS, confirm with the tool or product provider that the tool or product supports encrypted DEDBs before enabling encryption.

Additional Fast Path buffers are used when writing to an encrypted area data set. A temporary buffer is obtained at write I/O time to encrypt the data to be written. This buffer is released after the data has been written to the ADS. Each Fast Path buffer includes the buffer itself (64-bit storage) and a 31-bit ECSA control block called a DMHR, which is used to track the buffer. Therefore, encrypting ADS may increase Fast Path 64-bit buffer and ECSA usage. Use the FPBP64M= parameter in the FASTPATH section of the DFSDFxxx member to increase the limit for the amount of 64-bit Fast Path buffers to avoid buffer shortages if necessary. Monitor the 64-bit buffer usage statistics in the IMS 4516 statistics log records when migrating to encrypted ADS.

You must define all data sets that are encrypted by using z/OS data set encryption, including Fast Path DEDB ADS, as SMS-managed extended format data sets. Do not define Fast Path DEDB ADS with the extended addressability attribute. Ensure that the DATACLAS parameter that you use to allocate your ADS does not include the extended addressability attribute.