zPET - IBM Z and z/OS Platform Evaluation and Test - Group home

Pervasive Encryption: Middleware Experiences

  

IBM MQ:

V2R3 Data Set Encryption and IBM MQ

Author: Lisa Dodaro

 

This topic discusses our experience with IBM MQ V8, V9 and V90x with Pervasive Encryption while testing z/OS V2R3 and IBM z14 hardware.

 

To test in our environment, we defined an SMS data class with the Extended Attribute enabled as well as a Data Set Key Label to encrypt our new BSDS and archive logs. We created the new bootstrap data set (BSDS) and used the Access Method Services REPRO command to copy the current BSDS into it.
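The define-and-copy step described above could look like the following IDCAMS job. This is an added example, not the job zPET ran: the data set names, the data class name ENCRBSDS and the job card are placeholders, and the KEYS, RECORDSIZE and RECORDS values are assumptions that should be taken from the site's existing BSDS definition.

```jcl
//ENCBSDS  JOB (ACCT),'ENCRYPT MQ BSDS',CLASS=A,MSGCLASS=X
//*
//* Added example. Placeholders (not from the original page):
//*   MQHLQ.QMGR.BSDS01      current, unencrypted BSDS
//*   MQHLQ.QMGR.NEW.BSDS01  new BSDS to be encrypted
//*   ENCRBSDS               SMS data class that requests extended
//*                          format and carries the Data Set Key Label
//*
//COPYBSDS EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  /* Define the new BSDS. The data class supplies the key    */
  /* label, so the cluster is encrypted from the first write. */
  /* KEYS, RECORDSIZE and RECORDS are assumed values.         */
  DEFINE CLUSTER -
         (NAME(MQHLQ.QMGR.NEW.BSDS01) -
          DATACLAS(ENCRBSDS) -
          INDEXED -
          KEYS(4 0) -
          RECORDSIZE(4089 4089) -
          RECORDS(850 60) -
          SHAREOPTIONS(2 3)) -
         DATA  (NAME(MQHLQ.QMGR.NEW.BSDS01.DATA)) -
         INDEX (NAME(MQHLQ.QMGR.NEW.BSDS01.INDEX))

  /* Copy the current BSDS only if the define succeeded.      */
  IF LASTCC = 0 THEN -
    REPRO INDATASET(MQHLQ.QMGR.BSDS01) -
          OUTDATASET(MQHLQ.QMGR.NEW.BSDS01)

  /* List the new cluster so the catalog entry can be checked */
  /* for the expected data class and encryption attributes.   */
  IF LASTCC = 0 THEN -
    LISTCAT ENTRIES(MQHLQ.QMGR.NEW.BSDS01) ALL
/*
```

The user ID that runs the job, and the queue manager's own user ID, need access to the key label for the define, the copy and later reads to succeed.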

 

We also set up some of our QMGR archive logs to exploit COMPACTION using zEDC hardware along with Data Set Encryption by defining a separate SMS data class that also specifies COMPRESSION = ZR.

 

To encrypt our MQ coupling facility (CF) structure data, we updated our CFRM policy to specify ENCRYPT(YES) for some of our administration and application structures. Once the CFRM policy was updated and activated, we rebuilt these structures to pick up the changes.

 

Please reference the following MQ documentation in IBM Knowledge Center, particularly the section "z/OS Data Set Encryption":

https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.0.0/com.ibm.mq.pro.doc/q004180_.htm

 

 

IBM IMS:

V2R2 & V2R3 Data Set Encryption and IBM IMS

Author: Bob Fantom

 

We tested IMS exploitation of Z Pervasive Encryption on z/OS V2R2 and z/OS V2R3 systems using an IMS V14 6-way datasharing IMSplex.

No IMS product APARs or PTFs were needed to support Z Pervasive Encryption.

 

zPET tested with the following IMS data sets encrypted:

  1. VSAM non-HALDB databases
  2. VSAM HALDB databases
  3. IMS online log data sets (OLDS)
  4. IMS system log data sets (SLDS)
  5. IMS image copy data sets
  6. CQS structure recovery data sets (SRDS)

Note: The extended addressability attribute is not supported for IMS data sets. We encountered the following error and set the extended addressability attribute to N in the data class to disable extended addressability:

 

IIEC031I D37-04,IFG0554P,IMS8,IMS8,DFSOLP00,7D73,SUBS9A,DBS8.IMS8.OLP0

 

zPET tested with the following IMS CF structures with CF structure data encryption enabled:

  1. IMS OSAM cache structure
  2. IMS VSAM cache structure
  3. IMS Full Function MSGQ structure
  4. IMS Fast Path MSGQ structure
  5. IMS virtual storage option (VSO) cache structures

 

For additional details of Z Pervasive Encryption and IMS support of Z Pervasive Encryption, please reference Data Set Encryption for IBM® z/OS® V2.2 Frequently Asked Questions: https://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/FQ131494

 

For IMS Data Set Encryption: https://www.ibm.com/support/knowledgecenter/en/SSEPH2_15.1.0/com.ibm.ims15.doc.sag/system_admin/ims_dataset_encryption.htm

 

 

 

CICS:

V2R2 & V2R3 Data Set Encryption and CICS

Author: Dan Roth

 

This topic discusses our experience with IBM CICS TS 5.3, z/OS V2R2 & V2R3, along with z14 hardware.                                                                                                        

 

To test in our environment, we defined several SMS data classes to accommodate a varied set of database files using either encryption or encryption and compression:     

 

  • VSAM RLS datasets for CICS OLTP workloads 
  • VSAM non-RLS datasets for CICS OLTP workloads 
  • VSAM RLS datasets for CICS VSAM batch workloads 
  • VSAM non-RLS datasets for CICS VSAM batch workloads 

 

We implemented CF structure data encryption on structures for RLSCACHE and CICS servers (temp storage, named counters, CF data tables) via the ENCRYPT(YES) CFRM policy parameter.                                                

 

We implemented encryption on CICS system log and VSAM forward recovery data sets.                                                            

 

We chose to also encrypt our CICS system datasets, even though not all of these may contain sensitive data in a production environment: DFHBRNSF, DFHDPFMB, DFHGCD, DFHINTRA, DFHLCD, DFHLRQ, DFHPIDIR, DFHTEMP, FILEA

 

For CICS Data Set Encryption: https://www.ibm.com/support/knowledgecenter/SSGMCP_5.4.0/configuring/cics/data-set-encryption-process.html