
Encrypting log, catalog, and directory data sets with z/OS DFSMS data set encryption

Db2 supports z/OS DFSMS data set encryption for log, catalog, and directory data sets using a key label for encryption and decryption.

Procedure

  1. (FL 502) Set the key label by choosing one of the following approaches:
    • Set the ENCRYPTION_KEYLABEL subsystem parameter value, then issue the SET SYSPARM command so that the new value takes effect. Db2 passes the ENCRYPTION_KEYLABEL value to DFSMS when it allocates new archive log data sets or catalog and directory data sets. If a key label is also specified in the RACF data set profile, the RACF key label overrides the key label that Db2 provides.
    • Set a key label in the RACF data set profile or in the DFSMS data class that protects the log, catalog, and directory data sets. DFSMS then encrypts every new data set that Db2 allocates under that profile or data class, for the following types of data sets:
      • Archive log data sets on disk
      • Catalog data sets
      • Directory data sets
  2. Run the REORG TABLESPACE utility against the catalog and directory table spaces. REORG writes each table space into a newly allocated data set, so the key label is applied on allocation.
    DSNDB01.SYSUTILX cannot be encrypted by running the REORG TABLESPACE utility; it is handled in the next step.
  3. Encrypt the DSNDB01.SYSUTILX directory table space by running the RECOVER utility followed by REBUILD INDEX(ALL).
  4. Allocate new active log data sets as encrypted.

    The user who allocates the active log data sets must specify a key label that Db2 is permitted to use, because it is Db2, not the allocating user, that later opens the data sets. The allocating user does not need access to that key label. For details, see Data Set Encryption.

  5. Identify the encrypted data sets as the new active log data sets using one of the following methods:
    • Issue the -STOP DB2 command, run DSNJU003 with a NEWLOG statement for each new data set, and restart Db2 to begin using the encrypted active log data sets.
    • Issue the -SET LOG NEWLOG command. The active log data set is immediately available for use without recycling Db2.

What to do next

To display the current key label information, you can:

  • (FL 502) Issue the DISPLAY ARCHIVE command for the archive log data sets that were allocated after the change.
  • (FL 502) Issue the DISPLAY LOG command for the active log data sets.
  • (FL 502) Issue the DISPLAY GROUP command to display the current ENCRYPTION_KEYLABEL subsystem parameter value.
  • Run the REPORT TABLESPACESET utility on the catalog and directory table spaces.
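The procedure above and the checks under "What to do next", worked through as one batch job. This is an added example, not JCL from the Db2 documentation or from IBM. Every name in it is an assumption: subsystem DB2A, high-level qualifier DSNC10, key label DB2A.DSN.KEY01 (assumed to exist already in the ICSF CKDS, with a CSFKEYS profile and RACF data set profiles already defined), the user ID DB2AUSR under which the Db2 address spaces run, an extended-format data class DB2XF, and volumes VOL001 and VOL002. It takes the RACF variant of step 1 and the -SET LOG NEWLOG variant of step 5; the alternatives are noted in comments.

```jcl
//DB2ENCR  JOB (ACCT),'DB2 DSN ENCRYPTION',CLASS=A,MSGCLASS=X
//*-------------------------------------------------------------------
//* Added example, not from the Db2 documentation. Every name here is
//* an assumption: subsystem DB2A, HLQ DSNC10, key label DB2A.DSN.KEY01
//* (already defined in the ICSF CKDS, CSFKEYS profile already exists),
//* Db2 address-space user ID DB2AUSR, extended-format data class
//* DB2XF, volumes VOL001/VOL002, RACF data set profiles already exist.
//*-------------------------------------------------------------------
//* Step 1 (RACF variant). Db2, not the job submitter, needs READ on
//* the key label, and only for DFSMS data set encryption. DATAKEY in
//* the DFP segment makes DFSMS encrypt every new data set the profile
//* covers and overrides the ENCRYPTION_KEYLABEL subsystem parameter.
//* (Alternative: ENCRYPTION_KEYLABEL=DB2A.DSN.KEY01 in the DSN6SPRM
//*  macro of DSNTIJUZ, then -SET SYSPARM RELOAD.)
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 RALTER CSFKEYS DB2A.DSN.KEY01 -
   ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))
 PERMIT DB2A.DSN.KEY01 CLASS(CSFKEYS) ID(DB2AUSR) ACCESS(READ) -
   WHEN(CRITERIA(SMS(DSENCRYPTION)))
 SETROPTS RACLIST(CSFKEYS) REFRESH
 ALTDSD 'DSNC10.ARCHLOG1.**' DFP(DATAKEY(DB2A.DSN.KEY01))
 ALTDSD 'DSNC10.ARCHLOG2.**' DFP(DATAKEY(DB2A.DSN.KEY01))
 ALTDSD 'DSNC10.DSNDB%.DSNDB06.**' DFP(DATAKEY(DB2A.DSN.KEY01))
 ALTDSD 'DSNC10.DSNDB%.DSNDB01.**' DFP(DATAKEY(DB2A.DSN.KEY01))
/*
//* Step 2. REORG SHRLEVEL REFERENCE writes each catalog/directory
//* table space into a newly allocated shadow data set, which DFSMS
//* now encrypts. Two table spaces shown; repeat for the rest, except
//* DSNDB01.SYSUTILX.
//REORG    EXEC DSNUPROC,SYSTEM=DB2A,LIB='DSNC10.SDSNLOAD',
//             UID='ENCR.REORG',UTPROC=''
//SYSIN    DD *
  REORG TABLESPACE DSNDB06.SYSTSTSP SHRLEVEL REFERENCE
        NOSYSREC SORTDEVT SYSDA SORTNUM 4
  REORG TABLESPACE DSNDB01.SPT01 SHRLEVEL REFERENCE
        NOSYSREC SORTDEVT SYSDA SORTNUM 4
/*
//* Step 3. SYSUTILX cannot be reorganized: RECOVER it (no other
//* utility may be running) and rebuild its indexes.
//SYSUTILX EXEC DSNUPROC,SYSTEM=DB2A,LIB='DSNC10.SDSNLOAD',
//             UID='ENCR.UTLX',UTPROC=''
//SYSIN    DD *
  RECOVER TABLESPACE DSNDB01.SYSUTILX
  REBUILD INDEX(ALL) TABLESPACE DSNDB01.SYSUTILX
/*
//* Step 4. New active log data sets, encrypted at allocation.
//* Encrypted VSAM data sets must be extended format, hence the data
//* class. The submitter names the key label but needs no CSFKEYS
//* access to it; Db2 is the user ID that opens the data sets.
//DEFLOG   EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  DEFINE CLUSTER (NAME(DSNC10.LOGCOPY1.DS05) LINEAR -
         DATACLASS(DB2XF) KEYLABEL(DB2A.DSN.KEY01) -
         SHAREOPTIONS(2 3) MEGABYTES(500) VOLUMES(VOL001))
  DEFINE CLUSTER (NAME(DSNC10.LOGCOPY2.DS05) LINEAR -
         DATACLASS(DB2XF) KEYLABEL(DB2A.DSN.KEY01) -
         SHAREOPTIONS(2 3) MEGABYTES(500) VOLUMES(VOL002))
/*
//* Step 5. Add the data sets to the active log without recycling Db2
//* (the outage variant is -STOP DB2, DSNJU003 with NEWLOG statements,
//* restart), then read the key labels back as "What to do next"
//* describes.
//SETLOG   EXEC PGM=IKJEFT01
//STEPLIB  DD DISP=SHR,DSN=DSNC10.SDSNLOAD
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 DSN SYSTEM(DB2A)
 -SET LOG NEWLOG(DSNC10.LOGCOPY1.DS05) COPY(1)
 -SET LOG NEWLOG(DSNC10.LOGCOPY2.DS05) COPY(2)
 -DISPLAY LOG
 -DISPLAY ARCHIVE
 -DISPLAY GROUP DETAIL
 END
/*
//* Key labels of the catalog and directory data sets:
//REPORT   EXEC DSNUPROC,SYSTEM=DB2A,LIB='DSNC10.SDSNLOAD',
//             UID='ENCR.RPT',UTPROC=''
//SYSIN    DD *
  REPORT TABLESPACESET TABLESPACE DSNDB06.SYSTSTSP
/*
```

The check a practitioner should not skip is the one in step 1: the PERMIT is granted to the Db2 address-space user ID, not to the administrator submitting the job, and it is restricted with WHEN(CRITERIA(SMS(DSENCRYPTION))) so the key can be used for data set encryption only. If the RACF profile, the IDCAMS KEYLABEL and ENCRYPTION_KEYLABEL disagree, the RACF profile wins, which is why -DISPLAY LOG and -DISPLAY ARCHIVE are run afterwards to confirm which label each data set actually received.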