Encrypting your data with z/OS DFSMS data set encryption

Db2 for z/OS uses z/OS DFSMS data set encryption to transparently encrypt Db2 data sets.

Requirements for using z/OS DFSMS data set encryption

Before you can use z/OS DFSMS data set encryption to encrypt Db2 data sets, make sure that your system meets the following requirements:

  • Required hardware is installed. For details, see Using the z/OS data set encryption enhancements.
  • ICSF and RACF, or equivalent security products, are installed.
  • The Db2 started task user ID and any user ID that is required to read from or write to an encrypted data set are permitted to use any key labels that are used to protect Db2 data sets.
  • Any key label that is used to protect Db2 data sets is defined on all the members of a data sharing group and on any backup systems that might read from or write to an encrypted data set.
  • Any user ID that is required to run any of the stand-alone utilities is authorized to use any key label that is used to protect Db2 data sets.
  • The prerequisite upgrades for your security product to support z/OS data set encryption are applied.
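
The key-label permissions in the list above could be granted in RACF as follows. This is an added example, not taken from the IBM sample procedure; it assumes RACF is the security product, and the key label DB2.DSENC.KEY01 and the user IDs DB2STC (Db2 started task) and UTILUSR (stand-alone utility user) are hypothetical names.

```racf
/* Added example. Hypothetical names:                               */
/*   DB2.DSENC.KEY01  key label protecting the Db2 data sets        */
/*   DB2STC           Db2 started task user ID                      */
/*   UTILUSR          user ID that runs stand-alone utilities       */

/* Define the key label profile with no default access and allow   */
/* ICSF to wrap the key as a CPACF protected key.                   */
RDEFINE CSFKEYS DB2.DSENC.KEY01 UACC(NONE) -
  ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))

/* Weaker form, shown commented out for comparison: unconditional   */
/* READ lets the ID use the key in any ICSF service call.           */
/* PERMIT DB2.DSENC.KEY01 CLASS(CSFKEYS) ID(DB2STC) ACCESS(READ)    */

/* Preferred form: the key is usable only when DFSMS accesses it    */
/* for data set encryption on behalf of the ID.                     */
PERMIT DB2.DSENC.KEY01 CLASS(CSFKEYS) ID(DB2STC) ACCESS(READ) -
  WHEN(CRITERIA(SMS(DSENCRYPTION)))
PERMIT DB2.DSENC.KEY01 CLASS(CSFKEYS) ID(UTILUSR) ACCESS(READ) -
  WHEN(CRITERIA(SMS(DSENCRYPTION)))

/* Activate the profile changes. */
SETROPTS RACLIST(CSFKEYS) REFRESH

/* Check the result: the standard and conditional access lists      */
/* should contain only the intended IDs.                            */
RLIST CSFKEYS DB2.DSENC.KEY01 AUTHUSER
```

On data sharing members or backup systems that do not share the same RACF database, the same profile and permissions have to be defined there as well.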

Considerations for using z/OS DFSMS data set encryption

  • When Db2 compression is enabled, compression is performed before encryption.
  • z/OS DFSMS data set encryption is supported for extended format linear data sets, extended format sequential data sets, and sequential basic and large format data sets. z/OS DFSMS APAR OA56622 must be applied for sequential basic and large format data set support.
  • DFSMS checks the Db2 address space ID's access to the key label only when the data set is opened.
  • In a disaster recovery situation, if the data has to be accessed at another physical site, the ICSF keys and RACF profiles at that site must be set up similarly to those at the originating site. The same rule applies to Db2 source and proxy sites in a GDPS® Continuous Availability with zero data loss solution environment. Refer to the Sample procedure for setting up z/OS DFSMS data set encryption for the procedure to configure ICSF and RACF.