How you configure the encryption on the log data sets.
Before you begin
Ensure that you have read:
About this task
This method uses the DFP segment of a RACF®
generic profile, so that you can use the encryption key for all new data sets that match the
profile. Alternatively, you can configure and use an SMS data class, or the key label can be
specified directly when allocating the data set.
As previously described, in this example,
queue manager CSQ1 is run under user QMCSQ1, and has active log data sets CSQ1.LOGS.LOGCOPY1.DS001,
CSQ1.LOGS.LOGCOPY1.DS002, and so on.
Procedure
- Create the generic profile if it does not exist, by issuing the following command:
ADDSD 'CSQ1.LOGS.*' UACC(NONE)
- Give the queue manager user ALTER access on the profile, by issuing the following command:
PERMIT 'CSQ1.LOGS.*' ID(QMCSQ1) ACCESS(ALTER)
Also, permit the appropriate access needed for any administrative user.
- Add the DFP segment with the encryption key label by issuing the following command:
ALTDSD 'CSQ1.LOGS.*' DFP(RESOWNER(QMCSQ1) DATAKEY(CSQ1DSKY))
- Refresh the generic data set profiles by issuing the following command:
SETROPTS GENERIC(DATASET) REFRESH
- Rename each log data set to a backup, then recreate and restore the data, using
IDCAMS. The following JCL fragment converts CSQ1.LOGS.LOGCOPY1.DS001:
- Rename the data set to a backup.
//RENAME EXEC PGM=IDCAMS,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
 /*-------------------------------------------------------------*/
 /* RENAME DATASET TO BACKUP                                    */
 /*-------------------------------------------------------------*/
 ALTER 'CSQ1.LOGS.LOGCOPY1.DS001' -
       NEWNAME('CSQ1.BAK.LOGS.LOGCOPY1.DS001')
- Redefine the data set.
The new data set will be encrypted due to the RACF profile.
Note: Replace ++EXTDCLASS++ with the name of the extended format data class you want to use for the data set.
//REDEFINE EXEC PGM=IDCAMS,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
 /*-------------------------------------------------------------*/
 /* REDEFINE THE DATASET                                        */
 /*-------------------------------------------------------------*/
 DEFINE CLUSTER -
        (NAME(CSQ1.LOGS.LOGCOPY1.DS001) -
        LINEAR -
        SHAREOPTIONS(2 3) -
        MODEL(CSQ1.BAK.LOGS.LOGCOPY1.DS001) -
        DATACLAS(++EXTDCLASS++))
- Copy the data from the backup into the recreated data set.
This step encrypts the data:
//RESTORE EXEC PGM=IDCAMS,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
 /*-------------------------------------------------------------*/
 /* RESTORE DATA INTO ENCRYPTED LOG                             */
 /*-------------------------------------------------------------*/
 REPRO INDATASET(CSQ1.BAK.LOGS.LOGCOPY1.DS001) -
       OUTDATASET(CSQ1.LOGS.LOGCOPY1.DS001)
What to do next
Repeat Step 5 for all active log data sets.
Only a single encryption key is required, and all data sets can be associated with the same key label.
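The following script is an added example, not part of the product documentation: it generates the Step 5 rename, redefine and restore steps for a list of log data sets, validating each name and keeping the IDCAMS statements in columns 2 to 72. The function names, step names, the COND=(0,NE) guard that bypasses later steps after a failure, and the sample data set list are assumptions of this example; a JOB statement must still be supplied.

```python
import re

# z/OS data set names: qualifiers of 1-8 characters, 44 characters in total.
QUALIFIER = re.compile(r"[A-Z#@$][A-Z0-9#@$-]{0,7}")

def check_dsn(dsn):
    """Return dsn if it is a valid data set name, else raise ValueError."""
    if len(dsn) > 44 or not all(QUALIFIER.fullmatch(q) for q in dsn.split(".")):
        raise ValueError(f"invalid data set name: {dsn}")
    return dsn

def backup_name(dsn):
    """CSQ1.LOGS.x -> CSQ1.BAK.LOGS.x, the backup naming used in Step 5."""
    hlq, rest = check_dsn(dsn).split(".", 1)
    return check_dsn(f"{hlq}.BAK.{rest}")

def idcams_step(name, commands, first=False):
    """One IDCAMS step; control statements start in column 2, end by column 72."""
    cond = "" if first else ",COND=(0,NE)"  # assumption: skip after any failure
    lines = [f"//{name:<8} EXEC PGM=IDCAMS,REGION=0M{cond}",
             "//SYSPRINT DD SYSOUT=*", "//SYSIN    DD *"]
    for cmd in commands:
        if len(cmd) > 71:
            raise ValueError(f"statement runs past column 72: {cmd}")
        lines.append(" " + cmd)
    return lines + ["/*"]

def convert_jcl(datasets, dataclas="++EXTDCLASS++"):
    """Rename, redefine and restore steps for every data set in the list."""
    jcl = []
    for n, dsn in enumerate(datasets, 1):
        bak = backup_name(dsn)
        steps = [
            (f"REN{n:03d}", [f"ALTER '{dsn}' -", f"  NEWNAME('{bak}')"]),
            (f"DEF{n:03d}", ["DEFINE CLUSTER -", f"  (NAME({dsn}) -", "  LINEAR -",
                             "  SHAREOPTIONS(2 3) -", f"  MODEL({bak}) -",
                             f"  DATACLAS({dataclas}))"]),
            (f"CPY{n:03d}", [f"REPRO INDATASET({bak}) -", f"  OUTDATASET({dsn})"]),
        ]
        for name, cmds in steps:
            jcl += idcams_step(name, cmds, first=not jcl)
    return "\n".join(jcl)

# Constructed sample list following the naming in this topic.
LOGS = [f"CSQ1.LOGS.LOGCOPY1.DS{d:03d}" for d in (1, 2, 3)]

if __name__ == "__main__":
    print(convert_jcl(LOGS))
```

Because the backup name adds a qualifier, a log data set name longer than 40 characters is rejected before any JCL is produced.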
Restart queue manager CSQ1. Use the output from the DISPLAY LOG command to verify
that the log data sets have been encrypted.