IMS encryption and decryption
Encryption and decryption follow a processing flow that is specific to the IMS™ environment, and that environment imposes several restrictions and considerations, which are described in this topic.
IMS encryption
The following figure shows the components and processing flow for data encryption in an IMS environment.

As shown in the previous figure, the IMS data encryption process consists of these steps:
- The IMS application program passes a segment REPL, ISRT, or LOAD request to the IMS control region.
- IMS loads the encryption exit routine, which is a Segment Edit/Compression exit routine that is specified in the COMPRTN parameter of the SEGM statement of the DBD. IMS passes the segment to this exit routine.
- The encryption exit routine calls Integrated Cryptographic Service Facility (ICSF) services, passing the cryptographic key label and the segment.
- ICSF encrypts the segment under the key that the label identifies and returns the encrypted segment to the encryption exit routine, which passes it back to IMS.
- IMS puts the encrypted segment in the database.
IMS decryption
The following figure shows the components and processing flow for data decryption in the IMS environment.

As shown in the previous figure, the IMS decryption process consists of these steps:
- The IMS application program passes the segment GET request to the IMS control region.
- IMS loads the encryption exit routine, which is a Segment Edit/Compression exit routine that is specified in the COMPRTN parameter of the SEGM statement of the DBD.
- IMS retrieves the encrypted segment from the database and passes it to the encryption exit routine.
- The exit routine calls ICSF services, passing the cryptographic key label and the encrypted segment.
- When the segment has been successfully decrypted, ICSF returns the clear segment to the encryption exit routine, which passes it back to IMS.
- IMS passes the decrypted segment back to the application.
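Both flows above depend on the COMPRTN parameter of the SEGM statement, and the "IMS considerations" below note that every distinct key label needs its own exit routine. As an added example, not taken from the original page or from the product's documentation, here is a DBDGEN job for a hypothetical HDAM database with two segments, each tied through COMPRTN to its own Segment Edit/Compression exit routine, so that the two segments are encrypted under different key labels. The database, segment, field, data set and exit routine names (EMPDBD, EMPROOT, SAL, EMPDDS, EMPXIT1, SALXIT2) are assumptions for illustration; the exit routines are assumed to have been generated by InfoSphere Guardium Data Encryption, each with its own key label, and to reside in an APF-authorized library that the IMS control region can load from. The job card is left to the installation.

```jcl
//EMPDBD   JOB (ACCT),'DBDGEN EMPDBD',CLASS=A,MSGCLASS=X
//* DBDGEN is the IMS-supplied procedure; step C assembles the DBD source.
//GEN      EXEC PROC=DBDGEN,MBR=EMPDBD
//C.SYSIN  DD *
         DBD   NAME=EMPDBD,ACCESS=(HDAM,OSAM),RMNAME=(DFSHDC40,5,1000)
         DATASET DD1=EMPDDS,DEVICE=3390
*        Root segment: EMPXIT1 (assumed name) encrypts the segment data
*        under its own key label before IMS writes the segment.
         SEGM  NAME=EMPROOT,PARENT=0,BYTES=200,COMPRTN=(EMPXIT1,DATA)
         FIELD NAME=(EMPNO,SEQ,U),BYTES=6,START=1,TYPE=C
*        Child segment: SALXIT2 (assumed name) is a separate exit built
*        for a second key label, as the considerations below require.
         SEGM  NAME=SAL,PARENT=EMPROOT,BYTES=50,COMPRTN=(SALXIT2,DATA)
         FIELD NAME=(SALYR,SEQ,U),BYTES=4,START=1,TYPE=C
         DBDGEN
         FINISH
         END
/*
```

DATA rather than KEY is specified on COMPRTN so that only the segment data portion is passed to the exit and the sequence field stays in the clear for IMS positioning; an HDAM database is used here because, as the restrictions below state, index databases cannot carry a COMPRTN parameter at all. Each SEGM names exactly one exit routine, which is why a segment that already uses a compression exit must switch to the exit driver supplied with the product.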
IMS restrictions
The following restrictions apply to using InfoSphere® Guardium Data Encryption in an IMS environment:
- An IMS segment can be associated with only one Segment Edit/Compression exit routine. If your IMS segment is already associated with a Segment Edit/Compression exit routine and you want to implement InfoSphere Guardium Data Encryption, you must use the exit driver that is supplied with this product.
- HIDAM index databases cannot be encrypted. IMS does not allow the COMPRTN parameter, and therefore a Segment Edit/Compression exit routine, to be specified in the DBD of an index database.
- A cryptographic key data set (CKDS) that was initialized on a z990 or later processor that has the CPACF cannot be used on a z900 or earlier processor that has the CCF.
- InfoSphere Guardium Data Encryption generates Segment Edit/Compression exit routines that support AES key lengths of 128, 192, and 256 bits. However, the type of IBM® mainframe server determines which of these key lengths is supported, and in what form (hardware or software).
IMS considerations
The following considerations apply to using InfoSphere Guardium Data Encryption in an IMS environment:
- When you install and initialize ICSF, consider setting the CHECKAUTH installation option to NO. With CHECKAUTH(YES), ICSF performs SAF (for example, RACF) authorization checking of callers that run in supervisor state or with a system key, which includes the IMS control region, on every service call; this adds considerable CPU path length. With CHECKAUTH(NO) that checking is skipped for those callers, so weigh the CPU savings against your auditing requirements. Setting the KEYAUTH installation option to YES also adds CPU path length, because ICSF checks the CSFKEYS profile for the key label on each use. If the CSFKEYS class is RACLISTed, the profiles are checked from in-storage copies and the additional path length is shortened.
- Depending on your security requirements, you can define a different cryptographic key label for each segment that you need to protect. Cryptographic key labels are set up by your security analyst. A separate encryption exit routine must be built for each cryptographic key label that you define, so balance your security requirements against the increased maintenance of multiple encryption exit routines.
- The first time that you use Segment Edit/Compression exit routines at your installation, your system programmer must provide APF authorization for the exit library. If you are already using Segment Edit/Compression exit routines, ensure that the encryption exit routines are stored in an APF-authorized exit library.
- The IMS control region loads IMS Segment Edit/Compression exit routines below the 16 MB line. Defining many different exit routines (for example, one for each key label) can therefore cause storage problems in the IMS control region.
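As an added example of the CSFKEYS consideration above (not from the original page), the following TSO batch job defines a CSFKEYS profile for one cryptographic key label, permits the user ID under which the IMS control region runs to use that label, and activates RACLIST processing for the class so that the per-call checks made when KEYAUTH(YES) is in effect are satisfied from in-storage profiles. The key label IMS.EMPDBD.KEY01, the user ID IMSCTL, and the job card are assumptions; the label must match the one compiled into the corresponding encryption exit routine, and the same steps are repeated for every additional label.

```jcl
//CSFKEYS  JOB (ACCT),'CSFKEYS FOR IMS',CLASS=A,MSGCLASS=X
//* Run the RACF commands under the TSO terminal monitor program.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* Profile name is the ICSF key label (assumed label).            */
  /* UACC(NONE): no user may reference the key unless permitted.    */
  RDEFINE  CSFKEYS IMS.EMPDBD.KEY01 UACC(NONE)
  /* Only the IMS control region's user ID (assumed IMSCTL) needs   */
  /* READ, because the exit routine runs in that address space.     */
  PERMIT   IMS.EMPDBD.KEY01 CLASS(CSFKEYS) ID(IMSCTL) ACCESS(READ)
  /* Activate the class and keep its profiles in storage so the     */
  /* KEYAUTH(YES) check on each ICSF call avoids a database I/O.    */
  SETROPTS CLASSACT(CSFKEYS) RACLIST(CSFKEYS)
  /* Refresh the in-storage copy after any profile or PERMIT change.*/
  SETROPTS RACLIST(CSFKEYS) REFRESH
/*
```

The REFRESH at the end matters operationally: once CSFKEYS is RACLISTed, a new RDEFINE or PERMIT is not seen by ICSF until the in-storage profiles are refreshed, which otherwise shows up as unexpected ICSF authorization failures on the first REPL, ISRT or GET that drives the exit routine.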
