Encrypting online log data sets (OLDS)
You can encrypt OLDS with IMS shutdown and restart. If the OLDS are specified in DD statements in the IMS control region JCL (that is, the OLDS are not dynamically allocated), you must shut down and restart IMS as part of the procedure. To encrypt OLDS without IMS shutdown and restart, either encrypt one data set at a time if you are using only 1 online log data set or more than 50 OLDS, or encrypt a set of OLDS at a time if the number of OLDS is more than 1 but not greater than 50.
- Encrypting OLDS with IMS shutdown and restart
- Encrypting one OLDS at a time without IMS shutdown and restart
- Encrypting a set of OLDS (2-50) without IMS shutdown and restart
Encrypting OLDS with IMS shutdown and restart
- Create a set of encrypted OLDS with key labels: one OLDS for each existing OLDS in the set that is used by IMS. The new OLDS must have the same attributes as the current OLDS. They must be extended format data sets.
- Preformat each new OLDS data set as described in Formatting newly initialized (reinitialized) volumes for an OLDS. One way to preformat is to copy an existing full online log data set into one of the new encrypted OLDS. Then, copy the newly encrypted data set into all other new OLDS. This method ensures that all blocks in the new OLDS are initialized.
- If IMS is active, issue /CHE FREEZE and ensure that IMS shuts down normally. Ensure that all log archive jobs complete successfully.
- Remove the PRIOLD/SECOLD entries from DBRC by using the DSPURX00 utility with the following command issued for every online log data set:
DELETE.LOG OLDS(DFSOLPxx) SSID(imsid)
Specify the LASTCLOS parameter for the last OLDS that was active when you shut down IMS:
DELETE.LOG OLDS(DFSOLPxx) SSID(imsid) LASTCLOS
If dual OLDS are being used, this command removes both the PRIOLD and SECOLD entries from DBRC.
- Rename the original OLDS data sets to a backup name, and rename the new encrypted OLDS to the original OLDS data set names.
- Warm start IMS (SLDS is used during restart).
- Delete the old OLDS data sets when you complete the migration and confirm that all is operating correctly.
Encrypting one OLDS at a time without IMS shutdown and restart
This method requires that you use dynamic allocation for the OLDS because the old OLDS are deleted or renamed in the procedure and the encryption fails if the control region has an online log data set allocated.
Perform the following steps to migrate one OLDS at a time without shutdown and restart:
- Create one new encrypted OLDS or a new set of encrypted OLDS with key labels: one for each existing data set that is used by IMS. The new OLDS must have the same attributes as the current OLDS. They must be extended format data sets.
- Preformat each new online log data set as described in Formatting newly initialized (reinitialized) volumes for an OLDS. One way is to copy an existing full online log data set into one of the newly encrypted OLDS. Then, copy the newly encrypted data set into all other new OLDS. This method ensures that all blocks in the new OLDS are initialized.
- Wait until a current online log data set fills and IMS switches to the next data set, or issue the /SWI OLDS command to force an immediate switch. Then, perform the following steps for the OLDS that you switched from:
  - Wait until log archiving completes for the switched-from OLDS.
  - Issue the /STO OLDS nn command for the switched-from OLDS.
  - Delete the OLDS from DBRC by removing the PRIOLD/SECOLD entries by using one of the following commands (DSPURX00 utility or online command):
    /DELETE.LOG OLDS(DFSOLPxx) SSID(imsid) LASTCLOS or /RMD DBRC='LOG OLDS(DFSOLPxx) SSID(imsid) LASTCLOS'
    Note: If dual OLDS are being used, this command removes both the PRIOLD and SECOLD entries from DBRC.
  - Rename the old OLDS to another name. Rename both the primary and secondary OLDS that are switched from if you are using dual OLDS logging.
  - Rename the newly encrypted OLDS data set to the old OLDS data set name. Rename both the primary and secondary OLDS if you are using dual OLDS logging.
  - Issue the /STA OLDS nn command to start using the encrypted OLDS.
- Repeat step 3 for each OLDS until all OLDS are encrypted.
- You can delete the old OLDS when you complete the migration and confirm that all is operating correctly.
Encrypting a set of OLDS (2-50) without IMS shutdown and restart
IMS can use a maximum of 100 OLDS, which are numbered 0-99. If an IMS subsystem is using OLDS 0-20, then these OLDS are considered the original set. You define another set of OLDS, 21-41, as the extra set. You do not need to have each data set in the extra set already identified in the OLDSDEF statement in the DFSVSMxx IMS.PROCLIB member. Perform the following steps to migrate a set of non-encrypted OLDS to a set of encrypted OLDS while IMS is active:
- Create a set of extra OLDS with key labels. The new OLDS must have the same block size as the current OLDS. They must be extended format data sets.
- Preformat each new OLDS data set as described in Formatting newly initialized (reinitialized) volumes for an OLDS. One way is to copy an existing full OLDS into one of the new encrypted OLDS data sets. Then, copy the newly encrypted data set into all other new OLDS. This method ensures that all blocks in the new OLDS are initialized.
- Create DFSMDA members for each new extra OLDS. If dual OLDS are being used, ensure that MDA members also exist for each secondary online log data set. The syntax for the DFSMDA statement for OLDS is:
  DFSMDA TYPE=OLDS,DSNAME=dsname,DDNAME=DFSOLxnn
  Refer to DFSMDA macro for more information about the DFSMDA statement.
- Issue /STA OLDS nn commands for each extra online log data set that was defined.
- Issue /SWI OLDS commands repeatedly until the first one of the newly encrypted extra set of OLDS is in use by IMS.
- Issue /STO OLDS nn commands for each of the original OLDS.
- Remove the PRIOLD/SECOLD entries for each original online log data set from DBRC by using one of the following commands (DSPURX00 utility or online command):
  /DELETE.LOG OLDS(DFSOLPxx) SSID(imsid) or /RMD DBRC='LOG OLDS(DFSOLPxx) SSID(imsid)'
  Specify the LASTCLOS parameter for the last online log data set that you stopped by using one of the following commands:
  /DELETE.LOG OLDS(DFSOLPxx) SSID(imsid) LASTCLOS or /RMD DBRC='LOG OLDS(DFSOLPxx) SSID(imsid) LASTCLOS'
  If dual OLDS are being used, this command removes both the PRIOLD and SECOLD entries from DBRC.
- Delete or rename and then redefine each original online log data set with a KEYLABEL and pre-format it as in step 2.
- Issue /STA OLDS nn commands for each original online log data set.
- All the OLDS are encrypted. If you want to remove the extra set of OLDS from being used by IMS, issue /STO OLDS x commands for each of the data sets. Do not delete them from DBRC.
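
The command ordering of steps 3-9 of the set procedure above, as an added example (not IBM-supplied code): a small planner that validates the OLDS numbers and emits the DFSMDA statements and online commands in sequence, with LASTCLOS only on the last OLDS stopped. The data set prefix `IMS1.ENC`, the IMS ID, and the choice to stop the original OLDS in ascending order are assumptions made for illustration.

```python
MAX_OLDS = 100  # from the page: at most 100 OLDS, numbered 0-99


def plan_set_migration(original, extra, imsid, dual=False, hlq="IMS1.ENC"):
    """Return the ordered commands for the 2-50 OLDS procedure.

    original/extra are iterables of OLDS numbers; hlq is a made-up data
    set prefix for the new encrypted OLDS (assumption, not from the page).
    """
    original, extra = sorted(set(original)), sorted(set(extra))
    if not 2 <= len(original) <= 50:
        raise ValueError("set method applies to 2-50 OLDS")
    if not extra or set(original) & set(extra):
        raise ValueError("extra set must be non-empty and disjoint")
    if any(not 0 <= n < MAX_OLDS for n in original + extra):
        raise ValueError("OLDS numbers must be 0-99")

    sides = "PS" if dual else "P"  # DFSOLPnn primary, DFSOLSnn secondary
    plan = []
    # Step 3: one DFSMDA member per new ddname (both sides if dual logging).
    for n in extra:
        for x in sides:
            dd = f"DFSOL{x}{n:02d}"
            plan.append(f"DFSMDA TYPE=OLDS,DSNAME={hlq}.{dd},DDNAME={dd}")
    # Step 4: make the extra (encrypted) OLDS available to IMS.
    plan += [f"/STA OLDS {n:02d}" for n in extra]
    # Step 5: the operator repeats this until an extra OLDS is in use.
    plan.append("/SWI OLDS")
    # Step 6: stop every original OLDS (ascending order is our choice).
    plan += [f"/STO OLDS {n:02d}" for n in original]
    # Step 7: DBRC cleanup; LASTCLOS only on the last OLDS stopped.
    # One command per OLDS also removes the SECOLD entry when dual.
    for n in original:
        last = " LASTCLOS" if n == original[-1] else ""
        plan.append(f"/RMD DBRC='LOG OLDS(DFSOLP{n:02d}) SSID({imsid}){last}'")
    # Step 8 (redefine originals with a KEYLABEL and preformat them) is
    # done outside IMS; step 9 restarts the originals.
    plan += [f"/STA OLDS {n:02d}" for n in original]
    return plan


if __name__ == "__main__":
    for line in plan_set_migration(range(0, 3), range(3, 6), "IMS1", dual=True):
        print(line)
```

Steps 1, 2 and 8 (allocating the encrypted extended format data sets and preformatting them) are not generated; complete them before issuing the commands that depend on them.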