Overflow sequential access method (OSAM) data set encryption

Install PH16682/UI67505 to enable OSAM data set z/OS encryption, which allows you to enhance security without changes to applications and to reduce outages.

IMS OSAM database data sets can be defined as physical sequential data sets that are accessed by the IMS custom I/O driver code or as VSAM linear data sets (OSAM LDSs) that are accessed through IBM Media Manager services.

The database processing for an OSAM database is the same regardless of which physical format is used. This means that an OSAM database that uses a VSAM LDS as its physical data set is still an OSAM database, not a VSAM database. When OSAM is used to access VSAM linear data sets (LDSs), the data is stored in the OSAM buffer pool. Check your OSAM buffer pool definitions (IOBF) to ensure there are enough buffers to hold these data sets.

OSAM physical sequential data sets cannot be encrypted by using z/OS data set encryption. However, OSAM LDS data sets can be encrypted using z/OS data set encryption if you specify a key label when the data set is defined.

With this APAR, you can also exploit other enhancements that are made available through Media Manager. This enhancement offers additional security benefits. For example, support personnel can have the authority to back up OSAM data sets without being given the ability to decrypt the data. This can be done without changes to applications, and in some cases, without database outages.

Prerequisites

You must have the following prerequisites before you start the process:
  • IMS 15.2 with PH16682/UI67505.
  • z/OS 2.2 with APAR OA50569 and dependent APARs installed, or z/OS 2.3 and later.
  • z196 and Crypto Express 3 or later.
  • All OSAM LDS-related APARs are flagged with the IMSOSAMLDS/K fixcat keyword. IBM recommends that you install any APARs with this keyword before using OSAM linear data sets.

Encrypting an OSAM data set

To encrypt OSAM database data sets, define them as VSAM extended format linear data sets (LDSs) and specify a key label. Other IMS OSAM data sets, such as Queue Manager (QMGR) or recovery data sets (RDS), cannot be encrypted by using z/OS data set encryption.

To encrypt an OSAM data set, follow these general steps:
  1. Change the definition of the OSAM data set into a VSAM LDS.
  2. When you create an OSAM data set, assign a key label to it by using one of the following methods:
    • RACF data set profile
    • JCL, dynamic allocation, TSO ALLOCATE, IDCAMS DEFINE
    • SMS data class
  3. Use HALDB online reorganization (or offline unload and reload) to convert to the encrypted data sets.

No application changes are required. Any program that accesses an OSAM data set continues to work with the encrypted OSAM data sets that are defined as VSAM LDS. Data stored in encrypted OSAM data sets is processed the same way as data in non-VSAM OSAM data sets.

Restrictions

VSAM linear data sets require a CI size that is a multiple of 4096 and from a minimum of 4096 to a maximum of 32786 bytes.

Any OSAM physical sequential data sets that use a block size smaller than 4096 bytes must be changed to a CI size of at least 4096 bytes when converted to OSAM LDS. This can affect current buffer pool definitions and randomization parameters for HDAM databases. Check that the rbn parameter times the new CI size does not exceed the OSAM data set maximum of 8 GB (or 4 GB for OLR-capable PHDAM HALDBs).

IMS OSAM data sets that are not defined as VSAM LDSs, such as OSAM databases using sequential data sets, Queue Manager (QMGR) data sets, and recovery data sets (RDS), cannot be encrypted by using z/OS data set encryption.
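
The restrictions above and the key-label step of the procedure can be combined into a pre-conversion review of a data set inventory. The following Python script is an added example, not part of the IBM documentation or of IMS; the record layout, data set names and key label are constructed placeholders. It assumes that 1 GB is 2**30 bytes and that the new CI size is the smallest multiple of 4096 that holds the current block size.

```python
import math
from dataclasses import dataclass

CI_STEP = CI_MIN = 4096   # CI size: multiple of 4096, minimum 4096 (from the page)
CI_MAX = 32786            # maximum exactly as the page states it
GB = 2**30                # assumption: the page's "GB" is 2**30 bytes

@dataclass
class OsamDataSet:        # hypothetical inventory record, not an IMS structure
    name: str
    kind: str             # "database", "qmgr" or "rds"
    block_size: int       # current physical sequential block size
    rbn: int = 0          # rbn randomization parameter (HDAM/PHDAM), else 0
    olr_phdam: bool = False   # OLR-capable PHDAM HALDB: 4 GB limit, else 8 GB
    key_label: str = ""   # key label planned for the LDS definition

def planned_ci_size(block_size):
    """Assumed sizing rule: smallest multiple of 4096 holding the block size."""
    return max(CI_MIN, math.ceil(block_size / CI_STEP) * CI_STEP)

def check(ds):
    """Return finding codes with text; an empty list means no issue found."""
    if ds.kind != "database":
        return ["NOT_ENCRYPTABLE: only OSAM database data sets defined as LDS qualify"]
    findings = []
    ci = planned_ci_size(ds.block_size)
    if ci > CI_MAX:
        findings.append(f"CI_TOO_LARGE: {ci} exceeds the maximum CI size")
    if ci != ds.block_size:
        findings.append(f"CI_CHANGED: {ds.block_size} -> {ci}, review IOBF "
                        "buffer pools and randomization parameters")
    limit = (4 if ds.olr_phdam else 8) * GB
    if ds.rbn * ci > limit:
        findings.append(f"SIZE_LIMIT: rbn x CI = {ds.rbn * ci} exceeds {limit}")
    if not ds.key_label:
        findings.append("NO_KEY_LABEL: the LDS would be defined without encryption")
    return findings

# Constructed inventory; names and key label are placeholders.
INVENTORY = [
    OsamDataSet("IMS.DB1.OSAM", "database", 2048, 1_000_000, False, "EXAMPLE.KEY.LABEL"),
    OsamDataSet("IMS.DB2.OSAM", "database", 8192, 600_000, True, "EXAMPLE.KEY.LABEL"),
    OsamDataSet("IMS.DB3.OSAM", "database", 4096, 1_000),
    OsamDataSet("IMS.QBLKS", "qmgr", 4096),
]

if __name__ == "__main__":
    for ds in INVENTORY:
        print(ds.name, check(ds) or "ready to define as encrypted LDS")
```

The NO_KEY_LABEL finding matters most for a security review: an LDS defined without a key label is converted successfully but is not encrypted.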

Log record changes

In the X’62’ log record, the 1-byte field LIOESTYP is updated to indicate that the log record is for an OSAM I/O error reported by Media Manager.

Trace record changes

In the DL/I trace record, new trace entries were created to follow OSAM I/O activity when using Media Manager:
  • X’63’: OSAM MEDIA MANAGER I/O START
  • X’64’: OSAM MEDIA MANAGER I/O POST
  • X’65’: OSAM MEDIA MANAGER OPEN/CLOSE/EOV.

Documentation changes

The following table lists the publications that contain new or changed topics for this enhancement. Publications that are not impacted by this enhancement are not included in the table.

Table 1. Links to topics that have new or changed content for this enhancement
Publication New or changed topics
Release planning
Messages and Codes, Volume 1: DFS Messages
Database Utilities
Diagnosis
Commands, Volume 3: IMS Component and z/OS Commands
Database Administration Guide
System Administration Guide
System Definition
System Utilities