Overflow sequential access method (OSAM) data set encryption

Install PH16682/UI67505 to enable OSAM data set z/OS encryption, which allows you to enhance security without changes to applications and to reduce outages.

IMS OSAM database data sets can be defined as physical sequential data sets that are accessed by the IMS custom I/O driver code or as VSAM linear data sets (OSAM LDSs) that are accessed through IBM Media Manager services.

The database processing for an OSAM database is the same regardless of which physical format is used. This means that an OSAM database that uses a VSAM LDS as its physical data set is still an OSAM database, not a VSAM database. When using OSAM to access VSAM Linear data sets (LDS), the data is stored in the OSAM buffer pool. Check your OSAM buffer pool definitions (IOBF) to ensure there are enough buffers to hold these data sets.

OSAM physical sequential data sets cannot be encrypted by using z/OS data set encryption. However, OSAM LDS data sets can be encrypted using z/OS data set encryption if you specify a key label when the data set is defined.

With this APAR, you can also exploit other enhancements that are made available through Media Manager. This enhancement offers additional security benefits. For example, support personnel can have the authority to back up OSAM data sets without being given the ability to decrypt the data. This can be done without changes to applications, and in some cases, without database outages.


You must have the following prerequisites before you start the process:
  • IMS 15.2 with PH16682/UI67505.
  • z/OS 2.2 with APAR OA50569 and dependent APARs installed, or z/OS 2.3 and later.
  • z196 and Crypto Express 3 or later.
  • All OSAM LDS-related APARs are flagged with the IMSOSAMLDS/K fixcat keyword. IBM recommends that you install any APARs with this keyword before using OSAM linear data sets.

Encrypting an OSAM data set

To encrypt OSAM database data sets, define them as VSAM extended format linear data sets (LDSs) and specify a key label. Other IMS OSAM data sets, such as Queue Manager (QMGR) or recovery data sets (RDS), cannot be encrypted by using z/OS data set encryption.

To encrypt an OSAM data set, follow these general steps:
  1. Change the definition of the OSAM data set into a VSAM LDS.
  2. When you create an OSAM data set, assign a key label to it by using one of the following methods:
    • RACF data set profile
    • JCL, dynamic allocation, TSO ALLOCATE, IDCAMS DEFINE
    • SMS data class
  3. Use HALDB online reorganization (or offline unload and reload) to convert to the encrypted data sets.

No application changes are required. Any program that accesses an OSAM data set continues to work with the encrypted OSAM data sets that are defined as VSAM LDS. Data stored in encrypted OSAM data sets are processed the same way as non-VSAM OSAM data sets.


VSAM linear data sets require a CI size that is a multiple of 4096 and from a minimum of 4096 to a maximum of 32786 bytes.

Any OSAM physical sequential data sets that use a block size smaller than 4096 bytes must be changed to a CI size of at least 4096 bytes when converted to OSAM LDS. This can affect current buffer pool definitions and randomization parameters for HDAM databases. Check that the rbn parameter times the new CI size does not exceed the OSAM data set maximum of 8 GB, (or 4 GB for OLR-capable PHDAM HALDBs).

IMS OSAM data sets that are not defined as VSAM LDSs, such as OSAM databases using sequential data sets, Queue Manager (QMGR) data sets, and recovery data sets (RDS), cannot be encrypted by using z/OS data set encryption.

Log record changes

In the x’62’ log record, the 1-byte field LIOESTYP is updated to indicate that the log record is for an OSAM I/O error reported by Media Manager.

Trace record changes

In the DL/I trace record, new trace entries were created to follow OSAM I/O activity when using Media Manager:

Documentation changes

The following table lists the publications that contain new or changed topics for the new function name enhancement. Publications that are not impacted by this enhancement are not included in the table.

Table 1. Links to topics that have new or changed content for this enhancement
Publication New or changed topics
Release planning
Messages and Codes, Volume 1: DFS Messages
Database Utilities
Commands, Volume 3: IMS Component and z/OS Commands
Database Administration Guide
System Administration Guide
System Definition
System Utilities