Encrypting OSAM sequential data sets
To use z/OS encryption for OSAM data sets, you must convert the OSAM data sets to VSAM linear data sets (LDSs). You can convert full-function OSAM database linear data sets for HALDB, non-HALDB, OLR-capable, or not OLR-capable.
- IMS 15.2 with PH16682/UI67505.
- z/OS 2.2 with APAR OA50569 and dependent APARs installed, or z/OS 2.3 and later.
- z196 and Crypto Express 3 or later.
- All OSAM LDS-related APARs are flagged with the IMSOSAMLDS/K fixcat keyword. IBM recommends that you install any APARs with this keyword before using OSAM linear data sets.
- Physical sequential data sets that are accessed by the IMS custom I/O driver code
- VSAM linear data sets (OSAM LDS) that are accessed through IBM Media Manager services
The database processing for an OSAM database is the same regardless of which physical format is used. This means that an OSAM database that uses a VSAM LDS as its physical data set is still an OSAM database, not a VSAM database.
OSAM physical sequential data sets cannot be encrypted by using z/OS data set encryption. However, OSAM LDSs can be encrypted using z/OS data set encryption if you specify a key label when the data set is defined.
To use z/OS encryption, you must first convert the OSAM data sets to VSAM linear data sets. Then, you must add a key label parameter to the data set definition.
The data sets must be in EXTENDED FORMAT, and if the data set is to extend beyond the 4 GB limit, it must also be EXTENDED ADDRESSABILITY. A DATACLAS can be used to define these attributes. The data class can also have the KEYLABEL defined to avoid defining the KEYLABEL on every data set. The encryption will be done as the data is copied into data sets with these correct attributes.
This process can be used to migrate OSAM to VSAM data sets whether the data sets are encrypted or not. The encryption can be done at a different time than when the conversion to LDS is done, but it will involve a second migration from an unencrypted LDS data set to an encrypted one.
- Convert online by using the Online Reorganization command; this is for OLR-capable HALDB only.
- Convert offline by using the standard reorganization utilities; this can be use for all OSAM databases.
No application changes are required. Any application that accesses an OSAM data set continues to work with the encrypted OSAM data sets that are defined as VSAM LDS. Data that is stored in encrypted OSAM data sets is processed the same way as non-VSAM OSAM data sets.
VSAM linear data sets require a CI size that is a multiple of 4096 and from a minimum of 4096 to a maximum of 32786 bytes. If you use DFSUDMP0, you must choose a smaller block size as the utility adds a 15 byte prefix to each image copy output record which cannot exceed 32767.
Any OSAM physical sequential data sets that use a block size smaller than 4096 bytes must be changed to a CI size of at least 4096 bytes when converted to OSAM LDS. This can affect current buffer pool definitions and randomization parameters for HDAM databases. Check that the rbn parameter times the new CI size does not exceed the OSAM data set maximum of 8 GB, (or 4 GB for OLR-capable PHDAM HALDBs).
IMS OSAM data sets that are not defined as VSAM LDSs, such as OSAM databases using sequential data sets, Queue Manager (QMGR) data sets, and recovery data sets (RDS), cannot be encrypted by using z/OS data set encryption.