Data set encryption support for IMS
z/OS data set encryption is available on z/OS 2.3 and later and on z/OS 2.2 after APAR OA50569 and dependent APARs are installed.
You can encrypt data sets that are accessed by DFSMS access methods by using z/OS data set encryption. Define the data sets as SMS-managed extended format data sets with a key label associated with them. You can associate a key label with a data set in any of the following ways:
- Create SAF rules that associate a key label with a data set name pattern by using the DATAKEY parameter of the DFP RACF segment.
- Specify a key label by using JCL, dynamic allocation, or TSO allocate (DSKEYLBL parameter).
- Specify a key label on the IDCAMS DEFINE command (KEYLABEL parameter).
- Use the DATACLAS parameter with a key label that is associated with it.
The order in which the methods are listed is the order of precedence. For example, if you have a SAF rule that matches the data set that is being created and you also specify a key label on the DSKEYLBL parameter of the JCL DD statement, the SAF key label is used. For more information on data set encryption, see APAR OA50569: z/OS Data Set Encryption.
Existing data sets must be copied into a new extended format data set that is defined with a key label to become encrypted. Existing data sets do not become encrypted just because a key label is added to their DATACLAS or because a RACF rule associates a key label with them.
Access to the key label is checked by using SAF access rules when a data set is opened. The user ID of the address space in which the open operation occurs is checked for access to the key label resource in the CSFKEYS class. The user ID must have READ authority to the key label resource in the CSFKEYS class to be able to access the encryption key for reading from and writing to the encrypted data set.
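The following job is an added example and is not part of this IMS documentation; it walks through the setup the preceding paragraphs describe in one place: a RACF step that protects the key label in CSFKEYS, grants READ to the user IDs of the IMS address spaces that will open the data set, and creates a SAF DATAKEY rule; an IDCAMS step that defines a new SMS-managed extended format VSAM cluster with KEYLABEL and copies the existing unencrypted cluster into it with REPRO; and an IEBGENER step that copies a sequential (GSAM-style) data set into a new extended format data set using DSKEYLBL on the DD statement. Every name in it (the job name, user IDs IMSCTL and IMSBATCH, key label IMS.DB.KEY01, data set names, data class EXTFMT, storage class IMSSC, and the VSAM attributes) is a placeholder assumed for the example, and the ICSF segment and FACILITY profile mentioned in the comments are standard z/OS data set encryption prerequisites that this page does not cover.

```jcl
//ENCRDB   JOB (ACCT),'IMS DS ENCRYPT',CLASS=A,MSGCLASS=X
//*--------------------------------------------------------------
//* Step 1: RACF setup (placeholder names throughout).
//*  - Protect the key label as a CSFKEYS resource and give only
//*    the IMS control region and batch user IDs READ access,
//*    which is all that open-time key access requires.
//*  - The ICSF segment settings allow the CKDS key to be used
//*    for data set encryption (not covered on this page).
//*  - The DATAKEY SAF rule associates the key label with every
//*    new data set that matches IMS.PROD.DB.**, so no key label
//*    is needed in JCL or IDCAMS for those data sets.
//*  Assumes the CSFKEYS class is already active and RACLISTed.
//*--------------------------------------------------------------
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE CSFKEYS IMS.DB.KEY01 UACC(NONE) +
      ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))
  PERMIT IMS.DB.KEY01 CLASS(CSFKEYS) ID(IMSCTL IMSBATCH) ACCESS(READ)
  SETROPTS RACLIST(CSFKEYS) REFRESH
  ADDSD 'IMS.PROD.DB.**' UACC(NONE) DFP(DATAKEY(IMS.DB.KEY01))
  SETROPTS GENERIC(DATASET) REFRESH
/*
//*--------------------------------------------------------------
//* Step 2: define a new extended format VSAM cluster with a key
//*  label and copy the existing, unencrypted cluster into it.
//*  The old cluster is not encrypted in place; REPRO writes the
//*  records through the new cluster's encrypted open.
//*  EXTFMT stands for a data class whose Data Set Name Type is
//*  EXT (extended format). Because the name matches the SAF
//*  rule above, the SAF key label takes precedence over
//*  KEYLABEL; KEYLABEL is shown only to illustrate the syntax.
//*--------------------------------------------------------------
//COPYVSAM EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  DEFINE CLUSTER (NAME(IMS.PROD.DB.CUST.ENC) -
         KEYS(10 0) RECORDSIZE(200 200) -
         CYLINDERS(50 10) -
         DATACLASS(EXTFMT) STORAGECLASS(IMSSC) -
         KEYLABEL(IMS.DB.KEY01)) -
         DATA (NAME(IMS.PROD.DB.CUST.ENC.DATA)) -
         INDEX (NAME(IMS.PROD.DB.CUST.ENC.INDEX))
  REPRO INDATASET(IMS.PROD.DB.CUST) -
        OUTDATASET(IMS.PROD.DB.CUST.ENC)
/*
//*--------------------------------------------------------------
//* Step 3: sequential data set (for example a GSAM data set)
//*  copied into a new extended format data set whose key label
//*  comes from DSKEYLBL on the DD statement. This name does not
//*  match the SAF rule, so DSKEYLBL is what associates the key.
//*  Supplying the key label through JCL (rather than SAF or
//*  DATACLAS) also requires READ access to the FACILITY
//*  resource STGADMIN.SMS.ALLOW.DATASET.ENCRYPT (not on this page).
//*--------------------------------------------------------------
//COPYSEQ  EXEC PGM=IEBGENER
//SYSPRINT DD SYSOUT=*
//SYSIN    DD DUMMY
//SYSUT1   DD DSN=IMS.PROD.GSAM.OUT,DISP=SHR
//SYSUT2   DD DSN=IMS.PROD.GSAM.OUT.ENC,DISP=(NEW,CATLG,DELETE),
//            DSNTYPE=EXTREQ,DATACLAS=EXTFMT,STORCLAS=IMSSC,
//            DSKEYLBL='IMS.DB.KEY01',
//            SPACE=(CYL,(10,5)),LRECL=80,RECFM=FB
```

After the job runs, the IMS definitions (DFSMDA members, DD statements, or DBRC registration) still have to be switched to the new data set names, and any address space listed in the table below that opens the new data sets must run under a user ID permitted to the CSFKEYS resource; an address space whose user ID lacks READ access fails at open time rather than when the data set is allocated.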
The following table lists the data sets that support z/OS data set encryption and the IMS address spaces whose user IDs need access to the key labels associated with the data sets.
| Data set types | IMS address spaces whose user IDs need access to the key labels |
|---|---|
| VSAM (HALDB, non-HALDB) | CTL, DLI, batch jobs, and utilities that access VSAM DBs |
| GSAM | IMS BMP and batch jobs |
| Online log data sets (DFSOLPnn, DFSOLSnn) | CTL (including XRF alternate and FDBR regions), log archive utility, other utilities that access OLDS, and RSR transport manager |
| Batch log data sets | IMS batch jobs, utilities that access batch logs, and RSR transport manager |
| SLDS | CTL, log archive utility, Change Accumulation utility, DB recovery utilities, other utilities that access SLDS, and RSR transport manager |
| RLDS | Log archive utility, Change Accumulation utility, and DB recovery utilities |
| Change accumulation data sets | Change Accumulation utility and DB recovery utilities |
| Image copy data sets | Image copy utilities and DB recovery utilities |
| CQS SRDS | CQS |
| IMS Connect Recorder Trace | IMS Connect and utilities that process the IMS recorder trace |
| BPE trace data sets | Address spaces that use BPE, and utilities that process BPE trace data (including IPCS TSO users) |
| Fast Path trace | Dependent region |
| IMS external trace data sets | CTL and utilities that process the IMS external trace |
| z/OS log stream offload and staging data sets | z/OS logger address space |
| IMS repository data sets | Repository server |
| RRDS | CTL and utilities that access the RRDS |
| RECON data sets | DBRC, IMS batch jobs that use DBRC, and utilities and tools that access the RECON data sets |
| Monitor data sets | CTL and utilities that process monitor data output |
| CQS system checkpoint data sets | CQS |
| Write-ahead data sets (WADS) | CTL (including XRF alternate and FDBR regions), log recovery utility, and other utilities that access WADS |
| Fast Path DEDB area data sets (ADS) | CTL and utilities that access DEDB ADS |
The following data sets cannot be encrypted, either because they are accessed by using nonstandard access methods or because DFSMS does not support encryption for them:
- OSAM using sequential data sets (physical OSAM data sets)
- MSDB data sets, including dump, init, and checkpoint
- Queue manager data sets, including LGMSG, SHMSG, and QBLKS
- Restart data sets (RDS)
- All PDS/PDSE type data sets, including PSBLIB, DBDLIB, ACBLIB, MODBLKS, FMTLIB, IMSTFMTx, IMSDALIB, program libraries, PROCLIB and other configuration data sets, catalog directory data sets, staging data sets, and BSDS
- Spool data sets