[z/OS][V9.1.4 Dec 2019]

Confidentiality for data at rest on IBM MQ for z/OS with data set encryption

IBM® MQ for z/OS® can harden customer and configuration data by writing the data to the active log data sets, the archive log data sets, page sets, bootstrap data sets (BSDS), and [V9.1.5 Apr 2020] shared message data sets (SMDS).

z/OS provides efficient, policy-based encryption of data sets. IBM MQ for z/OS supports z/OS data set encryption for:
  • Active log data sets; see note 1
  • Archive log data sets; see note 2
  • Page sets; see note 1
  • BSDS; see note 2
  • CSQINP* data sets; see note 2
  • [V9.1.5 Apr 2020] SMDS; see note 3
This provides confidentiality of data at rest on an individual z/OS queue manager.
Notes:
  1. From IBM MQ 9.1.4, IBM MQ for z/OS supports z/OS data set encryption for active logs and page sets.
  2. Data set encryption for archive logs, BSDS and CSQINP* data sets is supported on all versions of IBM MQ for z/OS.
  3. [V9.1.5 Apr 2020] From IBM MQ 9.1.5, IBM MQ for z/OS supports z/OS data set encryption for SMDS.
  4. IBM MQ Advanced Message Security (AMS) provides an alternative mechanism for protecting data at rest. In addition, AMS also protects data in memory and in flight.

See "Using the z/OS data set encryption enhancements" for more information about z/OS data set encryption.

Configuration of z/OS data set encryption is outside of the control of IBM MQ for z/OS. Encryption settings take effect when the data set is created.

This means that any existing data sets need to be recreated before a new data set encryption policy can be used.

IBM MQ for z/OS can run with a mixture of encrypted and non-encrypted data sets, but a standard configuration would encrypt all, or none, of the data sets used.
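
The following is an added example, not IBM's code: a Python check that applies the version rules from notes 1 to 3 to a data set inventory, reporting which data sets must be recreated to pick up an encryption policy and whether the configuration is mixed. The inventory format, the type names and the data set names are assumptions constructed for illustration.

```python
# Minimum IBM MQ for z/OS version that supports z/OS data set encryption,
# per data set type (notes 1-3 on this page). None = all versions.
MIN_VERSION = {
    "active_log": (9, 1, 4), "page_set": (9, 1, 4), "smds": (9, 1, 5),
    "archive_log": None, "bsds": None, "csqinp": None,
}

def parse_version(text):
    """'9.1.4' -> (9, 1, 4); missing parts are padded with zeros."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def audit(mq_version, inventory):
    """Classify each data set; also return True if the configuration is mixed.

    inventory: (name, kind, encrypted) tuples (hypothetical export format)."""
    version = parse_version(mq_version)
    findings = {}
    for name, kind, encrypted in inventory:
        if kind not in MIN_VERSION:
            raise ValueError(f"unknown data set type: {kind}")
        minimum = MIN_VERSION[kind]
        supported = minimum is None or version >= minimum
        if encrypted and not supported:
            findings[name] = "encrypted-but-unsupported-at-this-version"
        elif encrypted:
            findings[name] = "ok"
        elif supported:
            # Encryption settings apply only at creation, so recreate.
            findings[name] = "recreate-to-encrypt"
        else:
            findings[name] = "upgrade-mq-first"
    states = {enc for _, _, enc in inventory}
    return findings, len(states) > 1

# Constructed sample inventory; names are placeholders, not real data sets.
SAMPLE = [
    ("QM01.LOGCOPY1.DS01", "active_log", True),
    ("QM01.PSID00", "page_set", False),
    ("QM01.BSDS01", "bsds", True),
    ("QM01.SMDS.QM01", "smds", False),
]

if __name__ == "__main__":
    result, mixed = audit("9.1.4", SAMPLE)
    for name, status in result.items():
        print(f"{name}: {status}")
    print("mixed configuration:", mixed)
```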