Planning for data set encryption

You can encrypt any data sets that you use with CICS® for which z/OS® data set encryption is supported. This includes user data sets that are accessed through CICS File Control APIs, queued sequential access method (QSAM) data sets used for CICS extrapartition transient data, basic sequential access method (BSAM) data sets used with CICS, and CICS system data sets that are appropriate candidates for encryption.

You can use data set encryption with any in-service release of CICS TS for z/OS.

Encrypted data sets must be storage management subsystem (SMS)-managed and extended format. To create an encrypted data set, you assign a key label to the data set when it is allocated. The key label must point to an AES-256 encryption key in the integrated cryptographic service facility (ICSF) cryptographic key data set (CKDS); that key is used to encrypt and decrypt the data. The key label itself is not sensitive information, but the encryption key that it identifies is.
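The allocation step described above, as an added JCL example that is not part of the original page: an IDCAMS DEFINE CLUSTER for a CICS File Control KSDS that names the key label at allocation time, followed by a LISTCAT to confirm the attribute was set. The data set name, the SMS data class DCENCEXT (assumed to request extended format) and the key label CICS.CUSTFILE.KEY are placeholders, and the key is assumed to already exist in the CKDS with the caller permitted to use it.

```jcl
//DEFENC   JOB (ACCT),'ENCRYPTED KSDS',CLASS=A,MSGCLASS=X
//*
//* Constructed example: define a CICS KSDS that is encrypted with
//* z/OS data set encryption. All names are placeholders.
//*
//* Assumptions (not stated on the page):
//*  - DCENCEXT is an SMS data class with Data Set Name Type =
//*    EXTENDED, so the data set is SMS-managed and extended format.
//*  - CICS.CUSTFILE.KEY already exists in the ICSF CKDS as an
//*    AES-256 key; the job's user ID is permitted to that label
//*    through the matching CSFKEYS profile.
//*
//DEFINE   EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  DEFINE CLUSTER (NAME(CICSTS.APPL.CUSTFILE)          -
         INDEXED                                     -
         KEYS(10 0)                                  -
         RECORDSIZE(200 400)                         -
         DATACLASS(DCENCEXT)                         -
         KEYLABEL(CICS.CUSTFILE.KEY)                 -
         CYLINDERS(10 5)                             -
         SHAREOPTIONS(2 3))                          -
         DATA (NAME(CICSTS.APPL.CUSTFILE.DATA))      -
         INDEX (NAME(CICSTS.APPL.CUSTFILE.INDEX))
/*
//*
//* Check: only runs if the DEFINE ended with return code 0.
//* LISTCAT ALL reports the encryption attributes of the cluster,
//* including the key label, so a missing label here means the
//* data set was created unencrypted and must be redefined.
//*
//VERIFY   EXEC PGM=IDCAMS,COND=(0,NE)
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  LISTCAT ENTRIES(CICSTS.APPL.CUSTFILE) ALL
/*
```

The key label appears in the LISTCAT output and in the catalog, which is why the page treats the label as non-sensitive; protecting the key itself is done in ICSF and RACF, not by hiding the label.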

Encryption support for CICS user data sets

For user data sets defined to CICS, encryption support includes key-sequenced data sets (KSDS), entry-sequenced data sets (ESDS), relative record data sets (RRDS), and variable relative record data sets (VRRDS), accessed through base VSAM and VSAM Record Level Sharing (RLS). Encryption is also supported for the backing VSAM key-sequenced data sets that are used for shared data tables or coupling facility data tables.

Encryption support for CICS system data sets

You can encrypt any CICS system data sets for which encryption is supported, but some system data sets are good candidates for encryption, whereas others are not.
  • Data sets with the potential to contain sensitive data are candidates for encryption. You must assess which of your data sets might contain sensitive data and whether to encrypt them.
  • Data sets that do not, and are unlikely to, contain sensitive data are not candidates for encryption.

The following table lists the CICS system data sets for which encryption is possible, and whether they are candidates for encryption. If you want to use an encrypt-everything approach, all the data set types that are listed in this table can be encrypted.

Table 1. Which system data sets are candidates for encryption?

  • Temporary storage data set (DFHTEMP)
    Candidate for encryption: Yes, could contain sensitive data.
    Special considerations: DFHTEMP supports extended format, but does not support extended addressing.
  • Intrapartition transient data (DFHINTRA)
    Candidate for encryption: Yes, could contain sensitive data.
    Special considerations: DFHINTRA supports extended format, but does not support extended addressing.
  • Extrapartition transient data
    Candidate for encryption: Yes, could contain sensitive data.
    Special considerations: Encryption is not supported for partitioned data sets (PDS).
  • Auxiliary trace data sets (DFHAUXT and DFHBUXT)
    Candidate for encryption: Yes, can potentially include sensitive data in the diagnostics.
    Special considerations: Alternatively, use the CONFDATA system initialization parameter, which might provide sufficient protection. If trace data is encrypted and you need to send it to IBM® for diagnostics, use CICS trace formatting or another method to ensure that you send decrypted data.
  • CICS dump data sets (DFHDMPA and DFHDMPB)
    Candidate for encryption: Yes, can potentially include sensitive data in the diagnostics.
    Special considerations: Alternatively, use the CONFDATA system initialization parameter, which might provide sufficient protection. If dump data is encrypted and you need to send it to IBM for diagnostics, use CICS dump formatting or another method to ensure that you send decrypted data. CICS dump data sets support extended format, but do not support extended addressing.
  • Doctemplate resources
    Candidate for encryption: Yes, can potentially contain sensitive data.
    Special considerations: Provided that the data set used is of a type for which encryption is supported.
  • URIMAP resources used for static delivery
    Candidate for encryption: Yes, can potentially contain sensitive data.
    Special considerations: Provided that the data set used is of a type for which encryption is supported.
  • BTS repository data sets and BTS local request queue (LRQ) data set
    Candidate for encryption: No, contain only control data.
    Special considerations: None.
  • Global and local catalog data sets (DFHGCD and DFHLCD)
    Candidate for encryption: No, contain only configuration data.
    Special considerations: Consider only if you believe that CICS configuration data is sensitive information.
  • CICS system definition data set (DFHCSD)
    Candidate for encryption: No, contains only information about resource configuration.
    Special considerations: Consider only if you believe that your resource definitions include any sensitive information.
  • CMAC messages data set (DFHCMACD)
    Candidate for encryption: No, contains only message details.
    Special considerations: Consider only if you added your own messages that you believe contain sensitive data.
  • zFS files used for bundle definitions and web services
    Candidate for encryption: No, contain only configuration information.
    Special considerations: Consider only if you believe that your bundle definitions include any sensitive information.