Considerations for encrypting log stream data sets

Data set encryption can be used for log stream data sets to enhance an installation's capability in securing their sensitive enterprise data. Both log stream offload and staging data set types can have data set level encryption.

The system programmer installs and applies the appropriate release levels and any required PTFs, and ensures that the necessary hardware features are established. Then, the security administrator works with the ICSF administrator and storage administrator to set up policies that enable the log stream data set encryption. For more information about using data set level encryption, refer to "Data Set Encryption" in z/OS DFSMS Using Data Sets.

Log stream data set encryption can be enabled through DFSMS data class definitions (or ACS routines), or through RACF data set profiles by naming KEYLABELS that define cryptographic keys to be used for data set level encryption.

IBM recommends that all systems in the sysplex be at the appropriate release and/or PTF levels before log data set encryption is enabled for log stream resources.

Some limitations and special considerations should be examined before enabling data set level encryption for log stream data sets.
  1. Multiple log streams can be defined to use the same CF structure, and separate z/OS images can connect to some but not all of these log streams. If some of these z/OS images are not at the appropriate release and/or PTF levels for encryption support, then do not enable data set level encryption for any of these log streams. System logger, on any system that is connected to a CF structure, recovers log stream data that is contained in that CF structure. z/OS systems without the appropriate support applied encounter data set allocate and open errors when they attempt to recover a log stream that has encrypted data sets.
  2. System Logger does not support encrypted data sets for any DRXRC-type staging data sets. A structure-based log stream that has STG_DUPLEX(YES) DUPLEXMODE(DRXRC) specified and an encrypted staging data set allocated results in an open error when system logger attempts to use it.
  3. When a z/OS V2R1 release level system (with the PTF applied) is connected to a log stream with encrypted data sets, system logger is able to access the log data that is contained in the encrypted data sets. However, these z/OS V2R1 systems cannot create any new encrypted log stream data sets. The installation must make certain that any new log stream data sets created on the V2R1 system are not expected to be encrypted, for example by using an alternative DFSMS data class without a data set key label. Some of the log stream data sets can be encrypted, but any data sets created on the V2R1 systems are not encrypted. Otherwise, the log stream can be used in a limited fashion only, with the key aspects listed below:
    • Initial log stream connections on the V2R1 system that would normally cause the creation of a log stream staging data set can fail. This occurs for DASDONLY log streams and CF structure-based log streams with STG_DUPLEX(YES) DUPLEXMODE(UNCOND).
    • Log stream offload activity on the V2R1 system that requires the creation of an extra offload data set does not succeed. This can occur during log stream log data recovery processing and/or during normal log stream use. Offload activity on the V2R1 system completes only when no new offload data set needs to be created. Other systems at the appropriate levels continue to manage the log stream as expected.
The following list gives the minimum actions required to enable encryption of log stream data sets.
  • The Integrated Cryptographic Service Facility (ICSF) must be configured as follows. ICSF requires cryptographic hardware to be available on the server. For details, refer to z/OS Cryptographic Services ICSF Administrator's Guide and z/OS Cryptographic Services ICSF System Programmer's Guide.
    • Activating the ICSF address space is mandatory.
    • Set up and maintain cryptographic keys and the KEYLABELS to be used for data set level encryption.
    • Ensure the Sysplex ICSF (database) repository is shared and maintained across all systems in the sysplex, and on any recovery site systems. For more information, refer to "Running in a Sysplex Environment" in z/OS Cryptographic Services ICSF Administrator's Guide and sysplex-related specifications of "Installation, initialization, and customization" in z/OS Cryptographic Services ICSF System Programmer's Guide.
    • Ensure that the catalogs are also shared across these same systems when data set level encryption is used.
    • The ICSF segment of the covering CSFKEYS general resource class profile must be updated with the following new options to ensure that wrapped keys can be returned:
      SYMCPACFWRAP(YES)
        Allows the key label to be wrapped.
      SYMCPACFRET(YES)
        Allows the service to return the wrapped key.
    • For protected keys:
      • Set up profiles in the CSFKEYS general resource class and set up groups and users to allow system logger address space (IXGLOGR) access to the key labels. Refer to "Setting up profiles in the CSFKEYS general resource class" in z/OS Cryptographic Services ICSF Administrator's Guide.
      • Also, refer to "Enabling use of encrypted keys in Symmetric Key Encipher and Symmetric Key Decipher callable services" in z/OS Cryptographic Services ICSF Administrator's Guide.
      • The following RACF commands provide an example of the two previous requirements:
        RDEFINE CSFKEYS * UACC(READ) ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))
        SETR RACLIST(CSFKEYS) REFRESH
    • Set up profiles in the CSFSERV general resource class and set up groups and users to allow system logger address space (IXGLOGR) access to the CSFKRR2 resource.
  • Data set encryption can be established for SMS-managed data sets defined with the Extended format option, allocated on (at least) 3390 device types.
    • Activate the SMS address space.
    • Specify ACSDEFAULTS(YES) in the SYS1.PARMLIB(IGDSMSxx) member.
  • You can optionally use a key label in RACF DS profiles. For information about RACF, see z/OS Security Server RACF Security Administrator's Guide.
    • Create RACF data set profiles. In the DFP Segment, specify the key label wanted (see DATAKEY) to cover log stream data sets.
  • Alternatively, define DFSMS data classes with the Extended format option by using the Interactive Storage Management Facility (ISMF) panels or via ACS routines. For information about ISMF, see z/OS DFSMS Using the Interactive Storage Management Facility.
    • Optionally, include a specification for a data set key label in the data class definition.
    • To allow the system to create encrypted data sets via DFSMS data class or ACS routine, the user must have at least READ authority to the following resource in the FACILITY class: STGADMIN.SMS.ALLOW.DATASET.ENCRYPT.
  • Specify on the log stream definition, or update an existing definition with, the corresponding DFSMS data class names established previously for the log stream offload and staging data sets. Refer to LS_DATACLAS and STG_DATACLAS log stream keyword specifications.
  • Take action for the subsystem or application to connect and write log data to the log stream. Any newly created log stream data sets that use the previous specifications will have data set level encryption.
  • For similar steps and guidance on changing a log stream staging data set's attribute when the log stream is already connected, see Change the staging data set size for coupling facility log streams and Changing the staging data set size for a DASD-only log stream.
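The following job is an added example that pulls the preceding steps together; it is not taken from the z/OS documentation. Every name in it is a constructed placeholder: the key label LOGR.DATASET.KEY, the IXGLOGR user ID assumed for the system logger address space, the log stream PROD.APPLOG and its CF structure LOGR_APPLOG, and the Extended format data classes LOGRENCL and LOGRENCS (assumed to be already defined in ISMF). Step 1 defines the CSFKEYS, CSFSERV and FACILITY profiles the text calls for, plus the optional RACF data set profile with a DFP DATAKEY; step 2 sets LS_DATACLAS and STG_DATACLAS on the log stream definition.

```jcl
//LOGRENC  JOB (ACCT),'LOGSTREAM ENCRYPT',CLASS=A,MSGCLASS=X
//*
//* Step 1: RACF definitions through batch TSO. All profile names,
//* the key label LOGR.DATASET.KEY and the IXGLOGR user ID are
//* constructed placeholders; substitute the installation's own.
//*
//RACFDEF  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE CSFKEYS LOGR.DATASET.KEY UACC(NONE) +
          ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))
  PERMIT  LOGR.DATASET.KEY CLASS(CSFKEYS) ID(IXGLOGR) ACCESS(READ)
  RDEFINE CSFSERV CSFKRR2 UACC(NONE)
  PERMIT  CSFKRR2 CLASS(CSFSERV) ID(IXGLOGR) ACCESS(READ)
  RDEFINE FACILITY STGADMIN.SMS.ALLOW.DATASET.ENCRYPT UACC(NONE)
  PERMIT  STGADMIN.SMS.ALLOW.DATASET.ENCRYPT CLASS(FACILITY) +
          ID(IXGLOGR) ACCESS(READ)
  ADDSD   'IXGLOGR.PROD.APPLOG.**' UACC(NONE) +
          DFP(DATAKEY(LOGR.DATASET.KEY))
  SETROPTS RACLIST(CSFKEYS CSFSERV FACILITY) REFRESH
  SETROPTS GENERIC(DATASET) REFRESH
/*
//*
//* Step 2: point the log stream at Extended format data classes.
//* LOGRENCL (offload) and LOGRENCS (staging) are constructed names
//* assumed to exist in ISMF. Omit the ADDSD above if the key label
//* is carried in the data class definitions instead.
//*
//DEFLOG   EXEC PGM=IXCMIAPU
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  DATA TYPE(LOGR) REPORT(NO)
  DEFINE LOGSTREAM NAME(PROD.APPLOG)
         STRUCTNAME(LOGR_APPLOG)
         STG_DUPLEX(YES) DUPLEXMODE(UNCOND)
         LS_DATACLAS(LOGRENCL) STG_DATACLAS(LOGRENCS)
         HLQ(IXGLOGR) LS_SIZE(4096) STG_SIZE(4096)
         HIGHOFFLOAD(80) LOWOFFLOAD(0)
/*
```

The data set profile name follows the log stream data set naming the HLQ keyword produces (HLQ.logstream-name.Annnnnnn), so the DATAKEY covers every offload and staging data set this log stream creates. The text describes the RACF profile and the data class key label as alternatives, so use one of the two; and because STG_DUPLEX(YES) DUPLEXMODE(UNCOND) makes the staging data set mandatory at connect time, the limitation for down-level V2R1 systems described earlier applies to this definition.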
Note: To stop using log stream data set encryption, first stop newly created log stream data sets from being encrypted data sets, then delete the existing encrypted log stream data sets. Depending on how you enabled the encryption, you can update your log stream definition to use a different DFSMS data class, change the DFSMS data class definition or ACS routines, or update the RACF profiles that cover the log stream data sets. This stops system logger from creating new encrypted log stream data sets, but does not alter any existing encrypted data sets. Depending on each log stream exploiter, your options for causing the deletion of existing log stream data sets can vary greatly. For example, you might need to disconnect the log stream from all connected systems in the sysplex, or you might need to delete the log stream entirely.