Pervasive encryption


IAM provides support for z/OS Pervasive Encryption. Encryption is automatically enabled when an IAM data set is defined using IDCAMS with a Keylabel parameter specified or via the assigned Dataclass. The JCL DD statement DSKEYLBL keyword is not supported. A Dataclass with the SMS Extended Format and Extended Addressability attributes turned on must be used. When IAM intercepts the Define for such an IAM data set, IAM allocates a VSAM Linear data set instead of a non-VSAM DSORG=PS data set. All I/O to an IAM Linear data set is executed through IBM Media Manager, rather than EXCP. IBM Media Manager encrypts data for write operations and decrypts data for read operations. As a result, IAM's support for Pervasive Encryption is 100% compatible with other z/OS component use of Pervasive Encryption. As IBM continues to enhance z/OS Pervasive Encryption functionality, it is highly likely that IAM will inherit such enhancements without extensive new changes to IAM itself.

A block in a non-encrypted IAM DSORG=PS data set corresponds to a Control Interval in an IAM linear data set, and that Control Interval must be a multiple of 4K. For DSORG=PS non-encrypted data sets, IAM chooses a block size that is optimal for the geometry of the DASD type being used, most likely a 3390. For Linear data sets, IAM chooses a multiple of 4K that is a best fit for the DASD type, but this fit might not be as optimal as the block size for DSORG=PS non-encrypted data sets. Therefore, when an IAM file is converted to an encrypted file, the file might grow in size.

Important

For writes, IAM software or hardware compression is done before the data is encrypted by Media Manager. For reads, IAM decompression is done after the data is decrypted by Media Manager. Therefore, no changes in file size are expected as a result of compression-encryption order.

IAM KSDS, ESDS, and RRDS data sets can be defined with a Key Label and encrypted.

Applications that use ESDS data sets and are currently only capable of supporting 4-byte RBA ESDS data sets (non-Extended Addressability format) and wish to encrypt such ESDS data sets will need to specify either NOXESDS or PSEUDORBA on an IAM Override CREATE statement in the ESDS Define step. This is because the SMS Extended Addressability attribute will force ESDS/EA as a default.
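The following job sketches the define described above for an encrypted ESDS that must keep 4-byte RBAs. It is an added example, not taken from the IAM documentation. The data set name, data class name, and key label are constructed placeholders, and the `IAMOVRID` DD name, the `DD=&ALLDD` operand, and the use of `OWNER($IAM)` to mark the data set as IAM are assumptions to verify against your IAM release.

```jcl
//DEFINE   EXEC PGM=IDCAMS
//SYSPRINT DD  SYSOUT=*
//*
//* IAM Override CREATE statement for the Define step.
//* NOXESDS keeps the 4-byte RBA format even though the data class
//* has Extended Addressability turned on; PSEUDORBA is the other
//* keyword the text allows here.
//* Assumption: overrides are read from an IAMOVRID DD and
//* DD=&ALLDD applies the statement to every IAM data set in the step.
//*
//IAMOVRID DD  *
  CREATE DD=&ALLDD,NOXESDS
/*
//*
//* DATACLASS must name an SMS data class with Extended Format and
//* Extended Addressability turned on. KEYLABEL triggers encryption.
//* All names below are constructed placeholders.
//* Assumption: OWNER($IAM) identifies the data set as IAM.
//*
//SYSIN    DD  *
  DEFINE CLUSTER -
    (NAME(EXAMPLE.ENCRYPT.ESDS) -
     OWNER($IAM) -
     NONINDEXED -
     RECORDSIZE(200 400) -
     CYLINDERS(50 10) -
     DATACLASS(DCEXTEA) -
     KEYLABEL(EXAMPLE.PLACEHOLDER.KEYLABEL))
/*
```

The key label goes on the IDCAMS Define (or comes from the data class), not on a DD statement, because the DSKEYLBL keyword is not supported for IAM data sets.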

IAM AIX data sets will automatically be encrypted if the base cluster is encrypted.

For Linear Encrypted Data Sets, an IAM Access Override option of PAGEFIX is available to minimize I/O response time. The PAGEFIX Access Option will cause IAM to page fix all file I/O buffers. If the use of 64-bit addressable virtual storage is enabled, then Large Memory Page Frames will be used if the z/OS system is configured to have Large Memory Page Frames available. The PAGEFIX Access Option will also help to reduce CPU usage.

 


BMC AMI Storage IAM 11.1