Pervasive Encryption
IAM supports z/OS Pervasive Encryption. Encryption is enabled automatically when an IAM data set is defined using IDCAMS with a Keylabel parameter, either specified directly or supplied by the assigned Dataclas. The JCL DD statement DSKEYLBL keyword is not supported. A Dataclas with the SMS Extended Format and Extended Addressability attributes turned on must be used. When IAM intercepts the Define for such an IAM data set, IAM allocates a VSAM Linear data set instead of a non-VSAM DSORG=PS data set. All I/O to an IAM Linear data set is executed through IBM Media Manager rather than EXCP. IBM Media Manager encrypts data on write operations and decrypts it on read operations. As a result, IAM’s support for Pervasive Encryption is 100% compatible with the use of Pervasive Encryption by other z/OS components. As IBM continues to enhance z/OS Pervasive Encryption functionality, it is highly likely that IAM will inherit such enhancements without extensive new changes to IAM itself.
What is a block in an IAM DSORG=PS non-encrypted data set is a Control Interval in an IAM Linear data set. Control Intervals in a Linear data set must be a multiple of 4K. For DSORG=PS non-encrypted data sets, IAM chooses a block size that is optimal for the geometry of the DASD type being used, most likely a 3390. For Linear data sets, IAM chooses a multiple of 4K that is the best fit for the DASD type, but this best fit may not be as optimal as the block size chosen for DSORG=PS non-encrypted data sets. Therefore, when an IAM file is converted to an encrypted file, it may grow somewhat in size.
IAM KSDS, ESDS, and RRDS data sets can be defined with a Key Label and therefore be encrypted.
Applications that use ESDS data sets, currently support only 4-byte RBA ESDS data sets (non-Extended Addressability format), and need to encrypt those ESDS data sets must specify either NOXESDS or PSEUDORBA on an IAM Override CREATE statement in the ESDS Define step. This is because the SMS Extended Addressability attribute forces ESDS/EA as the default.
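The Define described above, including the ESDS override, as an added example that is not taken from the IAM documentation. The data set name, Dataclas name, key label, space and record sizes are constructed placeholders. OWNER($IAM) as the way the data set is marked as IAM and the DD=&ALLDD operand on the CREATE statement are assumptions about the site's IAM setup.

```jcl
//DEFESDS  JOB (ACCT),'DEFINE IAM ESDS',CLASS=A,MSGCLASS=X
//*
//* Constructed example. All names below are placeholders.
//*
//DEFINE   EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//*
//* IAM Override for the Define step: keep 4-byte RBA addressing.
//* Without it, the Extended Addressability attribute of the
//* Dataclas forces ESDS/EA as the default.
//* (DD=&ALLDD is an assumed operand form.)
//*
//IAMOVRID DD *
  CREATE DD=&ALLDD,PSEUDORBA
/*
//*
//* Note: no DSKEYLBL on any DD statement. The key label is given
//* on the IDCAMS DEFINE (or comes from the Dataclas).
//*
//SYSIN    DD *
  /* DCEXTEA: placeholder Dataclas with SMS Extended Format   */
  /* and Extended Addressability turned on.                   */
  /* OWNER($IAM): assumed marker that makes this an IAM file. */
  DEFINE CLUSTER -
    (NAME(PROD.PAYROLL.ESDS) -
     OWNER($IAM) -
     NONINDEXED -
     RECORDSIZE(200 400) -
     CYLINDERS(50 10) -
     DATACLASS(DCEXTEA) -
     KEYLABEL(PROD.DATASET.AES256.KEY01))

  /* Check the catalog entry for the key label after the Define */
  LISTCAT ENTRIES(PROD.PAYROLL.ESDS) ALL
/*
```

If the Dataclas itself carries the key label, the KEYLABEL operand can be omitted from the DEFINE.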
IAM AIX data sets will automatically be encrypted if the base cluster is encrypted.
For Linear Encrypted Data Sets, an IAM Access Override option of PAGEFIX is available to minimize I/O response time. The PAGEFIX Access Option will cause IAM to page fix all file I/O buffers. If the use of 64-bit addressable virtual storage is enabled, then Large Memory Page Frames will be used if the z/OS system is configured to have Large Memory Page Frames available. The PAGEFIX Access Option will also help to reduce CPU usage.