
Confidentiality for data at rest on IBM MQ for z/OS with data set encryption

IBM MQ for z/OS can harden customer and configuration data by writing the data to the active log data sets, the archive log data sets, page sets, bootstrap data sets (BSDS), and shared message data sets (SMDS).

z/OS provides efficient, policy-based encryption of data sets. IBM MQ for z/OS supports z/OS data set encryption for:

  • Active log data sets; see note 1
  • Archive log data sets; see note 2
  • Page sets; see note 1
  • BSDS; see note 2
  • CSQINP* data sets; see note 2
  • SMDS; see note 1

This provides confidentiality of data at rest on an individual z/OS queue manager.

Notes:

  1. From Version 9.2.0, IBM MQ for z/OS supports z/OS data set encryption for active logs, page sets, and SMDS.
  2. Data set encryption for archive logs, BSDS and CSQINP* data sets is supported on all versions of IBM MQ for z/OS.
  3. IBM MQ Advanced Message Security (AMS) provides an alternative mechanism for protecting data at rest. In addition, AMS also protects data in memory and in flight.

See Use the z/OS data set encryption enhancements for more information about z/OS data set encryption.

Configuration of z/OS data set encryption is outside of the control of IBM MQ for z/OS. Encryption settings take effect when the data set is created.

This means that any existing data sets need to be recreated before a new data set encryption policy can be used.

IBM MQ for z/OS can run with a mixture of encrypted and non-encrypted data sets, but a standard configuration would encrypt all, or none, of the data sets used.
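The support rules in notes 1 and 2 and the all-or-none guidance above can be checked against an inventory of a queue manager's data sets. The following is an added example, not IBM code: the data set names are constructed, and the `encrypted` flag is assumed to come from your own catalog tooling.

```python
from typing import NamedTuple

# Earliest IBM MQ for z/OS version supporting encryption of each data set type,
# from notes 1 and 2 above. None means every version.
MIN_VERSION = {
    "active_log": (9, 2, 0), "page_set": (9, 2, 0), "smds": (9, 2, 0),
    "archive_log": None, "bsds": None, "csqinp": None,
}

class DataSet(NamedTuple):
    name: str        # data set name
    kind: str        # a key of MIN_VERSION
    encrypted: bool  # assumption: collected by your own catalog tooling

def parse_version(text):
    """'9.2' -> (9, 2, 0), so short version strings still compare correctly."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def audit(mq_version, data_sets):
    """Return (severity, data set name, message) findings for one queue manager."""
    version = parse_version(mq_version)
    findings, known = [], []
    for ds in data_sets:
        if ds.kind not in MIN_VERSION:
            findings.append(("ERROR", ds.name, f"unknown data set type {ds.kind!r}"))
            continue
        known.append(ds)
        minimum = MIN_VERSION[ds.kind]
        if ds.encrypted and minimum and version < minimum:
            findings.append(("ERROR", ds.name, "encryption of this type is supported from 9.2.0"))
    # A mixture runs, but the standard configuration is all or none.
    if {ds.encrypted for ds in known} == {True, False}:
        for ds in known:
            minimum = MIN_VERSION[ds.kind]
            if not ds.encrypted and (minimum is None or version >= minimum):
                findings.append(("WARN", ds.name,
                                 "unencrypted in a mixed configuration; recreate it under the policy"))
    return findings

# Constructed sample inventory (names are illustrative, not from the page).
SAMPLE = [
    DataSet("MQ.QM01.LOGCOPY1.DS01", "active_log", True),
    DataSet("MQ.QM01.PSID00", "page_set", False),
    DataSet("MQ.QM01.BSDS01", "bsds", True),
    DataSet("MQ.QM01.ARCHLOG1.A0000001", "archive_log", True),
]

if __name__ == "__main__":
    for release in ("9.1.5", "9.2.0"):
        for finding in audit(release, SAMPLE):
            print(release, *finding)
```
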


Last updated: 2020-10-04