Considerations for z/OS data set encryption in a queue sharing group
Each queue manager in a queue sharing group (QSG) must be able to read the logs, BSDS, and shared message data sets (SMDS) of every other queue manager in the QSG.
This means that each system on which a member of the QSG can run must meet the requirements for z/OS data set encryption, and all the key labels and encryption keys used to protect the data sets for each queue manager in the QSG must be available on each system.
A queue manager prior to IBM MQ for z/OS Version 9.1.4 cannot access an encrypted active log data set.
A queue manager prior to IBM MQ for z/OS Version 9.1.5 cannot access an encrypted SMDS.
Before making use of z/OS data set encryption, we should migrate all queue managers in a QSG to at least IBM MQ for z/OS Version 9.1.5.
If a queue manager in a QSG is started with any encrypted active log data set, and any other queue manager in the QSG has been started, but was not last started with a version of IBM MQ for z/OS that supports encrypted active logs, the queue manager with the encrypted active log terminates abnormally with abend code 5C6-00F50033.
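The prerequisites above can be checked as a pre-flight gate before any data set is converted. The following is an added example, not IBM code: the queue manager names, system names, key labels and the inventory layout are all constructed, and it assumes every listed member has been started at some point.

```python
# Added example: pre-flight gate for the QSG encryption prerequisites.
# All queue manager names, system names and key labels below are constructed.
LOG_MIN, SMDS_MIN = (9, 1, 4), (9, 1, 5)   # minimum versions stated on this page

MEMBERS = {  # qmgr: (system, version it was last started with, key labels on its data sets)
    "QM01": ("SYSA", "9.1.5", {"MQ.QM01.LOGS", "MQ.QSG1.SMDS"}),
    "QM02": ("SYSB", "9.1.3", {"MQ.QM02.LOGS", "MQ.QSG1.SMDS"}),
    "QM03": ("SYSC", "9.1.4", {"MQ.QM03.LOGS", "MQ.QSG1.SMDS"}),
}
ALL_LABELS = {"MQ.QM01.LOGS", "MQ.QM02.LOGS", "MQ.QM03.LOGS", "MQ.QSG1.SMDS"}
SYSTEM_KEYS = {  # system: key labels available there (hypothetical inventory export)
    "SYSA": set(ALL_LABELS),
    "SYSB": set(ALL_LABELS),
    "SYSC": ALL_LABELS - {"MQ.QM02.LOGS"},
}

def vrm(version):
    """'9.1.5' -> (9, 1, 5) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

def preflight(members, system_keys):
    """Return sorted (subject, finding) tuples; an empty list means ready."""
    findings = []
    needed = set().union(*(labels for _, _, labels in members.values()))
    for qmgr, (_, version, _) in members.items():
        if vrm(version) < LOG_MIN:
            # A started member like this makes a peer with encrypted active
            # logs terminate with abend 5C6-00F50033.
            findings.append((qmgr, "cannot read encrypted active logs"))
        if vrm(version) < SMDS_MIN:
            findings.append((qmgr, "cannot read encrypted SMDS"))
    # Every system that can host a member needs every key label used in the QSG.
    for system in {system for system, _, _ in members.values()}:
        for label in needed - system_keys.get(system, set()):
            findings.append((system, "missing key label " + label))
    return sorted(findings)

if __name__ == "__main__":
    for subject, finding in preflight(MEMBERS, SYSTEM_KEYS):
        print(f"BLOCKER {subject}: {finding}")
```

An empty result means every member can read encrypted logs and SMDS and every system holds every key label in use; any finding is a reason to stop before the first conversion.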
We can convert a QSG to use encrypted active logs and SMDS without a full outage by:
- Migrating each queue manager to at least Version 9.1.5 in turn.
- Converting active logs to encrypted data sets for each queue manager in turn. This requires the queue manager to be shut down and then restarted.
  At the same time, it is likely that page sets and archive logs would be enabled for encrypted data sets too, but this does not affect QSG migration.
  The procedure for converting each data set is described in Example of how to encrypt queue manager active logs.
- Converting SMDS to encrypted data sets for each individual CF structure in turn by:
  - Issuing the command RESET SMDS(*) ACCESS(DISABLED) CFSTRUCT(structure-name) to suspend queue manager access to the SMDS.
    Note that during this time, the data on the shared queues associated with the SMDS is temporarily unavailable.
  - Converting each data set that makes up the SMDS to encrypted data sets, using the procedure described in Example of how to encrypt queue manager active logs.
  - Issuing the command RESET SMDS(*) ACCESS(ENABLED) CFSTRUCT(structure-name) to resume queue manager access to the SMDS.
Attention: We should shut the queue manager down cleanly prior to converting the logs, and coupling facility structure recovery might not be possible during the conversion, as the active log data sets will be temporarily unavailable.