Overview of steps to encrypt an IBM MQ for z/OS data set
How you encrypt an IBM MQ for z/OS data set.
Before starting
We must ensure that z/OS data set encryption is configured correctly in the enterprise. If we are setting up data set encryption in a queue sharing group, we must configure z/OS data set encryption for data sharing.
Note: A z/OS encrypted data set must be an extended format data set.
Procedure
- Set up encryption key and key-label in RACF to use to encrypt the data set.
- Create a profile for key-label in the RACF CSFKEYS class.
- Grant READ access to the user ID of the queue manager, and to any other user IDs that need access to the encrypted data. This might include user IDs that are used to run print utilities against the data set. For example, the user running CSQUTIL SCOPY would need to decrypt the relevant page set.
- Associate the encryption key-label with the data set name. We can do this by using an SMS data class, or a RACF DFP segment, for the data set name or high-level qualifier. We can also associate the key-label with the data set when the data set is allocated.
- Rename any existing data set using IDCAMS ALTER.
- Re-allocate the data set with the appropriate attributes.
- Copy the contents of the renamed data set to the new data set using IDCAMS REPRO. The data is encrypted by the action of copying it into the data set.
- Repeat steps 4 to 6 for any other data sets that need to be encrypted.
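The procedure above as one batch job, for a single page set. This is an added example, not IBM's sample JCL. The key label MQ.DSENC.KEY1, user ID MQ1AMSTR, data set MQ1A.PSID01, its .DATA component name, data class EXTFMT and the space values are constructed placeholders, and the job assumes the AES key already exists under that label and the data set is not in use.

```jcl
//MQDSENC  JOB (ACCT),'ENCRYPT PSID',CLASS=A,MSGCLASS=X
//* Added example. All names below are constructed placeholders:
//*   key label MQ.DSENC.KEY1, queue manager user ID MQ1AMSTR,
//*   page set MQ1A.PSID01, extended-format data class EXTFMT.
//* Assumes the AES data key already exists under the key label
//* and that the page set is not in use while it is converted.
//*
//* Create the CSFKEYS profile for the key label and grant READ.
//* UACC(NONE) keeps everyone else away from the key; the WHEN
//* clause limits the permission to DFSMS data set encryption.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE CSFKEYS MQ.DSENC.KEY1 UACC(NONE) -
    ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))
  PERMIT MQ.DSENC.KEY1 CLASS(CSFKEYS) ID(MQ1AMSTR) ACCESS(READ) -
    WHEN(CRITERIA(SMS(DSENCRYPTION)))
  SETROPTS RACLIST(CSFKEYS) REFRESH
/*
//* Rename the existing data set, re-allocate it as extended
//* format with the key label, then copy the contents back.
//* Here the key label is associated at allocation time
//* (KEYLABEL) rather than through a data class or DFP segment.
//COPY     EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  /* Rename the cluster and its data component               */
  ALTER MQ1A.PSID01      NEWNAME(MQ1A.PSID01.OLD)
  ALTER MQ1A.PSID01.DATA NEWNAME(MQ1A.PSID01.OLD.DATA)
  /* Re-allocate; size values are placeholders               */
  DEFINE CLUSTER (NAME(MQ1A.PSID01) -
         LINEAR -
         CYLINDERS(100 10) -
         SHAREOPTIONS(2 3) -
         DATACLASS(EXTFMT) -
         KEYLABEL(MQ.DSENC.KEY1)) -
         DATA (NAME(MQ1A.PSID01.DATA))
  /* The data is encrypted as REPRO writes it                */
  REPRO INDATASET(MQ1A.PSID01.OLD) OUTDATASET(MQ1A.PSID01)
/*
```

Keep the renamed .OLD data set, which is still unencrypted, only until the new copy has been verified, then delete it.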