Configure data set encryption for the log data sets

This topic describes how to configure encryption on the queue manager log data sets.


Before starting

Ensure that we have read:


This method uses the DFP segment of a RACF generic profile, so that we can use the encryption key for all new data sets that match the profile.

Alternatively, we can configure and use an SMS data class, or the key label can be specified directly when allocating the data set.

As previously described, in this example, queue manager CSQ1 is run under user QMCSQ1, and has active log data sets CSQ1.LOGS.LOGCOPY1.DS001, CSQ1.LOGS.LOGCOPY1.DS002, and so on.


Procedure

  1. Create the generic profile if it does not exist, by issuing the following command:
    ADDSD 'CSQ1.LOGS.*' UACC(NONE)
  2. Permit the queue manager user alter access on the profile, by issuing the following command:
    PERMIT 'CSQ1.LOGS.*' ID(QMCSQ1) ACCESS(ALTER)
    Also, permit the appropriate access needed for any administrative user.
  3. Add the DFP segment with the encryption key label by issuing the following command:
    ALTDSD 'CSQ1.LOGS.*' DFP(RESOWNER(QMCSQ1) DATAKEY(CSQ1DSKY))
    Note: The key label must be the same encryption key that was used when configuring the data set encryption key for the queue manager.
  4. Refresh the generic data set profiles by issuing the following command:
    SETROPTS GENERIC(DATASET) REFRESH
  5. Rename each log data set to a backup, then recreate and restore the data, using IDCAMS. The following JCL fragment converts CSQ1.LOGS.LOGCOPY1.DS001:
    1. Rename the data set to a back-up
      //RENAME   EXEC PGM=IDCAMS,REGION=0M 
      //SYSPRINT DD SYSOUT=* 
      //SYSIN    DD * 
        /*-------------------------------------------------------------*/ 
        /* RENAME DATASET TO BACKUP                                    */ 
        /*-------------------------------------------------------------*/ 
        ALTER 'CSQ1.LOGS.LOGCOPY1.DS001'                   - 
               NEWNAME('CSQ1.BAK.LOGS.LOGCOPY1.DS001')
      
    2. Redefine the data set. Because the generic profile now carries a DFP segment with a key label, the new data set is created encrypted. Note: Replace ++EXTDCLASS++ with the name of the extended format data class we want to use for the data set.
      //REDEFINE EXEC PGM=IDCAMS,REGION=0M 
      //SYSPRINT DD SYSOUT=* 
      //SYSIN    DD * 
        /*-------------------------------------------------------------*/ 
        /* REDEFINE THE DATASET                                        */ 
        /*-------------------------------------------------------------*/
        DEFINE CLUSTER                                     - 
               (NAME(CSQ1.LOGS.LOGCOPY1.DS001)             - 
               LINEAR                                      - 
               SHAREOPTIONS(2 3)                           - 
               MODEL(CSQ1.BAK.LOGS.LOGCOPY1.DS001)         - 
               DATACLAS(++EXTDCLASS++))
      
    3. Copy the data from the backup into the recreated data set. This step encrypts the data:
      //RESTORE  EXEC PGM=IDCAMS,REGION=0M 
      //SYSPRINT DD SYSOUT=* 
      //SYSIN    DD *
        /*-------------------------------------------------------------*/ 
        /* RESTORE DATA INTO ENCRYPTED LOG                             */ 
        /*-------------------------------------------------------------*/ 
        REPRO INDATASET(CSQ1.BAK.LOGS.LOGCOPY1.DS001)      - 
              OUTDATASET(CSQ1.LOGS.LOGCOPY1.DS001)
      
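The steps above can be submitted as a single batch job, which is how they would usually be run for each log data set. The following job is an added example and not part of the original page or of IBM MQ: it assumes a job card, step names, the use of IKJEFT01 to issue the RACF commands in batch, and a final LISTCAT step to confirm the result. The RACF and IDCAMS commands themselves are the ones from the procedure, applied to CSQ1.LOGS.LOGCOPY1.DS001.

```jcl
//CSQ1ENC  JOB (ACCT),'ENCRYPT CSQ1 LOGS',CLASS=A,MSGCLASS=X,
//             NOTIFY=&SYSUID
//*-----------------------------------------------------------------*
//* Added example (not from the original page). Job card, step      *
//* names, the IKJEFT01 step and the VERIFY step are assumptions.   *
//*-----------------------------------------------------------------*
//* Steps 1-4: profile, access, DFP segment with key label, refresh *
//* Issued as TSO commands in batch. IKJEFT01 does not pass command *
//* failures through as a step return code, so review SYSTSPRT.     *
//* Omit ADDSD if the profile already exists (Step 1 of the text).  *
//*-----------------------------------------------------------------*
//RACF     EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDSD 'CSQ1.LOGS.*' UACC(NONE)
  PERMIT 'CSQ1.LOGS.*' ID(QMCSQ1) ACCESS(ALTER)
  ALTDSD 'CSQ1.LOGS.*' DFP(RESOWNER(QMCSQ1) DATAKEY(CSQ1DSKY))
  SETROPTS GENERIC(DATASET) REFRESH
/*
//*-----------------------------------------------------------------*
//* Step 5a: rename the existing, unencrypted log to a backup name. *
//* COND=(0,NE) skips the IDCAMS steps once any prior step fails.   *
//*-----------------------------------------------------------------*
//RENAME   EXEC PGM=IDCAMS,REGION=0M,COND=(0,NE)
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  ALTER 'CSQ1.LOGS.LOGCOPY1.DS001'                   -
        NEWNAME('CSQ1.BAK.LOGS.LOGCOPY1.DS001')
/*
//*-----------------------------------------------------------------*
//* Step 5b: redefine under the original name. The DFP segment of   *
//* CSQ1.LOGS.* supplies the key label, so the cluster is created   *
//* encrypted. Replace ++EXTDCLASS++ with an extended format data   *
//* class before submitting.                                        *
//*-----------------------------------------------------------------*
//REDEFINE EXEC PGM=IDCAMS,REGION=0M,COND=(0,NE)
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  DEFINE CLUSTER                                     -
         (NAME(CSQ1.LOGS.LOGCOPY1.DS001)             -
         LINEAR                                      -
         SHAREOPTIONS(2 3)                           -
         MODEL(CSQ1.BAK.LOGS.LOGCOPY1.DS001)         -
         DATACLAS(++EXTDCLASS++))
/*
//*-----------------------------------------------------------------*
//* Step 5c: copy the log records back; data is encrypted on write. *
//*-----------------------------------------------------------------*
//RESTORE  EXEC PGM=IDCAMS,REGION=0M,COND=(0,NE)
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  REPRO INDATASET(CSQ1.BAK.LOGS.LOGCOPY1.DS001)      -
        OUTDATASET(CSQ1.LOGS.LOGCOPY1.DS001)
/*
//*-----------------------------------------------------------------*
//* Check: LISTCAT ALL reports the data set's encryption attributes *
//* and key label, so the result can be confirmed before restart.   *
//*-----------------------------------------------------------------*
//VERIFY   EXEC PGM=IDCAMS,REGION=0M,COND=(0,NE)
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  LISTCAT ENTRIES(CSQ1.LOGS.LOGCOPY1.DS001) ALL
/*
```

Because the RACF step changes the generic profile, it only needs to run once; for the remaining log data sets (DS002 and so on) resubmit the job with the RACF step removed and the data set names changed in the RENAME, REDEFINE, RESTORE and VERIFY steps. Keep the CSQ1.BAK.* copies until the queue manager has been restarted and the DISPLAY LOG output confirms the logs are encrypted, since they are the only unencrypted fallback.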


What to do next

Repeat Step 5 for all active log data sets.

Only a single encryption key is required, and all data sets can be associated with the same key label.

Restart queue manager CSQ1. Use the output from the DISPLAY LOG command to verify that the log data sets have been encrypted.
