IBM Information Management System (IMS) - Group home

Pushing the Limits of Modern Security: Pervasive Encryption for IMS OSAM Databases

Data breaches at large enterprises are becoming increasingly common. Every day, bad actors seek to take advantage of software vulnerabilities and gain unauthorized access to critical data. The need to secure sensitive information has never been greater.

The IMS team understands how valuable the information our clients store in their IMS databases is. We are committed to offering state-of-the-art encryption and security for our clients. To aid in that effort, in IMS version 15.2, we are excited to release our next significant advancement in modern security: Pervasive Encryption for IMS Overflow Sequential Access Method (OSAM) databases! This offering brings extensive encryption of data at-rest and in-flight for information stored in one of IMS's most popular databases.

OSAM Encryption
OSAM is an proprietary access method to IMS that consists of a series of channel programs that IMS runs so that it can use the standard operating system channel I/O interface. OSAM is used for databases, local message queue data sets, and restart data sets. 

OSAM encryption enables a greater portion of your data to be automatically encrypted, providing security-rich protection for your IMS data without you having to do additional work. 

IMS version 15.2 is enhanced to support Virtual Storage Access Method (VSAM) linear data sets (LDS) as an optional data set format for OSAM databases. By using linear data sets, database administrators can use z/OS data set encryption to encrypt OSAM data without changes to applications and without experiencing outages. 
Applications that access an OSAM database through IMS (online or batch) will continue to work with VSAM linear data sets. Additionally, utilities and Database Recovery Control (DBRC) commands have been enhanced to support VSAM linear data sets.

How it works
With z/OS data set encryption, you can identify new data sets or groups of data sets to be encrypted. This is done through SAF controls or RACF and SMS policies. 
You can specify key labels to identify encryption keys. The key label and encryption key reside in the Cryptographic Key Data Set (CKDS). When an encrypted data set is created, the key label is stored as an attribute of the data set.
Authorization to view the data set contents is based on access to the key label that is associated with the data set, which is used by Data Facility Storage Management Subsystem (DFSMS) to encrypt and decrypt the data.
Encrypted data sets must be in the SMS-managed extended format. They can also be in compressed format. If you simply want to test converting to MM LDS (without encryption), the data sets do not need to be SMS-managed.

Key changes to OSAM and VSAM
Here are some other important changes:
  • OSAM now supports a key label, encryption key, encryption, and decryption.
  • OSAM I/O has been converted to use Media Manager and VSAM linear data sets.
  • Although the IMS database code has been enhanced to support VSAM linear data (LDS) as an optional data set format for OSAM databases, traditional OSAM non-VSAM database data sets are still supported.
  • OSAM now uses Media Manager to access VSAM linear data sets instead of direct channel programs.
  • With VSAM linear data sets, you will be able to exploit newer technologies that are available through Media Manager, such as High Performance FICON® for z Systems™ (zHPF).
The IMS Performance team recently conducted a study on how OSAM Encryption affects IMS’s performance. You can read it here.

Can’t wait to get your hands on Pervasive Encryption for IMS OSAM databases? Here’s what you’ll need:
Software prerequisites:
  • z/OS 2.3 and later, or z/OS 2.2 with APAR OA50569 and dependent APARs installed
  • IMS version 15.2 PTF (APAR PH16682/PTF UI67505)
  • Follow-on APARs containing the FIXCAT keyword: IMSOSAMLDS/K
Hardware prerequisites:
  • Z196
  • Crypto Express 3
Our team is excited for you to try this offering. Client security has always been a top priority for us, and we are thrilled to continue adding additional layers of security so that you can be confident your data is secure in IMS.
For more information about Pervasive Encryption for IMS OSAM databases, be sure to check out the Knowledge Center. Also, don’t forget to check out our IMS Community page as well as subscribe to the eNews for the latest updates from the IMS team, such as this blog!
Happy encrypting!