Encryption: an alternative to access control

When preventing access to the data is difficult or impractical, encryption can protect data that is in files or data that is being communicated in a network. IMS™ offers some file encryption capability (through IMS Segment Edit/Compression exit routines, for example) but no communication encryption capability.

The following list provides additional information about encryption:

Using cryptographic support
The Programmed Cryptographic Facility, program number 5740-XY5, provides file and communications encryption under z/OS®. File encryption of the physical hierarchical database keeps unauthorized individuals from looking at the data when the physical disk pack containing the database is removed from its usual area. File encryption support extends to VSAM physical databases. Communications encryption supports ACF/VTAM-supported terminals.
Using the segment edit/compression exit routine (not DCCTL)
You can use this routine to provide data encryption. By including the IBM® Programmed Cryptographic Facility within your exit routine, you can reduce your programming effort. The facility is executed by assembler macro calls. Segments are encrypted before being placed in the database buffer pool. The SEGM control statement in the IMS DBDGEN includes a keyword to specify the name of this exit routine.
Using the ICSF/CCA interface
You can use ICSF/CCA APIs in the IMS DB Segment Edit/Compression exit. IMS supports the Programmed Cryptographic Facility (PCF) interface transparently through the ICSF/CCA interface. Programs that are written to the PCF interface run, without modification, through the ICSF/CCA interface. If you want your PCF programs to use the ICSF/CCA APIs, however, you must modify those PCF programs.

The ICSF/CCA interface has two PCF compatibility modes.

  • ICSF mode COMPAT(YES) means that programs written to the Programmed Cryptographic Facility interface run without change, and calls made directly to the ICSF/CCA API also run. There are some limitations for dynamic master key change in this mode.
  • ICSF mode COMPAT(NO) means that only programs coded to the CCA API run.