The Latest in z/OS UNIX and zFS

Marna WALLE, Member of the IBM Academy of Technology
z/OS System Installation
IBM Z Systems, Poughkeepsie NY USA

Thanks for material provided by Vivian Morabito, zFS Function Test, and Bill Schoen, z/OS UNIX Development.

Agenda

zFS:
• Encryption and Compression
• Shrink
• SMF Recording
• Implicit Format on mount
• Online Salvage (verify / repair)
• Supplemental: Dynamic Change Aggregate Attributes (chaggr), Miscellaneous updates, and zFS V2R3 Performance Measurements

z/OS UNIX:
• HFS to zFS utility
• Automatic unmount of version file system in shared file system
• Maintaining a single configuration file across the sysplex
• Assigning default umask values to all z/OS UNIX users

© Copyright IBM Corporation 2018. Materials may not be reproduced in whole or in part without the prior written permission of IBM.

zFS Encryption and Compression: V2R3 Encryption & Compression Support for zFS

• New and existing filesystems can be encrypted and / or compressed
• User decides which operation, and in what order. HOWEVER, if you want to do both, compression before encryption is highly recommended.
• After a filesystem is fully encrypted or compressed, additional new entries will automatically be encrypted or compressed

zFS Encryption and Compression: V2R3 Encryption & Compression Support for zFS (continued)

• Encrypting or compressing an existing filesystem is a long-running administrative command
• Application access is fully allowed to the filesystem during the operation.
• Progress may be monitored with FSINFO

zFS Encryption and Compression: zFS V2R3 new long running admin commands

• New thread pool created for long running commands
  • Foreground threads – handle overall long running operation(s)
  • Background threads – used by foreground thread to allow for parallelism
• New configuration option long_cmd_threads
  • long_cmd_threads=foreground, background
  • (each value can be 1-64, default is 8,24)
• Long running commands require an available foreground thread

© Copyright IBM Corporation 2017. Technical University/Symposia materials may not be reproduced in whole or in part without the prior written permission of IBM. IBM Systems Technical Events | ibm.com/training/events

zFS Encryption and Compression: zFS V2R3 new long running admin commands (continued)

• Background tasks on the zFS owning system process every object in the filesystem.
• Try not to use long running commands (encrypt, compress, shrink) during periods of high activity.
• Best to use them during "off shift" time periods

zFS Encryption / Compression

• zFS Encryption & Compression are both V2R3 ONLY
• If there are V2R1 or V2R2 members in the sysplex:
  • Encryption or Compression may not be initiated.
  • If you mount an encrypted or compressed filesystem on a V2R3 member in a sysplex with V2R1 or V2R2 members, zFS will function ship to the downlevel members (significant performance impact)
• Wait until you are fully on V2R3 on all systems (with no intent to go back) before using zFS encryption and compression services!

zFS Encryption / Compression commands

• Decryption & Decompression are supported
• Allows you to back out, if pre-V2R3 members need to be brought back into the sysplex

zFS Encryption / Compression (continued)

• Consider pairing encryption with compression.
• If the compression is done first, the amount of data to be encrypted is smaller, which may improve performance.
• zFS does not perform a "dual" compression and encryption: user directs the actions separately.
• You cannot encrypt or decrypt an aggregate that is partially compressed or partially decompressed.
• You cannot compress / decompress an aggregate that is partially encrypted or partially decrypted.

zFS Encryption

• Utilizes DFSMS Encryption for VSAM datasets
  • Uses ICSF* to perform encryption and decryption and to manage cryptographic keys. The userid associated with zFS needs access to those keys.
  • ICSF configuration is beyond the scope of this zFS-specific presentation.
  • Ensure that ICSF is running early in the IPL (COMMNDxx, not automation, S CSF,SUB=MSTR) before you exploit DFSMS data set encryption.
  • (zFS relaxes the DFSMS rule that the data set be SMS-managed and extended format.)
• zFS encrypts:
  • file contents
  • security information
  • ACLs (Access Control Lists)
  • symbolic link contents
• zFS does NOT encrypt the zFS cache

* ICSF: z/OS Integrated Cryptographic Service Facility

zFS Encryption (continued)

• Only V1.5 filesystems may be encrypted
• Filesystem must be mounted R/W
• New configuration option: EDC_BUFFER_POOL
  • Specifies size of real storage permanently fixed and reserved for encryption & compression I/O
  • Default: 32 M for zFS PFS, setting may range from 1 M to 1 G
• ICSF must be active to encrypt
• Ensure the PTF for APAR OA54005 is installed.

zFS Encryption – Key Label

• Encryption requires a key label
• Encryption key labels identify the encryption keys to be used to encrypt selected data sets.
• The specified key label and encryption key must exist in the ICSF key repository (CKDS)

zFS Encryption – Key Label (continued)

• Key labels on a filesystem cannot be changed after you assign them
  • Even if the filesystem has not yet been encrypted
• The assignment of a key label does not encrypt a filesystem; it makes it eligible for encryption
• Once a filesystem has a key label, it can never be owned by a member at a level lower than V2R3.

zFS Encryption: Creating a NEW encrypted filesystem

1. Define filesystem
2. Assign a key label
3. Format for encryption

Data will automatically be encrypted on write.

zFS Encryption: New encrypted filesystem, DEFINE and assign

IDCAMS DEFINE CLUSTER (from JCL)
• Must use new ZFS keyword
• KEYLABEL( keylabel ) keyword

zfsadm define (from the shell)
• -keylabel keylabel

zFS Encryption: IDCAMS DEFINE CLUSTER and assign example

//ZDEFKEY  JOB ,'DEFINE WITH KEYLABEL',
//         MSGCLASS=H,
//         CLASS=A,
//         TIME=(1440),MSGLEVEL=(1,1)
//* Define a zFS aggregate and assign its key label at DEFINE time
//DEFINE   EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=H
//SYSUDUMP DD SYSOUT=H
//AMSDUMP  DD SYSOUT=H
//DASD0    DD DISP=OLD,UNIT=3390,VOL=SER=POSIX1
//SYSIN    DD *
  DEFINE CLUSTER (NAME(POSIX.DEFKEY.EXAMPLE) -
         VOLUMES(POSIX1) -
         ZFS CYL(25 0) SHAREOPTIONS(3) -
         KEYLABEL(PROTKEY.AES.SECURE.KEY.32BYTE) )
/*

zFS Encryption: zfsadm define and assign example

zfsadm define -aggr POSIX.DEFKEYL -cyl 3 -keylabel PROTKEY.AES.SECURE.KEY.32BYTE

zFS Encryption: New encrypted filesystem, FORMAT

• New keyword(s) on format (zfsadm format, IOEFSUTL format, IOEAGFMT):
  • -encrypt | -noencrypt
• New zFS configuration variable introduced in V2R3 to set the installation default for encryption (IOEFSPRM):
  • FORMAT_ENCRYPTION ON | OFF
• Specifying -encrypt or -noencrypt on define will override FORMAT_ENCRYPTION
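
The three-step procedure above (define, assign a key label, format for encryption), combined with the prerequisites from the earlier slides, as an added example that is not part of the IBM presentation: a dry-run shell function that refuses when a prerequisite fails and otherwise prints the two zfsadm commands. The function name, its argument layout and the key-label syntax check are assumptions of this example; it does not query the system or the CKDS.

```shell
#!/bin/sh
# Added example (not IBM's code): dry-run gate for creating a NEW encrypted
# zFS aggregate. It prints commands only; every input is supplied by the caller.
LC_ALL=C; export LC_ALL   # keep the [A-Z] ranges below ASCII-only

# plan_encrypted_aggr AGGR CYLS KEYLABEL "MEMBER_LEVELS" ICSF_ACTIVE
#   MEMBER_LEVELS: z/OS level of every sysplex member, e.g. "V2R3 V2R3"
#   ICSF_ACTIVE:   yes | no
# Prints the zfsadm commands (rc 0) or "REFUSE: <reason>" (rc 1).
plan_encrypted_aggr() {
    aggr=$1; cyls=$2; keylabel=$3; levels=$4; icsf=$5

    # A labelled aggregate can never be owned by a member below V2R3.
    [ -n "$levels" ] || { echo "REFUSE: no sysplex member levels given"; return 1; }
    for lvl in $levels; do
        case $lvl in
            V2R3) ;;
            V2R1|V2R2) echo "REFUSE: downlevel sysplex member ($lvl)"; return 1 ;;
            *) echo "REFUSE: level $lvl is not covered by this check"; return 1 ;;
        esac
    done

    # ICSF performs the encryption and manages the key, so it must be active.
    [ "$icsf" = yes ] || { echo "REFUSE: ICSF is not active"; return 1; }

    # The label is permanent once assigned, so reject malformed input up front.
    # Syntax follows ICSF's general key-label rules (an assumption here, not on
    # the slides). Whether the key exists in the CKDS is NOT checked.
    case $keylabel in
        ""|[!A-Z#\$@]*|*[!A-Z0-9#\$@.]*)
            echo "REFUSE: malformed key label"; return 1 ;;
    esac
    [ "${#keylabel}" -le 64 ] || { echo "REFUSE: key label over 64 characters"; return 1; }

    case $cyls in
        ""|*[!0-9]*) echo "REFUSE: cylinders must be a whole number"; return 1 ;;
    esac

    # Steps 1 and 2: define and assign the label. Step 3: format with an explicit
    # -encrypt so the outcome does not depend on the FORMAT_ENCRYPTION default.
    echo "zfsadm define -aggr $aggr -cyl $cyls -keylabel $keylabel"
    echo "zfsadm format -aggregate $aggr -encrypt"
}

# Constructed sample input, reusing the names from the slides' zfsadm example.
plan_encrypted_aggr POSIX.DEFKEYL 3 PROTKEY.AES.SECURE.KEY.32BYTE "V2R3 V2R3" yes
```

Because a key label cannot be changed once assigned, the label check runs before the define command is ever printed.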
