Encryption of Container Datasets

The Adabas nucleus and utilities work with the following “database container datasets”:

Container   Associated DD name(s)
ASSO        DDASSOR1 … DDASSORn, where 1 ≤ n ≤ 9
            DDASSO10 … DDASSOnn, where 10 ≤ nn ≤ 99
DATA        DDDATAR1 … DDDATARn, where 1 ≤ n ≤ 9
            DDDATA10 … DDDATAnn, where 10 ≤ nn ≤ 99
WORK        DDWORKR1, DDWORKR4
CLOG        DDCLOGR1 … DDCLOGRn, where 1 ≤ n ≤ 8
PLOG        DDPLOGR1 … DDPLOGRn, where 1 ≤ n ≤ 8
RLOG        DDRLOGR1
DSIM        DDDSIMR1
SORT        DDSORTR1, DDSORTR2
TEMP        DDTEMPR1

When the selectable unit Adabas Encryption is used, any of the above container datasets can be encrypted.

The decision whether to encrypt a dataset or not is made at the dataset level when the dataset is created. One dataset can be encrypted while another dataset is left unencrypted.

Note:
It is possible to encrypt, say, DDASSOR1 and DDDATAR1, and to leave DDASSOR2 and DDDATAR2 unencrypted, but such a setup has certain ramifications and is not recommended. Refer to the section Operations > Encrypting Only Parts of ASSO and DATA.
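
The DD-name table and the note above can be combined into a pre-change check. The following is an added example, not Software AG code: it classifies DD names by the ranges in the table and reports ASSO or DATA containers whose datasets are in a mixed encryption state. The inventory format (DD name mapped to an "encrypted" flag), the function names and the sample values are assumptions; how the flag is obtained for each dataset is outside the example.

```python
import re

# DD-name patterns per container, transcribed from the table above.
DD_PATTERNS = {
    "ASSO": r"DDASSO(R[1-9]|[1-9][0-9])",
    "DATA": r"DDDATA(R[1-9]|[1-9][0-9])",
    "WORK": r"DDWORKR[14]",
    "CLOG": r"DDCLOGR[1-8]",
    "PLOG": r"DDPLOGR[1-8]",
    "RLOG": r"DDRLOGR1",
    "DSIM": r"DDDSIMR1",
    "SORT": r"DDSORTR[12]",
    "TEMP": r"DDTEMPR1",
}


def classify(dd_name):
    """Return the container type for a DD name, or None if it is not a container DD."""
    name = dd_name.strip().upper()
    for container, pattern in DD_PATTERNS.items():
        if re.fullmatch(pattern, name):
            return container
    return None


def partially_encrypted(inventory):
    """Return {container: (encrypted DDs, unencrypted DDs)} for ASSO/DATA in mixed state.

    inventory maps DD name -> True if the dataset behind it is encrypted (assumed format).
    """
    groups = {"ASSO": ([], []), "DATA": ([], [])}
    for dd, encrypted in sorted(inventory.items()):
        container = classify(dd)
        if container in groups:
            groups[container][0 if encrypted else 1].append(dd)
    return {c: g for c, g in groups.items() if g[0] and g[1]}


# Constructed sample inventory (not from a real system): the setup described in the note.
SAMPLE = {
    "DDASSOR1": True, "DDASSOR2": False,
    "DDDATAR1": True, "DDDATAR2": False,
    "DDWORKR1": True, "DDPLOGR1": False,
}

if __name__ == "__main__":
    for container, (enc, plain) in partially_encrypted(SAMPLE).items():
        print(f"{container}: encrypted {enc}, unencrypted {plain}")
```

Mixed states in WORK, PLOG and the other containers are not reported, because the note concerns only ASSO and DATA.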

A dataset can be changed from unencrypted to encrypted only by creating it anew and, if necessary, migrating the data it contains. The following table describes the state that each database container dataset must be in before it can be replaced by a new dataset:

Container   Change state
ASSO        DDASSORn and DDASSOnn datasets must be created from new.

            Data in the database must be migrated to the new datasets, usually via an ADASAV SAVE and ADASAV RESTORE or RESTONL.

            Refer to the section Operations > Migrating to an Encrypted Database for information on the methods that can be used to migrate an existing database to a new, encrypted one, including methods with brief Adabas downtime.

DATA        DDDATARn and DDDATAnn datasets must be created from new.

            Data in the database must be migrated to the new datasets, usually via an ADASAV SAVE and ADASAV RESTORE or RESTONL.

            Refer to the section Operations > Migrating to an Encrypted Database for information on the methods that can be used to migrate an existing database to a new, encrypted one, including methods with brief Adabas downtime.

WORK        DDWORKR1 can be changed after the Adabas nucleus has been shut down normally (that is, without a pending autorestart). In a cluster, this can be done separately for each nucleus.

            DDWORKR4 (used when Adabas is running with DTP=RM in conjunction with the Adabas Transaction Manager) can be changed after the nucleus has shut down normally, if there are no unresolved distributed transactions involving this database. In a cluster, all nuclei share the same DDWORKR4 dataset and must all be shut down.

PLOG        DDPLOGRn can be changed after the nucleus has been shut down normally and all outstanding PLCOPY operations have completed. In a cluster, this can be done separately for each nucleus.

CLOG        DDCLOGRn can be changed after the nucleus has been shut down normally and all outstanding CLCOPY operations have completed. In a cluster, this can be done separately for each nucleus.

RLOG        DDRLOGR1 (used by the Adabas Recovery Aid) can be changed after the nucleus has been shut down normally and when no utility is running. ADARAI PREPARE must be run with the new RLOG.

            The contents of the old RLOG cannot be migrated to the new one. In a cluster, all nuclei share the same DDRLOGR1 and must all be shut down.

DSIM        DDDSIMR1 (used by the Adabas Delta Save Facility) can be changed when it contains no data from an online save that is still to be included in an outstanding ADASAV MERGE operation.

SORT        DDSORTR1 and DDSORTR2 can be changed between any utility operations that use them.

TEMP        DDTEMPR1 can be changed between any utility operations that use it.

Refer to the section Operations > Migrating to an Encrypted Database for information on the methods that can be used to migrate an existing database to a new, encrypted one.

Once a database container dataset is encrypted, Adabas Encryption must be used for all nucleus and utility jobs working with that dataset. Without Adabas Encryption, the nucleus and utilities cannot read encrypted container datasets.

Adabas reads and writes database container datasets using EXCP, which is a low-level I/O interface. If a container dataset is encrypted, Adabas uses a z/OS service to encrypt the data before it is written to disk and to decrypt the data after it has been read from disk. The actual encryption, decryption and key management are performed by z/OS. The invocation and control of the encryption and decryption operations are performed by Adabas.

Adabas encrypts the blocks of an encrypted container dataset as early as formatting (ADAFRM ASSOFRM, DATAFRM, and so on) and again on each write of new data. Different blocks that hold the same plaintext before encryption (for example, binary zeros) have different ciphertext after encryption.