As of release 2.4 of z/OS, IBM have made AllowUserKeyCSA(NO) compulsory.

The instructions for what needs to be done to IDMS to support this can be found at Storage Key Considerations for z/OS CSA Subpools.

This article contains a list of frequently asked questions on this topic.

Release : All supported releases.
Component : CA IDMS

1. The STEPLIB of the CV must be APF authorized. What if there is more than one load library in STEPLIB ?

There is never any good reason to have more than one load library in the STEPLIB of a CV. For more information on that, see KD 140728: What must be in STEPLIB of an IDMS CV? However, if there is more than one load library in STEPLIB, they must all be authorized in order for the STEPLIB as a whole to be considered authorized.

2. Is the sysgen system statement clause ERUS FETCH PROTECT IS OFF (or ERUS_FETCH_PROTECT_OFF in SYSIDMS) necessary?

Almost certainly not. This is only necessary if you have user code in CICS accessing IDMS EREs. This is an unusual practice and very few clients do it. For more information, see KD 112619: The need for ERUS FETCH PROTECT IS OFF.

3. If this requires that a new KEY() value is set in the PPT entry, does CVKEY in the #SVCOPT also have to be changed?

Possibly. If CVKEY in #SVCOPT is not *, then it must be the same as the KEY() value set in the PPT entry.
See Generating the SVC and also point 3 in KD 117597: IDMS CV setup for ALLOWUSERKEYCSA(NO) clarification for more information.

4. Do these changes require that the CV be down?

The changes do not have to be made while the CV is down.
However, changes to the PPT entry will not take effect until the CV is cycled.
Furthermore, if the SVC has changed (see point 3 above), it must be reloaded with CAIRIM, and that must happen with all CVs down. See KD 13676: Which CVs need to be shut down when refreshing the SVC with CAIRIM? for more information.

5. Is it mandatory to use KEY(4)?

The KEY() must be a non-user key - between 1 and 7 inclusive. Broadcom strongly recommends using KEY(4).

6. Why is the PPT entry now required?

Without a PPT entry, the KEY() will default to 8.

7. Is the STORAGE KEY clause of the sysgen SYSTEM statement the same as the KEY() in the PPT entry?

No. The PRIMARY PROTECT KEY is specified in the KEY() clause of the PPT entry. The ALTERNATE PROTECT KEY is something different. It is specified in the STORAGE KEY IS clause of the SYSTEM statement in sysgen and should be set to 9. This is for the support of the High Performance Storage Protect feature.

8. Are these changes downward compatible?

Yes. The changes documented here for the support of AllowUserKeyCSA(NO) will work with AllowUserKeyCSA(YES), regardless of the z/OS release.

9. What happened to the "+" sign before IDMS messages on the CV jeslog?

With the CV steplib now authorized, messages written to the CV jeslog are no longer prefixed by a plus sign, "+", as they were when the steplib was not authorized. This is a z/OS feature and not related to anything that IDMS can influence. Be mindful of this in the event that you have any automation relying on the presence of the "+" sign.