Enabling ENCRYPTION for CA Datacom Databases

book

Article ID: 125582

calendar_today

Updated On:

Products

CA Datacom - DB CA Datacom CA Datacom - AD CA Datacom - Server CA CIS CA Common Services for z/OS CA 90s Services CA Database Management Solutions for DB2 for z/OS CA Common Product Services Component CA Common Services CA Datacom/AD CA ecoMeter Server Component FOC CA Easytrieve Report Generator for Common Services CA Infocai Maintenance CA IPC Unicenter CA-JCLCheck Common Component CA Mainframe VM Product Manager CA Chorus Software Manager CA On Demand Portal CA Service Desk Manager - Unified Self Service CA PAM Client for Linux for zSeries CA Mainframe Connector for Linux on System z CA Graphical Management Interface CA Web Administrator for Top Secret CA CA- Xpertware

Issue/Introduction

Is there any documentation that summarizes what needs to be done to enable ENCRYPTION for a CA Datacom database, e.g. y=the DBUTLTY steps, the DICTIONARY steps etc.

Environment

z/os, CA Datacom/DB 15.0 and higher

Resolution

Be careful, before implementing encryption:
A major point for clients to know is that implementing  table encryption requires the data to be backed up and loaded. It will take the same effort and time to remove encryption, should that ever be desired. This requires an outage of the data for applications, which may be a big consideration. 

This is a major problem for many sites and so should be very clear up front. 

Another concern for some is that some of the DBUTLTY functions must run with DBUTLTY authorized and so if the site is not already doing this, it must be done. 
-------------------------------------


The following steps will enable data base encryption: 


- On the data base side, update the CXX, a TYPE=K CXX report will show the available encryption options 

<Please see attached file for image>

User-added image

- Set ENCRYPT OPTION via DBUTLTY:
//CXXNCRYP EXEC PGM= DBUTLTY, 
//SYSIN DD * 
ENCRYPT OPTION=SET_BASIC_KEY_1,OPTION2=*,OPTION4=* 


- REPORT AREA=CXX,TYPE=K 
RECOVER - YES ENCRYPTION - B(BASIC) C(AES256) 


- Execute the following DDUPDATE statements 
//SYSIN DD * 
COMM OPTION=CLOSE,DBID=nnn 
-USR DATACOM-INSTALL,NEWUSER 
-UPD DATABASE,basename(PROD,DD,PRIV) 
1000 RESTORE,T001 
-END 
-UPD TABLE,tablname(PROD) 
3150 ttt Y 
-END
3154 B C 
-END
-CPY DATABASE,basename(T001,DD,PRIV),PROD 
-END
-UPD DATABASE,basename(PROD) 
1000 CATALOG 
-END 

Additional Information

https://docops.ca.com/ca-datacom/15-1/en/reference/dbutlty-reference/utility-function-summary/encrypt-facilitate-data-encryption

DDUPDATE 3154 transaction:


https://docops.ca.com/ca-datacom/15-1/en/using/ca-datacom-datadictionary-batch-facilities/ddupdate-updating-datadictionary/3150-to-3160-table-transactions#id-3150to3160TABLETransactions-3154TABLETransaction
 

3154 TABLE Transaction

Use the 3154 transaction to specify the Data Encryption requirements for the specified TABLE occurrence. The format of the 3154 transaction follows. Names in parentheses are the attribute names as they appear on batch reports and online panels.

Starting
Position
LengthDescription
14Enter 3154 as the transaction code.
(DDMAINT-REC-TYP)
61(Optional) Enter a valid Encryption Type Code.
(ENCRYPTION_TYPE)
Valid entries: B or blank
Default value: blank (none)
81

(Optional) Enter a valid Encryption Method Code.
(ENCRYPTION-METHOD) as follows:

A - represents use of AES128
B - represents use of AES192
C - represents use of AES256

Valid entries: A, B, C, or blank
Default value: blank (none)

Attachments

1558689828416000125582_sktwi1f5rjvs16g23.jpeg get_app