Enabling ENCRYPTION for Datacom Databases

Products

Datacom Datacom/AD Datacom/DB

Issue/Introduction

Is there any documentation that summarizes what needs to be done to enable ENCRYPTION for a Datacom database? For example what are the DBUTLTY steps, the DATADICTIONARY steps etc.

Environment

Release: 15.1 and higher

Resolution

Things to consider before implementing encryption:

A major point for clients to know is that implementing table encryption requires the data to be backed up and loaded. It will take the same effort and time to remove encryption, should that ever be desired. This requires an outage of the data for applications, which may be a big consideration.

Another concern for some is that some of the DBUTLTY functions must run with DBUTLTY APF Authorized and so if the site is not already doing this, it must be done.

The following steps will enable database encryption:

On the database side, update the CXX. Running a TYPE=K CXX report will show the available encryption options

Set ENCRYPT OPTION via DBUTLTY:

//SYSIN DD * 
ENCRYPT OPTION=SET_BASIC_KEY_1,OPTION2=*,OPTION4=*

Produce CXX report in DBUTLTY:
```
//SYSIN DD * 
REPORT AREA=CXX,TYPE=K
```
You should now see RECOVER - YES ENCRYPTION - B(BASIC) C(AES256)
Run DBUTLTY BACKUP after closing the base in the MUF. This needs to be run before the DDUPDATE CATALOG.

Execute the following DDUPDATE statements:

//SYSIN DD * 
-USR DATACOM-INSTALL,NEWUSER 
-UPD DATABASE,basename(PROD,DD,PRIV) 
1000 RESTORE,T001 
-END 
-UPD TABLE,tablname(T001) 
3150 ttt              Y                                      ---  note Y in position 22 for RECOVERY    
3154 B C 
-END
-CPY DATABASE,basename(T001,DD,PRIV),PROD 
-END
-UPD DATABASE,basename(PROD) 
1000 CATALOG 
-END

Run a DBUTLTY LOAD to encrypt the table.

Additional Information

For documentation , see

Data Encryption

DBUTLTY ENCRYPT (Facilitate Data Encryption)

DDUPDATE 3154 transaction

3154 TABLE Transaction

Use the 3154 transaction to specify the Data Encryption requirements for the specified TABLE occurrence. The format of the 3154 transaction follows. Names in parentheses are the attribute names as they appear on batch reports and online panels.

Starting
Position Length Description

1 4 Enter 3154 as the transaction code.
(DDMAINT-REC-TYP)

6 1 (Optional) Enter a valid Encryption Type Code.
(ENCRYPTION_TYPE)
Valid entries: B or blank
Default value: blank (none)

8 1
(Optional) Enter a valid Encryption Method Code.
(ENCRYPTION-METHOD) as follows:

A - represents use of AES128
B - represents use of AES192
C - represents use of AES256

Valid entries: A, B, C, or blank
Default value: blank (none)

Starting Position	Length	Description
1	4	Enter 3154 as the transaction code. (DDMAINT-REC-TYP)
6	1	(Optional) Enter a valid Encryption Type Code. (ENCRYPTION_TYPE) Valid entries: B or blank Default value: blank (none)
8	1	(Optional) Enter a valid Encryption Method Code. (ENCRYPTION-METHOD) as follows: A - represents use of AES128 B - represents use of AES192 C - represents use of AES256 Valid entries: A, B, C, or blank Default value: blank (none)