Enabling ENCRYPTION for CA Datacom Databases

Document ID : KB000125582
Last Modified Date : 20/02/2019
Issue:
Is there any documentation that summarizes what needs to be done to enable ENCRYPTION for a CA Datacom database, e.g. the DBUTLTY steps, the DICTIONARY steps, etc.?
Environment:
z/OS, CA Datacom/DB 15.0 and higher
Resolution:
Be careful before implementing encryption:
A major point for clients to know is that implementing table encryption requires the data to be backed up and loaded. It will take the same effort and time to remove encryption, should that ever be desired. This requires an outage of the data for applications, which may be a big consideration.

This is a major problem for many sites, so it should be made very clear up front.

Another concern for some sites is that some of the DBUTLTY functions must run with DBUTLTY authorized, so if the site is not already doing this, it must be set up.
-------------------------------------


The following steps will enable database encryption:


- On the database side, update the CXX. A TYPE=K CXX report will show the available encryption options.

- Set ENCRYPT OPTION via DBUTLTY:
//CXXNCRYP EXEC PGM=DBUTLTY
//SYSIN DD * 
ENCRYPT OPTION=SET_BASIC_KEY_1,OPTION2=*,OPTION4=* 


- REPORT AREA=CXX,TYPE=K 
RECOVER - YES ENCRYPTION - B(BASIC) C(AES256) 


- Execute the following DDUPDATE statements 
//SYSIN DD * 
COMM OPTION=CLOSE,DBID=nnn 
-USR DATACOM-INSTALL,NEWUSER 
-UPD DATABASE,basename(PROD,DD,PRIV) 
1000 RESTORE,T001 
-END 
-UPD TABLE,tablname(PROD)
3150 ttt Y
3154 B C
-END
-CPY DATABASE,basename(T001,DD,PRIV),PROD 
-END
-UPD DATABASE,basename(PROD) 
1000 CATALOG 
-END 
Additional Information:
https://docops.ca.com/ca-datacom/15-1/en/reference/dbutlty-reference/utility-function-summary/encrypt-facilitate-data-encryption

DDUPDATE 3154 transaction:


https://docops.ca.com/ca-datacom/15-1/en/using/ca-datacom-datadictionary-batch-facilities/ddupdate-updating-datadictionary/3150-to-3160-table-transactions#id-3150to3160TABLETransactions-3154TABLETransaction
 

3154 TABLE Transaction

Use the 3154 transaction to specify the Data Encryption requirements for the specified TABLE occurrence. The format of the 3154 transaction follows. Names in parentheses are the attribute names as they appear on batch reports and online panels.

Starting Position   Length   Description
1                   4        Enter 3154 as the transaction code.
                             (DDMAINT-REC-TYP)
6                   1        (Optional) Enter a valid Encryption Type Code.
                             (ENCRYPTION_TYPE)
                             Valid entries: B or blank
                             Default value: blank (none)
8                   1        (Optional) Enter a valid Encryption Method Code
                             (ENCRYPTION-METHOD) as follows:
                             A - represents use of AES128
                             B - represents use of AES192
                             C - represents use of AES256
                             Valid entries: A, B, C, or blank
                             Default value: blank (none)
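
Because the 3154 transaction is positional and blank means "none", a card shifted by one column can read as no encryption at all. The following check is an added example, not CA/Broadcom code: it lints 3154 lines in a DDUPDATE deck using the column layout above. The function names, the sample table names, and the rules that positions 5 and 7 are blank and that a 3154 must sit inside a -UPD TABLE ... -END group are assumptions.

```python
# Added example (not vendor code): lint 3154 TABLE transactions in a DDUPDATE deck.
# Column positions (1-based) and valid codes come from the 3154 table on this page.
TYPE_CODES = {"B": "BASIC", " ": None}          # B(BASIC) as shown in the CXX report
METHOD_CODES = {"A": "AES128", "B": "AES192", "C": "AES256", " ": None}

def parse_3154(line):
    """Return (encryption_type, method, errors) for one 3154 transaction line."""
    card = line.rstrip("\r\n").ljust(8)         # a short card has blank trailing columns
    errors = []
    if card[0:4] != "3154":
        errors.append("positions 1-4 must contain 3154")
    type_code, method_code = card[5], card[7]   # positions 6 and 8
    if type_code not in TYPE_CODES:
        errors.append(f"position 6: invalid Encryption Type Code {type_code!r}")
    if method_code not in METHOD_CODES:
        errors.append(f"position 8: invalid Encryption Method Code {method_code!r}")
    # Assumption: positions 5 and 7 are blank separators. A shifted card would
    # otherwise parse as blank/blank, which is the documented default of "none".
    if card[4] != " " or card[6] != " ":
        errors.append("positions 5 and 7 should be blank (card misaligned?)")
    return TYPE_CODES.get(type_code), METHOD_CODES.get(method_code), errors

def lint_deck(deck):
    """List every 3154 line with the -UPD TABLE header it falls under."""
    findings, table = [], None
    for lineno, line in enumerate(deck.splitlines(), start=1):
        if line.startswith("-UPD TABLE,"):
            table = line.split(",", 1)[1].strip()
        elif line.startswith("-"):              # -END or any other header closes the group
            table = None
        elif line.startswith("3154"):
            enc_type, method, errors = parse_3154(line)
            if table is None:
                # Assumption: a 3154 must sit between -UPD TABLE and its -END.
                errors.append("3154 is outside a -UPD TABLE ... -END group")
            findings.append({"line": lineno, "table": table, "type": enc_type,
                             "method": method, "errors": errors})
    return findings

# Constructed sample deck; the table names are placeholders.
SAMPLE_DECK = "\n".join([
    "-UPD TABLE,TABLEAAA(PROD)", "3154 B C", "-END",            # well formed
    "-UPD TABLE,TABLEBBB(PROD)", "3154  B C", "-END",           # shifted one column
    "-UPD TABLE,TABLECCC(PROD)", "-END", "3154 B D", "-END",    # stray -END, bad code
])

if __name__ == "__main__":
    for finding in lint_deck(SAMPLE_DECK):
        print(finding)
```

Any finding with a non-empty errors list, or with type and method both None, deserves a second look before the deck is submitted.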