Installing Powertech Encryption for IBM i 

These instructions describe how to install Powertech Encryption for IBM i.

Before You Begin

Read this section before you install Powertech Encryption for IBM i.

System Requirements

Powertech Encryption requires the following:

  • IBM i version 7.2 or higher
  • PTFs:
    • IBM i 7.2:
      • MF64712
      • SI73247
    • IBM i 7.3:
      • MF64713
      • SI72668
    • IBM i 7.4:
      • SI74025
  • 75 MB of disk space

System Values

It is Powertech’s goal not to change system values on customer systems because we recognize that security-conscious organizations have rigorous change control processes in place for even small changes to system values. Therefore, we ask you to make any system value changes that are needed. However, the Powertech Encryption for IBM i installation process could change a system value to allow the install to proceed if a system value is not set as specified below. If the Installation Wizard changes a system value during install, it changes it back to its original value when the install completes.

To install Powertech Encryption for IBM i on your system, the following system values that control object restores must be configured as shown.

  • Set QALWOBJRST to *ALWPGMADP (at a minimum) to allow the system to restore programs that adopt authority. Many Powertech Encryption for IBM i programs adopt the authority of the product owner, rather than forcing you to give authority directly to administrators and end users. (Note: For some system configurations, *ALL is required temporarily.)
  • QALWUSRDMN controls which libraries on the system can contain certain types of user domain objects. You should set the system value to *ALL or include the name of the Powertech Encryption for IBM i product library (PTABLIB and QTEMP as a minimum) for the product to function properly.
  • Set QVFYOBJRST to 1, 2, or 3. This allows Powertech Encryption for IBM i to restore all objects regardless of their signature. (Note: If you normally check signatures, remember to check this system value after the Powertech Encryption install process completes.)
  • Set QFRCCVNRST (Force conversion on restore) to 0. Do not convert anything.
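The settings above can be checked from a CL program before the installer is run, and again afterwards to confirm that any value the wizard changed has been put back. This is an added example, not Powertech code; the variable names and message texts are assumptions chosen for illustration.

```cl
/* Added example, not vendor code: compare the restore-related      */
/* system values with the prerequisites listed above.               */
PGM
  DCL VAR(&ALWRST) TYPE(*CHAR) LEN(150) /* QALWOBJRST value list    */
  DCL VAR(&USRDMN) TYPE(*CHAR) LEN(500) /* QALWUSRDMN library list  */
  DCL VAR(&VFYRST) TYPE(*CHAR) LEN(1)   /* QVFYOBJRST               */
  DCL VAR(&FRCCVN) TYPE(*CHAR) LEN(1)   /* QFRCCVNRST               */
  DCL VAR(&OK)     TYPE(*LGL)  VALUE('1')

  RTVSYSVAL SYSVAL(QALWOBJRST) RTNVAR(&ALWRST)
  RTVSYSVAL SYSVAL(QALWUSRDMN) RTNVAR(&USRDMN)
  RTVSYSVAL SYSVAL(QVFYOBJRST) RTNVAR(&VFYRST)
  RTVSYSVAL SYSVAL(QFRCCVNRST) RTNVAR(&FRCCVN)

  /* Adopting programs restore only with *ALL or *ALWPGMADP */
  IF COND((%SCAN('*ALL' &ALWRST) *EQ 0) *AND +
          (%SCAN('*ALWPGMADP' &ALWRST) *EQ 0)) THEN(DO)
    SNDPGMMSG MSG('QALWOBJRST: *ALWPGMADP is not allowed')
    CHGVAR VAR(&OK) VALUE('0')
  ENDDO

  /* A library list is not judged here; ask for a manual review */
  IF COND(%SCAN('*ALL' &USRDMN) *EQ 0) THEN(DO)
    SNDPGMMSG MSG('QALWUSRDMN is a list: review it with DSPSYSVAL')
    CHGVAR VAR(&OK) VALUE('0')
  ENDDO

  /* The install needs signature verification at level 1, 2 or 3 */
  IF COND((&VFYRST *NE '1') *AND (&VFYRST *NE '2') *AND +
          (&VFYRST *NE '3')) THEN(DO)
    SNDPGMMSG MSG('QVFYOBJRST is' *BCAT &VFYRST *BCAT '- need 1, 2 or 3')
    CHGVAR VAR(&OK) VALUE('0')
  ENDDO

  /* Force conversion on restore must be off */
  IF COND(&FRCCVN *NE '0') THEN(DO)
    SNDPGMMSG MSG('QFRCCVNRST is' *BCAT &FRCCVN *BCAT '- need 0')
    CHGVAR VAR(&OK) VALUE('0')
  ENDDO

  IF COND(&OK) THEN(SNDPGMMSG +
    MSG('Restore system values match the install prerequisites'))
ENDPGM
```

When the QALWUSRDMN message appears, compare the displayed list with the libraries named in the bullet above. If you normally verify object signatures, note the QVFYOBJRST value before the install so you can confirm it afterwards.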

Pre-Installation Notes

Components Installed:

The Powertech Encryption for IBM i software restores a library, CRYPTO, onto the IBM i. After the installation, the software (objects) will be contained in the library named CRYPTO. Two authorization lists are also created: PCRADMIN and PCRREPORT.

Product Updates

Please read this section if you are updating from a prior release of Powertech Encryption for IBM i.

HelpSystems recommends all customers update Powertech Encryption for IBM i software on a test system before updating production systems to ensure data is accessible and that applications run correctly.

Always back up Powertech Encryption and encrypted data prior to update.

WARNING: Before you update, make sure there are no jobs encrypting or decrypting data.

New Product License Keys (when upgrading from a version prior to 3.0 or to a version after 3.58)

New product license key(s) are required when upgrading from a version prior to 3.0 or for the first update after the update to 3.58 or higher. Please contact HelpSystems at keys@helpsystems.com to request new product license keys. Failure to do so will cause the product to stop functioning.

Check for Locks

Before upgrading, if you have CRYPTO in the System Library List, there will be many locks on the CRYPTO library. This is okay if you are using Crypto for native object encryption (files in libraries) only.

If you are using IFS Encryption, make sure there are no locks on the CRPFIFS, CRPFIFS2 and CRPFIFSLOG files in the CRYPTO library. If locks are present, wait until off-hours or a maintenance window to put the system in a restricted state before upgrading in order to release the locks and run the update.

Retention of User Data

WARNING: Do not delete the existing Powertech Encryption for IBM i library, CRYPTO, before upgrading; otherwise, user-defined data in the library will be lost.

If you already have a permanent license key to Powertech Encryption for IBM i, this license key will be retained during the update. After version 3.58 a new license key format is used.

The following user-defined data will be retained through the Powertech Encryption for IBM i update:

  • External Key Managers
  • Key Policy settings
  • Security Alert settings
  • Key Officer entries
  • Master Encryption Keys
  • Key Stores
  • IFS Encryption Registry Entries (if used)
  • Field Encryption Registry entries
  • External files used to store encrypted field values (if applicable)

During the installation process, a copy of the existing user-defined data will be saved into a library called CRYPTxxxxx, where xxxxx is a sequential number starting with 00001. This library will only be needed if an update fails, in which case you should contact HelpSystems.

Installing Powertech Encryption for IBM i

Follow these instructions to install/update Powertech Encryption for IBM i.

Ensure the following servers are available and running prior to installation or updating:

  • FTP Server
  • Remote Command Server

Stop any replication of the Crypto library prior to updating.

Do the following to perform the installation or update:

  1. Download the Powertech Encryption for IBM i installer (setupEncryption3.exe) from the Powertech Encryption for IBM i download page. (The "Trial" download is the full product, which can be unlocked with a valid License Key).
  2. On the Choose Components panel, select which components you want to install. You can choose to install the Manuals and the Software for IBM i. Click Next.
  3. If you are only installing the Manuals, the process completes and the installer closes. The Manuals have been installed. You can skip the rest of these steps. Note: The manuals are installed to the following location: C:\Program Files\PowerTech\Encryption\manuals
  4. On the IBM i Details panel:
    1. Select or enter the IBM i where you want to load Powertech Encryption for IBM i.
    2. Enter the name and password of a user profile that is a member of the user class *SECOFR and has at least the following special authorities: *ALLOBJ, *SECADM, *JOBCTL, *IOSYSCFG, *AUDIT, and *SERVICE. The user profile should have Limit capabilities set to *NO. This profile will be used to restore and copy objects, and for product maintenance on the IBM i.
    3. (Optional) In the Advanced Settings section:
      • Enter a port number or use the arrows if you want to change the FTP port number to something other than the default of 21.
      • Select Secure File Transfer if you want to use FTPS (FTP over SSL) during the file transfer. The default FTPS secure port is 990, but it can be changed to the required secure port for your environment.
      • In the Timeout (seconds) field, enter the number of seconds the session should be kept active during an FTP transfer. You can choose anywhere between 25 and 1800 seconds (30 minutes). Note: If the transfer takes longer than the amount of time specified, the session will expire.
    4. Click Next.
  5. You have two options on the Product Load Options panel:
    1. Click Immediate Load if you’d like to load the product on the IBM i now.
    2. Click Staged Load if you’d like to transfer the objects now and load them on the IBM i at a later time. Note: See "Loading Staged Objects on the IBM i" (below) for instructions on how to load the staged objects on your selected IBM i system.
    3. When the processing is complete, you have two choices:
      • If this is the only installation or update of Powertech Encryption for IBM i that you're doing, click Finish.
      • If you have installs or updates to do on other IBM i systems, click Restart. Then, return to step 4.
      • To verify that Powertech Encryption for IBM i installed successfully, enter the following command to display the Powertech Encryption for IBM i window, which shows the release and modification level of the product:

        GO CRYPTO/CRYPTO

Loading Staged Objects on the IBM i

If you chose to stage your objects during step 5b of the installation or update process, do the following to manually load them on the IBM i you identified above.

  1. On the IBM i, execute the following command to display the Work with Loads panel:

    HSLOADMGR/HSWRKLOAD

  2. Enter option 1, Load, next to the Load Name for Powertech Encryption for IBM i and press Enter.

Objects Installed on System

The installed CRYPTO library (and the objects contained in the library) will initially provide authorities to the following users:

QPGMR: *ALL authority

*PUBLIC: *USE authority

If you would like to assign different authorities for the CRYPTO library and objects, use the CHGOBJOWN, RVKOBJAUT and GRTOBJAUT commands to make those changes. It is highly recommended not to give *PUBLIC any additional authorities (beyond *USE) to the programs and commands in the CRYPTO library.

After You Are Done

Congratulations! Powertech Encryption for IBM i is now installed. Read the following for additional information and next steps.

Licensing

After Powertech Encryption for IBM i has been installed, the next step is to add your license key to the product. Configuration of the product may then begin. Use the command GO CRYPTO/CRYPTO, take menu option 10 for Product Information, then 1 for License Setup.

NOTE: The Powertech Encryption for IBM i User Guide can be found at Powertech Product Manuals.

Contacting Us

For additional resources, or to contact Technical Support, visit the HelpSystems Community Portal at https://community.helpsystems.com.