Activate Field Entries (ACTFILFLDE)

The Activate File Fields Encryption (ACTFILFLDE) command activates all *INACTIVE entries in the Field Encryption Registry that belong to the specified file and use Field Procedures.

It is strongly recommended to submit this command to batch.

The following users can use this command:

  • QSECOFR user profile (unless excluded in the Key Officer settings)
  • A user profile with *SECADM authority (unless excluded in the Key Officer settings)
  • A Key Officer who has *YES specified for the "Maintain Field Enc. Registry" authority setting

This command requires that you have *CHANGE authority to the CRVL002 Validation List (*VLDL) object which contains the Field Encryption Registry.

IMPORTANT: Before using the ACTFLDENC command to encrypt production data, do the following steps:
  1. Make sure you have *ALL authority to the database file containing the field to encrypt.
  2. Within a test environment, you should have tested ACTFILFLDE, tested any API calls needed for encryption/decryption and tested your applications thoroughly with encrypted values.
  3. No applications or users should be currently using the database file containing the field to encrypt.
  4. The ACTFILFLDE command will perform a mass encryption of the current field values. You should allocate enough downtime for the ACTFILFLDE to execute. Execution times will vary depending on the processor speed of your system, the number of records in your database file, and other activity running on the system at the time. In order to estimate the execution time for ACTFILFLDE, you should run the ACTFILFLDE command over some test data first.
  5. Check (and double check) the field entry settings using the DSPFLDENC command. In particular, make sure the database file name, field name, type and length are correct.
    IMPORTANT: When activating a field using a DB2 Field Procedure, and if there are already other DB2 Field Procedures on the file, then you should have at least *USE authority to the 'Full' Authorization Lists assigned to those other fields, as well as at least *USE authority to the Key Stores that contain the encryption and decryption Keys used by those fields. This is because IBM's ALTER TABLE statement (used in the activation process) runs the decrypt/encrypt processes for all fields that have a DB2 Field Procedure. Failure to have proper authorities will cause loss of data.

The ACTFILFLDE command performs the following primary steps:

  1. Obtains an exclusive (*EXCL) lock on the database file containing the field to encrypt.
  2. Optional: Creates a backup of the database file (containing the field to encrypt) into a Save file named BACKUPxxxxx, where xxxxx is a sequential number from 1 to 99999.
  3. Performs a mass encryption of the current field values in the database file. If a DB2 Field Procedure is specified for the field, then it will be added to the field at that time.
  4. The exclusive lock will be released on the database file containing the encrypted field.
  5. The status of the field entries will be changed to *ACTIVE.
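
The authority and lock requirements above can be checked before the command is submitted to batch. The following CL program is an added example, not part of the product documentation. It assumes a file APPLIB/CUSTMAST and job name ACTFLD (constructed placeholders), and that the CRVL002 validation list and the ACTFILFLDE command are found through the library list.

```cl
/* Added example: pre-flight checks, then submit ACTFILFLDE to batch.  */
/* APPLIB, CUSTMAST and ACTFLD are constructed placeholder names.      */
/* Assumes CRVL002 and ACTFILFLDE are found through the library list.  */
PGM
  DCL VAR(&LIB)  TYPE(*CHAR) LEN(10) VALUE('APPLIB')
  DCL VAR(&FILE) TYPE(*CHAR) LEN(10) VALUE('CUSTMAST')

  /* *ALL authority to the database file is required */
  CHKOBJ OBJ(&LIB/&FILE) OBJTYPE(*FILE) AUT(*ALL)
  MONMSG MSGID(CPF9801 CPF9802 CPF9810) EXEC(DO)
    SNDPGMMSG MSG('File not found or *ALL authority missing')
    RETURN
  ENDDO

  /* *CHANGE authority to the Field Encryption Registry (CRVL002) */
  CHKOBJ OBJ(*LIBL/CRVL002) OBJTYPE(*VLDL) AUT(*CHANGE)
  MONMSG MSGID(CPF9801 CPF9802) EXEC(DO)
    SNDPGMMSG MSG('CRVL002 not found or *CHANGE authority missing')
    RETURN
  ENDDO

  /* Probe: can an *EXCL lock be obtained right now? With WAIT(0)   */
  /* the request fails at once if another job has the file in use.  */
  ALCOBJ OBJ((&LIB/&FILE *FILE *EXCL)) WAIT(0)
  MONMSG MSGID(CPF1002 CPF1085) EXEC(DO)
    SNDPGMMSG MSG('File is in use; activation not submitted')
    RETURN
  ENDDO
  /* Release the probe lock so the batch job can take its own lock */
  DLCOBJ OBJ((&LIB/&FILE *FILE *EXCL))

  /* Submit to batch; SAVDTA(*YES) saves the file to BACKUPxxxxx first */
  SBMJOB CMD(ACTFILFLDE ACTFILE(&LIB/&FILE) SAVDTA(*YES)) JOB(ACTFLD)
ENDPGM
```

The lock probe only shows that the file is free at the moment of the check; applications must still be kept off the file until the batch job has finished.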

How to Get There

On the File Field Encryption Menu, choose option 3, Activate File Encryption Entry(s).

Options

Activate file name (ACTFILE)

Specify the name of the file that contains the field(s) to activate.

The possible values are:

file-name The name of the file that contains the field(s) to activate.

The possible library values are:

library-name Enter the name of the library where the file is located.
*LIBL Locate the file within the library list.

Save database file (SAVDTA)

Indicate if the database file (containing the field to encrypt) should be saved (backed up) into a Save File before the activation process begins. It is highly recommended to save the database file for error recovery purposes.

The possible values are:

*YES Save the database file into a Save File before activation begins.
NOTE:  
  • The created Save File will be named BACKUPxxxxx, where xxxxx is a sequential number from 1 to 99999.
  • Before using this option, ensure that enough disk space is available for a saved copy of the database file.
*NO Do not save the database file before the activation process begins.