Configuring Multiple Production Environments

Your organization may store production data for multiple companies or divisions on the same system.  For each company or division, a unique library (otherwise called an “environment”) may have been created to store the production data for that company or division.  The user’s library list is most likely used to control which environment’s library is accessed.

You can establish different Powertech Encryption for IBM i configurations for each environment by placing certain product-specific objects into those environment libraries.   Review the following scenarios to learn more.

Environment Scenario #1

In this scenario, your organization may want to have a different Field Encryption Registry for each environment on the system.  Your organization may also want to share Powertech Encryption for IBM i’s Key Policy settings, Key Officers, Master Keys, Security Alerts and Key Stores across all of those environments. 

Follow the steps below to implement this scenario:

  1. Make sure that no applications are currently using any Powertech Encryption for IBM i programs or functions. 
  2. The Field Encryption Registry (contained in the CRVL002 object) cannot be in the CRYPTO library when multiple environments are needed. Therefore, set up the first environment by moving the CRVL002 object from the CRYPTO product library into that environment’s library using the command below:
> MOVOBJ OBJ(CRYPTO/CRVL002) OBJTYPE(*VLDL) TOLIB(datalib1)
  1. For each additional environment, you will need to create the Field Encryption Registry (CRVL002 object) into that environment’s library using the command below:
> CRTVLDL VLDL(datalib2/CRVL002) TEXT(‘Field Encryption Registry’)
  1. If the physical file option is used to store the last index numbers [LSTINDSTG(*PF) parm on the Registry], then the physical file (named CRPF002) cannot be in the CRYPTO library when multiple environments are needed. Follow these steps to set up CRPF002:
    1. Set up the first environment by moving the CRPF002 file from the CRYPTO product library into that environment’s library using this command:  
    > MOVOBJ OBJ(CRYPTO/CRPF002) OBJTYPE(*FILE) TOLIB(datalib1)
    1. For each additional environment, you will need to create the CRPF002 physical file (for storing the last index numbers) into that environment’s library using the command below:
    > CRTPF FILE(datalib2/CRPF002) SRCFILE(CRYPTO/QDDSSRC)

Then follow the steps below to configure the Field Encryption Registry for each environment:

TIP: If the field ID has an *INACTIVE status, then you can use the CPYFLDENC command to copy field entries from one production Field Encryption Registry to another.
  1. Place the environment’s library at the top of the library list:
    > ADDLIBLE LIB(datalib1) POSITION(*FIRST)
  2. Configure the Field Encryption Registry for the environment:
    > CRYPTO/WRKFLDENC 

The Powertech Encryption for IBM i Field Encryption Registries are now ready for use in the environments.  Be sure to place the appropriate environment library in the user’s library list in order to use that environment’s corresponding Field Encryption Registry.

Environment Scenario #2

In this scenario, your organization may not want to share any Powertech Encryption for IBM i keys or configurations between any environments.  In other words, your organization may want to have different Key Policy settings, Key Officers, Master Keys, Security Alerts, Key Stores and Field Encryption Registries for each environment on the system.   

Follow the steps below to implement this scenario:

  1. Make sure that no applications are currently using any Powertech Encryption for IBM i programs or functions. 
  2. Certain objects cannot remain in the CRYPTO library for this scenario.  Therefore, set up the first environment by moving Powertech Encryption for IBM i’s Key Policies, Key Officers and Master Keys (contained in the CRVL001 object), the Field Encryption Registry (contained in the CRVL002 object) and the CRPF002 physical file (for storing the last index numbers used) from the CRYPTO product library into that environment’s library using the commands below:
> MOVOBJ OBJ(CRYPTO/CRVL001) OBJTYPE(*VLDL) TOLIB(datalib1)
> MOVOBJ OBJ(CRYPTO/CRVL002) OBJTYPE(*VLDL) TOLIB(datalib1)
> MOVOBJ OBJ(CRYPTO/CRPF002) OBJTYPE(*FILE) TOLIB(datalib1)
  1. For each additional environment, you will need to create the CRVL001, CRVL002 and CRPF002 objects into that environment’s library by using the commands below:
> CRTVLDL VLDL(datalib2/CRVL001) TEXT(‘Settings and Master Keys')
> CRTVLDL VLDL(datalib2/CRVL002) TEXT(‘Field Encryption Registry’)
> CRTPF FILE(datalib2/CRPF002) SRCFILE(CRYPTO/QDDSSRC)

Then follow the steps below to configure the Key Policy settings, Key Officers, Master Keys, Security Alerts, Key Stores and Field Encryption Registries for each environment:

  1. Place the environment’s library at the top of the library list.  Example:
    > ADDLIBLE LIB(datalib1) POSITION(*FIRST)
  2. Set the Key Policy settings for the environment.
    > CRYPTO/CHGKEYPCY  (press F4 to prompt)
  3. Establish the Key Officers for the environment.
    > CRYPTO/WRKKEYOFR
  4. Load the Master Key passphrases for the environment. Example:
    > CRYPTO/LODMSTKEY MEKID(1) MEKPRT(?) PASSPHRASE(??)
  5. Set the Master Key for the environment. Example:
    > CRYPTO/SETMSTKEY MEKID(1)
  6. Create a Key Store for the environment.  Example:
    > CRYPTO/CRTKEYSTR KEYSTR(datalib1/KEYSTR) MEKID(1) TEXT(‘Key Store’)
  7. Set up the Data Encryption Keys in the new Key Store. Example:
    > CRYPTO/WRKSYMKEY KEYSTR(datalib1/KEYSTR)
  8. Configure the Security Alerts for the Environment.
    > CRYPTO/WRKCCALR 

The Powertech Encryption for IBM i keys and configurations are now ready for use for each environment.  Be sure to place the appropriate environment library in the user’s library list in order to use that environment’s corresponding keys and configurations.