Deactivate IFS Encryption (DCTIFSENC)

The Deactivate IFS Encryption (DCTIFSENC) command allows authorized users to deactivate an *ACTIVE entry in the IFS Encryption Registry.

It is strongly recommended to submit this command to batch.

The following users can use this command:

  • QSECOFR user profile (unless excluded in the Key Officer settings)
  • A user profile with *SECADM authority (unless excluded in the Key Officer settings)
  • A Key Officer who has *YES specified for the "Maintain IFS Enc. Registry" authority setting

IMPORTANT: The following specific authorities are required for users running this command:
  • *RWX data authority and *ALL object authority to the directories and files in the Source and Target that are to be decrypted.

  • *CHANGE authority to the CRVL003 (Validation List object which contains the IFS Encryption Registry), CRPFIFS, CRPFIFSL1, CRPFIFSL2, CRPFIFSL3, CRPFIFSL4, CRPFIFS2 and CRPFIFSLOG files, which will be updated during this process.

  • *USE authority to the Authorization List, Keys and Keystore that are assigned to this entry.

WARNING: Before using the DCTIFSENC command to decrypt production data, do the following steps:
  1. Make sure you have *ALL authority to the Source and Target directories containing the IFS files to decrypt.
  2. Make sure you have at least *USE authority to the Key Store(s) which hold the Data Encryption Keys (DEKs) that will be used to decrypt the data.  You can use the WRKIFSKEY command to find out which Key Store(s) and DEKs are used to decrypt the IFS values.  If you created any of these DEKs yourself, you are considered the owner of those DEK(s), and the “DEK decrypt usage by owner” setting (viewable in the DSPKEYPCY command) must be *YES.
  3. Make sure you have at least *USE authority to the Authorization List used to allow for decryption of the data.
  4. Within a test environment, you should have tested DCTIFSENC and tested your applications thoroughly with decrypted values.
  5. No applications or users should be currently using the directory containing the IFS files to decrypt.
  6. The DCTIFSENC command will perform a mass decryption of the current IFS files.  You should allocate enough downtime for DCTIFSENC to execute.  Execution times will vary depending on the processor speed of your system, the number of files, and other activity running on the system at the time.  To estimate the execution time for DCTIFSENC, run the command over some test data first.

The DCTIFSENC command performs the following primary steps:

  1. Optional: Creates a backup of the IFS directory containing the source files (and its subdirectories if INCSUBDIR is *YES) into a Save file named BACKUPxxxxx, where xxxxx is a sequential number from 1 to 99999.
  2. Optional: Creates a backup of the IFS directory containing the encrypted files (and its subdirectories if INCSUBDIR is *YES) into a Save file named BACKUPxxxxx, where xxxxx is a sequential number from 1 to 99999.
  3. Journaling will be stopped for the directories.
  4. Performs a mass decryption of the IFS files in the directories.
  5. The status of the IFS registry entry will be changed to *INACTIVE.

How to Get There

From the IFS Encryption Menu, choose option 11. Or, prompt (F4) the command CRYPTO/DCTIFSENC.

Options

IFS identifier (IFSID)

Specify the IFS identifier to deactivate.

Save database file (SAVDTA)

Indicate if the directory(s) containing the source files and the target directory(s) containing the encrypted files should be saved (backed up) into a Save File before the deactivation process begins. It is highly recommended to save the files for error recovery purposes. The source files and the target (encrypted files) will be saved into two different backup files.

The possible values are:

*YES Save the IFS files into a Save File before deactivation begins.
NOTE:
  • The created Save Files will be named BACKUPxxxxx, where xxxxx is a sequential number from 1 to 99999. The backup files will be placed in the CRYPTO library.
  • Before using this option, ensure that enough disk space is available for a saved copy of the files.
*NO Do not save the files before the deactivation process begins.
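
The following CL program is an added example, not vendor code. It checks the *CHANGE authority requirement on the registry objects listed above and then submits DCTIFSENC to batch with a backup. Assumptions: the registry objects are in the CRYPTO library, the IFSID parameter length of 30, and the names PREDCT and FAILED are illustrative; authority to the directories, Key Stores and Authorization List must still be verified separately.

```cl
/* PREDCT: added pre-flight example, not part of the product.         */
/* Assumptions: registry objects are in library CRYPTO; the length of */
/* &IFSID is illustrative and should match the command's IFSID parm.  */
PGM        PARM(&IFSID)
  DCL      VAR(&IFSID) TYPE(*CHAR) LEN(30)

  /* Any CPF98xx escape from CHKOBJ (object not found, not            */
  /* authorized, library not found) stops before anything is changed. */
  MONMSG   MSGID(CPF9800) EXEC(GOTO CMDLBL(FAILED))

  /* *CHANGE authority to the validation list holding the registry.   */
  CHKOBJ   OBJ(CRYPTO/CRVL003)    OBJTYPE(*VLDL) AUT(*CHANGE)

  /* *CHANGE authority to the files updated during deactivation.      */
  CHKOBJ   OBJ(CRYPTO/CRPFIFS)    OBJTYPE(*FILE) AUT(*CHANGE)
  CHKOBJ   OBJ(CRYPTO/CRPFIFSL1)  OBJTYPE(*FILE) AUT(*CHANGE)
  CHKOBJ   OBJ(CRYPTO/CRPFIFSL2)  OBJTYPE(*FILE) AUT(*CHANGE)
  CHKOBJ   OBJ(CRYPTO/CRPFIFSL3)  OBJTYPE(*FILE) AUT(*CHANGE)
  CHKOBJ   OBJ(CRYPTO/CRPFIFSL4)  OBJTYPE(*FILE) AUT(*CHANGE)
  CHKOBJ   OBJ(CRYPTO/CRPFIFS2)   OBJTYPE(*FILE) AUT(*CHANGE)
  CHKOBJ   OBJ(CRYPTO/CRPFIFSLOG) OBJTYPE(*FILE) AUT(*CHANGE)

  /* Submit to batch, as recommended, and keep a backup for recovery. */
  /* The batch job runs under the same user profile that passed the   */
  /* checks above (SBMJOB default USER(*CURRENT)).                    */
  SBMJOB   CMD(CRYPTO/DCTIFSENC IFSID(&IFSID) SAVDTA(*YES)) +
             JOB(DCTIFSENC)
  RETURN

FAILED:
  /* Re-signal as an escape message; the CHKOBJ diagnostic naming the */
  /* failing object is in the job log.                                */
  SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
               MSGDTA('DCTIFSENC pre-flight failed, see job log') +
               MSGTYPE(*ESCAPE)
ENDPGM
```

Run the program under the profile that will own the batch job, since CHKOBJ tests the authority of the current user.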