Encrypt IFS Stream File (ENCSTMF)

The ENCSTMF command allows authorized users to encrypt IFS stream files to a device (physical or virtual) or to the IFS. Encryption algorithms provided are AES128, AES192 and AES256. Either a Symmetric Key or a Password can be specified for the encryption.

Monitoring for Errors

When executing the ENCSTMF command within a CL program, you can trap for errors by monitoring for message id CRE0700.                      
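The following CL program is an added example, not code from the product documentation. It calls ENCSTMF to encrypt the stream files in a directory into one .aes stream file using a Symmetric Key, and it monitors for CRE0700 so that a failed encryption is surfaced to the caller instead of being ignored. The program name ENCPAY, the two paths, the key label PAYROLLKEY and the key store PAYKEYS in library PAYLIB are assumed names, and the program assumes the Powertech Encryption product library is on the job's library list so the ENCSTMF command resolves.

```cl
             PGM        PARM(&SRCPATH &OUTPATH)

             /* Source path (name or pattern) and destination stream   */
             /* file are passed by the caller, for example:            */
             /*   CALL ENCPAY ('/ABCcompany/Files/Payroll/*'           */
             /*                '/ABCcompany/Files/Payroll.aes')        */
             /* (paths are constructed for this example)               */
             DCL        VAR(&SRCPATH) TYPE(*CHAR) LEN(256)
             DCL        VAR(&OUTPATH) TYPE(*CHAR) LEN(256)
             DCL        VAR(&MSGID)   TYPE(*CHAR) LEN(7)
             DCL        VAR(&MSGTXT)  TYPE(*CHAR) LEN(256)
             DCL        VAR(&ERRTXT)  TYPE(*CHAR) LEN(300)

             /* Encrypt with AES-256 using Symmetric Key PAYROLLKEY in  */
             /* key store PAYKEYS/PAYLIB (assumed names).               */
             /* STRKEYINF(*YES) records the key label and key store in  */
             /* the output, so the decrypting job need not be told      */
             /* which key was used. PRECHK(*YES) ends the operation     */
             /* before any data is written if an object is missing,     */
             /* damaged, locked or not authorized.                      */
             ENCSTMF    OBJ((&SRCPATH *INCLUDE)) +
                        SUBTREE(*NONE) +
                        TOTYPE(*STMF) TOSTMF(&OUTPATH) +
                        ALGORITHM(*AES256) COMPRESS(*NO) +
                        USEKEYPAS(*KEY) KEYLABEL('PAYROLLKEY') +
                        KEYSTR(PAYKEYS PAYLIB) STRKEYINF(*YES) +
                        PRECHK(*YES) SAVACT(*NO)

             /* CRE0700 is the escape message ENCSTMF sends on failure. */
             /* Pick up its text and re-signal it as an escape so the   */
             /* caller and the job log show why the encryption failed.  */
             MONMSG     MSGID(CRE0700) EXEC(DO)
                RCVMSG     MSGTYPE(*EXCP) RMV(*NO) MSGID(&MSGID) +
                           MSG(&MSGTXT)
                CHGVAR     VAR(&ERRTXT) +
                           VALUE('ENCSTMF failed:' *BCAT &MSGID +
                                 *BCAT '-' *BCAT &MSGTXT)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                           MSGDTA(&ERRTXT) MSGTYPE(*ESCAPE)
             ENDDO

             ENDPGM
```

With USEKEYPAS(*PASS), the KEYLABEL and KEYSTR parameters would be replaced by PASSWORD; the key store form is used here because, as described under Auditing, it is the use of a Symmetric Key that produces the journal entry naming the key, the user and the job.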

Auditing

If a Symmetric Key is used for the ENCSTMF command and “Log encryption usage” is enabled for the Symmetric Key, then an audit log entry will be generated in the Powertech Encryption for IBM i journal file each time the Key is used for encryption. Each audit entry will indicate the Label and Key Store of the Symmetric Key which was used, along with the user, date, time, job number and job name.    

How to Get There

On the Library/Object/File Encryption Menu, choose option 5.

Options

Object (OBJ)

Specifies the objects to be saved. You can specify an object name pattern for the path name to be used. When a path name is specified that could match many objects, you can specify a value for the Name pattern (PATTERN) parameter to subset the objects that are to be saved.

A maximum of 25 path names can be specified.

Element 1: Name

The possible values are:

'*' The objects in the current directory are saved.
path-name Specify an object path name or a pattern that can match many names.

Element 2: Include or omit

Specifies whether names that match the pattern should be included or omitted from the operation. Note that in determining whether a name matches a pattern, relative name patterns are always treated as relative to the current working directory.

NOTE: The SUBTREE parameter determines whether the subtrees are included or omitted.

The possible values are:

*INCLUDE The objects that match the object name pattern are to be saved, unless overridden by an *OMIT specification.
*OMIT The objects that match the object name pattern are not saved. This overrides an *INCLUDE specification and is intended to be used to omit a subset of a previously selected pattern.

Name pattern (PATTERN)

Specifies one or more object name patterns to be used to subset the objects to be saved. The Objects (OBJ) parameter defines the set of candidate objects. A maximum of 25 values can be specified for this parameter.

Element 1: Pattern

The possible values are:

'*' All objects which qualify for the operation are included or omitted.
character-value Specify an object name or a pattern that can match many names.

Element 2: Include or omit

Specifies whether names that match the pattern should be included or omitted from the operation.

The possible values are:

*INCLUDE Only objects that are included by the OBJ parameter and that match the PATTERN parameter are included in the save, unless overridden by an *OMIT specification.

*OMIT All objects which are included by the OBJ parameter are included in the save except those objects which match the PATTERN parameter. This overrides an *INCLUDE specification and is intended to be used to omit a subset of a previously selected pattern.

Directory subtree (SUBTREE)

Specifies whether directory subtrees are included in the restore operation.

The possible values are:

*ALL The entire subtree of each directory that matches the object name pattern is processed. The subtree includes all subdirectories and the objects within those subdirectories.

*DIR The objects in the first level of each directory that matches the object name pattern are processed. The subdirectories of each matching directory are included, but the objects in the subdirectories are not included.

*NONE No subtrees are included in the restore operation. If a directory matches the object name pattern specified, the objects in the directory are included. If the directory has subdirectories, neither the subdirectories nor the objects in the subdirectories are included.

*OBJ Only the objects that match the object name pattern will be processed. If the object name pattern specifies a directory, objects in the directory are not included.

*STG The objects that match the object name pattern are processed along with the storage for related objects. Objects can only be restored using this value if they were saved with SUBTREE(*STG).

To type (TOTYPE)

Indicate where to write the encrypted data.

The possible values are:

*STMF Write the encrypted data into an IFS stream file.
*DEV Write the encrypted data to a tape device.

To stream file (TOSTMF)

Specify the path to the stream (IFS) file to store the encrypted file(s).

The possible values are:

ifs-file-name

Specify the absolute IFS path to store the encrypted stream file(s). For instance: '/ABCcompany/Files/Payroll.aes'

To Device (TODEV)

Indicate the name of the device to write the encrypted data to.

Volume identifier (VOL)

Specifies the volume identifier on which the data is saved.

The possible values are:

*NONE The data is saved on the volume placed in the device.
volume-identifier Specify the identifier of the volume for the save operation.

Sequence number (SEQNBR)

Specifies the tape sequence number to store the encrypted data.

The possible values are:

*END The encrypted data will be saved after the last sequence number on the tape.
sequence-number Specify the sequence number to store the encrypted data. Valid values range from 1 through 16777215.

Label (LABEL)

Specifies the name that identifies the data file on the tape that is to be used for the save operation.

The possible values are:

data-file-identifier Specify the data file identifier of the data file used for the save operation. A maximum of 17 characters can be used.

File expiration date (EXPDATE)

Specifies the expiration date of the file created by the save operation. If a date is specified, the file is protected and cannot be overwritten until the specified expiration date. The expiration date must be later than or equal to the current date.

NOTE: Specifying this parameter does not protect against a later save operation specifying CLEAR(*ALL).

The possible values are:

*PERM The file is protected permanently.
expiration-date Specify the date when protection for the file ends.

End of media option (ENDOPT)

Specifies the operation that is automatically done on the tape after the save operation ends.

The possible values are:

*REWIND The tape is automatically rewound, but not unloaded, after the operation has ended.
*LEAVE The tape does not rewind or unload after the operation ends. It remains at the current position on the tape drive.
*UNLOAD The tape is automatically rewound and unloaded after the operation ends.

Target release (TGTRLS)
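The tape parameters above (TODEV, VOL, SEQNBR, LABEL, EXPDATE and ENDOPT) are used together. The CL program below is an added example, not code from the product documentation, showing how they combine when ENCSTMF writes to a tape device with TOTYPE(*DEV). The device name TAP01, the volume PAY001, the source directory, the key label PAYROLLKEY and the key store PAYKEYS in library PAYLIB are all assumed, as is the product library being on the library list.

```cl
             PGM

             /* Encrypt the whole payroll directory tree (constructed    */
             /* path) and write it to tape device TAP01 on volume PAY001 */
             /* (assumed names).                                         */
             /*  SEQNBR(*END)    appends after the last file on the tape */
             /*  LABEL           names the tape file (17 chars maximum)  */
             /*  EXPDATE(*PERM)  protects the file from being overwritten*/
             /*                  by a later save, except one that        */
             /*                  specifies CLEAR(*ALL)                   */
             /*  ENDOPT(*UNLOAD) rewinds and unloads the tape afterwards */
             ENCSTMF    OBJ(('/ABCcompany/Files/Payroll' *INCLUDE)) +
                        SUBTREE(*ALL) +
                        TOTYPE(*DEV) TODEV(TAP01) VOL(PAY001) +
                        SEQNBR(*END) LABEL('PAYROLL_AES') +
                        EXPDATE(*PERM) ENDOPT(*UNLOAD) +
                        ALGORITHM(*AES256) COMPRESS(*YES) +
                        USEKEYPAS(*KEY) KEYLABEL('PAYROLLKEY') +
                        KEYSTR(PAYKEYS PAYLIB) STRKEYINF(*YES) +
                        PRECHK(*YES) SAVACT(*NO)

             /* Trap the ENCSTMF failure message and escalate it; an    */
             /* unmonitored CRE0700 would otherwise end the job with    */
             /* an inquiry message.                                      */
             MONMSG     MSGID(CRE0700) EXEC(DO)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                           MSGDTA('ENCSTMF to tape TAP01 failed, +
                                   volume PAY001 not written') +
                           MSGTYPE(*ESCAPE)
             ENDDO

             ENDPGM
```

VOL(PAY001) makes the command fail rather than write if a different volume is mounted, which is the check a practitioner wants when an encrypted backup is expected to land on a specific, tracked tape.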

Specifies the release of the operating system on which you intend to restore and use the object.

When specifying the target-release value, the format VxRxMx is used to specify the release, where Vx is the version, Rx is the release, and Mx is the modification level. For example, V2R3M0 is version 2, release 3, modification level 0.

To specify that an object be saved for distribution to a system at a different release level than the system on which the save operation is to occur, the procedure differs for program or non-program objects and by the release level on which a program object is created. If, for example, you are saving an object for distribution to a target system running on an earlier release, you have the following choices:

For program objects

  • If the program object was created at a release level more current than the targeted earlier release, you must (1) create the program object again specifying the targeted earlier release, (2) save the program object specifying the targeted earlier release, and then (3) restore the program object on the target system.
  • If the program object was created at the same release level as the target system, you can (1) save the program object specifying the targeted earlier release and then (2) restore the program object on the target system.

For non-program objects

  • You can (1) save the object specifying the targeted earlier release and then (2) restore the object on the target system.

The possible values are:

*CURRENT The object is to be restored to, and used on, the release of the operating system currently running on your system. The object can also be restored to a system with any subsequent release of the operating system installed.

*PRV The object is to be restored to the previous release with modification level 0 of the operating system. The object can also be restored to a system with any subsequent release of the operating system installed.

target-release Specify the release in the format VxRxMx. The object can be restored to a system with the specified release or with any subsequent release of the operating system installed. Valid values depend on the current version, release, and modification level, and they change with each new release.

Update history (UPDHST)

Specifies whether the save history information of each saved object is changed with the date, time, and location of this save operation. The save history information for an object is displayed using the Display Object Description (DSPOBJD) command. The save history information is used to determine which journal entries are processed when RCVRNG(*LASTSAVE) and FROMENT(*LASTSAVE) are used on the Apply Journaled Changes (APYJRNCHG) command.

The possible values are:

*YES The last save date, time, and location is updated in each object saved.
*NO The save history information contained in the description of each object saved is not updated.

Object pre-check (PRECHK)

Specifies whether the save operation for a library ends if any of the following are true:

  • The objects do not exist
  • The library or the objects were previously found to be damaged
  • The library or the objects are locked by another job
  • The requester of the save operation does not have authority to the library or to save the objects.

The possible values are:

*NO The save operation for a library continues, saving only those objects that can be saved.
*YES If, after all specified objects are checked, one or more objects cannot be saved, the save operation for a library ends before any data is written. If multiple libraries are specified, the save operation continues with the next library.

Save active (SAVACT)

Specifies whether an object can be updated while it is being saved.

NOTE: If your system is in a restricted state, this parameter is ignored and the save operation is performed as if SAVACT(*NO) was specified.

The possible values are:

*NO Objects that are in use are not saved. Objects cannot be updated while being saved.
*YES Objects can be saved and used at the same time. The object checkpoints can occur at different times.
*SYNC Objects can be saved and used at the same time. All of the object checkpoints occur at the same time.

Save active option (SAVACTOPT)

Specifies options to be used with the save while active parameter.

The possible values are:

*NONE No special save while active options will be used.
*ALWCKPWRT Enables objects to be saved while they are being updated if the corresponding system attribute for the object is set.
NOTE: This option should only be used by applications to save objects that are associated with the application and that have additional backup and recovery considerations. For more information see the Backup and Recovery book, SC41-5304.

Save active message queue (SAVACTMSGQ)

Specifies the message queue that the save operation uses to notify the user that the checkpoint processing is complete. For more information on specifying path names, refer to "Object naming rules" in "CL concepts and reference" in the CL concepts and reference topic in the iSeries Information Center at http://www.ibm.com/eserver/iseries/infocenter.

The possible values are:

*NONE No notification message is sent.
*WRKSTN The notification message is sent to the work station message queue.
path-name Specify the path name of the message queue to be used.

ASP device (ASPDEV)

Specifies the name of the auxiliary storage pool (ASP) device to be included in the save operation.

The possible values are:

* The operation includes the system ASP (ASP number 1), all basic user ASPs (ASP numbers 2-32), and, if the current thread has an ASP group, all independent ASPs in the ASP group.

*SYSBAS The system ASP and all basic user ASPs are included in the save operation.
*CURASPGRP If the current thread has an ASP group, all independent ASPs in the ASP group are included in the save operation.
auxiliary-storage-pool-device-name The specified independent ASP is included in the save operation.

Algorithm (ALGORITHM)

Indicate which algorithm to use to encrypt the file. The default is *AES256.

The possible values are:

*AES128 A 128 bit key size is utilized for the encryption process. This is the fastest encryption option and the least secure.
*AES192 A 192 bit key size is utilized for the encryption process.
*AES256 A 256 bit key size is utilized for the encryption process. This is the slowest encryption option and the most secure.

Compress data (COMPRESS)

Specifies whether to compress the data during the backup. The compression option may increase the save times. This command uses the TERSE compression algorithm.

The possible values are:

*YES Compress the data.
*NO Do not compress the data.

Use key or password (USEKEYPAS)

Indicate whether to use a key from a key store or a password to encrypt the data. The default is *KEY.

The possible values are:

*KEY Use a key from a key store to encrypt the data.
*PASS Use a password to encrypt the data.

Key label (KEYLABEL)

Indicate the label of the key to use for encrypting the data.

Key store name (KEYSTR)

Indicate the object name and library of the Key Store which contains the Symmetric Key to use for encryption of the data.

The possible values are:

key-store-name Enter the name of the Key Store.
*DEFAULT Use the default Key Store name specified at the Key Policy level.

The possible library values are:

library-name Enter the name of the library where the Key Store is located.
*LIBL Locate the Key Store within the library list.

Store key information (STRKEYINF)

Indicate whether to store the key label and key store library/name in the encrypted data. This is useful because you do not have to remember which key label to use when decrypting. The default is *YES.

The possible values are:

*YES Store the key label and key store library/name in the encrypted data.
*NO Do not store the key label and key store library/name in the encrypted data.

Password (PASSWORD)

Indicate the password to use to encrypt the data.