High Availability Setup

Follow the steps below to setup Powertech Encryption for IBM i on a High Availability(HA) system and to replicate the Production settings and related user data properly.

Initial setup:

Install Powertech Encryption for IBM i onto the HA system (see Installing Powertech Encryption for IBM i).

A license key for Powertech Encryption for IBM i is required on the HA system.

Manual replication:

Powertech Encryption for IBM i’s Key Policy settings, Key Officer settings, Security Alert settings and Master Keys are stored in a Validation List (*VLDL) object named CRVL001.  This CRVL001 *VLDL object is encrypted with a Product Encryption Key (PEK), which is unique to each IBM i serial number.  Therefore, any changes to those settings on the Production system will need to be manually applied to the HA system using Powertech Encryption for IBM i’s commands and screens.

WARNING: DO NOT replicate the CRVL001 *VLDL object from the Production system to the HA system.  Settings in CRVL001 must be manually configured using Powertech Encryption for IBM i’s screens.

Follow the instructions below to manually apply those settings on the HA system:

Key Policy Settings

If Powertech Encryption for IBM i’s Key Policy settings are changed on the Production system, then those Key Policy settings need to be also changed on the HA system by following these steps:

  1. On the Production system, display the Key Policy settings using the command CRYPTO/DSPKEYPCY and record the values displayed.
  2. On the HA system, change the Key Policy settings using the command CRYPTO/CHGKEYPCY using the recorded values from the Production system.

Key Officers

If Powertech Encryption for IBM i’s Key Officers are added, changed or deleted on the Production system, then those changes need to be applied on the HA system by following these steps:

  1. On the Production system, display the Key Officer settings using the command CRYPTO/WRKKEYOFR and record the values displayed.
  2. On the HA system, configure the Key Officers by using the command CRYPTO/WRKKEYOFR using the recorded values from the Production system.

Security Alerts

If Powertech Encryption for IBM i’s Security Alerts are added, changed or deleted on the Production system, then those changes need to be applied on the HA system by following these steps:

  1. On the Production system, display the Security Alert settings using the command CRYPTO/WRKCCALR and record the values displayed.
  2. On the HA system, configure the Security Alerts by using the command CRYPTO/WRKCCALR using the recorded values from the Production system.

Master Keys

If Powertech Encryption for IBM i’s Master Keys are Set on the Production system, then those Master Keys must also be Set on the HA system by following these steps:

  1. On the HA system, enter the passphrase parts for each Master Encryption Key (MEK) using the LODMSTKEY (Load Master Key) command. These passphrase parts must be entered exactly as they were on the Production system.
  2. On the HA system, generate (set) each Master Encryption Key (MEK) using the SETMSTKEY (Set Master Key) command.

Automatic replication:

Configure your High Availability (HA) product to replicate the following objects on an ongoing basis:

  1. Your user-created Key Stores are created as Validation list (*VLDL) objects. The names (and library locations) of these *VLDL objects are those names that were specified on the CRTKEYSTR (Create Key Store) command, unless they were later moved or renamed. These *VLDL objects should be replicated by your HA product from the Production system to the HA system.
  2. Replicate the CRVL002 *VLDL object from the Production system to the HA system. This object contains the Field Encryption Registry.
  3. If you use the Field Encryption Registry and are using external files to store encrypted database field values and if the ‘last index numbers used’ are stored in the physical file option [LSTINDSTG(*PF) parm on the Registry], then replicate the physical file named CRPF002.
  4. Replicate any IBM i Authorization Lists that may be used to secure Key Stores or to secure fields in the Field Encryption Registry. Add your replication software service profile to the full authorization object (*AUTL) used in the field encryption registry for each field in the files being replicated
  5. Replicate the Powertech Encryption for IBM i authorization lists PCRADMIN and PCRREPORT.
  6. DO NOT replicate the CRVL001 *VLDL object from the Production system to the HA system. The settings in CRVL001 are encrypted with the Product Encryption Key (PEK), which is unique per IBM i serial number.
  7. Field encryption is normally implemented using field procedures. However, in a legacy environment, field encryption entries may be using external files. In that case, replicate the external files from the Production system to the HA system. You can find the names of those external files by running the CRYPTO/WRKFLDENC command and placing an option 5 next to each *ACTIVE field entry.

High Availability Diagram