Powertech Encryption for IBM i
December 2024
Version 4.03
December 3, 2024
New Features
-
The Master Encryption Key commands (LODMSTKEY, SETMSTKEY, DSPMSTKEY, CLRMSTKEY) now offer better support for the scenario of testing the Master Encryption Key passphrases. They support a new *TEST setting, which gives the ability to safely test loading and setting passphrases. When the *TEST key is displayed, then you can use the comparison value to if the *TEST key matches the MEK on a different system, without setting the MEK.
Enhancements
-
Warning messages will now be issued when symmetric keys are created or changed and the logging option is enabled for the data encryption and/or data decryption. The warning messages point out the potentially strong overhead that the use of those options can create.
-
The installer now runs additional pre-checks if Powertech Encryption is being updated from a version prior to 4.0.
-
Improved support for External Key Managers
-
Added diagnostic messages for scenarios where the connection between Powertech Encryption and an External Key Manager fails. This helps to better identify if there are network latency or setup issues when TLS/SSL is used. Information in these messages includes the GSKIT error return code, identifying the source of the failed connection.
-
Added new functionality to allow the user to configure timeout values for the connection between Powertech Encryption and the External Key Manager. This gives users the ability to extend the timeout. The new command; ‘Change EKM Timeout Value’ (CHGTIMEOUT), has been added for this purpose.
-
-
Powertech Encryption Backup and Restore Encryption commands now support a "Private authorities" option corresponding to the option on the IBM i backup and restore commands; ENCSAVLIB, DECRSTLIB, ENCSAVOBJ, DECRSTOBJ, ENCSTMF, DECSTMF.
-
License expiration messages now follow the configured system date format.
-
The live Partition Mobility feature has a new command (ADDLPMEXT) to automate the setup of exit point programs.
-
Improved security for the use of CRRP015 and a new audit category value of 79 has been added.
Fixes
-
Fixed an issue where programs were not resolving to the CRYPTO library correctly.
-
The WRKFILFLDS command has been modified to refresh masking values when adding multiple field encryption entries to a file.
-
The store procedure P_GetFldIdx has improved efficiency when retrieving the field id if multiple keys are used on a field.
-
When the Translate Field Encryption Keys (TRNFLDKEYF) command was used after the key for a field encryption entry had been changed, a wrong key was applied. This has been fixed.
-
The CRYPTO main menu function key (F9) for the previous command retrieval has been corrected.
-
The CRCL015A program introduced in Powertech Encryption 4.0 has been deprecated and will be removed in a future release. Existing programs that use the CRCL015A program may require modification to call CRRP015.
-
The handling of removing exit point programs for the Powertech Encryption uninstaller has been improved.
-
The field procedure second level text for the SQL return error for numeric values has been improved to include full text for the Powertech Encryption error message.
June 2024
Version 4.02
June 3, 2024
New Features
-
A new Field Encryption Registry report (PRTFLDREGE) has been added. This allows users to print all the Encryption Field Encryption setup information with the ability to filter results on Field Identifier, Library, File, Field, and Status.
-
A new Field Encryption audit has been added (PRTFLDAUD) that allows users to find all library/file fields on a system that contain the Encryption field procedure and validate those to the field encryption registry. This audit can detect mismatches in the field encryption registry and the field procedure attached to the file. This allows it to:
-
locate orphaned files that are associated with encryption field procedures but not with a corresponding field encryption entry in Powertech Encryption.
-
detect files that indicate they should be encrypted but no longer have field procedures, indicating data is left in an unencrypted state.
-
-
A new menu option for "Reports" has been added to the CRYPTO/CRYPTO main menu. It contains the following reports:
-
Field Encryption Registry (PRTFLDREGE) report
-
Field Encryption Entry (PRTFLDENCE) report
-
Field Proc Verification (PRTFLDAUDC) report
-
Enhancements
-
Improved processing for the IFS encryption SCAN OPEN/CLOSE exit programs by:
-
Reducing the number of Powertech Encryption file locks which impacted the ability to upgrade when using IFS Encryption.
-
Resolving error RNQ0202 — "CRRM650 in CRYPTO/CRRP650 called INITIALIZE which ended in error"
-
If a license key has not previously been entered, the license warning dialog will not be displayed.
-
-
The IFS encryption server job now handles scenarios when the journal receiver is changed, and the journal entry sequence number is reset while the job is active.
-
The print field encryption report (PRTFLDENCE) has been enhanced to include a report header and summary footer.
-
Added the ability to utilize a retry and delay option when a file lock is encountered while IFS encryption is being activated:
-
A new command CHGIFSLCK has been added to allow users to control the length of delay and amount of retries when activation encounters a file in use.
-
This resolves issues where IFS activation would fail with error "CPF9898: The file was in use by a job."
-
-
Help text has been added to the Change Exit Pgm Run Option (CHGEXTRUN) command.
-
If you plan to create referential constraints over fields that are already encrypted, the appropriate IBM i O/S version PTF must be applied:
-
IBM i 7.3: SI84738
-
IBM i 7.4: SI84755
-
IBM i 7.5: SI84754
-
Fixes
-
An authority issue that prevented encryption and decryption API's from acknowledging when the current job user was changed has been resolved.
-
An authority issue with starting and ending the IFS server job (STRIFSENCJ and ENDIFSENCJ commands), causing it to fail with error CPA0702, has been resolved.
-
A function check error of RNX1255 on the WRKFLDENC menu has been resolved.
-
An issue that caused the inability to locate the master encryption key, resulting in error CRE0366, has been resolved.
-
Command CHGEXTRUN has been added under PCRADMIN authorization list.
-
Resolved CPF4133, CEE9901, and RNX1219 errors on GO CRYPTO when an external file called 'CRYPTO’ resides in a library that is higher in the library list than library CRYPTO.
November 2023
Version 4.01
November 13, 2023
Enhancements
-
The Field Encryption Configuration report (Option 22 on a Field Registry Entry) has been updated to include "Authorization list caching" option.
Fixes
-
A potential security concern has been resolved.
-
An issue that caused the backup of an incorrect file, when using the Translate File Field Keys (TRNFILKEYF) command, has been fixed.
-
The issue that caused cut off error message text has been fixed.
-
The Export Field Encryption Entry (EXPFLDENCE) command’s output has been updated to reflect all current parameters for a field encryption entry.
-
A warning pop up containing an incorrect warning for IFS encryption exit point validation has been fixed.
-
The issue that caused the Change Symmetric Key (CHGSYMKEY) command to error out has been fixed.
-
Configuration reports, where key and keystore were not accurately reported, have been fixed.
-
Error messages generated when using the Start RLA Sort Utility (STRRLASRT) command have been resolved.
-
Help text information regarding IFS encryption algorithms has been improved.
-
Fixed an issue that caused failures in active jobs after Live Partition Mobility was used to move a partition.
May 2023
Version 4.0
May 3, 2023
New Features
-
Powertech Encryption now supports exit program integration, allowing the efficient use of multiple exit programs for File Server and scan exit points.
Enhancements
-
Powertech Encryption now supports live partition mobility and no longer requires manual intervention after a partition is moved.
-
Library CRYPTO is no longer needed in system value QSYSLIBL.
-
Powertech Encryption objects are now owned by user profiles PTENCUSR and PTENCADM.
-
The *PUBLIC authority to library CRYPTO has been amended to *USE from *CHANGE.
-
Improved visibility for license related errors has been introduced throughout the product.
-
Added warnings to main menu if the product license is set to expire, expired, or invalid.
-
A “comparison value” has replaced the “key verification value” shown on the Master Encryption and Key Store display screens. Note that because of the change, MEKs cannot be directly compared between systems running 3.65 or older and systems running 4.00 or higher of Powertech Encryption. If you need to compare MEKs for any release prior to version 4.0 please contact Powertech support.
-
The output of the Display Symmetric Key Attributes (DSPSYMKEY) command now contains a symmetric key comparison value.
-
The Print Field Encryption Entry (PRTFLDENCE) command is now included in the Field Encryption Menu.
-
Add Field Encryption Entry from the Work with File Fields (WRKFILFLDS) menu now allows the faster setup of encryption entries.
-
A new Display Key Usage (DSPKEYUSG) command identifies field encryption entries that use a particular keystore and label pair.
Fixes
-
Fixed audit logging errors caused by user authority.
-
Fixed an issue with journal location overrides within IFS encryption.
-
Fixed the Print Field Encryption Entry (PRTFLDENCE) command to include all entries when printed.
-
Fixed an issue that prevented activation for IFS files over 2GB.
-
Fixed an issue with key officers running the Activate IFS Encryption (ACTIFSENC) command without special authority.
-
Powertech Encryption for IBM i has been rebranded, where applicable, from HelpSystems to Fortra.
-
Changed the Activate IFS Encryption (ACTIFSENC) command to give a warning if the user is not authorized to perform this action.
-
Authorization list handling has been updated in response to changes made by IBM in IBM i V7R5.
-
The Configuration report now shows new key comparison values.
-
IFS deactivation no longer errors when there is no default key store configured.
-
We now prevent *LIBL from being used as a field identifier in Work with File Fields (WRKFILFLDS).
-
Fixed an issue when deactivating files with long schema names.
July 2022
Version 3.65
July 19, 2022
Enhancements
-
Added additional compatibility checks for the Decryption Accelerator option.
-
Updated the Field Encryption Configuration report (Option 22 on a Field Registry Entry) to include information about triggers and sorting for file fields.
-
Newly created Field Registry entries will now default to not use the Decryption Accelerator value.
-
Enhanced Field Encryption activation to detect file sorting options, such as ALTSEQ (alternative sequencing), that are incompatible with encryption.
Fixes
-
Option 16 "Change Field Mask" in the Field Registry no longer displays an error.
-
Suppressed attempt to display an on-screen warning during activation, unless activation is performed interactively.
-
For actions performed on files with encrypted fields, including duplicating the files, the "Field Length Change" error no longer occurs when the CRVL002 validation list does not reside in the product library and is not contained in the library list.
August 2021
Version 3.64
August 30, 2021
- Changes in version 3.63 caused tokenization APIs to fail. This has been fixed.
July 2021
Version 3.63
July 13, 2021
Enhancements
- An Intermediate (*INT) value has been added to the Auth. List Caching (AUTLCACHE) parameter for field encryption entries. The new setting caches authorization lists, but checks them every 60 seconds between decryption operations. Previous versions offered a choice between full caching, which never picked up changes to authorization lists, and no caching, which carried a distinct performance penalty. The new setting offers the flexibility of the no-cache option, combined with a pronounced performance advantage over the no-cache setting.
-
A new "Decryption Accelerator" option has been added to the field encryption entries. Setting this new option to *YES can provide performance improvements for jobs that use native I/O (RPG, Cobol) to read data from encrypted fields.
NOTE: Fields that have already been encrypted do not benefit from this setting automatically. For those fields, deactivating and reactivating any field can provide the performance improvement for all encrypted fields in that file. - Certain system values must be configured properly in order for IFS encryption to perform as intended (indicated in the User Guide). If IFS encryption is attempted without the appropriate system values set, Powertech Encryption now issues a warning message that indicates the system values that have not been properly configured.
- Enhancements to the PRTFLDENCE report now allow the encryption status for all field encryption entries to be reported.
- The language in the High Availability instructions was updated for clarity, and instructions were added to include the product's own authorization lists in the objects to replicate.
- The configuration report that, once generated, is saved to /tmp is now set to *PUBLIC *EXCLUDE for improved security.
- Instructions that describe the RLA Sort Utility STRRLASRT, and its recommended usage, have been added to the User Guide.
Fixes
- An issue causing a zero-length file size after copying an encrypted sub-folder has been resolved.
- Issues with activating fields of specific data types (VARCHAR, GRAPHIC, BLOB, CLOB) that were causing an SQL0681 error have been resolved.
- A single quotation mark (') in the message text for CRYPTO/CRMSGF msgID CRE4036 that interfered with dynamic command execution has been removed.
- A pointer issue in the CHGLFLDKEY command has been resolved.
April 2021
Version 3.62
April 21, 2021
Enhancements
- Powertech Encryption now includes a utility to assist with encrypted key sorting when processed by native I/O (SETLL/READ).
- A Powertech Encryption Configuration Report can now be generated to quickly export important configuration information for specific field encryption or IFS encryption entries. This report can be helpful as a diagnostic resource when customers collaborate with HelpSystems support.
- Enhancements have been made for compatibility with Powertech Antivirus.
- Pending Record Changes and Other Pending Changes options have been added to the SAVACTWAIT parameter of the ENCSAVLIB and ENCSAVOBJ commands.
Fixes
- An error preventing encryption due to an incorrect field type (*BLOB instead of *CLOB) has been resolved.
- An issue that could cause IFSENCJOB to incorrectly indicate no active IFS entries after IFS entries have been activated has been resolved.
- Entries in the List Fields in File screen are now sorted alphabetically, and option F8 (Position To) now functions properly.
- An issue causing an inconsistent number of decimal positions when adding/changing field registry entries has been resolved.
February 2021
Version 3.61
Enhancements
- The Limit All-Object Authority setting in the default Security Policy has been changed from *NO to *YES.
- Security alert audit messages now always include a message identifier.
Fixes
- An issue that caused the IFS Encryption Server program to fail when a file was opened and closed many times in a row has been resolved.
- A timing issue that caused an error while running the STRIFENCJ command in encrypted directories on the IFS has been resolved.
- An issue that caused an error updating data area CRDA211, with subsequent accessibility issues, has been resolved.
- An invalid user profile can no longer be used on command ADDIFSEXTP.
- Errors and unexpected behavior while running the Encrypt Object (ENCSAVOBJ) command have been resolved.
- An IFSENCJOB error on retrieving file info (API GetFileInfo) has been resolved.
- An issue that caused activation/deactivation to fail when a file had more than 100 fields has been resolved.
- An issue has been resolved that could cause activation/deactivation to fail when the field registration contained entries for the same file name but different libraries, and different authorization lists were assigned to each entry.
- Incompatible IFSENCJOB date formats that could previously cause CRPIFSPRC to function incorrectly have been resolved.
- A problem showing the Last Modified date when an IFS entry is activated has been resolved.
- There is no longer a need to press ENTER twice to submit changes on the Work with Symmetric Keys screen.
January 2019
Version 3.60
Enhancements
- A new parameter has been added to the CRTKEYSTR (Create Key Store) command that creates the Key Store library if it does not exist.
- A new parameter has been added to the CRTKEYSTR (Create Key Store) command that sets the Key Store as the default Key Store in the Key Policy.
- Up to 50 fields can now be activated (mass encrypted) at one time using the ACTFLDENC command, as long as all of the fields are in the same file and all use the DB2 Field Procedure technique for encryption.
- Up to 50 fields can now be deactivated (mass decrypted) at one time using the DCTFLDENC command, as long as all of the fields are in the same file and all the DB2 Field Procedure technique.
- The new command ACTFILFLDE activates all *INACTIVE fields in a file.
- The new command DCTFILFLDE activates all *ACTIVE fields in a file.
- The ability to save Pending keys for fields encrypted using Field Procedures has been added. The keys can be used during the next Data Encryption Keys rotation.
- The new command TRNFILKEYF (Translate File Encryption Keys - Field Procedures) rotates the keys for any fields in a file that have a Pending Key.
- The new command WRKLIBFILS (Work with Library Files) lists all physical files in a library.
- The new command WRKFILFLDS (Work with File Fields) lists all fields in a physical files.
- F4 lookup has been added for Key Stores in the WRKSYMKEY (Work with Symmetric Keys) command.
- The WRKFLDKEY (Work with Field Encryption Keys) command now shows new Pending Keys.
- The STRIFSENCJ (Start IFS Encryption Job ) command has been improved with two new parameters that allow you to start the server job at a previous Journal Receiver or a different Journal Sequence number.
- Access to Powertech Encryption is now secured with authorization lists.
- The new EXPCLNTCRT command allows you to export the Public Certificate from the Digital Certificate Manager to the IFS.
- When adding or changing a Key Officer, if the User is set to maintain any of the following: Key Policy, Key Officers, Load MEK Parts or Load MEK, then the User Profile is added to the CRVL001 object with *CHANGE Authority.
Fixes
- Fixed an issue where QIBM_QP0L_SCAN_CLOSE and QIBM_QP0L_SCAN_OPEN exit programs recursively call program CRRP002.
October 2018
Version 3.59
Enhancements
- Object lock checks have been added to the update procedure in order to determine if automatic IFS encryption has been configured, and to determine if there is a lock on a Crypto Complete menu.
- A check is now performed for PTF MF64712 (IBM i 7.2) or PTF MF64713 (IBM i 7.3) during the update procedure. These PTFs resolve an issue that can cause some fields on a file to become hex 00s when multiple fields are encrypted.
Fixes
- An issue regarding object allocation during failed updates has been resolved.
- A check is now performed while updating to confirm the existence of the VERSION data area if the CRVERSION data area is not found.
July 2018
Version 3.58
Enhancements
- Field type Hex is now allowed to be encrypted as type *CHAR when using the Field Registry.
- The Create Key Store (CRTKEYSTR) command AUT parm default has been changed to *USE.
- The Add Field Encryption Entry (ADDFLDENC) command parameter "Use DB2 field procedure" (USEFLDPROC) default has been changed to *YES.
- The Change Key Policy (CHGKEYPCY) command parameter "decrypt usage by owner" (DEKDECOWN) default has been changed to *YES.
- The IFS Server job process has been changed so that it is allowed to use Journal Receivers that are not in the same library as the Journal.
- The IFS Server job process has been changed so that it recognizes journal type PR. As such, the job now knows when a new Journal Receiver was attached when little encryption activity is occurring.
- The ability to filter by Status type in the Work with Field Encryption Registry program has been added.
- The ability to filter by Status type in the Work with IFS Encryption Registry program has been added.
- 75-character licensing has been added.
Fixes
- The WRKFLDENC Work with Field Encryption screen has been fixed so that it stays on the current screen when options are selected.
- The WRSYMKEY Work with Symmetric Keys screen has been fixed so that it stays on the current screen when options are selected.
- The WRKIFSENC Work with IFS Encryption screen has been fixed so that it stays on the current screen when options are selected.
- The WRKCCALR Work with Security Alerts screen has been fixed so that it stays on the current screen when options are selected.
- The WRKEKM Work with External Key Managers screen has been fixed so that it stays on the current screen when options are selected.
- An issue with the return message when the connection to the External Key Manager cannot be made has been fixed.
- An issue with Delete Crypto Complete Alert (DLTCCALR) has been fixed. The *EKMGR category has been added.
- An issue with masking for O-type fields has been fixed.
- An issue causing the IFS server job to use an inappropriate date format has been fixed.
- IFS Encryption server job: An issue reading journal records that do not include job information that are derived from unencrypted directories has been fixed.
December 2017
Version 3.57
- Fixed an issue with the CHGSYMKEY command to work correctly with keys that do not use parameter GENTYP *REMOTE.
November 2017
Version 3.56
- Rebranded Crypto Complete as a HelpSystems product.
September 2017
Version 3.55
Enhancements
- Added new Alert Audit Category of *EKMGR to monitor for events related to External Key Managers.
- Added a new field Alternate Server Host(ALTSRVHST) in the ADDEKM, CHGEKM and DSPEKM commands. This new field will hold the alternate host to use when trying to connect to an external key manager to retrieve a key.
July 2017
Version 3.54
Enhancements
- Enhanced the External Key Manager to work with Key Managers that use the Key Management Interoperability Protocol(KMIP) standard. Crypto can work with external key managers that use the encoding types TTLV or XML. Crypto can also connect to servers that use SSL over TCP or HTTPS connections.
- Enhanced the Create Symmetric Key (CRTSYMKEY) command to add a new option Create External Key (CRTEXTKEY) when using either type *KMIP or *VORMETRIC. This allows the key to be generated on the *KMIP or *VORMETRIC server if the key does not already exist.
June 2017
Version 3.53
- Fixed an issue with the upgrader to work correctly with the new CRPFIFSPRC file.
- Fixed the edit when adding Date, Time and Timestamp fields using Field Procedures to not require a default value when the field allows null values. The field will default to null automatically.
-
Fixed an issue with masking numeric values when using field procedures.
February 2017
Version 3.52
Enhancements
- Enhanced the Field Encryption registry to lookup more information about the field when adding or updating an entry. This change reduces processing overhead and reduces issues with checking field information when decrypting.
- Added a position to screen to allow users to easily position to entries in the Field Encryption registry
- Added a position to screen to allow users to easily position to entries in the IFS Encryption registry
- Added a position to screen to allow users to easily position to entries in the Data Encryption Key Store.
- In the IFS Encryption Server job added the ability to check for requests for the job to end every 30 seconds.
- In the Add Field Encryption(ADDFLDENC) command changed the Field procedure return value(FLDPROCOPT) default value from *FULL to *AUTH.
Other Updates
- Fixed an issue where the IFS Encryption exit point programs would not find the CRRP002 program in the library list.
- Fixed the WRKFLDENC Work with Field Encryption screen to not load more than 9,999 entries at a time.
- Fixed the WRSYMKEY Work with Symmetric Keys screen to not load more than 9,999 entries at a time.
- Fixed the WRKIFSENC Work with IFS Encryption screen to not load more than 9,999 entries at a time.
- Fixed the IFS Encryption Server job to recognise restores of files.
- In the IFS Encryption Server job removed processing the WA entries.
- In the IFS Encryption Server job reduced the file lock contention.
- In the IFS Encryption Server job added code to better update the CRLSTSEQ data area with proper journal receiver and sequence number.
- In the IFS Encryption Server job added code to read the journal in the correct library.
- In the IFS Encryption Server job fixed an issue when renaming files through mapped drives.
- When changing an entry in the in the External Key Manager check the correct license.
- Changed the user swap program (CRRP015) to strengthen the parameter editing.
- Added code to check if a file is locked in the VFYIFSENC command.
July 2016
Version 3.51
Enhancements
- Enhanced the performance when decrypting fields. When using AUTLCACHE(*YES) the process now caches the information for each current user.
- Enhanced the performance when decrypting different types of fields together in the same job.
- Enhanced the FNDDBFLD command to read "PF38" source members.
- Enhanced the FNDDBFLD command to work with libraries, files and files that are surounded by double quotes.
- Added a new program API named CRRP015 that will allow customers to change the current user of the job. This change will be recognized when using Field Procedures.
April 2016
Version 3.50 (04/19/2016)
- Fixed the ADDFLDENC, CHGFLDENC and CHGFLDMSK options to allow the MASKOPT value of *NONE for *DATE, *TIME and *TIMESTAMP field types.
March 2016
Version 3.42 (03/18/2016)
Enhancements
- Enhanced the performance of decryption when cashing authorization lists with AUTLCACHE(*YES) specified for a field procedure.
- Enhanced the Work with Field Encryption screen (WRKFLDENC command) to allow users to edit the authorization lists for field entries using options 14 and 15.
- Enhanced the Work with IFS Encryption (WRKIFSENC) command to allow users to edit the authorization list for IFS entries using option 15.
- Added a new masking option for *DATE, *TIME and *TIMESTAMP field types in the Field Encryption Registry.
- Enhanced the auto-IFS encryption functions to work with iASPs.
- Enhanced the auto-IFS encryption to work with directories that are already journaled by another process.
- Allow turning off commitment control when storing the encrypted values for a field in an external file.
- Added a new command called PRTFLDENCE to print a list of entries in a Field Encryption Registry. The list will include the Field Id, file name, file library, field name and status. Added a new command EXPFLDENCE to export the Field Encryption Entries into a source physical file member. It will place the ADDFLDENC command into the source member for each field.
Fixes
- Fixed the DB2 Field Procedure Service program that is used for decrypting fields to be Thread Safe.
- Fixed the DB2 Field Procedure programs to not adopt authority.
- Fixed the DB2 Field Procedure program for numeric values to catch and ignore errors encountered when invalid numeric data is received to encrypt.
December 2014
Version 3.41 (12/29/2014)
Fixes
- When encrypting a field in the Field Registry using the external file method; Fixed an issue with the creation of the external file.
- When encrypting a field with a long name and *REMOTE in the DBFLD parameter, the value *REMOTE was being replaced with the field long name.
Version 3.40 (12/15/2014)
Enhancements
- Add the ability to use keys from an External Key Manager. The supported key managers are Crypto Complete, SafeNet and Vormetric. Authorized users can access the External Key Manager (EKM) commands from a menu by typing GO CRYPTO15. After an EKM is defined, you can refer to a symmetric key in the EKM by using the CRTSYMKEY command and specifing *REMOTE for the key generation type and then specify the EKM name and remote key label.
- Added a new program API named CRRP643 that will compute either an MD5, SHA-1, SHA-256, SHA-384 or SHA512 Hash Value for a value entered. The input type can be specified in ASCII or EBCDIC. The output format can be Character, Hex or Base64 format. Optionally, you can call the procedure named GenHashValue in service program CRSP503.
Fixes
- When encrypting a field in the Field Registry using the external file method; If the original File Name and Field name are using long names, then build the new external File Text label to not exceed 50 characters.
- For the auto-IFS encryption, changed the IFSENCJOB server job to use the correct Journal Receiver sequence number if the receiver was changed by the system.
- When calling the delete procedure for encrypted values stored in an external file, do not error out the process if the external record is not found.
- For auto-IFS encryption, support an IASP name when starting/stopping journaling of a file.
August 2014
Version 3.32 (8/26/2014)
Enhancements
- Improved the performance of DB2 Field Procedure programs when automatically decrypting numeric fields.
- On the DECRSTLIB (Decrypt Restore Library) command, added the ability to position to a sequence number on the tape when restoring multiple libraries or when specifying a wildcard or *ALL.
- On the DECRSTLIB command, ignore non-encrypted sequence numbers when restoring multiple libraries or when specifying a wildcard or *ALL.
- When sending out Security alerts via email, added the IBM i System Name to the beginning of the email subject.
Fixes
- If the STRIFSENCJ command is submitted to batch, then that command will submit the Auto IFS encryption server batch job.
- When a user is attempting to decrypt an IFS file that has not been encrypted yet, and if the user is not authorized to the encryption keystore, then do not attempt to lock or encrypt the file.
- After encrypting an IFS file, do not clear the original file if there is still a lock on it.
- Change the Print Audit Log Report to work with journal date formats of *DMY, *DMY0, *EUR and *EUR0.
- When adding a field to the registry that is numeric and if using a field procedure, then do not generate an error message if the field only has right-most decimal positions.
- Fixed the decryption DecAdv3 and DecAdv4 APIs to use the correct length when decrypting Hex or Base64 input formats so the output plaintext and length are returned with the proper values.
- Fixed the encryption EncAdv3 and EncAdv4 APIs to correctly return the output cipher length when the output format is Hex or Base64.
August 2013
Version 3.30 (8/22/2013)
Enhancements
- Created a new Auto IFS encryption and decryption feature, which will automatically encrypt files in a specified directory and optionally all its subdirectories. The process will automatically decrypt the IFS files for those users which are authorized. Please note that a license for the Auto IFS encryption feature is required from Linoma Software.
The new IFS encryption commands are called:
- WRKIFSENC (Work with IFS Encryption)
- ADDIFSENC (Add IFS Encryption Entry)
- CHGIFSENC (Change IFS Encryption Entry)
- DSPIFSENC (Display IFS Encryption Entry)
- RMVIFSENC (Remove IFS Encryption Entry)
- ACTIFSENC (Activate IFS Encryption)
- DCTIFSENC (Deactivate IFS Encryption)
- WRKIFSKEY (Work with IFS Encryption Keys)
- CHGIFSKEY (Change IFS Encryption Key)
- STRIFSENCJ (Start IFS Server Job)
- ENDIFSENCJ (End IFS Server Job)
- ADDIFSEXTP (Add IFS Exit Point Programs)
- RMVIFSEXTP (Remove IFS Exit Point Programs)
- DSPIFSDBG (Display IFS Debug Mode)
- CHGIFSDBG (Change IFS Debug Mode)
- CLRIFSLOG (Clear IFS Debug Log)
These commands are available under the following new menus:
- IFS Encryption Menu (GO CRYPTO12)
- IFS Keys Menu (GO CRYPTO13)
- IFS Utility Menu (GO CRYPTO14)
- Added new audit types for journal entries that will be created in the CRJN001 journal for the auto-IFS encryption feature:
- 60 Add IFS Encryption Entry(ADDIFSENC)
- 61 Change IFS Encryption Key(CHGIFSKEY)
- 62 Remove IFS Encryption Entry(RMVFLDENC)
- 63 Activate IFS Encryption(ACTFLDENC)
- 64 Change IFS Encryption Entry(CHGIFSENC)
- 65 Deactivate IFS Encryption(DCTFLDENC)
- 66 Unable to Activate
- 67 Unable to Deactivate
- 68 IFS Automatic Encryption Failed
- 69 IFS Automatic Decryption Failed
- 70 General Failure in Automatic IFS Encryption
- 71 Add Exit Point Program
- 72 Remove Exit Point Program
- 73 IFS Server Program Started
- 74 IFS Server Program Stopped
- 75 Debug Mode was changed
- 76 Debug File was cleared
- Improved the performance of the DB2 Field Procedure programs when multiple fields are encrypted by caching information about each field into the job's memory.
- When generating log records for Field Procedure encrypt and decrypt operations, additionally log the field's File and Library name in the log record.
- Added support for BLOB and CLOB data types when encrypting with DB2 Field Procedures.
- Changed the Field Procedure programs to add the CRYPTO library to the bottom of the library list the first time called in the job.
- Added functionality to find the index for an unencrypted value when storing the encrypted values in an external file. Use one of the following programs:
- Service program named CRSP513 with the procedure GetFldIdx
- Program CRRP642 using a traditional CALL statement
- SQL stored procedure p_GetFldIdx
- Added new parameters to the CPYFLDENC (Copy Field Encryption Registry) command to allow redirecting the key store and file libraries to something other than the target field registry library.
Fixes
- Fixed an issue with the HTTP_GetConnection procedure to work with the IBM HTTP Server in V6R1 and V7R1.
- Fixed an issue with the WRKDFLDENC (Work with Field Encryption) command to allow a user to work with over 999 entries in the field registry.
- Fixed an issue with VarGraphic fields when using Field Procedures, to use the field's CCSID when generating the masked or non-authorized value on a decrypt operation.
- If 'Limit all-object authority' is specified at the key policy level, if the user belongs to supplemental groups, then make sure to look at all 15 supplemental group profiles (used to be 5) to determine if the user has *ALLOBJ authority and, if so, determine if those supplemental groups have specific authority to the key stores or authorization lists needed to decrypt the field value.
- Fixed an issue with VarGraphic fields (when encrypting using Field Procedures) to determine the correct length for the field data.
- Fixed the DB2 Field Procedure program that is used for encrypting numeric fields to be Thread Safe.
- When sending an email alert, add single quotes around the email address to support dashes and other special characters.
- Fixed the CHGFLDMASK (Change Field Mask) command to not verify certain field attributes (e.g. file name, field length, etc.) when DBFLD is specified as *REMOTE.
- Fixed the HTTP_GetEncFld procedure to not verify the field type when the Field is *REMOTE.
- Fixed DB2 Field Procedures to properly trim any trailing spaces in variable length fields when encoding the data.
- Fixed ENCSAVLIB (Encrypt Save Library) command to use the proper backup labels when multiple libraries are entered on the command.
July 2012
Version 3.10 (7/24/2012)
Enhancements
- When adding a new field to the Field Encryption Registry, provided a new masking *OPTION2 that allows you to specify how many characters or digits to show on the left and right sides of the field value. You can then specify the masking character or number to use for the portion of the value to hide from the user.
Note: When determining which characters to show, the leading and trailing blanks are ignored for alpha fields, as well as the leading zeros will be ignored for numeric fields.
- When using DB2 Field Procedures for auto-decryption, allow a numeric field to return a masked value if the user is only authorized to the masked value. Valid masking digits are 0 to 9.
- Added support to DB2 Field Procedures for the latest IBM masking feature.
- Enhanced the WRKFLDENC (Work with Field Encryption Registry) command to allow up to 9999 entries. The maximum previously was 999 entries.
- Allow masking for numeric fields that have decimal positions, in which case the mask will be applied to only the whole number (on the left side of the decimal point).
- When determining user authority to a decrypted field value in a DB2 Field Proc, always get the latest current user for the job. This will allow the customer to change the current user as needed, in which case Crypto Complete will recognize the current user when determining what their authority is to the field value.
- Changed the F_DECFIL, F_DECFILMASK and F_DECFILAUTH functions to not attempt to decrypt a field value of blanks. This will simplify SQL Select statements by not having to condition on blank values.
- When determining a list of libraries in the ENCSAVLIB and DECRSTLIB commands, allow a user with *SAVSYS special authority to backup or restore libraries which they may not have authority to. This can be accomplished by changing the program CRRP056 to adopt authority from the program owner, in which case the program owner would need at least *USE authority to the libraries which need to be backed up or restored.
- Allow omitting libraries and objects on the ENCSAVLIB and DECRSTLIB commands.
- Allow omitting objects on the ENCSAVOBJ and DECRSTOBJ commands.
- Added the OUTPUT parameter to the ENCSAVLIB, DECRSTLIB, ENCSAVOBJ, DECRSTOBJ, ENCSTMF and DECSTMF commands.
- Added a COMPRESS parameter to the ENCSAVLIB, ENCSAVOBJ and
- ENCSTMF commands. This new parameter can help minimize the amount of tape utilized, but may extend the time of the backup.
- Enhanced the ENCSAVLIB command to return the escape message CRE0712 when not all Libaries are saved.
- Enhanced the ENCSAVOBJ command to return the escape message CRE0713 when not all Objects are saved.
- Enhanced the DECRSTLIB command to return the escape message CRE0714 when not all Libaries are restored.
- Enhanced the DECRSTOBJ command to return the escape message CRE0715 when not all Objects are restored.
- Added a new Key Officer setting to indicate if the user can maintain the IFS encryption registry, as well as control other settings for automatic IFS encryption. This feature is reserved for a future use.
- Added new audit codes from 60-70 for generating journal entries for the new upcoming automatic IFS encryption feature.
- Added new Alert Audit Category of *IFSREG to monitor for events related to automatic IFS encryption. For a future use.
Fixes
- In the ADDFLDENC and CHGFLDENC commands, change the field name in the DBFLD parameter from the short name to the alternate long name if one exists for the field.
- On the CRTSYMKEY (Create Symmetric Key) command, make sure the Iteration count is specified when the user is attempting to generate a key with the *PASS (password) option.
- Fixed the DECLIB, DECSAVF and DECRSTLIB commands to not skip libaries that may have been listed on the command in non-alphabetical order.
- Fixed the GetEncFld, GetEncFldMask and GetEncFldAuth APIs and functions to not lock the record if the Last Retrieved User and Time are not in the record.
- Fixed the ACTENCFLD command when encrypting a variable length field using the internal method.
- Fixed the ENCSAVLIB command parameter LABEL to use the value entered if not *LIB.
May 2011
Version 3.00 (5/25/2011)
Enhancements
- Broke out Crypto Complete into three separate licensed features:
5001 - Base Product license (Includes Key Management, Policy Settings, Security Controls, Alerts and Audit trails)
5002 - Field Encryption license (Includes all Field encryption features including the field registry, tokenization and APIs) 5003 - Backup Encryption license (Includes the Backup and IFS encryption/decryption commands) Each feature must be activated with a separate license key from Linoma Software. The license status of these features can be displayed using the command of CRYPTO/DSPPRDINF or WRKLICINF.
- Allow up to 25 fields to be activated (mass encrypted) at one time using the ACTFLDENC command, as long as all of the fields are in the same file and all use the DB2 Field Procedure technique for encryption.
- Allow up to 25 fields to be deactivated (mass decrypted) at one time using the DCTFLDENC command, as long as all of the fields are in the same file and all the DB2 Field Procedure technique.
- Added ability to restore/decrypt up to 600 libraries (was 300) when using wildcards on the DECLIB and DECRSTLIB commands.
- Added new program API named CRRP641 that will close the last external file that was opened for storing or retrieving encrypted data. This is useful if you want to close the file for commitment control or if you need to perform maintenance on the file.
Fixes
- Fix the HTTP Token lookup program to only select one row when searching for an encrypted value in the token file.
February 2011
Version 2.52 (02/08/2011)
- Fixed the ENCSAVLIB and ENCSAVOBJ commands to properly use the SAVACTWAIT and SAVACTMSGQ parameters for Save While Active.
- Fixed the ENDOPT parameter for the ENCSAVLIB command when multiple libraries are specified. For each library, it will now use ENDOPT(*LEAVE) until the last library, in which it will use the ENDOPT option that was specified by the user.
- Fixed the ENCSAVLIB command to ignore the error message CPF3701 when using a wild card to encrypt multiple libraries.
- Fixed the DB2 Field Procedure encryption process to compare the saved data against the data that is passed to the procedure (before encryption), to determine if the data was changed and should be encrypted.
- Fixed the edit check when using DB2 Field Procedures and performing a Field Activation or Deactivation. For activation, it now checks the user's authority to the encryption key store for each field that uses a Field Procedure. For deactivation, it now checks the user's authority to the decryption key store for each field that uses a Field Procedure.
- Fixed the HTTP Token Lookup (GetFldTkn) program CRRP809 to use the QILE Activation Group.
Version 2.51 (11/19/2010)
- When adding a new entry to the field encryption registry, do not check how large the field is (in order to store external index numbers) if the encrypted values will not be stored externally.
- Fixed the ENCSTMF and DECSTMF commands to call out the CRRP081 and CRRP082 programs in the CRYPTO library.
October 2010
Version 2.50 (10/21/2010)
- Added support for Graphic character types when using Field Procedures for automatic encryption and decryption.
- Increased the speed of the ACTMLTSBM command. It can now encrypt up to 40% more records in the same amount of time when using an external file (to store the encrypted values) and up to 84% more records when storing the encrypted values internally.
Version 2.43 (09/02/2010)
Enhancements
- Created new IFS encryption and decryption commands, which are faster than previous commands (ENCFIL/DECFIL) especially when interacting with tape backup devices. The new commands are called:
- ENCSTMF (Encrypt IFS Stream File)
- DECSTMF (Decrypt IFS Stream File) Multiple IFS files can be encrypted at once from multiple folders using wildcards and *INCLUDE/*OMIT criteria. The encrypted files can be stored to the IFS or a tape device. The user can specify either a password or a key for the encryption process. AES128, AES192 and AES256 algorithms are provided. Added the new ENCSTMF and DECSTMF commands to the CRYPTO5 menu, which can be accessed with the command "GO CRYPTO/CRYPTO5". Updated the CL examples of BACKUPALL and RESTOREALL to include the new ENCSTMF and DECSTMF commands.
- Removed depricated encryption commands (ENCSAVF, DECSAVF, ENCFIL and DECFIL) from the manual and from the CRYPTO5 menu. Moved these commmands to the CRYPTO11 legacy menu.
- Qualified the CLRMSTKEY (Clear Master Key) command with the CRYPTO library when running it from the CRYPTO2 menu, so it does not interfere with IBM's CLRMSTKEY command.
- Added the option of NOTAUTHFV (named 'Not authorized fill value') to the field registry. This is a 1-byte value to fill the returned value on a decryption request (from a DB2 Field Procedure or a Crypto Complete 'auth' API) if the user is not authorized to either the full or masked authorization lists.
For instance, if the fill value is '9' and the field length is 7, then the value of '9999999' will be returned on an unauthorized decryption request.
Notes on the NOTAUTHFV fill value:
- The fill value is required when a DB2 Field Procedure is utilized and the return value (FLDPROCOPT) is set to *AUTH.
- If the field type is *CHAR, then the fill value can be a number, letter or special character (e.g. #, *, %).
- If the field type is *DEC, then the fill value can be a number from 1 through 9 if a DB2 Field Procedure is being utilized, otherwise it can be number from 0 through 9.
- The fill value is not allowed for field types of *DATE, *TIME and *TIMESTAMP. The NOTAUTHFV parameter was added to the ADDFLDENC, CHGFLDENC, DSPFLDENC and CHGFLDAUTL commands. Documented in Programmers Guide.
- Enhanced 'auth' program APIs to return the fill value (NOTAUTHFV) when the user is not authorized to the full or masked value. ILE APIs affected are DecFldAuth and GetEncFldAuth. Program APIs affected are CRRP637 and CRRP638. SQL functions affected are F_DecFldAuth, F_getEncfldAuth and F_getEncfldAuthChr. Stored Procedures affected are P_DecFldAuth and P_GetEncFLdAuth.
- Enhanced the Field Procedures to not update the field value if it contains the masked or fill value.
- Added edit check to TRNFLDKEYF command to make sure the user has authority to the FULL value for all fields (which have Field Procedures) in the file.
- When activating or deactivating a field with the ACTFLDENC or DCTFLDENC commands, make sure the user has authority to the FULL value for all fields (which have Field Procedures) in the file.
Fixes
- Added edit check to TRNFLDKEYI command to make sure the field does not use Field Procedures.
- Removed the CLEAR option from the ENCSAVLIB and ENCSAVOBJ commands since that option is not supported by streaming API.
- Fixed the ENDOPT parameter for the ENCSAVLIB, DECRSTLIB,
- ENCSAVOBJ and ENCRSTOBJ commands, so it does not always rewind.
- Fixed the ENCSAVLIB and ENCSAVOBJ commands so they do not lock lock the destination tape or file if an error occurs.
- Fixed the DECRSTLIB and DECRSTOBJ commands so they do not lock the source tape or file if an error occurs.
Version 2.42 (08/6/2010)
- Enhanced help text on various commands within Crypto Complete.
Version 2.41 (07/30/2010)
Enhancements
- Provided support for DB2 Field Procedures which IBM made available in V7R1. This is a technique which allows for the automatic encryption/decryption of fields, which is an alternative approach to using triggers and API calls. DB2 Field Procedures also allow storing the 'encoded' encrypted values within the existing file, which is especially useful for numeric fields. [In the past, a separate external file had to be created to store the encrypted values for numeric fields.]
The following changes were made to support DB2 Field Procedures:
- Added the new option of USEFLDPROC to the field registry to allow an authorized user to specify if DB2 Field Procedures should be used for the field. This option was added to the ADDFLDENC, CHGFLDENC and DSPFLDENC commands.
- Allowed encryption of integer, date, time and timestamp data types in the field registry.
- Added a new edit to allow a masking format to be specified for a field only if it's character (alpha) with a length which does not exceed 30 bytes.
- On the activation of a field (using ACTFLDENC), use the SQL ALTER TABLE command to add the DB2 field procedure to the file.
This will perform a mass encryption of the current field values and store those values in the 'encoded' portion of the field within the file. Future inserts/updates of the field will cause the field procedure to be called, which will encrypt the value and encode it.
- On the deactivation of the field (using DCTFLDENC), use the SQL ALTER TABLE command to remove the field procedure from the file. This will perform a mass decryption of the field values and return the field to its original state (unencoded).
- Created a new command called TRNFLDKEYF, which will translate (rotate) the key used to encrypt the field values. This command will read all the records in the file and will decrypt each field value with the old key and re-encrypt the 'encoded' value with the new key specified. It will then set the new key for any new values to encrypt.
- Added a new Key Policy option named LMTALLOBJ (Limit all-Object).
This new option, when set to *YES, will cause Crypto Complete to perform its own authority check on any requested Key Store or Authorization List when the user has *ALLOBJ authority. This user's profile (or group profile which it belongs) must be specifically listed as an authority entry (with at least *USE authority) on the Key Store or Authorization List.
For an *ALLOBJ user, this authority check will be performed in any function that requests a key from a Key Store, including the encrypt/decrypt functions and key management commands (e.g. CPYSYMKEY, DLTSYMKEY, WRKSYMKEY, DSPSYMKEY, etc.) This authority check is also performed when determining which value (full, masked or none) to return on a decrypt function, which is based on the authorization lists assigned to the field in the field registry.
- Added the new option of FLDPROCOPT to the field registry, which can be specified when DB2 Field Procedures are used. This option determines which field value is returned (based on user permissions) from the DB2 Field Procedure to the application on a read operation. The user's permissions to the field are determined by the authorization lists specified on the AUTLDEC and AUTLMASK parameters on the Field Encryption Registry entry. The FLDPROCOPT option was added to the ADDFLDENC, CHGFLDENC and DSPFLDENC commands.
Valid options for FLDPROCOPT are:
*FULL = Returns the fully decrypted value if the user has at least *USE rights to the authorization list specified on the AUTLDEC parameter (or if *NONE is specified on that parameter). Otherwise an error with the message id of CPF504D will be generated in the application performing the read. The *FULL option is available for *CHAR, *DEC, *DATE, *TIME and
*TIMESTAMP data types.
*AUTH = For character (*CHAR) fields, this option returns either: 1) the full value if the user has at least
*USE rights to the authorization list specified onthe AUTLDEC parameter (or if *NONE is specified on that parameter) or 2) the masked value if the user has at least *USE rights to the authorization list specified on the AUTLMASK parameter (or if *NONE is specified on that parameter) or 3) blanks if the user does not have at least *USE rights to either authorization list.
For decimal/numeric (*DEC) fields, this option returns the full value if the user has at least *USE rights to the Authorization List specified on the AUTLDEC parameter (or if *NONE is specified on that parameter). Otherwise (if not authorized) zeros are returned.
The *AUTH option is not valid for *DATE, *TIME and *TIMESTAMP data types.
- Added the option LSTINDSTG to the field registry, which allows an authorized user to specify the object type to store the 'last index number used'. This option is available when storing the encrypted values in an external file, which uses index numbers for sequencing. Each time a record is written (inserted) to the external file, the ?last index number used? is retrieved from the object, increased by 1, assigned to the new record and saved back to the object. Valid options are:
*FLDREG = Store the last index number used in the field registry object, which is a validation list (*VLDL) with the name of CRVL002. This is the default option. *PF = Store the last index number in a physical file with the name of CRPF002. A physical file may be easier to replicate (than a *VLDL) with a High Availability tool. A physical file will also provide better performance (than a *VLDL) when a high volume of inserts occurs for the field, due to the file's ability to handle locks more efficiently.
- Added the option of AUTLCACHE to the field registry, which allows you to specify if the permissions for authorization lists are 'cached' in memory. Valid values are:
- Enhanced the HTTP_GetConnection procedure to not reconnect if the connection has already been made and the parameters have not changed. This will ensure better performance for remote applications for a tokenized environment.
- Changed messages CRE0387, CRE0393 and CRE0497 to include the field lengths found in the file.
- Write an error message (CRE0380) to the job log if the license key for Crypto Complete is expired.
*YES = Caching will occur. When a field decrypt operation is performed, the permissions for the authorization lists will be saved (in memory) and used in future authority checks [for decrypt operations] within the job. This caching option provides the best performance. Please note: In order to recognize any permission changes to the authorization lists, the jobs [that are performing decrypt operations] will need to be restarted.
*NO = Caching will not occur. The permissions to the authorization lists will be checked each time a decrypt operation is performed. This option is useful when you want changes to the authorization lists to be immediately recognized by jobs that are performing decrypt operations, or if you want to take advantage of program adopted authority when determining permissions to an authorization list. The AUTLCACHE parameter was added to the ADDFLDENC, CHGFLDENC, DSPFLDENC and CHGFLDAUTL commands.
Fixes
- Corrected the message logged to the audit journal when changing the SYSLOG facility or severity on an alert entry. It now logs the text values for the facility and severity [instead of the underlying numeric values].
- Fixed an issue when using CBC mode for a field in the Registry which stored the encrypted values in an external file. The Init Vector was inadvertently changed when encrypting new values, which would cause the values to get various Init Vectors.
- Fixed the DECRSTOBJ (Decrypt Restore Object) command when using options VOL(*MOUNTED) and SEQNBR(*SEARCH) to not return the message Volume '*NONE ' is not correct.
- When building the trigger names for a field in the registry, use an underscore to replace any period that may be in the file or field name.
- Fixed the HTTP_GetFldTkn procedure to be able to work with encrypted values that contain single quotes.
- Fixed the SYSLOG send program so it would work even if observability was removed.
Version 2.22 (03/17/2010)
Enhancements
- Added a new procedure named PtgEnc to encrypt data in a format that is compatible with Protegrity cryptographic functions. This procedure is contained in service program CRSP512. See the programmer's guide for more details.
- Added a new procedure named PtgDec to decrypt data from a Protegrity format. This procedure is contained in service program CRSP512. See the programmer's guide for more details.
- Added a log entry [to the audit journal file] from the trigger encryption program when a field registry entry is not found.
- Send a message to the job log when unable to write to the journal.
- On the CRTSYMKEY, increased the size of the SALT field from 16 to 32 characters when creating the key using the *MANUAL option.
Fixes
- When creating a Data Encryption key with GENOPT(*PASS) and ASCII(*YES), the character @ was being ignored. When the key was generated, blanks were trimmed out of the key.
- Changed the IMPPTGKEY to use the Key Algorithm from the Key Encrytion Key when decrypting the keys to import.
- Changed the IMPPTGKEY to use the Algorithm '*TDES' when the value of '3DES' is passed by Protegrity.
- Changed the EncAdv3 and EncAdv4 procedures to pad correctly when using *TDES and numeric padding.
- Change the DecAdv3 and DecAdv4 procedures to remove the padding correctly when using *TDES and numeric padding.
Version 2.21 (02/12/2010)
- When deactivating a variable-length field in the field encryption registry, and if the encrypted values are externally stored, fix an issue with the external index out of bounds error.
- Fixed functions F_GetEncFldChr, F_GetEncFldMaskChr, F_GetEncFldAuthChr and F_UpdEncFldChr to not generate an "out of bounds" error when the external index is stored in a variable-length field.
- Improved the performance of the HTTP_GetEncFld, HTTP_GetEncFldMask, and HTTP_GetEncFldAuth procedures.
- Was not sending out an alert when using the audit category of *ALL and no other alerts existed.
January 2010
Version 2.20 (1/28/2010)
Enhancements
- Added a new option to the DEKRTVVAL (DEK values can be retrieved) parameter on the Key Policy to allow the export of a Data Encryption Key (DEK) only if the DEK is encrypted with a Key Encryption Key (KEK). This new option is named *KEK. This allows organizations to securely export and transport DEKs to other systems.
- On the EXPSYMKEY command, added the ability to export a Data Encryption Key (DEK) and encrypt it with a Key Encryption Key (KEK). When encrypting the DEK, the mode used is CBC with no padding. This export is allowed if the global policy setting of DEKRTVVAL (DEK values can be retrieved) is set to *KEK or *YES.
- On the CRTSYMKEY command, added the ability to manually create a Data Encryption Key (DEK) that is encrypted with a Key Encryption Key (KEK) when GENOPT(*MANUAL) is specified.
- When adding an alert with the ADDCCALR command, allow the user to specify the category of *ALL. This will capture all monitored admin events in Crypto Complete including key policy changes, key management activities, authority errors, etc.
- When adding an alert with the ADDCCALR command, allow the user to specify the action of *PTGLOG, which will send the audit messages to a Protegrity Log Server. When setting up the alert, the user will need to specify the host, port number and the client application (if using SSL).
- When adding an alert with the ADDCCALR command, allow the user to specify the action of *SYSLOG, which will send the audit messages to a SYSLOG Server using RFC standards. When setting up the alert, the user will need to specify the host, source port, destination port, log facility and log severity.
- When adding a field to the field encryption registry, allow specifying *REMOTE for the DBFLD field parameter. This allows encrypting and storing values from other systems for support of tokenization. When *REMOTE option is specified, then the values must be stored externally with the STREXTFILE(*YES) option.
- Added new HTTP services, primarily to support tokenization. This allows remote systems to access Crypto Complete functions over HTTP/s to store and retrieve data. Read the new HTTP guide for more details.
Fixes
- When activating a field in the registry, and if unable to add triggers to the file, then change the status of the field entry to *ERROR and do not remove the external file.
- On the CRTSYMKEY command with GENOPT(*MANUAL), ensure that the length of the key entered matches the required length for the encryption algorithm. For instance, AES256 requires that the key is exactly 32 bytes in length.
- On the ACTMLTSBM (Activate Field Multi Submit) command:
- Get an exclusive lock on the database file before attempting to activate the field.
- Allow running it over a an empty database file.
- Allow running it when there are less records in the file than the number of JOBS selected. If that is the case, then use just one job to encrypt the records.
- On the DCTFLDENC (Deactivate Field Encrypt) command, get an exclusive lock on the external file before attempting to deactivate the field.
- When updating or deleting a field in an external file, indicate the index# within the error messages when the record cannot be found.
- When using the GetEncFld, GetEncFldMask or GetEncFldAuth procedures, indicate the index# within the error message when the record cannot be found.
Version 2.10 (10/29/2009)
Enhancements
- Created new encryption save/restore commands which are up to 2 times faster than previous commands. The new commands are:
- ENCSAVOBJ (Encrypt/Save Object) - replaces ENCOBJ
- DECRSTOBJ (Decrypt/Restore Object) - replaces DECOBJ
- ENCSAVLIB (Encrypt/Save Library) - replaces ENCLIB
- DECRSTLIB (Decrypt/Restore Library) - replaces DECLIB The encrypted libraries/objects can be targeted to the IFS or a tape device. The user can specify either a password or a key for the encryption process. Please note that the new save/restore commands (ENCSAV*, DECRST*) are not compatible with the older save/restore (ENCOBJ, DECOBJ, ENCLIB, DECLIB) commands.
- Doubled the speed of the ACTFLDENC (Activate Field Encryption) command when performing a mass encryption of fields that are 100 bytes or less. This will minimize the downtime on the database file during the activate process.
- Doubled the speed of the DCTTFLDENC (Deactivate Field Encryption) command when performing a mass decryption of fields that are 100 bytes or less. This will minimize the downtime on the database file during the deactivate process.
- Change the maximum field size that can be encrypted from 31744 to 32766 bytes.
- Increased the speed of the ACTMLTSBM command by breaking up the file records into even counts.
- Changed the ACTMLTSBM command to start the external index at 1 (and incrementing sequentially) instead of using the RRN of the record.
Fixes
- Change the maximum field size (for the encrypted value) from 1971 to 32624 bytes when using an external file and storing both the last retrieved information and the hash value.
- When returning the masked value for a numeric field, include the negative sign on the right side if the value is negative and occupies the entire field length.
- Fixed SQL functions F_GetEncFldChr, F_GetEncFldMaskChr and F_GetEncFldAuthChr to return an error when an invalid Field Identifier is specified.
- When a new Key Store is created, log the journal entry with the audit type of 08 (not 06).
- When deactivating a field using an external file and validating the keys used for decryption, place double quotes around the external library/file names. This allows for using library/file names that contain special characters, such as a period.
July 2009
Version 2.00 (7/13/2009)
Enhancements
- Created a new command called TRNFLDKEYI which can be used to easily translate (rotate) the keys used to encrypt the field values that are stored in the existing database file (internal storage). This command will read all the records in the file and will decrypt each field value with the old key and reencrypt the value with the new key specified.
Fixes
- When copying a field entry in the Field Registry to another library, the new external logical library value was not being updated correctly in the Field Registry.
- When copying a field in the field registry, do not show an error when the physical file does not exist in the TO Library and when the TOFLDSTS parameter is set to *INACTIVE.
- Fixed the date and time validations in the PRTAUDLOG (Print Audit Log) command.
- Corrected the OVRTAPF and OVRDBF parameters for reading and writing to Tape and Save files for the ENCFIL, DECFIL, ENCOBJ, DECOBJ, ENCLIB, DECLIB, ENCSAVF and DECSAVF commands.
- Added validation to the TRNFLDKEY (Translate Field Keys) command to ensure the field identifier is in an *ACTIVE status.
- Added validation to the CHGFLDKEY (Change Field Keys) command to ensure that the Key encryption algorithms match the field identifier's encryption algorithm.
Version 1.61 (6/16/2009)
- Within the Advanced encryption/decryption APIs (EncAdv3, EncAdv4, DecAdv3, DecAdv4), allow specifying the pad option of '2' when using the AES Algorithm, which will pad the value using a padding number. See the Programmer's Guide for more details.
- Added a pre-check to ACTFLDENC (Activate Field Encryption) to verify the key can be used for encryption and that the user is authorized to encrypt with that key. This validation will run before any values are encrypted.
- Added a pre-check to DCTFLDENC (Deactivate Field Encryption), when the values are stored in an external file, to verify all related keys can be used for decryption and that the user has authority to those keys. This validation will run before any values are decrypted.
Version 1.60 (6/8/2009)
Enhancements
- When adding/changing a field in the Field Encryption Registry, you can specify *CUSP mode for the AES algorithm. CUSP mode produces an encrypted value that is the same length as the input (plain text) value. This allows you to encrypt alpha fields of any length and store the encrypted values within the existing field.
- When adding/changing a field in the Field Encryption Registry, you can specify an Initialization Vector (IV) for *CBC and *CUSP modes. The IV serves as an additional input to the AES encryption algorithm to produce different output (encrypted) values. This is an additional security mechanism.
Fixes
- When adding/changing a field in the Field Encryption Registry, verify the field mask value is not longer than the specified field length.
- Changed EncAdv3, EncAdv4, DecAdv3 and DecAdv4 to use a default block length of 32 (versus 16) when the AES algorithm and CUSP mode is specified and no block length is provided by the programmer.
Version 1.59 (6/3/2009)
- The FNDDBFLD (Find Database Fields) command now bypasses non-readable files in the search.
Version 1.58 (5/19/2009)
- Allow activating a field in the registry that is stored in a multi-member file. This is allowed only if the encrypted values are stored in the existing field.
Version 1.57 (5/11/2009)
Enhancements
- Produce a warning message if adding a field in the registry with an entered length that is shorter than the actual database field length.
- When decrypting a field's masked value using a key that requires logging, then indicate in the audit log that only the masked value was retrieved. In the prior version, you could not tell if the full or masked value was decrypted.
- Added new command WRKCCALR, which allows authorized users to set up and maintain Security Alert settings. Security Alerts can be configured to send immediate notifications when security-related changes or authority errors occur in Crypto Complete. Security Alerts can be sent when any changes are performed on the Key Policy settings, Key Officer settings, Master Encryption Keys, Data Encryption Keys, Field Encryption Registry entries and Alert settings. Alerts can also be sent when authority errors occur in Crypto Complete, such as when an unauthorized user attempts to access a Key Store. Alerts can be sent to email addresses, QSYSOPR, QHST log, message queues and QAUDJRN. Alerts can also be added, changed, displayed and deleted with the new commands of ADDCCALR, CHGCCALR, DSPCCALR and DLTCCALR.
- Added new audit types for journal entries that will be created in the CRJN001 journal:
* 34 Unable to send Security Alert
* 35 Security Alert added (ADDCCALR)
* 36 Security Alert changed (CHGCCALR)
* 37 Security Alert deleted (DLTCCALR)
- For the Advanced encryption/decryption APIs (EncAdv3, EncAdv4, DecAdv3, DecAdv4), added a new mode of '6' to allow the programmer to specify CUSP mode. With CUSP mode, the output cipher text will be the same length as the input plaintext. When using CUSP mode, it is also important to supply a unique Initialization Vector to provide the best protection.
- Added a new flag to the Key Officers to indicate if the Officer is allowed to maintain the Key Policy and Alerts. The name of the flag is MNTPCYALR. Added this flag to the commands of WRKKEYOFR, DDKEYOFR, CHGKEYOFR and DSPKEYOFR.
- Added a new parameter to the ADDFLDENC (Add Field Encryption) and CHGFLDENC (Change Field Encryption) commands to allow specifying the Authorization List (AUTLDEC) to use by the field decryption APIs when decrypting the full values for the field.
- Added a new parameter to the ADDFLDENC (Add Field Encryption) and CHGFLDENC (Change Field Encryption) commands. This parameter specifies which Authorization List (AUTLMASK) is used by the field decryption APIs when accessing the masked values for the field. Added new command CHGFLDAUTL (Change Field Authorization Lists) to allow changing the Authorization Lists for the AUTLDEC and AUTLMASK parameters. Added to menu CRYPTO4.
- Added new ILE procedure DecFldAuth in service program CRSP505 to retrieve either 1) the fully decrypted value for the field, 2) the masked value for the field, or 3) a blank value. The user's authority to the field is determined by checking the Authority Lists indicated on the field?s AUTLDEC and AUTLMASK settings that are specified in the Field Encryption Registry. This API can be used when the encrypted values are stored in the existing file. The corresponding program API is CRRP638. SQL function is F_DecFldAuth. Stored procedure is P_DecFldAuth.
- Added new ILE procedure GetEncFldAuth in service program CRSP505 to retrieve either 1) the fully decrypted value for the field, 2) the masked value for the field, or 3) a blank value. The user's authority to the field is determined by checking the Authority Lists indicated on the field?s AUTLDEC and AUTLMASK settings that are specified in the Field Encryption Registry. This API can be used when the encrypted values are stored in an external file. The corresponding program API is CRRP637. SQL functions are F_GetEncFldAuth and F_GetEncFldAuthChr. Stored procedure is P_GetEncFldAuth.
- Added new ILE procedure DecFldMask in service program CRSP505 to allow a programmer to retrieve the masked value. This can be used when the encrypted value is stored in the existing database field. The DecFldMask has the same functionality as the existing DecFld2 procedure, but now has a more descriptive name.
- Added new SQL function F_DecFldMask and Stored Procedure P_DecFldMask that allows the retrieval of the masked value for a field. These can be used when the encrypted values are stored in the existing file.
- Added new ILE procedure GetEncFldMask in service program CRSP505 to allow a programmer to retrieve the masked value. This is used when the encrypted value is stored in a separate external file. The GetEncFldMask has the same functionality as the existing GenEncFld2 procedure, however it retains the leading zeros when returning the masked value for numeric data.
- Added new SQL functions F_GetEncFldMask and F_GetEncFldMaskChr, as well as Stored Procedure P_GetEncFldMask, which allows the retrieval of the masked value for a field. These can be used when the encrypted values are stored in a separate external file.
- Added new program API CRRP640 to retrieve the masked value. This can be used when the encrypted value is stored in a separate external file. CRRP640 has the same functionality as the existing CRRP624 program, however it retains the leading zeros when returning the masked value for numeric data.
- Added a new program API called CRRP639 to retrieve the masked value. This can be used when the encrypted value is stored in the existing field. CRRP639 has the same functionality as the existing CRRP623 program.
- ILE procedures DecFldMask, DecFld2, GetEncFldMask and GenEncFld2 were enhanced to check the user's permission to the Authorization List specified on the field's AUTLMASK parameter. Also placed same behavior in SQL functions F_DecFldMask, F_DecFldMaskChr, F_GetEncFldMask and F_GetEncFld2. Also added this behavior to program APIs CRRP640, CRRP624, CRRP639 and CRRP623. If not authorized, a message is returned on the API and a journal entry will be written to the audit file.
- Added new parameters to EncAdv3 and EncAdv4 procedures to allow the programmer to specify the OutputType (*EBCDIC, *ASCII) and the OutputFmt (*CHAR, *HEX, *BASE64). The main benefit of these new parameters allows you to share of encrypted data with non-System i platforms. Performed the same changes to their corresponding program APIs of CRRP633 and CRRP635.
- Added new parameters to DeccAdv3 and DeccAdv4 procedures to allow the programmer to specify the InputType (*EBCDIC, *ASCII) and the InputFmt (*CHAR, *HEX, *BASE64). The main benefit of these new parameters allows you to decrypt data that was encrypted on a non-System i platform. Performed the same changes to their corresponding program APIs of CRRP634 and CRRP636.
- Depricated program APIs CRRP629 and CRRP630. Depricated SQL functions F_EncAES3 and F_DecAES3. Depricated Stored procedures P_EncAES3 and P_EncAES3.
- Created SQL Functions F_EncAdv and F_DecAdv to be able to encrypt/decrypt data with advanced features. Corresponding stored procedures are P_EncAdv and P_DecAdv.
- Enhanced the DECFIL (Decrypt File) command to allow the user to decrypt multiple stream files on the IFS using wildcard criteria.
Fixes
- On the ENCFIL command, if *DEFAULT is specified as the Key Store, then it stores the actual Key Store name in the header of the data being encrypted. This will ensure that the DECFIL command can locate the appropriate Key Store if the default is no longer specified or changed.
- On the ENCFIL and DECFIL commands, only allow a log comment to be specified if a *KEY is indicated. Do NOT allow for a *PASSword.
- Move the edit check for multi-member files from the ADDFLDENC and CHGFLDENC commands to the ACTFLDENC (activate) and DCTFLDENC (deactivate) commands.
- Changed the ENCFIL command to store the file's byte count in the header of the encrypted file. Changed the DECFIL command to decrypt the file using this byte count in order to preserve the original length in the decrypted file. This ensures that binary IFS files (PDFs, Excel, etc.) can be opened properly after they are decrypted.
- On the advanced encryption APIs with the AES algorithm, make sure the block length parameter is either 0, 16, 24 or 32.
- When a user specifies encryption and decryption keys on the ADDFLDENC and CHGFLDKEY commands, verify that the key values match.
- When performing mass encryption with the ACTFLDENC command, do not error out if the length of data is longer than the field length entered in the field registry. Instead, clear out any remaining bytes in the field. For instance, if the field length entered in the registry is 16, but the field length in the database is actually 20, then it will clear out the remaining 4 bytes in the field.
Version 1.56 (2/18/2009)
Enhancements
- Added a new command named PRTAUDLOG which allows authorized users to print any audit log entries generated by Crypto Complete. The PRTAUDLOG command provides selection criteria of from/to dates and times, user id and audit types. A formatted report will be generated with the audit details. For each detail record printed, it will include the audit date, time, user, job name, job number, audit type and message.
- Added a new command named FNDDBFLD which allows authorized users to find database files that contain fields that may require encryption. This is especially useful for finding sensitive fields such as credit card numbers and social security numbers. With the FNDDBFLD command, you can search for fields that meet your criteria, such as a type of field, a certain field length and a range of field values. A formatted report will be generated with details of any files/fields found that meet the selection criteria.
- Add a new command IMPPTGKEYS which allows authorized users to import keys from Protegrity's Enterprise Security Administrator. See www.Protegrity.com for more details on their enterprise key management solution.
- Added a new parameter option of KEYVALFMT(*BASE64) to the CRTSYMKEY (Create Symmetric Key) command, which allows authorized users to import keys into a Crypto Complete Key Store that are in *BASE64 format. This provides more flexibility for importing keys that were generated in other key management solutions.
- In the CRTSYMKEY (Create Symmetric Key) command, allow the user to specify an iteration count up to 50,000 when generating a key using the GENOPT(*PASS) option. Uses the algorithm specified in RFC2898.
- In the CRTSYMKEY (Create Symmetric Key) command, allow the user to specify a passphrase and salt in ASCII format using the ASCII(*YES) option. This is Valid when generating a key using the GENOPT(*PASS) option.
- Generate an audit log entry when a user attempts to access a Key Store that does not exist.
- Add a new command VFYCRVL001 which allows a user to check the validity of the CRVL001 validation list, which holds the key policies, key officers and master keys.
- Added a new procedure named VfyCRVL001 in service program CRSP509 to allow a programmer to check the validity of the CRVL001 validation list, which holds the key policies, key officers and master keys. Corresponding program API is CRRP632.
- Added a new procedure named GetFldAttr in service program CRSP505 to allow a programmer to retrieve the attributes for a field registry entry. Corresponding program API is CRRP631.
- Enhanced the ENCFIL (Encrypt File) command to allow the user to encrypt multiple stream files on the IFS using wildcard criteria.
- Changed the ADDFLDENC (Add Field Encryption Registry Entry) command to allow the user to specify a logical file name. This will allow a user to encrypt only the records that are selected in that logical file. When using a logical file name, triggers are not allowed for auto-encryption.
Fixes
- When using the Field Encryption Registry to set up fields to encrypt, then use the proper algorithm if AES128 or AES192 is specified. Also use the proper mode when CBC mode is specified for AES or TDES algorithms, and use the proper key value if TDES algorithm is specified. The old behaviors will be preserved for fields that are currently activated in the registry. However, the new behavior will be used for any future activations of fields (including when a field is deactivated and reactivated).
- Fixed a problem with the F_GetEncFldChr (Get Encrypted Field) procedure, in which it was not returning the decrypted value if certain conditions were met. This would only affect a customer if the encrypted values were stored in an external file, and if the index number was stored (aligned) on the right side of the field, and if the length of the field was greater than 34 characters.
- Fixed a problem in the SQL update trigger, in which it was not properly updating a field value if certain conditions were met. This would only affect a customer if the encrypted values were stored in an external file, and if the index number was stored (aligned) on the right side of the field, and if the length of the field was greater than 13 characters.
- Changed the DSPKEYSTR (Display Key Store) command to show the proper error message if the MEK version is not found.
- When adding SQL triggers to a file for automated encryption, place double quotes around the library and file names. This allows for adding triggers to library/file names that contain special characters, such as a period.
- When launching the SETMSTKEY command from the CRYPTO2 menu, qualify it with the library name of CRYPTO. This ensures that the user does not inadvertently run IBM's SETMSTKEY command that was introduced in V6R1.
- Added validation to the ENCFIL (Encrypt File) command to verify the from physical file member exists when FROMTYPE is *PF and the member name is entered.
- Added validation to the DECFIL (Decrypt File) command to verify the from physical file member exists when FROMTYPE is *PF and the member name is entered.
- Deprecated procedures EncAdv1, EncAdv2, DecAdv1, DecAdv2 in CRSP505 and replaced with procedures EncAdv3, EncAdv4, DecAdv3, DecAdv4 in CRSP510. These were fixed to use the proper algorithm if AES128 or AES192 is specified. Also fixed to use the proper mode when CBC mode is specified for AES or TDES algorithms, and fixed to use the proper key value if TDES algorithm is specified.
- Deprecated programs CRRP610, CRRP611, CRRP612, CRRP613 and replaced with programs CRRP633, CRRP634, CRRP635, CRRP636. These were fixed to use the proper algorithm if AES128 or AES192 is specified. Also fixed to use the proper mode when CBC mode is specified for AES or TDES algorithms, and fixed to use the proper key value if TDES algorithm is specified.
Version 1.55 (06/17/2008)
Enhancements
- Increased the speed of the ACTFLDENC (Activate Field Encryption) command when performing a mass encryption of field values that will be stored in an external file. It can now encrypt up to 40% more records in the same amount of time. This will minimize the downtime on the database file during the activate process.
- Increased the speed of the ACTFLDENC (Activate Field Encryption) command when performing a mass encryption of field values that will be stored in the existing customer's file. It can now encrypt up to 54% more records in the same amount of time. This will minimize the downtime on the database file during the activate process.
- Improved the performance of encryption (which use external files to store the encrypted values) by keeping the data path to the external file open between operations.
- Increased the speed of the "Insert" SQL Triggers to be 2 times faster. This will decrease CPU usage for applications that write records to a file containing fields that are automatically encrypted by Crypto Complete.
- Increased the speed of the "Update" SQL Triggers to be 3 times faster. This will decrease CPU usage for applications that update records in a file containing fields that are automatically encrypted by Crypto Complete.
- Increased the speed of the "Delete" SQL Triggers to be 6 times faster. This will decrease CPU usage for applications that delete records in a file containing fields that are automatically encrypted by Crypto Complete.
- Added ability to use commitment control on an external physical file which stores the encrypted values.
- Added ability to activate (mass encrypt) a field using multiple jobs, which is especially useful when the file contains millions of records. Since this option requires some custom programming, please consult with Linoma Software if you would like to explore this feature.
- Created new SQL functions called F_ENCAES3 and F_DECAES3 which can be used to encrypt and decrypt strings of data using the AES algorithm and a key label. These functions can be called from within SQL statements. These functions include format options of *HEX and *BASE64 to allow the cipher text to be changed into a format that other platforms can work with.
- Created new SQL stored procedures of P_ENCAES3 and P_DECAES3 which can be used to encrypt and decrypt strings of data using the AES algorithm and a key label. These stored procedures can be called using the SQL CALL statement. These procedures include format options of *HEX and *BASE64 to allow the cipher text to be changed into a format that other platforms can work with.
- Added program CRRP629 to allow a programmer to encrypt a string using AES256 encryption and specify an output (cipher) format of *HEX, *BASE64 or *CHAR.
- Added program CRRP630 to allow a programmer to encrypt a string using AES256 encryption and specify an input (cipher) format of *HEX, *BASE64 or *CHAR.
Fixes
- Added validation to the CPYFLDENC (Copy Field Encryption Entry) command to not allow the copy of a field with a status of *ERROR or *PROCESS.
- Add validation to the CPYFLDENC (Copy Field Encryption Entry) command to not allow the copy of a field when its status is *ACTIVE and the file does not exist in the TO library.
- Added ability to use the default key store when using the EncAdv2 and DecAdv2 procedures.
- Changed the command ENCFIL parameter of EXPDATE to allow values other then *PERM.
- When exporting a key with the EXPSYMKEY command, users can specify *BASE64 format.
- Fixed issue with decrypting data that was backed up using Transfer Anywhere's SAVOBJENC, SAVLIBENC, and SAVSAVFENC commands with *AES128 and *AES192 algorithms.
June 2008
Version 1.54 (06/02/2008)
Enhancements
- Added a new parameter to the ACTFLDENC (Activate Field Encryption) command to allow the user to specify if their database file should be saved (to a Save File) before the field is activated (mass encrypted).
- Added a new parameter to the DCTFLDENC (Deactivate Field Encryption) command to allow the user to specify if their database file should be saved (to a Save File) before the field is deactivated (mass decrypted).
- When performing an backup of an object into a Save File during internal Crypto Complete processes, use the parameter of TGTRLS(*CURRENT) on the SAVOBJ command.
- If the user chooses to use trigger exit programs on their fields, then perform an edit to make sure all fields in a database file are using the same exit program (when activated).
- When performing authorization checks for Crypto Complete functions, utilize the "Current User Profile" for the job (not the originating "Job User Profile"). This is useful when user profiles are swapped out within a job, such as through ODBC or JDBC connections.
- Created new ILE procedures called GetFirstFldKeyInf and GetNextFldKeyInf in service program CRSP505. These ILE procedures will return the encryption/decryption Key Labels and Key Store names for the specified Field Identifier.
- Created new program APIs called CRRP627 and CRRP628, which will return the encryption/decryption Key Labels and Key Store names for the specified Field Identifier.
- Significantly increased (by 2.5 times) the speed of the mass field encryption process within the ACTFLDENC (Activate Field Encryption) command, when the encrypted values are stored in an external file. This will minimize the downtime on the database file when a customer goes live.
- Significantly increased (also by 2.5 times) the speed of the mass field decryption process within the DCTFLDENC (Deactivate Field Encryption) command, when the encrypted values are stored within an external file.
- When displaying a Master Key's attributes with the DSPMSTKEY (Display Master Key) command, additionally show the "Key Verification Value" of the Master Key.
- When displaying a Key Store's attributes with the DSPKEYSTR (Display Key Store) command, additionally show the "Key Verification Value" of the Master Key in which the Key Store is encrypted under.
- Added a new parameter to the EXPSYMKEY (Export Symmetric Key) command to allow a key to be exported in *BASE64 format. This is in addition to the existing *CHAR and *HEX formats.
Fixes
- When inserting encrypted field values into an external file, do not place "Duplicate Key" CPF5026 messages in the job log when resolving duplicate index numbers.
- On the ENCFIL (Encrypt File) command, allow values other than *END for the SEQNBR parameter.
Version 1.53 (03/22/2008)
Enhancements
- Do not save the CRVL002 validation list (which holds the field encryption registry) during the field activation/deactivation processes. This allows customers on V5R3 (and lower) to activate or deactivate multiple fields in different files at the same time.
Fixes
- Changed the DSPPRDINF (Display Product Information) command to show the correct version number of Crypto Complete by looking for the VERSION data area in the CRYPTO library (versus the *LIBL).
Version 1.52 (03/11/2008)
Enhancements
- When adding a field in the encryption registry with the ADDFLDENC command, allow the user to specify an exit program to call. This is valid when SQL triggers are specified for automatic encryption. When an exit program is specified for a field, the trigger will call this exit program before processing the insert, update or delete. The user-defined exit program can return a code to indicate if the trigger should process the value, ignore the request or produce an error. Also changed CHGFLDENC and DSPFLDENC commands to include the exit program parameters.
- When adding a field in the encryption registry with the ADDFLDENC command, allow the user to specify a padding character (INDEXPAD) and alignment option (INDEXALIGN) for the index number. This is valid for character fields when the encrypted values are stored in an external file. Also changed CHGFLDENC and DSPFLDENC commands to include those parms.
- When activating a field entry in the registry, do not place the entry in an *ERROR status when triggers cannot be created on the file.
- Added a new ILE procedure API which will return the name of the external library and file (which contains the encrypted values) for the Field Id specified. This is allowed if the encrypted values are stored externally. The name of the new procedure is GetExtFilInf, which is contained in the CRSP505 service program. Corresponding program API is CRRP625.
- Added a new ILE procedure API which will convert an index number from a character value into a decimal value. The name of the new procedure is CvtExtIdxDec, which is contained in the CRSP505 service program. Corresponding program API is CRRP626.
- Add audit entry from the trigger encryption program when any unexpected errors are found.
- Perform edit checks in the CHGFLDENC (Change Field Encryption) command before calling the command processing program.
Fixes
- Fixed the CRE0328 error message to show the SQLCODE error.
February 2008
Version 1.51 (2/25/2008)
- Changed the volume parameter (VOL) from type NAME to type CHARACTER on the ENC*** and DEC*** commands. This change allows numeric values to be entered for the volume parameter.
- Changed the volume parameter (VOL) to allow volumes other than *NONE on the ENCFIL and DECFIL commands.
- If a single library is specified with ENDOPT(*UNLOAD) on the ENCLIB command, then unload the tape after the save.
- If a single save file is specified with ENDOPT(*UNLOAD) on the ENCSAVF command, then unload the tape after the save.
- Do not prematurely unload the tape when ENDOPT(*UNLOAD) is specified on the DECLIB, DECOBJ and DECSAVF commands. Wait until all restores are completed.
- Remove single quotes from messages CRE0328 and CRE0377 to allow auditing message to be sent to the journal when adding/removing SQL Triggers.
Enhancements
- When activating a field in the Encryption Registry, do not fail on the creation of the external logical file when the external physical file library is not in the library list.
- Add audit entry in the journal when attempting to encrypt data with a key that is not allowed for encryption purposes.
- Add audit entry in the journal when attempting to decrypt data with a key that is not allowed for decryption purposes.
- Add edit checks when using the ADDFLDENC (Add Field Encryption) or ACTFLDENC (Activate Field Encryption) commands:
- Check that the file has one member.
- Check to make sure that the field length is large enough to hold the external index number (based on the number of records in the file).
Version 1.50 (1/30/2008)
Enhancements
- When activating a field in the Encryption Registry, use the option of *NOLIST when creating the external file to not generate the compile listing.
- When activating or deactivating a field in the Encryption Registry, also store the database field name and library/file name for the audit messages (message ids CRA0037 and CRA0040) that are generated in the journal CRJN001.
- Provide a more descriptive error message when a Symmetric Key in a Key Store cannot be decrypted with a Master Encryption Key. The new message will appear as "Master Key &1 does not match the Master Key on the Key Store."
- When activating a field in the Encryption Registry which uses an external file, increase the initial size of the external file from 10,000,000 records to *NOMAX.
- Created a new command called RMVFLDTRG (Remove Field Triggers) which will remove any triggers that were created by Crypto Complete on the database file for the specified Field Identifier. This command is useful to temporarily remove the triggers when a programmer needs to perform maintenance on the database file, such as adding a new field to the database file.
- Created a new command called ADDFLDTRG (Add Field Triggers) which will recreate the triggers on the database file (which were removed by the RMVFLDTRG command) for the specified Field Identifier.
- Created a new command called CPYFLDENC (Copy Field Encryption Entry) which will copy an entry from one Field Encryption Registry (CRVL002 object) to another. This command is useful if a customer has multiple Field Encryption Registries (to support multiple environments) and needs to replicate the entries between them.
- Created a new command called TRNFLDKEY (Translate Field Key) which will translate (reencrypt) any values which were encrypted under older Keys up to the most current Key for the specified Field Identifier. The TRNFLDKEY command can only be used for fields which use an external file to store the encrypted values.
- Created new SQL functions called F_ENCAES2 and F_DECAES2 which can be used to encrypt and decrypt strings of data using the AES algorithm and a key label. These functions can be called from within SQL statements.
- Created new stored procedures P_ENCAES2 and P_DECAES2 which can be used to encrypt and decrypt strings of data using the AES algorithm and a key label. These stored procedures can be called using the SQL CALL statement.
- Created a new ILE procedure called GetActiveFldId in service program CRSP505. This ILE procedure will return the name of the active Field Identifier (within the Encryption Registry) for the specified database file name, library and field name.
- Created a new program API called CRRP621 which will return the name of the active Field Identifier (within the Encryption Registry) for the specified database file name, library and field name.
- Created a new ILE procedure called GetEncFldKeyInf in service program CRSP505. This ILE procedure will return the current encryption/decryption Key Labels and Key Store names for the specified Field Identifier.
- Created a new program API called CRRP622 which will return the current encryption/decryption Key Labels and Key Store names for the specified Field Identifier.
- When adding a field into the Encryption Registry with the ADDFLDENC command, allow the user to optionally specify a logical file name to be created over the external physical file. This new logical file will be keyed by the Field Identifier (XXFLDID) and the encrypted value (XXVALUE). This is useful if a programmer needs to retrieve (chain out to) a record from an external file using an encrypted value.
- When adding a field in the Encryption Registry with the ADDFLDENC command, allow the user to optionally specify a mask value to apply to the field value when it is decrypted with the new ILE procedures of DecFld2 & GetEncFld2 and new program APIs of CRRP623 & CRRP624. For instance, a specified mask value of '************9999' would only show the last 4 digits of a credit card number.
- Created a new command called CHGFLDMSK (Change Field Mask) which will allow a user to change the mask value for an existing Field Identifier in the Encryption Registry.
- Created a new ILE procedure called DecFld2 in service program CRSP505. This ILE procedure will apply a mask to the decrypted field value which is stored in the customer's database file.
- Created a new program API called CRRP623 which will apply a mask to the decrypted field value which is stored in the customer's database file.
- Created a new ILE procedure called GetEncFld2 in service program CRSP505. This ILE procedure will apply a mask to the decrypted field value which is retrieved from an external file.
- Created a new program API called CRRP624 which will apply a mask to the decrypted field value which is retrieved from an external file.
- Created a new command called ENCFIL (Encrypt File) which can be used to encrypt stream files, physical files and save files using the AES algorithm. The user can specify either a password or a key for the encryption process.
- Created a new command called DECFIL (Decrypt File) which can be used to decrypt stream files, physical files and tape files using the AES algorithm. The user can specify either a password or a key for the decryption process.
- Created a new command called ENCOBJ (Encrypt Object) which can be used to encrypt one or more objects using the AES algorithm. The encrypted objects can be targeted to the IFS or a tape device for encrypted backups. The user can specify either a password or a key for the encryption process.
- Created a new command called DECOBJ (Decrypt Object) which can be used to decrypt one or more objects using the AES algorithm. Either the IFS or a tape device can be the source of the encrypted data. The user can specify a password or a key for the decryption process.
- Created a new command called ENCLIB (Encrypt Library) which can be used to encrypt one or more libraries using the AES algorithm. The encrypted libraries can be targeted to the IFS or a tape device for encrypted backups. The user can specify either a password or a key for the encryption process.
- Created a new command called DECLIB (Decrypt Library) which can be used to decrypt one or more libraries using the AES algorithm. Either the IFS or a tape device can be the source of the encrypted data. The user can specify a password or a key for the decryption process.
- Created a new command called ENCSAVF (Encrypt Save-File) which can be used to encrypt one or more Save Files using the AES algorithm. The encrypted Save Files can be targeted to the IFS or a tape device for encrypted backups. The user can specify either a password or a key for the encryption process.
- Created a new command called DECSAVF (Decrypt Save-File) which can be used to decrypt one or more Save Files using the AES algorithm. Either the IFS or a tape device can be the source of the encrypted data. The user can specify a password or a key for the decryption process.
- Created a new menu called CRYPTO5 for the new file and object encryption commands of ENCFIL, DECFIL, ENCOBJ, DECOBJ, ENCLIB, DECLIB, ENCSAVF and DECSAVF. This new menu is accessible from the main Crypto Complete menu.
- Created a new menu called CRYPTO6 for the RPG source examples. The new menu is accessible from the main Crypto Complete menu.
- Created a new menu called CRYPTO7 for the Field Encryption Key commands of WRKFLDKEY, CHGFLDKEY and TRNFLDKEY. This new menu is accessible from the Field Encryption Menu of CRYPTO4.
- Created a new menu called CRYPTO8 for the Field Encryption Trigger commands of RMVFLDTRG and ADDFLDTRG. This new menu is accessible from the Field Encryption Menu of CRYPTO4.
- Documented how to use the %DEC built-in-function to convert an alphanumeric index number to decimal. Added to Programmers Guide and source examples.
Fixes
- Correctly calculate the hash value when updating an external record which does not store the last retrieved user/time.
- When activating or deactivating a field in the Encryption Registry, do not create duplicate audit log messages (for message ids CRA0037 and CRA0040) in the journal CRJN001.
- If the library name is left blank on the WRKSYMKEY (Work with Symmetric Keys) command, then use *LIBL for the library name.
- When adding a field in the Encryption Registry with the ADDFLDENC command, properly edit-check the trigger names specified.
- When deactivating a field in the Encryption Registry with the DCTACTFLD command; if an external file cannot be deleted, then change the status of the field entry from *PROCESS to *ERROR and deallocate the customer's data base file.
Version 1.21 (10/29/2007)
- In CRRP616, allow decrypting a field value when triggers are specified for the field in the encryption registry.
October 2007
Version 1.20 (10/18/2007)
Enhancements
- When adding/changing/activating a field in the Field Encryption Registry (which has triggers), make sure that the trigger names do not already exist on the file. Also make sure that the Insert, Update and Delete trigger names are unique.
- Make an audit journal entry when the activation or deactivation of a field registry entry fails.
Fixes
- Fix the CHGFLDENC command to show the correct value for the "Trigger name for updates" parameter.
- When activating a field encryption entry, check to see if the same field name is already activated (after allocating the file).
- When generating backup save files (for certain maintenance activities in the product), make sure that when creating the auto-named save file, that the library list is not used to determine if the backup file already exists. Just check the object library.
- When storing encrypted values in an external file, make sure an alpha index number (which utilizes all 13 positions) is correctly parsed for encryption and decryption functions.
- Allow calling the F_DecFld function and the P_DecFld stored procedure from SQL even if the field registry entry has triggers specified.
- Fixed the Field Registry Activation process to resolve the trigger library name of *DBLIB to the database library name. This is when trigger names are overridden by the customer (not *GEN).
- Fixed problem in F_GetEncFld function to properly format the numeric decrypted value.