Adventures In IBM i Encryption
September 17, 2018 Tom Woolaway
Are you impacted by the New York Cybersecurity Requirements for Financial Services Companies? If you are a banking, insurance, or brokerage firm that uses a license to operate in New York, these regulations require specific cybersecurity practices be implemented. Section 500.15 Encryption of Nonpublic Information requires encryption at rest of non-public information. Or perhaps you have other reasons to want to encrypt your IBM i drives.
This article focuses on encryption at rest of the disk drives of IBM i systems using 57XX-SS1 Option 45 – Encrypted ASP Enablement, where you end up with an unencrypted system ASP 1 and an encrypted ASP. An ASP is an auxiliary storage pool.
Our IBM partner, Rob Wise at UCG Technologies, installed the encryption feature, removed drives from the system ASP, added drives to the new encrypted ASP, and gave us guidance on the overall process. The rest we handled internally.
WRKDSKSTS shows the storage used in each of your drives. If you will be encrypting a large percentage of the system, you may need to do several rounds of moving drives to the new ASP and moving data to the new ASP. Keep a close eye on this. The percentage used should not exceed 85 percent. You may need to add new drives to the system. Here drives were moved three times – initially to set up the encrypted ASP2, a second time after a large amount of data had been moved from ASP1 to ASP2, and a final time after all encryption had been completed to balance the percent used across the two ASPs.
Encryption: What It Does And Does Not Do
Encryption makes a drive removed from an IBM i system unreadable. Drive encryption basically protects you from someone stealing your drives and trying to read them. You may be much more concerned about hackers or inside threats. Even though you may think the risk of disk theft is very low, if you are impacted by this NY regulation, you have a lot more to put on your to do list!
Anyone with a valid login and permissions to data is still able to use DBU from ProData Computer Services to access encrypted data, or use Access Client Solutions to download encrypted data to unencrypted Excel files, or use any other method that worked before encryption to access encrypted data, except for absconding with your disk drives.
While the threat of drive theft may be small, the effort to encrypt is not.
I strongly recommend you do this process first in a Test LPAR. Since your environment is different, you may run into issues not encountered here. This is one company’s experience with encrypting IBM i drives. It is not meant to be a full plan for all since it has not been tested elsewhere.
What To Encrypt
The first time consuming task is determining what to encrypt. The IBM Q libraries cannot be encrypted – the OS manages the encryption, so they must remain unencrypted. Our IBM partner strongly recommend against encrypting all non-IBM libraries. What to encrypt entails reviewing every library in all your LPARs to determine what libraries contain customer non-public information – information not generally available to the public. In the main production LPAR here, we had over 700 libraries. While we are running on a recent Power7 system at IBM i version 7.3, the application is 20 years old and has been moved to a new system every few years. There was never an incentive to go through and clean up what has accumulated over many years – until now.
RTVDSKINF is a long running process that gathers info on your storage. This should be submitted to batch, to a job queue that will not hold up other jobs. It is best to run when there will be little activity on system. Here is the command:
SBMJOB CMD(RTVDSKINF) JOB(RTVDSKINF) JOBQ(QBATCH2)
PRTDSKINF uses the data collected by RTVDSKINF. Here we ran this a day after RTVDSKINF.
PRTDSKINF *LIB to get the library information report.
- Hold or save the spool file.
- I used Access Client Solutions, Printer Output, to convert the spool file to a PDF saved on network drive.
- With Word, I converted the PDF to Text.
- With Excel, Using Data, Text to Column and made a list of all libraries, then sorted them on size from high to low.
- In Excel, I added columns for “Delete?” and “Encrypt?”
The IT Operations Manager has been here more than 30 years. I met with him several times to review libraries. Could it be deleted? If not, did the library contain non-public information? If so, the library needs to be encrypted. By looking at what files were in a library, or for some, using DBU to look at contents of files, we determined if library needed to be encrypted. Of the 764 libraries in main production LPAR, we came up with 288 that could be saved to tape and deleted. To save and delete these libraries, I made a CL program to do a SAVLIB for each library and another CL to do a DLTLIB for each library. Copying the CL source line for number of libraries needed, and then copying libraries from Excel into CL, one screen at a time saved a lot of typing. Deleting these libraries significantly shortened our full system backups, which greatly pleased the IT Operations Manager.
Journals, PFs, And LFs
The next big hurdles involved journals and physical and logical files (PF and LF).
- A journal, all the objects journaled by it and its receivers must reside in the same ASP.
- All logical files must reside in the same ASP as their physical file.
WRKJRN *all *all, 8 to work with journal attributes, F19 (shift F7) and then 1 Files or 30 All Objects showed us we had a bit of a mess to clean up. Several developers that had come and gone over the years had copied files being journaled to other libraries for testing. This expanded the journal to include these new files. Production libraries had been copied to development and testing environments in the same LPAR. This copied the journals as well.
Using ENDJRN, ENDJRNAP, ENDJRNLIB, ENDJRNOBJ, and ENDJRNPF, I whittled the journals and what they were journaling down to only what the IT operations manager wanted.
If you get errors trying to delete a library with unsaved journal receivers, (for journals that never should have been created), add the message CPA7025 to the system reply list with WRKRPYLE. Then on a SBMJOB command, use INQMSGRPY(*SYSRPYL).
Saving, Deleting, and Restoring To Encrypted ASP
To encrypt a library, you must save it, verify it was all saved, delete it, and restore it to the encrypted ASP. You cannot delete a library if it is in your library list, so either sign on as a user with a minimal library list or RMVLIBLE for any library you need to delete.
For journals that cover objects from multiple libraries, all those libraries must be deleted, before restoring any of them to encrypted ASP. Delete the library containing the journal last. Restore the library containing the journal first.
The restore commands have a RSTASP parameter for ASP #.
RSTLIB F4 to prompt, F9 for all parameters, restore to ASP number RSTASP(2) or whatever # was used to create your encrypted ASP.
You may get some logical file restore errors due to the physical file not existing.
If you are doing this in a Test LPAR that is a copy of a Production LPAR, in Production, open the LF with DBU, shift F2 will show the physical file(s) it is based on. After you have restored the library with the physical file(s), you should go back and restore any logical files that gave restore errors. Continue this process until all the libraries to be encrypted have been saved, deleted, and restored to the encrypted ASP. Depending on your environment you may need to include PVTAUT(*YES) and SPLFDTA(*ALL;*NEW) on your save and restore commands.
System Value Library Lists
With WRKSYSVAL, look at QSYSVAL – the system library list, and QUSRLIBL – the user library list. If any of the libraries listed need to be encrypted, additional steps will be needed.
For QURSLIBL, you need to remove the library from this library list, to remove the object lock by QSYSARB. WRKOBJLCK will likely show a lot of other locks, which prevent deletion of the library. Save the library to a save file (SAVF). ENDSBS SBS(*ALL) DELAY(30) will remove the remaining object locks. Then from the console, delete the library, restore it from the SAVF to ASP2, add it back to the QUSRLIBL system value, and then bring the system up or PWRDWNSYS DELAY(30) RESTART(*YES).
If you have a library that needs encrypted in the QSYSVAL library list, you need to remove it from the library list, and then do an IPL.
The Integrated File System
Do you use IFS, the Integrated File System on IBM i? Here IFS is used for many things: for a 300GB Webdocs scanned document repository with over a half million files, for ACH files before and after being sent to bank with GoAnywhere, for export/import of Accounting related files between IBM i and a Windows Server Accounting system with GoAnywhere and VisualCron, etc.
I made an Excel list of all the IFS folders. With Navigator for i, I checked the properties to these folders to get size and added that to Excel. Added an “Encrypt?” column. Went through each IFS folder to determine if it needed to be encrypted (if it had non-public customer information).
Create IFS On Encrypted ASP
If you created a new ASP, the system must be IPLed before IFS will recognize the new ASP. Create a user defined file system (run only once):
CRTUDFS UDFS('/DEV/QASP02/ASP02.UDFS') DTAAUT(*RWX) OBJAUT(*ALL) CASE(*MONO)
Create the main IFS folder on ASP2 under which all encrypted folders will reside (run only once): MKDIR DIR(‘/IFSASP2’) (use whatever name you like – IFSASP2 was the most meaningful to me). To use the user defined file system, it must be mounted:
MOUNT TYPE(*UDFS) MFS('/DEV/QASP02/ASP02.UDFS') MNTOVRDIR('/IFSASP2')
Repeat these steps for each IFS folder to be encrypted:
CRTSAVF mysavflib/myfolder SAV DEV('/QSYS.LIB/mysavflib.LIB/myfolder.FILE') OBJ(('/myfolder'))
Verify it was saved.
WRKLNK 4 on myfolder, F4, subtree *all (to delete folder)
If readonly attributes prevent deletion, change the attributes with WRKLNK, 13, ATR(*READONLY) VALUE(*NO) SUBTREE(*ALL).
Then retry delete.
MKDIR DIR(‘/IFSASP2/myfolder’) creates the folder under main encrypted IFS folder.
RST DEV(‘/QSYS.LIB/mysavflib.LIB/myfolder.FILE’) OBJ((‘/myfolder’ *INCLUDE ‘/IFSASP2/myfolder’))
The RST command restores the folder to encrypted ASP IFS.
ADDLNK OBJ('/IFSASP2/myfolder') NEWLNK('/myfolder')
The addlnk step creates a symbolic link, so that any programs that were using that folder, will work without changing source code.
With WRKLNK, do an 8 to look at the attributes of the folders you created.
You should see type DIR, ASP 2 on the encrypted ones.
For the ones created with ADDLNK, you should see type SYMLNK, ASP 1.
The mount command needs to be run after each IPL, so it should be added to your startup program.
WRKSYSVAL QSTRUPPGM shows the startup program.
MOUNT TYPE(*UDFS) MFS('/DEV/QASP02/ASP02.UDFS') MNTOVRDIR('/IFSASP2')
The startup program defaults to running under user profile QPGMR, based on JOBD QSTRUPJD. QPGMR does not have authority to the mount and unmount commands.
Add the authority with:
GRTOBJAUT OBJ(MOUNT) OBJTYPE(*CMD) USER(QPGMR) AUT(*USE) GRTOBJAUT OBJ(UNMOUNT) OBJTYPE(*CMD) USER(QPGMR) AUT(*USE)
BRMS – Backups Of Encrypted IFS
To save the encrypted IFS, you must unmount it first.
To end Windows drive mappings to IFS, run ENDTCPSVR SERVER(*NETSVR). Then run UNMOUNT TYPE(*UDFS) MNTOVRDIR(‘/IFSASP2’)
In BRMS Backup Control Groups, I added *EXIT commands to call 2 CL programs: the first one to run the 2 commands above to end Windows drive mappings and unmount; and the other to mount and start netserver for drive mappings with the two commands below.
MOUNT TYPE(*UDFS) MFS('/DEV/QASP02/ASP02.UDFS') MNTOVRDIR('/IFSASP2') STRTCPSVR SERVER(*NETSVR).
If you are doing a full system backup with TCP down, the STRTCPSVR will error if it is run before TCP is up.
WRKJOBSCDE – Scheduled Jobs
You may also want to add the mount command and the start netserver command as a WRKJOBSCDE job with a submit date in 2035 or held. Then an operator can easily do a 10 to submit immediately, without having to look up the proper parameters. If you get errors when anyone tries to use encrypted IFS, it likely needs mounted and/or netserver started for Windows drive mappings.
Review your output queues with WRKOUTQ. Any spool files with reports containing customer non-public information need to be in an encrypted library. The IBM Q libraries such as QUSRSYS and QGPL cannot be encrypted. Create a library for user output queues in ASP2. Add this to your system library list ahead of QUSRSYS with WRKSYSVAL QSYSLIBL. For any output queues that need encrypted, create them in this new library with CRTOUTQ. Use MOVSPLFBRM to move the spool files to new outq. Change all your user profiles so they have an OUTQ setting for an outq in an encrypted library. If you only have a PRINTER setting, that will send to the outq of the same name as the printer in library QUSRSYS which cannot be encrypted. Check the job queues with WRKJOBQ for any scheduled jobs, (which retrieve user outq at time of submission, not run time). You may need to scan your source code for any hard-coded output queues and check application setup areas. Change your start up program to start printer writers from the new encrypted outq. Monitor your unencrypted outqs for spool files that should be encrypted. You may find specific jobs that need a change to source code, job description or user profile, to put output into an encrypted outq.
If you want to clean up your output queues prior to encrypting, look at IBM’s Delete Old Spool Files sample program: http://www-01.ibm.com/support/docview.wss?uid=nas8N1019285
If you use that, change message queue delivery to severity above 80. Otherwise you get a break message for every spool file deleted.
CHGMSGQ MSGQ(*USRPRF) DLVRY(*BREAK) SEV(85) DLTOLDSPLF USRPRFNME(*ALL) OUTQUEUE(QUSRSYS/myoutq) DELETEDATE('12/31/2017')
Alternatively, there is a delete expired spool files command (DLTEXPSPLF), but it only works if you changed the default expiration date before the spool file was created.
Test, Test, Test
Take good notes as you do these processes in your Test LPAR.
Test all your applications after you have completed encryption of libraries and IFS folders.
Make a plan for encryption of Production LPAR. You may need to include time for multiple iterations of disk moves from non-encrypted to encrypted ASP. Availability of the production system, personnel and disk space may dictate the need to break this up into several phases, such as encrypting groupings of libraries based upon journals and PF & LF dependencies, and IFS folders, over several evenings or weekends.
Policy and Education for New Object Creation
For anyone that can create a new library, file, IFS folder, IFS file, or output queue, ensure they are aware of the importance of and process for putting anything that may contain customer non-public information into the encrypted ASP.
NY Cybersecurity Requirement: https://dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf
Tom Woolaway has 20+ years of experience as an admin and programmer on the IBM i and predecessors iSeries, AS400 and System/38. He was a Global IT Director for a total of 16 years for two manufacturing companies until they were bought by larger companies. He led the IT integration of 40 acquired manufacturing companies. Tom has a BS in Computer Science from Penn State. He is currently working in the financial, insurance, annuity sector. Tom can be reached at firstname.lastname@example.org.