Powertech Encryption’s backup encryption commands can be integrated within IBM’s BRMS environment to encrypt designated user libraries. Follow the steps outlined in this document to:

  • Omit libraries (to be encrypted) from the BRMS *ALLUSR library list.
  • Create a new BRMS backup control group (based on a copy of your current control group) to include Powertech Encryption’s ENCSAVLIB (Encrypt Save Library) command for encrypting libraries which were omitted from step 1.
  • Disable the old control group.
  • Run and test the new control group.

Step 1: Removing libraries from *ALLUSR library list

The first step is for you to identify the libraries which need to be encrypted. You should not need to encrypt IBM libraries or other libraries that do not contain sensitive data. Those libraries can continue to be backed up (without encryption) through normal BRMS save processes.

If you use the *ALLUSR library list in your BRMS control groups, then the libraries which require encryption should be omitted from that library list. Follow the steps below to omit those libraries.

  1. Work with the backup policies by executing the command:

    WRKPCYBRM TYPE(*BKU)

  2. Select option 2 (Work with items to omit from backup) from the menu.
  3. For each library to omit from the *ALLUSR library list (which requires encryption):
    1. Type in option 1 under the “Opt” heading
    2. Type in *ALLUSR under the “Type” heading
    3. Type in the library name under the “Backup item” heading
    4. Press enter.

      Work with Items to Omit from Backup

  4. When done, press F3 to exit the screen.

Step 2: Creating a new BRMS backup control group

After omitting libraries from the *ALLUSR library list, you can now create new control group(s) in BRMS to replace your current control group(s). The new control group(s) will incorporate Powertech Encryption’s ENCSAVLIB command (as an *EXIT item) to encrypt sensitive libraries. Follow the steps below for each control group which you use:

    1. Work with the control groups by executing the command:

      WRKCTLGBRM TYPE(*BKU)

    2. The “Work with Backup Control Groups” screen which will be displayed.
    3. Type option 3 (Copy) next to the existing control group and press enter.

      Work with Backup Control Groups

    4. Type the name of the new control group and press enter.

       Copy Backup Control Group

    5. The new control group appears in the list.
    6. To edit the control group, place option 2 (edit entries) next to it and press enter. A list of entries will be displayed for the control group.
    7. Type in a new sequence number (choose one that is greater than the last sequence number) on the first line and type in the word *EXIT under the heading of “Backup Items”.

      Edit Backup Control Group Entries

    8. The new item will appear in the list.
    9. Position the cursor on the new *EXIT backup item and press F10.
    10. The “User Exit Maintenance” screen appears.
    11. Type the ENCSAVLIB command and press F4 to prompt. Specify the libraries to encrypt. These should be the libraries which were omitted from the *ALLUSR library list. Also specify any additional parameters, such as the key to use for protecting the encrypted data. Example:

      User Exit Maintenance

    12. After specifying the ENCSAVLIB command and parameters, press enter to save the user exit. You will be returned to the “Edit Backup Control Group Entries” screen.
    13. Press F3 to return to the “Work with Backup Control Groups” screen.

Step 3: Removing the old BRMS backup control group from the Schedule

    1. From the “Work with Backup Control Groups” screen, type option 8 (Change attributes) next to the old control groups (the groups which were copied) and press enter.

      Work with Backup Control Groups

    2. Clear out the value next to the “Default weekly activity” parameter and press enter.

      Change Backup Control Group Attributes

Step 4: Running the new Backup Control Group

Listed below is an example of using the STRBKUBRM command to run the backup using the new control group.

STRBKUBRM CTLGRP(ENCRYPTED)

Restoring libraries

If you are planning to use BRMS to perform restores, then BRMS will only restore those libraries which were saved using normal BRMS save commands. The libraries which you saved using Powertech Encryption’s ENCSAVLIB command (as exit points in the control groups) will have to be restored separately using Powertech Encryption’s DECRSTLIB (Decrypt Library) command.

Important - Testing

  • Any time you change your backup processes, it is critical for you to test these processes thoroughly. Listed below is a minimum of things which you should test after making the changes in the BRMS backup:
    • Display the job log after running the backup with the new control group. In this job log:
    • Make sure the libraries you omitted from the *ALLUSR library list (in step 1) are indicated in the job log as being omitted.
    • Make sure you see the ENCSAVLIB command being executed for the libraries you wanted to encrypt.
    • Make sure there are no errors listed.
  • Display the tape and make sure it contains labels for both the non-encrypted and encrypted libraries.
  • Test a restore of some of the non-encrypted libraries using the BRMS restore processes.
  • Test a restore of the encrypted libraries using Powertech Encryption’s DECRSTLIB command.

Still have questions? We can help. Submit a case to Technical Support.

Last Modified On: April 18, 2019