
When moving Crypto Complete to a new LPAR that uses the same serial number, you do not need to know the passphrases to set the MEK, as this is generated in a way that ties it to the serial number of the system.

When moving to a new system that uses a different serial number, it is very important that you have recorded the passphrases for the current system MEK (Master Encryption Key). If you do not have access to the system you are moving from and you do not know the passphrases for the MEK, your encrypted data will be unrecoverable.

If you have access to the old system and you do not know the passphrases, you can create a new master key and translate all key stores with the new master key, then save the key stores and restore them onto the new system. Then enter the new passphrases to create the Master Key. 

Contact keys@helpsystems.com to request your new license key.

On the Current system:

  1. Prior to backing up your data, verify the keystore Crypto Complete is using is the *CURRENT keystore. Do this with the command DSPKEYSTR (or Go Crypto, menu option 3, then 2 for Display Key Store Attr). If it doesn’t show *CURRENT, you must translate the key store by taking option 3 “Translate Key Store”. See the user guide for information on how to set and translate the key store.
  2. Perform a full system or restricted state backup on your current system. Be sure to save your data files that will be used on the new system, as well as the CRYPTO library and any libraries containing your KEYSTORES and CRVL002 Validation Lists.

Note: You will need a new license key when you move Crypto Complete to a new LPAR and/or serial number.

When moving to a new serial number, if you will not have access to the system after the move, be sure to note the configuration for your Key Policy, Security Alerts, Key Officers, and External Key Managers, in addition to having the passphrase information.

On the New system:

  1. Restore the system backup to your new box.
  2. Enter the new license key for the system. To do so, use menu option 10 for Product Information, then 1 for License setup.

Additional Steps to take on the New system when moving to a new serial number:

If you are moving to a different serial number, you should omit or rename the *VLDL object CRVL001 from the restore. This is typically located in the CRYPTO library but could be in a different location.

Note: CRVL001 contains the system configuration, including the Master Encryption Key. The MEK is encrypted by the PEK (Production Encryption Key) which is generated using some system information like the Serial Number. If a CRVL001 object was encrypted on another box with a different serial number, it will not be usable on the new box.

  1. Create a new CRVL001 object using the command CRTVLDL VLDL(CRYPTO/CRVL001)

  2. Make sure that the new CRVL001 object has the same authority as the one from the old system.

  3. In the Key Policy and Security Menu, take option 1, then option 1 to Change Key Policy (CHGKEYPCY) in order to update the Key Policy to match what was on the old system. 

  4. In the Key Policy and Security Menu, take option 10, Work with Key Officers (WRKKEYOFR) to add the Key officers to match what was on the old system.

  5. On the Key Policy and Security Menu, take option 3, Work with Security Alerts (WRKCCALR), to add the alerts to match what was on the old system.

  6. If using External Key Managers, take option 20, External Key Manager Menu (GO CRYPTO15) from the main menu to add the external key manager entry to match what was on the old system.

  7. In the Master Key Menu, use option 1 to load in the passphrases EXACTLY as they were entered on the production box. They do not need to be entered with the same user profile.

  8. Then set the MEK using option 2 (SETMSTKEY) or the command CRYPTO/SETMSTKEY. After the MEK has been set, use option 3 (DSPMSTKEY) *CURRENT to compare the "Key verification value" of the new MEK with the "Key verification value" of the server you are moving from. If the passphrases were entered correctly, the values will match. Also go into menu 3 “Symmetric Key Menu” and take option 2 “Display Key Store Attr.” for each key store you are using. Make sure the Version is *CURRENT. If it is *NOT FOUND, the key store was encrypted with a different Master Key.
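The key hierarchy behind this procedure (a PEK tied to the serial number protecting the MEK in CRVL001, an MEK rebuilt from the passphrases, key stores encrypted under the MEK) can be modelled in a few lines of Python. This is an added illustration, not HelpSystems code: the KDF, the key-wrap construction, the verification-value formula, the serial numbers and the passphrases are all assumptions chosen to reproduce the behaviour described, not Crypto Complete's actual algorithms.

```python
import hashlib, hmac, os

def derive(label, *parts):
    # Stand-in KDF (assumed): deterministic 256-bit key from text inputs.
    return hashlib.pbkdf2_hmac("sha256", "\x00".join(parts).encode(), label, 50_000)

def kvv(key):
    # Short check value that identifies a key without revealing it (assumed formula).
    return hmac.new(key, b"kvv", hashlib.sha256).hexdigest()[:8].upper()

def wrap(kek, key):
    # Encrypt-then-MAC a 32-byte key under kek (stdlib stand-in for a real key wrap).
    nonce = os.urandom(16)
    pad = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(key, pad))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek, blob):
    # Returns the key, or None when blob was wrapped under a different kek.
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    good = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    pad = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))

def old_system(serial, phrases):
    # What the backup carries: CRVL001 (MEK under PEK), a key store, the recorded KVV.
    mek = derive(b"MEK", *phrases)
    dek = os.urandom(32)  # a data key held in the key store; kept here only for checking
    return {"crvl001": wrap(derive(b"PEK", serial), mek),
            "keystore": wrap(mek, dek), "kvv": kvv(mek), "dek": dek}

def new_system(backup, serial, phrases):
    # Try the restored CRVL001 first, then the MEK rebuilt from re-entered passphrases.
    restored_mek = unwrap(derive(b"PEK", serial), backup["crvl001"])
    mek = derive(b"MEK", *phrases)
    return {"crvl001_usable": restored_mek is not None,
            "kvv_match": kvv(mek) == backup["kvv"],
            "keystore_ok": unwrap(mek, backup["keystore"]) == backup["dek"]}

PHRASES = ["Blue-Heron 41", "copper LANTERN", "seven.Rivers"]  # constructed sample values
backup = old_system("SN-OLD-0001", PHRASES)                    # constructed serial numbers
same = new_system(backup, "SN-OLD-0001", PHRASES)    # same serial: CRVL001 still opens
moved = new_system(backup, "SN-NEW-0002", PHRASES)   # new serial: CRVL001 must be recreated
typo = new_system(backup, "SN-NEW-0002", ["blue-heron 41"] + PHRASES[1:])  # case error
```

In the `moved` case the restored CRVL001 is unusable but the re-entered passphrases reproduce the MEK, so the verification values match and the key store opens; in the `typo` case a single case difference changes the MEK and every check fails.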

Troubleshooting tips:

| Concern | Solution |
|---|---|
| Key verification values do not match | Go back and re-enter the passphrases carefully. These are case sensitive. |
| SETMSTKEY command shows no passphrases entered | Try CRYPTO/SETMSTKEY (may help on older Crypto versions on a newer OS, as IBM has added a SETMSTKEY command). |
| Want to verify the passphrases are entered correctly on the new system | Use option 3 (DSPMSTKEY) from the Master Encryption Key menu to compare the "Key verification value" of the new MEK with that of the server you are moving from. |
| Want to verify both systems are using the *CURRENT MEK | Take option 2 from the Symmetric Encryption Key Menu to Display Key Store Attr (DSPKEYSTR) on each system. If the key stores show *NOTFOUND, the encryption and decryption process will not work. |
| Note to IFS Encryption Users | Follow the instructions in the IFS user guide for moving to a new system. |
| Note to Field Encryption Registry Users | Restore the CRVL002 *VLDL object from your backup media. If you have not moved it, it will be restored with the CRYPTO library. |
| Note to Field Encryption Registry Users: if using external files to store encrypted database field values (instead of field procs), and the ‘last index numbers used’ are stored in the physical file [LSTINDSTG(*PF) on the registry] | Restore the file CRPF002 from your backup media. If you have not changed the location, this will have been restored with the CRYPTO library. |



Last Modified On: October 31, 2018