Dump & Restore encrypted data between two Parallel Sysplexes
azeemmohammed
We performed a special test where we dumped encrypted data in one of our sysplexes and restored it in a different sysplex. We used the DFSMSdss DUMP command to dump encrypted datasets (sequential format) in our production sysplex (PLEX1) and used DFSMSdss RESTORE to restore them in our test sysplex (PLEX2).
We placed the backup copy of the data on a volume which was accessible from both PLEX1 and PLEX2. However, the content of the backup copy was unreadable since the datasets we dumped were in encrypted format. We ensured that the ID on PLEX2 had proper RACF/ICSF access to the dataset and keylabel so it could perform the restore and access the dataset upon restore. We also had to copy the encrypted data keys from PLEX1 to PLEX2 before restoring the datasets.
Please see the Accessing the Data Key on multiple CKDS’ section below for the procedure we used to copy the data keys from one PLEX to another.
We used the following job to dump the encrypted datasets.
//DUMP EXEC PGM=
//SYSPRINT DD SYSOUT=*
//DISKOUT DD UNIT
//SYSIN DD *
DUMP OUTDDNAME(DISKOUT) TOL(ENQF) OPT(4) COMPRESS -
The following job was used to restore the encrypted datasets.
//DASDIN DD UNIT
//DASDOUT DD UNIT
//SYSIN DD *
RESTORE INDD(DASDIN) OUTDD(DASDOUT) TOL(ENQF) -
Accessing the Data Key on multiple CKDS’
From here on out, we will refer to the data key encrypted under the AES Master Key as the data key.
The data key used in Pervasive Encryption of Data Sets is encrypted under the AES Master Key and stored in the ICSF CKDS data set. Among our sysplexes and even images, we run with multiple CKDS’. So, when we originally encrypted the datasets on PLEX1, we created a data key to be used in the encryption. In order for the data set to be accessed successfully on PLEX2 for the RESTORE, we had to ensure that the data key was available on that image. For the data key to be available to the image on PLEX2, we had to add it to the CKDS being used by that PLEX2 image.
We were able to do this using the ICSF services below because we run with the same AES Master Key across all cards in both our plexes. On the PLEX1 image we originally created the data key on, we used the ICSF callable service, CSNBKRR, and the key label to obtain the encrypted data key. On the PLEX2 image we planned to run the RESTORE on, we used the ICSF callable service, CSNBKRC2, to place the data key in the CKDS. We ran this ICSF service using the encrypted data key output and the key label from the CSNBKRR command issued on the PLEX1 image. This service, CSNBKRC2, places the encrypted data key in the CKDS under the key label specified in the call.
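The CSNBKRR / CSNBKRC2 sequence described above, as a REXX exec calling the two services through ADDRESS LINKPGM. This is an added example, not the job the author ran. The key label is a placeholder, and the EXPORT/IMPORT arguments, the hex hand-off between the plexes and the 64-byte fixed-length token size are assumptions.

```rexx
/* REXX - added example: copy one encrypted data key between two CKDSs   */
/* PLEX1: run with EXPORT        -> prints the key token as hex          */
/* PLEX2: run with IMPORT <hex>  -> creates the CKDS record              */
/* Assumptions: placeholder label, hex hand-off, 64-byte fixed token.    */
/* The caller needs RACF access to both services and to the key label.   */
parse upper arg mode tokhex .
label     = left('PLACEHOLDER.KEY.LABEL', 64)  /* blank-padded, 64 bytes */
krc       = 'FFFFFFFF'x                        /* ICSF return code (out) */
krs       = 'FFFFFFFF'x                        /* ICSF reason code (out) */
exit_len  = '00000000'x                        /* no exit data passed    */
exit_data = ''

select
  when mode = 'EXPORT' then do
    token = copies('00'x, 64)                  /* output buffer          */
    address linkpgm 'CSNBKRR krc krs exit_len exit_data label token'
    call check 'CSNBKRR', rc
    say c2x(token)          /* still encrypted under the AES Master Key  */
  end
  when mode = 'IMPORT' then do
    /* Reject anything that is not exactly one 64-byte token in hex.     */
    if length(tokhex) <> 128 | \datatype(tokhex, 'X') then do
      say 'Expected 128 hex digits (64-byte token)'
      exit 12
    end
    token      = x2c(tokhex)
    token_len  = d2c(length(token), 4)
    rule_count = '00000000'x                   /* no rule-array keywords */
    rule_array = ''
    address linkpgm 'CSNBKRC2 krc krs exit_len exit_data',
                    'rule_count rule_array label token_len token'
    call check 'CSNBKRC2', rc
    say 'Key record created under label' strip(label)
  end
  otherwise
    say 'Usage: EXPORT | IMPORT <token-hex>'
    exit 12
end
exit 0

/* Stop on a failed LINKPGM call or a non-zero ICSF return code.         */
check: procedure expose krc krs
  parse arg service, hostrc
  if hostrc <> 0 | c2x(krc) \== '00000000' then do
    say service 'failed: host rc='hostrc 'ICSF rc='c2x(krc) 'reason='c2x(krs)
    exit 8
  end
  return
```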