Creating a DB2 encryption UDF by editing a sample job

InfoSphere® Guardium Data Encryption provides sample jobs that you can edit to create an encryption User Defined Function (UDF).

Before you begin

Obtain the cryptographic key label from the security analyst who installs or administers Integrated Cryptographic Service Facility (ICSF).

About this task

You can create an encryption UDF by editing the sample job that is available in PDS smphlq.SDECSAMP, where smphlq is the SMP/E high-level qualifier for the product:

DECDB2UD
This job link-edits the DB2® CPACF protected key UDFs, DECENU00, DECENUI0 and DECENUP0, and the Random Number UDF DECENURN ICV, with their corresponding ICSF callable services.
DECUXUDF
This member contains SQL statements and descriptions that demonstrate and describe the use of the DECENURN and DECENUI0 UDFs. DECUXUDF is provided to demonstrate the use of DB2 UDFs provided by Encryption Tool. The SQL contained is intended to provide a functioning example for:
  • Creating the DB2 functions for invoking the UDF
  • Inserting rows containing encrypted column values
  • Selecting rows, decrypting column values
  • Updating existing rows, encrypting a previously non-encrypted column (for migration)
  • Using DECENURN in conjunction with DECENUI0 to generate a unique ICV per row
DECENURN
This UDF program retrieves a random value from the CSNBRNGL ICSF callable service. DECENURN can be used in conjunction with DECENUI0, DECENUBL, and DECENUP0.
Note: DECUXUDF is intended to serve as a basis for your own customized use. The sample SQL can be run without modification, but instances of INFOSPHERE GUARDIUM DATA ENCRYPTION ENCRYPTED KEY should be replaced with the cryptographic key label that was built by your security analyst.

Procedure

  1. Edit the sample job that is associated with the UDF.
  2. Replace all lowercase JCL variables and data set names with values for your installation. The UDF name that you specify must be a unique name; it cannot be a DBD name.
  3. At the bottom of the jobs, replace the variable yyyyyyyyyy with the cryptographic key label that was built by your security analyst.

    The encryption key label that you specify can be up to 64 characters long. If you do not use all 64 characters, include the correct number of trailing blanks before the right parenthesis that ends the parameter list.

    If your encryption key label is 50 characters long, include 14 trailing blanks, as shown in this example:

    (yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy              )
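The replacements in steps 2 and 3 can be checked before the job is submitted. The following Python check is an added example, not part of the product or its sample library. It assumes the key label parameter sits alone on a line in the parenthesized form shown above; the job text, data set names and key label in it are constructed.

```python
import re

LABEL_WIDTH = 64  # maximum key label length given in the procedure
SAMPLE_LABEL = "INFOSPHERE GUARDIUM DATA ENCRYPTION ENCRYPTED KEY"  # sample text named in the Note


def pad_label(label):
    """Build the step 3 parameter: the label padded with trailing blanks to 64 characters."""
    if not label or len(label) > LABEL_WIDTH or label != label.strip():
        raise ValueError("label must be 1-64 characters with no leading or trailing blanks")
    return "(" + label.ljust(LABEL_WIDTH) + ")"


def check_job(text):
    """Return findings for an edited job; an empty list means every check passed."""
    findings, params = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("//*"):  # JCL comment line, free text is allowed
            continue
        if line.startswith("//") and re.search(r"[a-z]", line):
            findings.append(f"line {n}: lowercase variable or data set name not replaced")
        if SAMPLE_LABEL in line:
            findings.append(f"line {n}: sample key label text still present")
        m = re.fullmatch(r"\s*\((.*)\)\s*", line)  # assumed layout: "(label   )" alone on a line
        if m:
            params.append((n, m.group(1)))
    if not params:
        return findings + ["no parenthesized key label parameter found"]
    n, field = params[-1]  # step 3 places the label at the bottom of the job
    if len(field) != LABEL_WIDTH:
        findings.append(f"line {n}: label field is {len(field)} characters, expected {LABEL_WIDTH}")
    if set(field.strip()) <= {"y"}:
        findings.append(f"line {n}: label is empty or still the yyyyyyyyyy placeholder")
    return findings


# Constructed job text (not the shipped DECDB2UD member); all names are hypothetical.
UNEDITED = "\n".join([
    "//LINKUDF  JOB (ACCT),'LINK UDF'",
    "//* constructed sample for the checker",
    "//SYSLMOD  DD DSN=yourhlq.LOADLIB,DISP=SHR",
    "(yyyyyyyyyy)",
])
EDITED = "\n".join([
    "//LINKUDF  JOB (ACCT),'LINK UDF'",
    "//* constructed sample for the checker",
    "//SYSLMOD  DD DSN=PROD.DEC.LOADLIB,DISP=SHR",
    pad_label("PROD.DB2.UDF.KEY01"),
])
```

`check_job(UNEDITED)` reports the unreplaced data set name, the short label field and the placeholder; `check_job(EDITED)` returns an empty list.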

What to do next

If you modify the encryption UDF, a DB2 restart is required to refresh the encryption UDF with the new version.

You might have to customize the job to run in your ISPF/PDF environment. For example, you might have to add your ISPF basic target libraries to the appropriate //ISPxLIB ddname concatenations and add //ISPTABL to point to the same libraries as //ISPTLIB.