IBM Support

BRMS Software Encryption: Restoring BRMS Software Encrypted Data using NATIVE commands to a Different System

Troubleshooting


Problem

This document explains how to restore BRMS software-encrypted data to a different system using native (non-BRMS) restore commands. The target system may not have BRMS installed, or may belong to a different BRMS network.

Resolving The Problem

To restore BRMS software-encrypted data with native commands, the target system needs two things: the master key under which the source system's keystore entries are protected, and a keystore file (Q1AKEYFILE, or a translated copy of it) that holds the key record named by the media policy's record label. The target system may not have BRMS installed, or may belong to a different BRMS network.

To restore the encrypted data using native commands on a different system, use one of the following two methods:
Method 1.  Create the same master key on the target system that is used on the source system (same master key number, same passphrase), and use the same Q1AKEYFILE file that was used on the source system by saving it from the source and restoring it to the target. The master key is either created with the same passphrase used on the source system, or is already present because the target system was scratch installed with the LIC from the source system's SAVSYS.
or
Method 2.  If the same master key and Q1AKEYFILE file cannot be used, create a temporary master key with the same passphrase on both the source and target systems, translate a copy of the source system's Q1AKEYFILE to that temporary master key, and transfer the translated keystore file from the source system to the target system.
METHOD 1:  Detailed steps required when the master key and Q1AKEYFILE can be the same on both the source and target systems
1.   Create the same master key on the target system, using the same master key number and the same passphrase as on the source system.
2.   Save the Q1AKEYFILE file from the source system and restore it to the target system. It does not have to be restored into library QUSRBRM on the target; if QUSRBRM already contains another version of Q1AKEYFILE (for example, the target's own BRMS keystore), restore the source file to a different library and name that library in the data area below.
3.   Create the data area required for the native RSTxxx commands
Use a decryption data area to specify the encryption keystore file and record label information to be used to decrypt your tapes. The data area must be named QTADECRYPT and must be created in either library QTEMP or QUSRSYS. Note: QTEMP is cleared when your job ends (sign-off), so use QUSRSYS if the data area is needed across multiple restores or sessions.

The data area must provide the following information

o Char(10) Device name  (Decryption will only be run for tape volumes in this device and the device must be a TAPxx device and cannot be a TAPMLBxx tape library device)

o Char(10) Encryption keystore file name

o Char(10) Encryption keystore library

o Char(32) Encryption record label

Here is an example of how to create a decryption data area in QTEMP:

a. CRTDTAARA DTAARA(QTEMP/QTADECRYPT) TYPE(*CHAR) LEN(62)

b. CHGDTAARA DTAARA(QTEMP/QTADECRYPT (1 10)) VALUE('TAP01')

c. CHGDTAARA DTAARA(QTEMP/QTADECRYPT (11 10)) VALUE('Q1AKEYFILE')

d. CHGDTAARA DTAARA(QTEMP/QTADECRYPT (21 10)) VALUE('QUSRBRM')

e. CHGDTAARA DTAARA(QTEMP/QTADECRYPT (31 32)) VALUE('record_label')

Note: The Record Label is found in the Media Policy.

Note: While this data area exists, non-encrypted data may fail to restore.  Delete the data area before restoring non-encrypted data.
4.  Ensure there is no other BRMS activity, and temporarily disable BRMS by changing Media monitor to *NO in the System Policy (WRKPCYBRM *SYS, Option 1).
5.  Perform the native restore commands. One RSTxxx command is required for each sequence number on the tape volume.
6.  Remember to re-enable BRMS after the restore completes by changing Media monitor back to *YES in the System Policy. Failure to do so will result in BRMS problems.


METHOD 2:  Detailed steps required when the source system's master key and Q1AKEYFILE cannot be used on the target system.
The first operation required is to translate the keystore file and transfer it to the target system:
1. Set up a temporary master key on both systems by loading and setting an unused master key with an identical passphrase on each system. Use a long, unpredictable passphrase and share it out of band; the translated keystore file is protected by nothing else while it is in transit, and the temporary key is cleared again in step 8.

First confirm that the master key number you intend to use (3 in this example) is not already set on EITHER system:
CHKMSTKVV MSTKEY(3) VERSION(*CURRENT)
(You should receive the message Version 1 of master key 3 is not set.)

On both System A and System B:

ADDMSTPART MSTKEY(3) PASSPHRASE('mytransferkey')

followed by:

SETMSTKEY MSTKEY(3)
2. On the source system, create a duplicate of the keystore file (for example, using the CRTDUPOBJ CL command).

System A:
CRTDUPOBJ OBJ(Q1AKEYFILE) FROMLIB(QUSRBRM) OBJTYPE(*FILE) +
TOLIB(QUSRBRM) NEWOBJ(BRMTRANSF) ASPDEV(*) TOASPDEV(*ASPDEV) +
DATA(*YES) CST(*YES) TRG(*YES) FILEID(*NO)
3. Translate the duplicated keystore file to the temporary master key.

System A:
TRNCKMKSF KEYSTORE(QUSRBRM/BRMTRANSF) MSTKEY(3)
4. Move the translated keystore file to the target system.

System A:
Create a save file (CRTSAVF) and save object BRMTRANSF from library QUSRBRM to the save file (SAVOBJ with DEV(*SAVF)).

FTP the save file to System B in binary mode.
5. Restore the translated keystore file on the target system.

System B:
Restore object BRMTRANSF to library QUSRBRM from the save file created in step 4 (RSTOBJ with DEV(*SAVF)).
6. Delete the translated keystore file from the source system A. (You still have the original keystore file.)

System A:
DLTF QUSRBRM/BRMTRANSF
7. OPTIONAL STEP:  Translate the keystore file on the target system to another master key, preferably the master key that protects QUSRBRM/Q1AKEYFILE there. In this example MSTKEY(1) is used for Q1AKEYFILE; the master key a keystore entry uses can be checked with DSPCKMKSFE or in IBM Navigator for i.

System B:

TRNCKMKSF KEYSTORE(QUSRBRM/BRMTRANSF) MSTKEY(1)
8. OPTIONAL STEP:  Clear the temporary master key on both systems after the restores are complete. If you skipped step 7, clearing master key 3 on System B makes BRMTRANSF unusable, so do this only after all restores that depend on it are finished.

System A and System B:
CLRMSTKEY MSTKEY(3) VERSION(*CURRENT)
9. Create the data area required for the native RSTxxx commands
Use a decryption data area to specify the encryption keystore file and record label information to be used to decrypt your tapes. The data area must be named QTADECRYPT and must be created in either library QTEMP or QUSRSYS. Note: QTEMP is cleared when your job ends (sign-off), so use QUSRSYS if the data area is needed across multiple restores or sessions.

The data area must provide the following information

o Char(10) Device name   (Decryption will only be run for tape volumes in this device and the device must be a TAPxx device and cannot be a TAPMLBxx tape library device)

o Char(10) Encryption keystore file name

o Char(10) Encryption keystore library

o Char(32) Encryption record label

Here is an example of how to create a decryption data area in QTEMP:

a. CRTDTAARA DTAARA(QTEMP/QTADECRYPT) TYPE(*CHAR) LEN(62)

b. CHGDTAARA DTAARA(QTEMP/QTADECRYPT (1 10)) VALUE('TAP01')

c. CHGDTAARA DTAARA(QTEMP/QTADECRYPT (11 10)) VALUE('BRMTRANSF')

d. CHGDTAARA DTAARA(QTEMP/QTADECRYPT (21 10)) VALUE('QUSRBRM')

e. CHGDTAARA DTAARA(QTEMP/QTADECRYPT (31 32)) VALUE('record_label')

Note: The Record Label is found in the Media Policy.

Note: While this data area exists, non-encrypted data may fail to restore.  Delete the data area before restoring non-encrypted data.
10. Ensure there is no other BRMS activity, and temporarily disable BRMS by changing Media monitor to *NO in the System Policy (WRKPCYBRM *SYS, Option 1).
11. Perform the native restore commands. One RSTxxx command is required for each sequence number on the tape volume.
12. Remember to re-enable BRMS after the restore completes by changing Media monitor back to *YES in the System Policy. Failure to do so will result in BRMS problems.
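The QTADECRYPT layout above (step 3 of Method 1 and step 9 of Method 2) is easy to get wrong by one character: the fields are fixed-position, blank-padded, and the device must be a stand-alone TAPxx device. The following is an added example, not IBM's code or part of the original document; it assumes only the 62-byte layout the document describes (Char(10) device, Char(10) keystore file, Char(10) keystore library, Char(32) record label). The class and function names are hypothetical, and the sample values at the bottom are constructed placeholders (BRMSKEY01 stands in for your media policy's real record label). It builds the value, checks the constraints the document states, generates the matching CRTDTAARA/CHGDTAARA commands, and parses a data area value back into fields so you can verify what DSPDTAARA shows.

```python
"""Build and check the QTADECRYPT decryption data area read by native RSTxxx
commands when restoring BRMS software-encrypted tapes.

Added example, not IBM code.  Assumes only the 62-byte layout the document
describes.  Names are hypothetical; sample values are constructed placeholders.
"""
from dataclasses import dataclass

# (field, 1-based start position, length), exactly as the document lays them out.
LAYOUT = (
    ("device", 1, 10),
    ("keystore_file", 11, 10),
    ("keystore_lib", 21, 10),
    ("record_label", 31, 32),
)
TOTAL_LEN = sum(length for _, _, length in LAYOUT)  # 62


def _check_object_name(value: str, what: str) -> str:
    """IBM i object names: upper-cased, 1-10 characters, no embedded blanks."""
    name = value.strip().upper()
    if not name or len(name) > 10 or " " in name:
        raise ValueError(f"{what} must be 1-10 characters without blanks: {value!r}")
    return name


@dataclass(frozen=True)
class DecryptDataArea:
    device: str         # TAPxx stand-alone tape device
    keystore_file: str  # Q1AKEYFILE, or the translated copy (BRMTRANSF)
    keystore_lib: str   # library holding the keystore file
    record_label: str   # encryption record label from the BRMS media policy

    def validated(self) -> "DecryptDataArea":
        """Return a normalised copy, or raise ValueError for anything the layout rejects."""
        dev = _check_object_name(self.device, "device name")
        # Decryption is only performed for a TAPxx device; TAPMLBxx library devices are not supported.
        if not dev.startswith("TAP") or dev.startswith("TAPMLB"):
            raise ValueError(f"device must be a TAPxx device, not a TAPMLBxx library: {self.device!r}")
        label = self.record_label.strip()
        if not label or len(label) > 32:
            raise ValueError(f"record label must be 1-32 characters: {self.record_label!r}")
        return DecryptDataArea(
            dev,
            _check_object_name(self.keystore_file, "keystore file"),
            _check_object_name(self.keystore_lib, "keystore library"),
            label,
        )

    def _values(self) -> dict:
        v = self.validated()
        return {"device": v.device, "keystore_file": v.keystore_file,
                "keystore_lib": v.keystore_lib, "record_label": v.record_label}

    def encode(self) -> str:
        """Return the 62-character value the data area must hold (blank padded)."""
        values = self._values()
        return "".join(values[field].ljust(length) for field, _, length in LAYOUT)

    @classmethod
    def decode(cls, raw: str) -> "DecryptDataArea":
        """Parse a data area value (e.g. as shown by DSPDTAARA) back into its fields."""
        if len(raw) != TOTAL_LEN:
            raise ValueError(f"expected {TOTAL_LEN} characters, got {len(raw)}")
        parts = [raw[start - 1:start - 1 + length].rstrip() for _, start, length in LAYOUT]
        return cls(*parts).validated()

    def cl_commands(self, lib: str = "QTEMP") -> list:
        """CL commands that create and fill the data area, one CHGDTAARA per field."""
        values = self._values()
        lib = _check_object_name(lib, "data area library")
        if lib not in ("QTEMP", "QUSRSYS"):
            raise ValueError("QTADECRYPT must be created in QTEMP or QUSRSYS")
        cmds = [f"CRTDTAARA DTAARA({lib}/QTADECRYPT) TYPE(*CHAR) LEN({TOTAL_LEN})"]
        for field, start, length in LAYOUT:
            quoted = values[field].replace("'", "''")  # CL doubles apostrophes inside a string
            cmds.append(f"CHGDTAARA DTAARA({lib}/QTADECRYPT ({start} {length})) VALUE('{quoted}')")
        return cmds


if __name__ == "__main__":
    # Constructed placeholder values.
    da = DecryptDataArea("TAP01", "Q1AKEYFILE", "QUSRBRM", "BRMSKEY01")
    print("\n".join(da.cl_commands("QTEMP")))
    assert DecryptDataArea.decode(da.encode()) == da
```

For Method 2 substitute the translated file name (BRMTRANSF) for Q1AKEYFILE. The round trip through decode is the check to run against DSPDTAARA output if a restore reports that it cannot find the key record: a label padded short, or a library name in the wrong 10-byte slot, shows up immediately.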
Note:
  1. If restoring data using native commands to the same system that performed the BRMS software-encrypted save, use IBM i Tech Doc: Restoring BRMS Software Encrypted Data to the same system using native commands (http://www-01.ibm.com/support/docview.wss?uid=nas8N1011938).
  2. This document is intended as an interim procedure until BRMS can be installed.
  3. Encrypted and non-encrypted data cannot be displayed while the QTADECRYPT data area exists.


Historical Number

658301198

Document Information

Modified date:
13 November 2024

UID

nas8N1010573