FDRCRYPT Dump Examples

All examples in this section are found in the JCL library installed with FDR. The member names are EX7120x.

Important

The following examples show a variety of FDR dump functions, including FDR, FDRDSF, and FDRABR. However, FDRCRYPT works essentially the same no matter which type of FDR operation is performed. So an example shown for PGM=FDR works just as well with PGM=FDRABR or FDRDSF, and vice versa. Although the name of the Encryption Keyfile in these examples contains the word “KEYFILE” for clarity, we recommend that for additional security the actual names used in your installation do not identify these as FDRCRYPT Encryption Keyfiles.
The FDRCRYPT DD statement is shown as an in-line data set (DD *) in many examples for simplicity, but actually this is not recommended if key values are included, since this may be a security exposure. For best security, point FDRCRYPT to a DASD data set that is secured by your security system.

Encrypt an FDR backup example

This simple example backs up one DASD volume with FDR and encrypts it with AES128 encryption. FDRCRYPT generates the AES128 encryption key and the master AES key is specified on an ENCRYPT statement. Since no KEYFILE statement is included, the Encryption Keyfile identified in the FDR Global Options is dynamically allocated and used to record the AES key.

//DUMP     EXEC PGM=FDR,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//DISK1    DD UNIT=SYSALLDA,DISP=OLD,VOL=SER=123456
//TAPE1    DD DSN=BACKUP.V123456(+1),DISP=(,CATLG),
//            UNIT=CART,EXPDT=99000
//SYSIN    DD *
DUMP     TYPE=FDR,ENCRYPT=ALL,ENCRYPTTYPE=AES128
/*
//FDRCRYPT DD *
  ENCRYPT MASTERKEY=A342714423F6DECC0712947FEA834297
/*

Encrypt an FDRDSF backup example

This example backs up data sets from two DASD volumes with FDRDSF. The COPY 2 backups (TAPE11 and TAPE22) are encrypted with AES 128-bit key encryption; the COPY 1 backups are not encrypted. A separate AES encryption key is specified for each DASD volume. The master key is obtained from security profile FACILITY/FDRCRYPT.PAYROLL. The KEYFILE statement causes the keys to be recorded in data set “FDRCRYPT.KEYFILE”.

//DUMP     EXEC PGM=FDRDSF,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//DISK1    DD UNIT=SYSALLDA,DISP=OLD,VOL=SER=LIB001
//TAPE1    DD DSN=BACKUP1.VLIB001(+1),DISP=(,CATLG),
//            UNIT=CART,EXPDT=99000
//TAPE11   DD DSN=BACKUP2.VLIB001(+1),DISP=(,CATLG),
//            UNIT=CART,EXPDT=99000
//DISK2    DD UNIT=SYSALLDA,DISP=OLD,VOL=SER=LIB002
//TAPE2    DD DSN=BACKUP1.VLIB002(+1),DISP=(,CATLG),
//            UNIT=CART,EXPDT=99000
//TAPE22   DD DSN=BACKUP2.VLIB002(+1),DISP=(,CATLG),
//            UNIT=CART,EXPDT=99000
//SYSIN    DD *
DUMP     TYPE=DSF,ENCRYPT=COPY2,ENCRYPTTYPE=AES
SELECT   DSN=PAYROLL.**
/*
//FDRCRYPT DD DSN=PAYROLL.FDRCRYPT.OPTIONS,DISP=SHR

Data set “PAYROLL.FDRCRYPT.OPTIONS” contains these statements:

KEYFILE DSN=FDRCRYPT.KEYFILE
  ENCRYPT MASTERKEYID=PAYROLL
  ENCRYPT VOL=LIB001,AESKEY=A342CC0012947FE71442344773F6DEA8
  ENCRYPT VOL=LIB002,AESKEY=947FEA34213F6DEA8CC4423447700127

Encrypt FDRABR volume backups example

This example does ABR full-volume backups of a set of volumes. The COPY 2 backups (TAPE11) are encrypted with AES 128-bit key encryption, except that system volumes are not encrypted. Although volumes are selected in ABR by SMS storage group, encryption parameters must be specified by volume serial. FDRCRYPT randomly generates all encryption keys. The master key for all the backups is obtained from security profile FACILITY/FDRCRYPT.ABRBKUP. Since no KEYFILE statement is included, the Encryption Keyfile identified in the FDR Global Options is dynamically allocated and used to record the encryption key used for each backup.

//DUMP     EXEC PGM=FDRABR,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//TAPE1    DD UNIT=CART,DSN=ABR1,DISP=(,KEEP),EXPDT=99000
//TAPE11   DD UNIT=CART,DSN=ABR11,DISP=(,KEEP),EXPDT=99000
//SYSIN    DD *
DUMP     TYPE=FDR,ENCRYPT=COPY2,ENCRYPTTYPE=AES
MOUNT    STORGRP=DB2A
MOUNT    STORGRP=DB2B
MOUNT    STORGRP=SYS
/*
//FDRCRYPT DD *
  ENCRYPT MASTERKEYID=ABRBKUP
  ENCRYPT VOL=SYS*,ENCRYPTTYPE=BYPASS
/*

Encrypt FDRABR Volume Backups with AES256 Example

This example does ABR full-volume backups of a set of volumes with AES-256 (256-bit key). Since no KEYFILE statement is included, the Encryption Keyfile identified in the FDR Global Options is dynamically allocated and used to record the encryption key used for each backup. The short versions of ENCRYPT (EC) and AESKEY (AK=) are used so that the 64-digit key fits on one line (columns 1-71).

Important

Because of the overhead of AES256, it is recommended only for the most sensitive data or when required by regulations.

//DUMP     EXEC PGM=FDRABR,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//TAPE1    DD DSN=ABR1,DISP=(,KEEP),UNIT=CART,EXPDT=99000
//SYSIN    DD *
DUMP     TYPE=FDR,ENCRYPT=COPY1,ENCRYPTTYPE=AES256
MOUNT    VOLG=DB1
MOUNT    VOLG=DB2
MOUNT    VOLG=SYS
/*
//FDRCRYPT DD *
EC AK=947FEA34213F6DEA8CC4423447700127A342CC0012947FE71442344773F6DEA8
/*

Encrypt FDRAPPL application backups example

This example does FDRAPPL data set backups of a set of data sets. The backups are encrypted with AES 128-bit key encryption. FDRCRYPT randomly generates all encryption keys. The master key is obtained from security profile FACILITY/FDRCRYPT.PAYROLL. The KEYFILE statement causes the keys to be recorded in “PAYROLL.FDRCRYPT.KEYFILE”.

//BACKUP   EXEC PGM=FDRABR,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSPRIN1 DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//ARCHIVE DD DSN=PAYROLL.APPL.BACKUP,DISP=SHR
//TAPE1    DD DSN=PAYBKUP.APPL1,UNIT=CART,DISP=(,KEEP)
//TAPE11   DD DSN=PAYBKUP.APPL2,UNIT=CART,DISP=(,KEEP)
//SYSIN    DD *
DUMP     TYPE=APPL,ARCB1DSN=PAYROLL.APPL.ACFBKP1(+1),
          ARCB2DSN=PAYROLL.APPL.ACFBKP2(+1),RETPD=14,
          ENCRYPT=ALL,ENCRYPTTYPE=AES
SELECT   CATDSN=PAYROLL.**
SELECT   CATDSN=HOURLY.PAY*.**
/*
//FDRCRYPT DD *
  KEYFILE DSN=PAYROLL.FDRCRYPT.KEYFILE
  ENCRYPT MASTERKEYID=PAYROLL
/*