All examples in this section are found in the JCL library installed with FDR. The member names are EX7120x.
Important
- The following examples show a variety of FDR dump functions, including FDR, FDRDSF, and FDRABR. However, FDRCRYPT works essentially the same no matter which type of FDR operation is performed. So an example shown for PGM=FDR works just as well with PGM=FDRABR or FDRDSF, and vice versa. Although the name of the Encryption Keyfile in these examples contains the word “KEYFILE” for clarity, we recommend that for additional security the actual names used in your installation do not identify these as FDRCRYPT Encryption Keyfiles.
- The FDRCRYPT DD statement is shown as in-line data (DD *) in many examples for simplicity, but this is not recommended when key values are included, since it may be a security exposure. For best security, point FDRCRYPT to a DASD data set that is protected by your security system.
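The following check is an added example, not part of the FDR JCL library or the FDR product. It scans JCL text for the exposure described in the note above: key values (MASTERKEY=, AESKEY= or AK=) coded in-line under //FDRCRYPT DD *. The sample JCL and its key values are constructed, and the function name find_inline_keys is hypothetical.

```python
import re

# Key-bearing operands shown on this page: MASTERKEY=, AESKEY= and its short form AK=.
# MASTERKEYID= names a security profile rather than a key, so it is not matched.
KEY_OPERAND = re.compile(r"(?<![A-Z0-9])(MASTERKEY|AESKEY|AK)=([0-9A-Fa-f]+)")
DD_STMT = re.compile(r"^//(\S+)\s+DD\s+(\S*)")

# Constructed sample JCL (the key values are made up for this example).
SAMPLE_JCL = """\
//STEP1    EXEC PGM=FDR,REGION=0M
//FDRCRYPT DD *
 ENCRYPT MASTERKEY=00112233445566778899AABBCCDDEEFF
/*
//STEP2    EXEC PGM=FDRABR,REGION=0M
//FDRCRYPT DD *
 ENCRYPT MASTERKEYID=ABRBKUP
 ENCRYPT VOL=SYS*,ENCRYPTTYPE=BYPASS
/*
//STEP3    EXEC PGM=FDRDSF,REGION=0M
//FDRCRYPT DD DSN=PAYROLL.FDRCRYPT.OPTIONS,DISP=SHR
//STEP4    EXEC PGM=FDRABR,REGION=0M
//FDRCRYPT DD *
 EC AK=00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF
/*
"""


def find_inline_keys(jcl_text, ddname="FDRCRYPT"):
    """Return (line_no, operand, key_bits) for key values coded in-line under ddname."""
    findings = []
    in_stream = False  # True while reading the records of '//ddname DD *'
    for line_no, raw in enumerate(jcl_text.splitlines(), start=1):
        line = raw[:71]  # statement text occupies columns 1-71
        if line.startswith("//") or line.startswith("/*"):
            # Any JCL statement or delimiter ends the in-stream data.
            m = DD_STMT.match(line)
            in_stream = bool(m) and m.group(1) == ddname and m.group(2) == "*"
            continue
        if in_stream:
            for operand, value in KEY_OPERAND.findall(line):
                # Report the key size only; never echo the key itself.
                findings.append((line_no, operand, len(value) * 4))
    return findings


if __name__ == "__main__":
    for line_no, operand, bits in find_inline_keys(SAMPLE_JCL):
        print(f"line {line_no}: in-line {operand}= ({bits}-bit key) under FDRCRYPT DD *")
```

Steps that use MASTERKEYID= or point FDRCRYPT at a data set produce no finding; only the two steps with key digits in the job stream are reported.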
Encrypt an FDR backup example
This simple example backs up one DASD volume with FDR and encrypts it with AES128 encryption. FDRCRYPT generates the AES128 encryption key and the master AES key is specified on an ENCRYPT statement. Since no KEYFILE statement is included, the Encryption Keyfile identified in the FDR Global Options is dynamically allocated and used to record the AES key.
//DUMP     EXEC PGM=FDR,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//DISK1    DD UNIT=SYSALLDA,DISP=OLD,VOL=SER=123456
//TAPE1    DD DSN=BACKUP.V123456(+1),DISP=(,CATLG),
//            UNIT=CART,EXPDT=99000
//SYSIN    DD *
 DUMP TYPE=FDR,ENCRYPT=ALL,ENCRYPTTYPE=AES128
/*
//FDRCRYPT DD *
 ENCRYPT MASTERKEY=A342714423F6DECC0712947FEA834297
/*
Encrypt an FDRDSF backup example
This example backs up data sets from two DASD volumes with FDRDSF. The COPY 2 backups (TAPE11 and TAPE22) are encrypted with AES 128-bit key encryption; the COPY 1 backups are not encrypted. A separate AES encryption key is specified for each DASD volume. The master key is obtained from security profile FACILITY/FDRCRYPT.PAYROLL. The KEYFILE statement causes the keys to be recorded in data set “FDRCRYPT.KEYFILE”.
//DUMP     EXEC PGM=FDRDSF,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//DISK1    DD UNIT=SYSALLDA,DISP=OLD,VOL=SER=LIB001
//TAPE1    DD DSN=BACKUP1.VLIB001(+1),DISP=(,CATLG),
//            UNIT=CART,EXPDT=99000
//TAPE11   DD DSN=BACKUP2.VLIB001(+1),DISP=(,CATLG),
//            UNIT=CART,EXPDT=99000
//DISK2    DD UNIT=SYSALLDA,DISP=OLD,VOL=SER=LIB002
//TAPE2    DD DSN=BACKUP1.VLIB002(+1),DISP=(,CATLG),
//            UNIT=CART,EXPDT=99000
//TAPE22   DD DSN=BACKUP2.VLIB002(+1),DISP=(,CATLG),
//            UNIT=CART,EXPDT=99000
//SYSIN    DD *
 DUMP TYPE=DSF,ENCRYPT=COPY2,ENCRYPTTYPE=AES
 SELECT DSN=PAYROLL.**
/*
//FDRCRYPT DD DSN=PAYROLL.FDRCRYPT.OPTIONS,DISP=SHR
Data set “PAYROLL.FDRCRYPT.OPTIONS” contains these statements:
 KEYFILE DSN=FDRCRYPT.KEYFILE
 ENCRYPT MASTERKEYID=PAYROLL
 ENCRYPT VOL=LIB001,AESKEY=A342CC0012947FE71442344773F6DEA8
 ENCRYPT VOL=LIB002,AESKEY=947FEA34213F6DEA8CC4423447700127
Encrypt FDRABR volume backups example
This example does ABR full-volume backups of a set of volumes. The COPY 2 backups (TAPE11) are encrypted with AES 128-bit key encryption, except that system volumes are not encrypted. Although volumes are selected in ABR by SMS storage group, encryption parameters must be specified by volume serial. FDRCRYPT randomly generates all encryption keys. The master key for all the backups is obtained from security profile FACILITY/FDRCRYPT.ABRBKUP. Since no KEYFILE statement is included, the Encryption Keyfile identified in the FDR Global Options is dynamically allocated and used to record the encryption key used for each backup.
//DUMP     EXEC PGM=FDRABR,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//TAPE1    DD UNIT=CART,DSN=ABR1,DISP=(,KEEP),EXPDT=99000
//TAPE11   DD UNIT=CART,DSN=ABR11,DISP=(,KEEP),EXPDT=99000
//SYSIN    DD *
 DUMP TYPE=FDR,ENCRYPT=COPY2,ENCRYPTTYPE=AES
 MOUNT STORGRP=DB2A
 MOUNT STORGRP=DB2B
 MOUNT STORGRP=SYS
/*
//FDRCRYPT DD *
 ENCRYPT MASTERKEYID=ABRBKUP
 ENCRYPT VOL=SYS*,ENCRYPTTYPE=BYPASS
/*
Encrypt FDRABR volume backups with AES256 example
This example does ABR full-volume backups of a set of volumes with AES-256 (256-bit key). Since no KEYFILE statement is included, the Encryption Keyfile identified in the FDR Global Options is dynamically allocated and used to record the encryption key used for each backup. The short versions of ENCRYPT (EC) and AESKEY (AK=) are used so that the 64-digit key fits on one line (columns 1-71).
Important
Because of the overhead of AES256, it is recommended only for the most sensitive data or when required by regulations.
//DUMP     EXEC PGM=FDRABR,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//TAPE1    DD DSN=ABR1,DISP=(,KEEP),UNIT=CART,EXPDT=99000
//SYSIN    DD *
 DUMP TYPE=FDR,ENCRYPT=COPY1,ENCRYPTTYPE=AES256
 MOUNT VOLG=DB1
 MOUNT VOLG=DB2
 MOUNT VOLG=SYS
/*
//FDRCRYPT DD *
 EC AK=947FEA34213F6DEA8CC4423447700127A342CC0012947FE71442344773F6DEA8
/*
Encrypt FDRAPPL application backups example
This example does FDRAPPL data set backups of a set of data sets. The backups are encrypted with AES 128-bit key encryption. FDRCRYPT randomly generates all encryption keys. The master key is obtained from security profile FACILITY/FDRCRYPT.PAYROLL. The KEYFILE statement causes the keys to be recorded in “PAYROLL.FDRCRYPT.KEYFILE”.
//BACKUP   EXEC PGM=FDRABR,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSPRIN1 DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//ARCHIVE  DD DSN=PAYROLL.APPL.BACKUP,DISP=SHR
//TAPE1    DD DSN=PAYBKUP.APPL1,UNIT=CART,DISP=(,KEEP)
//TAPE11   DD DSN=PAYBKUP.APPL2,UNIT=CART,DISP=(,KEEP)
//SYSIN    DD *
 DUMP TYPE=APPL,ARCB1DSN=PAYROLL.APPL.ACFBKP1(+1),
      ARCB2DSN=PAYROLL.APPL.ACFBKP2(+1),RETPD=14,
      ENCRYPT=ALL,ENCRYPTTYPE=AES
 SELECT CATDSN=PAYROLL.**
 SELECT CATDSN=HOURLY.PAY*.**
/*
//FDRCRYPT DD *
 KEYFILE DSN=PAYROLL.FDRCRYPT.KEYFILE
 ENCRYPT MASTERKEYID=PAYROLL
/*