FDRCRYPT RESTORE Examples


All examples in this section can be found in the JCL library installed with FDR. The member names are EX7121x.

Important

  • The following examples show a variety of FDR restore functions, including FDR, FDRDSF, and FDRABR. However, FDRCRYPT works essentially the same no matter which type of FDR operation is performed. So an example shown for PGM=FDR works just as well with PGM=FDRABR or FDRDSF, and vice versa. Although the name of the Encryption Keyfile in these examples contains the word “KEYFILE” for clarity, we recommend that for additional security the actual names used in your installation do not identify these as FDRCRYPT Encryption Keyfiles.
  • The FDRCRYPT DD statement is shown as an in-line data set (DD *) in many examples for simplicity, but this is not recommended when key values are included, because it may be a security exposure. For best security, point FDRCRYPT to a DASD data set that is secured by your security system.
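
As an added example (not part of the FDR documentation or its JCL library), this Python check scans JCL text for the exposure described in the note above: AESKEY= or MASTERKEY= values coded in in-line FDRCRYPT data (DD *). The sample JCL, its key value and the data set name HYPOTH.RESTOPT are constructed, and the check assumes plain DD * in-stream data that ends at /* or at the next // statement.

```python
import re

# Constructed sample JCL; the key value is a made-up placeholder, not a real key.
SAMPLE_JCL = """\
//RESTORE  EXEC PGM=FDRABR,REGION=0M
//SYSIN    DD *
  RESTORE TYPE=FDR,DYNTAPE
  SELECT VOL=SALE01,NVOL=DR0001
/*
//FDRCRYPT DD *
  KEYFILE DSN=NULLFILE
  DECRYPT VOL=SALE*,MASTERKEY=00112233445566778899AABBCCDDEEFF
/*
//STEP2    EXEC PGM=FDRDSF,REGION=0M
//FDRCRYPT DD DSN=HYPOTH.RESTOPT,DISP=SHR
"""

EXEC_STMT = re.compile(r"^//(\S*)\s+EXEC\s")
DD_STMT = re.compile(r"^//(\S+)\s+DD\s+(\S*)")
KEY_OPERAND = re.compile(r"\b(AESKEY|MASTERKEY)=[0-9A-Fa-f]+")


def find_inline_keys(jcl):
    """Return (line_no, step, operand) for each key value coded in FDRCRYPT DD * data.

    Only the operand name and location are reported, never the key value,
    so the findings can be logged or ticketed without repeating the secret.
    """
    findings = []
    step = None
    in_fdrcrypt = False
    for line_no, line in enumerate(jcl.splitlines(), start=1):
        if line.startswith("//"):
            in_fdrcrypt = False  # any JCL statement ends DD * in-stream data
            if line.startswith("//*"):
                continue  # JCL comment statement
            exec_match = EXEC_STMT.match(line)
            if exec_match:
                step = exec_match.group(1)
                continue
            dd = DD_STMT.match(line)
            if dd and dd.group(1) == "FDRCRYPT":
                in_fdrcrypt = dd.group(2) == "*" or dd.group(2).startswith("*,")
        elif line.startswith("/*"):
            in_fdrcrypt = False  # delimiter ends the in-stream data
        elif in_fdrcrypt:
            for key in KEY_OPERAND.finditer(line):
                findings.append((line_no, step, key.group(1)))
    return findings
```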

Restore an encrypted FDR backup example

This simple example restores one DASD volume with FDR. The backup was encrypted by FDRCRYPT. During the restore, FDRCRYPT automatically detects that the backup was encrypted and the type of encryption used. Since no FDRCRYPT DD statement is provided, FDRCRYPT allocates the Encryption Keyfile specified in the FDR Global Options and locates the encryption key for this backup. The data is decrypted and restored.

Important

For all types of restores, if the encryption keys were stored in the Encryption Keyfile identified by the FDR Global Options, and that Encryption Keyfile is available, then no FDRCRYPT DD statement or special options are required to restore from encrypted backups. This is especially important if you encrypt your FDRABR Archive backups, so that auto-recall can work.

//RESTORE  EXEC PGM=FDR,REGION=0M
//SYSPRINT DD  SYSOUT=*
//SYSUDUMP DD  SYSOUT=*
//DISK1    DD  UNIT=SYSALLDA,DISP=OLD,VOL=SER=123456
//TAPE1    DD  DSN=BACKUP.V123456(0),DISP=OLD
//SYSIN    DD  *
    RESTORE  TYPE=FDR
/*

Restore an encrypted data set backup example

This example restores data sets from the AES encrypted backups of two DASD volumes. Because the Encryption Keyfile used during the backups is not available, the 128-bit AES key of each backup is provided in the FDRCRYPT DD statement.

Important

The type of key provided (for example, AESKEY) must match the encryption type used to encrypt the tape.

//RESTORE  EXEC PGM=FDRDSF,REGION=0M
//SYSPRINT DD  SYSOUT=*
//SYSUDUMP DD  SYSOUT=*
//TAPE1    DD  UNIT=CART,DSN=BACKUP1.VLIB001(0),DISP=OLD
//TAPE2    DD  UNIT=CART,DSN=BACKUP1.VLIB002(0),DISP=OLD
//SYSIN    DD  *
    RESTORE  TYPE=DSF
    SELECT   DSN=PAYROLL.**
/*
//FDRCRYPT DD  DSN=PAYROLL.FDRCRYPT.RESTOPT,DISP=SHR

Data set “PAYROLL.FDRCRYPT.RESTOPT” contains these statements:

    KEYFILE  DSN=NULLFILE
    DECRYPT  VOL=LIB001,AESKEY=A342CC0012947FE71442344773F6DEA8
    DECRYPT  VOL=LIB002,AESKEY=947FEA34213F6DEA8CC4423447700127

Restore encrypted FDRABR volume backups example

This example does ABR full-volume restores of a set of volumes whose backups were encrypted. The restore is being done at a disaster recovery site, but the Encryption Keyfile in which the encryption keys were stored is not available, so the master key used for the backups is specified. Volumes starting with “SALE” used one master key; all other backups used another master key, so both are provided.

The master key allows FDRCRYPT to access an encrypted form of the actual key from each backup, and decrypt the data. It does not matter what encryption type was used. ONLY use this type of restore if the Encryption Keyfile or the individual encryption keys cannot be provided. The master key must be kept extremely secure and used only by authorized individuals when necessary. A restore using a master key can be done only if a master key was specified during the backup.

Since this ABR full-volume restore may read incremental backups and a full-volume backup while restoring each DASD volume, it is necessary that all of those backups were done using the same master key. Although master keys can be changed at any time, for ABR volume backups it is important that they change only when full-volume backups are taken (the beginning of a new generation).

//RESTORE  EXEC PGM=FDRABR,REGION=0M
//SYSPRINT DD  SYSOUT=*
//SYSUDUMP DD  SYSOUT=*
//SYSIN    DD  *
    RESTORE  TYPE=FDR,CPYVOLID=YES,CONFMESS=NO,DYNTAPE,ONLINE
    SELECT   VOL=SALE01,NVOL=DR0001
    SELECT   VOL=SALE02,NVOL=DR0002
    SELECT   VOL=PROD01,NVOL=DR0003
    SELECT   VOL=PROD02,NVOL=DR0004
    SELECT   VOL=PROD03,NVOL=DR0005
    SELECT   VOL=PROD04,NVOL=DR0006
/*
//FDRCRYPT DD  *
    KEYFILE  DSN=NULLFILE     DO NOT ATTEMPT TO OPEN THE KEY FILE
    DECRYPT  VOL=SALE*,MASTERKEY=A342CC0012947FE71442344773F6DEA8
    DECRYPT  VOL=*,MASTERKEY=947FEA34213F6DEA8CC4423447700127
/*

Restore encrypted backups with FDRDRP example

This example does FDRDRP full-volume restores of a set of volumes whose ABR backups were encrypted. The Encryption Keyfile used for these backups was previously restored and its name is specified.

//RESTORE  EXEC PGM=FDRDRP,REGION=0M
//SYSPRINT DD  SYSOUT=*
//SYSUDUMP DD  SYSOUT=*
//SYSIN    DD  *
    RESTORE  TYPE=DRP,CPYVOLID=YES
    SELECT   VOL=DB2001,NVOL=DR0001
    SELECT   VOL=DB2002,NVOL=DR0002
    SELECT   VOL=DB2003,NVOL=DR0003
/*
//FDRCRYPT DD  *
    KEYFILE  DSN=FDRABR.KEYFILE
/*

 


BMC Compuware FDR 5.04