Engineering Corner: DMSII Data Encryption
By Howard Bell, Architect – EAE/AB Suite MCP Runtime and Debugger, Unisys
The ability to encrypt persistent attributes in Enterprise Database Server for ClearPath® MCP (DMSII) is now supported in Agile Business Suite (AB Suite®) 7.0.
Using the new Data Encryption product, you’re able to secure the data in these attributes – and elsewhere within your DMSII database – through two distinct approaches: data masking and data encryption.
Just be sure to note that although it’s possible to use data masking and data encryption in the same database, DMSII does not allow both in the same data set. Only one form of security may be used in a data set.
AB Suite 7.0 includes two unique model properties to support data masking and data encryption within the DMSII database:
- Secure Technique: A class model property used to specify whether the secured persistent attributes in the class will be encrypted or masked.
- IsSecure: An attribute model property that specifies if the attribute will be secured. In order to secure an attribute within a class, you must set the IsSecure property on the attribute to “True.”
Below, you’ll find details on how to use the Data Encryption product’s data masking and data encryption capabilities, along with the model properties described above, to secure your persistent attributes.
To secure the data of a persistent attribute with data masking, you’ll first need to set the Secure Technique property on the class owning the persistent attribute to “DataMasking.” Then, set the IsSecure property on the attribute to “True.”
Be aware that these settings will not take effect until the Obfuscate Level configuration property is set to a value greater than zero. The Obfuscate Level instructs DMSII to select the methodology for masking data content on a scale of zero to three:
- 0: Suppresses all data masking within the database. This is the default level.
- 1: Instructs the entire database to use the same methodology for masking data.
- 2: Tells each structure within the database to use a different method to scramble the data.
- 3: Specifies that each record in the structure use its own means of masking data.
Note that Obfuscate Level 3 is only allowed on structures where the Extended Edition property is set to “True” on all “ispec,” “copyispec,” “event,” “copyevent,” and vanilla classes with persistent attributes.
Also, when using MCP Runtime Transfer, you must set the Obfuscate Level to the same value for the source and target configurations.
When using data encryption to secure persistent attributes, start by setting the Secure Technique property on the class owning the persistent attribute to “DataEncryption,” and the IsSecure property to “True.”
These settings will only be active once you set the Data Encryption Type configuration property to either the “AESGCM” or “AESHMAC” algorithm.
Using data encryption requires that you enable an encryption key for the database. DMSII takes care of this automatically after you specify an encryption algorithm by setting the Data Encryption Key Set segment configuration to “True” and creating a key during the next system build. Please note that you’ll need to manually back up your encryption key in the Security Center. If you change the encryption key set option, or the first generate with data encryption enabled takes place, a full database backup is required to ensure recoverability following any sort of failure.
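The settings above interact in ways that are easy to get wrong at model-review time: a data set that mixes the two techniques, masking left at Obfuscate Level 0, encryption without a Data Encryption Type, Level 3 without Extended Edition, or a transfer whose source and target levels differ. The following is an added example, not AB Suite’s model API or any Unisys code; it is a hypothetical checker whose dataclasses simply carry the property names used in this article, and the class, attribute and data-set names in the sample model are constructed.

```python
"""Consistency checks for the DMSII masking / encryption settings described in the
article.  Hypothetical helper for illustration, not AB Suite's model API: the
classes below only carry the property names the article uses (Secure Technique,
IsSecure, Obfuscate Level, Data Encryption Type, Extended Edition)."""
from dataclasses import dataclass, field
from typing import List, Optional

MASKING, ENCRYPTION = "DataMasking", "DataEncryption"
ENCRYPTION_TYPES = ("AESGCM", "AESHMAC")   # values the article names for Data Encryption Type


@dataclass
class Attribute:
    name: str
    is_secure: bool = False                  # IsSecure model property


@dataclass
class PersistentClass:
    name: str
    secure_technique: Optional[str] = None   # Secure Technique: MASKING, ENCRYPTION or None
    extended_edition: bool = False           # Extended Edition property
    attributes: List[Attribute] = field(default_factory=list)

    def secured(self) -> List[Attribute]:
        return [a for a in self.attributes if a.is_secure]


@dataclass
class DataSet:
    name: str
    classes: List[PersistentClass]


@dataclass
class Configuration:
    obfuscate_level: int = 0                 # 0 (default, masking suppressed) .. 3
    data_encryption_type: Optional[str] = None


def check_model(data_sets: List[DataSet], config: Configuration) -> List[str]:
    """Return findings for settings that will not take effect or that DMSII rejects."""
    findings: List[str] = []
    if not 0 <= config.obfuscate_level <= 3:
        findings.append(f"Obfuscate Level {config.obfuscate_level} is outside 0..3")
    in_use = set()
    for ds in data_sets:
        techniques = set()
        for cls in ds.classes:
            if cls.secured() and cls.secure_technique is None:
                findings.append(f"{ds.name}/{cls.name}: IsSecure attributes but no Secure Technique")
            elif cls.secured():
                techniques.add(cls.secure_technique)
        if len(techniques) > 1:              # DMSII allows one security form per data set
            findings.append(f"{ds.name}: mixes {sorted(techniques)}; one form per data set only")
        if config.obfuscate_level == 3 and MASKING in techniques:
            # Level 3 requires Extended Edition on every class holding persistent attributes
            for cls in ds.classes:
                if cls.attributes and not cls.extended_edition:
                    findings.append(f"{ds.name}/{cls.name}: Obfuscate Level 3 requires Extended Edition")
        in_use |= techniques
    if MASKING in in_use and config.obfuscate_level == 0:
        findings.append("Data masking is configured but Obfuscate Level 0 suppresses it")
    if ENCRYPTION in in_use and config.data_encryption_type not in ENCRYPTION_TYPES:
        findings.append("Data encryption is configured but Data Encryption Type is not AESGCM/AESHMAC")
    return findings


def check_transfer(source: Configuration, target: Configuration) -> List[str]:
    """MCP Runtime Transfer: source and target must use the same Obfuscate Level."""
    if source.obfuscate_level != target.obfuscate_level:
        return [f"Obfuscate Level differs: source {source.obfuscate_level}, target {target.obfuscate_level}"]
    return []


def sample_model() -> List[DataSet]:
    """Constructed model: CUSTOMER is consistent, ACCOUNT mixes both techniques."""
    customer = DataSet("CUSTOMER", [
        PersistentClass("Customer", MASKING, extended_edition=True,
                        attributes=[Attribute("Name"), Attribute("TaxId", is_secure=True)]),
    ])
    account = DataSet("ACCOUNT", [
        PersistentClass("Account", ENCRYPTION, attributes=[Attribute("CardNumber", is_secure=True)]),
        PersistentClass("Note", MASKING, attributes=[Attribute("Text", is_secure=True)]),
    ])
    return [customer, account]


if __name__ == "__main__":
    for finding in check_model(sample_model(), Configuration()):
        print(finding)
```

Run against the sample model with a default configuration, the checker reports the mixed data set, the suppressed masking and the missing encryption type; with `Configuration(obfuscate_level=1, data_encryption_type="AESGCM")` only the mixed data set remains.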
Enabling data encryption will trigger a database reorganization during the next deployment. For performance reasons, DMSII puts encrypted data items together at the end of the data set record, after the non-encrypted items and any DBFILLER, if present.
AB Suite has adopted this ordering because it reads the whole database record, not individual fields, so the mapping as shown in the DASDL must match the physical data set layout. If you have programs outside of AB Suite that also read the encrypted data set as whole records, you will need to account for the revised data item order.
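To make the reorganization concrete, here is an added example (not DMSII or AB Suite code) that models a record as fixed-width byte fields, computes the offsets before and after encrypted items move to the end, and shows what a whole-record reader still using the old offsets would get back. The item names, sizes, record content and the assumption that each group keeps its declared relative order are all constructed for the illustration; the ciphertext fields hold stand-in bytes.

```python
"""Record layout before and after DMSII's encryption reorganization, as the
article describes it: encrypted items move to the end of the data-set record,
after the non-encrypted items and any DBFILLER.  Added illustration, not DMSII
or AB Suite code; items, sizes and record content are constructed, and
fixed-width byte fields stand in for the real DASDL declarations."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Layout = Dict[str, Tuple[int, int]]   # name -> (offset, size)


@dataclass
class Item:
    name: str
    size: int                  # width in bytes
    encrypted: bool = False    # IsSecure under a DataEncryption Secure Technique
    filler: bool = False       # DBFILLER


def declared_layout(items: List[Item]) -> Layout:
    """Offsets in the order the items were declared (the pre-reorganization record)."""
    layout: Layout = {}
    offset = 0
    for it in items:
        layout[it.name] = (offset, it.size)
        offset += it.size
    return layout


def reorganized_layout(items: List[Item]) -> Layout:
    """Offsets after reorganization: plain items, then DBFILLER, then encrypted items.
    Assumption: each group keeps its declared relative order."""
    plain = [i for i in items if not i.encrypted and not i.filler]
    filler = [i for i in items if i.filler]
    enc = [i for i in items if i.encrypted]
    return declared_layout(plain + filler + enc)


def moved_items(items: List[Item]) -> List[str]:
    """Items whose offset changes: what an external whole-record reader must revise.
    Note that non-encrypted items move too, because encrypted ones vacate their slots."""
    before, after = declared_layout(items), reorganized_layout(items)
    return [name for name in before if before[name] != after[name]]


def read_item(record: bytes, layout: Layout, name: str) -> bytes:
    offset, size = layout[name]
    return record[offset:offset + size]


def build_record(items: List[Item], values: Dict[str, bytes]) -> bytes:
    """Assemble a fixed-width record in the reorganized order (unset fields are zeroed)."""
    buf = bytearray(sum(i.size for i in items))
    for name, (offset, size) in reorganized_layout(items).items():
        buf[offset:offset + size] = values.get(name, b"").ljust(size, b"\0")[:size]
    return bytes(buf)


SAMPLE_ITEMS = [   # constructed declaration order
    Item("ACCOUNT", 10),
    Item("TAX-ID", 9, encrypted=True),
    Item("NAME", 20),
    Item("DBFILLER", 5, filler=True),
    Item("BALANCE", 8, encrypted=True),
]


def demo() -> Tuple[bytes, bytes]:
    """Read NAME from a reorganized record with the stale and with the current layout."""
    record = build_record(SAMPLE_ITEMS, {
        "ACCOUNT": b"0000012345", "NAME": b"A. CUSTOMER",
        "TAX-ID": b"<cipher1>", "BALANCE": b"<ciphr2>",   # stand-ins for ciphertext
    })
    stale = read_item(record, declared_layout(SAMPLE_ITEMS), "NAME")
    current = read_item(record, reorganized_layout(SAMPLE_ITEMS), "NAME")
    return stale, current


if __name__ == "__main__":
    print("moved:", moved_items(SAMPLE_ITEMS))
    stale, current = demo()
    print("stale read :", stale)
    print("current read:", current)
```

With the sample declaration, three of the five items change offset, including the non-encrypted NAME field, and a reader using the old DASDL mapping picks up the tail of NAME, the filler and the start of the TAX-ID ciphertext where it expects the name.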