If you already have CRYPTO COMPLETE installed on your System i (iSeries) and
want to see your current installed version, run the command:
Please read the Crypto Complete manuals for complete details on any of the enhancements listed below.
Version 2.50 (10/21/2010)
ENHANCE: Added support for Graphic character types when using Field
Procedures for automatic encryption and decryption.
ENHANCE: Increased the speed of the ACTMLTSBM command. It can now encrypt
up to 40% more records in the same amount of time when using an
external file (to store the encrypted values) and up to 84% more
records when storing the encrypted values internally.
Version 2.43 (09/02/2010)
ENHANCE: Created new IFS encryption and decryption commands, which are
faster than previous commands (ENCFIL/DECFIL) especially when
interacting with tape backup devices. The new commands are
- ENCSTMF (Encrypt IFS Stream File)
- DECSTMF (Decrypt IFS Stream File)
Multiple IFS files can be encrypted at once from multiple
folders using wildcards and *INCLUDE/*OMIT criteria. The
encrypted files can be stored to the IFS or a tape device. The
user can specify either a password or a key for the encryption
process. AES128, AES192 and AES256 algorithms are provided.
Added the new ENCSTMF and DECSTMF commands to the CRYPTO5
menu, which can be accessed with the command "GO CRYPTO/CRYPTO5".
Updated the CL examples of BACKUPALL and RESTOREALL to include
the new ENCSTMF and DECSTMF commands.
ENHANCE: Removed depricated encryption commands (ENCSAVF, DECSAVF, ENCFIL
and DECFIL) from the manual and from the CRYPTO5 menu. Moved
these commmands to the CRYPTO11 legacy menu.
ENHANCE: Qualified the CLRMSTKEY (Clear Master Key) command with the
CRYPTO library when running it from the CRYPTO2 menu, so it
does not interfere with IBM's CLRMSTKEY command.
ENHANCE: Added the option of NOTAUTHFV (named 'Not authorized fill value')
to the field registry. This is a 1-byte value to fill the
returned value on a decryption request (from a DB2 Field
Procedure or a Crypto Complete 'auth' API) if the user is not
authorized to either the full or masked authorization lists.
For instance, if the fill value is '9' and the field length
is 7, then the value of '9999999' will be returned on an
unauthorized decryption request.
Notes on the NOTAUTHFV fill value:
- The fill value is required when a DB2 Field Procedure is
utilized and the return value (FLDPROCOPT) is set to *AUTH.
- If the field type is *CHAR, then the fill value can be a
number, letter or special character (e.g. #, *, %).
- If the field type is *DEC, then the fill value can be a
number from 1 through 9 if a DB2 Field Procedure is being
utilized, otherwise it can be number from 0 through 9.
- The fill value is not allowed for field types of *DATE,
*TIME and *TIMESTAMP.
The NOTAUTHFV parameter was added to the ADDFLDENC, CHGFLDENC,
DSPFLDENC and CHGFLDAUTL commands. Documented in Programmers
ENHANCE: Enhanced 'auth' program APIs to return the fill value (NOTAUTHFV)
when the user is not authorized to the full or masked value.
ILE APIs affected are DecFldAuth and GetEncFldAuth. Program APIs
affected are CRRP637 and CRRP638. SQL functions affected are
F_DecFldAuth, F_getEncfldAuth and F_getEncfldAuthChr. Stored
Procedures affected are P_DecFldAuth and P_GetEncFLdAuth.
ENHANCE: Enhanced the Field Procedures to not update the field value if
it contains the masked or fill value.
ENHANCE: Added edit check to TRNFLDKEYF command to make sure the user
has authority to the FULL value for all fields (which have
Field Procedures) in the file.
ENHANCE: When activating or deactivating a field with the ACTFLDENC or
DCTFLDENC commands, make sure the user has authority to the
FULL value for all fields (which have Field Procedures) in the
FIX: Added edit check to TRNFLDKEYI command to make sure the field
does not use Field Procedures.
FIX: Removed the CLEAR option from the ENCSAVLIB and ENCSAVOBJ
commands since that option is not supported by streaming API.
FIX: Fixed the ENDOPT parameter for the ENCSAVLIB, DECRSTLIB,
ENCSAVOBJ and ENCRSTOBJ commands, so it does not always
FIX: Fixed the ENCSAVLIB and ENCSAVOBJ commands so they do not lock
lock the destination tape or file if an error occurs.
FIX: Fixed the DECRSTLIB and DECRSTOBJ commands so they do not lock
the source tape or file if an error occurs.
Version 2.42 (08/6/2010)
ENHANCE: Enhanced help text on various commands within Crypto Complete.
Version 2.41 (07/30/2010)
ENHANCE: Provided support for DB2 Field Procedures which IBM made available
in V7R1. This is a technique which allows for the automatic
encryption/decryption of fields, which is an alternative approach
to using triggers and API calls. DB2 Field Procedures also allow
storing the 'encoded' encrypted values within the existing file,
which is especially useful for numeric fields. [In the past, a
separate external file had to be created to store the encrypted
values for numeric fields.]
The following changes were made to support DB2 Field Procedures:
> Added the new option of USEFLDPROC to the field registry to
allow an authorized user to specify if DB2 Field Procedures
should be used for the field. This option was added to the
ADDFLDENC, CHGFLDENC and DSPFLDENC commands.
> Allowed encryption of integer, date, time and timestamp data
types in the field registry.
> Added a new edit to allow a masking format to be specified for
a field only if it's character (alpha) with a length which
does not exceed 30 bytes.
> On the activation of a field (using ACTFLDENC), use the SQL
ALTER TABLE command to add the DB2 field procedure to the file.
This will perform a mass encryption of the current field values
and store those values in the 'encoded' portion of the field
within the file. Future inserts/updates of the field will
cause the field procedure to be called, which will encrypt
the value and encode it.
> On the deactivation of the field (using DCTFLDENC), use the SQL
ALTER TABLE command to remove the field procedure from the file.
This will perform a mass decryption of the field values and
return the field to its original state (unencoded).
> Created a new command called TRNFLDKEYF, which will translate
(rotate) the key used to encrypt the field values. This command
will read all the records in the file and will decrypt each
field value with the old key and re-encrypt the 'encoded' value
with the new key specified. It will then set the new key for
any new values to encrypt.
ENHANCE: Added a new Key Policy option named LMTALLOBJ (Limit all-Object).
This new option, when set to *YES, will cause Crypto Complete to
perform its own authority check on any requested Key Store or
Authorization List when the user has *ALLOBJ authority. This
user's profile (or group profile which it belongs) must be
specifically listed as an authority entry (with at least *USE
authority) on the Key Store or Authorization List.
For an *ALLOBJ user, this authority check will be performed in
any function that requests a key from a Key Store, including
the encrypt/decrypt functions and key management commands (e.g.
CPYSYMKEY, DLTSYMKEY, WRKSYMKEY, DSPSYMKEY, etc.)
This authority check is also performed when determining which
value (full, masked or none) to return on a decrypt function,
which is based on the authorization lists assigned to the field
in the field registry.
ENHANCE: Added the new option of FLDPROCOPT to the field registry, which
can be specified when DB2 Field Procedures are used. This
option determines which field value is returned (based on
user permissions) from the DB2 Field Procedure to the
application on a read operation. The user's permissions to the
field are determined by the authorization lists specified on the
AUTLDEC and AUTLMASK parameters on the Field Encryption Registry
The FLDPROCOPT option was added to the ADDFLDENC, CHGFLDENC
and DSPFLDENC commands.
Valid options for FLDPROCOPT are:
*FULL = Returns the fully decrypted value if the user has at
least *USE rights to the authorization list specified
on the AUTLDEC parameter (or if *NONE is specified
on that parameter). Otherwise an error with the
message id of CPF504D will be generated in the
application performing the read. The *FULL option is
available for *CHAR, *DEC, *DATE, *TIME and
*TIMESTAMP data types.
*AUTH = For character (*CHAR) fields, this option returns
either: 1) the full value if the user has at least
*USE rights to the authorization list specified on
the AUTLDEC parameter (or if *NONE is specified on
that parameter) or 2) the masked value if the user
has at least *USE rights to the authorization list
specified on the AUTLMASK parameter (or if *NONE is
specified on that parameter) or 3) blanks if the
user does not have at least *USE rights to either
For decimal/numeric (*DEC) fields, this option
returns the full value if the user has at least *USE
rights to the Authorization List specified on the
AUTLDEC parameter (or if *NONE is specified on that
parameter). Otherwise (if not authorized) zeros are
The *AUTH option is not valid for *DATE, *TIME and
*TIMESTAMP data types.
ENHANCE: Added the option LSTINDSTG to the field registry, which allows
an authorized user to specify the object type to store the
'last index number used'. This option is available when storing
the encrypted values in an external file, which uses index
numbers for sequencing. Each time a record is written (inserted)
to the external file, the ?last index number used? is retrieved
from the object, increased by 1, assigned to the new record and
saved back to the object. Valid options are:
*FLDREG = Store the last index number used in the field registry
object, which is a validation list (*VLDL) with
the name of CRVL002. This is the default option.
*PF = Store the last index number in a physical file
with the name of CRPF002. A physical file
may be easier to replicate (than a *VLDL) with a
High Availability tool. A physical file will also
provide better performance (than a *VLDL) when a high
volume of inserts occurs for the field, due to the
file's ability to handle locks more efficiently.
ENHANCE: Added the option of AUTLCACHE to the field registry, which allows
you to specify if the permissions for authorization lists
are 'cached' in memory. Valid values are:
*YES = Caching will occur. When a field decrypt operation is
performed, the permissions for the authorization lists
will be saved (in memory) and used in future authority
checks [for decrypt operations] within the job. This
caching option provides the best performance. Please
note: In order to recognize any permission changes to
the authorization lists, the jobs [that are performing
decrypt operations] will need to be restarted.
*NO = Caching will not occur. The permissions to the
authorization lists will be checked each time a decrypt
operation is performed. This option is useful when you
want changes to the authorization lists to be
immediately recognized by jobs that are performing
decrypt operations, or if you want to take advantage
of program adopted authority when determining
permissions to an authorization list.
The AUTLCACHE parameter was added to the ADDFLDENC, CHGFLDENC,
DSPFLDENC and CHGFLDAUTL commands.
ENHANCE: Enhanced the HTTP_GetConnection procedure to not reconnect if
the connection has already been made and the parameters have
not changed. This will ensure better performance for remote
applications for a tokenized environment.
ENHANCE: Changed messages CRE0387, CRE0393 and CRE0497 to include the
field lengths found in the file.
ENHANCE: Write an error message (CRE0380) to the job log if the license
key for Crypto Complete is expired.
FIX: Corrected the message logged to the audit journal when changing
the SYSLOG facility or severity on an alert entry. It now logs
the text values for the facility and severity [instead of the
underlying numeric values].
FIX: Fixed an issue when using CBC mode for a field in the Registry
which stored the encrypted values in an external file. The Init
Vector was inadvertently changed when encrypting new values,
which would cause the values to get various Init Vectors.
FIX: Fixed the DECRSTOBJ (Decrypt Restore Object) command when using
options VOL(*MOUNTED) and SEQNBR(*SEARCH) to not return the
message Volume '*NONE ' is not correct.
FIX: When building the trigger names for a field in the registry,
use an underscore to replace any period that may be in the file
or field name.
FIX: Fixed the HTTP_GetFldTkn procedure to be able to work with
encrypted values that contain single quotes.
FIX: Fixed the SYSLOG send program so it would work even if
observability was removed.
Version 2.22 (03/17/2010)
ENHANCE: Added a new procedure named PtgEnc to encrypt data in a format
that is compatible with Protegrity cryptographic functions. This
procedure is contained in service program CRSP512. See the
programmer's guide for more details.
ENHANCE: Added a new procedure named PtgDec to decrypt data from a
Protegrity format. This procedure is contained in service program
CRSP512. See the programmer's guide for more details.
ENHANCE: Added a log entry [to the audit journal file] from the trigger
encryption program when a field registry entry is not found.
ENHANCE: Send a message to the job log when unable to write to the journal.
ENHANCE: On the CRTSYMKEY, increased the size of the SALT field from 16 to
32 characters when creating the key using the *MANUAL option.
FIX: When creating a Data Encryption key with GENOPT(*PASS) and
ASCII(*YES), the character @ was being ignored. When the key
was generated, blanks were trimmed out of the key.
FIX: Changed the IMPPTGKEY to use the Key Algorithm from the Key
Encrytion Key when decrypting the keys to import.
FIX: Changed the IMPPTGKEY to use the Algorithm '*TDES' when the
value of '3DES' is passed by Protegrity.
FIX: Changed the EncAdv3 and EncAdv4 procedures to pad correctly
when using *TDES and numeric padding.
FIX: Change the DecAdv3 and DecAdv4 procedures to remove the padding
correctly when using *TDES and numeric padding.
Version 2.21 (02/12/2010)
FIX: When deactivating a variable-length field in the field encryption
registry, and if the encrypted values are externally stored, fix
an issue with the external index out of bounds error.
FIX: Fixed functions F_GetEncFldChr, F_GetEncFldMaskChr,
F_GetEncFldAuthChr and F_UpdEncFldChr to not generate an
"out of bounds" error when the external index is stored in a
FIX: Improved the performance of the HTTP_GetEncFld, HTTP_GetEncFldMask,
and HTTP_GetEncFldAuth procedures.
FIX: Was not sending out an alert when using the audit
category of *ALL and no other alerts existed.