IFS, PASE and encryption

  • IFS, PASE and encryption

    Hello!

    First of all, sorry if my question sounds stupid... I'm just new to the AS400 world, so I'm not very familiar with it. In fact, this is my first post. I come from the Unix world, so there are some things that I don't know how to do in the AS400 environment. Ok... I will try to describe the scenario in order to clarify my problem. Sorry if the post is a little long.

    We have an application written in C for encryption of files. This application generates a binary encrypted file with certain characteristics from any source file. We want to use this application in order to encrypt our backups in the AS400 environments. So, I ported the application to an AIX system and then copied the generated binary to the AS400. By using the PASE framework in the AS400 (call qp2term), the application works without any problem. The idea is that the sysadmins of the AS400 generate the backups as a SAVF file in the /qsys.lib path, and then I encrypt the generated files by using my application. After that, the encrypted file must be copied to the tapes, which is the responsibility of the sysadmins. And now my questions...
    • If I try to generate the encrypted file inside the same path of the source SAVF file inside the /qsys.lib, the application breaks and it is not possible to generate such file. I suspect (I'm not sure) that AS400 dislikes the format of my binary encrypted file, since if I perform a simple echo "hello world" > encdata.file in /qsys.lib the system truncates the content of the file. Is the format of the binary encrypted file the problem and the reason why the application can't generate the destination file?
    • We have tried to encrypt a SAVF file from /qsys.lib to /tmp in order to avoid the previous problem, and it works without any problem. However, if we consider the decryption... that is, to decrypt a file from /tmp to /qsys.lib, the process is very very very slow. In fact, if I just copy a file of 11GB from /tmp to /qsys.lib it needs about 45 minutes. However, if I copy the same file from /tmp to /tmp (with a different name), the process only needs 6 minutes. Therefore, this proves that there isn't a problem related to the storage/disks. Does anyone know if there is a way to improve the speed of this process, and if it is normal that the process of copying from /tmp to /qsys.lib is slow?
    • As an alternative, we are planning to migrate the application and use the crypto API of the AS400 directly (i.e. Qc3EncryptData, etc...). Does anyone know if it is possible to use the crypto API in order to generate an encrypted SAVF file directly? That is... by avoiding generating the SAVF file first and then encrypting it? Is there any example code as a starting point?


    Thank you in advance!

    Novice400

  • #2
    Re: IFS, PASE and encryption

    There are quite a few details that need to be added, but also there are a couple basic principles that might help keep you going in the right direction.

    The /QSYS.LIB path designates a specific kind of "file system". It's not merely a directory path. As a file system, the operations that are allowed against objects within it are restricted.

    First, things within it are 'objects' (as are most things on the AS/400) that may only be operated on through the methods that are made available by that type of object. A savefile is a particular kind of '*FILE' object, so only '*FILE' methods that are allowed for savefiles can be used. You can't simply access bytes in a '*FILE' object; you must use appropriate database methods. And the OS places some restrictions on *.SAVF objects beyond general '*FILE' ones. In general, for example, while it's possible to use normal database reads and writes for savefiles, the records are fixed-length 512 bytes and can't be anything else. I've never tried to encrypt savefile records themselves, but it should work as long as you don't step outside of the DB2 database functions.

    Second, you can use the CPYTOSTMF command to copy the content of a savefile out of /QSYS.LIB into a simple streamfile in one of the other file systems, e.g., into the /QOpenSys or /root file system. Once it's just a streamfile, you can encrypt/decrypt all you want. And if you use a .SAVF extension for any decrypted copy, when you copy the content back into a new file in /QSYS.LIB (using CPYFRMSTMF), the file system will automatically create the new '*FILE' object as a savefile file type.

    In short, for this encrypt/decrypt, it seems that you'd really want to do it over a streamfile copy. Once encrypted, the streamfile can be put on tape, copied to a network share or put wherever desired. When needed later, it would be returned to the encryption/decryption location, then decrypted, and copied back into a *.SAVF file in /QSYS.LIB in order to cause it to be a valid "savefile" again. The decrypted bytes would need to be exactly the same as the ones before encryption.

    Tom

    There are only two hard things in Computer Science: cache invalidation, naming things and off-by-one errors.

    Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?

    Comment


    • #3
      Re: IFS, PASE and encryption

      Thank you Tom!

      I have just discovered the CPYFRMSTMF command, which has allowed me to copy the decrypted file from /tmp to /qsys.lib in just 8 minutes. If we compare this time to the time needed by the cp command in PASE (45 minutes), the improvement is remarkable :-)

      I have also discovered some commercial products which claim that they can allow you to encrypt or compress the SAVF files. One example is absCompress (http://www.seasoft.com/abscompress.asp). I would like to know how these products work from a programmatic standpoint. I mean... if they first generate the SAVF file and then compress/encrypt the resulting file, or if they use some mechanism (i.e. something like pipes? streams?) in order to compress/encrypt the file while it is being generated. This would allow me to encrypt the file directly, avoiding generating the SAVF file first and then encrypting it. Does anyone know if there is a mechanism to do this?

      Novice400

      Comment


      • #4
        Re: IFS, PASE and encryption

        /QSYS.LIB is the native (and original) file system of the IBM i operating system (the current generation of the operating system is called IBM i. Older generations were called i5/OS, and before that OS/400. OS/400 ran on hardware called AS/400 that was discontinued 13 years ago... so... IBM i is what you're really referring to when you say "AS400"... not sure if you were aware of that.)

        As Tom said, it's an object-based file system, which is a pretty unique thing -- but is very powerful. Each type of "object" on disk (file, program, user profile, data area, etc, etc) has its own attributes unique to that type of object. The system actually enforces that each object can only be used in the proper way for its object type. So, you cannot execute a file, you cannot write to or read from a program, etc. In unix, everything is a file (including a program) so it's a whole different world.

        A "save file" (which is a *FILE object with SAVF attribute) is a good example of this. It's not just a string of bytes... it's specifically a save file. Save files are organized into "records", and each record has a particular structure. There are also checksums within a save file to make sure the data isn't corrupt. These values have to be correct for the data inside of it. When you write data to a save file, the system verifies this stuff as it's written -- so if your data isn't organized into records, or the records don't have the right structure, or don't have the proper checksums in the proper places, then you will get an error and be unable to write the data.

        This guards against data corruption. It's also a huge security feature, since a malicious piece of software can't just modify the data in a save file to create a "virus" (or similar malware).

        Anyway... you can't encrypt the data inside the save file because this screws up the structure and the checksums, so the system won't allow it. When you copy it to /tmp, you are moving it into a completely different file system, and storing it in a stream file (which is like a Unix file... it's just a string of bytes with no particular structure -- at least, none that the OS knows about.) That's why you can do the encryption in /tmp.

        IF you wish to do this natively, my suggestion would be to check out the QaneSava/QaneRsta APIs. This allows the system to create save files, but instead of storing them on disk in a SAVF *FILE object, the data is passed to your program. Your program can then do the crypto and save the data directly to a stream file. When restoring, obviously, it'd go the other way, your program would read the stream file, decrypt it, and feed it into the system process that restores the objects.

        I've done stuff like this for saving data to a cloud backup... My program gets the data (instead of it being written to disk) and I encrypt it and immediately (as it's being saved) I write it to the web service that talks to the cloud. It performed pretty well -- but, of course, in my situation, the bottleneck was the network speed, not the crypto speed... so YMMV.

        Comment


        • #5
          Re: IFS, PASE and encryption

          Originally posted by novice400
          ... This application generates a binary encrypted file with certain characteristics from any source file. We want to use this application in order to encrypt our backups in the AS400 environments. ... After that, the encrypted file must be copied to the tapes, which is the responsibility of the sysadmins. ...
          Have you seen this?
          Regards

          Kit
          http://www.ecofitonline.com
          DeskfIT - ChangefIT - XrefIT
          ___________________________________
          There are only 3 kinds of people -
          Those that can count and those that can't.

          Comment


          • #6
            Re: IFS, PASE and encryption

            Originally posted by Scott Klement View Post
            IF you wish to do this natively, my suggestion would be to check out the QaneSava/QaneRsta APIs. This allows the system to create save files, but instead of storing them on disk in a SAVF *FILE object, the data is passed to your program. Your program can then do the crypto and save the data directly to a stream file. When restoring, obviously, it'd go the other way, your program would read the stream file, decrypt it, and feed it into the system process that restores the objects.
            Thank you very much Scott!!!

            This helps me a lot! The QaneSava/QaneRsta API is what I have been looking for. Now I'm playing with these APIs; however, I have a strange error which I don't know how to correct. I have tried to use the APIs in an ILE C program. The program first creates a User Space under the same library as the code (MYLIB), and then calls the QaneSava API in order to "encrypt and backup" the same library MYLIB through the exit program MYLIB/ENCRYPT. Then the program launches the following exception with the QaneSava API:

            CPFB8C7 E Unsupported value for &1 API.

            the reason for which I don't know. Could anyone advise me about how to correct the problem, or where the root of the exception is? The code of the application is:

            Code:
            #include <stdio.h>
            #include <stdlib.h>
            #include <string.h>
            #include <qusec.h>
            #include <qus.h>
            #include <quscrtus.h>
            #include <qusptrus.h>
            #include <qane.h>
            #include <qaneserv.h>
            
            /* -------------------------------------------------------------------------- */
            
            #define BKP_USRLIB   "MYLIB     "               /* User Space Library Name    */
            #define BKP_USROBJ   "BACKUPOBJ "               /* User Space Object Name     */
            #define BKP_QUSRSPC  BKP_USROBJ BKP_USRLIB      /* User Space Qualified Name  */
            #define BKP_EXIT_LIB "MYLIB     "               /* Exit Program Library Name  */
            #define BKP_EXIT_PRG "ENCRYPT   "               /* Exit Program Name          */
            #define BKP_SAVE_CMD "LIB(MYLIB)"               /* Save Command               */
            #define SAVLIB_CMD   4                          /* Save Library Command = 4   */
            #define TGT_CURRENT  "*CURRENT"
            #define USRFMTNAM    "SVRS0100"
            #define STAFMTNAM    "SRST0100"
            
            /* -------------------------------------------------------------------------- */
            
            int main(void)
            {
               Qus_EC_t        errCode;
               char            ini_val = 0x00;
               Qane_SVRS0100_t *pSvrs;
               Qane_SRST0100_t pSrst;
               int             lenSrst;
               memset(&errCode, 0, sizeof(errCode));
            
               /* Create user space object for QaneSava --------------------------------- */
               QUSCRTUS(BKP_QUSRSPC,
                     "          ",
                     1024,
                     &ini_val,
                     "*CHANGE   ",
                     "                                                  ",
                     "*YES      ",
                     &errCode);
            
               /* Get a pointer of the user space object and update --------------------- */
               QUSPTRUS(BKP_QUSRSPC, &pSvrs, &errCode);
               pSvrs->Struct_Len  = sizeof(Qane_SVRS0100_t) + strlen(BKP_SAVE_CMD);
               pSvrs->CmdParm_Off = sizeof(Qane_SVRS0100_t);
               pSvrs->CmdParm_Len = strlen(BKP_SAVE_CMD);
               pSvrs->AppDta_Off  = 0;
               pSvrs->AppDta_Len  = 0;
               pSvrs->Cmd_Type    = SAVLIB_CMD;
               strcpy(pSvrs->Exit_Pgm, BKP_EXIT_PRG);
               strcpy(pSvrs->Exit_Lib, BKP_EXIT_LIB);
               strcpy(pSvrs->Tgt_Rls,  TGT_CURRENT);
               strcpy((char *)(pSvrs + pSvrs->CmdParm_Off), BKP_SAVE_CMD);
            
               /* Execute QaneSava process ---------------------------------------------- */
               lenSrst = sizeof(Qane_SRST0100_t);
               memset(&errCode, 0, sizeof(errCode));
               QaneSava(BKP_QUSRSPC, USRFMTNAM, STAFMTNAM, &pSrst, &lenSrst, &errCode);
            
               return 0;
            }

            Comment


            • #7
              Re: IFS, PASE and encryption

              Originally posted by kitvb1 View Post
              Thank you Kit!

              Yes, we know that there are some hardware mechanisms to encrypt the data transparently. However, we apply a particular encryption method which is not provided by these "hardware devices", so this is the reason why we implement the encryption/backup in software.

              Novice 400

              Comment


              • #8
                Re: IFS, PASE and encryption

                Review the rest of the message:
                Cause . . . . . : Value &2 beginning at decimal offset &3 of user space &4
                in library &5 is not supported.
                There isn't a lot we can tell you about it without seeing the actual resolved message and seeing what's in the user space at the noted offset. The first hundred or so bytes of the user space would probably be sufficient if you're doing some basic testing.

                In general, the error is saying that the user space doesn't contain a data structure that is formatted according to the SVRS0100 format or that values in that data structure are invalid. The decimal offset will point to the specific bytes.

                Tom

                Comment


                • #9
                  Re: IFS, PASE and encryption

                  Originally posted by tomliotta View Post
                  Review the rest of the message:

                  There isn't a lot we can tell you about it without seeing the actual resolved message and seeing what's in the user space at the noted offset. The first hundred or so bytes of the user space would probably be sufficient if you're doing some basic testing.

                  In general, the error is saying that the user space doesn't contain a data structure that is formatted according to the SVRS0100 format or that values in that data structure are invalid. The decimal offset will point to the specific bytes.

                  Tom
                  Sorry Tom, but when you say "Review the rest of the message...", where can I see "the rest of the message"? When I execute the program, the only thing that I can see in the terminal is the number of the exception CPFB8C7, and in the URL of the QaneSava API I get the "Unsupported value for &1 API." (http://publib.boulder.ibm.com/infoce...2FQaneSava.htm).

                  I can't see where the problem with the content of the user space object is, since I have obtained a pointer to it by means of the QUSPTRUS API, and then I have filled all the elements of the structure. I feel completely lost with this new environment.

                  Is there a way to show you the content of the user space object in order to discover the source of the problem?

                  Novice

                  Comment


                  • #10
                    Re: IFS, PASE and encryption

                    Code:
                                             Additional Message Information                       
                                                                                                  
                     Message ID . . . . . . :   CPFB8C7       Severity . . . . . . . :   40       
                     Message type . . . . . :   Escape                                            
                     Date sent  . . . . . . :   06/12/13      Time sent  . . . . . . :   11:41:02 
                                                                                                  
                     Message . . . . :   Unsupported value for QaneSava API.                      
                     Cause . . . . . :   Value 0X00 beginning at decimal offset 52 of user space  
                       BACKUPOBJ in library MYLIB is not supported.                               
                     Recovery  . . . :   Correct the problem and try the request again.

                    Comment


                    • #11
                      Re: IFS, PASE and encryption

                      Originally posted by Scott Klement View Post
                      Code:
                                               Additional Message Information                       
                                                                                                    
                       Message ID . . . . . . :   CPFB8C7       Severity . . . . . . . :   40       
                       Message type . . . . . :   Escape                                            
                       Date sent  . . . . . . :   06/12/13      Time sent  . . . . . . :   11:41:02 
                                                                                                    
                       Message . . . . :   Unsupported value for QaneSava API.                      
                       Cause . . . . . :   Value 0X00 beginning at decimal offset 52 of user space  
                         BACKUPOBJ in library MYLIB is not supported.                               
                       Recovery  . . . :   Correct the problem and try the request again.
                      Scott, where did you get this? I just press F1 in the status line where the exception information appears and it doesn't report such a message. Sorry for this simple question, but as I have said I'm completely new to the AS400 environment. We use v5r4; is this the cause why we don't get the same type of error messages?

                      Novice

                      Comment


                      • #12
                        Re: IFS, PASE and encryption

                        You'd get the CEE9901 ("Application Error, XXXX unmonitored by ....") error in your status line. If you hit F1 on that, it'll give you an F10=Display messages in job log. Then, put the cursor on the "Unsupported value" error message and press F1.

                        Comment


                        • #13
                          Re: IFS, PASE and encryption

                          Anyway, I don't have time to debug your code right now -- but it appears that the BKP_SAVE_CMD (which goes at offset 52) isn't making it into the user space -- likely a bug in the way you're copying the data. Maybe that'll point you in the right direction.

                          Comment
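
                          The copy slip Scott points at can be reproduced off the box. The following is an added example, not code from this thread: the struct is a constructed stand-in for Qane_SVRS0100_t using the post's field names and the 52-byte header implied by the error message, and the union stands in for the *USRSPC. It shows both why offset 52 holds 0x00 (strcpy's terminator) and where `pSvrs + CmdParm_Off` actually lands (the offset is scaled by sizeof(*pSvrs), not bytes), next to the corrected copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SAVE_CMD  "LIB(MYLIB)"
#define SPACE_LEN 4096   /* bigger than the post's 1024 so the stray write stays inside the buffer */

/* Constructed stand-in for Qane_SVRS0100_t (field names from the post; offsets
   assumed from the error message, which puts the command parameters at 52). */
typedef struct {
    int32_t Struct_Len, CmdParm_Off, CmdParm_Len, AppDta_Off, AppDta_Len, Cmd_Type;
    char    Exit_Pgm[10];
    char    Exit_Lib[10];
    char    Tgt_Rls[8];
} Svrs0100_t;                       /* sizeof == 52 bytes */

/* Stand-in for the user space: header followed by the command parameter string. */
typedef union {
    Svrs0100_t hdr;
    char       bytes[SPACE_LEN];
} UserSpace;

/* Byte distance that `pSvrs + off` really covers: off is scaled by sizeof(*pSvrs). */
long misplaced_offset(const Svrs0100_t *pSvrs, int32_t off)
{
    return (long)((const char *)(pSvrs + off) - (const char *)pSvrs);
}

static void fill_header(Svrs0100_t *h)
{
    memset(h, 0, sizeof *h);
    h->Struct_Len  = (int32_t)(sizeof *h + strlen(SAVE_CMD));
    h->CmdParm_Off = (int32_t)sizeof *h;              /* 52 */
    h->CmdParm_Len = (int32_t)strlen(SAVE_CMD);
    h->Cmd_Type    = 4;                               /* SAVLIB */
}

/* The post's copy logic, applied to the raw bytes. strcpy() appends a NUL, so the
   10-char names write 11 bytes and "*CURRENT" writes 9 into the 8-byte Tgt_Rls:
   that NUL is the 0x00 at offset 52. The command string then goes to 52 * 52 = 2704. */
void fill_buggy(UserSpace *us)
{
    Svrs0100_t *pSvrs = &us->hdr;
    memset(us->bytes, 0, SPACE_LEN);
    fill_header(pSvrs);
    strcpy(us->bytes + offsetof(Svrs0100_t, Exit_Pgm), "ENCRYPT   ");
    strcpy(us->bytes + offsetof(Svrs0100_t, Exit_Lib), "MYLIB     ");
    strcpy(us->bytes + offsetof(Svrs0100_t, Tgt_Rls),  "*CURRENT");
    strcpy((char *)(pSvrs + pSvrs->CmdParm_Off), SAVE_CMD);   /* wrong pointer scale */
}

/* Corrected: blank-padded fields copied without a terminator, and the byte offset
   applied to a char pointer so the command lands where the header says it is. */
void fill_fixed(UserSpace *us)
{
    Svrs0100_t *h = &us->hdr;
    memset(us->bytes, 0, SPACE_LEN);
    fill_header(h);
    memcpy(h->Exit_Pgm, "ENCRYPT   ", sizeof h->Exit_Pgm);
    memcpy(h->Exit_Lib, "MYLIB     ", sizeof h->Exit_Lib);
    memcpy(h->Tgt_Rls,  "*CURRENT",   sizeof h->Tgt_Rls);
    memcpy(us->bytes + h->CmdParm_Off, SAVE_CMD, (size_t)h->CmdParm_Len);
}

/* 1 if the command parameter string sits at the offset the header advertises. */
int cmd_in_place(const UserSpace *us)
{
    const Svrs0100_t *h = &us->hdr;
    return memcmp(us->bytes + h->CmdParm_Off, SAVE_CMD, (size_t)h->CmdParm_Len) == 0;
}
```

                          Dumping the space with DMPOBJ after each version would show the same difference at offset 52 on the real system.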


                          • #14
                            Re: IFS, PASE and encryption

                            Scott most likely has a sample that can generate the error, so he simply created it on his system and copied it. I don't have a useful example on any of the systems currently available to me. I'd go with his description before thinking in a different direction.

                            An easy way to view content of a user space is to run this command:
                            Code:
                            DMPOBJ  mylib/myusrspc  *USRSPC
                            That will create a spooled file named QPSRVDMP in the job that runs the command. Most attributes of the *USRSPC will be dumped in hex including the content of the 'SPACE' itself. (Run DSPJOB to see stuff about a current job.)

                            Beyond that...

                            Maybe the single most helpful thing to dig into for this problem is how to view messages. It's not clear why you would only see an unresolved message text anywhere, especially one that actually shows a substitution variable such as "&1". Usually the substitution variables are shown only when you look directly at the message description itself in a message file. When a message gets sent to a message queue, the substitution variables are replaced with values (even if the value is empty). Scott's example shows that actual values have been inserted into his message.

                            If you're using an emulator, the first thing to do with any message that you don't understand is to move the cursor to some part of the message and press F1. (On almost any system screen, the F1 key will tell you something about whatever the cursor is touching.) The key will even work on any parts of the screens that are shown when you use the key. Learning how the 'Help' functions work will get you a long way. There are additional F-keys listed when you invoke a 'Help' function. (Use F1 on that part of the screen to read about them.)

                            Tom

                            Comment


                            • #15
                              Re: IFS, PASE and encryption

                              DMPOBJ works nicely. Another way to see a user space is to use the DSPF command, because user spaces can be treated as stream files via the IFS interface.
                              Code:
                              DSPF STMF('/QSYS.LIB/MYLIB.LIB/BACKUPOBJ.USRSPC')
                              In DSPF, you can hit F15 to view the data in hex. The only weird thing about this interface is if you have any 0x0a chars, it'll treat them as newlines, which might be a bit confusing... so DMPOBJ might be nicer. (Though, the output of DMPOBJ is ugly, imho.)

                              Comment
