Copy Keys from CKDS for Disaster Recovery and Clear the BES Database

Use the TBEMIGRT utility to copy keys from CKDS to the BES database for use at a disaster recovery site when the disaster recovery site does not have a cryptographic coprocessor. You can then use TBEMIGRT to clear the keys from the BES database.

To copy keys for disaster recovery

  1. When you back up your BES database, run TBEMIGRT with the following PARM= syntax:
    PARM='BES=BESn,FROMCKDS'
    
    n

    Indicates the subsystem of the BES database you are backing up.

    This copies the keys stored in the CKDS to the specified BES database.

  2. Back up your BES mirror database using your tape backup software.

    This makes a backup of the BES database that you can use at the disaster recovery site.

  3. Go to the disaster recovery site and restore the primary and mirror databases using the jobs in the BESDBRST and BESPCOPY members of the CTAPJCL data set.

    The primary and mirror databases at the disaster recovery site are restored with the most recent data.

  4. Operate with the primary and mirror databases for recovery operations.

    CA Tape Encryption runs at the disaster recovery site in a normal manner.

  5. Before you return to your home site, use the job in member BESDBBAK to back up the mirror data set used for recovery operations.

    The backup mirror database is updated with any new keys that may have been generated.

  6. After you return to your home site, run TBEMIGRT against the original BES database with the following PARM= syntax:
    PARM='BES=BESn,TOCKDS,MOVE'
    
    n

    Indicates the subsystem of the BES database you backed up.

    This moves the keys to the CKDS and removes them from the BES database.

    Note: Generally, the keys are already in the CKDS, so the effect of this command is to delete the keys from the BES database. However, any new keys generated from an extended disaster recovery operation would be added to the CKDS, so do not skip this step.