What is FIELDPROC for IBM i 7.1 and Why Do I Care?

If you’re a company using an IBM operating system (AS/400, iSeries) to store your data, but you still haven’t upgraded to V7R1; or if you have upgraded but are not sure how to utilize the new FIELDPROC procedure to best protect your data, don’t be discouraged!

Patrick Townsend, President and CEO of Townsend Security answers some questions about FIELDPROC and how it aids in helping you secure your sensitive data.

Q. What exactly is FIELDPROC?

FIELDPROC is a new feature in V7R1 that was not available in earlier releases of the AS/400 and iSeries. FIELDPROC stands for Field Procedures--it’s a column and field level exit point for the IBM i iDB2 database. There is no need for application changes to encrypt your data when using FIELDPROC.

As an Exit Point, FIELDPROC is not actually encryption software. FIELDPROC allows system administrators to select which data they want to encrypt on a column by column basis, however IBM does not provide actual encryption or key management software that is called on by the exit point. Encryption and Key Management must be implemented by vendors like us who have encryption solutions tailored for FIELDPROC.

Q. What Was Encryption on IBM i Like Before FIELDPROC?

Before the implementation of FIELDPROC, encryption was almost always a complicated, multifaceted application software project involving many application changes. After identifying all fields needing encryption, IBM developers often used SQL views and triggers to implement encryption, but that was only a partial solution.

Developers would have to modify their RPG or COBOL code, and then implement calls to an Application Programing Interface (API) to encrypt and decrypt data on an insert or update. All of those application changes had to be made using IBM’s encryption APIs or vendors like us who offer AES encryption solutions on the IBM i platform and offer independent APIs. After the application changes and encryption were implemented, IBM developers had to test the system over and over again to detect and eliminate points of failure. A grueling process.

Q. How do I Encrypt My Data With V7R1 FIELDPROC?

When you encrypt with V7R1 FIELDPROC, the entire process is automated with no need for application changes. IBM i system administrators first need to identify all fields they want to encrypt. Next, install FIELDPROC exit point software, and then activate it.

Used along side an encryption program, the DB2 database automatically, without application changes, calls on the FIELDPROC exit program to encrypt and decrypt, and retrieve encryption keys. One thing to remember is that using FIELDPROC only as an exit point is not by itself adequate for data security. IBM i administrators must also implement proper key management solutions if they want to not only secure their data but also be PCI DSS compliant.

Q. It seems clear that when we do our next OS upgrade, we should go directly to IBM i V7R1?

IBM customers have started moving to V7R1 from earlier versions (V5R4, V6R1) due to the increased security features that can be implemented with FIELDPROC. In fact, these security features are in such high demand that many V5R4 customers skip V6R1 and go straight to V7R1, and IBM supports this migration. If you’re still running these applications on an older version of the IBM i, you can upgrade to V7R1 and eliminate all of these time consuming application changes associated with data encryption.

Another key feature in V7R1 is a new version of the Secure Shell sFTP application. This is rapidly becoming the file transfer method of choice. And IBM provides version 4.7 in V7R1. If you are doing a substantial amount of file transfers with sFTP, or you plan to do so, you will want all of the latest security patches in OpenSSH.

I know that an operating system upgrade is a lot of work, and that’s why IBM i shops are reluctant to do it very often. And when they do an upgrade, there stay there as long as possible. But FIELDPROC is only available in V7R1, it is not patched back to V6R1. And the latest version of OpenSSH is provided in the V7R1 distribution.

So I think you should skip V6R1 and go directly to V7R1. You won’t want to be locked in to a version of the OS without important security features. And the jump from V5R4 directly to V7R1 is a fully supported path by IBM. I hope I’ve convinced you to consider this important security option as you look at your OS upgrades this year.

About Patrick Townsend

Patrick Townsend has been in the data security industry for more than 30 years and brings both a deep well of knowledge and a unique perspective to the subject. He founded Townsend Security, a company that specializes in data encryption, key management, and managed file transfer solutions. Patrick is an award winning speaker and regularly presents on data security topics. He contributes to standards development at organizations like OASIS and PCI SSC.