ibm.com/redbooks
Front cover
IBM System Storage Data Encryption
Alex Osuna
David Crowther
Reimar Pflieger
Esha Seth
Ferenc Toth
Understand the encryption concepts and terminology
Compare various IBM storage encryption methods
Plan for Tivoli Key Lifecycle Manager and its keystores
http://www.redbooks.ibm.com/
International Technical Support Organization
IBM System Storage Data Encryption
June 2010
SG24-7797-00
Copyright International Business Machines Corporation 2010. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
First Edition (June 2010)
This edition applies to Tivoli Key Lifecycle Manager Version 1
and later and the Encryption Key Manager Release 1 and later.
Note: Before using this information and the product it supports,
read the information in Notices on page xvii.
Contents
Notices . . . xvii
Trademarks . . . xviii

Preface . . . xix
The team who wrote this book . . . xix
Now you can become a published author, too! . . . xx
Comments welcome . . . xxi
Stay connected to IBM Redbooks . . . xxi

Part 1. Introduction to data encryption . . . 1

Chapter 1. Encryption concepts and terminology . . . 3
1.1 Concepts of storage data encryption . . . 4
1.1.1 Symmetric key encryption . . . 4
1.1.2 Asymmetric key encryption . . . 6
1.1.3 Hybrid encryption . . . 9
1.1.4 Digital certificates . . . 9
1.2 IBM Key Management methods . . . 15
1.3 Tivoli Key Lifecycle Manager and Encryption Key Manager . . . 16
1.3.1 IBM Encryption Key Manager . . . 17
1.3.2 Encryption Key Manager components and resources . . . 19
1.3.3 Encryption keys . . . 21
1.3.4 Tivoli Key Lifecycle Manager . . . 21
1.3.5 Tivoli Key Lifecycle Manager components and resources . . . 22

Chapter 2. Introduction to storage data encryption . . . 27
2.1 IBM tape drive encryption . . . 28
2.2 IBM System Storage DS5000 series with encryption support . . . 29
2.3 DS8000 series with encryption support . . . 31
2.3.1 Encryption updates in DS8000 R5.0 . . . 33
2.4 Storage data encryption . . . 34
2.4.1 Encryption of data on IBM tape drives . . . 34
2.4.2 Encryption of data in IBM System Storage DS5000 Series . . . 35
2.4.3 Encryption of data in IBM System Storage DS8000 Series . . . 37
2.5 Encryption data . . . 41
2.5.1 IBM tape drive . . . 41
2.5.2 IBM Storage Series DS5000 and DS8000 . . . 43
2.6 Using data encryption . . . 44
2.6.1 Encrypting data in the tape drive . . . 44
2.6.2 Encrypting data on disk drives . . . 45
2.6.3 Fundamentals to encryption: Policy and key management . . . 46

Chapter 3. IBM storage encryption methods . . . 49
3.1 Tivoli Key Lifecycle Manager . . . 50
3.1.1 Tivoli Key Lifecycle Manager components and resources . . . 51
3.1.2 Key exchange . . . 53
3.2 IBM Encryption Key Manager . . . 54
3.2.1 Encryption Key Manager components and resources . . . 56
3.3 TS1120, TS1130, and LTO4 tape drive encryption . . . 58
3.3.1 Key exchange . . . 59
3.4 DS8000 disk encryption . . . 60
3.4.1 Encryption key management . . . 62
3.4.2 Encryption deadlock . . . 67
3.4.3 Encryption recovery key support . . . 68
3.4.4 Dual platform key server support . . . 70
3.5 Comparing tape encryption methods . . . 73
3.5.1 System-Managed Encryption . . . 74
3.5.2 Library-Managed Encryption . . . 77
3.5.3 Encrypting and decrypting with SME and LME . . . 79
3.5.4 Application-Managed Encryption . . . 81
3.5.5 Mixed mode example . . . 84

Chapter 4. IBM System Storage tape automation for encryption . . . 87
4.1 IBM System Storage TS1130 and TS1120 tape drive . . . 88
4.1.1 Tape data encryption support . . . 89
4.1.2 TS1120 characteristics . . . 89
4.1.3 TS1130 characteristics . . . 91
4.1.4 3592 cartridges and media . . . 93
4.2 IBM System Storage TS1120 Tape Controller . . . 95
4.2.1 IBM TS1120 Tape Controller characteristics . . . 96
4.2.2 IBM TS1120 Tape Controller encryption support . . . 97
4.2.3 Installation with an IBM TS3500 Tape Library . . . 97
4.2.4 Installation with an IBM TS3400 Tape Library . . . 99
4.2.5 Installation with an IBM 3494 Tape Library . . . 100
4.2.6 IBM TotalStorage 3592 Model J70 Tape Controller . . . 101
4.3 IBM Virtualization Engine TS7700 . . . 102
4.4 IBM LTO Ultrium tape drives and libraries . . . 104
4.4.1 Linear Tape-Open overview . . . 105
4.4.2 LTO media . . . 106
4.4.3 IBM System Storage TS2240 Tape Drive Express Model . . . 108
4.4.4 IBM System Storage TS2340 Tape Drive Express Model . . . 109
4.4.5 IBM System Storage TS1040 Tape Drive . . . 110
4.4.6 IBM System Storage TS2900 Tape Autoloader . . . 111
4.4.7 IBM System Storage TS3100 Tape Library . . . 111
4.4.8 IBM System Storage TS3200 Tape Library . . . 113
4.4.9 IBM System Storage TS3310 Tape Library . . . 115
4.5 IBM System Storage TS3400 Tape Library . . . 118
4.6 IBM System Storage TS3500 Tape Library . . . 120
4.6.1 TS3500 frames . . . 121
4.6.2 TS3500 characteristics . . . 124
4.7 IBM TotalStorage 3494 Tape Library . . . 131

Chapter 5. Full Disk Encryption technology in disk subsystems . . . 133
5.1 FDE fundamentals . . . 134
5.2 Hardware implementation details . . . 135
5.3 FDE disks in storage products . . . 136

Part 2. IBM System Storage DS5000 . . . 139

Chapter 6. Understanding Full Disk Encryption in DS5000 . . . 141
6.1 FDE disk drives . . . 142
6.1.1 Securing data against a breach . . . 142
6.2 Creating a security key . . . 143
6.3 Changing a security key . . . 144
6.4 Security key identifier . . . 144
6.5 Unlocking secure drives . . . 148
6.6 Secure erase . . . 149
6.7 FDE security authorizations . . . 149
6.8 FDE key terms . . . 151

Chapter 7. Configuring encryption on DS5000 with Full Disk Encryption drives . . . 153
7.1 The need for encryption . . . 154
7.1.1 Encryption method . . . 154
7.2 Disk Security components . . . 156
7.2.1 DS5000 Disk Encryption Manager . . . 156
7.2.2 Full Data Encryption disks . . . 157
7.2.3 Premium feature license . . . 157
7.2.4 Keys . . . 157
7.2.5 Security key identifier . . . 157
7.2.6 Passwords . . . 158
7.3 Setting up and enabling the Secure Disk feature . . . 159
7.3.1 FDE and the premium feature key check . . . 159
7.3.2 Secure key creation . . . 160
7.3.3 Enable disk security on the array . . . 162
7.4 Additional secure disk functions . . . 163
7.4.1 Changing the security key . . . 164
7.4.2 Saving the security key file . . . 165
7.4.3 Secure disk erase . . . 166
7.4.4 FDE drive status . . . 167
7.4.5 Hot-spare drive . . . 167
7.4.6 Log files . . . 168
7.5 Migrating secure disk arrays . . . 168
7.5.1 Planning checklist . . . 169
7.5.2 Export the array . . . 169
7.6 Import secure drive array . . . 172
7.6.1 Unlock drives . . . 173
7.6.2 Import array . . . 174

Chapter 8. DS5000 Full Disk Encryption best practices . . . 177
8.1 Physical asset protection . . . 178
8.2 Data backup . . . 179
8.3 FDE drive security key and the security key file . . . 179
8.4 DS subsystem controller shell remote login . . . 181
8.5 Working with Full Disk Encryption drives . . . 181
8.6 Replacing controllers . . . 182
8.7 Storage industry standards and practices . . . 182

Chapter 9. Frequently asked questions . . . 183
9.1 Securing arrays . . . 184
9.2 Secure erase . . . 184
9.3 Security keys and passphrases . . . 185
9.4 Premium features . . . 185
9.5 Global hot-spare drives . . . 186
9.6 Boot support . . . 186
9.7 Locked and unlocked states . . . 187
9.8 Backup and recovery . . . 187
9.9 Additional questions . . . 187
Part 3. Implementing tape data encryption . . . 189

Chapter 10. Planning for software and hardware to support tape drives . . . 191
10.1 Encryption planning . . . 192
10.2 Planning assumptions . . . 192
10.3 Encryption planning quick-reference tables . . . 193
10.4 Choosing encryption methods . . . 196
10.4.1 Encryption method comparison . . . 197
10.4.2 System z encryption methods . . . 197
10.4.3 Open systems encryption methods . . . 198
10.4.4 Decision time . . . 199
10.5 Solutions available by operating system . . . 199
10.5.1 The z/OS solution components . . . 199
10.5.2 z/VM, z/VSE, and z/TPF solution components for TS1120 drives . . . 202
10.5.3 IBM System i encryption solution components . . . 204
10.5.4 AIX solution components . . . 206
10.5.5 Linux on System z . . . 209
10.5.6 Linux on System p, System x, and other Intel or AMD Opteron servers . . . 210
10.5.7 HP-UX, Sun, and Microsoft Windows components . . . 213
10.5.8 Tivoli Storage Manager . . . 216
10.6 Ordering information . . . 216
10.6.1 TS1120 tape drive prerequisites . . . 216
10.6.2 Tape controller prerequisites . . . 218
10.6.3 LTO4 and LTO5 tape drive prerequisites . . . 219
10.6.4 Tape library prerequisites . . . 220
10.6.5 Other library and rack open systems installations . . . 222
10.6.6 TS7700 Virtualization Engine prerequisites . . . 222
10.6.7 General software prerequisites for encryption . . . 223
10.6.8 TS1120 and TS1130 supported platforms . . . 224
10.6.9 IBM LTO4 and LTO5 tape drive supported platforms . . . 225
10.7 Other planning considerations for tape data encryption . . . 226
10.7.1 In-band and out-of-band . . . 226
10.7.2 Performance considerations . . . 227
10.7.3 Encryption with other backup applications . . . 227
10.7.4 ALMS and encryption in the TS3500 library . . . 228
10.7.5 TS1120 and TS1130 rekeying considerations . . . 229
10.8 Upgrade and migration considerations . . . 230
10.8.1 Potential issues . . . 230
10.8.2 TS1120 and TS1130 compatibility considerations . . . 231
10.8.3 DFSMSdss host-based encryption . . . 235
10.8.4 Positioning TS1120 Tape Encryption and Encryption Facility for z/OS . . . 236

Chapter 11. Planning for Tivoli Key Lifecycle Manager and its keystores . . . 237
11.1 Tivoli Key Lifecycle Manager planning quick reference . . . 238
11.2 Tivoli Key Lifecycle Manager and keystore considerations . . . 241
11.2.1 Tivoli Key Lifecycle Manager configuration planning checklist . . . 244
11.3 Working with keys and certificates . . . 245
11.3.1 IT Service Management . . . 245
11.3.2 General security . . . 246
11.3.3 Tivoli Key Lifecycle Manager key server availability . . . 246
11.3.4 Encryption deadlock prevention for DS8000 . . . 247
11.3.5 Tivoli Key Lifecycle Manager key server . . . 247
11.3.6 DS8000 and tape devices . . . 248
11.4 Multiple Tivoli Key Lifecycle Managers for redundancy . . . 249
11.4.1 Setting up primary and secondary Tivoli Key Lifecycle Manager servers . . . 250
11.4.2 Synchronizing primary and secondary Tivoli Key Lifecycle Manager servers . . . 250
11.5 Backup and restore . . . 251
11.5.1 Categories of data in a backup file . . . 251
11.5.2 Backup file security . . . 252
11.5.3 IBM Tivoli Storage Manager as a backup repository . . . 252
11.5.4 Backup and restore runtime requirements . . . 252
11.5.5 Backing up critical files . . . 253
11.5.6 Restoring a backup file . . . 254
11.5.7 Deleting a backup file . . . 256
11.6 Key exporting and importing tasks . . . 256
11.6.1 Exporting keys . . . 256
11.6.2 Importing keys . . . 257
11.6.3 Importing the public key . . . 258
11.6.4 Exporting the public key . . . 258
11.7 Integration and EKM to Tivoli Key Lifecycle Manager migration . . . 259
11.7.1 Integrating Tivoli Key Lifecycle Manager for DS8000 with an existing EKM tape encryption installation . . . 259
11.7.2 Migrating from EKM to Tivoli Key Lifecycle Manager . . . 259
11.7.3 Multiple encrypted disk or tape devices . . . 260
11.8 Data exchange with business partners . . . 261
11.9 Disaster recovery considerations . . . 262
11.10 Database selection . . . 263

Chapter 12. Implementing Tivoli Key Lifecycle Manager . . . 265
12.1 Implementation notes . . . 266
12.2 Installing Tivoli Key Lifecycle Manager on 64-bit Windows Server 2008 . . . 266
12.3 Installing Tivoli Key Lifecycle Manager on 64-bit Red Hat Enterprise Linux AS Version 5.3 server . . . 299
12.4 Installing Tivoli Key Lifecycle Manager on z/OS . . . 329
12.5 Configuring Tivoli Key Lifecycle Manager . . . 335
12.5.1 Configuration for LTO4 and TS1100 . . . 339
12.5.2 Configuration for DS8000 disk drives . . . 348
12.6 Conclusions . . . 351

Chapter 13. Tivoli Key Lifecycle Manager operational considerations . . . 353
13.1 Scripting with Tivoli Key Lifecycle Manager . . . 354
13.1.1 Simple Linux backup script example . . . 354
13.2 Synchronizing primary Tivoli Key Lifecycle Manager configuration data . . . 355
13.2.1 Setting up primary and secondary Tivoli Key Lifecycle Manager servers . . . 355
13.2.2 Synchronizing primary and secondary Tivoli Key Lifecycle Manager servers . . . 356
13.3 Tivoli Key Lifecycle Manager maintenance . . . 357
13.3.1 General disk and tape management . . . 357
13.3.2 Adding and removing drives . . . 359
13.3.3 Scheduling key group rollover for LTO tape drives . . . 364
13.3.4 Scheduling certificate rollover for 3592 tape . . . 368
13.4 Tivoli Key Lifecycle Manager backup and restore procedures . . . 371
13.4.1 Using the GUI to back up . . . 372
13.4.2 Restore by using the GUI . . . 373
13.4.3 Backing up by using the command line . . . 376
13.4.4 Restore by using the command line . . . 377
13.5 Data sharing with business partners . . . 378
13.5.1 Sharing TS1100 certificate data with a business partner . . . 379
13.5.2 Sharing LTO key data with a business partner . . . 381
13.6 Removing Tivoli Key Lifecycle Manager . . . 384
13.6.1 Backing up the keystore . . . 385
13.7 Fixing the security warnings in your web browser . . . 385
13.7.1 Fixing the security warning in Internet Explorer browser . . . 385
13.7.2 Fixing the security warning in Firefox 2 . . . 386
13.8 The Tivoli Key Lifecycle Manager command-line interface . . . 386
13.8.1 Commands using wsadmin . . . 386
13.8.2 Tivoli Key Lifecycle Manager commands using wsadmin . . . 387
13.8.3 Setting a larger timeout interval for command processing . . . 388
13.8.4 Syntax examples . . . 388
13.8.5 Continuation character . . . 388
13.8.6 Parameter error messages . . . 389
13.8.7 Command summary . . . 389

Chapter 14. Planning for Encryption Key Manager and its keystores . . . 393
14.1 EKM planning quick-reference . . . 394
14.2 Ordering information and requirements . . . 396
14.2.1 EKM on z/OS or z/OS.e requirements . . . 396
14.2.2 EKM on z/VM, z/VSE, and z/TPF . . . 397
14.2.3 EKM on IBM System i requirements . . . 397
14.2.4 EKM on AIX requirements . . . 398
14.2.5 EKM on Linux requirements . . . 399
14.2.6 EKM on Hewlett-Packard, Sun, and Windows requirements . . . 399
14.3 EKM and keystore considerations . . . 400
14.3.1 EKM configuration planning checklist . . . 402
14.3.2 Best security practices for working with keys and certificates . . . 403
14.3.3 Acting on the advice . . . 403
14.3.4 Typical EKM implementations . . . 404
14.3.5 Multiple EKMs for redundancy . . . 407
14.3.6 Using Virtual IP Addressing . . . 408
14.3.7 Key manager backup . . . 409
14.3.8 FIPS 140-2 certification . . . 409
14.4 Other EKM considerations . . . 410
14.4.1 EKM Release 1 to EKM Release 2 migration . . . 410
14.4.2 Data exchange with business partners or other platforms . . . 410
14.4.3 Disaster recovery considerations . . . 411
14.4.4 i5/OS disaster recovery considerations . . . 411
14.4.5 EKM performance considerations . . . 411

Chapter 15. Implementing the Encryption Key Manager . . . 413
15.1 Implementing EKM in z/OS . . . 414
15.1.1 z/OS UNIX System Services . . . 414
15.1.2 Installing
EKM in z/OS . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . 41515.1.3 Security products involved:
RACF, Top Secret, and ACF2. . . . . . . . . . . . . . . . 41715.1.4
Create a JCE4758RACFKS for EKM . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . 41815.1.5 Setting up the EKM
environment . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . 42015.1.6 Starting EKM. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. 42315.1.7 Additional definitions of hardware keystores for z/OS.
. . . . . . . . . . . . . . . . . . . 42815.1.8 Virtual IP
Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . 42915.1.9 EKM TCP/IP configuration
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . 430
15.2 Installing EKM on AIX . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431viii
IBM System Storage Data Encryption
-
15.2.1 Install the IBM Software Developer Kit . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . 43115.3 Installing EKM
on a Microsoft Windows platform . . . . . . . . . . . . . . . . . .
. . . . . . . . . 436
15.3.1 EKM setup tasks . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . 43715.3.2
Installing the IBM Software Developer Kit on Microsoft Windows. . .
. . . . . . . . 43815.3.3 Starting EKM on Microsoft Windows. . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44315.3.4
Configuring and starting EKM . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . 444
15.4 Installing EKM in i5/OS . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45015.4.1
New installation of the Encryption Key Manager. . . . . . . . . . .
. . . . . . . . . . . . . 45015.4.2 Upgrading the Encryption Key
Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
45315.4.3 Configuring EKM for tape data encryption . . . . . . . .
. . . . . . . . . . . . . . . . . . . . 455
15.5 Implementing LTO4 and LTO5 encryption . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . 45815.5.1 LTO4 EKM
implementation checklist . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . 45915.5.2 Download the latest EKM software .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
45915.5.3 Create a JCEKS keystore . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . 46315.5.4 Off-site
or business partner exchange with LTO4 compared to 3592. . . . . .
. . 46615.5.5 EKM Version 2 installation and customization on
Microsoft Windows . . . . . . . 46715.5.6 Starting EKM. . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . 46915.5.7 Starting EKM as a Microsoft Windows
Service . . . . . . . . . . . . . . . . . . . . . . . . . 470
15.6 Implementing LTO4 and LTO5 Library-Managed Encryption . . .
. . . . . . . . . . . . . . . 47215.6.1 Barcode Encryption Policy .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . 47215.6.2 Specifying a Barcode Encryption Policy . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . 47515.6.3
TS3500 Library-Managed Encryption differences from TS3310, TS3200,
TS3100,
and TS2900 . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . 47915.7 LTO4 or
LTO5 System-Managed Encryption implementation. . . . . . . . . . .
. . . . . . . 480
15.7.1 LTO4 SME implementation checklist for Windows . . . . . .
. . . . . . . . . . . . . . . . 480
Chapter 16. Planning and managing your keys with Encryption Key
Manager . . . . 48116.1 Keystore and SAF Digital Certificates
(keyrings) . . . . . . . . . . . . . . . . . . . . . . . . . . .
48216.2 JCEKS. . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
482
16.2.1 Examples of managing public-private key pairs . . . . . .
. . . . . . . . . . . . . . . . . . 48316.2.2 Managing symmetric
keys in a JCEKS keystore. . . . . . . . . . . . . . . . . . . . . .
. . 48616.2.3 Example using iKeyman . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . 490
16.3 JCE4758KS and JCECCAKS . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . 49716.3.1 Script
notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . 49716.3.2 Symmetric keys
in a JCECCAKS . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . 499
16.4 JCERACFKS. . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50016.5
JCE4758RACFKS and JCECCARACFKS . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . 502
16.5.1 RACDCERT keywords . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . 50316.5.2 Best
practice . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . 505
16.6 PKCS#11 . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
50616.7 IBMi5OSKeyStore . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
16.7.1 Digital Certificate Manager . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . 50716.7.2 Setting
up an IBMi5OSKeyStore. . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . 507
16.8 ShowPrivateTool . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52216.9
MatchKeys tool . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . 52416.10
Hardware cryptography. . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . 527
Chapter 17. Encryption Key Manager operational considerations. .
. . . . . . . . . . . . . 53117.1 EKM commands . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . 532
17.1.1 The EKM sync command and EKM properties file . . . . . .
. . . . . . . . . . . . . . . . 53217.1.2 EKM command-line
interface and command set . . . . . . . . . . . . . . . . . . . . .
. . 533
17.2 Backup procedures . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53817.2.1
EKM file system backup . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . 538 Contents ix
-
17.2.2 Identifying DFSMShsm to z/OS UNIX System Services . . . .
. . . . . . . . . . . . . . 54017.2.3 Keystore backup . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . 54017.2.4 RACF . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . 541
17.3 ICSF disaster recovery procedures. . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . 54217.3.1 Key
recovery checklist . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . 54217.3.2 Prerequisites . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . 54317.3.3 Pre-key change: All LPARs in
the sysplex . . . . . . . . . . . . . . . . . . . . . . . . . . . .
54317.3.4 Check the ICSF installation options data . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . 54617.3.5 Disable all
services . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . 54717.3.6 Entering master keys
for all LPARs in the sysplex . . . . . . . . . . . . . . . . . . .
. . . 54817.3.7 Post-key change for all LPARs in the sysplex. . . .
. . . . . . . . . . . . . . . . . . . . . . 55317.3.8 Exiting
disaster recovery . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . 554
17.4 Business partner tape-sharing example . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . 55417.4.1 Key-sharing
steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . 55417.4.2 Exporting a public key
and certificate to a business partner . . . . . . . . . . . . . . .
55517.4.3 Exporting a symmetric key from a JCEKS keystore . . . . .
. . . . . . . . . . . . . . . . 55917.4.4 Importing a public key
and a certificate from a business partner . . . . . . . . . . .
55917.4.5 Tape exchange and verification . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . 56117.4.6 Importing
symmetric keys to a JCEKS keystore . . . . . . . . . . . . . . . .
. . . . . . . . 563
17.5 RACF export tool for z/OS . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . 56317.6 Audit
log considerations . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . 564
17.6.1 Audit overview. . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . 56517.6.2
Audit log parsing tool . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . 565
Chapter 18. Implementing TS1100 series encryption in System z .
. . . . . . . . . . . . . . 57118.1 Implementation overview . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . 57218.2 Implementation prerequisites . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
572
18.2.1 Implementing the initial tape library hardware. . . . . .
. . . . . . . . . . . . . . . . . . . . 57318.2.2 Initial z/OS
software definitions. . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . 574
18.3 EKM implementation overview . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . 57518.4
Implementing the tape library . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . 576
18.4.1 Implementation steps for the IBM TS3500 Tape Library. . .
. . . . . . . . . . . . . . . 57618.4.2 Implementation steps for
the IBM 3494 Tape Library . . . . . . . . . . . . . . . . . . . .
57918.4.3 Implementation steps for the IBM TS3400 Tape Library. . .
. . . . . . . . . . . . . . . 583
18.5 Implementing the tape control unit . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . 58518.6 z/OS
implementation steps . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . 585
18.6.1 z/OS software maintenance . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . 58618.6.2 Update
PARMLIB member IECIOSxx. . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . 58618.6.3 Define or update Data Class
definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . 58718.6.4 Considerations for JES3 . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . 59118.6.5
Tape management system . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . 59218.6.6 DFSMSrmm support for
tape data encryption. . . . . . . . . . . . . . . . . . . . . . . .
. . 59218.6.7 DFSMSdfp access method service . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . 59618.6.8 Data
Facility Data Set Services considerations . . . . . . . . . . . . .
. . . . . . . . . . . 59718.6.9 DFSMS Hierarchal Storage Manager
considerations . . . . . . . . . . . . . . . . . . . . 598
18.7 z/VM implementation steps . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . 59918.7.1
Tape library and tape control unit implementation . . . . . . . . .
. . . . . . . . . . . . . 60018.7.2 Out-of-band encryption . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . 60018.7.3 Defining key aliases to z/VM. . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60418.7.4
Using ATTACH and DETACH to control encryption . . . . . . . . . . .
. . . . . . . . . . 60518.7.5 Using SET RDEVICE to control
encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . .
60618.7.6 QUERY responses . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . 60618.7.7 z/VM
DASD Dump Restore (DDR) . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . 607x IBM System Storage Data Encryption
-
18.8 Miscellaneous implementation considerations . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . 60718.8.1 Data exchange
with other data centers or business partners . . . . . . . . . . .
. . . 60718.8.2 Availability . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
608
18.9 TS1120 and TS1130 tape cartridge rekeying in z/OS. . . . .
. . . . . . . . . . . . . . . . . . . 60818.9.1 TS1120 Model E05
rekeying support in z/OS. . . . . . . . . . . . . . . . . . . . . .
. . . . 60818.9.2 IEHINITT enhancements . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . 60918.9.3
Security considerations. . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . 61218.9.4 Packaging . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . 61218.9.5 Rekeying exits and
messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . 612
Chapter 19. Implementing TS7700 tape encryption . . . . . . . .
. . . . . . . . . . . . . . . . . . . 61319.1 TS7700 encryption
overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . 61419.2 Prerequisites . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . 615
19.2.1 Tape drives . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61519.2.2
TS7700 Virtualization Engine . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . 61519.2.3 Library Manager . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . 61519.2.4 Encryption Key Manager. . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . 615
19.3 Implementation overview . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . 61619.3.1
Implementing the initial tape library hardware. . . . . . . . . . .
. . . . . . . . . . . . . . . 61619.3.2 Implementing the initial
TS7700 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . 61619.3.3 Initial z/OS software definitions. . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
61719.3.4 EKM implementation overview . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . 617
19.4 Tape library implementation and setup for encryption . . .
. . . . . . . . . . . . . . . . . . . . 61719.4.1 Enabling drives
for encryption in the IBM TS3500 Tape Library. . . . . . . . . . .
. 61819.4.2 Enabling drives for encryption in the IBM 3494 Tape
Library . . . . . . . . . . . . . . 62019.4.3 Encryption-enabled
drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . 623
19.5 Software implementation steps . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . 62319.5.1 z/OS
software maintenance . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . 62319.5.2 Encryption Key Manager
installation. . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . 62319.5.3 z/OS DFSMS implementation steps . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . 623
19.6 TS7700 implementation steps. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . 62419.6.1
Configuring the TS7700 for encryption . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . 62419.6.2 Creating TS7700 storage
groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . 62619.6.3 Creating TS7700 management classes . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . 62719.6.4 Activate
the TS7700 Encryption Feature License. . . . . . . . . . . . . . .
. . . . . . . . 62919.6.5 EKM addresses. . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. 63119.6.6 Testing EKM connectivity . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . 63219.6.7
Configuring pool encryption settings for the TS7700 . . . . . . . .
. . . . . . . . . . . . 632
19.7 Implementation considerations . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . 63419.7.1
Management construct definitions and transfer . . . . . . . . . . .
. . . . . . . . . . . . . 63419.7.2 Changing storage pool
encryption settings. . . . . . . . . . . . . . . . . . . . . . . .
. . . . 63419.7.3 Moving data to encrypted storage pools . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . 63519.7.4 EKM
operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . 63719.7.5 Tracking
encryption usage . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . 63819.7.6 Data exchange with other
data centers or business partners . . . . . . . . . . . . . .
638
19.8 TS7700 encryption with z/VM, z/VSE, or z/TPF . . . . . . .
. . . . . . . . . . . . . . . . . . . . . 638
Chapter 20. Implementing TS1120 and TS1130 encryption in an open
systems environment . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . 641
20.1 Encryption overview in an open systems environment . . . .
. . . . . . . . . . . . . . . . . . . 64220.2 Adding drives to a
logical library . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . 643
20.2.1 Advanced Library Management System considerations. . . .
. . . . . . . . . . . . . . 64320.3 Managing the encryption and
business partner exchange . . . . . . . . . . . . . . . . . . . .
644
20.3.1 Disaster recovery considerations . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . 646 Contents xi
-
20.3.2 Keeping track of key usage. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . 64720.4 Encryption
implementation checklist . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . 648
20.4.1 Planning your EKM environment. . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . 64820.4.2 EKM setup
tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . 64920.4.3 Application-Managed
Encryption setup tasks . . . . . . . . . . . . . . . . . . . . . .
. . . . 64920.4.4 System-Managed (Atape) Encryption setup tasks . .
. . . . . . . . . . . . . . . . . . . . 65020.4.5 Library-Managed
Encryption setup tasks . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . 651
20.5 Implementing Library-Managed Encryption . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . 65120.5.1 LME
implementation tasks . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . 65120.5.2 Upgrading firmware. . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . 65220.5.3 Add EKM or Tivoli Key Lifecycle Manager
IP addresses . . . . . . . . . . . . . . . . . 65820.5.4 Enabling
Library-Managed Encryption . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . 65920.5.5 Barcode Encryption Policy . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. 662
20.6 Implementing System-Managed Encryption . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . 66820.6.1 System-Managed
Encryption tasks. . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . 66920.6.2 Atape device driver . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. 67020.6.3 Update Atape EKM proxy configuration . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . 67020.6.4 System-Managed
Encryption Atape device entries . . . . . . . . . . . . . . . . . .
. . . 67220.6.5 Updating the Atape device driver configuration . .
. . . . . . . . . . . . . . . . . . . . . . 67320.6.6 Enabling
System-Managed Encryption using the TS3500 web GUI. . . . . . . . .
67420.6.7 Using SMIT to enable System-Managed Encryption . . . . .
. . . . . . . . . . . . . . . 67620.6.8 Managing System-Managed
Encryption and business partner exchange . . . . 683
20.7 Application-Managed Encryption . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . 68620.7.1 IBM
Tivoli Storage Manager overview . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . 68620.7.2 IBM Tivoli Storage Manager
support for 3592 drive encryption . . . . . . . . . . . . 68720.7.3
Implementing Application-Managed Encryption . . . . . . . . . . . .
. . . . . . . . . . . . 68820.7.4 IBM Tivoli Storage Manager
encryption considerations . . . . . . . . . . . . . . . . . .
691
20.8 IBM 3494 with TS1120 or TS1130 encryption . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . 69220.8.1 Review the 3494
encryption-capable drives . . . . . . . . . . . . . . . . . . . . .
. . . . . . 69220.8.2 Specifying a Barcode Encryption Policy . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . 69620.8.3
Entering the EKM IP address and key labels . . . . . . . . . . . .
. . . . . . . . . . . . . . 69820.8.4 ILEP key label mapping . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . 699
Chapter 21. Tape data encryption with i5/OS . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . 70121.1 Planning for
tape data encryption with i5/OS . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . 702
21.1.1 Hardware prerequisites . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . 70221.1.2
Software prerequisites . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . 70321.1.3 Disaster
recovery considerations . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . 70421.1.4 EKM keystore considerations . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . 70521.1.5 TS1120 Tape Encryption policy considerations . . . .
. . . . . . . . . . . . . . . . . . . . 70621.1.6 Considerations
for sharing tapes with partners. . . . . . . . . . . . . . . . . .
. . . . . . . 70721.1.7 Steps for implementing tape encryption with
i5/OS . . . . . . . . . . . . . . . . . . . . . 709
21.2 Setup and usage of tape data encryption with i5/OS . . . .
. . . . . . . . . . . . . . . . . . . . 70921.2.1 Creating an EKM
keystore and certificate. . . . . . . . . . . . . . . . . . . . . .
. . . . . . . 71021.2.2 Configuring the TS3500 library for
Library-Managed Encryption . . . . . . . . . . . 72221.2.3
Importing and exporting encryption keys . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . 73221.2.4 Working with encrypted tape
cartridges . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . 74421.2.5 Troubleshooting . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 749
Part 4. DS8000 encryption features. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . 751
Chapter 22. IBM System Storage DS8000 encryption preparation. .
. . . . . . . . . . . . . 75322.1 Encryption-capable DS8000
ordering and configuration. . . . . . . . . . . . . . . . . . . . .
. 75422.2 Requirements for encrypting storage . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . 755xii IBM System
Storage Data Encryption
-
22.3 Tivoli Key Lifecycle Manager configuration. . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . 75622.3.1 Log in to
Tivoli Integrated Portal . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . 75622.3.2 Creating an image
certificate or certificate request. . . . . . . . . . . . . . . . .
. . . . . 75722.3.3 Configure the SFIs . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
76122.3.4 Starting and stopping the Tivoli Key Lifecycle Manager
server and determining its
status . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . 76522.4
Configuring the Tivoli Key Lifecycle Manager server connections to
the DS8000 . . 767
Chapter 23. DS8000 encryption features and implementation . . .
. . . . . . . . . . . . . . . 77123.1 DS8100/DS8300 (R4.2) GUI
configuration for encryption . . . . . . . . . . . . . . . . . . .
. 772
23.1.1 Configuring the encryption group . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . 77223.1.2 Applying
the encryption activation key . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . 77323.1.3 Configuring and administering
encrypted arrays. . . . . . . . . . . . . . . . . . . . . . . .
77623.1.4 Configuring and administering encrypted ranks . . . . . .
. . . . . . . . . . . . . . . . . . 78023.1.5 Configuring and
administering encrypted extent pools . . . . . . . . . . . . . . .
. . . . 783
23.2 DS8700 (R5.0) GUI configuration for encryption . . . . . .
. . . . . . . . . . . . . . . . . . . . . 78823.2.1 Configuring the
recovery key . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . 78823.2.2 Configuring the encryption group .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
79223.2.3 Applying the encryption activation key . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . 79423.2.4 Configuring
and administering encrypted arrays. . . . . . . . . . . . . . . . .
. . . . . . . 79623.2.5 Configuring and administering encrypted
ranks . . . . . . . . . . . . . . . . . . . . . . . . 79823.2.6
Configuring and administering encrypted extent pools . . . . . . .
. . . . . . . . . . . . 801
23.3 DS8000 DS CLI configuration for encryption . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . 80423.3.1 Configuring
the Tivoli Key Lifecycle Manager server connection . . . . . . . .
. . . 80423.3.2 Configuring and administering the encryption group.
. . . . . . . . . . . . . . . . . . . . 80623.3.3 Applying
encryption activation key . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . 80723.3.4 Creating encrypted arrays. . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . 80723.3.5 Creating encrypted ranks . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80823.3.6
Creating encrypted extent pools . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . 809
23.4 Encryption and Copy Services functions. . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . 810
Chapter 24. DS8700 advanced encryption features and
implementation . . . . . . . . . 81124.1 New security roles:
Storage and security administrator . . . . . . . . . . . . . . . .
. . . . . . 81224.2 Recovery key support . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. 814
24.2.1 Configuring the recovery key . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . 81424.2.2
Validating the recovery key. . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . 81824.2.3 Initiating
recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . 82024.2.4 Using the process to
rekey the recovery key . . . . . . . . . . . . . . . . . . . . . .
. . . . 826
24.2.5 Deleting the recovery key . . . . 830
24.2.6 Recovery key state summary . . . . 833
24.3 Dual platform key server support . . . . 833
24.3.1 Setting up Tivoli Key Lifecycle Manager server . . . . 833
Chapter 25. Best practices and guidelines for DS8000 encryption . . . . 845
25.1 Best practices for encrypting storage environments . . . . 846
25.1.1 Security . . . . 846
25.1.2 Availability . . . . 846
25.1.3 Encryption deadlock prevention . . . . 847
25.2 Dual Hardware Management Console and redundancy . . . . 850
25.2.1 Dual Hardware Management Console advantages . . . . 850
25.2.2 Redundant HMC configurations . . . . 850
25.3 Multiple Tivoli Key Lifecycle Managers for redundancy . . . . 852
25.3.1 Setting up primary and secondary Tivoli Key Lifecycle Manager servers . . . . 853
25.3.2 Synchronizing primary and secondary Tivoli Key Lifecycle Manager servers . . . . 853
25.4 Backup and restore the Tivoli Key Lifecycle Manager servers . . . . 853
25.4.1 Categories of data in a backup file . . . . 854
25.4.2 Backup file security . . . . 854
25.4.3 IBM Tivoli Storage Manager as a backup repository . . . . 854
25.4.4 Backup and restore runtime requirements . . . . 854
25.4.5 Backing up critical files . . . . 855
25.4.6 Restoring a backup file . . . . 856
25.4.7 Deleting a backup file . . . . 858
25.5 Key exporting and importing tasks . . . . 858
25.5.1 Exporting keys . . . . 859
25.5.2 Importing keys . . . . 859
Appendix A. z/OS planning and implementation checklists . . . . 863
DFSMS Systems Managed Tape planning . . . . 864
DFSMS planning and the z/OS encryption planning checklist . . . . 864
Storage administrator stand-alone environment planning . . . . 865
Storage administrator tape library environment planning . . . . 866
DFSMS Systems Managed Tape implementation . . . . 867
Object access method planning . . . . 869
Storage administrator OAM planning . . . . 869
OAM implementation . . . . 870
DFSMShsm tape environment . . . . 871
Appendix B. DS8700 encryption-related system reference codes . . . . 873
Appendix C. z/OS Java and Open Edition tips . . . . 877
JZOS . . . . 878
Console communication with batch jobs . . . . 878
Encryption Key Manager and JZOS . . . . 879
MVS Open Edition tips . . . . 882
Exporting a variable . . . . 882
Setting up an alias . . . . 882
Copying the escape character . . . . 883
Advantages of VT100 . . . . 884
Advanced security hwkeytool and keytool scripts . . . . 885
Complete keytool example for JCEKS using hidden passwords . . . . 885
Complete hwkeytool example for JCE4758KS using hidden passwords . . . . 887
Java . . . . 889
Security and providers . . . . 889
Garbage Collector . . . . 890
Verifying the installation . . . . 891
z/OS region size . . . . 891
Policy files . . . . 891
Appendix D. Asymmetric and Symmetric Master Key change procedures . . . . 893
Asymmetric Master Key change ceremony . . . . 894
Prerequisites . . . . 894
Testing encryption and decryption . . . . 894
Pre-key change: Disabling PKA services for all images in the sysplex . . . . 894
Key change: First LPAR in the sysplex . . . . 896
Key change: Subsequent LPARs in the sysplex . . . . 902
Post-key change: All LPARs in the sysplex . . . . 906
ICSF tips . . . . 910
Creating a PKDS VSAM data set . . . . 910
Symmetric Master Key change ceremony . . . . 911
Prerequisites . . . . 912
Testing the encryption and decryption . . . . 912
Disabling dynamic CKDS updates for all images in the sysplex . . . . 912
Key change: First LPAR in the sysplex . . . . 913
Reenciphering the CKDS under the new SYM-MK . . . . 919
Changing the new SYM-MK and activating the re-enciphered CKDS . . . . 921
Key change: Subsequent LPARs in the sysplex . . . . 922
Post-key change: All LPARs in the sysplex . . . . 925
Appendix E. z/OS tape data encryption diagnostics . . . . 931
EKM problem determination when running z/OS . . . . 932
Error scenarios . . . . 932
Diagnostic scenarios . . . . 935
Encryption Key Manager error codes and recovery actions . . . . 938
Drive error codes . . . . 940
Control unit error codes . . . . 941
IOS628E message indicates connection failure . . . . 942
Appendix F. IEHINITT exits and messages for rekeying . . . . 943
Dynamic Exits Service Facility support . . . . 944
Error conditions . . . . 944
Programming considerations . . . . 945
REKEY messages . . . . 945
New messages . . . . 946
Modified messages . . . . 946
Appendix G. Implementing EKM on z/OS SECURE key processing to TS1100 and LTO4/LTO5 drives . . . . 949
Implementing EKM in z/OS . . . . 950
Prerequisites . . . . 950
z/OS UNIX System Services . . . . 950
Installing the Encryption Key Manager in z/OS . . . . 951
Create a JCECCAKS for EKM . . . . 953
Setting up the EKM environment . . . . 954
Starting EKM . . . . 957
Configuring EKM TCP/IP . . . . 962
Enterprise-wide key management . . . . 964
Conclusions . . . . 964
Appendix H. Encryption testing in an open systems environment . . . . 965
Encryption key path test . . . . 966
Using key path diagnostics in an LME environment . . . . 966
Key Path Diagnostic test in a SME environment . . . . 969
Testing data encryption . . . . 973
IBM Tape Diagnostic Tool . . . . 973
Encryption Verification test using the ITDT-GE . . . . 973
Encryption verification using the ITDT-SE . . . . 978
Encryption test using the device driver functions . . . . 979
Related publications . . . . 985
IBM Redbooks publications . . . . 985
Other publications . . . . 985
Online resources . . . . 987
How to get IBM Redbooks publications . . . . 988
Help from IBM . . . . 988
Index . . . . 991
-
Notices
This information was developed for products and services offered
in the U.S.A.
IBM may not offer the products, services, or features discussed
in this document in other countries. Consult your local IBM
representative for information on the products and services
currently available in your area. Any reference to an IBM product,
program, or service is not intended to state or imply that only
that IBM product, program, or service may be used. Any functionally
equivalent product, program, or service that does not infringe any
IBM intellectual property right may be used instead. However, it is
the user's responsibility to evaluate and verify the operation of
any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering
subject matter described in this document. The furnishing of this
document does not give you any license to these patents. You can
send license inquiries, in writing, to: IBM Director of Licensing,
IBM Corporation, North Castle Drive, Armonk, NY 10504-1785
U.S.A.
The following paragraph does not apply to the United Kingdom or
any other country where such provisions are inconsistent with local
law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR
PURPOSE. Some states do not allow disclaimer of express or implied
warranties in certain transactions, therefore, this statement may
not apply to you.
This information could include technical inaccuracies or
typographical errors. Changes are periodically made to the
information herein; these changes will be incorporated in new
editions of the publication. IBM may make improvements and/or
changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references in this information to non-IBM websites are
provided for convenience only and do not in any manner serve as an
endorsement of those websites. The materials at those websites are
not part of the materials for this IBM product and use of those
websites is at your own risk.
IBM may use or distribute any of the information you supply in
any way it believes appropriate without incurring any obligation to
you.
Information concerning non-IBM products was obtained from the
suppliers of those products, their published announcements or other
publicly available sources. IBM has not tested those products and
cannot confirm the accuracy of performance, compatibility or any
other claims related to non-IBM products. Questions on the
capabilities of non-IBM products should be addressed to the
suppliers of those products.
This information contains examples of data and reports used in
daily business operations. To illustrate them as completely as
possible, the examples include the names of individuals, companies,
brands, and products. All of these names are fictitious and any
similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
The following company name appearing in this publication is
fictitious:
ZABYXC
This name is used for instructional purposes only.
COPYRIGHT LICENSE:
This information contains sample application programs in source
language, which illustrate programming techniques on various
operating platforms. You may copy, modify, and distribute these
sample programs in any form without payment to IBM, for the
purposes of developing, using, marketing or distributing
application programs conforming to the application programming
interface for the operating platform for which the sample programs
are written. These examples have not been thoroughly tested under
all conditions. IBM, therefore, cannot guarantee or imply
reliability, serviceability, or function of these programs.
-
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered
trademarks of International Business Machines Corporation in the
United States, other countries, or both. These and other IBM
trademarked terms are marked on their first occurrence in this
information with the appropriate symbol (® or ™), indicating US
registered or common law trademarks owned by IBM at the time this
information was published. Such trademarks may also be registered
or common law trademarks in other countries. A current list of IBM
trademarks is available on the web at
http://www.ibm.com/legal/copytrade.shtml
The following terms are trademarks of the International Business
Machines Corporation in the United States, other countries, or
both:
AIX 5L, AIX, alphaWorks, AS/400, CICS, DB2, developerWorks, DS8000,
ESCON, FICON, FlashCopy, i5/OS, IBM, iSeries, Language Environment,
Lotus, MVS, Netfinity, OS/400, Parallel Sysplex, pSeries, RACF,
Redbooks, Redbooks (logo), RS/6000, System i5, System i, System p,
System Storage DS, System Storage, System x, System z9, System z,
Tivoli, TotalStorage, VTAM, WebSphere, xSeries, z/OS, z/VM, z/VSE,
z9, zSeries
The following terms are trademarks of other companies:
AMD, AMD Opteron, the AMD Arrow logo, and combinations thereof,
are trademarks of Advanced Micro Devices, Inc.
SUSE, the Novell logo, and the N logo are registered trademarks
of Novell, Inc. in the United States and other countries.
VMware, the VMware "boxes" logo and design are registered
trademarks or trademarks of VMware, Inc. in the United States
and/or other jurisdictions.
Java, and all Java-based trademarks are trademarks of Sun
Microsystems, Inc. in the United States, other countries, or
both.
Microsoft, Windows, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or
both.
Microsoft product screen shot(s) reprinted with permission from
Microsoft Corporation.
Intel Xeon, Intel, Itanium, Intel logo, Intel Inside logo, and
Intel Centrino logo are trademarks or registered trademarks of
Intel Corporation or its subsidiaries in the United States and
other countries.
UNIX is a registered trademark of The Open Group in the United
States and other countries.
Linux is a trademark of Linus Torvalds in the United States,
other countries, or both.
Other company, product, or service names may be trademarks or
service marks of others.
-
Preface
Strong security is not a luxury anymore in today's
round-the-clock, global business environment. It is a requirement.
Ensuring the protection and security of an organization's
information is the foundation of any successful business.
Encrypting data is a key element when addressing these concerns.
IBM provides a wide range of IBM storage hardware products that are
capable of encrypting the data that is written on them. This
product line includes a variety of disk systems and tape drives.
Several IBM storage products support encryption:
Disk systems:
IBM System Storage DS5000 series
IBM System Storage DS8000 series
Tape drives:
IBM System Storage TS1130 Model E06 and Model EU6 Tape Drive
IBM System Storage TS1120 Model E05 Tape Drive
IBM System Storage Linear Tape-Open (LTO) Ultrium Generation 4 Tape Drive
This IBM Redbooks publication describes IBM System Storage data
encryption. This book is intended for anyone who needs to learn
more about the concepts of data encryption and the IBM storage
hardware and software that enable data encryption.
The team who wrote this book
This book was produced by a team of specialists from around the
world working at the International Technical Support Organization,
Austin Center.
Alex Osuna is a Project Leader at the International Technical
Support Organization, Tucson Center. He writes extensively and
teaches IBM classes worldwide on all areas of storage. Before
joining the ITSO five years ago, Alex was a Tivoli Principal
Systems Engineer in storage. Alex has over 31 years' experience in
the IT industry with over 29 of them spent in the storage arena. He
holds certification from IBM, Red Hat, and Microsoft.
David Crowther has over 30 years' experience in the IT industry,
the last 24 working for IBM. During his IBM career, he has worked
in Technical Pre-sales, Services and Support, and currently works
in IBM BetaWorks where he manages early beta programs for Tivoli
Security and Provisioning products. In addition, he creates and
runs enablement workshops, authors technical cookbooks and manuals,
and provides technical support, presents, and acts as a subject
matter expert for the new products. He also has wide experience in
running beta programs on and supporting products from many of the
other IBM brands, including Large Systems, Networking, Pervasive,
Lotus, Voice, and WebSphere. He is a Consulting IT Specialist,
Chartered IT Professional, and Chartered Engineer, and he holds a
Master's degree in Electrical Sciences from Cambridge University.
Reimar Pflieger is an IT Specialist from Germany working at the
IBM Global Technology Services Organization. He provides post-sales
support as a Product Field Engineer for RMSS products in Mainz. He
joined IBM in 1998 and worked for many years as a Process Support
and Manufacturing Engineer in Disk and Wafer Production. In his
current job role as an RMSS Product Field Engineer, he supports
Open Systems Tape, Tape Libraries from entry level to high-end
level and Tape Encryption solutions. His experience with Operating
Systems includes Linux, Windows and AIX platforms.
Esha Seth is a Software Engineer working at the IBM Systems and
Technology Labs in Pune, India. She graduated in 2006 with a
Bachelor of Engineering degree in Computer Science from Pune
University. She joined IBM after graduation and has worked as a
Systems Software developer for the Systems and Storage Management
group. During her tenure at IBM, she has contributed to all phases
of the software development life cycle and collaborated with global
teams in various projects for the IBM Systems Director product. Her
areas of technical expertise include understanding storage and
systems Management, IBM Systems Management solutions,
service-oriented architecture (SOA), JAVA and Eclipse and OSGi
plug-in development. Currently, she is a part of the IBM Systems
Director Network Manager team and is involved in its development
efforts.
Ferenc Toth is a Test Engineer working for DS8000 Storage Server
manufacturing in Vac, Hungary. He has four years of experience in
high-end disk subsystem testing, test process optimization, and new
product implementation. He holds a Master of Science degree in
Electrical Engineering, with a specialization in embedded systems,
from the Budapest University of Technology and Economics, Hungary.
His focus is hardware and software qualification for all the
supported DS8000 releases in the manufacturing environment.
Thanks to the following people for their contributions to this
project:
David Kahler, IBM Systems & Technology Group, Systems Hardware Development
Steven R. Hart, CISSP, z/OS Cryptography
Anjul Mathur, IBM Tucson
Jacob Sheppard, IBM Tucson
James Whelan, IBM Systems & Technology Group, Development Operations and Technical Support
Now you can become a published author, too!
Here's an opportunity to spotlight your skills, grow your career,
and become a published author - all at the same time! Join an ITSO
residency project and help write a book in your area of expertise,
while honing your experience using leading-edge technologies. Your
efforts will help to increase product acceptance and customer
satisfaction, as you expand your network of technical contacts and
relationships. Residencies run from two to six weeks in length, and
you can participate either in person or as a remote resident
working from your home base.
Find out more about the residency