Storage Encryption Sg247797

ibm.com/redbooks

Front cover

IBM System Storage Data Encryption

Alex Osuna, David Crowther, Reimar Pflieger, Esha Seth, Ferenc Toth

Understand the encryption concepts and terminology
Compare various IBM storage encryption methods
Plan for Tivoli Key Lifecycle Manager and its keystores

International Technical Support Organization

IBM System Storage Data Encryption

June 2010

SG24-7797-00

Copyright International Business Machines Corporation 2010. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

First Edition (June 2010)
This edition applies to Tivoli Key Lifecycle Manager Version 1 and later and the Encryption Key Manager Release 1 and later.

Note: Before using this information and the product it supports, read the information in Notices on page xvii.

Contents

Notices . . . xvii
Trademarks . . . xviii

Preface . . . xix
The team who wrote this book . . . xix
Now you can become a published author, too! . . . xx
Comments welcome . . . xxi
Stay connected to IBM Redbooks . . . xxi

Part 1. Introduction to data encryption . . . 1

Chapter 1. Encryption concepts and terminology . . . 3
  1.1 Concepts of storage data encryption . . . 4
    1.1.1 Symmetric key encryption . . . 4
    1.1.2 Asymmetric key encryption . . . 6
    1.1.3 Hybrid encryption . . . 9
    1.1.4 Digital certificates . . . 9
  1.2 IBM Key Management methods . . . 15
  1.3 Tivoli Key Lifecycle Manager and Encryption Key Manager . . . 16
    1.3.1 IBM Encryption Key Manager . . . 17
    1.3.2 Encryption Key Manager components and resources . . . 19
    1.3.3 Encryption keys . . . 21
    1.3.4 Tivoli Key Lifecycle Manager . . . 21
    1.3.5 Tivoli Key Lifecycle Manager components and resources . . . 22

Chapter 2. Introduction to storage data encryption . . . 27
  2.1 IBM tape drive encryption . . . 28
  2.2 IBM System Storage DS5000 series with encryption support . . . 29
  2.3 DS8000 series with encryption support . . . 31
    2.3.1 Encryption updates in DS8000 R5.0 . . . 33
  2.4 Storage data encryption . . . 34
    2.4.1 Encryption of data on IBM tape drives . . . 34
    2.4.2 Encryption of data in IBM System Storage DS5000 Series . . . 35
    2.4.3 Encryption of data in IBM System Storage DS8000 Series . . . 37
  2.5 Encryption data . . . 41
    2.5.1 IBM tape drive . . . 41
    2.5.2 IBM Storage Series DS5000 and DS8000 . . . 43
  2.6 Using data encryption . . . 44
    2.6.1 Encrypting data in the tape drive . . . 44
    2.6.2 Encrypting data on disk drives . . . 45
    2.6.3 Fundamentals to encryption: Policy and key management . . . 46

Chapter 3. IBM storage encryption methods . . . 49
  3.1 Tivoli Key Lifecycle Manager . . . 50
    3.1.1 Tivoli Key Lifecycle Manager components and resources . . . 51
    3.1.2 Key exchange . . . 53
  3.2 IBM Encryption Key Manager . . . 54
    3.2.1 Encryption Key Manager components and resources . . . 56
  3.3 TS1120, TS1130, and LTO4 tape drive encryption . . . 58
    3.3.1 Key exchange . . . 59
  3.4 DS8000 disk encryption . . . 60
    3.4.1 Encryption key management . . . 62
    3.4.2 Encryption deadlock . . . 67
    3.4.3 Encryption recovery key support . . . 68
    3.4.4 Dual platform key server support . . . 70
  3.5 Comparing tape encryption methods . . . 73
    3.5.1 System-Managed Encryption . . . 74
    3.5.2 Library-Managed Encryption . . . 77
    3.5.3 Encrypting and decrypting with SME and LME . . . 79
    3.5.4 Application-Managed Encryption . . . 81
    3.5.5 Mixed mode example . . . 84

Chapter 4. IBM System Storage tape automation for encryption . . . 87
  4.1 IBM System Storage TS1130 and TS1120 tape drive . . . 88
    4.1.1 Tape data encryption support . . . 89
    4.1.2 TS1120 characteristics . . . 89
    4.1.3 TS1130 characteristics . . . 91
    4.1.4 3592 cartridges and media . . . 93
  4.2 IBM System Storage TS1120 Tape Controller . . . 95
    4.2.1 IBM TS1120 Tape Controller characteristics . . . 96
    4.2.2 IBM TS1120 Tape Controller encryption support . . . 97
    4.2.3 Installation with an IBM TS3500 Tape Library . . . 97
    4.2.4 Installation with an IBM TS3400 Tape Library . . . 99
    4.2.5 Installation with an IBM 3494 Tape Library . . . 100
    4.2.6 IBM TotalStorage 3592 Model J70 Tape Controller . . . 101
  4.3 IBM Virtualization Engine TS7700 . . . 102
  4.4 IBM LTO Ultrium tape drives and libraries . . . 104
    4.4.1 Linear Tape-Open overview . . . 105
    4.4.2 LTO media . . . 106
    4.4.3 IBM System Storage TS2240 Tape Drive Express Model . . . 108
    4.4.4 IBM System Storage TS2340 Tape Drive Express Model . . . 109
    4.4.5 IBM System Storage TS1040 Tape Drive . . . 110
    4.4.6 IBM System Storage TS2900 Tape Autoloader . . . 111
    4.4.7 IBM System Storage TS3100 Tape Library . . . 111
    4.4.8 IBM System Storage TS3200 Tape Library . . . 113
    4.4.9 IBM System Storage TS3310 Tape Library . . . 115
  4.5 IBM System Storage TS3400 Tape Library . . . 118
  4.6 IBM System Storage TS3500 Tape Library . . . 120
    4.6.1 TS3500 frames . . . 121
    4.6.2 TS3500 characteristics . . . 124
  4.7 IBM TotalStorage 3494 Tape Library . . . 131

Chapter 5. Full Disk Encryption technology in disk subsystems . . . 133
  5.1 FDE fundamentals . . . 134
  5.2 Hardware implementation details . . . 135
  5.3 FDE disks in storage products . . . 136

Part 2. IBM System Storage DS5000 . . . 139

Chapter 6. Understanding Full Disk Encryption in DS5000 . . . 141
  6.1 FDE disk drives . . . 142
    6.1.1 Securing data against a breach . . . 142
  6.2 Creating a security key . . . 143
  6.3 Changing a security key . . . 144
  6.4 Security key identifier . . . 144
  6.5 Unlocking secure drives . . . 148
  6.6 Secure erase . . . 149
  6.7 FDE security authorizations . . . 149
  6.8 FDE key terms . . . 151

Chapter 7. Configuring encryption on DS5000 with Full Disk Encryption drives . . . 153
  7.1 The need for encryption . . . 154
    7.1.1 Encryption method . . . 154
  7.2 Disk Security components . . . 156
    7.2.1 DS5000 Disk Encryption Manager . . . 156
    7.2.2 Full Data Encryption disks . . . 157
    7.2.3 Premium feature license . . . 157
    7.2.4 Keys . . . 157
    7.2.5 Security key identifier . . . 157
    7.2.6 Passwords . . . 158
  7.3 Setting up and enabling the Secure Disk feature . . . 159
    7.3.1 FDE and the premium feature key check . . . 159
    7.3.2 Secure key creation . . . 160
    7.3.3 Enable disk security on the array . . . 162
  7.4 Additional secure disk functions . . . 163
    7.4.1 Changing the security key . . . 164
    7.4.2 Saving the security key file . . . 165
    7.4.3 Secure disk erase . . . 166
    7.4.4 FDE drive status . . . 167
    7.4.5 Hot-spare drive . . . 167
    7.4.6 Log files . . . 168
  7.5 Migrating secure disk arrays . . . 168
    7.5.1 Planning checklist . . . 169
    7.5.2 Export the array . . . 169
  7.6 Import secure drive array . . . 172
    7.6.1 Unlock drives . . . 173
    7.6.2 Import array . . . 174

Chapter 8. DS5000 Full Disk Encryption best practices . . . 177
  8.1 Physical asset protection . . . 178
  8.2 Data backup . . . 179
  8.3 FDE drive security key and the security key file . . . 179
  8.4 DS subsystem controller shell remote login . . . 181
  8.5 Working with Full Disk Encryption drives . . . 181
  8.6 Replacing controllers . . . 182
  8.7 Storage industry standards and practices . . . 182

Chapter 9. Frequently asked questions . . . 183
  9.1 Securing arrays . . . 184
  9.2 Secure erase . . . 184
  9.3 Security keys and passphrases . . . 185
  9.4 Premium features . . . 185
  9.5 Global hot-spare drives . . . 186
  9.6 Boot support . . . 186
  9.7 Locked and unlocked states . . . 187
  9.8 Backup and recovery . . . 187
  9.9 Additional questions . . . 187

Part 3. Implementing tape data encryption . . . 189

Chapter 10. Planning for software and hardware to support tape drives . . . 191
  10.1 Encryption planning . . . 192
  10.2 Planning assumptions . . . 192
  10.3 Encryption planning quick-reference tables . . . 193
  10.4 Choosing encryption methods . . . 196
    10.4.1 Encryption method comparison . . . 197
    10.4.2 System z encryption methods . . . 197
    10.4.3 Open systems encryption methods . . . 198
    10.4.4 Decision time . . . 199
  10.5 Solutions available by operating system . . . 199
    10.5.1 The z/OS solution components . . . 199
    10.5.2 z/VM, z/VSE, and z/TPF solution components for TS1120 drives . . . 202
    10.5.3 IBM System i encryption solution components . . . 204
    10.5.4 AIX solution components . . . 206
    10.5.5 Linux on System z . . . 209
    10.5.6 Linux on System p, System x, and other Intel or AMD Opteron servers . . . 210
    10.5.7 HP-UX, Sun, and Microsoft Windows components . . . 213
    10.5.8 Tivoli Storage Manager . . . 216
  10.6 Ordering information . . . 216
    10.6.1 TS1120 tape drive prerequisites . . . 216
    10.6.2 Tape controller prerequisites . . . 218
    10.6.3 LTO4 and LTO5 tape drive prerequisites . . . 219
    10.6.4 Tape library prerequisites . . . 220
    10.6.5 Other library and rack open systems installations . . . 222
    10.6.6 TS7700 Virtualization Engine prerequisites . . . 222
    10.6.7 General software prerequisites for encryption . . . 223
    10.6.8 TS1120 and TS1130 supported platforms . . . 224
    10.6.9 IBM LTO4 and LTO5 tape drive supported platforms . . . 225
  10.7 Other planning considerations for tape data encryption . . . 226
    10.7.1 In-band and out-of-band . . . 226
    10.7.2 Performance considerations . . . 227
    10.7.3 Encryption with other backup applications . . . 227
    10.7.4 ALMS and encryption in the TS3500 library . . . 228
    10.7.5 TS1120 and TS1130 rekeying considerations . . . 229
  10.8 Upgrade and migration considerations . . . 230
    10.8.1 Potential issues . . . 230
    10.8.2 TS1120 and TS1130 compatibility considerations . . . 231
    10.8.3 DFSMSdss host-based encryption . . . 235
    10.8.4 Positioning TS1120 Tape Encryption and Encryption Facility for z/OS . . . 236

Chapter 11. Planning for Tivoli Key Lifecycle Manager and its keystores . . . 237
  11.1 Tivoli Key Lifecycle Manager planning quick reference . . . 238
  11.2 Tivoli Key Lifecycle Manager and keystore considerations . . . 241
    11.2.1 Tivoli Key Lifecycle Manager configuration planning checklist . . . 244
  11.3 Working with keys and certificates . . . 245
    11.3.1 IT Service Management . . . 245
    11.3.2 General security . . . 246
    11.3.3 Tivoli Key Lifecycle Manager key server availability . . . 246
    11.3.4 Encryption deadlock prevention for DS8000 . . . 247
    11.3.5 Tivoli Key Lifecycle Manager key server . . . 247
    11.3.6 DS8000 and tape devices . . . 248
  11.4 Multiple Tivoli Key Lifecycle Managers for redundancy . . . 249
    11.4.1 Setting up primary and secondary Tivoli Key Lifecycle Manager servers . . . 250
    11.4.2 Synchronizing primary and secondary Tivoli Key Lifecycle Manager servers . . . 250
  11.5 Backup and restore . . . 251
    11.5.1 Categories of data in a backup file . . . 251
    11.5.2 Backup file security . . . 252
    11.5.3 IBM Tivoli Storage Manager as a backup repository . . . 252
    11.5.4 Backup and restore runtime requirements . . . 252
    11.5.5 Backing up critical files . . . 253
    11.5.6 Restoring a backup file . . . 254
    11.5.7 Deleting a backup file . . . 256
  11.6 Key exporting and importing tasks . . . 256
    11.6.1 Exporting keys . . . 256
    11.6.2 Importing keys . . . 257
    11.6.3 Importing the public key . . . 258
    11.6.4 Exporting the public key . . . 258
  11.7 Integration and EKM to Tivoli Key Lifecycle Manager migration . . . 259
    11.7.1 Integrating Tivoli Key Lifecycle Manager for DS8000 with an existing EKM tape encryption installation . . . 259
    11.7.2 Migrating from EKM to Tivoli Key Lifecycle Manager . . . 259
    11.7.3 Multiple encrypted disk or tape devices . . . 260
  11.8 Data exchange with business partners . . . 261
  11.9 Disaster recovery considerations . . . 262
  11.10 Database selection . . . 263

Chapter 12. Implementing Tivoli Key Lifecycle Manager . . . 265
  12.1 Implementation notes . . . 266
  12.2 Installing Tivoli Key Lifecycle Manager on 64-bit Windows Server 2008 . . . 266
  12.3 Installing Tivoli Key Lifecycle Manager on 64-bit Red Hat Enterprise Linux AS Version 5.3 server . . . 299
  12.4 Installing Tivoli Key Lifecycle Manager on z/OS . . . 329
  12.5 Configuring Tivoli Key Lifecycle Manager . . . 335
    12.5.1 Configuration for LTO4 and TS1100 . . . 339
    12.5.2 Configuration for DS8000 disk drives . . . 348
  12.6 Conclusions . . . 351

Chapter 13. Tivoli Key Lifecycle Manager operational considerations . . . 353
  13.1 Scripting with Tivoli Key Lifecycle Manager . . . 354
    13.1.1 Simple Linux backup script example . . . 354
  13.2 Synchronizing primary Tivoli Key Lifecycle Manager configuration data . . . 355
    13.2.1 Setting up primary and secondary Tivoli Key Lifecycle Manager servers . . . 355
    13.2.2 Synchronizing primary and secondary Tivoli Key Lifecycle Manager servers . . . 356
  13.3 Tivoli Key Lifecycle Manager maintenance . . . 357
    13.3.1 General disk and tape management . . . 357
    13.3.2 Adding and removing drives . . . 359
    13.3.3 Scheduling key group rollover for LTO tape drives . . . 364
    13.3.4 Scheduling certificate rollover for 3592 tape . . . 368
  13.4 Tivoli Key Lifecycle Manager backup and restore procedures . . . 371
    13.4.1 Using the GUI to back up . . . 372
    13.4.2 Restore by using the GUI . . . 373
    13.4.3 Backing up by using the command line . . . 376
    13.4.4 Restore by using the command line . . . 377
  13.5 Data sharing with business partners . . . 378
    13.5.1 Sharing TS1100 certificate data with a business partner . . . 379
    13.5.2 Sharing LTO key data with a business partner . . . 381
  13.6 Removing Tivoli Key Lifecycle Manager . . . 384
    13.6.1 Backing up the keystore . . . 385
  13.7 Fixing the security warnings in your web browser . . . 385
    13.7.1 Fixing the security warning in Internet Explorer browser . . . 385
    13.7.2 Fixing the security warning in Firefox 2 . . . 386
  13.8 The Tivoli Key Lifecycle Manager command-line interface . . . 386
    13.8.1 Commands using wsadmin . . . 386
    13.8.2 Tivoli Key Lifecycle Manager commands using wsadmin . . . 387
    13.8.3 Setting a larger timeout interval for command processing . . . 388
    13.8.4 Syntax examples . . . 388
    13.8.5 Continuation character . . . 388
    13.8.6 Parameter error messages . . . 389
    13.8.7 Command summary . . . 389

Chapter 14. Planning for Encryption Key Manager and its keystores . . . 393
  14.1 EKM planning quick-reference . . . 394
  14.2 Ordering information and requirements . . . 396
    14.2.1 EKM on z/OS or z/OS.e requirements . . . 396
    14.2.2 EKM on z/VM, z/VSE, and z/TPF . . . 397
    14.2.3 EKM on IBM System i requirements . . . 397
    14.2.4 EKM on AIX requirements . . . 398
    14.2.5 EKM on Linux requirements . . . 399
    14.2.6 EKM on Hewlett-Packard, Sun, and Windows requirements . . . 399
  14.3 EKM and keystore considerations . . . 400
    14.3.1 EKM configuration planning checklist . . . 402
    14.3.2 Best security practices for working with keys and certificates . . . 403
    14.3.3 Acting on the advice . . . 403
    14.3.4 Typical EKM implementations . . . 404
    14.3.5 Multiple EKMs for redundancy . . . 407
    14.3.6 Using Virtual IP Addressing . . . 408
    14.3.7 Key manager backup . . . 409
    14.3.8 FIPS 140-2 certification . . . 409
  14.4 Other EKM considerations . . . 410
    14.4.1 EKM Release 1 to EKM Release 2 migration . . . 410
    14.4.2 Data exchange with business partners or other platforms . . . 410
    14.4.3 Disaster recovery considerations . . . 411
    14.4.4 i5/OS disaster recovery considerations . . . 411
    14.4.5 EKM performance considerations . . . 411

    Chapter 15. Implementing the Encryption Key Manager. . . . . . . . . . . . . . . . . . . . . . . 41315.1 Implementing EKM in z/OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414

    15.1.1 z/OS UNIX System Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41415.1.2 Installing EKM in z/OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41515.1.3 Security products involved: RACF, Top Secret, and ACF2. . . . . . . . . . . . . . . . 41715.1.4 Create a JCE4758RACFKS for EKM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41815.1.5 Setting up the EKM environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42015.1.6 Starting EKM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42315.1.7 Additional definitions of hardware keystores for z/OS. . . . . . . . . . . . . . . . . . . . 42815.1.8 Virtual IP Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42915.1.9 EKM TCP/IP configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430

    15.2 Installing EKM on AIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431viii IBM System Storage Data Encryption

  • 15.2.1 Install the IBM Software Developer Kit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43115.3 Installing EKM on a Microsoft Windows platform . . . . . . . . . . . . . . . . . . . . . . . . . . . 436

    15.3.1 EKM setup tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43715.3.2 Installing the IBM Software Developer Kit on Microsoft Windows. . . . . . . . . . . 43815.3.3 Starting EKM on Microsoft Windows. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44315.3.4 Configuring and starting EKM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444

    15.4 Installing EKM in i5/OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45015.4.1 New installation of the Encryption Key Manager. . . . . . . . . . . . . . . . . . . . . . . . 45015.4.2 Upgrading the Encryption Key Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45315.4.3 Configuring EKM for tape data encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455

    15.5 Implementing LTO4 and LTO5 encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45815.5.1 LTO4 EKM implementation checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45915.5.2 Download the latest EKM software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45915.5.3 Create a JCEKS keystore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46315.5.4 Off-site or business partner exchange with LTO4 compared to 3592. . . . . . . . 46615.5.5 EKM Version 2 installation and customization on Microsoft Windows . . . . . . . 46715.5.6 Starting EKM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46915.5.7 Starting EKM as a Microsoft Windows Service . . . . . . . . . . . . . . . . . . . . . . . . . 470

    15.6 Implementing LTO4 and LTO5 Library-Managed Encryption . . . . . . . . . . . . . . . . . . 47215.6.1 Barcode Encryption Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47215.6.2 Specifying a Barcode Encryption Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47515.6.3 TS3500 Library-Managed Encryption differences from TS3310, TS3200, TS3100,

    and TS2900 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47915.7 LTO4 or LTO5 System-Managed Encryption implementation. . . . . . . . . . . . . . . . . . 480

    15.7.1 LTO4 SME implementation checklist for Windows . . . . . . . . . . . . . . . . . . . . . . 480

    Chapter 16. Planning and managing your keys with Encryption Key Manager . . . . 48116.1 Keystore and SAF Digital Certificates (keyrings) . . . . . . . . . . . . . . . . . . . . . . . . . . . 48216.2 JCEKS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482

    16.2.1 Examples of managing public-private key pairs . . . . . . . . . . . . . . . . . . . . . . . . 48316.2.2 Managing symmetric keys in a JCEKS keystore. . . . . . . . . . . . . . . . . . . . . . . . 48616.2.3 Example using iKeyman . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490

    16.3 JCE4758KS and JCECCAKS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49716.3.1 Script notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49716.3.2 Symmetric keys in a JCECCAKS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499

    16.4 JCERACFKS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50016.5 JCE4758RACFKS and JCECCARACFKS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502

    16.5.1 RACDCERT keywords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50316.5.2 Best practice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505

    16.6 PKCS#11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50616.7 IBMi5OSKeyStore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506

    16.7.1 Digital Certificate Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50716.7.2 Setting up an IBMi5OSKeyStore. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507

    16.8 ShowPrivateTool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52216.9 MatchKeys tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52416.10 Hardware cryptography. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527

    Chapter 17. Encryption Key Manager operational considerations. . . . . . . . . . . . . . . 53117.1 EKM commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532

    17.1.1 The EKM sync command and EKM properties file . . . . . . . . . . . . . . . . . . . . . . 53217.1.2 EKM command-line interface and command set . . . . . . . . . . . . . . . . . . . . . . . 533

    17.2 Backup procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53817.2.1 EKM file system backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538 Contents ix

  • 17.2.2 Identifying DFSMShsm to z/OS UNIX System Services . . . . . . . . . . . . . . . . . . 54017.2.3 Keystore backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54017.2.4 RACF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541

    17.3 ICSF disaster recovery procedures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54217.3.1 Key recovery checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54217.3.2 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54317.3.3 Pre-key change: All LPARs in the sysplex . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54317.3.4 Check the ICSF installation options data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54617.3.5 Disable all services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54717.3.6 Entering master keys for all LPARs in the sysplex . . . . . . . . . . . . . . . . . . . . . . 54817.3.7 Post-key change for all LPARs in the sysplex. . . . . . . . . . . . . . . . . . . . . . . . . . 55317.3.8 Exiting disaster recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554

    17.4 Business partner tape-sharing example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55417.4.1 Key-sharing steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55417.4.2 Exporting a public key and certificate to a business partner . . . . . . . . . . . . . . . 55517.4.3 Exporting a symmetric key from a JCEKS keystore . . . . . . . . . . . . . . . . . . . . . 55917.4.4 Importing a public key and a certificate from a business partner . . . . . . . . . . . 55917.4.5 Tape exchange and verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56117.4.6 Importing symmetric keys to a JCEKS keystore . . . . . . . . . . . . . . . . . . . . . . . . 563

    17.5 RACF export tool for z/OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56317.6 Audit log considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564

    17.6.1 Audit overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56517.6.2 Audit log parsing tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565

    Chapter 18. Implementing TS1100 series encryption in System z . . . . . . . . . . . . . . . 57118.1 Implementation overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57218.2 Implementation prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572

    18.2.1 Implementing the initial tape library hardware. . . . . . . . . . . . . . . . . . . . . . . . . . 57318.2.2 Initial z/OS software definitions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574

    18.3 EKM implementation overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57518.4 Implementing the tape library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576

    18.4.1 Implementation steps for the IBM TS3500 Tape Library. . . . . . . . . . . . . . . . . . 57618.4.2 Implementation steps for the IBM 3494 Tape Library . . . . . . . . . . . . . . . . . . . . 57918.4.3 Implementation steps for the IBM TS3400 Tape Library. . . . . . . . . . . . . . . . . . 583

    18.5 Implementing the tape control unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58518.6 z/OS implementation steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585

    18.6.1 z/OS software maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58618.6.2 Update PARMLIB member IECIOSxx. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58618.6.3 Define or update Data Class definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58718.6.4 Considerations for JES3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59118.6.5 Tape management system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59218.6.6 DFSMSrmm support for tape data encryption. . . . . . . . . . . . . . . . . . . . . . . . . . 59218.6.7 DFSMSdfp access method service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59618.6.8 Data Facility Data Set Services considerations . . . . . . . . . . . . . . . . . . . . . . . . 59718.6.9 DFSMS Hierarchal Storage Manager considerations . . . . . . . . . . . . . . . . . . . . 598

    18.7 z/VM implementation steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59918.7.1 Tape library and tape control unit implementation . . . . . . . . . . . . . . . . . . . . . . 60018.7.2 Out-of-band encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60018.7.3 Defining key aliases to z/VM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60418.7.4 Using ATTACH and DETACH to control encryption . . . . . . . . . . . . . . . . . . . . . 60518.7.5 Using SET RDEVICE to control encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . 60618.7.6 QUERY responses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60618.7.7 z/VM DASD Dump Restore (DDR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607x IBM System Storage Data Encryption

  • 18.8 Miscellaneous implementation considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60718.8.1 Data exchange with other data centers or business partners . . . . . . . . . . . . . . 60718.8.2 Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608

    18.9 TS1120 and TS1130 tape cartridge rekeying in z/OS. . . . . . . . . . . . . . . . . . . . . . . . 60818.9.1 TS1120 Model E05 rekeying support in z/OS. . . . . . . . . . . . . . . . . . . . . . . . . . 60818.9.2 IEHINITT enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60918.9.3 Security considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61218.9.4 Packaging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61218.9.5 Rekeying exits and messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612

    Chapter 19. Implementing TS7700 tape encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . 61319.1 TS7700 encryption overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61419.2 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615

    19.2.1 Tape drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61519.2.2 TS7700 Virtualization Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61519.2.3 Library Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61519.2.4 Encryption Key Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615

    19.3 Implementation overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61619.3.1 Implementing the initial tape library hardware. . . . . . . . . . . . . . . . . . . . . . . . . . 61619.3.2 Implementing the initial TS7700 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61619.3.3 Initial z/OS software definitions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61719.3.4 EKM implementation overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617

    19.4 Tape library implementation and setup for encryption . . . . . . . . . . . . . . . . . . . . . . . 61719.4.1 Enabling drives for encryption in the IBM TS3500 Tape Library. . . . . . . . . . . . 61819.4.2 Enabling drives for encryption in the IBM 3494 Tape Library . . . . . . . . . . . . . . 62019.4.3 Encryption-enabled drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623

    19.5 Software implementation steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62319.5.1 z/OS software maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62319.5.2 Encryption Key Manager installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62319.5.3 z/OS DFSMS implementation steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623

    19.6 TS7700 implementation steps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62419.6.1 Configuring the TS7700 for encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62419.6.2 Creating TS7700 storage groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62619.6.3 Creating TS7700 management classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62719.6.4 Activate the TS7700 Encryption Feature License. . . . . . . . . . . . . . . . . . . . . . . 62919.6.5 EKM addresses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63119.6.6 Testing EKM connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63219.6.7 Configuring pool encryption settings for the TS7700 . . . . . . . . . . . . . . . . . . . . 632

    19.7 Implementation considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63419.7.1 Management construct definitions and transfer . . . . . . . . . . . . . . . . . . . . . . . . 63419.7.2 Changing storage pool encryption settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . 63419.7.3 Moving data to encrypted storage pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63519.7.4 EKM operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63719.7.5 Tracking encryption usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63819.7.6 Data exchange with other data centers or business partners . . . . . . . . . . . . . . 638

    19.8 TS7700 encryption with z/VM, z/VSE, or z/TPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638

    Chapter 20. Implementing TS1120 and TS1130 encryption in an open systems environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641

    20.1 Encryption overview in an open systems environment . . . . . . . . . . . . . . . . . . . . . . . 64220.2 Adding drives to a logical library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 643

    20.2.1 Advanced Library Management System considerations. . . . . . . . . . . . . . . . . . 64320.3 Managing the encryption and business partner exchange . . . . . . . . . . . . . . . . . . . . 644 Contents xi

    20.3.1 Disaster recovery considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 646

  • 20.3.2 Keeping track of key usage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64720.4 Encryption implementation checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648

    20.4.1 Planning your EKM environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64820.4.2 EKM setup tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64920.4.3 Application-Managed Encryption setup tasks . . . . . . . . . . . . . . . . . . . . . . . . . . 64920.4.4 System-Managed (Atape) Encryption setup tasks . . . . . . . . . . . . . . . . . . . . . . 65020.4.5 Library-Managed Encryption setup tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651

    20.5 Implementing Library-Managed Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65120.5.1 LME implementation tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65120.5.2 Upgrading firmware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65220.5.3 Add EKM or Tivoli Key Lifecycle Manager IP addresses . . . . . . . . . . . . . . . . . 65820.5.4 Enabling Library-Managed Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65920.5.5 Barcode Encryption Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 662

    20.6 Implementing System-Managed Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66820.6.1 System-Managed Encryption tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66920.6.2 Atape device driver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67020.6.3 Update Atape EKM proxy configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67020.6.4 System-Managed Encryption Atape device entries . . . . . . . . . . . . . . . . . . . . . 67220.6.5 Updating the Atape device driver configuration . . . . . . . . . . . . . . . . . . . . . . . . 67320.6.6 Enabling System-Managed Encryption using the TS3500 web GUI. . . . . . . . . 67420.6.7 Using SMIT to enable System-Managed Encryption . . . . . . . . . . . . . . . . . . . . 67620.6.8 Managing System-Managed Encryption and business partner exchange . . . . 683

    20.7 Application-Managed Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68620.7.1 IBM Tivoli Storage Manager overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68620.7.2 IBM Tivoli Storage Manager support for 3592 drive encryption . . . . . . . . . . . . 68720.7.3 Implementing Application-Managed Encryption . . . . . . . . . . . . . . . . . . . . . . . . 68820.7.4 IBM Tivoli Storage Manager encryption considerations . . . . . . . . . . . . . . . . . . 691

    20.8 IBM 3494 with TS1120 or TS1130 encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69220.8.1 Review the 3494 encryption-capable drives . . . . . . . . . . . . . . . . . . . . . . . . . . . 69220.8.2 Specifying a Barcode Encryption Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69620.8.3 Entering the EKM IP address and key labels . . . . . . . . . . . . . . . . . . . . . . . . . . 69820.8.4 ILEP key label mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699

    Chapter 21. Tape data encryption with i5/OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70121.1 Planning for tape data encryption with i5/OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 702

    21.1.1 Hardware prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70221.1.2 Software prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70321.1.3 Disaster recovery considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70421.1.4 EKM keystore considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70521.1.5 TS1120 Tape Encryption policy considerations . . . . . . . . . . . . . . . . . . . . . . . . 70621.1.6 Considerations for sharing tapes with partners. . . . . . . . . . . . . . . . . . . . . . . . . 70721.1.7 Steps for implementing tape encryption with i5/OS . . . . . . . . . . . . . . . . . . . . . 709

    21.2 Setup and usage of tape data encryption with i5/OS . . . . . . . . . . . . . . . . . . . . . . . . 70921.2.1 Creating an EKM keystore and certificate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71021.2.2 Configuring the TS3500 library for Library-Managed Encryption . . . . . . . . . . . 72221.2.3 Importing and exporting encryption keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73221.2.4 Working with encrypted tape cartridges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74421.2.5 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 749

    Part 4. DS8000 encryption features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 751

    Chapter 22. IBM System Storage DS8000 encryption preparation. . . . . . . . . . . . . . . 75322.1 Encryption-capable DS8000 ordering and configuration. . . . . . . . . . . . . . . . . . . . . . 754xii IBM System Storage Data Encryption

    22.2 Requirements for encrypting storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 755

  • 22.3 Tivoli Key Lifecycle Manager configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75622.3.1 Log in to Tivoli Integrated Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75622.3.2 Creating an image certificate or certificate request. . . . . . . . . . . . . . . . . . . . . . 75722.3.3 Configure the SFIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76122.3.4 Starting and stopping the Tivoli Key Lifecycle Manager server and determining its

    status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76522.4 Configuring the Tivoli Key Lifecycle Manager server connections to the DS8000 . . 767

    Chapter 23. DS8000 encryption features and implementation . . . . . . . . . . . . . . . . . . 77123.1 DS8100/DS8300 (R4.2) GUI configuration for encryption . . . . . . . . . . . . . . . . . . . . 772

    23.1.1 Configuring the encryption group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77223.1.2 Applying the encryption activation key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77323.1.3 Configuring and administering encrypted arrays. . . . . . . . . . . . . . . . . . . . . . . . 77623.1.4 Configuring and administering encrypted ranks . . . . . . . . . . . . . . . . . . . . . . . . 78023.1.5 Configuring and administering encrypted extent pools . . . . . . . . . . . . . . . . . . . 783

    23.2 DS8700 (R5.0) GUI configuration for encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . 78823.2.1 Configuring the recovery key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78823.2.2 Configuring the encryption group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79223.2.3 Applying the encryption activation key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79423.2.4 Configuring and administering encrypted arrays. . . . . . . . . . . . . . . . . . . . . . . . 79623.2.5 Configuring and administering encrypted ranks . . . . . . . . . . . . . . . . . . . . . . . . 79823.2.6 Configuring and administering encrypted extent pools . . . . . . . . . . . . . . . . . . . 801

  23.3 DS8000 DS CLI configuration for encryption  804
    23.3.1 Configuring the Tivoli Key Lifecycle Manager server connection  804
    23.3.2 Configuring and administering the encryption group  806
    23.3.3 Applying encryption activation key  807
    23.3.4 Creating encrypted arrays  807
    23.3.5 Creating encrypted ranks  808
    23.3.6 Creating encrypted extent pools  809
  23.4 Encryption and Copy Services functions  810

Chapter 24. DS8700 advanced encryption features and implementation  811
  24.1 New security roles: Storage and security administrator  812
  24.2 Recovery key support  814
    24.2.1 Configuring the recovery key  814
    24.2.2 Validating the recovery key  818
    24.2.3 Initiating recovery  820
    24.2.4 Using the process to rekey the recovery key  826
    24.2.5 Deleting the recovery key  830
    24.2.6 Recovery key state summary  833
  24.3 Dual platform key server support  833
    24.3.1 Setting up Tivoli Key Lifecycle Manager server  833

Chapter 25. Best practices and guidelines for DS8000 encryption  845
  25.1 Best practices for encrypting storage environments  846
    25.1.1 Security  846
    25.1.2 Availability  846
    25.1.3 Encryption deadlock prevention  847
  25.2 Dual Hardware Management Console and redundancy  850
    25.2.1 Dual Hardware Management Console advantages  850
    25.2.2 Redundant HMC configurations  850
  25.3 Multiple Tivoli Key Lifecycle Managers for redundancy  852
    25.3.1 Setting up primary and secondary Tivoli Key Lifecycle Manager servers  853
    25.3.2 Synchronizing primary and secondary Tivoli Key Lifecycle Manager servers  853
  25.4 Backup and restore the Tivoli Key Lifecycle Manager servers  853
    25.4.1 Categories of data in a backup file  854
    25.4.2 Backup file security  854
    25.4.3 IBM Tivoli Storage Manager as a backup repository  854
    25.4.4 Backup and restore runtime requirements  854
    25.4.5 Backing up critical files  855
    25.4.6 Restoring a backup file  856
    25.4.7 Deleting a backup file  858
  25.5 Key exporting and importing tasks  858
    25.5.1 Exporting keys  859
    25.5.2 Importing keys  859

Appendix A. z/OS planning and implementation checklists  863
  DFSMS Systems Managed Tape planning  864
    DFSMS planning and the z/OS encryption planning checklist  864
    Storage administrator stand-alone environment planning  865
    Storage administrator tape library environment planning  866
  DFSMS Systems Managed Tape implementation  867
  Object access method planning  869
    Storage administrator OAM planning  869
  OAM implementation  870
  DFSMShsm tape environment  871

Appendix B. DS8700 encryption-related system reference codes  873

Appendix C. z/OS Java and Open Edition tips  877
  JZOS  878
    Console communication with batch jobs  878
    Encryption Key Manager and JZOS  879
  MVS Open Edition tips  882
    Exporting a variable  882
    Setting up an alias  882
    Copying the escape character  883
    Advantages of VT100  884
  Advanced security hwkeytool and keytool scripts  885
    Complete keytool example for JCEKS using hidden passwords  885
    Complete hwkeytool example for JCE4758KS using hidden passwords  887
  Java  889
    Security and providers  889
    Garbage Collector  890
    Verifying the installation  891
    z/OS region size  891
    Policy files  891

Appendix D. Asymmetric and Symmetric Master Key change procedures  893
  Asymmetric Master Key change ceremony  894
    Prerequisites  894
    Testing encryption and decryption  894
    Pre-key change: Disabling PKA services for all images in the sysplex  894
    Key change: First LPAR in the sysplex  896
    Key change: Subsequent LPARs in the sysplex  902
    Post-key change: All LPARs in the sysplex  906
  ICSF tips  910
    Creating a PKDS VSAM data set  910
  Symmetric Master Key change ceremony  911
    Prerequisites  912
    Testing the encryption and decryption  912
    Disabling dynamic CKDS updates for all images in the sysplex  912
    Key change: First LPAR in the sysplex  913
    Reenciphering the CKDS under the new SYM-MK  919
    Changing the new SYM-MK and activating the re-enciphered CKDS  921
    Key change: Subsequent LPARs in the sysplex  922
    Post-key change: All LPARs in the sysplex  925

Appendix E. z/OS tape data encryption diagnostics  931
  EKM problem determination when running z/OS  932
  Error scenarios  932
  Diagnostic scenarios  935
  Encryption Key Manager error codes and recovery actions  938
    Drive error codes  940
    Control unit error codes  941
    IOS628E message indicates connection failure  942

Appendix F. IEHINITT exits and messages for rekeying  943
  Dynamic Exits Service Facility support  944
    Error conditions  944
    Programming considerations  945
  REKEY messages  945
    New messages  946
    Modified messages  946

Appendix G. Implementing EKM on z/OS SECURE key processing to TS1100 and LTO4/LTO5 drives  949
  Implementing EKM in z/OS  950
    Prerequisites  950
    z/OS UNIX System Services  950
    Installing the Encryption Key Manager in z/OS  951
    Create a JCECCAKS for EKM  953
    Setting up the EKM environment  954
    Starting EKM  957
    Configuring EKM TCP/IP  962
    Enterprise-wide key management  964
  Conclusions  964

Appendix H. Encryption testing in an open systems environment  965
  Encryption key path test  966
    Using key path diagnostics in an LME environment  966
    Key Path Diagnostic test in a SME environment  969
  Testing data encryption  973
    IBM Tape Diagnostic Tool  973
    Encryption Verification test using the ITDT-GE  973
    Encryption verification using the ITDT-SE  978
    Encryption test using the device driver functions  979

Related publications  985
  IBM Redbooks publications  985
  Other publications  985
  Online resources  987
  How to get IBM Redbooks publications  988
  Help from IBM  988

Index  991

Notices

    This information was developed for products and services offered in the U.S.A.

    IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

    IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A.

    The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

    This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

    Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk.

    IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

    Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

    This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental. The following company name appearing in this publication is fictitious:

    ZABYXC

    This name is used for instructional purposes only.

    COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. These and other IBM trademarked terms are marked on their first occurrence in this information with the appropriate symbol (® or ™), indicating US registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the web at http://www.ibm.com/legal/copytrade.shtml

    The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both:

AIX 5L, AIX, alphaWorks, AS/400, CICS, DB2, developerWorks, DS8000, ESCON, FICON, FlashCopy, i5/OS, IBM, iSeries, Language Environment, Lotus, MVS, Netfinity, OS/400, Parallel Sysplex, pSeries, RACF, Redbooks, Redbooks (logo), RS/6000, System i5, System i, System p, System Storage DS, System Storage, System x, System z9, System z, Tivoli, TotalStorage, VTAM, WebSphere, xSeries, z/OS, z/VM, z/VSE, z9, zSeries

    The following terms are trademarks of other companies:

    AMD, AMD Opteron, the AMD Arrow logo, and combinations thereof, are trademarks of Advanced Micro Devices, Inc.

    SUSE, the Novell logo, and the N logo are registered trademarks of Novell, Inc. in the United States and other countries.

VMware, the VMware "boxes" logo and design are registered trademarks or trademarks of VMware, Inc. in the United States and/or other jurisdictions.

Java, and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

    Microsoft, Windows, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Microsoft product screen shot(s) reprinted with permission from Microsoft Corporation.

Intel Xeon, Intel, Itanium, Intel logo, Intel Inside logo, and Intel Centrino logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

    UNIX is a registered trademark of The Open Group in the United States and other countries.

    Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Other company, product, or service names may be trademarks or service marks of others.

Preface

Strong security is no longer a luxury in today's round-the-clock, global business environment. It is a requirement. Ensuring the protection and security of an organization's information is the foundation of any successful business.

Encrypting data is a key element when addressing these concerns. IBM provides a wide range of IBM storage hardware products that are capable of encrypting the data that is written on them. This product line includes a variety of disk systems and tape drives. Several IBM storage products support encryption:

Disk systems:
  IBM System Storage DS5000 series
  IBM System Storage DS8000 series

Tape drives:
  IBM System Storage TS1130 Model E06 and Model EU6 Tape Drive
  IBM System Storage TS1120 Model E05 Tape Drive
  IBM System Storage Linear Tape-Open (LTO) Ultrium Generation 4 Tape Drive

    This IBM Redbooks publication describes IBM System Storage data encryption. This book is intended for anyone who needs to learn more about the concepts of data encryption and the IBM storage hardware and software that enable data encryption.

The team who wrote this book

This book was produced by a team of specialists from around the world working at the International Technical Support Organization, Austin Center.

Alex Osuna is a Project Leader at the International Technical Support Organization, Tucson Center. He writes extensively and teaches IBM classes worldwide on all areas of storage. Before joining the ITSO five years ago, Alex was a Tivoli Principal Systems Engineer in storage. Alex has over 31 years' experience in the IT industry, over 29 of them spent in the storage arena. He holds certifications from IBM, Red Hat, and Microsoft.

David Crowther has over 30 years' experience in the IT industry, the last 24 working for IBM. During his IBM career, he has worked in Technical Pre-sales, Services and Support, and currently works in IBM BetaWorks, where he manages early beta programs for Tivoli Security and Provisioning products. In addition, he creates and runs enablement workshops, authors technical cookbooks and manuals, provides technical support, presents, and acts as a subject matter expert for the new products. He also has wide experience in running beta programs on and supporting products from many of the other IBM brands, including Large Systems, Networking, Pervasive, Lotus, Voice, and WebSphere. He is a Consulting IT Specialist, Chartered IT Professional, and Chartered Engineer, and he holds a Master's degree in Electrical Sciences from Cambridge University.

Reimar Pflieger is an IT Specialist from Germany working at the IBM Global Technology Services Organization. He provides post-sales support as a Product Field Engineer for RMSS products in Mainz. He joined IBM in 1998 and worked for many years as a Process Support and Manufacturing Engineer in Disk and Wafer Production. In his current job role as an RMSS Product Field Engineer, he supports Open Systems Tape, Tape Libraries from entry level to high-end level and Tape Encryption solutions. His experience with Operating Systems includes Linux, Windows and AIX platforms.

Esha Seth is a Software Engineer working at the IBM Systems and Technology Labs in Pune, India. She graduated in 2006 with a Bachelor of Engineering degree in Computer Science from Pune University. She joined IBM after graduation and has worked as a Systems Software developer for the Systems and Storage Management group. During her tenure at IBM, she has contributed to all phases of the software development life cycle and collaborated with global teams in various projects for the IBM Systems Director product. Her areas of technical expertise include storage and systems management, IBM Systems Management solutions, service-oriented architecture (SOA), Java, Eclipse, and OSGi plug-in development. Currently, she is a part of the IBM Systems Director Network Manager team and is involved in its development efforts.

Ferenc Toth is a Test Engineer working for DS8000 Storage Server manufacturing in Vac, Hungary. He has four years of experience in high-end disk subsystem testing, test process optimization, and new product implementation. He holds a Master of Science degree in Electrical Engineering, with a specialization in embedded systems, from the Budapest University of Technology and Economics, Hungary. His focus is hardware and software qualification for all the supported DS8000 releases in the manufacturing environment.

Thanks to the following people for their contributions to this project:

David Kahler, IBM Systems & Technology Group, Systems Hardware Development

Steven R. Hart, CISSP, z/OS Cryptography

Anjul Mathur, IBM Tucson

Jacob Sheppard, IBM Tucson

James Whelan, IBM Systems & Technology Group, Development Operations and Technical Support

Now you can become a published author, too!

Here's an opportunity to spotlight your skills, grow your career, and become a published author, all at the same time! Join an ITSO residency project and help write a book in your area of expertise, while honing your experience using leading-edge technologies. Your efforts will help to increase product acceptance and customer satisfaction, as you expand your network of technical contacts and relationships. Residencies run from two to six weeks in length, and you can participate either in person or as a remote resident working from your home base.

Find out more about the residency program, browse the residency index, and apply online at: ibm.com/redbooks/residencies.html

Comments welcome

Your comments are important to us!

    We want our b