Crypto and Disaster Recovery
Agenda – Crypto and Disaster Recovery
• How Do You Do DR?
• Technology
  • Hardware
  • Domains
  • Master Keys
• Restoring the DR environment
  • Encrypting tape drives
  • Encryption Facility or OEM product
• TKE
October 2014 zExchange – Crypto and Disaster Recovery Page 2
How do you do DR?
• Hardware
  • Same machine type?
  • DR site is newer technology?
  • DR site is older technology?
• Operationally
  • Hot site?
  • Warm site?
  • Cold site?
• Virtual machines for DR testing?
System z Clear Key Cryptographic Hardware – z890/z990, z9 (EC & BC), z10 (EC (GA3) & BC (GA2)), z196/z114, zEC12/zBC12
• CP Assist for Cryptographic Function (CPACF)
  • DES (56-, 112-, 168-bit), new chaining options
  • AES (128-, 192-, 256-bit), new chaining options
  • SHA-1, SHA-256, SHA-512 (SHA-2)
  • PRNG
  • Protected Key
TechDoc WP100810 – A Synopsis of System z Crypto Hardware
FC #3863
System z Secure Key Crypto Hardware
PCIXCC/PCICA, CEX2/CEX2-1P, CEX3/CEX3-1P, CEX4S
• Secure Key DES/TDES
• Secure Key AES
• Financial (PIN) Functions***
• Key Generate/Key Management***
• Random Number Generate / Generate Long
• SSL Handshakes (2048-, 4096-bit keys)
• Protected Key Support
• ECC (z196/z114 only)
• EP11
*** Additional functionality on later machines
TechDoc WP100810 – A Synopsis of System z Crypto Hardware
How do you do DR?
• Hardware
  • Same machine type? Same MCLs?
    • Shouldn’t be any issues
  • DR site is using newer hardware?
    • New machines can do everything the old machines could do
    • But you might need toleration PTFs on your production system (CEX3 in production, but CEX4S at DR)
  • DR site is using older technology?
    • Are you using the latest functionality?
• Test!
LPAR Activation Profile
From CPC Operational Customization, click on View LPAR Cryptographic Controls
Must match the DOMAIN parm in the Options data set!
ICSF and Domains
• ICSF Domains cannot be shared by LPAR images or guests
  • First LPAR to activate or VM Guest to start will get access, later images will fail to activate or start
• If only one domain assigned in the LPAR Activation profile or VM directory, then ICSF will figure that out and use it
• If multiple domains assigned in the LPAR Activation profile or VM directory, then you must tell ICSF which one to use in ICSF Options
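A preflight check for the domain rules on the two slides above (LPAR Activation Profile, ICSF and Domains), added here as an example and not part of the original presentation. It assumes every image is given the same crypto adapters and that DOMAIN(n) sits on its own line of the options data set; the image names, data set names and plan are constructed.

```python
import re

# DOMAIN(n) keyword of the ICSF options data set (assumed: on its own line).
DOMAIN_RE = re.compile(r"^\s*DOMAIN\s*\(\s*(\d+)\s*\)", re.I | re.M)

def options_domain(options_text):
    """Return n from DOMAIN(n), or None when the keyword is absent."""
    m = DOMAIN_RE.search(options_text)
    return int(m.group(1)) if m else None

def effective_domain(assigned, options_text):
    """Domain ICSF would use for one image; ValueError if it cannot tell."""
    if not assigned:
        raise ValueError("no domain assigned in the profile or directory")
    wanted = options_domain(options_text)
    if wanted is None:
        if len(assigned) == 1:
            return next(iter(assigned))  # single domain: ICSF works it out
        raise ValueError("several domains assigned, no DOMAIN parm in options")
    if wanted not in assigned:
        raise ValueError(f"DOMAIN({wanted}) is not assigned to this image")
    return wanted

def preflight(images):
    """images: (name, assigned domains, options text) tuples in start order."""
    claimed, findings = {}, []
    for name, assigned, options_text in images:
        clash = sorted(d for d in assigned if d in claimed)
        if clash:  # first image to start holds the domain, later ones fail
            findings.append(f"{name}: domain {clash[0]} already held by "
                            f"{claimed[clash[0]]}, image will not start")
            continue
        claimed.update((d, name) for d in assigned)
        try:
            effective_domain(set(assigned), options_text)
        except ValueError as err:
            findings.append(f"{name}: {err}")
    return findings

# Constructed DR-site plan: hypothetical image names and data set names.
PLAN = [
    ("DRSYS1", {0}, "CKDSN(CSF.DR.CKDS)\nPKDSN(CSF.DR.PKDS)\n"),
    ("DRSYS2", {1, 2}, "CKDSN(CSF.DR.CKDS)\n"),
    ("DRSYS3", {2, 3}, "DOMAIN(3)\n"),
    ("DRSYS4", {4}, "DOMAIN(5)\n"),
]

if __name__ == "__main__":
    for finding in preflight(PLAN):
        print(finding)
```

Running it against the DR plan before the exercise surfaces the three misconfigurations (missing DOMAIN parm, overlapping domain, DOMAIN parm not in the profile) that would otherwise show up only when the images are started.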
Crypto Support in the VM Directory
• CRYPTO – authorizes guest machine to use crypto
  • APVIRTual – provides access to clear key devices (PCICA, CEX2A, CEX3A) – for Linux and VSE Guests
  • APDEDicated ap, ap … – assigns crypto devices
  • DOMAIN n – assigns a domain(s) to the guest
  • CSU 0,1,* – assigns zero, one or both CCFs
  • KEYENTRY – PCCF functions
  • SPECIAL – Enable Special Secure Mode
  • MODIFY – provides access to a TKE from this guest
• OPTION CRYMeasure – authorizes access to crypto measurement data on the crypto hardware
Master Keys at the DR site
• Master keys are installed into secure hardware
  • Master keys must be available to the DR hardware
  • Once loaded, no way to retrieve them – so make sure you know what you loaded in production!
  • Where do you store the master key components?
• Loading Master Keys
  • Passphrase Initialization, PPINIT
  • ISPF Panels for ICSF
  • Trusted Key Entry Workstation
• Use the MKVP (SYM-MK/CKDS) and the Hash Pattern (ASYM-MK/PKDS) to ensure you’re loading the right keys
Master Keys on the DR System
• Hot-site (DASD mirroring)
  • CKDS/PKDS are mirrored, master key changes are made on the production system and DR system
• Warm/Cold-site (Restore from Tape)
  • Are your System Volumes Encrypted? – If the keys are stored on the z/OS system, then the driver system that restores the tapes must have access to those keys
  • Only Application Data Encrypted – DR system may be used to recover data
Exactly what are you encrypting?
• System Volumes?
• Application Volumes?
• Specific application data?
And how are you encrypting?
• Encrypting tape drives
• Encryption Facility for z/OS
• OEM Product
Restoring the DR environment – Encrypted Tape Drives
• If your backups are encrypted – where is your key repository?
  • IBM Security Key LifeCycle Manager (ISKLM, aka TKLM, EKM) under Unix System Services (USS) and key repository using RACF, or ICSF or RACF and ICSF
    • Plus – key security provided by RACF, ICSF and secure key hardware
    • Minus – must make the RSA keys available on the driver system, where the tapes are restored
If the RSA keys are stored in ICSF, then the PKDS must be available to the driver system, which means the driver system must have secure hardware and the associated RSA-MK must be loaded
[Diagram from REDP-4646. Labels: ISKLM for z/OS; Java JCE Provider IBMJCE; SAF based Keyring; ICSF PKDS]
Restoring Tapes – Encrypted Tape Drives
• If your backups are encrypted – where is your key repository?
  • Keystore on a remote system (z/OS or not)
    • Plus – driver system can connect to the production ISKLM and key repository
    • Minus – key protection provided by the non-z/OS platform
[Diagram labels: z/OS; Java keystore]
Restoring tapes – Encryption Facility
• Password option – the password must be provided to the restore job on the driver system
• RSA Option – RSA keys in the PKDS must be available on the driver system, along with the RSA-MK that is associated with that PKDS
AND
• Specific hardware may be required
  • CLRAES – potential performance issues if the driver system doesn’t provide AES hardware
  • ENCTDES – driver system must have secure hardware
  • RSA Keys – require CEX card
Restoring tapes – OEM Products
• Where is the key repository? If it uses the CKDS or PKDS, then the CKDS and/or PKDS must be available on the driver system
Using a TKE to manage the DR site
[Diagram labels: TKE; Production; DR; IBM System z9 EC/BC Crypto Express 2; IBM System z10 EC/BC Crypto Express / Crypto Express3; z196 Crypto Express3; z114 Crypto Express3]
Using a TKE to manage the DR site
[Diagram labels: TKE; DR TKE; Production; DR; IBM System z9 EC/BC Crypto Express 2; IBM System z10 EC/BC Crypto Express / Crypto Express3; z196 Crypto Express3; z114 Crypto Express3]
Disaster Recovery TKE
• Host files
  • TKECM – Crypto Module Data set defined to the Host Transaction Program
    • Contains info about TKE application windows
    • Crypto module notebooks (descriptions, domain descriptions, authority information)
    • Backup for recovery purposes, but may need to be recreated at a DR site if the crypto modules and configuration are not identical
  • Host Configuration – IP Addresses must be configured properly
• Workstation Files
  • Backup Critical Console Data
    • intended for protecting from a failed hard drive, applicable for DR IF the TKEs are identical
  • TKE File Management Utility (TKE V5 and later)
TKE Backup/Recovery of Keys
• Keys
  • Master Keys
  • Signature Keys
  • Operational Keys
• Storage
  • Smart Card
  • Floppy
  • Keystore
  • Print
TKE Migration Wizard
Wizard is the implementation of a secure protocol for collecting, saving, and installing data from one cryptographic adapter to another.
Data includes Master Key Material!
A couple of final thoughts
• After a DR – exercise or the real thing
  • Clear your master keys at the DR site
And maybe …
• Change your master keys
Consider your crypto users
• System SSL
• DB2 Built-In Functions
• Infosphere Guardium Data Encryption Tool for IMS and DB2
• Encryption Facility
• Encryption Key Manager (EKM)
• OEM products
• Applications
TEST!
IBM Pubs
• ICSF Overview, SA22-7519
• ICSF Administrator’s Guide, SA22-7521
• ICSF Application Programmer’s Guide, SA22-7522
• ICSF System Programmer’s Guide, SA22-7520
IBM Resources (on the web)
• ATS TechDocs Web Site www.ibm.com/support/techdocs (Search All Documents for keyword of ‘Crypto’)
• WP100810 – A Synopsis of System z Crypto Hardware
• ‘How to Setup TKE for Disaster Recovery’ in Hot Topics Aug. 2007 Issue 17
• http://publibz.boulder.ibm.com/epubs/pdf/e0z2n180.pdf
Redbooks
• www.ibm.com/redbooks
• SG24-7320 IBM System Storage Tape Encryption Solutions
• REDP-4646 IBM Security Key Lifecycle Manager for z/OS: Deployment and Migration Considerations
Questions?