Tape Encryption and BRMS On System I
IBM : System i
Acknowledgements
Bob Gintowt, Jeff Uehling, Dave Bhaskaran, Scott Maxson, Barb Smith, Duane Wenzel, Joe Kochan, John Halda, Sanjay Patel, Mervyn Venter
Overview
- Planning
- System i solution
- Encryption Key Manager (EKM)
- Library manager encryption setup
- Backup, Recovery and Media Services (BRMS)
- Requirements
Planning
Critical components
- Encryption-capable tape library
- Library Manager
- Key management via the Encryption Key Manager (EKM)
- Digital Certificate Manager (DCM) on i5/OS, if the EKM runs on i5/OS
- Backup, Recovery and Media Services (BRMS)
- Media management
- Media movement
- Backup planning for the encrypted save and for the EKM save
- Disaster recovery planning
If all cartridges are encrypted, the cartridges can optionally be assigned to one library-managed logical library.
Do I want to specify keys for the cartridges in my library that differ from the default keys configured at the EKM? If yes, those key labels must be established ahead of time so that they can be entered in the Scratch Encryption Policy.
The key labels must be specified whether the same keys are applied to all encrypted cartridges or different sets of keys are specified by VOLSER range.
If no keys other than the EKM defaults are used, no further planning is required.
Planning TS3100, TS3200, TS3310 or TS3400 encryption: choices for library-managed encryption
Before the library-managed method can be enabled:
- Which EKM servers will I use for each library-managed logical library?
- When using any of these tape libraries, all cartridges in the logical tape library will be encrypted.
- If there are multiple logical tape libraries, encryption needs to be enabled on each partition.
- An activation key is required for LTO tape libraries.
System i solution
[Diagram: System i library-managed solution. A TS35xx tape library connects over TCP/IP to a primary EKM server and a secondary EKM server; the EKM server may run on an i5/OS partition, and that partition takes no encrypted save. Library Manager setup: where the EKM is, and the encryption method. EKM setup: key manager configuration file, key store files (current and all digital certificates), device table file.]
2006 IBM Corporation
System i library-managed solution: disaster recovery process
[Diagram: numbered recovery flow over TCP/IP covering the EKM server, the TS35xx library, the System i, tape, BRMS and the BRMS recovery report. Library Manager setup: where the EKM is, and the encryption method. EKM setup: key manager configuration file, key store files (current and all digital certificates), device table file.]
If the EKM is on the same i5/OS that is being recovered and no other EKM is available, you cannot recover any encrypted data.
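The dependency stated above (no surviving EKM means no recoverable encrypted data, and the EKM partition itself must be saved unencrypted because its save holds the key store and certificates) is the kind of thing worth checking before the outage. The following is an added example, not IBM or BRMS code; the host names, the plan layout and the severity labels are constructed for illustration.

```python
# Added example (not IBM code): a pre-flight check for the disaster-recovery
# dependency described in the text. Host names, the plan layout and the
# severity labels are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class EkmServer:
    name: str
    host: str          # partition or server the EKM process runs on


@dataclass(frozen=True)
class SaveItem:
    name: str
    host: str          # partition the save is taken from
    encrypted: bool    # True if written to an encryption-enabled media class


def check_recovery_plan(ekm_servers, saves, recovery_scope):
    """Return a list of (severity, message) findings for one recovery scenario.

    recovery_scope is the set of hosts rebuilt from tape in this scenario. An EKM
    on one of those hosts is unavailable until its own save is restored, and if
    no EKM outside the scope exists, every encrypted cartridge is unreadable.
    """
    findings = []
    ekm_hosts = {e.host for e in ekm_servers}

    # 1. Some EKM must survive the outage, or no encrypted save can be restored.
    surviving = [e for e in ekm_servers if e.host not in recovery_scope]
    if not surviving:
        names = ", ".join(e.name for e in ekm_servers)
        findings.append(("FATAL", "all EKM servers (%s) are inside the recovery "
                                  "scope; encrypted saves cannot be restored" % names))

    # 2. A single EKM is a single point of failure for every encrypted tape.
    if len(ekm_servers) < 2:
        findings.append(("WARN", "only one EKM server is configured; add a "
                                 "secondary EKM on a different host"))

    # 3. The partition hosting an EKM must be saved unencrypted: its save holds
    #    the key store and certificates, so it cannot depend on those keys.
    for s in saves:
        if s.host in ekm_hosts and s.encrypted:
            findings.append(("FATAL", "save '%s' of EKM host %s is encrypted; "
                                      "the EKM partition must be saved unencrypted"
                                      % (s.name, s.host)))
    return findings


# Constructed sample plan: primary EKM on i5/OS partition SYSA, secondary on an
# AIX server; SYSA itself is saved unencrypted, SYSB user data is encrypted.
SAMPLE_EKMS = [EkmServer("primary", "SYSA"), EkmServer("secondary", "AIX1")]
SAMPLE_SAVES = [SaveItem("SYSA system save", "SYSA", False),
                SaveItem("SYSB user data", "SYSB", True)]


def demo():
    """Run the check for a site outage that takes out both i5/OS partitions."""
    return check_recovery_plan(SAMPLE_EKMS, SAMPLE_SAVES, {"SYSA", "SYSB"})


if __name__ == "__main__":
    for sev, msg in demo() or [("OK", "plan is recoverable")]:
        print(sev, msg)
```

Run it once per recovery scenario you plan for (single partition, whole site, EKM host only); the sample plan passes because the secondary EKM on AIX1 is outside the scope, while a plan with a single EKM on a partition that is itself being recovered produces the fatal finding the slide warns about.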
Media movement
[Diagram: encrypted media shipped by courier (FedEx, UPS) between Media Location 1 through Media Location 4. The hosts writing and reading the media may be System i, AIX or any OS, and each location reaches the EKM server over TCP/IP.]
Customer Responsibility
System i and library-managed summary
- You can have multiple logical partitions, some used for encryption and some not.
- Or, if all drives are encryption capable, you can have one logical library and control encryption by VOLSER ranges, i.e. some VOLSERs are encrypted and others can be written non-encrypted.
The customer sets backup policies using BRMS. Data to be encrypted can be directed to a specific VOLSER range of tapes (the range the library encrypts) using BRMS policies.
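Because encryption is decided by the library from the VOLSER range while BRMS decides which volumes a save lands on through the media class, the two configurations can drift apart, and (as the PTF requirement later on this page notes) older BRMS levels do not validate the media type for encryption. The following offline audit is an added example, not IBM or BRMS code: it cross-checks a list of BRMS volumes and media classes against the library's scratch encryption policy (VOLSER ranges with key labels, as described under planning). Class names, VOLSERs and key labels are constructed, and the range match assumes the library compares 6-character VOLSERs as strings.

```python
# Added example (not IBM or BRMS code): an offline audit that cross-checks BRMS
# media classes against the library's scratch encryption policy (VOLSER ranges
# with key labels). Class names, VOLSERs and key labels are constructed; the
# range match assumes the library compares 6-character VOLSERs as strings.
from dataclasses import dataclass


@dataclass(frozen=True)
class VolserRange:
    low: str
    high: str
    key_label: str    # key label entered in the library's scratch encryption policy


def normalize(volser):
    """Upper-case and pad a VOLSER to 6 characters so ranges compare as strings."""
    v = volser.strip().upper()
    if not 1 <= len(v) <= 6 or not v.isalnum():
        raise ValueError("invalid VOLSER %r" % volser)
    return v.ljust(6)


def encrypting_range(volser, ranges):
    """Return the first range that covers volser, or None if the library would
    leave the cartridge unencrypted (assumption: ranges do not overlap)."""
    v = normalize(volser)
    for r in ranges:
        if normalize(r.low) <= v <= normalize(r.high):
            return r
    return None


def audit_media(volumes, media_classes, ranges):
    """volumes: (volser, media_class) pairs as BRMS would assign them.
    media_classes: media class name -> True if the class is meant for encrypted saves.
    Returns (volser, problem) pairs; an empty list means policy and library agree."""
    problems = []
    for volser, cls in volumes:
        wants_encryption = media_classes[cls]
        r = encrypting_range(volser, ranges)
        if wants_encryption and r is None:
            problems.append((volser, "media class %s expects encryption but the "
                                     "VOLSER is outside every encrypting range; "
                                     "the save would be written in the clear" % cls))
        elif not wants_encryption and r is not None:
            problems.append((volser, "media class %s is not meant for encryption "
                                     "but the library would encrypt it with key "
                                     "label %s" % (cls, r.key_label)))
    return problems


# Constructed sample: one encrypting range ENC000-ENC999 and two BRMS media classes.
SAMPLE_RANGES = [VolserRange("ENC000", "ENC999", "PAYROLL_KEY_2006")]
SAMPLE_CLASSES = {"LTOENC": True, "LTOCLR": False}
SAMPLE_VOLUMES = [("ENC001", "LTOENC"),   # correct: encrypted class, encrypting range
                  ("CLR005", "LTOENC"),   # wrong: save would be written in the clear
                  ("ENC500", "LTOCLR"),   # wrong: clear-text class on an encrypting VOLSER
                  ("CLR010", "LTOCLR")]   # correct


def demo():
    """Audit the constructed sample inventory."""
    return audit_media(SAMPLE_VOLUMES, SAMPLE_CLASSES, SAMPLE_RANGES)


if __name__ == "__main__":
    for volser, problem in demo():
        print(volser, problem)
```

The first kind of finding (an encryption-class volume outside every encrypting range) is the one that silently exposes data, so it is the one to treat as a blocker before the next save runs; the second kind mostly costs you a cartridge that cannot be read at a site without EKM access.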
Requirements
System i requirement: Digital Certificate Manager (DCM) is required on i5/OS if the EKM runs on i5/OS.
Requirements for Digital Certificate Manager (DCM) on i5/OS V5R3
Digital Certificate Manager (DCM) is a free feature that allows you to centrally manage digital certificates for your applications. To use DCM successfully, ensure that you do the following:
- Install the Cryptographic Access Provider licensed program (5722AC3). This cryptographic product determines the maximum key length permitted for cryptographic algorithms, based on export and import regulations. You must install this product before you can create certificates.
- Install option 34 of i5/OS, the browser-based DCM feature.
- Install the IBM HTTP Server for iSeries (5722DG1) and start the Administrative server instance.
- Ensure that TCP/IP is configured on your system so that you can use a web browser and the HTTP Server Administrative server instance to access DCM.
Backup, Recovery and Media Services (BRMS) PTF requirements
BRMS is enhanced via the PTFs below to ensure that encrypted media are used for an encryption-enabled media class. Prior to these PTFs, BRMS does not validate the media type for encryption.
- V5R2: SI24932 (tentative date 10/15/2006)
- V5R3: SI24933 (tentative date 10/15/2006)
- V5R4: SI24934 (tentative date 10/15/2006)
Resources
http://www-03.ibm.com/servers/storage/enewscast/data_encryption/
Disclaimers
Copyright 2006 by International Business Machines Corporation. No part of this document may be reproduced or transmitted in any form without written permission from IBM Corporation. The performance data contained herein were obtained in a controlled, isolated environment. Results obtained in other operating environments may vary significantly. While IBM has reviewed each item for accuracy in a specific situation, there is no guarantee that the same or similar results will be obtained elsewhere. These values do not constitute a guarantee of performance. The use of this information or the implementation of any of the techniques discussed herein is a customer responsibility and depends on the customer's ability to evaluate and integrate them into their operating environment. Customers attempting to adapt these techniques to their own environments do so at their own risk. Product data has been reviewed for accuracy as of the date of initial publication. Product data is subject to change without notice. This information could include technical inaccuracies or typographical errors. IBM may make improvements and/or changes in the product(s) and/or program(s) at any time without notice. Any statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business. Any reference to an IBM Program Product in this document is not intended to state or imply that only that program product may be used. Any functionally equivalent program that does not infringe IBM's intellectual property rights may be used instead. It is the user's responsibility to evaluate and verify the operation of any non-IBM product, program or service.
Disclaimers (continued)
THE INFORMATION PROVIDED IN THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IBM EXPRESSLY DISCLAIMS ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. IBM shall have no responsibility to update this information. IBM products are warranted according to the terms and conditions of the agreements (e.g. IBM Customer Agreement, Statement of Limited Warranty, International Program License Agreement, etc.) under which they are provided. IBM is not responsible for the performance or interoperability of any non-IBM products discussed herein. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents or copyrights. Inquiries regarding patent or copyright licenses should be made, in writing, to: IBM Director of Licensing IBM Corporation North Castle Drive Armonk, NY 10504-1785 U.S.A.
Trademarks
The following terms are trademarks or registered trademarks of the IBM Corporation in either the United States, other countries or both.
IBM, TotalStorage, zSeries, pSeries, xSeries, iSeries, S/390, ES/9000, AS/400, RS/6000, z/OS, z/VM, VM/ESA, OS/390, AIX, DFSMS/MVS, OS/2, OS/400, i5, FICON, ESCON, Tivoli, ES/3090, VSE/ESA, TPF, DFSMSdfp, DFSMSdss, DFSMShsm, DFSMSrmm
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. Other company, product, and service names mentioned may be trademarks or registered trademarks of their respective companies.