Tape Encryption and BRMS On System I

IBM : System i
IBM Tape Encryption Solution with BRMS on system i

Revised by Mervyn Venter mventer@us.ibm.com Original doc created by Sanjay A Patel
2006 IBM Corporation
IBM : System i
Acknowledgements

Bob Gintowt Jeff Uehling Dave Bhaskaran Scott Maxson Barb Smith Duane Wenzel Joe Kochan John Halda Sanjay Patel Mervyn Venter
IBM : System i
High performance data encryption

Data encryption capabilities are now standard on newly ordered IBM System Storage TS1120 Model E05 Tape Drives and LTO4 Tape Drives Encrypting data at tape speed helps to avoid the need for host-based encryption of data and the concurrent drain on host performance or the use of specialized encryption appliances. This capability supports high volume data encryption of tape data, helping protect information if tape cartridges are lost or stolen. Encryption Key Manager that is designed to support the generation and communication of encryption keys for the TS1120 and LTO4 tape drives across the enterprise.
IBM : System i
Overview
Planning System i solution
Encryption Key Manager Library manager encryption setup Backup Recovery and Media Recovery Services (BRMS )
Requirements
IBM : System i
Planning
IBM : System i
Critical component
Encryption capable Tape Library Library Manager Key Management via Encryption Key Manager (EKM) Digital certificate Manager (DCM) on i5/OS if EKM is on i5/OS Backup Recovery and Media Recovery Services (BRMS) Media Management Media Movement Backup planning for encrypted save and EKM save Disaster Recovery Planning
IBM : System i
Planning TS3500 Encryption - Choices for LibraryManaged Encryption

Before the Library-Managed Method can be Enabled... Which EKM servers will I use for each Library-Managed logical library? Do I want to encrypt some but not all cartridges in my library? If yes, can I identify those cartridges by VolSer range?
If ranges can be specified, then Cartridge Assignment Policy will be required in order to assign cartridges to the same Library-managed logical library If ranges cannot be specified, then the cartridges will need to be separated into different logical libraries with Library-managed encryption enabled for only one of the two logical libraries
If encrypting all cartridges, then the cartridges can optionally be assigned to one Library-managed logical library Do I want to specify keys to be used with the cartridges in my library that are different from the defaults keys that have been configured at the EKM? If yes, then those key labels must be established ahead of time in order to be entered using the Scratch Encryption Policy
The key labels must be specified regardless of whether the same keys are to be applied to all encrypted cartridges or differing sets of keys are to be specified by VolSer range.
If not specifying keys different from the EKM defaults, then no further planning is required.
IBM : System i
Planning TS3100, TS3200, TS3310 or TS3400 Encryption - Choices for Library-Managed Encryption Before the Library-Managed Method can be Enabled...
Which EKM servers will I use for each Library-Managed logical library? When using any of these tape libraries, all cartridges in the logical tape library will be encrypted. If there are multiple logical tape libraries, encryption needs to be enable on each partition Activation key is required for LTO tape libraries
IBM : System i
TS35xx Encryption General Rules

All encryption related settings will be performed using the library web interface Encryption will be set per logical library for a subset of drives to be encryption enabled support for a Partitioned TS35xx tape library Different methods can be used on separate logical libraries. Key managers can be shared by any or all SystemManaged and Library-Managed solutions Plan for 24x7, 100% availability of EKM.
9 2006 IBM Corporation
IBM : System i
System i solution
IBM : System i
System i Library managed Encryption solution

Any os System i System i
BRMS Setup on i5/OS Device Media class Media policy
TS35xx
TCP/IP
1
Primary EKM server
EKM Server i5/OS Windows
Tape Library
4
TCP/IP
2
Secondary EKM server
Linux Unix AIX
7
No Encrypt ed Save for this partition
5
Library Manager Setup Where is EKM Encryption method
EKM Setup
Key manager configuration file Key store files , current and all digital certificates Device table file
i5/OS
EKM server
11
IBM : System i
System i Library managed solution: Disaster recovery Process 6 TCP/IP 1 Recover TS35xx EKM Server System i Tape 3 BRMS 5 Library
Recovery Report
EKM Server i5/OS Windows Linux Unix AIX
4
Library Manager Setup Where is EKM Encryption method EKM Setup
Key manager configuration file Key store files , current and all digital certificates Device table file
If EKM is on same i5/OS which is being recovered, and no Other EKM is available, You can not recover any Encrypted data.
12
IBM : System i
Media Movement
Any os System i System i
Encrypted Media
FedUPS Ex
TS35xx Tape Library
TCP/IP
EKM Server
Primary EKM server

TCP/IP
i5/OS Windows Linux Unix
Secondary EKM server
AIX
None Encrypted Media
FedEx
FedEx
Media Location 1
13
Media Location 2
Media Location 3
Media Location 4
IBM : System i
Encryption Key Manager : Critical component

In order to save all critical components of key manager keep all key manager configuration and data files in one directory. Encryption key manager must be saved without encryption. Key manager configuration file Key store files , current and all digital certificates Device table file Key manager audit file Encryption Activation Key for TS3100, TS3200 TS3310 and TS3500 (with only LTO4 drives)
14
IBM : System i
Encryption Setup TS3500 (LME)
15
IBM : System i
16
IBM : System i
Customer Responsibility
17
IBM : System i
18
IBM : System i
19
IBM : System i
Encryption Setup TS3100/TS3310

First require the activation key
20
IBM : System i
Encryption Setup TS3100/TS3200
21
IBM : System i
Encryption Setup TS3310
22
IBM : System i
23
IBM : System i
24
IBM : System i
System i and Library Managed Summary Can either have multiple logical partitions, some used for encryption, some not Or if all drives are encryption capable, can have one logical library and control encryption by VOLSER ranges
i.e. can have some VOLSERs for encryption, some can be written non-encrypted
25
IBM : System i
System i and Software BRMS

BRMS is strongly recommended whenever a System i connects to a tape library BRMS (5722-BR1) can be acquired 2 ways:
i5/OS Standard Edition - purchase the 5722-BR1 LP i5 OS Enterprise Edition - included in package but need to load/implement it explicitly
Customer sets backup policies using BRMS Data to be encrypted can be sent to a specific VOLSER range of tapes using BRMS policies
26
IBM : System i
BRMS Setup: Add Device to BRMS

Use Work with Devices using BRM (WRKDEVBRM) command, Option 1 to Add Device TAPMLB19.
27
IBM : System i
BRMS Setup: Media Class

Use Work with Media Classes (WRKCLSBRM) command, Option 1 to add Media Class FMT3592A2E which uses density FMT3592A2E.
28
IBM : System i
BRMS Setup: Media Policy

Use Work with Media Policies (WRKPCYBRM TYPE(*MED)) command option 1 to create Media Policy ENCRYPTED which uses media class FMT3592A2E.
29
IBM : System i
BRMS Setup: Encrypted backup

Encrypted backup control group using media policy ENCRYPTED
30
IBM : System i
Summary: How to setup BRMS for encrypted save

Initialize new device by using Initialize BRMS (INZBRM) command or Use WRKDEVBRM option 1 to add new device. For encrypted media i5 OS will report media density as FMT3592A2E. To distinguish between densities or even volumes, a media class will need to be created. Media enrolled in encryption pool will have a density of FMT3592A2E. Create a media class called FMT3592A2E by using the new media density FMT3592A2E. Use media class FMT3592A2E to enroll encryption capable media into BRMS inventory. Use media class FMT3592A2E for all media policies which require encrypted saves and archive operations. User is responsible for enrolling encrypted and none-encrypted media into the correct media class. All backup and archive operations performed on i5 OS V5R2 and above which use media class FMT3592A2E will be encrypted. LTO4 Media uses the same density for encrypted and non-encrypted saves.
Create different media classes for encrypted media if required LTO3 media will not be encrypted on a LTO4 drive.
31
IBM : System i
Requirements
IBM : System i
Tape encryption solution and system i

System i supports Library managed encryption with the TS3500, TS3400, TS3310, TS3200 Tape Library only Supported Operating system levels i5/OS V5.2, or later Any System i, i5, or iSeries with fiber adapter support TS3500 with TS1120 encryption capable drives Ethernet ALMS not required, but recommended TS35xx needs access to a Java Virtual Machine with the Encryption Key Manager (EKM) component available to the TS35xx tape library Ethernet connection Encryption Key Manager (EKM) can be on different System i (or LPAR), or on a different server in the enterprise Digital certificate Manager (DCM) on i5/OS Backup Recovery and Media Recovery Services (BRMS) for i5/OS, 5722-BR1
33
IBM : System i
System i and Digital certificate Manager (DCM) requirement on i5/OS is EKM is on i5/OS
Requirements for Digital certificate Manager (DCM) on i5 OS V5R3
Digital Certificate Manager (DCM) is a free feature that allows you to centrally manage digital certificates for your applications. To use DCM successfully, ensure that you do the following: Install the cryptographic access provider licensed program (5722AC3). This cryptographic product determines the maximum key length that is permitted for cryptographic algorithms based on export and import regulations. You must install this product before you can create certificates. Install option 34 of i5/OS. This is the browser-based DCM feature. Install the IBM HTTP Server for iSeries (5722DG1) and start the Administrative server instance. Ensure that TCP is configured for your system so that you can use a Web browser and the HTTP Server Administrative server instance to access DCM.
Requirements for Digital certificate Manager (DCM) on i5 OS V5R4

DCM is a free iSeries feature that allows you to centrally manage digital certificates for your applications. To use DCM successfully, ensure that you do the following: Install option 34 of i5/OS. This is the browser-based DCM feature. Install the IBM HTTP Server for i5/OS (5722DG1) and start the Administrative server instance. Ensure that TCP is configured for your system so that you can use a Web browser and the HTTP Server Administrative server instance to access DCM. Note: You will not be able to create certificates unless you install all the required products. If a required product is not installed, DCM displays an error message instructing you to install the missing component.
34
IBM : System i
Encryption Key Manager requirements

The System i support will require the EKM server to be run on a different partition or system other than where the encrypted save is being performed. Failure to do so could result in data loss. Prior to recovering encrypted data, EKM must be running or recovered on another system. Maintaining primary and secondary EKM servers is desired for maximum availability of encrypted backup and recovery. EKM and its associated data must be saved regularly without encryption. Encrypted save or archive operations must not be performed on the partition or system where the EKM server is running. If data on the system where EKM is running is encrypted, EKM cannot be recovered without availability of a secondary EKM server.
35
IBM : System i
Backup Recovery and Media Services (BRMS) PTF requirements BRMS is enhanced via specified PTF to ensure encrypted media are used for encryption enabled media class . Prior to specified PTF BRMS does not validate media type for encryption.
V5R2: SI24932 Tentative date 10/15/2006 V5R3: SI24933 Tentative date 10/15/2006 V5R4: SI24934 Tentative date 10/15/2006
36
IBM : System i
Resources
http://www-03.ibm.com/servers/storage/enewscast/data_encryption/
EKM Home Page http://www.ibm.com/support/docview.wss?&uid=ssg1S4000504
37
IBM : System i
Disclaimers
Copyright 2006 by International Business Machines Corporation. No part of this document may be reproduced or transmitted in any form without written permission from IBM Corporation. The performance data contained herein were obtained in a controlled, isolated environment. Results obtained in other operating environments may vary significantly. While IBM has reviewed each item for accuracy in a specific situation, there is no guarantee that the same or similar results will be obtained elsewhere. These values do not constitute a guarantee of performance. The use of this information or the implementation of any of the techniques discussed herein is a customer responsibility and depends on the customer's ability to evaluate and integrate them into their operating environment. Customers attempting to adapt these techniques to their own environments do so at their own risk. Product data has been reviewed for accuracy as of the date of initial publication. Product data is subject to change without notice. This information could include technical inaccuracies or typographical errors. IBM may make improvements and/or changes in the product(s) and/or programs(s) at any time without notice. Any statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business. Any reference to an IBM Program Product in this document is not intended to state or imply that only that program product may be used. Any functionally equivalent program, that does not infringe IBM's intellectually property rights, may be used instead. It is the user's responsibility to evaluate and verify the operation of any on-IBM product, program or service.
38
IBM : System i
Disclaimers (continued)
THE INFORMATION PROVIDED IN THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IBM EXPRESSLY DISCLAIMS ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. IBM shall have no responsibility to update this information. IBM products are warranted according to the terms and conditions of the agreements (e.g. IBM Customer Agreement, Statement of Limited Warranty, International Program License Agreement, etc.) under which they are provided. IBM is not responsible for the performance or interoperability of any non-IBM products discussed herein. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents or copyrights. Inquiries regarding patent or copyright licenses should be made, in writing, to: IBM Director of Licensing IBM Corporation North Castle Drive Armonk, NY 10504-1785 U.S.A.
39
IBM : System i
Trademarks
The following terms are trademarks or registered trademarks of the IBM Corporation in either the United States, other countries or both.
IBM, TotalStorage, zSeries, pSeries, xSeries, iSeries, S/390, ES/9000, AS/400, RS/6000 z/OS, z/VM, VM/ESA, OS/390, AIX, DFSMS/MVS, OS/2, OS/400, i5, FICON, ESCON, Tivoli ES/3090, VSE/ESA, TPF, DFSMSdfp, DFSMSdss, DFSMShsm, DFSMSrmm
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. Other company, product, and service names mentioned may be trademarks or registered trademarks of their respective companies.
40

Tape Encryption and BRMS On System I

Uploaded by

Copyright:

Available Formats

You might also like

Tape Encryption and BRMS On System I

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Tape Encryption and BRMS On System I

Uploaded by

Copyright:

Available Formats

IBM : System i

IBM Tape Encryption Solution with BRMS on system i

2006 IBM Corporation

2006 IBM Corporation

High performance data encryption

2006 IBM Corporation

2006 IBM Corporation

2006 IBM Corporation

2006 IBM Corporation

Planning TS3500 Encryption - Choices for LibraryManaged Encryption

2006 IBM Corporation

2006 IBM Corporation

TS35xx Encryption General Rules

2006 IBM Corporation

System i Library managed Encryption solution

EKM Server i5/OS Windows

Linux Unix AIX

EKM Server i5/OS Windows Linux Unix AIX

TS35xx Tape Library

Primary EKM server

i5/OS Windows Linux Unix

Secondary EKM server

None Encrypted Media

Encryption Key Manager : Critical component

2006 IBM Corporation

Encryption Setup TS3500 (LME)

2006 IBM Corporation

Encryption Setup TS3500 (LME)

2006 IBM Corporation

Encryption Setup TS3500 (LME)

2006 IBM Corporation

Encryption Setup TS3500 (LME)

2006 IBM Corporation

Encryption Setup TS3500 (LME)

2006 IBM Corporation

Encryption Setup TS3100/TS3310

2006 IBM Corporation

Encryption Setup TS3100/TS3200

2006 IBM Corporation

Encryption Setup TS3310

2006 IBM Corporation

Encryption Setup TS3310

2006 IBM Corporation

Encryption Setup TS3400

2006 IBM Corporation

2006 IBM Corporation

System i and Software BRMS

2006 IBM Corporation

BRMS Setup: Add Device to BRMS

2006 IBM Corporation

BRMS Setup: Media Class

2006 IBM Corporation

BRMS Setup: Media Policy

2006 IBM Corporation

BRMS Setup: Encrypted backup

2006 IBM Corporation

Summary: How to setup BRMS for encrypted save

EKM Home Page http://www.ibm.com/support/docview.wss?&uid=ssg1S4000504