International Technical Support Organization. IBM System Storage Tape Encryption Solutions. May 2009 SG

Transcription

1 International Technical Support Organization IBM System Storage Tape Encryption Solutions May 2009 SG

2 Contents Notices Trademarks xiii xiv Preface xv The team that wrote this book xv Become a published author xvii Comments welcome xvii Summary of changes May 2009, Third Edition xix xix Parti. Introducing IBM tape encryption solutions 1 Chapter 1. Introduction to tape encryption How tape data encryption works What to encrypt Why use tape data encryption Why encrypt data in the drive Fundamental to encryption: Policy and key management Summary Concepts of tape data encryption Symmetric key encryption Asymmetric key encryption Hybrid encryption Digital certificates 16 Chapter 2. IBM tape encryption methods IBM Encryption Key Manager Encryption Key Manager components and resources Encryption keys and 3592 and LT04 differences Key exchange Tivoli Key Lifecycle Manager Tivoli Lifecycle Key Manager components and resources Key exchange Methods of managing IBM tape encryption System-Managed Encryption Library-Managed Encryption Encrypting and decrypting with SME and LME Application-Managed Encryption Mixed mode example 43 Chapter 3. IBM System Storage tape and tape automation for encryption IBM System Storage TS1130 and TS1120 Tape Drive Tape data encryption support TS1120 characteristics TS1130 characteristics cartridges and media IBM System Storage TS1120 Tape Controller IBM TS1120 Tape Controller characteristics 54

3 3.2.2 IBM TS1120 Tape Controller encryption support Installation with an IBM TS3500 Tape Library Installation with an IBM TS3400 Tape Library Installation with an IBM 3494 Tape Library IBM TotalStorage 3592 Model J70 Tape Controller IBM Virilization Engine TS IBM LTO Ultrium tape drives and libraries LTO overview LTO media IBM System Storage TS2240 Tape Drive Express Model IBM System Storage TS2340 Tape Drive Express Model IBM System Storage TS1040 Tape Drive IBM System Storage TS2900 Tape Autoloader IBM System Storage TS3100 Tape Library IBM System Storage TS3200 Tape Library IBM System Storage TS3310 Tape Library IBM System Storage TS3400 Tape Library IBM System Storage TS3500 Tape Library TS350O frames TS3500 characteristics IBM TotalStorage 3494 Tape Library 88 Chapter 4. Planning for software and hardware Encryption planning Planning assumptions Encryption planning quick-reference Choosing encryption methods Encryption method comparison System z encryption methods Open Systems encryption methods Decision time Solutions available by operating system The z/os solution components za/m,z/vse, and z/tpf solution components for TS1120 drives IBM System i encryption solution components AIX solution components Linux on System z Linux on System p, System x, and other Intel or AMD Opteron servers HP-UX, Sun, and Windows components Tivoli Storage Manager Ordering information TS1120 tape drive prerequisites Tape controller prerequisites LT04 tape drive prerequisites Tape library prerequisites Other library and rack Open Systems installations TS7700 Virilization Engine prerequisites General software prerequisites for encryption TS1120 and TS1130 supported platforms IBM LT04 tape drive supported platforms Other planning considerations for tape data encryption In-band and out-of-band Performance considerations 125

4 4.7.3 Encryption with other backup applications ALMS and encryption in the TS3500 library TS1120 and TS1130 rekeying considerations Upgrade and migration considerations Look out for potential problems TS1120 and TS1130 compatibility considerations DFSMSdss host-based encryption Positioning TS1120 Tape Encryption and Encryption Facility for z/os 134 Part 2. Implementing and operating the EKM 135 Chapter 5. Planning for EKM and its keystores EKM planning quick-reference Ordering information and requirements EKM on z/os or z/os.e requirements EKM on z/vm, z/vse, and z/tpf EKM on IBM System i5 requirements EKM on AIX requirements EKM on Linux requirements EKM on Hewlett-Packard, Sun, and Windows requirements EKM and keystore considerations EKM configuration planning checklist Best security practices for working with keys and certificates Acting on the advice Typical EKM implementations Multiple EKMs for redundancy Using Virtual IP Addressing Key Manager backup FIPS certification Other EKM considerations EKM Release 1 to EKM Release 2 migration Data exchange with business partners or different platforms Disaster recovery considerations i5/os disaster recovery considerations EKM performance considerations 155 Chapter 6. Implementing EKM Implementing the EKM in z/os z/os UNIX System Services Installing the EKM in z/os Security products involved: RACF, Top Secret, and ACF Create a JCE4758RACFKS for EKM Setting up the EKM environment Starting EKM Additional definitions of hardware keystores for z/os Virtual IP Addressing EKM TCP/IP configuration Installing EKM on AIX Install the IBM Software Developer Kit (SDK) Installing EKM on a Windows platform EKM setup tasks Installing the IBM Software Developer Kit on Windows Starting EKM on Windows Configuring and starting EKM 188

5 6.4 Installing the EKM in i5/0s New installation of the Encryption Key Manager Upgrading the Encryption Key Manager Configuring EKM for tape data encryption LT04 Encryption implementation LT04 EKM implementation checklist Download the latest EKM software Create a JCEKS keystore Off-site or business partner exchange with LT04 compared to EKM Version 2 installation and customization on Windows Start EKM Starting EKM as a windows Service LT04 Library-Managed Encryption implementation Barcode Encryption Policy Specifying a Barcode Encryption Policy TS3500 Library-Managed Encryption differences from TS3310, TS3200, TS3100, and TS LT04 System-Managed Encryption implementation LT04 SME implementation checklist for Windows 224 Chapter 7. Planning and managing your keys Keystore and SAF Digital Certificates (keyrings) JCEKS Examples of managing public-private key pairs Managing symmetric keys in a JCEKS keystore Example using IKEYMAN JCE4758KS and JCECCAKS Script notes Symmetric keys in a JCECCAKS JCERACFKS JCE4758RACFKS and JCECCARACFKS RACDCERT keywords Best practice PKCS# IBMi50SKeyStore Digital Certificate Manager How to set up an IBMi50SKeyStore ShowPrivateTool MatchKeys tool Hardware cryptography 270 Chapter 8. EKM operational considerations EKM commands The EKM sync command and EKM properties file EKM command line interface and command set Backup procedures EKM file system backup Identifying DFSMShsm to z/os UNIX System Services Keystore backup FtACF ICSF disaster recovery procedures Key recovery checklist Prerequisites 284

6 8.3.3 Pre-key change: All LPARs in the Sysplex Check the ICSF installation options data Disable all services Entering Master Keys for all LPARs in the Sysplex Post-key change for all LPARs in the Sysplex Exiting disaster recovery Business partner tape-sharing example Key-sharing steps Exporting a public key and certificate to a business partner Exporting a symmetric key from a JCEKS keystore 300 B.4.4 Importing a public key and a certificate from a business partner Tape exchange and verification Importing symmetric keys to a JCEKS keystore RACF export tool for z/os Audit log considerations Audit overview Audit log parsing tool 307 Part 3. Implementing and operating the TKLM 313 Chapter 9. Planning for TKLM and its keystores TKLM planning quick-reference TKLM and keystore considerations TKLM configuration planning checklist Best security practices for working with keys and certificates Acting on the advice Multiple TKLMs for redundancy Other TKLM considerations Database selection EKM to TKLM migration Data exchange with business partners or different platforms Disaster recovery considerations 321 Chapter 10. Implementing TKLM Implementation notes Installing TKLM Configuring TKLM Conclusions 345 Chapter 11. TKLM operational considerations Scripting with TKLM Simple Linux backup script example Synchronizing primary TKLM configuration data Setting up primary and secondary TKLM servers Synchronizing the primary and secondary TKLM servers TKLM maintenance Adding and removing drives Scheduling key group rollover Scheduling certificate rollover TKLM backup and restore procedures Backup by using the GUI Restore by using the GUI Backup by using the command line Restore by using the command line 364

7 11.5 Data sharing with business partners Sharing TS1100 certificate data with a business partner Sharing LTO key data with a business partner Removing TKLM Backing up the keystore Removing TKLM from a Windows system Fixing the security warnings in your Web browser Fixing the security warning in Internet Explorer browser Fixing the security warning in Firefox Part 4. Implementing tape data encryption 377 Chapter 12. Implementing TS1100 series Encryption in System z Implementation overview Implementation prerequisites Initial tape library hardware implementation Initial z/os software definitions EKM implementation overview Tape library implementation Implementation steps for the IBM TS3500 Tape Library Implementation steps for the IBM 3494 Tape Library Implementation steps for the IBM TS3400 Tape Library Tape control unit implementation z/os implementation steps z/os software maintenance Update PARMLIB member leciosxx Define or update Data Class definitions Considerations for JES Tape management system DFS.MSrmm support for tape data encryption DFSMSdfp access method service Data Facility Data Set Services considerations DFSMS Hierarchal Storage Manager considerations z/vm implementation steps Tape library and tape control unit implementation Out-of-band encryption Define key aliases to z/vm Using ATTACH and DETACH to control encryption Using SET RDEVICE to control encryption QUERY responses z/vm DASD Dump Restore (DDR) Miscellaneous implementation considerations Data exchange with other data centers or business partners Availability TS1120 and TS1130 tape cartridge rekeying in z/os TS1120 Model E05 rekeying support in z/os IEHINITT enhancements Security considerations Packaging Rekeying exits and messages 418 Chapter 13. Implementing TS7700 Tape Encryption TS7700 Encryption overview Prerequisites 421

8 Tape drives TS7700 Virtualization Engine Library Manager Encryption Key Manager Implementation overview Initial Tape Library hardware implementation Initial TS7700 implementation Initial z/os software definitions EKM implementation overview Tape library implementation and setup for encryption Enabling drives for encryption in the IBM TS3500 Tape Library Enabling drives for encryption in the IBM 3494 Tape Library Encryption-enabled drives Software implementation steps z/os software maintenance EKM installation Basic z/os DFSMS implementation steps TS7700 implementation steps Configuring the TS7700 for encryption Creating TS7700 Storage Groups Creating TS7700 Management Classes Activate the TS7700 Encryption Feature License EKM addresses Testing EKM connectivity Configuring Pool Encryption Settings for the TS Implementation considerations Management construct definitions and transfer Changing storage pool encryption settings Moving data to encrypted storage pools EKM operation Tracking encryption usage Data exchange with other data centers or business partners TS7700 Encryption with z/vm, z/vse, or z/tpf 444 Chapter 14. Implementing TS1120 and TS1130 Encryption in an Open Systems environment Encryption overview in an Open Systems environment Adding drives to a logical library Advanced Library Management System considerations Managing the encryption and business partner exchange Disaster recovery considerations Keeping track of key usage Encryption implementation checklist Planning your EKM environment EKM setup tasks Application-Managed Encryption setup tasks System-Managed (Atape) Encryption setup tasks Library-Managed Encryption setup tasks Implementing Library-Managed Encryption LME implementation tasks Upgrading firmware Add EKM ortklm IP addresses Enable Library-Managed Encryption 464

9 Barcode Encryption Policy Testing encryption Implementing System-Managed Encryption System-Managed Encryption tasks Atape device driver Update Atape EKM proxy configuration System-Managed Encryption Atape device entries Updating the Atape device driver configuration Enabling System-Managed Encryption using the TS3500 Web GUI Using SMIT to enable System-Managed Encryption Using tapeutil functions to verify EKM paths Managing System-Managed Encryption and business partner exchange Application-Managed Encryption IBM Tivoli Storage Manager overview ITSM support for 3592 drive encryption Implementing Application-Managed Encryption ITSM Encryption considerations IBM 3494 with TS1120 or TS1130 Encryption Review the 3494 encryption-capable drives Specifying a Barcode Encryption Policy Entering the EKM IP address and key labels ILEP key label mapping 504 Chapter 15. Tape data encryption with i5/os Planning for tape data encryption with I5/OS Hardware prerequisites Software prerequisites Disaster recovery considerations EKM keystore considerations TS1120 Tape Encryption policy considerations Considerations for sharing tapes with partners Steps for implementing tape encryption with i5/os Setup and usage of tape data encryption with I5/OS Creating an EKM keystore and certificate Configuring the TS3500 library for Library-Managed Encryption Importing and exporting encryption keys Working with encrypted tape cartridges Troubleshooting 552 Part 5. Appendixes 553 Appendix A. z/os planning and implementation checklists 555 DFSMS Systems Managed Tape planning 556 DFSMS planning and the z/os encryption planning checklist 556 Storage administrator stand-alone environment planning 557 Storage administrator tape library environment planning 558 DFSMS Systems Managed Tape implementation 559 Object access method planning 560 Storage administrator OAM planning 561 OAM implementation 562 DFSMShsm tape environment 562 Appendix B. z/os Java and Open Edition tips 563 JZOS 564

10 Console communication with batch jobs 564 EKM and JZOS 565 MVS Open Edition tips 568 Exporting a variable 568 Setting up an alias 568 Copying the escape character 569 Advantages of VT Advanced security hwkeytool and keytool scripts 571 Complete keytool example for JCEKS using hidden passwords 571 Complete hwkeytool example for JCE4758KS using hidden passwords 573 Java 575 Security and providers 575 Garbage Collector 576 Verifying the installation 577 z/os region size 577 Policy files 577 Appendix C. Asymmetric and Symmetric Master Key change procedures 579 Asymmetric Master Key change ceremony 580 Prerequisites 580 Encryption and decryption test 580 Pre-key change: Disable PKA services for all images in the Sysplex 580 Key change: First LPAR in the Sysplex 582 Key change: Subsequent LPARs in the Sysplex 588 Post-key change: All LPARs in the Sysplex 592 ICSF tips 597 Creating a PKDS VSAM data set 597 Symmetric Master Key change ceremony 598 Prerequisites 598 Encryption and decryption test 599 Disable dynamic CKDS updates for all images in the Sysplex 599 Key change: First LPAR in the Sysplex 600 Reencipher the CKDS under the new SYM-MK Master Key 604 Change the new SYM-MK Master Key and activate the reenciphered CKDS 606 Key change: Subsequent LPARs in the Sysplex 607 Post-key change: All LPARs in the Sysplex 610 Appendix D. z/os tape data encryption diagnostics 617 EKM problem determination when running z/os 618 Error scenarios 618 Diagnostic scenarios 621 Encryption Key Manager error codes and recovery actions 623 Drive error codes 626 Control unit error codes 627 IOS628E message indicates connection failure 628 Appendix E. IEHINITT exits and messages for rekeying 629 Dynamic Exits Service Facility support 630 Error conditions 630 Programming considerations 631 REKEY messages 632 New messages 632 Modified messages 633

11 Appendix F. TS1100 and LT04 SECURE key EKM on z/os 635 Implementing the EKM in z/os 636 Prerequisites 636 z/os UNIX System Services 636 Installing the Encryption Key Manager in z/os 637 Create a JCECCAKS for EKM 639 Setting up the EKM environment 640 Starting EKM 643 EKM TCP/IP configuration 648 Enterprise-wide key management 650 Conclusions 650 Related publications 651 IBM Redbooks publications 651 Other publications 651 Online resources 652 How to get IBM Redbooks publications 653 Help from IBM 653 Index 655