Front coverIBM System StorageTape EncryptionSolutionsLearn about IBM TS1130 Tape Driveand Tivoli Key Lifecycle ManagerEncr...
International Technical Support OrganizationIBM System Storage Tape Encryption SolutionsMay 2009                          ...
Note: Before using this information and the product it supports, read the information in “Notices” on page xiii.Third Edit...
Contents                    Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ...
3.2.2 IBM TS1120 Tape Controller encryption support . . . . . . . . . . . . . . . . . . . . . . . . .                     ...
4.7.3 Encryption with other backup applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                 ...
6.4 Installing the EKM in i5/OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ...
8.3.3 Pre-key change: All LPARs in the Sysplex . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                  ...
11.5 Data sharing with business partners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .        ...
13.2.1 Tape drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ....
14.5.5 Barcode Encryption Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .          ...
Console communication with batch jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .             ...
Appendix F. TS1100 and LTO4 SECURE key EKM on z/OS . . . . . . . . . . . . . . . . . . . .                                ...
NoticesThis information was developed for products and services offered in the U.S.A.IBM may not offer the products, servi...
TrademarksIBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business MachinesCorpora...
Preface                 This IBM® Redbooks® publication gives a comprehensive overview of the IBM System                 S...
The team: Babette, Arthur, and Jonathan               Thanks to the following people for their contributions to this proje...
Thanks to the authors of the previous editions of this book:           Authors of the first edition, IBM System Storage TS...
xviii   IBM System Storage Tape Encryption Solutions
Summary of changes                 This section describes the technical changes made in this edition of the book and in pr...
xx   IBM System Storage Tape Encryption Solutions
Part 1Part       1     Introducing IBM tape                 encryption solutions                 In this part, we introduc...
2   IBM System Storage Tape Encryption Solutions
1    Chapter 1.   Introduction to tape encryption                 IBM has three tape drives that are capable of encrypting...
The IBM System Storage LTO Ultrium Generation 4 Tape Drive shown in Figure 1-2 has the              capability to encrypt ...
You can greatly simplify your tape data encryption management, because the solution        provides functions that are tra...
1. Load cartridge, specify                                                    encryption                     Encryption   ...
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Ibm system storage tape encryption solutions sg247320
Upcoming SlideShare
Loading in …5
×

Ibm system storage tape encryption solutions sg247320

6,666 views
6,576 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
6,666
On SlideShare
0
From Embeds
0
Number of Embeds
5
Actions
Shares
0
Downloads
7
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Ibm system storage tape encryption solutions sg247320

  1. 1. Front coverIBM System StorageTape EncryptionSolutionsLearn about IBM TS1130 Tape Driveand Tivoli Key Lifecycle ManagerEncrypt data on LTO and TS1100series cartridgesDiscover usabilityenhancements Babette Haeusser Jonathan Barney Arthur Colvigibm.com/redbooks
  2. 2. International Technical Support OrganizationIBM System Storage Tape Encryption SolutionsMay 2009 SG24-7320-02
  3. 3. Note: Before using this information and the product it supports, read the information in “Notices” on page xiii.Third Edition (May 2009)This edition applies to the introduction of the IBM TS1130 Tape Drive and Tivoli Lifecycle Manager (TKLM)© Copyright International Business Machines Corporation 2008, 2009. All rights reserved.Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP ScheduleContract with IBM Corp.
  4. 4. Contents Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv The team that wrote this book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv Become a published author . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii Comments welcome. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii Summary of changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix May 2009, Third Edition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xixPart 1. Introducing IBM tape encryption solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Chapter 1. Introduction to tape encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1 How tape data encryption works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 1.2 What to encrypt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 1.3 Why use tape data encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 1.3.1 Why encrypt data in the drive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 1.3.2 Fundamental to encryption: Policy and key management . . . . . . . . . . . . . . . . . . . 8 1.3.3 Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 1.4 Concepts of tape data encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 1.4.1 Symmetric key encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 1.4.2 Asymmetric key encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 1.4.3 Hybrid encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 1.4.4 Digital certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Chapter 2. IBM tape encryption methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 2.1 IBM Encryption Key Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 2.1.1 Encryption Key Manager components and resources . . . . . . . . . . . . . . . . . . . . . 25 2.1.2 Encryption keys and 3592 and LTO4 differences . . . . . . . . . . . . . . . . . . . . . . . . . 27 2.1.3 Key exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 2.2 Tivoli Key Lifecycle Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 2.2.1 Tivoli Lifecycle Key Manager components and resources . . . . . . . . . . . . . . . . . . 30 2.2.2 Key exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 2.3 Methods of managing IBM tape encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 2.3.1 System-Managed Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 2.3.2 Library-Managed Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 2.3.3 Encrypting and decrypting with SME and LME . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 2.3.4 Application-Managed Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 2.3.5 Mixed mode example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Chapter 3. IBM System Storage tape and tape automation for encryption . . . . . . . . . 45 3.1 IBM System Storage TS1130 and TS1120 Tape Drive . . . . . . . . . . . . . . . . . . . . . . . . 46 3.1.1 Tape data encryption support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 3.1.2 TS1120 characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 3.1.3 TS1130 characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 3.1.4 3592 cartridges and media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 3.2 IBM System Storage TS1120 Tape Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 3.2.1 IBM TS1120 Tape Controller characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54© Copyright IBM Corp. 2008, 2009. All rights reserved. iii
  5. 5. 3.2.2 IBM TS1120 Tape Controller encryption support . . . . . . . . . . . . . . . . . . . . . . . . . 55 3.2.3 Installation with an IBM TS3500 Tape Library . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 3.2.4 Installation with an IBM TS3400 Tape Library . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 3.2.5 Installation with an IBM 3494 Tape Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 3.2.6 IBM TotalStorage 3592 Model J70 Tape Controller . . . . . . . . . . . . . . . . . . . . . . . 59 3.3 IBM Virtualization Engine TS7700 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 3.4 IBM LTO Ultrium tape drives and libraries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 3.4.1 LTO overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 3.4.2 LTO media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 3.4.3 IBM System Storage TS2240 Tape Drive Express Model . . . . . . . . . . . . . . . . . . 66 3.4.4 IBM System Storage TS2340 Tape Drive Express Model . . . . . . . . . . . . . . . . . . 67 3.4.5 IBM System Storage TS1040 Tape Drive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 3.4.6 IBM System Storage TS2900 Tape Autoloader . . . . . . . . . . . . . . . . . . . . . . . . . . 68 3.4.7 IBM System Storage TS3100 Tape Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 3.4.8 IBM System Storage TS3200 Tape Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 3.4.9 IBM System Storage TS3310 Tape Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 3.5 IBM System Storage TS3400 Tape Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 3.6 IBM System Storage TS3500 Tape Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 3.6.1 TS3500 frames . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 3.6.2 TS3500 characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 3.7 IBM TotalStorage 3494 Tape Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 Chapter 4. Planning for software and hardware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 4.1 Encryption planning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 4.2 Planning assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 4.3 Encryption planning quick-reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93 4.4 Choosing encryption methods. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 4.4.1 Encryption method comparison. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 4.4.2 System z encryption methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 4.4.3 Open Systems encryption methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 4.4.4 Decision time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 4.5 Solutions available by operating system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 4.5.1 The z/OS solution components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 4.5.2 z/VM, z/VSE, and z/TPF solution components for TS1120 drives . . . . . . . . . . . 102 4.5.3 IBM System i encryption solution components . . . . . . . . . . . . . . . . . . . . . . . . . . 104 4.5.4 AIX solution components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 4.5.5 Linux on System z. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 4.5.6 Linux on System p, System x, and other Intel or AMD Opteron servers. . . . . . . 109 4.5.7 HP-UX, Sun, and Windows components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 4.5.8 Tivoli Storage Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 4.6 Ordering information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 4.6.1 TS1120 tape drive prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 4.6.2 Tape controller prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 4.6.3 LTO4 tape drive prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 4.6.4 Tape library prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 4.6.5 Other library and rack Open Systems installations . . . . . . . . . . . . . . . . . . . . . . . 120 4.6.6 TS7700 Virtualization Engine prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121 4.6.7 General software prerequisites for encryption . . . . . . . . . . . . . . . . . . . . . . . . . . 121 4.6.8 TS1120 and TS1130 supported platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122 4.6.9 IBM LTO4 tape drive supported platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 4.7 Other planning considerations for tape data encryption . . . . . . . . . . . . . . . . . . . . . . . 124 4.7.1 In-band and out-of-band . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 4.7.2 Performance considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125iv IBM System Storage Tape Encryption Solutions
  6. 6. 4.7.3 Encryption with other backup applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125 4.7.4 ALMS and encryption in the TS3500 library . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 4.7.5 TS1120 and TS1130 rekeying considerations . . . . . . . . . . . . . . . . . . . . . . . . . . 127 4.8 Upgrade and migration considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128 4.8.1 Look out for potential problems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128 4.8.2 TS1120 and TS1130 compatibility considerations . . . . . . . . . . . . . . . . . . . . . . . 129 4.8.3 DFSMSdss host-based encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133 4.8.4 Positioning TS1120 Tape Encryption and Encryption Facility for z/OS . . . . . . . 134Part 2. Implementing and operating the EKM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 Chapter 5. Planning for EKM and its keystores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 5.1 EKM planning quick-reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 5.2 Ordering information and requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140 5.2.1 EKM on z/OS or z/OS.e requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140 5.2.2 EKM on z/VM, z/VSE, and z/TPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 5.2.3 EKM on IBM System i5 requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 5.2.4 EKM on AIX requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142 5.2.5 EKM on Linux requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 5.2.6 EKM on Hewlett-Packard, Sun, and Windows requirements . . . . . . . . . . . . . . . 143 5.3 EKM and keystore considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144 5.3.1 EKM configuration planning checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146 5.3.2 Best security practices for working with keys and certificates. . . . . . . . . . . . . . . 147 5.3.3 Acting on the advice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 5.3.4 Typical EKM implementations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 5.3.5 Multiple EKMs for redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150 5.3.6 Using Virtual IP Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 5.3.7 Key Manager backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153 5.3.8 FIPS 140-2 certification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153 5.4 Other EKM considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 5.4.1 EKM Release 1 to EKM Release 2 migration . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 5.4.2 Data exchange with business partners or different platforms . . . . . . . . . . . . . . . 154 5.4.3 Disaster recovery considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 5.4.4 i5/OS disaster recovery considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 5.4.5 EKM performance considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 Chapter 6. Implementing EKM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157 6.1 Implementing the EKM in z/OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158 6.1.1 z/OS UNIX System Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158 6.1.2 Installing the EKM in z/OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 6.1.3 Security products involved: RACF, Top Secret, and ACF2. . . . . . . . . . . . . . . . . 161 6.1.4 Create a JCE4758RACFKS for EKM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 6.1.5 Setting up the EKM environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 6.1.6 Starting EKM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 6.1.7 Additional definitions of hardware keystores for z/OS. . . . . . . . . . . . . . . . . . . . . 172 6.1.8 Virtual IP Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 6.1.9 EKM TCP/IP configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174 6.2 Installing EKM on AIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 6.2.1 Install the IBM Software Developer Kit (SDK). . . . . . . . . . . . . . . . . . . . . . . . . . . 175 6.3 Installing EKM on a Windows platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 6.3.1 EKM setup tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181 6.3.2 Installing the IBM Software Developer Kit on Windows . . . . . . . . . . . . . . . . . . . 182 6.3.3 Starting EKM on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 6.3.4 Configuring and starting EKM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 Contents v
  7. 7. 6.4 Installing the EKM in i5/OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194 6.4.1 New installation of the Encryption Key Manager. . . . . . . . . . . . . . . . . . . . . . . . . 194 6.4.2 Upgrading the Encryption Key Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197 6.4.3 Configuring EKM for tape data encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 6.5 LTO4 Encryption implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202 6.5.1 LTO4 EKM implementation checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203 6.5.2 Download the latest EKM software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203 6.5.3 Create a JCEKS keystore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207 6.5.4 Off-site or business partner exchange with LTO4 compared to 3592. . . . . . . . . 210 6.5.5 EKM Version 2 installation and customization on Windows . . . . . . . . . . . . . . . . 211 6.5.6 Start EKM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213 6.5.7 Starting EKM as a windows Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213 6.6 LTO4 Library-Managed Encryption implementation . . . . . . . . . . . . . . . . . . . . . . . . . . 215 6.6.1 Barcode Encryption Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215 6.6.2 Specifying a Barcode Encryption Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219 6.6.3 TS3500 Library-Managed Encryption differences from TS3310, TS3200, TS3100, and TS2900 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223 6.7 LTO4 System-Managed Encryption implementation. . . . . . . . . . . . . . . . . . . . . . . . . . 223 6.7.1 LTO4 SME implementation checklist for Windows . . . . . . . . . . . . . . . . . . . . . . . 224 Chapter 7. Planning and managing your keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225 7.1 Keystore and SAF Digital Certificates (keyrings) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226 7.2 JCEKS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226 7.2.1 Examples of managing public-private key pairs . . . . . . . . . . . . . . . . . . . . . . . . . 227 7.2.2 Managing symmetric keys in a JCEKS keystore. . . . . . . . . . . . . . . . . . . . . . . . . 230 7.2.3 Example using IKEYMAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234 7.3 JCE4758KS and JCECCAKS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241 7.3.1 Script notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241 7.3.2 Symmetric keys in a JCECCAKS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243 7.4 JCERACFKS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244 7.5 JCE4758RACFKS and JCECCARACFKS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246 7.5.1 RACDCERT keywords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247 7.5.2 Best practice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249 7.6 PKCS#11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250 7.7 IBMi5OSKeyStore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250 7.7.1 Digital Certificate Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251 7.7.2 How to set up an IBMi5OSKeyStore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251 7.8 ShowPrivateTool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265 7.9 MatchKeys tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267 7.10 Hardware cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270 Chapter 8. EKM operational considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273 8.1 EKM commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274 8.1.1 The EKM sync command and EKM properties file . . . . . . . . . . . . . . . . . . . . . . . 274 8.1.2 EKM command line interface and command set. . . . . . . . . . . . . . . . . . . . . . . . . 275 8.2 Backup procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279 8.2.1 EKM file system backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279 8.2.2 Identifying DFSMShsm to z/OS UNIX System Services . . . . . . . . . . . . . . . . . . . 281 8.2.3 Keystore backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282 8.2.4 RACF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282 8.3 ICSF disaster recovery procedures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284 8.3.1 Key recovery checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284 8.3.2 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284vi IBM System Storage Tape Encryption Solutions
  8. 8. 8.3.3 Pre-key change: All LPARs in the Sysplex . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285 8.3.4 Check the ICSF installation options data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287 8.3.5 Disable all services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288 8.3.6 Entering Master Keys for all LPARs in the Sysplex . . . . . . . . . . . . . . . . . . . . . . 289 8.3.7 Post-key change for all LPARs in the Sysplex . . . . . . . . . . . . . . . . . . . . . . . . . . 294 8.3.8 Exiting disaster recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296 8.4 Business partner tape-sharing example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296 8.4.1 Key-sharing steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296 8.4.2 Exporting a public key and certificate to a business partner . . . . . . . . . . . . . . . . 296 8.4.3 Exporting a symmetric key from a JCEKS keystore . . . . . . . . . . . . . . . . . . . . . . 300 8.4.4 Importing a public key and a certificate from a business partner . . . . . . . . . . . . 301 8.4.5 Tape exchange and verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303 8.4.6 Importing symmetric keys to a JCEKS keystore . . . . . . . . . . . . . . . . . . . . . . . . . 304 8.5 RACF export tool for z/OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305 8.6 Audit log considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306 8.6.1 Audit overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306 8.6.2 Audit log parsing tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307Part 3. Implementing and operating the TKLM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313 Chapter 9. Planning for TKLM and its keystores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315 9.1 TKLM planning quick-reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316 9.2 TKLM and keystore considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318 9.2.1 TKLM configuration planning checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318 9.2.2 Best security practices for working with keys and certificates. . . . . . . . . . . . . . . 319 9.2.3 Acting on the advice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319 9.2.4 Multiple TKLMs for redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320 9.3 Other TKLM considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320 9.3.1 Database selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320 9.3.2 EKM to TKLM migration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320 9.3.3 Data exchange with business partners or different platforms . . . . . . . . . . . . . . . 321 9.3.4 Disaster recovery considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321 Chapter 10. Implementing TKLM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323 10.1 Implementation notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324 10.2 Installing TKLM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324 10.3 Configuring TKLM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335 10.4 Conclusions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345 Chapter 11. TKLM operational considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347 11.1 Scripting with TKLM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348 11.1.1 Simple Linux backup script example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348 11.2 Synchronizing primary TKLM configuration data. . . . . . . . . . . . . . . . . . . . . . . . . . . . 349 11.2.1 Setting up primary and secondary TKLM servers . . . . . . . . . . . . . . . . . . . . . . . 349 11.2.2 Synchronizing the primary and secondary TKLM servers. . . . . . . . . . . . . . . . . 350 11.3 TKLM maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350 11.3.1 Adding and removing drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350 11.3.2 Scheduling key group rollover. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353 11.3.3 Scheduling certificate rollover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356 11.4 TKLM backup and restore procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359 11.4.1 Backup by using the GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360 11.4.2 Restore by using the GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361 11.4.3 Backup by using the command line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363 11.4.4 Restore by using the command line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364 Contents vii
  9. 9. 11.5 Data sharing with business partners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365 11.5.1 Sharing TS1100 certificate data with a business partner . . . . . . . . . . . . . . . . . 365 11.5.2 Sharing LTO key data with a business partner . . . . . . . . . . . . . . . . . . . . . . . . . 368 11.6 Removing TKLM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371 11.6.1 Backing up the keystore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371 11.6.2 Removing TKLM from a Windows system . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371 11.7 Fixing the security warnings in your Web browser . . . . . . . . . . . . . . . . . . . . . . . . . . 375 11.7.1 Fixing the security warning in Internet Explorer browser . . . . . . . . . . . . . . . . . 375 11.7.2 Fixing the security warning in Firefox 2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376Part 4. Implementing tape data encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377 Chapter 12. Implementing TS1100 series Encryption in System z. . . . . . . . . . . . . . . 379 12.1 Implementation overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380 12.2 Implementation prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380 12.2.1 Initial tape library hardware implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . 381 12.2.2 Initial z/OS software definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382 12.3 EKM implementation overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383 12.4 Tape library implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384 12.4.1 Implementation steps for the IBM TS3500 Tape Library. . . . . . . . . . . . . . . . . . 384 12.4.2 Implementation steps for the IBM 3494 Tape Library . . . . . . . . . . . . . . . . . . . . 387 12.4.3 Implementation steps for the IBM TS3400 Tape Library. . . . . . . . . . . . . . . . . . 391 12.5 Tape control unit implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392 12.6 z/OS implementation steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392 12.6.1 z/OS software maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392 12.6.2 Update PARMLIB member IECIOSxx. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393 12.6.3 Define or update Data Class definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394 12.6.4 Considerations for JES3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398 12.6.5 Tape management system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399 12.6.6 DFSMSrmm support for tape data encryption. . . . . . . . . . . . . . . . . . . . . . . . . . 399 12.6.7 DFSMSdfp access method service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402 12.6.8 Data Facility Data Set Services considerations . . . . . . . . . . . . . . . . . . . . . . . . 403 12.6.9 DFSMS Hierarchal Storage Manager considerations . . . . . . . . . . . . . . . . . . . . 404 12.7 z/VM implementation steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405 12.7.1 Tape library and tape control unit implementation . . . . . . . . . . . . . . . . . . . . . . 406 12.7.2 Out-of-band encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406 12.7.3 Define key aliases to z/VM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410 12.7.4 Using ATTACH and DETACH to control encryption . . . . . . . . . . . . . . . . . . . . . 411 12.7.5 Using SET RDEVICE to control encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . 411 12.7.6 QUERY responses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412 12.7.7 z/VM DASD Dump Restore (DDR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413 12.8 Miscellaneous implementation considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413 12.8.1 Data exchange with other data centers or business partners . . . . . . . . . . . . . . 414 12.8.2 Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414 12.9 TS1120 and TS1130 tape cartridge rekeying in z/OS. . . . . . . . . . . . . . . . . . . . . . . . 414 12.9.1 TS1120 Model E05 rekeying support in z/OS . . . . . . . . . . . . . . . . . . . . . . . . . . 415 12.9.2 IEHINITT enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415 12.9.3 Security considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418 12.9.4 Packaging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418 12.9.5 Rekeying exits and messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418 Chapter 13. Implementing TS7700 Tape Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . 419 13.1 TS7700 Encryption overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420 13.2 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421viii IBM System Storage Tape Encryption Solutions
  10. 10. 13.2.1 Tape drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421 13.2.2 TS7700 Virtualization Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421 13.2.3 Library Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421 13.2.4 Encryption Key Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42113.3 Implementation overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422 13.3.1 Initial Tape Library hardware implementation . . . . . . . . . . . . . . . . . . . . . . . . . . 422 13.3.2 Initial TS7700 implementation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422 13.3.3 Initial z/OS software definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423 13.3.4 EKM implementation overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42313.4 Tape library implementation and setup for encryption . . . . . . . . . . . . . . . . . . . . . . . 423 13.4.1 Enabling drives for encryption in the IBM TS3500 Tape Library. . . . . . . . . . . . 424 13.4.2 Enabling drives for encryption in the IBM 3494 Tape Library . . . . . . . . . . . . . . 426 13.4.3 Encryption-enabled drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42813.5 Software implementation steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428 13.5.1 z/OS software maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428 13.5.2 EKM installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429 13.5.3 Basic z/OS DFSMS implementation steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42913.6 TS7700 implementation steps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430 13.6.1 Configuring the TS7700 for encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430 13.6.2 Creating TS7700 Storage Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431 13.6.3 Creating TS7700 Management Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433 13.6.4 Activate the TS7700 Encryption Feature License . . . . . . . . . . . . . . . . . . . . . . . 435 13.6.5 EKM addresses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436 13.6.6 Testing EKM connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437 13.6.7 Configuring Pool Encryption Settings for the TS7700. . . . . . . . . . . . . . . . . . . . 43813.7 Implementation considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440 13.7.1 Management construct definitions and transfer . . . . . . . . . . . . . . . . . . . . . . . . 440 13.7.2 Changing storage pool encryption settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440 13.7.3 Moving data to encrypted storage pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441 13.7.4 EKM operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443 13.7.5 Tracking encryption usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444 13.7.6 Data exchange with other data centers or business partners . . . . . . . . . . . . . . 44413.8 TS7700 Encryption with z/VM, z/VSE, or z/TPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444Chapter 14. Implementing TS1120 and TS1130 Encryption in an Open Systems environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44714.1 Encryption overview in an Open Systems environment . . . . . . . . . . . . . . . . . . . . . . 44814.2 Adding drives to a logical library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449 14.2.1 Advanced Library Management System considerations . . . . . . . . . . . . . . . . . . 44914.3 Managing the encryption and business partner exchange . . . . . . . . . . . . . . . . . . . . 450 14.3.1 Disaster recovery considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451 14.3.2 Keeping track of key usage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45214.4 Encryption implementation checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453 14.4.1 Planning your EKM environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453 14.4.2 EKM setup tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454 14.4.3 Application-Managed Encryption setup tasks . . . . . . . . . . . . . . . . . . . . . . . . . . 454 14.4.4 System-Managed (Atape) Encryption setup tasks . . . . . . . . . . . . . . . . . . . . . . 455 14.4.5 Library-Managed Encryption setup tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45614.5 Implementing Library-Managed Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456 14.5.1 LME implementation tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456 14.5.2 Upgrading firmware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457 14.5.3 Add EKM or TKLM IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463 14.5.4 Enable Library-Managed Encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464 Contents ix
  11. 11. 14.5.5 Barcode Encryption Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466 14.5.6 Testing encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472 14.6 Implementing System-Managed Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473 14.6.1 System-Managed Encryption tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474 14.6.2 Atape device driver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475 14.6.3 Update Atape EKM proxy configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476 14.6.4 System-Managed Encryption Atape device entries . . . . . . . . . . . . . . . . . . . . . 477 14.6.5 Updating the Atape device driver configuration . . . . . . . . . . . . . . . . . . . . . . . . 478 14.6.6 Enabling System-Managed Encryption using the TS3500 Web GUI . . . . . . . . 480 14.6.7 Using SMIT to enable System-Managed Encryption . . . . . . . . . . . . . . . . . . . . 481 14.6.8 Using tapeutil functions to verify EKM paths. . . . . . . . . . . . . . . . . . . . . . . . . . . 488 14.6.9 Managing System-Managed Encryption and business partner exchange . . . . 488 14.7 Application-Managed Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491 14.7.1 IBM Tivoli Storage Manager overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491 14.7.2 ITSM support for 3592 drive encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493 14.7.3 Implementing Application-Managed Encryption . . . . . . . . . . . . . . . . . . . . . . . . 493 14.7.4 ITSM Encryption considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496 14.8 IBM 3494 with TS1120 or TS1130 Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497 14.8.1 Review the 3494 encryption-capable drives . . . . . . . . . . . . . . . . . . . . . . . . . . . 497 14.8.2 Specifying a Barcode Encryption Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500 14.8.3 Entering the EKM IP address and key labels . . . . . . . . . . . . . . . . . . . . . . . . . . 503 14.8.4 ILEP key label mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504 Chapter 15. Tape data encryption with i5/OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505 15.1 Planning for tape data encryption with i5/OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506 15.1.1 Hardware prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506 15.1.2 Software prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507 15.1.3 Disaster recovery considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508 15.1.4 EKM keystore considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509 15.1.5 TS1120 Tape Encryption policy considerations . . . . . . . . . . . . . . . . . . . . . . . . 510 15.1.6 Considerations for sharing tapes with partners. . . . . . . . . . . . . . . . . . . . . . . . . 511 15.1.7 Steps for implementing tape encryption with i5/OS . . . . . . . . . . . . . . . . . . . . . 512 15.2 Setup and usage of tape data encryption with i5/OS . . . . . . . . . . . . . . . . . . . . . . . . 513 15.2.1 Creating an EKM keystore and certificate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513 15.2.2 Configuring the TS3500 library for Library-Managed Encryption . . . . . . . . . . . 526 15.2.3 Importing and exporting encryption keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536 15.2.4 Working with encrypted tape cartridges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547 15.2.5 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552Part 5. Appendixes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553 Appendix A. z/OS planning and implementation checklists . . . . . . . . . . . . . . . . . . . . 555 DFSMS Systems Managed Tape planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556 DFSMS planning and the z/OS encryption planning checklist . . . . . . . . . . . . . . . . . . . 556 Storage administrator stand-alone environment planning. . . . . . . . . . . . . . . . . . . . . . . 557 Storage administrator tape library environment planning . . . . . . . . . . . . . . . . . . . . . . . 558 DFSMS Systems Managed Tape implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559 Object access method planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560 Storage administrator OAM planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561 OAM implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562 DFSMShsm tape environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562 Appendix B. z/OS Java and Open Edition tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563 JZOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564x IBM System Storage Tape Encryption Solutions
  12. 12. Console communication with batch jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564 EKM and JZOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565MVS Open Edition tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 568 Exporting a variable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 568 Setting up an alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 568 Copying the escape character . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569 Advantages of VT100 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569Advanced security hwkeytool and keytool scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571 Complete keytool example for JCEKS using hidden passwords . . . . . . . . . . . . . . . . . 571 Complete hwkeytool example for JCE4758KS using hidden passwords . . . . . . . . . . . 573Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575 Security and providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575 Garbage Collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576 Verifying the installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577 z/OS region size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577 Policy files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577Appendix C. Asymmetric and Symmetric Master Key change procedures. . . . . . . . 579Asymmetric Master Key change ceremony . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580 Encryption and decryption test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580 Pre-key change: Disable PKA services for all images in the Sysplex. . . . . . . . . . . . . . 580 Key change: First LPAR in the Sysplex . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582 Key change: Subsequent LPARs in the Sysplex . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588 Post-key change: All LPARs in the Sysplex . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 592ICSF tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597 Creating a PKDS VSAM data set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597Symmetric Master Key change ceremony . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598 Encryption and decryption test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599 Disable dynamic CKDS updates for all images in the Sysplex . . . . . . . . . . . . . . . . . . . 599 Key change: First LPAR in the Sysplex . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600 Reencipher the CKDS under the new SYM-MK Master Key . . . . . . . . . . . . . . . . . . . . 604 Change the new SYM-MK Master Key and activate the reenciphered CKDS . . . . . . . 606 Key change: Subsequent LPARs in the Sysplex . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607 Post-key change: All LPARs in the Sysplex . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610Appendix D. z/OS tape data encryption diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . 617EKM problem determination when running z/OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618Error scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618Diagnostic scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 621Encryption Key Manager error codes and recovery actions. . . . . . . . . . . . . . . . . . . . . . . . 623 Drive error codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626 Control unit error codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627 IOS628E message indicates connection failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 628Appendix E. IEHINITT exits and messages for rekeying . . . . . . . . . . . . . . . . . . . . . . . 629Dynamic Exits Service Facility support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630 Error conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630 Programming considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630REKEY messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632 New messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632 Modified messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633 Contents xi
  13. 13. Appendix F. TS1100 and LTO4 SECURE key EKM on z/OS . . . . . . . . . . . . . . . . . . . . 635 Implementing the EKM in z/OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636 z/OS UNIX System Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636 Installing the Encryption Key Manager in z/OS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637 Create a JCECCAKS for EKM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 639 Setting up the EKM environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640 Starting EKM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 643 EKM TCP/IP configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648 Enterprise-wide key management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 650 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 650 Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651 IBM Redbooks publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651 Other publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651 Online resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 652 How to get IBM Redbooks publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653 Help from IBM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655xii IBM System Storage Tape Encryption Solutions
  14. 14. NoticesThis information was developed for products and services offered in the U.S.A.IBM may not offer the products, services, or features discussed in this document in other countries. Consultyour local IBM representative for information on the products and services currently available in your area.Any reference to an IBM product, program, or service is not intended to state or imply that only that IBMproduct, program, or service may be used. Any functionally equivalent product, program, or service that doesnot infringe any IBM intellectual property right may be used instead. However, it is the users responsibility toevaluate and verify the operation of any non-IBM product, program, or service.IBM may have patents or pending patent applications covering subject matter described in this document. Thefurnishing of this document does not give you any license to these patents. You can send license inquiries, inwriting, to:IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A.The following paragraph does not apply to the United Kingdom or any other country where suchprovisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATIONPROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS ORIMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer ofexpress or implied warranties in certain transactions, therefore, this statement may not apply to you.This information could include technical inaccuracies or typographical errors. Changes are periodically madeto the information herein; these changes will be incorporated in new editions of the publication. IBM may makeimprovements and/or changes in the product(s) and/or the program(s) described in this publication at any timewithout notice.Any references in this information to non-IBM Web sites are provided for convenience only and do not in anymanner serve as an endorsement of those Web sites. The materials at those Web sites are not part of thematerials for this IBM product and use of those Web sites is at your own risk.IBM may use or distribute any of the information you supply in any way it believes appropriate withoutincurring any obligation to you.Information concerning non-IBM products was obtained from the suppliers of those products, their publishedannouncements or other publicly available sources. IBM has not tested those products and cannot confirm theaccuracy of performance, compatibility or any other claims related to non-IBM products. Questions on thecapabilities of non-IBM products should be addressed to the suppliers of those products.This information contains examples of data and reports used in daily business operations. To illustrate themas completely as possible, the examples include the names of individuals, companies, brands, and products.All of these names are fictitious and any similarity to the names and addresses used by an actual businessenterprise is entirely coincidental.COPYRIGHT LICENSE:This information contains sample application programs in source language, which illustrate programmingtechniques on various operating platforms. You may copy, modify, and distribute these sample programs inany form without payment to IBM, for the purposes of developing, using, marketing or distributing applicationprograms conforming to the application programming interface for the operating platform for which the sampleprograms are written. These examples have not been thoroughly tested under all conditions. IBM, therefore,cannot guarantee or imply reliability, serviceability, or function of these programs.© Copyright IBM Corp. 2008, 2009. All rights reserved. xiii
  15. 15. TrademarksIBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business MachinesCorporation in the United States, other countries, or both. These and other IBM trademarked terms aremarked on their first occurrence in this information with the appropriate symbol (® or ™), indicating USregistered or common law trademarks owned by IBM at the time this information was published. Suchtrademarks may also be registered or common law trademarks in other countries. A current list of IBMtrademarks is available on the Web at http://www.ibm.com/legal/copytrade.shtmlThe following terms are trademarks of the International Business Machines Corporation in the United States,other countries, or both: AIX 5L™ OS/400® System z9® AIX® POWER® System z® alphaWorks® pSeries® Tivoli® AS/400® RACF® TotalStorage® CICS® Rational® VTAM® DB2® Redbooks® WebSphere® developerWorks® Redbooks (logo) ® xSeries® ESCON® RS/6000® z/OS® FICON® S/390® z/VM® i5/OS® System i5® z/VSE™ IBM® System i® z9® iSeries® System p® zSeries® Language Environment® System Storage™ Netfinity® System x®The following terms are trademarks of other companies:AMD, AMD Opteron, the AMD Arrow logo, and combinations thereof, are trademarks of Advanced MicroDevices, Inc.SUSE, the Novell logo, and the N logo are registered trademarks of Novell, Inc. in the United States and othercountries.ACS, Red Hat, and the Shadowman logo are trademarks or registered trademarks of Red Hat, Inc. in the U.S.and other countries.VMware, the VMware "boxes" logo and design are registered trademarks or trademarks of VMware, Inc. in theUnited States and/or other jurisdictions.J2SE, Java, JDK, JNI, JRE, JVM, S24, Solaris, StorageTek, Sun, ZFS, and all Java-based trademarks aretrademarks of Sun Microsystems, Inc. in the United States, other countries, or both.Internet Explorer, Microsoft, Windows Server, Windows, and the Windows logo are trademarks of MicrosoftCorporation in the United States, other countries, or both.Intel Itanium, Intel, Itanium, Intel logo, Intel Inside logo, and Intel Centrino logo are trademarks or registeredtrademarks of Intel Corporation or its subsidiaries in the United States, other countries, or both.UNIX is a registered trademark of The Open Group in the United States and other countries.Linux is a trademark of Linus Torvalds in the United States, other countries, or both.Other company, product, or service names may be trademarks or service marks of others.xiv IBM System Storage Tape Encryption Solutions
  16. 16. Preface This IBM® Redbooks® publication gives a comprehensive overview of the IBM System Storage™ Tape Encryption solutions that started with the TS1120 Tape Drive in 2006 and have been made available in the TS7700 Virtualization Engine in early 2007. Also in 2007, the IBM Ultrium Linear Tape-Open (LTO) Generation 4 Tape Drive was announced including its support for tape data encryption. In 2008, additional enhancements to the tape drives that support encryption and to key management have been made. This edition of the book has been updated with information about the TS1130 Tape Drive and the IBM Tivoli® Key Lifecycle Manager (TKLM). This publication is intended for System Programmers, Storage Administrators, Hardware and Software Planners, and other IT personnel involved in planning, implementing, and operating IBM tape data encryption solutions, and anyone seeking details about tape encryption. This book also provides practical guidance for how to implement an enterprise-wide encryption solution. We describe the general concepts of encryption and the implementation options that are available when using IBM Tape to encrypt tape data. We explain the key management options, including the Encryption Key Manager, which is a Java™ application that allows for enterprise-wide keystores and key management across a wide variety of platforms. We also provide detailed information for planning, implementation, and operation of tape data encryption for IBM z/OS® and Open Systems hosts.The team that wrote this book This book was produced by a team of specialists from around the world working at the International Technical Support Organization (ITSO), Austin Center. Babette Haeusser is an IBM Certified IT Specialist and Tape Server Support Specialist at IBM Deutschland GmbH, Germany. She writes extensively and teaches IBM classes worldwide on all areas of Enterprise and Open Systems Tape and Tape Virtualization. Babette joined IBM in 1973 as an application programmer. In 1987, she became an MVS Systems Engineer and specialized in IBM Storage hardware and software, which she has supported in various job roles since then. Before joining the ITSO in early 2005, Babette worked in the Advanced Technical Sales Support team Europe. She led a team of specialists for Enterprise Storage, while she focused on Enterprise Tape, including tape libraries and Virtual Tape Servers. Jonathan Barney is an Enterprise Security Architect with STG Lab Services, and CISSP. He works extensively on tape encryption customer implementations, and z/OS security solutions including PKI, TKE, and hardware cryptography. Jonathan joined IBM in August 2000 in the IBM System z® System Test Group. He has held various System z development and testing roles until moving to Lab Services. Arthur Colvig is an Advisory Software Engineer with IBM Tivoli in Beaverton, Oregon. He has 7 years of experience as a Firmware Engineer on the IBM System Storage TS3500 Tape Library (TS3500 tape library). He currently works on the IBM SAN Volume Controller SMI-S API. Art joined IBM in 2001 as a Firmware Engineer on the TS3500. His areas of expertise include storage management, tape libraries and drives, network protocols, and robotics. He has patents in the areas of tape library virtualization, management security and distributed system firmware management.© Copyright IBM Corp. 2008, 2009. All rights reserved. xv
  17. 17. The team: Babette, Arthur, and Jonathan Thanks to the following people for their contributions to this project: Alex R. Osuna, IBM International Technical Support Organization, Tucson Arizona Emma Jacobs, Ann Lund, Sangam Racherla, IBM International Technical Support Organization Arthur Bariska, Erika Dawson, Dan Estelle, MaYan Wilt, IBM Tucson Timothy Hahn, IBM Software Architect IBM Rational® Enterprise Tools Brian Goodman, Steven Hart, Sara Hughes, Khan V. Ngo, IBM Systems &Technology Group, Systems Software Development John Peck IBM Software Group, Tivoli Jeff Ziehm IBM LTO/3592, Tape Performance - ATS Americasxvi IBM System Storage Tape Encryption Solutions
  18. 18. Thanks to the authors of the previous editions of this book: Authors of the first edition, IBM System Storage TS1120 Tape Encryption: Planning, Implementation, and Usage Guide, published in December 2006: Anthony Abete, Arthur Bariska, Jonathan M. Barney, Babette Haeusser, Ulrich Nowotny Authors of the second edition, IBM System Storage Tape Encryption Solutions, published in March 2008: Anthony Abete, Babette Haeusser, Burt Loper, Axel MelberBecome a published author Join us for a two- to six-week residency program! Help write a book dealing with specific products or solutions, while getting hands-on experience with leading-edge technologies. You will have the opportunity to team with IBM technical professionals, Business Partners, and Clients. Your efforts will help increase product acceptance and customer satisfaction. As a bonus, you will develop a network of contacts in IBM development labs, and increase your productivity and marketability. Find out more about the residency program, browse the residency index, and apply online at: ibm.com/redbooks/residencies.htmlComments welcome Your comments are important to us! We want our books to be as helpful as possible. Send us your comments about this book or other IBM Redbooks in one of the following ways: Use the online Contact us review Redbooks form found at: ibm.com/redbooks Send your comments in an e-mail to: redbooks@us.ibm.com Mail your comments to: IBM Corporation, International Technical Support Organization Dept. HYTD Mail Station P099 2455 South Road Poughkeepsie, NY 12601-5400 Preface xvii
  19. 19. xviii IBM System Storage Tape Encryption Solutions
  20. 20. Summary of changes This section describes the technical changes made in this edition of the book and in previous editions. This edition also includes minor corrections and editorial changes that are not identified. Summary of Changes for SG24-7320-02 for IBM System Storage Tape Encryption Solutions as created or updated on February 15, 2011.May 2009, Third Edition This revision reflects the addition, deletion, or modification of new and changed information. New information New information includes: IBM TS1130 Tape Drive Tivoli Key Lifecycle Manager Changed information Changed information includes: Updates for TS7700 Encryption Updates for the Open Systems Tape Library Updates for System z Software support© Copyright IBM Corp. 2008, 2009. All rights reserved. xix
  21. 21. xx IBM System Storage Tape Encryption Solutions
  22. 22. Part 1Part 1 Introducing IBM tape encryption solutions In this part, we introduce you to the IBM data encryption solutions and describe the underlying concepts and the components that are required for tape encryption. We also provide you with general planning information.© Copyright IBM Corp. 2008, 2009. All rights reserved. 1
  23. 23. 2 IBM System Storage Tape Encryption Solutions
  24. 24. 1 Chapter 1. Introduction to tape encryption IBM has three tape drives that are capable of encrypting the data that is written on the tape cartridge: IBM System Storage TS1130 Model E06 and Model EU6 Tape Drive IBM System Storage TS1120 Model E05 Tape Drive IBM System Storage Linear Tape-Open (LTO) Ultrium Generation 4 Tape Drive In this document, we use abbreviations and refer to the drives as the TS1130 Tape Drive, TS1120 Tape Drive, and the LTO4 Tape Drive. The IBM System Storage TS1130 Tape Drive Model E06 and Model EU6 have the capability to encrypt data on tape cartridges. This encryption capability is standard on all TS1130 Tape Drives and is available as a chargeable upgrade feature for existing installed TS1120 Model E05 Tape Drives shipped prior to 8 September 2006. The encryption capability includes drive hardware, and microcode additions and changes. The IBM System Storage TS1120 Tape Drive Model E05 shown in Figure 1-1 has the capability to encrypt data on tape cartridges. The TS1120 Tape Drive Model E05 has been enhanced to support data encryption. Starting with shipments beginning 8 September 2006, this encryption capability is standard on all TS1120 Model E05 Tape Drives and is available as a chargeable upgrade feature for existing installed TS1120 Model E05 Tape Drives shipped prior to 8 September 2006. The encryption capability includes drive hardware, and licensed internal code additions and changes. Figure 1-1 IBM System Storage TS1120 Model E05 Tape Drive© Copyright IBM Corp. 2008, 2009. All rights reserved. 3
  25. 25. The IBM System Storage LTO Ultrium Generation 4 Tape Drive shown in Figure 1-2 has the capability to encrypt data on tape cartridges. The LTO4 Tape Drive was originally designed to support data encryption, and therefore, all LTO4 Tape Drives come standard with the data encryption capability. The encryption capability includes drive hardware, and licensed internal code additions and changes. Although the LTO4 drive can read LTO2 and LTO3 cartridges and can write to LTO3 cartridges, LTO Ultrium Generation 4 cartridges are required to support encryption. Figure 1-2 IBM System Storage LTO Ultrium Generation 4 Tape Drive Although other encryption solutions require hardware resources or processor power when using software encryption, tape data encryption is done with little or no impact on the performance of the TS1130 Tape Drive, TS1120 Tape Drive or the LTO4 Tape Drive. You can easily exchange encrypted tapes with your business partners or data centers that have the necessary key information to decrypt the data. With the original encryption announcement for the TS1120 Tape Drive, IBM also introduced an IBM Encryption Key Manager (EKM) component for the Java platform feature and is designed to generate and communicate encryption keys for tape drives across the enterprise. The feature uses standard key repositories on supported platforms. The IBM tape data encryption solution provides an enterprise key management solution with common software for Open Systems and mainframe environments that allows sharing of a common keystore across platforms. Integration with z/OS policy, key management, and security capabilities provides a proven, highly secure infrastructure for encryption key management. With the introduction of the Tivoli Key Lifecycle Manager (TKLM), IBM has made available the next generation of Key Manager software to enable serving keys to the encrypting tape drives. TKLM is intended to give a consistent look and feel for Key Management tasks across the brand, while simplifying those same key management tasks, The Encryption Facility for z/OS software provides a complementary encryption method for sharing tape data with business partners who utilize different tape formats (other than TS1130, TS1120 or LTO4). Encryption Facility for z/OS uses the same secure infrastructure as used with the TS1130, TS1120 or LTO4, thus, providing a comprehensive solution for z/OS clients, encrypting data for internal use, and even encrypting data to share with business partners. Encryption Facility supports decryption of Encryption Facility encrypted data on all platforms across the brand. IBM tape data encryption provides high performance data encryption. Encryption is performed at the tape drive hardware at the native speeds of the drive. It also supports encryption of large amounts of tape data for backup and archive purposes. The IBM tape data encryption solution, utilizing theTS1130 Tape Drive, TS1120 Tape Drive or the LTO4 Tape Drive, offers a cost-effective solution for tape data encryption by offloading encryption tasks from the servers, leveraging existing tape infrastructure incorporated in standard IBM Tape Libraries, and eliminating the need for unique appliance hardware.4 IBM System Storage Tape Encryption Solutions
  26. 26. You can greatly simplify your tape data encryption management, because the solution provides functions that are transparent to your applications when encryption is managed by the operating system (system-managed encryption) or when encryption is managed by the tape library (library-managed encryption). For TS1130 and TS1120 encryption, the cartridge data key is stored in an encrypted form on the tape cartridge. For LTO4 encryption, a pointer to the data key that is used to encrypt the tape is stored on the tape cartridge. Support of a single key management approach can help reduce audit and compliance costs. When taking a closer look at encryption, several of the most important questions that you want answered are: How does tape data encryption work? What should we encrypt, and what should we not encrypt? Why use tape data encryption? What are the benefits for my organization?1.1 How tape data encryption works Encryption, implemented in the tape drive, encrypts the data before it is written to the cartridge. When tape compression is enabled, the tape drive first compresses the data to be written and then encrypts it. This method means no loss of capacity with IBM tape data encryption. If the encryption solution encrypts the data first and then tries to compress the data, the encrypted data usually compresses very little, if at all. To encrypt the data, the tape drive requires a key to use. This key is provided by the Encryption Key Manager in an encrypted form to make the tape data encryption solution secure. Figure 1-3 summarizes the process for tape data encryption using TS1130 and TS1120. 1. Load cartridge, specify encryption Encryption 2. Tape drive requests a data key Key Manager Encrypted “Data Key” 5. Tape drive writes encrypted 3. Key manager 4.Encrypted keys data and stores encrypted data generates key and transmitted to tape drive key on cartridge encrypts it Encrypted “Data Keys” Figure 1-3 TS1120 and TS1130 tape data encryption process flow Figure 1-4 on page 6 summarizes the LTO4 tape data encryption process flow. Chapter 1. Introduction to tape encryption 5
  27. 27. 1. Load cartridge, specify encryption Encryption 2. Tape drive requests a data key Key Manager 5. Tape drive decrypts the data key, writes encrypted data and 3. Key manager keyid on the cartridge 4.Encrypted data key retrieves key and transmitted to tape drive encrypts it for transmission LTO 4 Encryption Encrypted “Data Key” Figure 1-4 LTO4 tape data encryption process For a detailed description of these processes, refer to Chapter 2, “IBM tape encryption methods” on page 23.1.2 What to encrypt Since 2005, over 250 million consumers have been notified of potential security breaches regarding personal information. The source for this information is: http://www.Privacyrights.org The loss of computer backup tapes is one type of event that triggers consumer notification. This has led to increasing data protection requirements as indicated in Figure 1-5. Data Center Secondary Site Business Partners In Transit Figure 1-5 Client data protection requirements6 IBM System Storage Tape Encryption Solutions

×