This document provides an overview of IBM DS8700 disk encryption and key management. It discusses how the DS8700 uses symmetric encryption and the Tivoli Key Lifecycle Manager for key management. It provides guidance on planning, implementing, and maintaining a DS8700 encryption environment including best practices for security, availability, and preventing encryption deadlocks. It also describes the configuration of encryption settings through the Tivoli Key Lifecycle Manager console and DS8700 GUI and CLI.
This document provides an overview and guide for planning and using the IBM TS7500 Virtualization Engine. The TS7500 consolidates backup storage and improves efficiency through data deduplication and compression. It introduces virtual tape support through its software architecture. The guide covers TS7500 components, disk architecture using RAID, and backup architectures like disk-to-disk-to-tape. It aims to help users understand and make the best use of the TS7500's virtualization capabilities.
This document provides an overview of tape encryption solutions from IBM, including IBM Tivoli Key Lifecycle Manager Version 2. It discusses IBM tape drives and libraries that support encryption, and the different methods of managing encryption at the system, library, and application levels. The document also covers planning for hardware and software requirements to implement a tape encryption solution.
This document provides an overview of IBM storage data encryption methods. It discusses encryption concepts and terminology. It then describes IBM tape drive, DS5000 series, and DS8000 series encryption support. It explains the Tivoli Key Lifecycle Manager and Encryption Key Manager components that are used to manage encryption keys. Finally, it compares the different encryption methods used for IBM tape drives, DS8000 disks, and with Tivoli Key Lifecycle Manager and Encryption Key Manager.
This document provides an overview and instructions for implementing the IBM System Storage SAN32B-E4 Encryption Switch. It discusses the hardware components of the encryption switch and SAN Director Encryption Blades. It also covers the interaction between the encryption switches and Tivoli Key Lifecycle Manager for centralized key management. The document includes steps for installing, configuring, and setting up the encryption switches as well as deployment scenarios.
This document provides an overview of IBM Tivoli Key Lifecycle Manager for z/OS, including how it works, how to plan an implementation, and how to install and configure the solution components. It discusses encryption of data on tape and disk using different methods, considerations for capacity planning, high availability and disaster recovery. The document also includes checklists for planning and installing Tivoli Key Lifecycle Manager.
This document is a study guide for the IBM Tivoli Configuration Manager 4.2 certification. It explains the certification path and prerequisites, provides an overview of the Tivoli Management Framework and Tivoli Configuration Manager components and installation, and includes sample test questions and answers to help readers prepare for the certification exam.
This document provides a practical guide to installing and configuring Tivoli SANergy. It begins with an introduction to SANergy and its benefits for sharing data on a SAN. It then provides step-by-step instructions for setting up SANergy with both Windows and UNIX management domains controllers (MDCs). Additional chapters cover advanced topics like performance tuning, high availability configurations, and integrating SANergy with other Tivoli applications like Tivoli Storage Manager. The document is intended to help readers successfully implement and use SANergy in their own environments.
This document provides an overview and introduction to IBM tape encryption solutions. It discusses how tape data encryption works, why it is used, and the key concepts behind encryption technologies. It also describes IBM's tape encryption methods using the IBM Encryption Key Manager and Tivoli Key Lifecycle Manager. Finally, it outlines the IBM tape drives, tape libraries, and controllers that support encryption functions.
This document provides an overview of building a highly available clustered environment for IBM Tivoli Storage Manager. It discusses cluster concepts and high availability. It then describes testing a clustered Tivoli Storage Manager environment, including testing the cluster infrastructure and applications. The document focuses on configuring Microsoft Windows clusters with Tivoli Storage Manager for both Windows 2000 and Windows 2003 environments. It covers installing and configuring the Tivoli Storage Manager server and client within a Microsoft Cluster Server. It also includes testing the setup and configurations.
This document provides a deployment guide for Tivoli Continuous Data Protection for Files. It discusses the product architecture including main components, capabilities, directories and files, and integration with IBM Tivoli Storage Manager. It covers planning considerations for deployment such as critical files, backup needs, backup locations, and file backup frequencies. The guide also describes installing, configuring, and using Tivoli Continuous Data Protection for Files as well as troubleshooting, use case scenarios, and how it can work with IBM Tivoli Storage Manager.
This document provides instructions for installing and configuring IBM's Tivoli Intelligent ThinkDynamic Orchestrator software. It guides the reader through planning a demonstration of the software, installing necessary components on Windows systems, designing a sample data center model using XML, and loading and testing the model. The final chapter describes demonstrating the software's capabilities to monitor and manage resources and applications in the simulated data center.
This document provides an overview of tape backup solutions for Netfinity servers. It discusses various tape technologies like DLT, 8mm, and 4mm tapes. It also covers different system topologies for backups like direct tape connections, single server models, two-tier models, and multi-tier models. The document recommends strategies for backups, including scheduling, compression, and hierarchical storage. It provides details on specific IBM tape drives like 40/80GB DLT, 35/70GB DLT, and 20/40GB 8mm drives. The intended audience is IT professionals implementing backup solutions for Netfinity servers.
This document provides guidance on planning and deploying IBM Tivoli Composite Application Manager for Web Resources V6.2 (ITCAM) to monitor Web application server performance. It discusses the ITCAM architecture and how it interconnects with J2EE and WebSphere data collectors. It also covers hardware and software prerequisites, typical deployment environments, and provides a sample project plan for setting up ITCAM with tasks such as environment preparation, software installation, and customizing the product.
This document provides an overview and comparison of IBM tape library solutions for backing up IBM xSeries servers. It discusses factors to consider when selecting a tape library such as capacity, number of drives, and scalability. It also provides configuration details for backing up to tape libraries using Tivoli Storage Manager, VERITAS Backup Exec, and CA ARCserve. Recovery procedures using the backup software and Tivoli Disaster Recovery Manager are also covered.
This document provides notes from a Linux system administration course. It covers topics like installing Red Hat Linux, configuring XFree86 for graphics, managing software packages, understanding the boot sequence, basic network concepts, kernel functions, configuring services, managing users and groups, working with filesystems, and basic security measures. The document contains detailed sections on partitioning and formatting disks, mounting filesystems, and using common Linux administration tools.
This document provides an overview and how-to guide for setting up IBM Tivoli License Manager (ITLM), a software license management tool. It discusses the key components of ITLM including the Administration Server, Runtime Server, Agents, and Catalog Manager. It also provides guidance on planning the ITLM implementation including physical design considerations, logical design of the customer environment, disaster recovery procedures, and planning for each ITLM component. Finally, it walks through setting up the ITLM Administration Server with steps for installing required software like IBM DB2 and WebSphere and configuring the DB2 schema. The document aims to help IT professionals successfully set up their ITLM license management environment.
This document provides a draft summary of an IBM reference architecture for virtualized environments using IBM System Storage N series storage platforms. It includes chapters on architecture, Clustered Data ONTAP 8.2 features, VMware vSphere integration, and Microsoft Hyper-V integration. The document discusses storage configuration, provisioning, cloning, snapshots, and other topics to understand how to design scalable cloud solutions using N series storage and Clustered Data ONTAP.
This document is a guide to the differences between AIX 5L Version 5.3 and previous versions. It covers new features in virtualization, including the POWER Hypervisor, micro-partitioning, virtual Ethernet and SCSI devices. It also discusses enhancements to application development in AIX 5L Version 5.3, such as improved POSIX real-time functions, block device mapping, and scalability improvements. The document is intended as a reference for experts migrating to the new version.
Set Up Security and Integration with DataPower XI50z (Sarah Duffy)
The document provides guidance on setting up security and integration between the IBM DataPower XI50z appliance and IBM zEnterprise systems. It discusses planning the network topology and initial setup of the virtual network. It also covers key security concepts and implementing authentication, authorization, and identity propagation when integrating the XI50z with z/OS mainframe systems like CICS, IMS, DB2 and WebSphere MQ. The document is intended to help users securely connect and integrate the XI50z with various zEnterprise applications and services.
This document provides an overview of implementing the Tivoli Enterprise Console (TEC). It discusses planning requirements such as the management software, managed devices, event sources, and rule policies. It then covers installing the required relational database management system (RDBMS), either Oracle or Sybase. Finally, it describes setting up the Tivoli Management Framework, installing the TEC software, configuring distributed monitoring and scripts, and deploying event adapters.
This document provides an overview of developing and deploying a secure portal solution using WebSphere Portal V5 and Tivoli Access Manager V5.1. It discusses the key concepts, high-level architecture, and software components involved. The target audience includes portal administrators, developers, and security administrators. The document covers topics such as security fundamentals, architecture and topology selection for runtime and development environments, design guidelines, and integration considerations. It also includes a working example solution to demonstrate an implementation based on the guidance provided.
This document provides an overview and guide for planning and implementing IBM's Tivoli Data Warehouse Version 1.3. It discusses key concepts in data warehousing and business intelligence. The document also covers planning a data warehouse project, including requirements, design considerations, and best practices. Implementation topics include hardware and software requirements, physical and logical design options, database sizing, security, and more. The goal is to help IT professionals successfully deploy Tivoli Data Warehouse.
This document provides instructions for creating Vuser scripts using LoadRunner. It discusses recording scripts with VuGen, enhancing scripts, defining parameters, correlating statements, and configuring run-time settings. It is protected by copyright and is intended to help users develop effective load tests using LoadRunner.
The document is a manual for Tivoli Business Systems Manager Version 2.1. It provides an overview of the product, which allows for end-to-end business impact management through integrated systems management. The manual details the product structure, components, functions, database structure, user interface, and planning requirements for implementation. It is intended to help users understand and implement the key capabilities of Tivoli Business Systems Manager.
This document provides an overview and introduction to IBM storage data deduplication solutions, including IBM N series, ProtecTIER, and IBM Tivoli Storage Manager deduplication technologies. It covers deduplication concepts and architectures, benefits of deduplication, and planning considerations for deployment. The document is intended for review on February 1, 2011 and contains several chapters on the different deduplication technologies.
2X ApplicationServer is software that provides virtual desktops and applications that can be accessed from anywhere. It allows publishing full desktops and applications within a virtual environment to improve manageability, security, and performance. The document provides instructions on installing 2X ApplicationServer, configuring its console, adding servers and hosts to the farm, publishing applications and desktops, and setting up load balancing, printing, scanning and other features.
This document provides deployment best practices and guidance for installing and configuring IBM Tivoli Continuous Data Protection for Files V3.1. It includes information on planning a deployment, installing and configuring the software, proof of concept scenarios for single-user, home, small business and enterprise environments, and troubleshooting tips. The document is intended for IT professionals tasked with deploying Tivoli Continuous Data Protection for Files.
This document provides a 3-page summary of the key points from a technical paper about IBM Tivoli Security Solutions for Microsoft software environments:
1. It explains IBM's security framework and service management strategy, which focuses on visibility, controls, and automation. It also discusses common security standards.
2. It provides an overview of IBM Tivoli security products and their support for Microsoft operating systems and middleware, including IBM Tivoli Directory Server, IBM Tivoli Access Manager, IBM Tivoli Identity Manager, and IBM Tivoli Security Information and Event Manager.
3. It describes how IBM Tivoli security solutions can integrate with Microsoft software environments to provide security compliance, identity and access management
This document provides an introduction to storage provisioning using IBM's Tivoli Provisioning Manager and TotalStorage Productivity Center. It discusses how these solutions can automate complex storage provisioning tasks, simplify infrastructure management, and eliminate human errors. Specifically, it explores how Tivoli Provisioning Manager can automate the provisioning of SAN File System volumes.
This document provides information about planning and deploying IBM TotalStorage Productivity Center for Data, including:
- An overview of the product, its features, architecture and supported levels
- Planning considerations for hardware, software, databases, user IDs and security
- Steps for installing the Agent Manager and other components on Windows and Linux
This document provides an overview and guide to implementing an extended agent for IBM Tivoli Workload Scheduler (TWS) and IBM Tivoli Storage Manager (TSM). It describes how to configure and use a TSM extended agent that allows TWS to execute TSM commands and integrate TSM backup operations with workload scheduling. The document includes chapters that provide background on TWS and TSM, describe the functions and code of the TSM extended agent, provide instructions for testing and using the agent through a case study, and offer sample scenarios for how the agent could be used to automate various TSM backup and recovery processes.
The document provides information about implementing Tivoli Data Warehouse 1.2, including its features, architecture, planning considerations, and setup instructions. It covers topics such as hardware and software requirements, physical and logical design choices, database sizing, security, and skills required. The document also provides step-by-step instructions for installing and deploying Tivoli Data Warehouse in both a single machine and distributed environment.
This document provides an overview of Enterprise Content Management (ECM) and discusses how ECM solutions can be supported by various storage technologies and solutions. It begins with introductions to ECM and storage concepts for specialists in the opposite fields. It then discusses business drivers for ECM and provides a reference architecture for matching ECM requirements to appropriate storage strategies. The reference architecture addresses requirements for security, integrity, retention, availability and cost, among others. It also covers storage considerations for availability, backup/recovery, business continuity and capacity planning.
This document provides an overview and details of the IBM Information Archive product. It describes the hardware and software components that make up the archive, including cluster nodes, storage controllers, switches and software like Tivoli Storage Manager. It also covers planning considerations for setting up the archive such as capacity needs, network configuration and high availability options. The document is intended to help customers understand what is required to deploy an IBM Information Archive solution.
This document provides an overview of backup and recovery solutions for IBM TotalStorage Network Attached Storage (NAS) appliances. It discusses hardware and software considerations for data availability and describes recovery procedures for the NAS 200 and 300. The document also examines the use of snapshot and replication technologies like Persistent Storage Manager (PSM) and Double-Take. Finally, it reviews several popular backup software solutions and how to implement backups from IBM NAS using them.
This document provides guidance on planning for and implementing large-scale instances of IBM Tivoli Composite Application Manager for WebSphere and Response Time Tracking. It covers topics such as sizing servers, deploying components, ensuring high availability, and performing maintenance. The goal is to help organizations successfully manage thousands of applications and transactions across distributed environments.
The IBM® System Storage® Solutions Handbook helps you solve your current and future data storage business requirements. It helps you achieve enhanced storage efficiency by design to allow managed cost, capacity of growth, greater mobility, and stronger control over storage performance and management. It describes the most current IBM storage products, including the IBM Spectrum™ family, IBM FlashSystem®, disk, and tape, as well as virtualized solutions such IBM Storage Cloud
The document provides information about implementing the IBM Storwize V3700 storage system. It includes an overview of the hardware components and features of the Storwize V3700. The document also covers initial configuration tasks such as planning the hardware and network setup, performing the first-time setup, and configuring features like expansion enclosures, alerts, and inventory. It provides guidance on using the graphical and command-line interfaces to manage and monitor the storage system.
Implementing the IBM Storwize V3700
Easily manage and deploy systems with embedded GUI
Experience rapid and flexible provisioning
Protect data with remote mirroring
This document provides an overview and how-to guide for setting up IBM Tivoli License Manager (ITLM), which is a software license management tool. It discusses the key components of ITLM including the Administration Server, Runtime Server, agents, and database. It also provides guidance on planning the ITLM implementation including physical design considerations, logical design of the customer-division-node hierarchy, disaster recovery procedures, and planning for each ITLM component. Finally, it includes step-by-step instructions for setting up an example ITLM environment with Administration and Runtime Servers on AIX and Windows.
This document provides an overview and instructions for integrating Backup Recovery and Media Services (BRMS) with IBM Tivoli Storage Manager (TSM) on an IBM iSeries server. BRMS is used to back up user and system data on the iSeries, while TSM provides backup and recovery capabilities for multiple platforms. The document discusses the capabilities and interfaces of both products and provides best practices for backing up data to TSM using BRMS. It also covers installation, configuration, and use of the TSM server and client software on the iSeries.
This document provides an overview and guidelines for developing workflows and automation packages for IBM Tivoli Intelligent Orchestrator V3.1. It discusses the architectural design of an automated provisioning solution using Tivoli Intelligent Orchestrator, including defining the scope and functionality of automation packages and workflows. It also provides practical guidance on topics like authentication, documentation standards, and setting up a development environment. The intended audience is IT professionals tasked with implementing automated provisioning and orchestration solutions using Tivoli Intelligent Orchestrator.
This document provides an overview of using IBM Tivoli Storage Manager (ITSM) to perform bare metal recovery (BMR) of Microsoft Windows 2003 and XP systems. It describes setting up ITSM and customizing the client for backups. The document outlines the backup process for the Automated System Recovery (ASR) components and other files and shows how to copy backups to removable media. It then demonstrates how to use ASR and the ITSM backups to recover Windows 2003 and XP systems.
This document provides an overview and instructions for configuring and using IBM Tivoli System Automation for z/OS V3R1. It discusses new features of V3R1 including integration with IBM Tivoli OMEGAMON and enhanced GDPS support. The document then covers tasks for setting up and customizing System Automation for z/OS such as defining VTAM configurations, the policy database, and automating startup tasks. It also provides guidance on using functions like the OMEGAMON interface, end-to-end automation capabilities, and managing SYSPLEXes with the Processor Operations feature.
Similar to Ibm system storage ds8700 disk encryption redp4500 (20)
This document provides the table of contents and introduction for the PostgreSQL 15.1 documentation. It describes that PostgreSQL is an open-source object-relational database system that uses and extends the SQL language combined with many features that safely store and scale the most complicated data workloads. The documentation is copyrighted by the PostgreSQL Global Development Group and provides instructions for how to report bugs and get further information.
This document provides the table of contents and introduction for the PostgreSQL 14.6 documentation. It describes that PostgreSQL is an open-source object-relational database system that uses and extends the SQL language combined with many features that safely store and scale the most complicated data workloads. The documentation is copyrighted by the PostgreSQL Global Development Group and provides instructions for how to report bugs and get further information.
This document provides instructions for a lab exercise on getting started with IBM MobileFirst Platform. It introduces the key concepts of MobileFirst Platform Studio and walks through steps to import a sample banking application project, examine the project structure, add an Android environment, and preview the application in the Mobile Browser Simulator and an Android device. It also demonstrates how to invoke adapters and use the MobileFirst Platform Console and Operational Analytics. The lab aims to familiarize users with the MobileFirst Platform development tools and features.
The IBM MobileFirst Platform provides mobile application development tools and services. It allows developers to integrate backend data, continuously improve apps based on user feedback, and deliver personalized experiences. The platform provides modular services for contextualizing apps, securing data, and gaining insights from usage data. It supports both hybrid and native mobile application development.
IBM MobileFirst Foundation provides tools for developing hybrid, native, and mobile web applications using standards-based technologies. This proof of technology session will demonstrate how to use IBM MobileFirst Foundation to accelerate mobile app development, provide management of deployed apps, and utilize capabilities like in-app notifications, operational analytics, and sentiment analysis. The agenda includes presentations and hands-on labs covering app development, backend integration, app lifecycle management, quality assurance, and the MobileFirst architecture. The session is intended for IT professionals interested in a mobile application platform and will be offered free of charge with breakfast provided.
The document describes adding a mobile coupons ("My Offers") feature to the IBMBank mobile application. It involves using the MobileFirst Platform Service Discovery wizard to generate an adapter for a SOAP web service, adding HTML/JS to display offer data from the service, and implementing local storage of selected offers using the JSON Store database. Key steps include discovering and testing the SOAP service, importing JS files, initializing JSON Store, modifying the app code to retrieve and save offers, and previewing the updated app.
This document provides instructions for a lab exercise on getting started with IBM MobileFirst Platform. It introduces the key concepts of MobileFirst Platform Studio and walks through steps to import a sample banking application project, examine the project structure, add an Android environment, and preview the application in the Mobile Browser Simulator and an Android device. It also demonstrates how to invoke backend services using adapters and view analytics data from the MobileFirst Operations Console. The document contains detailed steps, screenshots and explanations to help users learn fundamental MobileFirst Platform development tasks.
This document describes a lab exercise to demonstrate application management functions in IBM MobileFirst using the MobileFirst Operations Console. The lab will:
1. Deploy an initial version of an IBMBank mobile application to a MobileFirst Server.
2. Publish an updated version of the application to fix a bug, and test the "Direct Update" feature which pushes changes to client devices.
3. Configure application status notifications via the MobileFirst Operations Console and see them displayed on an Android emulator.
This document provides an overview of IBM MobileFirst Platform's operational analytics features. It describes how the analytics platform collects and analyzes data from mobile applications, servers, and devices to provide visibility into performance and usage. The analytics console contains various views and capabilities for searching logs, viewing charts and reports, and diagnosing issues. It summarizes the different data sources, events captured, and the client and server APIs used to log additional analytics data. The document then outlines the steps to access the analytics console and walk through its key pages and functionality.
This document provides instructions for using the MobileFirst Quality Assurance tool on Bluemix to perform sentiment analysis. It first gives a brief overview of MobileFirst Quality Assurance and its capabilities. It then outlines the steps to set up a Mobile Quality Assurance service instance on Bluemix and link it to an iOS app. Finally, it describes how to view the sentiment analysis results in production, including overall sentiment scores, attribute dashboards, comparison to other apps, and attribute trend statistics.
The document describes an exercise using IBM Mobile Quality Assurance (MQA) to test a mobile banking application and report bugs. Students will launch an Android emulator containing the instrumented app. They can test the app functionality and use MQA's in-app notification to report bugs found, such as a misspelled button label. MQA will capture screenshots which students can annotate to describe the issue. All bug reports are uploaded to MQA and viewed by instructors in Bluemix to share with the class. The goal is to introduce MQA's capabilities for mobile app testing and feedback.
This document provides an overview and instructions for installing and configuring the Tivoli Management Environment (TME) platform. It discusses planning the installation, installing TME software on UNIX and PC nodes, configuring the TME management regions and resources, creating administrators and policy regions, and diagnosing common installation issues. It also provides guidance on setting up backups and describes capabilities of the Tivoli/Courier deployment application for managing file packages.
This document provides an overview of firewalls and demilitarized zones (DMZs), and summarizes Tivoli Framework solutions for communicating across firewalls in a secure manner. It describes how Tivoli Framework 3.7.1 introduced single port bulk data transfer and endpoint upcall port consolidation to reduce open ports. The Firewall Solutions Toolbox further improves security with endpoint and gateway proxies, relays to cross multiple DMZs adhering to no direct routing, and supporting unidirectional communications. It also describes the event sink for collecting events from non-Tivoli sources.
This document provides an overview of planning and implementing Tivoli Data Warehouse Version 1.3. It discusses the key components of Tivoli Data Warehouse including the control center server, source databases, central data warehouse, data marts, warehouse agents, and Crystal Enterprise server. It also covers planning considerations such as hardware and software requirements, physical and logical design choices, database sizing, security, network traffic, and skills required. The document is intended as a guide for implementing and managing a Tivoli Data Warehouse.
This document provides an overview and guide for using Business Objects reporting tools with Tivoli Data Warehouse 1.2. It covers Business Objects products and platform, installing Business Objects desktop components, configuring Business Objects for Tivoli Data Warehouse, creating reports, advanced reporting and security features, and deploying reports. The document contains examples and step-by-step instructions for setting up Business Objects and generating simple to advanced reports on Tivoli Data Warehouse data.
This document provides a release guide for IBM Tivoli Storage Productivity Center Version 4.2. It includes information on the new features and functions of Tivoli Storage Productivity Center V4.2, an overview of the product architecture and family, and instructions for installing Tivoli Storage Productivity Center on Windows and Linux systems. The document covers preinstallation steps, installing prerequisite software like DB2, and installing the Tivoli Storage Productivity Center servers, graphical user interface (GUI), and command line interface (CLI).
This document discusses data synchronization features in IBM Tivoli Directory Integrator 6.1, including delta detection, delta tagging, and delta application. Delta detection discovers changes in a data source and retrieves only the modified data. Delta tagging stores change information in the retrieved data using operation codes. Delta application then uses these tags to efficiently propagate only necessary changes to target systems.
This document discusses strategies for migrating and consolidating storage using IBM TotalStorage products. It describes migrating a storage volume from one SAN to another using IBM SAN Volume Controller without interrupting access. It also outlines two methods for migrating data between tape technologies using IBM Tivoli Storage Manager: migrating individual nodes or migrating entire storage pools to a new tape technology.
This document provides guidance on deploying IBM Tivoli Composite Application Manager for WebSphere (ITCAM for WebSphere). It includes sample code, installation instructions, and assistance with scope development for a services engagement with ITCAM for WebSphere. The document covers planning the engagement, demonstrating the key capabilities of ITCAM for WebSphere through a sample implementation, and implementing the full ITCAM for WebSphere solution. It also discusses complementary solutions that can be bundled with an ITCAM for WebSphere engagement.
This document provides guidance on migrating from IBM Service Level Reporter (SLR) to Tivoli Performance Reporter for OS/390. It describes the key differences between the two products and discusses different migration approaches. The bulk of the document consists of examples and step-by-step instructions for migrating different types of SLR data, including predefined SLR tables, user-defined tables, parameter tables, and reports. It also covers related tasks like setting purge conditions.
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
What do a Lego brick and the XZ backdoor have in common?
Speck&Tech
ABSTRACT: At first glance, a Lego brick and the XZ backdoor might have in common the fact that both are building blocks, or dependencies of creative and software projects. The reality is that a Lego brick and the XZ backdoor case have much more than that in common.
Join the presentation to immerse yourself in a story of interoperability, standards and open formats, and then discuss the important role that contributors play in a sustainable open source community.
BIO: An advocate of free software and of standard and open formats. She has been an active member of the Fedora and openSUSE projects and co-founded the LibreItalia Association, where she has been involved in various events, migrations and training related to LibreOffice. She previously worked on LibreOffice migrations and training courses for several public administrations and private organizations. Since January 2020 she has worked at SUSE as a Software Release Engineer for Uyuni and SUSE Manager, and when she is not pursuing her passion for computers and Geeko she cultivates her curiosity for astronomy (from which her nickname deneb_alpha derives).
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications. He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Wask
https://www.wask.co/ebooks/digital-marketing-trends-in-2024
Feeling lost in the digital marketing whirlwind of 2024? Technology is changing, consumer habits are evolving, and staying ahead of the curve feels like a never-ending pursuit. This e-book is your compass. Dive into actionable insights to handle the complexities of modern marketing. From hyper-personalization to the power of user-generated content, learn how to build long-term relationships with your audience and unlock the secrets to success in the ever-shifting digital landscape.
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able to lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
OpenID AuthZEN Interop Read Out - Authorization
David Brossard
During Identiverse 2024 and EIC 2024, members of the OpenID AuthZEN WG got together and demoed their authorization endpoints conforming to the AuthZEN API
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Fueling AI with Great Data with Airbyte WebinarZilliz
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
Ibm system storage ds8700 disk encryption redp4500
IBM System Storage DS8700 Disk Encryption
Benefit from a robust and sophisticated key management
Learn about recovery key and dual platform key servers
Encrypt data at rest with no performance degradation
Bertrand Dufrasne
Antonio Rainero
Roland Wolf
ibm.com/redbooks Redpaper
Special thanks to Rick Ripberger for his input and advice in preparation of this paper.
Thanks to the authors of the previous editions of this paper, Kerstin Blum, Uwe Dubberke,
Marcus Gorzellik, Gabor Penzes.
1.1 Business context
Businesses today need tools to protect against the known threats, but also guard against as
yet unknown threats. Effective threat and vulnerability management must be proactive rather
than reactive, preventing problems rather than responding to them. To be efficient and
effective, businesses must address prevention, detection, and compliance in an integrated
way.
1.1.1 Threats and security challenges
Figure 1-1 illustrates how threats and challenges add to the complexity, and hence the cost, of
running your business.
Figure 1-1 Business complexity
Companies face certain threats and security challenges:
- Increasing number and sophistication of threats. Businesses face more than just viruses
  and worms. You have to be able to defend against all threats rather than just respond to
  intrusions.
- Preventing data breaches and inappropriate data disclosure, while ensuring no impact on
  business and productivity.
- Intrusions that affect the bottom line in both customer confidence and business
  productivity. Security breaches can destroy your brand image and affect your critical
  business processes.
- Growing demand for regulatory compliance and reporting. You must be able to meet a
  growing number of compliance initiatives without diverting resources from core activities.
- Protecting your data and maintaining appropriate levels of access.
- Security issues are both internal and external. How do you protect against the
  well-intentioned employee who mishandles information, and the malicious outsider?
- Having your business comply with a growing number of corporate standards and
  government regulations; you must have tools that can document the status of your
  application security.
- Growing number of regulatory mandates. You have to prove that your physical assets are
  secure.
1.1.2 Need for encryption
In particular, organizations experience a continued push to minimize the risks of data
breaches. There is a new focus on privacy management tools with the capability to mask
data. This focus reinforces the need for cryptography, and subsequent demand to simplify the
complexity of the key-based algorithms and management of keys throughout the life cycle.
A big concern is often when disk drives leave the company premises, which usually happens
when a disk drive fails and the IBM technician replaces it with a new drive. Often, the drive is
not really damaged and data can still be accessed. Of course, IBM has a procedure to delete
all data on the drive. However, this task is no longer under the control of the customer. Some
customers buy the drives back and destroy them themselves. This can be quite expensive.
Another concern is when the whole DS8000 is going to be returned to IBM. The IBM
technician will erase all data, but this is not sufficient for some customers. IBM offers a service
(IBM Certified Secure Data Overwrite) to erase all data (several passes) in compliance with
the American Department of Defense regulations (DoD 5220.20-M).
All these concerns become obsolete when data on the drives is encrypted. Without a
decryption key the data is unreadable.
What should you encrypt, and just as important, what should you not encrypt? Simply encrypt
everything that you can encrypt and still be able to recover data in event of a disaster. As long
as system data can be separated from application data, encrypting everything with no
performance impact is easier than choosing which data falls into which legislation for
encryption, and trying to keep current on the dynamic privacy rights rules and regulations.
Before using any encryption technology, understanding the encryption concepts and the
requirements to maintain the security and the accessibility of the encrypted data is absolutely
important.
Indeed, you do not want the encryption solution to negatively affect your storage environment
and the applications that depend on it. You want an encryption solution that will not degrade
application performance or jeopardize your disaster recovery plan. You also need the
assurance that encryption will not cause any data loss and that all the appropriate measures
have been taken to protect and safeguard the encryption keys.
To address these concerns, the DS8700 encryption solution approach uses disks that have
encryption hardware, and can perform symmetric encryption and decryption of data at full
disk speed with no impact on performance. The disk-based encryption is combined with an
enterprise-scale key management infrastructure. That infrastructure is based on the IBM
Tivoli Key Lifecycle Manager and life cycle management tools to help organizations efficiently
deploy, back up, restore, and delete keys and certificates in a secure and consistent fashion.
The DS8000 solution is further described in Chapter 2, “DS8000 encryption mechanism” on
page 13.
Important: The DS8700 provides disk-based encryption, for data at rest on disk. If
encryption over the network is required, additional encryption services have to be
investigated and deployed as appropriate.
For a successful deployment, following the instructions and guidelines outlined in this
document is also imperative.
For more information about IBM security solutions in general, refer to the IBM security site:
http://www.ibm.com/security/index.html
Chapter 1. Encryption overview 3
1.2 Encryption concepts and terminology
Encryption transforms data that is unprotected, or plain text, into encrypted data, or
ciphertext, using a key. Without knowledge of the encryption key, the ciphertext cannot be
converted back to plain text.
Computer technology has enabled increasingly sophisticated encryption algorithms. Working
with the U.S. Government National Institute of Standards and Technology (NIST), IBM
invented one of the first computer-based algorithms, Data Encryption Standard (DES), in
1974. Today, several widely used encryption algorithms exist, including triple DES (TDES)
and Advanced Encryption Standard (AES).
1.2.1 Symmetric key encryption
Early encryption methods used the same key to encrypt plain text to generate ciphertext, and
to decrypt the ciphertext to regenerate the plain text. Because the same key is used for both
encryption and decryption, this method is called symmetric encryption. All of the encryption
algorithms previously mentioned use symmetric encryption.
Everyone who gets knowledge of the key can transform the ciphertext back to plain text. If you
want to preserve confidentiality, you must protect your key and keep it a secret. Therefore,
symmetric encryption is also called private or secret key encryption, which is not to be
confused with the private key in an asymmetric key system.
In Figure 1-2, we show a sample encryption and decryption data flow path. Here, we use the
symmetric key AES_256_ITSO to encrypt plain text using the AES encryption algorithm,
which yields encrypted data. The decryption of the enciphered text uses the same
AES_256_ITSO symmetric key and the AES algorithm to decrypt the data back to its plain
text format.
Symmetric key encryption algorithms are significantly faster than asymmetric encryption
algorithms, which makes symmetric encryption an ideal candidate for encrypting large
amounts of data.
Figure 1-2 Symmetric key encryption (encryption process: plain text, AES algorithm with symmetric key AES_256_ITSO, encrypted data; decryption process: encrypted data, AES algorithm with the same symmetric key AES_256_ITSO, plain text)
1.2.2 Asymmetric key encryption
It was only in the 1970s that cryptographers invented asymmetric key algorithms for
encryption and decryption. Encryption methods using separate keys for encryption and
decryption are called asymmetric encryption. Asymmetric encryption addresses certain
drawbacks of symmetric encryption, which became more important with computer-based
cryptography.
Asymmetric key encryption uses one key for encrypting (public key) and one key (private key)
for decrypting data. Because the key used for encrypting a message cannot be used for
decrypting, this key does not have to be kept a secret. It can be widely shared and is therefore
called a public key.
Anyone who wants to send secure data to an organization can use its public key. The
receiving organization then uses its private key to decrypt the data. The private key must
always be kept a secret. Because asymmetric encryption uses public/private key pairs, it is
also called public/private key encryption or public key encryption.
Public/private key encryption is widely used on the Internet today to secure transactions,
including Secure Sockets Layer (SSL).
Encrypting data requires an algorithm. Today, the RSA algorithm is the most widely used
public key technique. It is named after the surnames of its three developers, Ronald L.
Rivest, Adi Shamir, and Leonard Adleman, who developed this algorithm in 1977.
The advantage of asymmetric key encryption is the ability to share secret data without
sharing the same encryption key. But disadvantages exist too. Asymmetric key encryption is
computationally more intensive and therefore significantly slower than symmetric key
encryption.
In practice, you will often use a combination of symmetric and asymmetric encryption. We
describe this method in 1.2.3, “Hybrid encryption” on page 9. With the DS8000, the IBM
Encryption solution uses a combination of symmetric and asymmetric encryption
methods. This combination of symmetric and asymmetric encryption algorithms (hybrid
encryption) is prevalent in many security solutions.
Important: The IBM Full Disk Encryption (FDE) solution utilizes the asymmetric RSA
algorithm only to encrypt symmetric AES keys used for data encryption.
Figure 1-3 shows an encryption and decryption data path when using public key encryption
algorithms.
Figure 1-3 Public/private key encryption (encryption process: plain text, RSA algorithm with asymmetric public key, encrypted data; decryption process: encrypted data, RSA algorithm with asymmetric private key, plain text)
Digital signature
You can use public/private key pairs to protect the content of a message, and also to digitally
sign a message. When a digitally signed message is sent, the receiver can be sure that the
sender has sent it because the receiver can prove it by using the public key from the sender.
In practice, predominantly for efficiency reasons, a hash value of the message is signed
rather than the whole message, but the overall procedure is the same.
In Figure 1-4 on page 7, we show how the digital signature is used in the communication
between the DS8000 and Tivoli Key Lifecycle Manager, using an asymmetric key pair. It
illustrates a mechanism used as part of the DS8000 encryption process. The DS8000 has a
private key, and the Tivoli Key Lifecycle Manager has a copy of the DS8000 public key. The
DS8000 sends the Tivoli Key Lifecycle Manager a message that is encrypted with DS8000’s
private key. The Tivoli Key Lifecycle Manager then uses the public key to validate the
message sent from the DS8000. The Tivoli Key Lifecycle Manager cannot use the public key
for decryption of encrypted data, but the Tivoli Key Lifecycle Manager is able, with the
DS8000 public key, to validate that the message was encrypted with the DS8000 private key.
This approach proves to the Tivoli Key Lifecycle Manager that it is in fact communicating with
the DS8000, because only the DS8000 has a copy of its private key. Then, the Tivoli Key
Lifecycle Manager uses the DS8000 public key to encrypt the data that it wants to protect and
sends the data to the DS8000. The DS8000 can use its private key to decrypt the data.
Figure 1-4 Identity verification using public/private key encryption (DS8000 holding the private key and TKLM holding the public key, connected over the network; a message encrypted with the private key flows to TKLM, and data encrypted with the public key flows to the DS8000)
Figure 1-5 on page 8 shows a more detailed flow of actions. A hash of the message is
created, encrypted with the sender’s private key and attached to the message. Both the
message and the digital certificate (the encrypted hash) are encrypted with the receiver’s
public key and transmitted to the receiver.
The receiver uses the receiver’s private key to decrypt the message and digital certificate.
Note that the digital certificate is the hash that is encrypted with the sender’s private key. The
receiver cannot decrypt this, but the receiver can also produce the hash and encrypt it, this
time, however, with the sender’s public key. If both match, the receiver can be sure of the
identity of the sender.
Figure 1-5 Verification of identity of sender (message exchange and sender verification. Sender: hash the message; encrypt hash with sender’s private key = digital signature; attach to message; encrypt message and signature with receiver’s public key; send. Receiver: decrypt message and signature with receiver’s private key; decrypt digital signature with sender’s public key; hash the message; compare to verify message integrity)
Digital certificates
Another possibility is to make sure that the sender can trust the receiver by using a
certificate, which is signed by a certificate authority (CA).
Digital certificates are a way to bind public key information with an identity. The certificates
are signed by a CA. If users trust the CA and can verify the CA's signature, then they can also
verify that a certain public key does indeed belong to whomever (person or entity) is identified
in the certificate.
Part of the information that is stored in a digital certificate includes the following items:
- Name of the issuer
- Subject Distinguished Name (DN)
- Public key belonging to the owner
- Validity date for the public key
- Serial number of the digital certificate
- Digital signature of the issuer
Note: For the DS8700, digital certificates are created and set by manufacturing for each
Storage Facility Image.
Both asymmetric and symmetric key encryption schemes are powerful ways to protect and
secure data. In 2.2, “Encryption key management” on page 16, we discuss in detail their use
with the IBM System Storage DS8000 Series family that provides an extremely secure way of
protecting data.
1.2.3 Hybrid encryption
In practice, encryption methods often combine symmetric and asymmetric encryption. Thus,
they can take advantage of fast encryption with symmetric encryption and still securely
exchange keys using asymmetric encryption.
Hybrid methods use a symmetric data key to actually encrypt and decrypt data. They do not
transfer this symmetric data key in the clear, but use public/private key encryption to encrypt
the data key. The recipient is able to decrypt the encrypted data key and use the data key to
encrypt or decrypt a message.
Hybrid encryption methods allow you to combine secure and convenient key exchange with
fast and efficient encryption of large amounts of data.
The IBM Full Disk Encryption (FDE) solution uses a symmetric AES data key to encrypt and
decrypt data. This data key is protected by the asymmetric RSA algorithm and is not available
in plaintext when the storage device and the Tivoli Key Lifecycle Manager communicate. For
details, refer to 1.4, “Tivoli Key Lifecycle Manager” on page 10.
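The exchange described under "Digital signature" (Figure 1-4) and the hybrid scheme of this section can be traced in code. The following is an added example, not code from the Redpaper or from IBM: a device signs a key request, a key server verifies it and returns an AES data key wrapped under the device's RSA public key, and the device unwraps it. All class, method and message names are hypothetical, and AES-GCM is a choice made for this demo (the text does not name the mode the FDE drives use).

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.util.Arrays;

// Added illustration only: names and message contents are hypothetical,
// and this is not the DS8000 / Tivoli Key Lifecycle Manager wire protocol.
public class HybridKeyExchangeDemo {
    static final String SIG_ALG = "SHA256withRSA"; // hashes the message, then applies the private key
    static final String WRAP_ALG = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    static final String DATA_ALG = "AES/GCM/NoPadding"; // demo choice, not taken from the page

    static KeyPair newRsaPair() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    // Device side: sign the key request with the device private key.
    static byte[] sign(PrivateKey devicePrivate, byte[] request) throws GeneralSecurityException {
        Signature s = Signature.getInstance(SIG_ALG);
        s.initSign(devicePrivate);
        s.update(request);
        return s.sign();
    }

    // Key server side: verify the signature with the registered device public key,
    // then hand back the data key wrapped under that same public key.
    static byte[] serveWrappedKey(PublicKey devicePublic, byte[] request, byte[] signature,
                                  SecretKey dataKey) throws GeneralSecurityException {
        Signature s = Signature.getInstance(SIG_ALG);
        s.initVerify(devicePublic);
        s.update(request);
        if (!s.verify(signature)) {
            throw new SecurityException("request was not signed by the registered device key");
        }
        Cipher wrap = Cipher.getInstance(WRAP_ALG);
        wrap.init(Cipher.WRAP_MODE, devicePublic);
        return wrap.wrap(dataKey);
    }

    // Device side: only the holder of the device private key can recover the data key.
    static SecretKey unwrap(PrivateKey devicePrivate, byte[] wrapped) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(WRAP_ALG);
        c.init(Cipher.UNWRAP_MODE, devicePrivate);
        return (SecretKey) c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }

    static byte[] aesGcm(int mode, SecretKey key, byte[] iv, byte[] in) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(DATA_ALG);
        c.init(mode, key, new GCMParameterSpec(128, iv));
        return c.doFinal(in);
    }

    public static void main(String[] args) throws Exception {
        KeyPair device = newRsaPair();   // private half stays on the storage device
        KeyPair impostor = newRsaPair(); // a party that does not hold the device key
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey dataKey = kg.generateKey(); // symmetric data key held by the key server
        byte[] request = "key-request:device-0001".getBytes(StandardCharsets.UTF_8); // constructed

        // Genuine device: the request verifies, the wrapped key unwraps, bulk data uses AES.
        byte[] wrapped = serveWrappedKey(device.getPublic(), request,
                sign(device.getPrivate(), request), dataKey);
        SecretKey onDevice = unwrap(device.getPrivate(), wrapped);
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        byte[] plain = "constructed sample record".getBytes(StandardCharsets.UTF_8);
        byte[] cipherText = aesGcm(Cipher.ENCRYPT_MODE, onDevice, iv, plain);
        byte[] roundTrip = aesGcm(Cipher.DECRYPT_MODE, dataKey, iv, cipherText);
        System.out.println("data key round trip ok: " + Arrays.equals(plain, roundTrip));

        // A request signed with any other private key is refused by the key server.
        try {
            serveWrappedKey(device.getPublic(), request, sign(impostor.getPrivate(), request), dataKey);
            System.out.println("impostor was served (unexpected)");
        } catch (SecurityException e) {
            System.out.println("impostor rejected: " + e.getMessage());
        }

        // The wrapped key seen in transit is useless without the device private key.
        try {
            unwrap(impostor.getPrivate(), wrapped);
            System.out.println("unwrapped with the wrong key (unexpected)");
        } catch (GeneralSecurityException e) {
            System.out.println("wrapped key cannot be opened without the device private key");
        }
    }
}
```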
1.3 Encryption challenges
Encryption, as we have seen, is dependent upon encryption keys. Those keys have to be, at
the same time, kept secure and available, and responsibilities have to be split:
Key security
To preserve the security of encryption keys, the implementation must be such that no one
individual (system or person) has access to all the information required to determine the
encryption key. In a system-based solution, the encryption data keys are encrypted with a
wrapping key (that is, another key that encrypts and decrypts the data keys). This wrapped key
method is used with the DS8000 by separating the storage of a wrapped data key stored
on the disk from the storage of the wrap/unwrap keys within a key server.
Key availability
More than one individual (person or system) has access to any single piece of information
necessary to determine the encryption key. In a system-based solution, redundancy is
provided by having multiple isolated key servers. Additionally, backups of key server’s data
are maintained.
Separation of responsibilities
The DS8700 offers a recovery key to get access to data if none of the key servers are
available. To prevent one person from gaining access to the data, the handling of a
recovery key requires two people (separate roles): a security administrator and a storage
administrator. Starting with DS8000 Licensed Machine Code (LMC) level 6.5.1.xx, you
also have the possibility to disable the recovery key.
The sensitivity of possessing and maintaining encryption keys and the complexity of
managing the number of encryption keys in a typical environment result in a customer
requirement for a key server. A key server is integrated with encrypting storage products to
resolve most of the security and usability issues associated with key management for
encrypted storage.
Note: IBM offers an enterprise-scale key management infrastructure through IBM Tivoli
Key Lifecycle Manager and life cycle management tools to help organizations efficiently
deploy, back up, restore and delete keys and certificates in a secure and consistent
fashion.
However, the customer must still be sufficiently aware of how these products interact to be
able to provide appropriate management of the IT environment. Even with a key server,
generally at least one encryption key (the overall key that manages access to all other
encryption keys, or a key that encrypts the data used by the key server) or a recovery key
must be maintained manually.
One critical consideration with a key server implementation is that all code and data objects
required to make the key server operational must not be stored on storage that is dependent
on any key server to be accessed.
A situation where all key servers cannot become operational because there is data or code
that cannot be accessed without an operational key server is referred to as an encryption
deadlock. It is analogous to having a bank vault that is unlocked with a combination and the
only copy of the combination is locked inside the vault.
This situation, and the policies and mechanisms required to avoid it, are discussed more fully
in Chapter 2, “DS8000 encryption mechanism” on page 13.
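The deadlock condition above can be checked mechanically from an inventory of where each key server's code and data live. The following is an added example, not code from the Redpaper or from any IBM tool; the server and volume names are constructed, and the inventory format is an assumption made for this sketch. It computes which key servers can be started from a cold state and flags the case where none can.

```java
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

// Added illustration only: a hypothetical inventory model, not an IBM tool or format.
public class EncryptionDeadlockCheck {

    // serverVolumes: key server -> volumes holding its code and data.
    // volumeKeyServers: volume -> key servers able to unlock it (empty set = not encrypted).
    // Returns the key servers that can be brought up when nothing is running yet.
    static Set<String> coldStartable(Map<String, List<String>> serverVolumes,
                                     Map<String, Set<String>> volumeKeyServers) {
        Set<String> running = new TreeSet<>();
        boolean changed = true;
        while (changed) { // repeat until no further server can be started
            changed = false;
            for (Map.Entry<String, List<String>> e : serverVolumes.entrySet()) {
                if (running.contains(e.getKey())) {
                    continue;
                }
                boolean allReadable = true;
                for (String volume : e.getValue()) {
                    Set<String> unlockers = volumeKeyServers.getOrDefault(volume, Set.of());
                    // An encrypted volume is readable only if one of its key servers is already up.
                    if (!unlockers.isEmpty() && Collections.disjoint(unlockers, running)) {
                        allReadable = false;
                        break;
                    }
                }
                if (allReadable) {
                    running.add(e.getKey());
                    changed = true;
                }
            }
        }
        return running;
    }

    // A key server is isolated if none of its volumes needs any key server to be read.
    static Set<String> isolated(Map<String, List<String>> serverVolumes,
                                Map<String, Set<String>> volumeKeyServers) {
        Set<String> result = new TreeSet<>();
        for (Map.Entry<String, List<String>> e : serverVolumes.entrySet()) {
            boolean independent = true;
            for (String volume : e.getValue()) {
                if (!volumeKeyServers.getOrDefault(volume, Set.of()).isEmpty()) {
                    independent = false;
                }
            }
            if (independent) {
                result.add(e.getKey());
            }
        }
        return result;
    }

    static void report(String label, Map<String, List<String>> serverVolumes,
                       Map<String, Set<String>> volumeKeyServers) {
        Set<String> startable = coldStartable(serverVolumes, volumeKeyServers);
        System.out.println(label);
        System.out.println("  cold-startable key servers: " + startable);
        System.out.println("  isolated key servers:       " + isolated(serverVolumes, volumeKeyServers));
        System.out.println("  encryption deadlock:        " + startable.isEmpty());
    }

    public static void main(String[] args) {
        // Constructed inventory: two encrypted volumes and one unencrypted local disk.
        Map<String, Set<String>> volumes = Map.of(
                "ds-vol-a", Set.of("ks1", "ks2"),
                "ds-vol-b", Set.of("ks1", "ks2"),
                "local-disk", Set.of());
        // Both key servers live on encrypted volumes: neither can start first.
        report("both key servers on encrypted volumes",
                Map.of("ks1", List.of("ds-vol-a"), "ks2", List.of("ds-vol-b")), volumes);
        // One key server on storage that needs no key: it starts, then unlocks the other.
        report("primary key server on local disk",
                Map.of("ks1", List.of("local-disk"), "ks2", List.of("ds-vol-b")), volumes);
    }
}
```

In the second inventory no deadlock exists, but only ks1 is isolated; ks2 can start only after ks1 is up.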
1.4 Tivoli Key Lifecycle Manager
The IBM approach to key management revolves around IBM Tivoli Key Lifecycle Manager,
which is enhanced in phases. From an initial focus on key management for tape and disk
encryption, IBM is expanding Tivoli Key Lifecycle Manager into a centralized key
management facility for managing encryption across a range of deployments.
In your enterprise, a large number of symmetric keys, asymmetric keys, and certificates can
exist. All of these keys and certificates have to be managed and can be handled by Tivoli Key
Lifecycle Manager.
The Tivoli Key Lifecycle Manager application performs key management tasks for IBM
encryption-enabled hardware such as the IBM System Storage DS8000 Series family and
IBM encryption-enabled tape drives (TS1130 and TS1040). Tivoli Key Lifecycle Manager
provides, protects, stores, and maintains encryption keys that are used to encrypt information
being written to, and decrypt information being read from, an encryption-enabled disk. Tivoli
Key Lifecycle Manager operates on a variety of operating systems. Currently, the supported
operating systems are as follows:
- AIX® 5.3 and AIX 6.1 (64 bit)
- Red Hat AS 4.0 x86 (32 bit)
- SUSE Linux® Enterprise Server (SLES) 9.0 and 10 x86 (32 bit)
- Solaris 10 Sparc (64 bit)
- Windows® Server 2003 (32 bit)
- IBM z/OS V1.9 and V1.10 (Tivoli Key Lifecycle Manager hosted in the System Service
  Runtime Environment for z/OS)
Tivoli Key Lifecycle Manager is designed to be a shared resource, deployed in several
locations within an enterprise. It is capable of serving numerous IBM encrypting-enabled
types of hardware regardless of where those devices reside.
Note: For the DS8700, an isolated primary Tivoli Key Lifecycle Manager key server is
required and must be deployed on an IBM System x® running SLES 9.0 with storage that
is not provisioned on the DS8700. Additionally, secondary key servers can be deployed on
any of the previously mentioned platforms.
1.4.1 Tivoli Key Lifecycle Manager components
With the DS8700, Tivoli Key Lifecycle Manager is used to handle serving keys to the
encrypting disk drives. In addition to the key-serving function, the Tivoli Key Lifecycle
Manager offers the following functions, which can also be used for IBM encryption-enabled
tape drives:
Lifecycle functions
– Notification of certificate expiration through the Tivoli Integrated Portal
– Automated rotation of certificates
– Automated rotation of groups of keys
Usability features
– Provides a graphical user interface (GUI)
– Initial configuration wizards
– Migration wizards
Integrated backup and restore of Tivoli Key Lifecycle Manager files
– One button to create and restore a single backup packaged as a .jar file
To perform these tasks, Tivoli Key Lifecycle Manager relies on external components. The
Tivoli Key Lifecycle Manager solution includes the Tivoli Key Lifecycle Manager server, an
IBM embedded WebSphere® Application Server, and a database server (IBM DB2®).
The solution also incorporates the Tivoli Integrated Portal installation manager, which
provides simple-to-use installation for Windows, Linux, AIX, and Solaris.
In Tivoli Key Lifecycle Manager, the Drive Table, LTO Key Group, and metadata are all kept in
DB2 tables. The Tivoli Key Lifecycle Manager DB2 tables enable the user to search and query
that information much more easily. Note that the keystore, configuration file, audit log, and debug
log are still flat files.
1.4.2 Tivoli Key Lifecycle Manager resources
Tivoli Key Lifecycle Manager also relies on the following resources:
Configuration file
Tivoli Key Lifecycle Manager has an editable configuration file with additional
configuration parameters that are not offered in the GUI. The file can be text-edited;
however, the preferred method is modifying the file through the Tivoli Key Lifecycle
Manager command-line interface (CLI).
We discuss installation and configuration in Appendix A, “Tivoli Key Lifecycle Manager
Installation” on page 143, and also describe a set of configuration options.
Java™ security keystore
The keystore is defined as part of the Java Cryptography Extension (JCE) and an element
of the Java Security components, which are, in turn, part of the Java Runtime
Environment. A keystore holds the certificates and keys (or pointers to the certificates and
keys) used by Tivoli Key Lifecycle Manager to perform cryptographic operations. A
keystore can be either hardware-based or software-based. Tivoli Key Lifecycle Manager
supports several types of Java keystores, offering a variety of operational characteristics to
meet your needs.
Tivoli Key Lifecycle Manager on open systems supports the JCEKS keystore. This
keystore supports both CLEAR key symmetric keys, and CLEAR key asymmetric keys.
Symmetric keys are used for LTO 4 encryption drives, and asymmetric keys are used for
DS8000 and TS1100 tape drives.
Cryptographic Services
Tivoli Key Lifecycle Manager uses the IBM Java Security components for its cryptographic
capabilities. Tivoli Key Lifecycle Manager does not provide cryptographic capabilities and
therefore does not require, nor is allowed to obtain, FIPS 140-2 certification. However,
Tivoli Key Lifecycle Manager takes advantage of the cryptographic capabilities of the IBM
Java Virtual Machine in the IBM Java Cryptographic Extension component and allows the
selection and use of the IBMJCEFIPS cryptographic provider, which has a FIPS 140-2
level 1 certification.
By setting the FIPS configuration parameter to ON in the Configuration Properties file either
through text editing or by using the Tivoli Key Lifecycle Manager CLI, you can make Tivoli
Key Lifecycle Manager use the IBMJCEFIPS provider for all cryptographic functions.
Important: Tivoli Key Lifecycle Manager takes advantage of the cryptographic
capabilities of the IBM Java virtual machine in the IBM Java Cryptographic Extension
component and allows the selection and use of the IBMJCEFIPS cryptographic
provider.
You can find more information about the IBMJCEFIPS provider, its selection, and its use at
the following website:
http://www.ibm.com/developerworks/java/jdk/security/50/FIPShowto.html
2.1 DS8700 disk encryption
The DS8700 disk subsystem supports data encryption with the IBM Full Disk Encryption
(FDE) drives. These drives are available in 300 GB, 450 GB, and 600 GB capacity, with a
rotational speed of 15,000 RPM. All disks in the DS8700 must be FDE drives; no intermix is
allowed.
These disks have encryption hardware, and can perform symmetric encryption and
decryption of data at full disk speed with no impact on performance.
The disk encryption hardware is used in conjunction with Tivoli Key Lifecycle Manager. Tivoli
Key Lifecycle Manager and the DS8700 use asymmetric encryption to encrypt and decrypt
the data key. When connected to the DS8700, Tivoli Key Lifecycle Manager generates
encryption and decryption keys that are used to lock each FDE drive.
Without these keys managed by Tivoli Key Lifecycle Manager, the customer can no longer
decrypt the data on disk.
Note: If all copies of the decryption key are lost (whether intentionally or accidentally), then
no feasible way exists to decrypt the associated ciphertext, and the data contained in the
ciphertext is said to have been cryptographically erased. The data is lost, because it
cannot be decrypted without the key.
For more details about the encryption key management, see 2.2, “Encryption key
management” on page 16.
To be able to use data encryption, the DS8700 must be ordered from manufacturing with FDE
drives (replacing regular FC drives with FDE drives in an existing DS8700 is not supported).
Details about the ordering process are given in 4.1, “Tivoli Key Lifecycle Manager
configuration” on page 50.
Currently the DS8700 does not support intermix of FDE and non-FDE drives, so any
additional disks must be consistent with the drives that are already installed. A DS8700 with
FDE drives is referred to as being encryption-capable. An encryption-capable DS8700 can be
configured to either enable or disable encryption for all data that is stored on customer disks.
Attention: Enabling encryption cryptographically erases all data on the drives. Therefore,
encryption must be enabled directly at the beginning, not when data is already stored in
the DS8700.
The DS8700 must be configured to communicate with at least two Tivoli Key Lifecycle
Manager key servers to enable encryption. Two Tivoli Key Lifecycle Manager key servers are
required for redundancy. After the DS8700 powers on, it must be able to communicate with at
least one of the Tivoli Key Lifecycle Manager servers to get the unlock keys. The
communication between the DS8700 and the Tivoli Key Lifecycle Manager key server is done
through the Hardware Management Console (HMC). Therefore, having two HMCs to also
provide redundancy on the storage-device side is important. For details, refer to 3.5, “Dual
HMC and redundancy” on page 44.
The physical connection between the DS8700 HMC and the key server is through a TCP/IP
network, as depicted in Figure 2-1 on page 15.
Figure 2-1 Connection between DS8000 HMC and Tivoli Key Lifecycle Manager (the figure
shows the storage administrator's DS GUI / DS CLI and the DS8700 Storage Facility Image
servers connected through dual HMCs, which are recommended, and the customer IP network
to the primary and secondary TKLM servers with their crypto services and keystore)
Before we explain the various keys used by DS8700 and Tivoli Key Lifecycle Manager for
encryption, we discuss how messages can be exchanged between two systems in a secure
way. We discuss the concept of digital signatures.
Digital signatures are used to authenticate a sender. The digital signatures are generated
using the private and public keys. Figure 2-2 on page 16 explains the following steps:
1. The Sender writes its message.
2. According to a mathematical formula, a digital string, usually of a fixed length, is derived
from the message. This is called a hash. Although a hash is derived from and uniquely
linked to the data, deriving the data from the hash is not possible.
3. The hash is encrypted with the sender’s private key. The encrypted hash is called a digital
signature.
4. The digital signature is attached to the message.
5. Both message and digital signature are encrypted with the receiver’s public key.
6. The encrypted message is sent to the receiver.
7. The receiver decrypts the message and signature combination.
Now the receiver reproduces the message hash in two ways:
– The receiver decrypts the digital signature with the sender’s public key to get the
original hash.
– The receiver calculates the hash from the received message.
8. If both hashes match, the receiver has good reason to trust the message.
Figure 2-2 Authentication with digital signatures
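The eight steps above, carried through in Python as an added example that is not part of the original document. It uses textbook RSA over fixed Mersenne primes as a stand-in for a real signature and encryption scheme; `toy_keypair`, `send`, `receive`, and the keys themselves are constructed for this illustration.

```python
import hashlib

def toy_keypair(a, b):
    """Textbook RSA from Mersenne primes 2**a-1 and 2**b-1. Unpadded and insecure: demo only."""
    p, q = 2**a - 1, 2**b - 1
    n, e = p * q, 65537
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))         # (public, private)

def rsa(key, value):
    """Apply one RSA key (public or private) to an integer."""
    n, exponent = key
    return pow(value, exponent, n)

def digest(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

SENDER_PUB, SENDER_PRIV = toy_keypair(521, 607)               # constructed demo keys
RECEIVER_PUB, RECEIVER_PRIV = toy_keypair(1279, 2203)         # larger, so it can carry the bundle
SIG_LEN = (SENDER_PUB[0].bit_length() + 7) // 8               # bytes in one signature

def send(message):
    """Steps 1-6. The message must be short (under about 290 bytes) and must not
    start with a zero byte, because the bundle is encrypted as a single integer."""
    signature = rsa(SENDER_PRIV, digest(message))             # steps 2-3: hash, then sign
    bundle = message + signature.to_bytes(SIG_LEN, "big")     # step 4: attach the signature
    return rsa(RECEIVER_PUB, int.from_bytes(bundle, "big"))   # step 5: encrypt for the receiver

def receive(ciphertext):
    """Steps 7-8. Returns (message, True if both hashes match)."""
    plain = rsa(RECEIVER_PRIV, ciphertext)                    # step 7: decrypt the bundle
    bundle = plain.to_bytes((plain.bit_length() + 7) // 8, "big")
    message, signature = bundle[:-SIG_LEN], bundle[-SIG_LEN:]
    hash_from_signature = rsa(SENDER_PUB, int.from_bytes(signature, "big"))
    return message, hash_from_signature == digest(message)    # step 8: compare the hashes

if __name__ == "__main__":
    print(receive(send(b"The quick brown fox")))
```

Encrypting with the receiver's public key gives confidentiality only; the hash comparison in step 8 is what ties the message to the sender's private key.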
2.2 Encryption key management
In this section, we provide details about how the Tivoli Key Lifecycle Manager key server
manages and creates the encryption keys used by the DS8700 during key label, encryption
group, and rank creation, and at DS8700 power-on time.
Important: Key negotiation and authentication between the Tivoli Key Lifecycle Manager
and DS8700 takes place at DS8700 power-on time only. In other words, there is no traffic
overhead in an encrypted DS8700 at run time that is created by key negotiation.
Tivoli Key Lifecycle Manager uses the wrapped key method to serve keys to an
encryption-enabled DS8700. The wrap and unwrap keys on Tivoli Key Lifecycle Manager are
a public/private asymmetric key pair referred to as the public key encrypting key (KEK) and
the private key encrypting key (KEK’), respectively.
The configuration processes on Tivoli Key Lifecycle Manager and the storage device
(DS8700) define one or more key labels. Refer to 4.1, “Tivoli Key Lifecycle Manager
configuration” on page 50.
The key label is a user-specified text string that is associated with the asymmetric key
pair (KEK/KEK’) generated by Tivoli Key Lifecycle Manager (TKLM) when the key label is
configured (see Figure 2-3 on page 17). The key generation and propagation processes on
Tivoli Key Lifecycle Manager associate a key label with each wrap/unwrap key pair, and the
key label is retained with that key pair. The key encrypting key pair is kept secret by Tivoli
Key Lifecycle Manager in a keystore.
Figure 2-3 Configure Tivoli Key Lifecycle Manager key label (the figure shows TKLM
generating the public/private wrapping key pair, KEK/KEK’, for a key label associated with
a DS8000, here "DS8K1", and putting it into a password-locked keystore; the supported
keystores are the JCEKS keystore file, JCERACFKS z/OS RACF, and JCECCARACFKS z/OS HW
encryption)
Note: The Licensed Machine Code (LMC) level 6.5.1.xx (bundle version 75.1.xx.xx)
enables the rekey data key feature. This feature allows a user to change the data key
labels (see 5.5, “Rekey data key” on page 118).
Now the user (storage administrator) can use the DS8000 GUI to register the key server on
the DS8700. Next, still using the DS8000 GUI, an encryption group is created. For details,
refer to 4.2.1, “Configuring Tivoli Key Lifecycle Manager server connection to DS8700” on
page 62.
As part of creating the encryption group, you must specify the key label that was set when
configuring the Tivoli Key Lifecycle Manager server, which was configured for a certain
DS8000.
Note: Currently, the DS8700 has only one encryption group.
While creating the encryption group, the DS8700, which we are referring to as DS8K1,
generates a device session key pair (device session public key/device session private key,
respectively noted as DSK/DSK’) from a random number. The public/private key pair is
associated with a key label. The device session private key (DSK’) is kept secret by the
DS8700.
The key label, device session public key (DSK), and the DS8700 storage facility certificate
(which was set and stored on the DS8700 by manufacturing) are sent to Tivoli Key Lifecycle
Manager to request a data key (see Figure 2-4).
Figure 2-4 DS8000 creates session keys and requests a data key (the figure shows DS8K1
generating its DSK/DSK’ session key pair, which is used as wrapping keys, and sending the
key label, its public key DSK, and its factory-installed certificate to the TKLM server
with the request: "Hey, Mr. TKLM, I am DS8K1, here is my ID, generate a Data Key for me,
wrap it with YOUR public key and MY public key and send both to me.")
Upon reception of these elements, Tivoli Key Lifecycle Manager carries out the following
steps (see Figure 2-5 on page 19):
1. It validates the DS8700 certificate (its ID).
2. It generates the data key (DK).
3. The data key (DK) is wrapped with DS8700’s device session public key (DSK) and stored
in a structure referred to as the session encrypted data key (SEDK).
4. From the key label, Tivoli Key Lifecycle Manager retrieves the key pair (KEK/KEK’) for the
specified key label. The data key (DK) is wrapped with the key-label public key (or public
key encrypting key, KEK) and stored in a structure referred to as the externally encrypted
data key (EEDK).
Figure 2-5 Tivoli Key Lifecycle Manager generates data key (the figure also shows that the
data key is a 256-bit symmetric key from a random number generator; in step 5, both
encrypted envelopes, SEDK and EEDK, are sent to DS8K1; in step 6, TKLM deletes the data
key and keeps only the wrapping keys KEK/KEK’ in its keystore)
Now, Tivoli Key Lifecycle Manager transfers the SEDK and the EEDK to the DS8000 and
the following steps are carried out at the DS8700:
1. The DS8000 receives the encrypted structures with the data key in it.
2. To recreate the data key (DK) at the DS8700, the session encrypted data key (SEDK) is
unwrapped with DS8000’s device session private key (DSK’). The DS8700 holds the data
key (DK) in memory. See Figure 2-6 on page 20.
3. The encrypted data key EEDK is stored in DS8700’s keystore. Note that the DS8700
does not have the key to unlock this structure.
4. The DS8000 generates a random 256-bit group key (GK) for the encryption group. See
Figure 2-7 on page 21.
5. The group key (GK) is wrapped with the data key and stored in a structure referred to as
the encrypted group key (EGK).
6. The EGK is persistently stored on the system disk in the key repository. Both the externally
encrypted data key (EEDK) and the EGK are stored in multiple places for reliability.
Figure 2-6 DS8700 unwraps data key and stores encrypted data key (the figure shows DS8K1
receiving the two encrypted structures, unwrapping the SEDK with its private key DSK’ and
keeping the data key in memory only, where it is lost at a power drop, and storing the
EEDK, which it has no key to unlock, in the DS8K keystore on internal disk)
This dual control (from DS8700 and Tivoli Key Lifecycle Manager) improves security: the
DS8000 does not maintain a persistent copy of the DK in the clear and is thus unable to
encrypt or decrypt data without access to Tivoli Key Lifecycle Manager.
Note that the DK is erased by the DS8700 at power off, such that each time it is powered on,
the DS8700 must communicate with Tivoli Key Lifecycle Manager to obtain the DK again.
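The wrapped-key exchange and the dual control described above, modeled in Python as an added example that is not IBM's code. Textbook RSA over fixed Mersenne primes stands in for the KEK/KEK’ and DSK/DSK’ pairs and an XOR pad stands in for the symmetric wrap; certificate validation is omitted, and the class and method names are hypothetical.

```python
import hashlib
import secrets

def toy_keypair(a, b):
    """Textbook RSA from Mersenne primes 2**a-1 and 2**b-1. Unpadded and insecure: demo only."""
    p, q = 2**a - 1, 2**b - 1
    n, e = p * q, 65537
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))         # (public, private)

def rsa(key, value):
    return pow(value, key[1], key[0])

def sym_wrap(wrapping_key, key):
    """Stand-in symmetric wrap: XOR with a SHA-256 pad, so wrap and unwrap are the same call."""
    pad = hashlib.sha256(b"wrap" + wrapping_key).digest()
    return bytes(x ^ y for x, y in zip(key, pad))

class TKLM:
    def __init__(self, labels):
        # key label -> (KEK, KEK'); every label shares one fixed toy pair in this demo
        self.keystore = {label: toy_keypair(1279, 2203) for label in labels}
    def serve_data_key(self, label, dsk):
        kek, _ = self.keystore[label]
        dk = secrets.randbits(256)                            # data key (DK), not retained here
        return rsa(dsk, dk), rsa(kek, dk)                     # SEDK, EEDK
    def unwrap_eedk(self, label, eedk):
        return rsa(self.keystore[label][1], eedk).to_bytes(32, "big")   # needs KEK'

class DS8700:
    def __init__(self, label):
        self.label = label
        self.dsk, self.dsk_private = toy_keypair(521, 607)    # DSK / DSK'
        self.memory, self.keystore = {}, {}
    def create_encryption_group(self, tklm):
        sedk, eedk = tklm.serve_data_key(self.label, self.dsk)
        dk = rsa(self.dsk_private, sedk).to_bytes(32, "big")  # unwrap SEDK with DSK'
        gk = secrets.token_bytes(32)                          # random 256-bit group key (GK)
        self.memory = {"DK": dk, "GK": gk}                    # volatile
        self.keystore = {"EEDK": eedk, "EGK": sym_wrap(dk, gk)}   # persistent
    def power_off(self):
        self.memory = {}                                      # DK and GK are erased

if __name__ == "__main__":
    tklm, box = TKLM(["DS8K1"]), DS8700("DS8K1")
    box.create_encryption_group(tklm)
    gk = box.memory["GK"]
    box.power_off()
    dk = tklm.unwrap_eedk("DS8K1", box.keystore["EEDK"])      # only the KEK' holder can do this
    print("GK recovered through TKLM:", sym_wrap(dk, box.keystore["EGK"]) == gk)
```

After `power_off()`, the model's persistent state holds only the EEDK and the EGK, and the DSK’ it still owns does not open the EEDK.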
Figure 2-7 Setting up encryption (the figure shows DS8K1 generating the symmetric 256-bit
group key from a random number generator, wrapping it with the data key, and storing the
encrypted group key, EGK, in the keystore on internal disk alongside the EEDK; the group
key, which is used to lock and unlock the disk drives, is volatile and lost after a power
drop)
When the user configures a rank, the DS8700 creates an access credential for each DDM in
this rank to lock the drive. See Figure 2-8 on page 22. The following steps occur during
configuration of the rank:
1. The DS8700 reads the serial number of each disk.
2. The serial number is hashed with the group key to create the access credential.
3. The access credential is sent to the drive.
4. In the drive the encryption key is wrapped with the access credential. A hash of the access
credential is also stored on the drive.
The drives are now locked. This means that after a power off and a power on, the drives
grant access to data only when the encrypted encryption key that is stored on the drives is
unlocked by providing access credentials and an unlock key. See Figure 2-9 on page 23.
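The four rank-configuration steps above, modeled in Python as an added example that is not IBM's code. HMAC-SHA256 is assumed for "hashed with the group key", an XOR pad stands in for the drive's key wrap, and `FdeDrive`, `configure_rank`, and the serial numbers are hypothetical.

```python
import hashlib
import hmac
import secrets

def access_credential(group_key, serial):
    """Steps 1-2: hash the drive serial number with the group key (HMAC-SHA256 assumed)."""
    return hmac.new(group_key, serial.encode(), hashlib.sha256).digest()

def xor_wrap(credential, key):
    """Stand-in key wrap: XOR with a pad derived from the credential (self-inverse)."""
    pad = hashlib.sha256(b"drive-wrap" + credential).digest()
    return bytes(x ^ y for x, y in zip(key, pad))

class FdeDrive:
    """Hypothetical model of one FDE drive (DDM) in a rank."""
    def __init__(self, serial):
        self.serial = serial
        self.encryption_key = secrets.token_bytes(32)     # cleartext only while unlocked
        self.wrapped_key = self.credential_hash = None

    def lock(self, credential):
        """Step 4: wrap the encryption key and keep only a hash of the credential."""
        self.wrapped_key = xor_wrap(credential, self.encryption_key)
        self.credential_hash = hashlib.sha256(credential).digest()

    def power_cycle(self):
        self.encryption_key = None                        # only the wrapped copy survives

    def unlock(self, credential):
        offered = hashlib.sha256(credential).digest()
        if not hmac.compare_digest(offered, self.credential_hash):
            return False                                  # wrong credential: stay locked
        self.encryption_key = xor_wrap(credential, self.wrapped_key)
        return True

def configure_rank(group_key, drives):
    for drive in drives:                                  # step 3: send each drive its credential
        drive.lock(access_credential(group_key, drive.serial))

if __name__ == "__main__":
    gk = secrets.token_bytes(32)
    rank = [FdeDrive("SN0001"), FdeDrive("SN0002")]       # constructed serial numbers
    configure_rank(gk, rank)
    for drive in rank:
        drive.power_cycle()
    print(rank[0].unlock(access_credential(gk, "SN0001")))   # True
    print(rank[1].unlock(access_credential(gk, "SN0001")))   # False
```

Because each credential is derived from both the group key and the serial number, a credential for one drive does not unlock another, and no drive unlocks without the group key.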