This document provides an overview of IBM Tivoli Key Lifecycle Manager for z/OS, including how it works, how to plan an implementation, and how to install and configure the solution components. It discusses encryption of data on tape and disk using different methods, considerations for capacity planning, high availability and disaster recovery. The document also includes checklists for planning and installing Tivoli Key Lifecycle Manager.
This document provides an overview and comparison of IBM tape library solutions for backing up IBM xSeries servers. It discusses factors to consider when selecting a tape library such as capacity, number of drives, and scalability. It also provides configuration details for backing up to tape libraries using Tivoli Storage Manager, VERITAS Backup Exec, and CA ARCserve. Recovery procedures using the backup software and Tivoli Disaster Recovery Manager are also covered.
This document provides an overview of implementing the Tivoli Enterprise Console (TEC). It discusses planning requirements such as the management software, managed devices, event sources, and rule policies. It then covers installing the required relational database management system (RDBMS), either Oracle or Sybase. Finally, it describes setting up the Tivoli Management Framework, installing the TEC software, configuring distributed monitoring and scripts, and deploying event adapters.
This document provides guidance on planning and deploying IBM Tivoli Composite Application Manager for Web Resources V6.2 (ITCAM) to monitor Web application server performance. It discusses the ITCAM architecture and how it interconnects with J2EE and WebSphere data collectors. It also covers hardware and software prerequisites, typical deployment environments, and provides a sample project plan for setting up ITCAM with tasks such as environment preparation, software installation, and customizing the product.
This document provides a release guide for IBM Tivoli Storage Productivity Center Version 4.2. It includes information on the new features and functions of Tivoli Storage Productivity Center V4.2, an overview of the product architecture and family, and instructions for installing Tivoli Storage Productivity Center on Windows and Linux systems. The document covers preinstallation steps, installing prerequisite software like DB2, and installing the Tivoli Storage Productivity Center servers, graphical user interface (GUI), and command line interface (CLI).
This document provides an overview and introduction to IBM Tivoli Storage Area Network Manager. It discusses why SAN management is needed as storage environments have become more complex. It also covers the components, functions, and highlights of IBM Tivoli SAN Manager version 1.2, including its ability to discover SAN topology and iSCSI environments, monitor events, provide reports, and integrate with other vendor management applications. The document is intended to help readers understand how IBM Tivoli SAN Manager can help manage and monitor SAN environments.
This document provides a practical guide to installing and configuring Tivoli SANergy. It begins with an introduction to SANergy and its benefits for sharing data on a SAN. It then provides step-by-step instructions for setting up SANergy with both Windows and UNIX management domains controllers (MDCs). Additional chapters cover advanced topics like performance tuning, high availability configurations, and integrating SANergy with other Tivoli applications like Tivoli Storage Manager. The document is intended to help readers successfully implement and use SANergy in their own environments.
The document provides information about implementing Tivoli Data Warehouse 1.2, including its features, architecture, planning considerations, and setup instructions. It covers topics such as hardware and software requirements, physical and logical design choices, database sizing, security, and skills required. The document also provides step-by-step instructions for installing and deploying Tivoli Data Warehouse in both a single machine and distributed environment.
This document provides an overview and guide for using Business Objects reporting tools with Tivoli Data Warehouse 1.2. It covers Business Objects products and platform, installing Business Objects desktop components, configuring Business Objects for Tivoli Data Warehouse, creating reports, advanced reporting and security features, and deploying reports. The document contains examples and step-by-step instructions for setting up Business Objects and generating simple to advanced reports on Tivoli Data Warehouse data.
This document provides an overview and introduction to IBM storage data deduplication solutions, including IBM N series, ProtecTIER, and IBM Tivoli Storage Manager deduplication technologies. It covers deduplication concepts and architectures, benefits of deduplication, and planning considerations for deployment. The document is intended for review on February 1, 2011 and contains several chapters on the different deduplication technologies.
This document provides an installation and integration guide for IBM Tivoli Provisioning Manager V7.1.1. It begins with an overview of TPM concepts and architecture. It then covers planning considerations for deployment scenarios including installation requirements, topologies and firewall configurations. The document provides step-by-step instructions for installing TPM and integrating with other IBM products like CCMDB and Tivoli Service Request Manager. Finally, it describes customizing TPM after installation including security, implementing the scalable distribution infrastructure and software deployment capabilities.
This document provides guidance on selecting IBM tape products and solutions. It begins with an introduction and overview of IBM's tape offering portfolio. The bulk of the document then focuses on gathering information about a company's current and future backup environment and data needs. This includes questions about hardware, software, backup volumes, restore requirements, budgets and more. The guide then uses the collected information to recommend appropriate entry-level, LTO or enterprise tape solutions that would best meet the company's needs.
This document provides instructions for installing and configuring IBM's Tivoli Intelligent ThinkDynamic Orchestrator software. It guides the reader through planning a demonstration of the software, installing necessary components on Windows systems, designing a sample data center model using XML, and loading and testing the model. The final chapter describes demonstrating the software's capabilities to monitor and manage resources and applications in the simulated data center.
This document provides an overview and guide for planning and implementing IBM's Tivoli Data Warehouse Version 1.3. It discusses key concepts in data warehousing and business intelligence. The document also covers planning a data warehouse project, including requirements, design considerations, and best practices. Implementation topics include hardware and software requirements, physical and logical design options, database sizing, security, and more. The goal is to help IT professionals successfully deploy Tivoli Data Warehouse.
This document provides an overview of tape backup solutions for Netfinity servers. It discusses various tape technologies like DLT, 8mm, and 4mm tapes. It also covers different system topologies for backups like direct tape connections, single server models, two-tier models, and multi-tier models. The document recommends strategies for backups, including scheduling, compression, and hierarchical storage. It provides details on specific IBM tape drives like 40/80GB DLT, 35/70GB DLT, and 20/40GB 8mm drives. The intended audience is IT professionals implementing backup solutions for Netfinity servers.
This document provides an overview and introduction to IBM TotalStorage SAN File System version 2.2.2. It discusses the growth of storage area networks (SANs) and storage networking technology trends. It also covers SAN File System architecture, prerequisites, features like policy-based storage management and FlashCopy, and reliability. The document is intended to help readers understand and plan SAN File System implementations.
This document is the user manual for Snort version 2.8.6. It provides an overview of Snort's capabilities in different operating modes like sniffer, packet logger, and network intrusion detection system modes. It also describes how to configure Snort, including preprocessor and rule configuration, as well as output and logging options. The document contains detailed information on topics like includes, rule profiling, output modules, and more.
This document provides an introduction to the IBM GDPS family of offerings. It discusses business resilience requirements and how GDPS supports IT resilience through technologies like disk replication and automation. The document covers GDPS/PPRC, which uses IBM's Peer-to-Peer Remote Copy (PPRC) technology for continuous availability and disaster recovery. It also addresses infrastructure planning considerations for GDPS implementations.
This document provides an introduction to IBM Tivoli Storage Resource Manager. It discusses storage resource management issues such as growth in data storage needs and inefficient use of storage resources. It describes the objectives of storage resource management to address these issues through functions like discovery, monitoring, reporting, alerts and chargeback. It provides an overview of IBM Tivoli Storage Resource Manager, its components, supported platforms, and functions for managing storage resources across the enterprise.
This document provides an overview and how-to guide for setting up IBM Tivoli License Manager (ITLM), a software license management tool. It discusses the key components of ITLM including the Administration Server, Runtime Server, Agents, and Catalog Manager. It also provides guidance on planning the ITLM implementation including physical design considerations, logical design of the customer environment, disaster recovery procedures, and planning for each ITLM component. Finally, it walks through setting up the ITLM Administration Server with steps for installing required software like IBM DB2 and WebSphere and configuring the DB2 schema. The document aims to help IT professionals successfully set up their ITLM license management environment.
This document provides an overview of robust data synchronization with IBM Tivoli Directory Integrator. It discusses business drivers for data synchronization and different architectural approaches. It also describes the components of Tivoli Directory Integrator, including AssemblyLines, Connectors, Parsers and other elements. Finally, it covers best practices for designing, implementing, administering and monitoring an enterprise data synchronization solution with Tivoli Directory Integrator.
This document provides an overview and design guide for implementing Tivoli Decision Support (TDS). It describes the TDS product components, implementation modes, supported platforms, concepts and terminology. The document then discusses a methodology for a TDS implementation project including requirements gathering, systems analysis, project planning, deployment, testing and documentation phases. It also covers TDS architecture and design considerations such as integrating TDS with Tivoli applications, component integration, stand-alone vs. network options, and case studies. Finally, it includes a case study of a TDS implementation project at a customer site.
This document provides a deployment guide for IBM Tivoli Usage and Accounting Manager V7.1. It discusses planning the solution environment including hardware and software prerequisites. It also covers installing and configuring the product, including the database, server components, and data collection packs. Finally it demonstrates basic product usage through setting up accounting resources, running a data collection job, and generating reports. The document aims to help deploy and demonstrate the key capabilities of the IBM financial management solution.
This document is a study guide for the IBM Tivoli Configuration Manager 4.2 certification. It explains the certification path and prerequisites, provides an overview of the Tivoli Management Framework and Tivoli Configuration Manager components and installation, and includes sample test questions and answers to help readers prepare for the certification exam.
IBM InfoSphere DataStage Data Flow and Job Design (divjeev)
This document provides an overview of IBM InfoSphere DataStage and discusses its key functions and best practices. It contains chapters that describe various IBM InfoSphere DataStage stages and components, present a retail industry scenario to demonstrate how to design and implement ETL jobs, and include additional reference material.
This document provides an overview of IBM DS8700 disk encryption and key management. It discusses how the DS8700 uses symmetric encryption and the Tivoli Key Lifecycle Manager for key management. It provides guidance on planning, implementing, and maintaining a DS8700 encryption environment including best practices for security, availability, and preventing encryption deadlocks. It also describes the configuration of encryption settings through the Tivoli Key Lifecycle Manager console and DS8700 GUI and CLI.
This document provides an overview and instructions for implementing the IBM System Storage SAN32B-E4 Encryption Switch. It discusses the hardware components of the encryption switch and SAN Director Encryption Blades. It also covers the interaction between the encryption switches and Tivoli Key Lifecycle Manager for centralized key management. The document includes steps for installing, configuring, and setting up the encryption switches as well as deployment scenarios.
This document is a deployment guide for IBM Tivoli Application Dependency Discovery Manager V7.1. It provides an overview of TADDM, including its functions, architecture and how it fits within IBM Service Management. The guide also covers planning and installing a TADDM environment, including sizing considerations, deployment best practices and configuration options. Key topics include TADDM's automated discovery capabilities, integration with the eCMDB and how TADDM supports IT service management processes like change and configuration management.
This document is a deployment guide for IBM Tivoli Application Dependency Discovery Manager V7.1. It provides an overview of TADDM, including its functions, architecture and how it fits within IBM Service Management. The guide also covers installing and configuring TADDM, customizing discovery profiles, integrating with other IBM products, and tips for using TADDM.
This document provides an overview of tape encryption solutions from IBM, including IBM Tivoli Key Lifecycle Manager Version 2. It discusses IBM tape drives and libraries that support encryption, and the different methods of managing encryption at the system, library, and application levels. The document also covers planning for hardware and software requirements to implement a tape encryption solution.
This document provides an overview of building a highly available clustered environment for IBM Tivoli Storage Manager. It discusses cluster concepts and high availability. It then describes testing a clustered Tivoli Storage Manager environment, including testing the cluster infrastructure and applications. The document focuses on configuring Microsoft Windows clusters with Tivoli Storage Manager for both Windows 2000 and Windows 2003 environments. It covers installing and configuring the Tivoli Storage Manager server and client within a Microsoft Cluster Server. It also includes testing the setup and configurations.
This document provides a guide to selecting and differentiating IBM tape products. It begins with an introduction and overview of IBM tape offerings. The guide then presents a questioning format to gather information about a user's current and future backup environment. This includes questions about hardware, software, data, backup processes, restore needs and financial considerations. The document helps users find the best tape solution by comparing entry-level, LTO and enterprise tape subsystem options. It provides positioning matrices and summaries to aid in selecting the most appropriate tape drives, libraries and components for a user's backup strategy.
This document provides an overview of robust data synchronization with IBM Tivoli Directory Integrator. It discusses business drivers for data synchronization and different architectural approaches. It also describes the components of Tivoli Directory Integrator, including AssemblyLines, Connectors, Parsers and other elements. Finally, it covers best practices for designing, implementing, administering and monitoring an enterprise data synchronization solution with Tivoli Directory Integrator.
This document provides an overview of how to integrate IBM Tivoli Workload Scheduler (TWS) with various IBM Tivoli products. It describes common integration scenarios for both TWS for z/OS and the distributed version of TWS. Specific chapters then dive deeper into integrating TWS for z/OS with products like Tivoli Information Management, Tivoli NetView, Tivoli System Automation, and Tivoli Business Systems Manager. The document provides guidance on configuring each product for the integration and testing the new functionality.
This document provides guidance for IBM Tivoli Netcool/OMNIbus V7.2 certification. It discusses the certification program and test objectives, and provides an overview of the installation, configuration, and customization processes for Netcool/OMNIbus. Key topics covered include planning the Netcool/OMNIbus architecture and components, installing and configuring various elements like the ObjectServer and gateways, and setting up security through roles, groups and users. The document aims to prepare readers for the certification exam by explaining the essential tasks and concepts relating to a Netcool/OMNIbus implementation.
This document provides an overview and how-to guide for setting up IBM Tivoli License Manager (ITLM), which is a software license management tool. It discusses the key components of ITLM including the Administration Server, Runtime Server, agents, and database. It also provides guidance on planning the ITLM implementation including physical design considerations, logical design of the customer-division-node hierarchy, disaster recovery procedures, and planning for each ITLM component. Finally, it includes step-by-step instructions for setting up an example ITLM environment with Administration and Runtime Servers on AIX and Windows.
This document provides a 3-page summary of the key points from a technical paper about IBM Tivoli Security Solutions for Microsoft software environments:
1. It explains IBM's security framework and service management strategy, which focuses on visibility, controls, and automation. It also discusses common security standards.
2. It provides an overview of IBM Tivoli security products and their support for Microsoft operating systems and middleware, including IBM Tivoli Directory Server, IBM Tivoli Access Manager, IBM Tivoli Identity Manager, and IBM Tivoli Security Information and Event Manager.
3. It describes how IBM Tivoli security solutions can integrate with Microsoft software environments to provide security compliance, identity and access management
The document is a manual for Tivoli Business Systems Manager Version 2.1. It provides an overview of the product, which allows for end-to-end business impact management through integrated systems management. The manual details the product structure, components, functions, database structure, user interface, and planning requirements for implementation. It is intended to help users understand and implement the key capabilities of Tivoli Business Systems Manager.
This document provides information about planning and deploying IBM TotalStorage Productivity Center for Data, including:
- An overview of the product, its features, architecture and supported levels
- Planning considerations for hardware, software, databases, user IDs and security
- Steps for installing the Agent Manager and other components on Windows and Linux
The document provides information about implementing the IBM Storwize V3700 storage system. It includes an overview of the hardware components and features of the Storwize V3700. The document also covers initial configuration tasks such as planning the hardware and network setup, performing the first-time setup, and configuring features like expansion enclosures, alerts, and inventory. It provides guidance on using the graphical and command-line interfaces to manage and monitor the storage system.
Implementing the IBM Storwize V3700
Easily manage and deploy systems with embedded GUI
Experience rapid and flexible provisioning
Protect data with remote mirroring
This document provides an overview and instructions for integrating Backup Recovery and Media Services (BRMS) with IBM Tivoli Storage Manager (TSM) on an IBM iSeries server. BRMS is used to back up user and system data on the iSeries, while TSM provides backup and recovery capabilities for multiple platforms. The document discusses the capabilities and interfaces of both products and provides best practices for backing up data to TSM using BRMS. It also covers installation, configuration, and use of the TSM server and client software on the iSeries.
This document provides best practices for planning and implementing large scale IBM Tivoli Monitoring environments. It discusses hardware sizing, scalability considerations, and performance optimization for the Tivoli Enterprise Monitoring Server, Tivoli Enterprise Portal Server, Tivoli Data Warehouse, and Tivoli Enterprise Monitoring agents. Firewall configuration and historical data collection are also addressed. The goal is to help customers deploy Tivoli Monitoring in a way that meets their monitoring needs as their environments grow to support thousands of devices and applications.
This document provides an overview and comparison of IBM Tivoli NetView and Netcool/Precision for IP Networks. It discusses the capabilities of each product for discovery, monitoring, network visualization, event management, diagnostic tools, user consoles, and integration with other IBM products. The document aims to help NetView customers understand options for migrating to the Netcool/Precision platform.
Similar to Ibm tivoli key lifecycle manager for z os redp4472 (20)
This document provides the table of contents and introduction for the PostgreSQL 15.1 documentation. It describes that PostgreSQL is an open-source object-relational database system that uses and extends the SQL language combined with many features that safely store and scale the most complicated data workloads. The documentation is copyrighted by the PostgreSQL Global Development Group and provides instructions for how to report bugs and get further information.
This document provides the table of contents and introduction for the PostgreSQL 14.6 documentation. It describes that PostgreSQL is an open-source object-relational database system that uses and extends the SQL language combined with many features that safely store and scale the most complicated data workloads. The documentation is copyrighted by the PostgreSQL Global Development Group and provides instructions for how to report bugs and get further information.
This document provides instructions for a lab exercise on getting started with IBM MobileFirst Platform. It introduces the key concepts of MobileFirst Platform Studio and walks through steps to import a sample banking application project, examine the project structure, add an Android environment, and preview the application in the Mobile Browser Simulator and an Android device. It also demonstrates how to invoke adapters and use the MobileFirst Platform Console and Operational Analytics. The lab aims to familiarize users with the MobileFirst Platform development tools and features.
The IBM MobileFirst Platform provides mobile application development tools and services. It allows developers to integrate backend data, continuously improve apps based on user feedback, and deliver personalized experiences. The platform provides modular services for contextualizing apps, securing data, and gaining insights from usage data. It supports both hybrid and native mobile application development.
IBM MobileFirst Foundation provides tools for developing hybrid, native, and mobile web applications using standards-based technologies. This proof of technology session will demonstrate how to use IBM MobileFirst Foundation to accelerate mobile app development, provide management of deployed apps, and utilize capabilities like in-app notifications, operational analytics, and sentiment analysis. The agenda includes presentations and hands-on labs covering app development, backend integration, app lifecycle management, quality assurance, and the MobileFirst architecture. The session is intended for IT professionals interested in a mobile application platform and will be offered free of charge with breakfast provided.
The document describes adding a mobile coupons ("My Offers") feature to the IBMBank mobile application. It involves using the MobileFirst Platform Service Discovery wizard to generate an adapter for a SOAP web service, adding HTML/JS to display offer data from the service, and implementing local storage of selected offers using the JSON Store database. Key steps include discovering and testing the SOAP service, importing JS files, initializing JSON Store, modifying the app code to retrieve and save offers, and previewing the updated app.
This document provides instructions for a lab exercise on getting started with IBM MobileFirst Platform. It introduces the key concepts of MobileFirst Platform Studio and walks through steps to import a sample banking application project, examine the project structure, add an Android environment, and preview the application in the Mobile Browser Simulator and an Android device. It also demonstrates how to invoke backend services using adapters and view analytics data from the MobileFirst Operations Console. The document contains detailed steps, screenshots and explanations to help users learn fundamental MobileFirst Platform development tasks.
This document describes a lab exercise to demonstrate application management functions in IBM MobileFirst using the MobileFirst Operations Console. The lab will:
1. Deploy an initial version of an IBMBank mobile application to a MobileFirst Server.
2. Publish an updated version of the application to fix a bug, and test the "Direct Update" feature which pushes changes to client devices.
3. Configure application status notifications via the MobileFirst Operations Console and see them displayed on an Android emulator.
This document provides an overview of IBM MobileFirst Platform's operational analytics features. It describes how the analytics platform collects and analyzes data from mobile applications, servers, and devices to provide visibility into performance and usage. The analytics console contains various views and capabilities for searching logs, viewing charts and reports, and diagnosing issues. It summarizes the different data sources, events captured, and the client and server APIs used to log additional analytics data. The document then outlines the steps to access the analytics console and walk through its key pages and functionality.
This document provides instructions for using the MobileFirst Quality Assurance tool on Bluemix to perform sentiment analysis. It first gives a brief overview of MobileFirst Quality Assurance and its capabilities. It then outlines the steps to set up a Mobile Quality Assurance service instance on Bluemix and link it to an iOS app. Finally, it describes how to view the sentiment analysis results in production, including overall sentiment scores, attribute dashboards, comparison to other apps, and attribute trend statistics.
The document describes an exercise using IBM Mobile Quality Assurance (MQA) to test a mobile banking application and report bugs. Students will launch an Android emulator containing the instrumented app. They can test the app functionality and use MQA's in-app notification to report bugs found, such as a misspelled button label. MQA will capture screenshots which students can annotate to describe the issue. All bug reports are uploaded to MQA and viewed by instructors in Bluemix to share with the class. The goal is to introduce MQA's capabilities for mobile app testing and feedback.
This document provides an overview and instructions for installing and configuring the Tivoli Management Environment (TME) platform. It discusses planning the installation, installing TME software on UNIX and PC nodes, configuring the TME management regions and resources, creating administrators and policy regions, and diagnosing common installation issues. It also provides guidance on setting up backups and describes capabilities of the Tivoli/Courier deployment application for managing file packages.
This document provides an overview of firewalls and demilitarized zones (DMZs), and summarizes Tivoli Framework solutions for communicating across firewalls in a secure manner. It describes how Tivoli Framework 3.7.1 introduced single port bulk data transfer and endpoint upcall port consolidation to reduce open ports. The Firewall Solutions Toolbox further improves security with endpoint and gateway proxies, relays to cross multiple DMZs adhering to no direct routing, and supporting unidirectional communications. It also describes the event sink for collecting events from non-Tivoli sources.
This document provides an overview of planning and implementing Tivoli Data Warehouse Version 1.3. It discusses the key components of Tivoli Data Warehouse including the control center server, source databases, central data warehouse, data marts, warehouse agents, and Crystal Enterprise server. It also covers planning considerations such as hardware and software requirements, physical and logical design choices, database sizing, security, network traffic, and skills required. The document is intended as a guide for implementing and managing a Tivoli Data Warehouse.
This document discusses data synchronization features in IBM Tivoli Directory Integrator 6.1, including delta detection, delta tagging, and delta application. Delta detection discovers changes in a data source and retrieves only the modified data. Delta tagging stores change information in the retrieved data using operation codes. Delta application then uses these tags to efficiently propagate only necessary changes to target systems.
This document discusses strategies for migrating and consolidating storage using IBM TotalStorage products. It describes migrating a storage volume from one SAN to another using IBM SAN Volume Controller without interrupting access. It also outlines two methods for migrating data between tape technologies using IBM Tivoli Storage Manager: migrating individual nodes or migrating entire storage pools to a new tape technology.
This document provides guidance on deploying IBM Tivoli Composite Application Manager for WebSphere (ITCAM for WebSphere). It includes sample code, installation instructions, and assistance with scope development for a services engagement with ITCAM for WebSphere. The document covers planning the engagement, demonstrating the key capabilities of ITCAM for WebSphere through a sample implementation, and implementing the full ITCAM for WebSphere solution. It also discusses complementary solutions that can be bundled with an ITCAM for WebSphere engagement.
This document provides guidance on migrating from IBM Service Level Reporter (SLR) to Tivoli Performance Reporter for OS/390. It describes the key differences between the two products and discusses different migration approaches. The bulk of the document consists of examples and step-by-step instructions for migrating different types of SLR data, including predefined SLR tables, user-defined tables, parameter tables, and reports. It also covers related tasks like setting purge conditions.
This document provides instructions for setting up and configuring IBM Tivoli Access Manager for Enterprise Single Sign-On 8.1 in both single-server and clustered environments. It discusses installing and configuring the necessary software components like DB2, WebSphere Application Server, IBM HTTP Server, and the IMS server. It also covers steps for configuration of these components as well as the IMS server for single sign-on functionality. The document is intended as a guide for carrying out an end-to-end installation and configuration of the IBM Tivoli Access Manager single sign-on solution.
ADSM is backup and recovery software that provides centralized management of backups. It includes components like backup clients, an administrative client, servers, and application clients. ADSM can back up and restore Windows NT systems and applications. It also enables disaster recovery through features like backing up to remote sites. Some common customer scenarios using ADSM include single server backup/recovery, adding additional NT servers, and separate onsite or remote ADSM servers with server-to-server communications.
Driving Business Innovation: Latest Generative AI Advancements & Success Story (Safe Software)
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Project Management Semester Long Project - Acuity (jpupo2018)
Acuity is an innovative learning app designed to transform the way you engage with knowledge. Powered by AI technology, Acuity takes complex topics and distills them into concise, interactive summaries that are easy to read & understand. Whether you're exploring the depths of quantum mechanics or seeking insight into historical events, Acuity provides the key information you need without the burden of lengthy texts.
Monitoring and Managing Anomaly Detection on OpenShift.pdf (Tosin Akinosho)
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
What do a Lego brick and the XZ backdoor have in common? (Speck&Tech)
ABSTRACT: At first glance, a Lego brick and the XZ backdoor might have in common the fact that both are building blocks, or dependencies of creative and software projects. The reality is that a Lego brick and the XZ backdoor case have much more than that in common.
Join the presentation to immerse yourself in a story of interoperability, standards and open formats, and then discuss the important role that contributors play in a sustainable open source community.
BIO: An advocate of free software and of standard, open formats. She has been an active member of the Fedora and openSUSE projects and co-founded the LibreItalia Association, where she was involved in various events, migrations and training related to LibreOffice. She previously worked on LibreOffice migrations and training courses for various public administrations and private organizations. Since January 2020 she has worked at SUSE as a Software Release Engineer for Uyuni and SUSE Manager, and when she is not pursuing her passion for computers and for Geeko she cultivates her curiosity for astronomy (from which her nickname deneb_alpha derives).
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Best 20 SEO Techniques To Improve Website Visibility In SERP (Pixlogix Infotech)
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
UiPath Test Automation using UiPath Test Suite series, part 6 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform.
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
OpenID AuthZEN Interop Read Out - Authorization (David Brossard)
During Identiverse 2024 and EIC 2024, members of the OpenID AuthZEN WG got together and demoed their authorization endpoints conforming to the AuthZEN API.
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A... (Jeffrey Haguewood)
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on integration of Salesforce with Bonterra Impact Management.
Interested in deploying an integration with Salesforce for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Skybuffer SAM4U tool for SAP license adoption (Tatiana Kojar)
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
GraphRAG for Life Science to increase LLM accuracy (Tomaz Bratanic)
GraphRAG for the life science domain, where you retrieve information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers.
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx (SitimaJohn)
Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
Fueling AI with Great Data with Airbyte Webinar (Zilliz)
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers (akankshawande)
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
Ibm tivoli key lifecycle manager for z os redp4472
1. Front cover
IBM Tivoli Key Lifecycle
Manager for z/OS
Features and benefits
Planning, installation, and use
Troubleshooting tips
Karan Singh
Steven Hart
William C. Johnston
Lynda Kunz
Irene Penney
ibm.com/redbooks Redpaper
12. Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines
Corporation in the United States, other countries, or both. These and other IBM trademarked terms are
marked on their first occurrence in this information with the appropriate symbol (® or ™), indicating US
registered or common law trademarks owned by IBM at the time this information was published. Such
trademarks may also be registered or common law trademarks in other countries. A current list of IBM
trademarks is available on the Web at http://www.ibm.com/legal/copytrade.shtml
The following terms are trademarks of the International Business Machines Corporation in the United States,
other countries, or both:
AIX®, DB2®, DS8000®, FICON®, IBM®, Language Environment®, OS/390®, Parallel Sysplex®, RACF®, Rational®, Redbooks®, Redbooks (logo)®, System p®, System Storage™, System z9®, System z®, Tivoli®, TotalStorage®, VTAM®, WebSphere®, z/OS®, z/VM®, z/VSE™, z9®, zSeries®
The following terms are trademarks of other companies:
SUSE, the Novell logo, and the N logo are registered trademarks of Novell, Inc. in the United States and other
countries.
Red Hat, and the Shadowman logo are trademarks or registered trademarks of Red Hat, Inc. in the U.S. and
other countries.
SAP, and SAP logos are trademarks or registered trademarks of SAP AG in Germany and in several other
countries.
J2EE, Java, Java runtime environment, JDBC, JVM, Solaris, Sun, Sun Java, ZFS, and all Java-based
trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Windows Server, Windows, and the Windows logo are trademarks of Microsoft Corporation in the United
States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Linux is a trademark of Linus Torvalds in the United States, other countries, or both.
Other company, product, or service names may be trademarks or service marks of others.
x IBM Tivoli Key Lifecycle Manager for z/OS
SAP® Architecture and infrastructure. She also has extensive experience with SAP Basis
and AIX®, VM and MVS Systems Administration and Operations.
Thanks to the following people for their contributions to this project:
Rich Conway, Bob Haimowitz
International Technical Support Organization, Poughkeepsie Center
Jonathan Barney, Tom Benjamin, John Dayka, James Ebert, Krishna Yellepeddy
IBM
1.1 Tivoli Key Lifecycle Manager
Tivoli Key Lifecycle Manager provides you a simplified key management solution that is easy
to install, deploy, and manage. Tivoli Key Lifecycle Manager allows you to create, back up,
and manage the keys and certificates your enterprise uses. Through its graphical and
command line interfaces you can manage symmetric keys, asymmetric keys, and certificates.
Tivoli Key Lifecycle Manager provides:
• Key serving with lifecycle management using a graphical user interface and a command line interface.
• Support for encryption-enabled IBM System Storage™ TS1100 Family Tape Drives (3592 tape drives).
• Support for IBM Systems Storage Linear Tape-Open (LTO) Ultrium Generation 4 Tape Drives.
• Support for the DS8000® Storage Controller (IBM System Storage DS8000 Turbo drive). This support requires the appropriate microcode bundle version on the DS8000 Storage Controller, Licensed Internal Code level 64.2.xxx.0 or higher.
• Backup and recovery to protect your keys and certificates.
• Notification on expiration of certificates.
• Audit records to allow you to track the encryption of your data.
• Support for RACF® and ICSF protected keystores.
• Auto roll-over of key groups and certificates. This capability applies to 3592 and LTO drives; it does not apply to DS8000. Provides key life-cycle management function that allows a user to define when a new key group should be used with LTO drives or new certificates with 3592 drives.
While other encryption solutions require processor power, encryption using Tivoli Key
Lifecycle Manager in concert with IBM encryption-capable tape and disk drives is done with
little or no impact on performance. You can easily exchange encrypted tapes with your
business partners or data centers that have the necessary key information to decrypt the
data.
With the introduction of the Tivoli Key Lifecycle Manager, IBM has made available the next
generation of Key Manager software to enable serving keys to encrypting drives. Tivoli Key
Lifecycle Manager is intended to give a consistent look and feel for Key Management tasks
across the brand, while simplifying those same key management tasks.
Tivoli Key Lifecycle Manager and IBM encryption-capable tape drives provide high
performance data encryption. Encryption is performed by the tape drive hardware at native
drive speeds. It also supports encryption of large amounts of tape data for backup and
archive purposes. Utilizing the TS1130 Tape Drive, TS1120 Tape Drive, or LTO4 Tape Drive
offers a cost-effective solution for tape data encryption by offloading encryption tasks from
servers, leveraging existing tape infrastructure incorporated in standard IBM Tape Libraries,
and eliminating the need for unique appliance hardware.
Tivoli Key Lifecycle Manager and the DS8000 drives provide high performance data
encryption for all your data on disk. Encryption is performed by the disk drive hardware at
native drive speeds, providing economical encryption for large amounts of data on disk.
Utilizing the DS8000 disk drives to encrypt your data provides a cost-effective solution for disk
data encryption by offloading encryption tasks from the servers, leveraging existing disk
infrastructure and eliminating the need for unique appliance hardware.
Adding encryption to the enterprise by using IBM encrypting devices and Tivoli Key Lifecycle
Manager is transparent to the applications and operations using the devices and therefore
adds valuable security and loss prevention for data without expensive changes to the
applications or operations procedure.
See Appendix B, “Basics of cryptography” on page 149 for an overview of cryptographic
concepts.
1.2 How tape encryption works
Encryption, implemented in the tape drive, encrypts the data before it is written to the
cartridge. When tape compression is enabled, the tape drive first compresses the data then
encrypts it. This means that there is no loss of capacity with IBM Tape Encryption. If the
encryption solution encrypts the data first, then the tape drive tries to compress the data,
there will be very little space saved because encrypted data does not compress well.
To encrypt the data, the tape drive needs a key. This key is provided by Tivoli Key Lifecycle
Manager in an encrypted form to make the Tape Encryption solution secure.
Figure 1-1 summarizes the process flow for Tape Encryption using TS1130 and TS1120.
1. Load cartridge, specify encryption.
2. Tape drive requests a data key.
3. Key manager generates key and encrypts it.
4. Encrypted keys transmitted to tape drive.
5. Tape drive writes encrypted data and stores encrypted data key on cartridge.
Figure 1-1 TS1120 and TS1130 Tape Encryption process flow
Figure 1-2 summarizes the LTO4 Tape Encryption process flow.
1. Load cartridge, specify encryption.
2. Tape drive requests a data key.
3. Key manager retrieves key and encrypts it for transmission.
4. Encrypted data key transmitted to tape drive.
5. Tape drive decrypts the data key, writes encrypted data and keyid on the cartridge.
Figure 1-2 LTO4 Tape Encryption process
1.3 How DS8000 encryption works
Encryption, implemented in the disk drive, encrypts the data before it is written to the disk.
When compression is enabled, the disk drive first compresses the data to be written, then
encrypts it. This means that there is no loss of capacity with IBM Disk Encryption. If the
encryption solution encrypted the data first, then tried to compress it, there would be little
space savings because encrypted data does not compress well.
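The ordering argument made in sections 1.2 and 1.3 can be checked directly. The following is an added example, not code from the Redpaper or from Tivoli Key Lifecycle Manager: it uses java.util.zip.Deflater and AES-GCM from the JCE as stand-ins (assumptions) for the drive's hardware compression and encryption, runs both orderings on constructed sample data, and prints the stored sizes.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.zip.Deflater;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class CompressionOrderDemo {

    // Deflate a buffer; stands in for the drive's hardware compression (assumption).
    static byte[] compress(byte[] input) {
        Deflater deflater = new Deflater(Deflater.BEST_COMPRESSION);
        deflater.setInput(input);
        deflater.finish();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] chunk = new byte[8192];
        while (!deflater.finished()) {
            out.write(chunk, 0, deflater.deflate(chunk));
        }
        deflater.end();
        return out.toByteArray();
    }

    // AES-GCM with a fresh random IV; stands in for the drive's encryption engine (assumption).
    // Returns IV || ciphertext || tag so the reported sizes include the encryption overhead.
    static byte[] encrypt(SecretKey key, byte[] input) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = cipher.doFinal(input);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: repetitive record-like data, as backup streams often are.
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 20000; i++) {
            sb.append("ACCT=").append(100000 + (i % 500)).append(";STATUS=OK;REGION=EAST\n");
        }
        byte[] plain = sb.toString().getBytes(StandardCharsets.UTF_8);

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey dataKey = kg.generateKey();

        // Order used by the drives described here: compress first, then encrypt.
        byte[] driveOrder = encrypt(dataKey, compress(plain));
        // Order that results when data is already encrypted before it reaches the drive.
        byte[] reversedOrder = compress(encrypt(dataKey, plain));

        System.out.printf("plaintext:             %,d bytes%n", plain.length);
        System.out.printf("compress then encrypt: %,d bytes%n", driveOrder.length);
        System.out.printf("encrypt then compress: %,d bytes%n", reversedOrder.length);
    }
}
```

The second figure stays at roughly the plaintext size because ciphertext has no redundancy left for the compressor to remove.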
To encrypt the data, the disk drive needs a key. This key is provided by Tivoli Key Lifecycle
Manager in an encrypted form to make the Disk Encryption solution secure.
When a DS8000 is installed the protected AES key is requested from Tivoli Key Lifecycle
Manager. This key is used to wrap and unwrap the keys the DS8000 will use to encrypt the
data on disk. Unlike tape, the AES key request from Tivoli Key Lifecycle Manager is a one
time occurrence and is used to wrap all the data keys used by this disk. When sent from Tivoli
Key Lifecycle Manager to the DS8000, the AES key is wrapped with a different key for secure
transfer back to the DS8000 where it is stored.
Figure 1-3 summarizes the process flow for Disk Encryption using a DS8000.
1) Power on DS8000.
2) Request unlock key from TKLM.
3) Key manager generates key and encrypts (wraps) it.
4) Encrypted (wrapped) key is sent back to the DS8000.
5) DS8000 unwraps key. Data is encrypted when written to disk, and decrypted when read from disk.
Figure 1-3 DS8000 Turbo drive encryption process
1.4 Why use Tivoli Key Lifecycle Manager and Tape/DS8000 encryption
Tape and disk encryption is used to hide and protect sensitive data. If a retired DS8000 unit
or tape cartridge leaves the data centers, the data is no longer protected through Resource
Access Control Facility (RACF) or similar access protection mechanisms. Tape and DS8000
encryption will secure the data and can help you fulfill security regulations.
Important and sensitive data can be protected in many ways. Data can be encrypted by
means of special software programs, hardware adapters, hardware appliances, or by the
tape/disk drive as the data is written. Encrypting data with software programs utilizes
processor power, and encrypting data with hardware appliances requires additional
investment in hardware. Using the disk or tape drive needed to write the data on media
provides encryption in a cost-effective manner.
One of the advantages of IBM Tape and DS8000 Encryption is that the data is encrypted after
compression. This saves space on tape cartridges and disk drives, thus sparing the cost of
additional hardware investments. Data on cartridges does not have to be “degaussed” or
overwritten with patterns of x’FF’ at the end of life of the cartridge, which will provide a cost
savings when the tape cartridge or disk reaches end of life. This is true for both Write Once
Read Many (WORM) cartridges and normal tape cartridges. DS8000 units, with the use of
encryption, can have disk drives replaced or discarded without removing the data contained
on the unit, thus saving time and money.
Additionally, a clever use of encryption is for data shredding. If you delete an encryption key,
all the data that encryption key protected becomes, in effect, garbage. This use of the feature
requires extreme care. You need to know exactly what data was encrypted with the key you
are deleting. Remember that without the key you cannot decrypt the data.
Finally, one of the most important aspects of using Tivoli Key Lifecycle Manager with IBM
encryption-capable devices is transparent encryption. An enterprise gains the ability to
secure data without having to make costly changes to the code of existing applications that
use the devices or to the existing operations procedures. With IBM encryption-capable
devices and Tivoli Key Lifecycle Manager, a security administrator can quickly and easily set
up the encrypting environment and turn on encryption without having to make any other
changes to the applications or procedures.
1.5 Encryption key management
A large number of symmetric keys, asymmetric keys, and certificates can exist in your
enterprise. All of these keys and certificates need to be managed. Key management can be
handled either internally by an application, such as Tivoli Storage Manager, or externally by
a Key Manager such as IBM Encryption Key Manager or Tivoli Key Lifecycle Manager.
The Tivoli Key Lifecycle Manager product is an application that will perform key management
tasks for IBM encryption-enabled hardware (for example, the IBM encryption-enabled
TS1100 family of tape drives, Linear Tape-Open (LTO) Ultrium 4 tape drives, and the
DS8000 Turbo drives) by providing, protecting, storing, and maintaining encryption keys that
are used to encrypt information being written to, and decrypt information being read from,
tape and disk media. Tivoli Key Lifecycle Manager operates on a variety of operating
systems. Currently, the supported operating systems are:
Supported with initial release installed:
• AIX 5.3 64-bit (1)
• AIX 6.1 64-bit (1)
• Red Hat® Enterprise Linux 4 32-bit
• Solaris™ 10 SPARC 64-bit (1)
• SUSE® Linux Enterprise Server 9 32-bit
• SUSE Linux Enterprise Server 10 32-bit
• Windows Server® 2003 R2 32-bit
• z/OS Version 1 Release 9 or later
Supported with fix pack 1 installed:
• Red Hat Enterprise Linux 5 32-bit
• Red Hat Enterprise Linux 5 64-bit (1)
• Solaris 9 SPARC 64-bit (1)
• SUSE Linux Enterprise Server 10 64-bit (1)
• Windows Server 2003 64-bit (1). Requires both new installation image and Fix Pack 1 (or later).
• Windows Server 2008 32-bit. Requires both new installation image and Fix Pack 1 (or later).
• Windows Server 2008 64-bit (1). Requires both new installation image and Fix Pack 1 (or later).
(1) Tivoli Key Lifecycle Manager runs as a 32-bit application on 64-bit operating systems.
Tivoli Key Lifecycle Manager is designed to be a shared resource deployed in several
locations within an enterprise. It is capable of serving numerous IBM encrypting tape and
DS8000 drives regardless of where those drives reside (for example, in tape library
subsystems, connected to mainframe systems through various types of channel connections,
or installed in other computing systems).
1.5.1 Tivoli Key Lifecycle Manager services
You can use Tivoli Key Lifecycle Manager to manage encryption keys and certificates. Tivoli
Key Lifecycle Manager allows you to create, back up, and manage the lifecycle of keys and
certificates that your enterprise uses. This includes the management of symmetric keys,
asymmetric keys, and certificates. Tivoli Key Lifecycle Manager waits for and responds to key
generation or key retrieval requests that arrive through TCP/IP communication for a tape
library, tape controller, tape subsystem, device drive, tape drive, or DS8000 drive. Tivoli Key
Lifecycle Manager provides you with additional functions beyond those offered in the
previous IBM key management product (IBM Encryption Key Manager), including:
• Lifecycle functions
  – Notification of certificate expiration
  – Automated rotation of certificates
  – Automated rotation of groups of keys
• Usability enhancements
  – Provides a graphical user interface
  – Initial configuration wizards
  – Migration wizards
  – Provides a command line interface through WSAdmin
• Integrated backup and restore of Tivoli Key Lifecycle Manager file
  – One button to create and restore a single backup packaged as a jar file
• Security policy
  – Leverages the Security Infrastructure of the IBM System Services Runtime Environment
• Audit enhancements
  – Provides audit records in SMF Type 83 sub-type 6 format
DB2
Tivoli Key Lifecycle Manager stores the drive table in DB2®, giving the user a more robust
interface for managing drives and the keys and certificates that are associated with those
drives. With IBM Encryption Key Manager, the previous key management product, the only
place to determine the key used to encrypt a tape cartridge, and similar audit information, was
in the IBM Encryption Key Manager audit log and the IBM Encryption Key Manager
metadata.xml file. With Tivoli Key Lifecycle Manager this information is stored in the Tivoli
Key Lifecycle Manager DB2 tables, enabling the user to search and query that information
with ease.
Tip: The option to automatically accept unknown tape drives can facilitate the task of
populating the drive table with your drives. For security reasons, you might want to turn off
this option as soon as all of your drives have been added to the table. In a business and
continuity recovery site, however, it may be required to accept unknown tape drives.
Configuration file
Tivoli Key Lifecycle Manager also has an editable configuration file with additional
configuration parameters that are not accessible through the GUI. The file can be text edited.
However, the preferred method is modifying the file through the Tivoli Key Lifecycle Manager
command line interface (CLI).
Java security keystore
The keystore is defined as part of the Java Cryptography Extension (JCE) and is an element
of the Java Security components, which are, in turn, part of the Java Runtime Environment. A
keystore holds the certificates and keys (or pointers to the certificates and keys) used by
Tivoli Key Lifecycle Manager to perform cryptographic operations. A keystore can be either
hardware-based or software-based.
Tivoli Key Lifecycle Manager supports several types of Java keystores, offering a variety of
operational characteristics to meet your needs.
Tivoli Key Lifecycle Manager on distributed systems
Tivoli Key Lifecycle Manager on distributed systems supports the JCEKS keystore. This
keystore supports both symmetric keys and asymmetric keys. Symmetric keys are used for
LTO 4 encryption drives, while asymmetric keys are used for the TS1100 family of tape drives
and the DS8000 drives.
Cryptographic services
Tivoli Key Lifecycle Manager uses the IBM Java Security components for its cryptographic
capabilities. Tivoli Key Lifecycle Manager does not provide cryptographic capabilities and
therefore does not require, nor is it allowed to obtain, FIPS 140-2 certification. However, Tivoli
Key Lifecycle Manager takes advantage of the cryptographic capabilities of the IBM Java
Virtual Machine in the IBM Java Cryptographic Extension component and allows the selection
and use of the IBMJCEFIPS cryptographic provider, which has a FIPS 140-2 level 1
certification. By setting the FIPS configuration parameter to ON in the Configuration
Properties file, either through text editing or using the Tivoli Key Lifecycle Manager CLI, you
can make Tivoli Key Lifecycle Manager use the IBMJCEFIPS provider for all cryptographic
functions.
For more information about the IBMJCEFIPS provider, its selection and use, see:
http://www.ibm.com/developerworks/java/jdk/security/50/FIPShowto.html
1.5.2 Key exchange
Tivoli Key Lifecycle Manager acts as a process awaiting key generation or key retrieval
requests sent to it through a TCP/IP communication path between Tivoli Key Lifecycle
Manager and the tape library, tape controller, tape subsystem, device driver, tape drive, or
DS8000 drive. When a drive writes encrypted data, it first requests an encryption key from
Tivoli Key Lifecycle Manager. The tasks that the Tivoli Key Lifecycle Manager performs upon
receipt of the request are different for the asymmetric keys used by the TS1100 family of tape
drives and the DS8000 drives, and symmetric keys used by the TS1040 tape drive.
Asymmetric and symmetric keys
Tivoli Key Lifecycle Manager requests an Advanced Encryption Standard (AES) key from the
cryptographic services and serves it to the drives in one of the following forms:
• Encrypted or wrapped, using Rivest-Shamir-Adleman (RSA) key pairs. This form is used for the TS1100 family of tape drives and the DS8000 drives.
• Separately wrapped for secure transfer to the tape drive, where it is unwrapped upon arrival and the key inside is used to encrypt the data being written to tape. This form is used for the TS1040 tape drives.
Additionally, the libraries now support SSL-encrypted connections between the Tivoli Key
Lifecycle Manager and library for key exchanges. When SSL is not used for key
exchange, the key material will be encrypted in another fashion. The transport of the keys
is always secure across the TCP/IP connection.
Note: For z/OS systems at or below Integrated Cryptographic Services Facility version
7740, the zOSCompatibility flag should be set in the Tivoli Key Lifecycle Manager
configuration file. This setting can be turned on using either the Tivoli Key Lifecycle
Manager CLI or by editing the Tivoli Key Lifecycle Manager configuration file. When
true is specified, Triple Data Encryption Standard (Triple DES or DESede) symmetric
keys are used instead of AES symmetric keys.
TS1100 family of tape drives and DS8000
When an encrypted tape cartridge is read by a TS1100 tape drive, the protected AES key on
the tape is sent to Tivoli Key Lifecycle Manager, where the wrapped AES key is unwrapped.
The AES key is then wrapped with a different key for secure transfer back to the tape drive,
where it is unwrapped and used to decrypt the data stored on the tape. Tivoli Key Lifecycle
Manager also allows protected AES keys to be rewrapped, or rekeyed, using different RSA
keys from the original keys that were used when the tape was written. Rekeying is useful
when an unexpected need arises to export volumes to business partners whose public keys
were not included; it eliminates the need to rewrite the entire tape and enables a tape
cartridge’s data key to be reencrypted with a business partner’s public key.
Rekeying of the DS8000 is currently not available and would require a complete
re-initialization of the drive.
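The rekeying flow described above, as an added example that is not the Redpaper's or the product's own code: a data key wrapped under one RSA public key is unwrapped and rewrapped under a business partner's public key, while the encrypted tape data is never touched. The key pair names, the OAEP wrapping transformation, AES-GCM for the data, and the sample record are assumptions; the separate wrapping used for transfer between key manager and drive is left out.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class RekeyDemo {
    // Assumption: OAEP as the RSA wrapping scheme; the page does not name one.
    static final String WRAP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    // Protect (wrap) the AES data key under an RSA public key.
    static byte[] wrap(PublicKey kek, SecretKey dataKey) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(WRAP);
        c.init(Cipher.WRAP_MODE, kek);
        return c.wrap(dataKey);
    }

    // Recover the AES data key with the matching RSA private key.
    static SecretKey unwrap(PrivateKey kek, byte[] protectedKey) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(WRAP);
        c.init(Cipher.UNWRAP_MODE, kek);
        return (SecretKey) c.unwrap(protectedKey, "AES", Cipher.SECRET_KEY);
    }

    // Bulk data encryption/decryption, the part the drive hardware performs.
    static byte[] aesGcm(int mode, SecretKey key, byte[] iv, byte[] in)
            throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, key, new GCMParameterSpec(128, iv));
        return c.doFinal(in);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair siteKeys = kpg.generateKeyPair();     // hypothetical: writing site's key pair
        KeyPair partnerKeys = kpg.generateKeyPair();  // hypothetical: business partner's key pair

        // Write path: a fresh data key encrypts the data; only its wrapped form is stored.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey dataKey = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        byte[] record = "constructed payroll backup record".getBytes(StandardCharsets.UTF_8);
        byte[] tapeData = aesGcm(Cipher.ENCRYPT_MODE, dataKey, iv, record);
        byte[] protectedKey = wrap(siteKeys.getPublic(), dataKey);

        // The partner cannot use the cartridge as written: the key is wrapped for the site only.
        try {
            unwrap(partnerKeys.getPrivate(), protectedKey);
            throw new IllegalStateException("partner unwrapped a key that was not wrapped for it");
        } catch (GeneralSecurityException expected) {
            System.out.println("Before rekey: partner cannot unwrap the data key");
        }

        // Rekey: unwrap with the site's private key, rewrap with the partner's public key.
        // Only the small wrapped-key blob changes; tapeData is not rewritten.
        byte[] partnerProtectedKey = wrap(partnerKeys.getPublic(),
                unwrap(siteKeys.getPrivate(), protectedKey));

        // Partner read path: unwrap with its own private key, then decrypt the unchanged data.
        SecretKey partnerDataKey = unwrap(partnerKeys.getPrivate(), partnerProtectedKey);
        byte[] recovered = aesGcm(Cipher.DECRYPT_MODE, partnerDataKey, iv, tapeData);
        if (!Arrays.equals(record, recovered)) {
            throw new IllegalStateException("partner decryption did not return the original data");
        }
        System.out.println("After rekey: partner read " + recovered.length
                + " bytes; rewrapped key blob is " + partnerProtectedKey.length + " bytes");
    }
}
```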
LTO Ultrium 4 tape drives
The Tivoli Key Lifecycle Manager fetches an existing AES key from a keystore and wraps it
for secure transfer to the tape drive, where it is unwrapped upon arrival and used to encrypt
the data being written to tape.
When an encrypted tape is read by an LTO Ultrium 4 tape drive, the Tivoli Key Lifecycle
Manager fetches the required key from the keystore, based on the information in the Key ID
on the tape, and serves it to the tape drive wrapped for secure transfer.
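An added example (not from the Redpaper or the product) of the LTO Ultrium 4 key model above, together with the inventory step that the data-shredding caution in section 1.4 calls for: keys sit in a JCEKS keystore under a Key ID, a read looks the key up by that ID, and deleting one key makes exactly the volumes recorded against it unreadable. The aliases, volume serials, password, and in-memory catalog are constructed for the illustration.

```java
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class KeyIdShredDemo {

    // Key retrieval on a read: look the key up by the Key ID recorded on the cartridge.
    // Returns null when no key with that ID exists in the keystore any more.
    static SecretKey keyFor(KeyStore ks, String keyId, char[] password) throws Exception {
        return (SecretKey) ks.getKey(keyId, password);
    }

    // Inventory step before shredding: every volume whose data depends on keyId.
    static List<String> volumesUsing(Map<String, String> catalog, String keyId) {
        List<String> hits = new ArrayList<>();
        for (Map.Entry<String, String> e : catalog.entrySet()) {
            if (e.getValue().equals(keyId)) {
                hits.add(e.getKey());
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // In-memory JCEKS keystore holding pre-generated symmetric keys (constructed values).
        char[] password = "constructed-demo-password".toCharArray();
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, password);

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        KeyStore.ProtectionParameter prot = new KeyStore.PasswordProtection(password);
        for (String id : new String[] {"demo-key-0001", "demo-key-0002"}) {
            ks.setEntry(id, new KeyStore.SecretKeyEntry(kg.generateKey()), prot);
        }

        // Constructed catalog: volume serial -> Key ID written on that cartridge.
        Map<String, String> catalog = new LinkedHashMap<>();
        catalog.put("VOL001", "demo-key-0001");
        catalog.put("VOL002", "demo-key-0002");
        catalog.put("VOL003", "demo-key-0001");

        // Know exactly what the key protects before deleting it.
        String doomed = "demo-key-0001";
        List<String> affected = volumesUsing(catalog, doomed);
        System.out.println("Deleting " + doomed + " makes these volumes unreadable: " + affected);

        ks.deleteEntry(doomed);

        // After deletion, requests for the deleted Key ID can no longer be served.
        for (Map.Entry<String, String> e : catalog.entrySet()) {
            boolean readable = keyFor(ks, e.getValue(), password) != null;
            System.out.println(e.getKey() + " (" + e.getValue() + "): "
                    + (readable ? "key served, data readable" : "no key, data unrecoverable"));
        }
    }
}
```

Deleting the keystore entry only shreds the data if every backup copy of the keystore that still holds the key is dealt with as well.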
1.6 Encryption key methods
Tape methods
There are three methods of tape encryption management supported by the IBM Tape
Encryption solution. These methods differ in where the encryption policy engine resides,
where key management is performed, and how Tivoli Key Lifecycle Manager is connected to
the drive. Encryption policies control which volumes need to be encrypted.
Key management and the encryption policies can be located in any one of the following
environmental layers:
• System layer
• Library layer
• Application layer
In accordance with the layers we call these methods:
• System-managed encryption (SME)
• Library-managed encryption (LME)
• Application-managed encryption (AME)
Only two of these methods, SME and LME, require the implementation of an external
component, the Tivoli Key Lifecycle Manager, to provide and manage keys. With AME, key
provisioning and key management are handled by the application. All three methods allow
you to specify which tape cartridges will be encrypted and which will not.
Not all operating systems, applications, and tape libraries support all of these methods, and
where they are supported, not all of the methods are equally suitable. When you plan for tape
encryption, select the encryption method depending on your operating environment. In the
following sections, we explain the characteristics of AME, SME, and LME.
DS8000 methods
Full Disk Encryption (FDE) is provided for the DS8000. All data on the disk will be encrypted.
1.6.1 System-managed encryption
In a system-managed encryption (SME) implementation, encryption policies reside within the
system layer. This method of tape encryption requires a key server (Tivoli Key Lifecycle
Manager) for key management. SME is fully transparent to the application and library layers.
Figure 1-4 on page 11 shows an illustration of system-managed encryption.
System-managed encryption is supported on z/OS, z/VM®, z/VSE™, z/TPF, zLinux, and a
number of distributed system platforms. On z/OS, z/VM, z/VSE, z/TPF, and zLinux,
system-managed encryption is the only encryption method supported. SME is supported on
z/OS using Data Facility Storage Management Subsystem (DFSMS). On distributed systems
platforms, the IBM tape device driver is used for specifying encryption policies on a per-drive
basis.
The following distributed systems operating systems are currently supported:
• AIX
• Windows
• Linux
• Solaris
System-managed encryption offers you centralized enterprise-class key management, which
facilitates tape interchange and migration. Another advantage is its support for stand-alone
drives. The drawbacks of SME are its policy granularity on distributed systems, additional
responsibilities for the storage administrator, and the dependency of data access on the
availability of the key server and the key path.
SME shares most of its advantages and disadvantages with library-managed encryption
(LME), but there are two major differences. Naturally, LME does not support stand-alone tape
drives. However, in a distributed systems environment, LME gives you better policy
granularity than SME because you can control encryption on a per-volume basis with TS3500
and 3494 tape libraries. On z/OS, you can control encryption on the volume level through the
use of DFSMS.
In a System z environment that does not support encryption, or in a distributed systems
environment with stand-alone drives and an application that does not support encryption,
SME is the only choice. In all other environments, consider LME as an alternative.
[Figure: diagram of the application, system, and library layers, showing Tivoli Key Lifecycle Manager and the location of the encryption policy]
Figure 1-4 System-managed encryption (SME)
System-managed encryption for distributed systems
Encryption policies specifying when to use encryption are set up in the IBM tape device
driver. For details about setting up system-managed encryption on tape drives in a distributed
systems environment, refer to the IBM Tape Device Driver Installation and User’s Guide,
GC27-2130, and the Planning and Operator Guide for your tape library.
On distributed systems, this support can be described as in-band, meaning tape drive
requests to the Tivoli Key Lifecycle Manager component travel over the Fibre Channels to the
server hosting the Tivoli Key Lifecycle Manager.
System-managed encryption for System z
On z/OS, policies specifying when to use encryption are set up in DFSMS. You can also use
additional software products, such as IBM Integrated Cryptographic Service Facility (ICSF)
and IBM Resource Access Control Facility (RACF). Key generation and management is
performed by the Tivoli Key Lifecycle Manager, running on the host or externally on another
host. Policy controls and keys pass through the data path between the system layer and the
encrypting tape drives. Encryption is transparent to the applications.
For TS1120 tape drives that are connected to an IBM Virtualization Engine TS7700,
encryption key labels are assigned using the Maintenance Interface on a per-storage-pool
basis. DFSMS storage constructs are used by z/OS to control the use of storage pools for
logical volumes, resulting in an indirect form of encryption policy management. For more
information, refer to the white paper, IBM Virtualization Engine TS7700 Series Encryption
Overview, which is available at:
http://www.ibm.com/support/docview.wss?&uid=ssg1S4000504
For details about setting up system-managed encryption on the TS1120 tape drive in a
System z platform environment, refer to z/OS DFSMS Software Support for IBM System
Storage TS1120 Tape Drive (3592), SC26-7514.
Encryption key paths
System-managed encryption on z/OS can use either the in-band or out-of-band encryption
key flow. For in-band the key request flows from the tape drive over the ESCON/FICON®
channel to the server proxy (a component of z/OS), which will translate the request into IP
protocols. The server proxy will then send the key request to Tivoli Key Lifecycle Manager
using its TCP/IP connection. In an out-of-band configuration, the tape controller establishes
the communication to the Tivoli Key Lifecycle Manager server over a TCP/IP connection. The
use of out-of-band support requires the use of a router for the control unit.
Out-of-band support runs on VM, VSE, TPF, and zLinux, and is your only option on those
operating system platforms. The TS7700 Virtualization Engine only uses out-of-band support.
In-band key flow
In-band key flow, illustrated in Figure 1-5, occurs between Tivoli Key Lifecycle Manager and
the tape drive through a FICON proxy on the FICON/ESCON interface. The FICON proxy
supports failover to the secondary key path on failure of the first-specified Tivoli Key Lifecycle
Manager path addresses. Impact on controller service requirements is minimal.
The controller does the following:
• Reports drive status in SMIT displays
• Passes encryption-related errors from the drive to the host
• Reports “encryption failure unit checks” to the host
• Must be reconfigured whenever new encryption drives are introduced for attachment or when an encryption-capable drive is enabled for encryption
[Figure: diagram; components shown: System z, Tivoli Key Lifecycle Manager, IOS Key Exchange Interface, FICON Proxy, Encryption Control Interface, ESCON/FICON, TS1120 Tape Controller or 3592-J70, Subsystem Proxy, Drive Interface, TS1120 Tape Drive, Library Manager 3953 / 3494, Library Manager Interface]
Figure 1-5 In-band encryption key flow
Out-of-band key flow
Out-of-band key flow, shown in Figure 1-6, occurs between Tivoli Key Lifecycle
Manager and the tape drive through a subsystem proxy that is located in the 3592 controller
or TS7700 Virtualization Engine on the Tivoli Key Lifecycle Manager interface. Impact on
service requirements can be greater than for in-band key flow due to the introduction of two
routers on the Tivoli Key Lifecycle Manager interface, to and from the controller.
The controller and the TS7700:
• Support failover to the secondary key path on failure of the first-specified Tivoli Key Lifecycle Manager path addresses
• Report drive status in SMIT displays
• Pass encryption-related errors from the drive to the host
• Report “encryption failure unit checks” to the host
• Must be reconfigured whenever new encryption drives are introduced for attachment or when an encryption-capable drive is enabled for encryption
You can enter up to two Tivoli Key Lifecycle Manager IP/domain addresses (and up to two
ports) for each controller, as well as two Domain Name Server IP addresses.
[Figure: diagram; components shown: System z, Tivoli Key Lifecycle Manager, Tivoli Key Lifecycle Manager Interface, TS7700 Virtualization Engine, Library Manager 3953 / 3494, Library Manager Interface, FICON Proxy, Encryption Control Interface, ESCON/FICON Interface, TS1120 Tape Controller or 3592-J70, Subsystem Proxy, Drive Interface, TS1120 Tape Drive (Back End), TS1120 Tape Drive]
Figure 1-6 Out-of-band encryption key flow
1.6.2 Library-managed encryption
In a library-managed encryption (LME) implementation, encryption policies reside within the
tape library. This method of tape encryption requires a Tivoli Key Lifecycle Manager for key
management. LME is fully transparent to the application and system layers. Figure 1-7 on
page 14 shows an example of library-managed encryption.
Library-managed encryption offers you the broadest range of application and operating
system support. Centralized enterprise-class key management facilitates tape interchange
and migration. If you implement LME on a TS3500 or 3494 tape library, you get policy
granularity on a per-volume basis. LME comes with additional responsibilities for the storage
administrator as compared to AME. Data access depends on the availability of Tivoli Key
Lifecycle Manager and the key path.
In most distributed systems environments, LME is the preferred method for tape encryption.
[Figure 1-7 Library-managed encryption (LME): layer diagram of the application, system, and library layers, with the policy at the library layer and Tivoli Key Lifecycle Manager alongside]
LME can be implemented:
On a distributed systems-attached TS3500 tape library with TS1120 and LTO Ultrium 4 tape drives
On a distributed systems-attached 3494 or TS3400 tape library with TS1120 tape drives
On a TS3310, TS3200, or TS3100 tape library with LTO Ultrium 4 tape drives
Key generation and management is handled by Tivoli Key Lifecycle Manager, running on a
host with a TCP/IP connection to the library. Policy control and keys pass through the
library-to-drive interface; therefore, encryption is transparent to the applications.
For TS3500 and IBM 3494 tape libraries, you can use barcode encryption policies (BEPs) to
specify when to use encryption. On an IBM TS3500 Tape Library, you set these policies
through the IBM System Storage Tape Library Specialist Web interface. On a 3494 tape
library, you can use the Enterprise Automated Tape Library Specialist Web interface or the
Library Manager Console. With BEPs, policies are based on cartridge volume serial numbers.
Library-managed encryption also allows for encryption of all volumes in a library, independent
of barcodes.
For certain applications, such as Symantec NetBackup, library-managed encryption includes
support for Internal Label Encryption Policy (ILEP). When ILEP is configured, the TS1120 or
LTO Ultrium 4 Tape Drive automatically derives the encryption policy and key information from
the metadata written on the tape volume by the application. For more information, refer to
your Tape Library Operator’s Guide.
The following IBM tape libraries support library-managed encryption:
IBM System Storage TS3500 Tape Library
IBM TotalStorage® 3494 Tape Library
IBM System Storage TS3310 Tape Library
IBM System Storage TS3200 Tape Library
IBM System Storage TS3100 Tape Library
Note: System-managed encryption and library-managed encryption interoperate with one
another. A tape that is encrypted using SME can be decrypted using LME, and the other
way around, provided that they both have access to the same keys and certificates.
1.6.3 Encrypting and decrypting with SME and LME
Encrypting and decrypting with system-managed encryption and with library-managed
encryption have identical process flows.
SME and LME encryption processes
Figure 1-8 on page 16 describes the flow of encrypted data to tape, and how keys are
communicated to the tape drive and then stored on the tape media. In this particular example,
assume a Tivoli Key Lifecycle Manager is running on an abstract server, and that the tape library and, consequently,
the tape drives are connected to another abstract server. These can be the same server or
different servers, because whether the server is the same or not does not affect the outcome.
Assume that a certificate from a business partner has been imported into this keystore. It only
has a public key associated with it; the business partner has the corresponding private key.
Now, the server sends a write request to the drive. The drive is encryption-capable, and the
host has requested encryption. As part of this initial write, the drive obtains from the host or a
proxy two Key Encrypting Key (KEK) labels, which are aliases for two Rivest-Shamir-Adleman
(RSA) algorithm KEKs. The drive requests that the Tivoli Key Lifecycle Manager
send it a data key (DK), and encrypt the DK using the public KEKs aliased by the two KEK
labels.
Tivoli Key Lifecycle Manager validates that the drive is in its list of valid drives or that
accept.Unknown.drives is specified. After validation, Tivoli Key Lifecycle Manager obtains a
random DK from cryptographic services. Tivoli Key Lifecycle Manager then retrieves the
public halves of the KEKs aliased by the two KEK labels. Tivoli Key Lifecycle Manager then
requests that cryptographic services create two encrypted instances of the DK using the
public halves of the KEKs, thus creating two Externally Encrypted Data Keys (EEDKs).
Tivoli Key Lifecycle Manager sends both EEDKs to the tape drive. The drive stores the
EEDKs in the cartridge memory (CM) and three locations on the tape. The Tivoli Key
Lifecycle Manager also sends the DK to the drive in a secure manner. The drive uses the
separately secured DK to encrypt the data.
There are two modes for creating the EEDK:
The first mode is CLEAR or LABEL. In this mode, the KEK label is stored in the EEDK.
The second mode is Hash. In this mode, a Hash of the public half of the KEK is stored in the EEDK.
When sharing business partner KEKs, we recommend using the Hash mode. The Hash mode
lets each party use any KEK label when importing a certificate into their keystore. The
alternative is to use the CLEAR or LABEL mode and then have each party agree on a KEK
label.
[Figure 1-8 Key and data flow for encryption using SME or LME: sequence diagram across the Keystore, Crypto Services, Tivoli Key Lifecycle Manager, and TS1120]
SME and LME decrypting processes for TS1120
Figure 1-9 on page 17 shows the key and data flow for decrypting data. In this example, we
assume that the data was encrypted at another site. For the decrypting process, the tape has
two EEDKs stored in its cartridge memory. We call these EEDK1 and EEDK2. EEDK1 was
stored with the CLEAR (or LABEL) mode selected, and EEDK2 was stored with the Hash
mode selected.
An encrypted tape is mounted for a read or a write append. The two EEDKs are read from the
tape. The drive asks the Tivoli Key Lifecycle Manager to decrypt the DK from the EEDKs. The
Tivoli Key Lifecycle Manager validates that the drive is in its list of valid drives. After validation,
the Tivoli Key Lifecycle Manager requests the keystore to provide the private half of each
KEK used to create the EEDKs. The KEK label associated with EEDK1 cannot be found in
the keystore, but the Hash of the public key for EEDK2 is found in the keystore.
The Tivoli Key Lifecycle Manager asks cryptographic services to decrypt the DK from EEDK2
using the private half of the KEK associated with EEDK2. The Tivoli Key Lifecycle Manager
then sends the DK to the drive in a secure manner. The drive then decrypts the data on the
tape. In our example, we described reading from an encrypted tape. Exactly the same
communication between tape drive and the Tivoli Key Lifecycle Manager takes place for a
write-append.
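The EEDK creation and lookup described in the encryption and decryption flows above, as an added example that is not code from the IBM document or from Tivoli Key Lifecycle Manager. Textbook RSA over fixed Mersenne primes stands in for real RSA KEKs so that the block runs with the standard library only; the record layout, the labels, and SHA-256 as the fingerprint are assumptions.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by both constructed KEKs

def make_kek(p, q):
    """Textbook RSA pair from two primes; a stand-in for a real RSA KEK."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def pub_hash(kek):
    """Fingerprint of the public half (SHA-256 is an assumption)."""
    return hashlib.sha256(f"{kek['n']}:{E}".encode()).hexdigest()

def wrap(dk, kek, label, mode):
    """Create one EEDK: the DK under the public KEK plus a KEK locator."""
    locator = label if mode == "LABEL" else pub_hash(kek)
    wrapped = pow(int.from_bytes(dk, "big"), E, kek["n"])
    return {"mode": mode, "locator": locator, "wrapped": wrapped}

def find_kek(keystore, eedk):
    """Resolve the locator: by alias in LABEL mode, by fingerprint in Hash mode."""
    if eedk["mode"] == "LABEL":
        return keystore.get(eedk["locator"])
    return next((k for k in keystore.values() if pub_hash(k) == eedk["locator"]), None)

def unwrap(keystore, eedks, dk_len=16):
    """Return (index, DK) for the first EEDK whose private KEK is held here."""
    for i, eedk in enumerate(eedks):
        kek = find_kek(keystore, eedk)
        if kek and "d" in kek:
            dk = pow(eedk["wrapped"], kek["d"], kek["n"])
            return i, dk.to_bytes(dk_len, "big")
    raise KeyError("no EEDK resolves to a private KEK in this keystore")

def demo():
    site_kek = make_kek(2**127 - 1, 2**89 - 1)     # writing site's own pair
    partner_kek = make_kek(2**107 - 1, 2**61 - 1)  # business partner's pair
    partner_pub = {"n": partner_kek["n"]}          # imported certificate: public half only
    dk = secrets.token_bytes(16)                   # random data key (constructed size)
    # Writing site: EEDK1 in LABEL mode, EEDK2 in Hash mode, as in the text.
    eedks = [wrap(dk, site_kek, "site_a_kek", "LABEL"),
             wrap(dk, partner_pub, "partner_cert", "Hash")]
    # The partner keystore holds its pair under an alias of its own choosing.
    partner_store = {"tape_kek_2": partner_kek}
    used, recovered = unwrap(partner_store, eedks)
    # Same KEK in LABEL mode with the writer's alias: the partner cannot resolve it.
    label_miss = find_kek(partner_store,
                          wrap(dk, partner_pub, "partner_cert", "LABEL")) is None
    return {"used_eedk": used, "dk_ok": recovered == dk, "label_miss": label_miss}
```

In this run the partner site resolves EEDK2 through the public-key hash even though its alias differs from the writer's, which is why the text recommends Hash mode for business partner KEKs.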
[Figure 1-9 Key and data flow for decrypting using SME or LME: sequence diagram across the Keystore, Crypto Services, Tivoli Key Lifecycle Manager, and TS1120]
1.6.4 Application-managed encryption
For application-managed encryption, illustrated in Figure 1-10 on page 18, the application
has to be capable of generating and managing encryption keys and of managing encryption
policies. At the time of writing, the only application with this capability is Tivoli Storage
Manager. Policies specifying when encryption is to be used are defined through the
application interface. The policies and keys pass through the data path between the
application layer and the encrypting tape drives. Encryption is the result of interaction
between the application and the encryption-enabled tape drive and does not require any
changes to the system and library layers.
AME is the easiest encryption method to implement and adds the fewest responsibilities for
the storage administrator. Because the data path and the key path are the same, there is no
additional risk to data and drive availability. Policy granularity depends on the application.
With Tivoli Storage Manager, you control encryption on a storage pool basis. There is no
centralized key management with AME because the application generates, stores, and
manages the encryption keys. The lack of centralized key management makes tape
interchange and migration more difficult.
AME can be the most convenient solution when Tivoli Storage Manager is the only application
that utilizes tape encryption.
Tivoli Storage Manager does not restrict you to using AME. You can also choose SME or
LME to encrypt Tivoli Storage Manager data.
Note: Tape volumes written and encrypted using the application-managed encryption
method can only be decrypted with an application-managed encryption solution. In
addition, because the data keys reside only in the Tivoli Storage Manager database, the
same database must be used.
[Figure 1-10 Application-managed encryption: layer diagram of the application, system, and library layers, with the policy at the application layer]
Application-managed encryption on IBM TS1120 and LTO Ultrium 4 tape drives can use
either of two encryption command sets, the IBM encryption command set developed for Tivoli
Key Lifecycle Manager or the T10 command set defined by the International Committee for
Information Technology Standards (INCITS).
Application-managed encryption is supported in the following IBM tape drives and libraries.
TS1120 Tape Drives:
IBM System Storage TS3400 Tape Library
IBM System Storage TS3500 Tape Library
IBM TotalStorage 3494 Tape Library
LTO Ultrium 4 Tape Drives:
IBM System Storage TS2340 Tape Drive Express Model S43 and by use of Xcc/HVEC 3580S4X
IBM System Storage TS3100 Tape Library
IBM System Storage TS3200 Tape Library
IBM System Storage TS3310 Tape Library
IBM System Storage TS3500 Tape Library
For details about setting up application-managed encryption, refer to your Tivoli Storage
Manager documentation or the following Web site:
http://publib.boulder.ibm.com/infocenter/tivihelp/v1r1/index.jsp