IBM : System i
© 2006 IBM Corporation
IBM Tape Encryption Solution with BRMS on system i
Revised by Mervyn Venter [email protected]
Original doc created by Sanjay A Patel
Acknowledgements: Bob Gintowt, Jeff Uehling, Dave Bhaskaran, Scott Maxson, Barb Smith, Duane Wenzel, Joe Kochan, John Halda, Sanjay Patel, Mervyn Venter
High performance data encryption
Data encryption capabilities are now standard on newly ordered IBM System Storage™ TS1120 Model E05 Tape Drives and LTO4 Tape Drives.
Encrypting data at tape speed helps to avoid the need for host-based encryption of data, and the concurrent drain on host performance, or the use of specialized encryption appliances.
This capability supports high volume encryption of tape data, helping protect information if tape cartridges are lost or stolen.
The Encryption Key Manager is designed to support the generation and communication of encryption keys for the TS1120 and LTO4 tape drives across the enterprise.
Overview
Planning
System i solution
– Encryption Key Manager
– Library manager encryption setup
– Backup Recovery and Media Recovery Services (BRMS)
Requirements
Planning
Critical component
Encryption capable Tape Library
Library Manager
Key Management via Encryption Key Manager (EKM)
Digital certificate Manager (DCM) on i5/OS if EKM is on i5/OS
Backup Recovery and Media Recovery Services (BRMS)
Media Management
Media Movement
Backup planning for encrypted save and EKM save
Disaster Recovery Planning
Planning TS3500 Encryption - Choices for Library-Managed Encryption
Before the Library-Managed Method can be enabled:
Which EKM servers will I use for each Library-Managed logical library?
Do I want to encrypt some but not all cartridges in my library?
– If yes, can I identify those cartridges by VolSer range?
• If ranges can be specified, then a Cartridge Assignment Policy will be required in order to assign those cartridges to the same Library-Managed logical library.
• If ranges cannot be specified, then the cartridges will need to be separated into different logical libraries, with Library-Managed encryption enabled for only one of the two logical libraries.
– If encrypting all cartridges, then the cartridges can optionally be assigned to one Library-Managed logical library.
Do I want to specify keys to be used with the cartridges in my library that are different from the default keys that have been configured at the EKM?
– If yes, then those key labels must be established ahead of time so that they can be entered using the Scratch Encryption Policy.
• The key labels must be specified regardless of whether the same keys are to be applied to all encrypted cartridges or differing sets of keys are to be specified by VolSer range.
– If not specifying keys different from the EKM defaults, then no further planning is required.
Planning TS3100, TS3200, TS3310 or TS3400 Encryption - Choices for Library-Managed Encryption
Before the Library-Managed Method can be enabled:
Which EKM servers will I use for each Library-Managed logical library?
When using any of these tape libraries, all cartridges in the logical tape library will be encrypted.
If there are multiple logical tape libraries, encryption needs to be enabled on each partition.
An activation key is required for LTO tape libraries.
TS35xx Encryption – General Rules
All encryption related settings are performed using the library web interface.
Encryption is set per logical library, which allows a subset of drives to be encryption enabled in a partitioned TS35xx tape library.
Different methods can be used on separate logical libraries.
Key managers can be shared by any or all System-Managed and Library-Managed solutions.
Plan for 24x7, 100% availability of the EKM.
System i solution
System i Library managed Encryption solution
[Diagram: a TS35xx tape library, usable from any OS, connects over TCP/IP to a primary and a secondary EKM server; the EKM server can run on i5/OS, Windows, Linux, Unix or AIX, including a separate System i. The numbered steps in the diagram are:]
EKM Setup (steps 1, 2)
– Key manager configuration file
– Key store files, current and all digital certificates
– Device table file
Library Manager Setup (steps 3, 4)
– Where is EKM
– Encryption method
BRMS Setup on i5/OS (steps 5, 6)
– Device
– Media class
– Media policy
No encrypted save for this partition (step 7: the i5/OS partition hosting the EKM server)
System i Library managed solution: Disaster recovery Process
[Diagram: the System i being recovered uses a TS35xx tape library that reaches the EKM server over TCP/IP; the EKM server runs on i5/OS, Windows, Linux, Unix or AIX. Steps 1 to 6 in the diagram cover:]
– EKM Setup: key manager configuration file; key store files, current and all digital certificates; device table file
– Library Manager Setup: where is EKM; encryption method
– BRMS Recovery Report
Note: If the EKM is on the same i5/OS which is being recovered, and no other EKM is available, you cannot recover any encrypted data.
Media Movement
[Diagram: encrypted media and non-encrypted media written by System i through a TS35xx tape library (primary and secondary EKM servers reached over TCP/IP; EKM on i5/OS, Windows, Linux, Unix or AIX) are moved by courier (UPS, Fed-Ex) between Media Location 1, Media Location 2, Media Location 3 and Media Location 4.]
Encryption Key Manager : Critical component
To be able to save all critical components of the key manager, keep all key manager configuration and data files in one directory. The Encryption Key Manager must be saved without encryption.
– Key manager configuration file
– Key store files, current and all digital certificates
– Device table file
– Key manager audit file
– Encryption Activation Key for TS3100, TS3200, TS3310 and TS3500 (with only LTO4 drives)
Encryption – Setup TS3500 (LME)
(setup screenshots; customer responsibility)
Encryption – Setup TS3100/TS3310
First requires the activation key
Encryption – Setup TS3100/TS3200
Encryption – Setup TS3310
Encryption – Setup TS3400
System i and Library Managed Summary
Can either have multiple logical partitions, some used for encryption, some not,
or, if all drives are encryption capable, can have one logical library and control encryption by VOLSER ranges
– i.e. some VOLSERs can be written encrypted, some non-encrypted
System i and Software – BRMS
BRMS is strongly recommended whenever a System i connects to a tape library.
BRMS (5722-BR1) can be acquired in two ways:
– i5/OS Standard Edition - purchase the 5722-BR1 licensed program
– i5/OS Enterprise Edition - included in the package, but it must be loaded and implemented explicitly
The customer sets backup policies using BRMS.
Data to be encrypted can be sent to a specific VOLSER range of tapes using BRMS policies.
BRMS Setup: Add Device to BRMS
Use the Work with Devices using BRM (WRKDEVBRM) command, option 1, to add device TAPMLB19.
BRMS Setup: Media Class
Use the Work with Media Classes (WRKCLSBRM) command, option 1, to add media class FMT3592A2E, which uses density FMT3592A2E.
BRMS Setup: Media Policy
Use the Work with Media Policies (WRKPCYBRM TYPE(*MED)) command, option 1, to create media policy ENCRYPTED, which uses media class FMT3592A2E.
BRMS Setup: Encrypted backup
Encrypted backup control group using media policy ENCRYPTED.
Summary: How to setup BRMS for encrypted save
– Initialize the new device by using the Initialize BRMS (INZBRM) command, or use WRKDEVBRM option 1 to add the new device.
– For encrypted media, i5/OS reports the media density as FMT3592A2E.
– To distinguish between densities, or even volumes, a media class needs to be created. Media enrolled in the encryption pool will have a density of FMT3592A2E. Create a media class called FMT3592A2E using the new media density FMT3592A2E.
– Use media class FMT3592A2E to enroll encryption capable media into the BRMS inventory.
– Use media class FMT3592A2E for all media policies which require encrypted save and archive operations.
– The user is responsible for enrolling encrypted and non-encrypted media into the correct media class.
– All backup and archive operations performed on i5/OS V5R2 and above which use media class FMT3592A2E will be encrypted.
– LTO4 media uses the same density for encrypted and non-encrypted saves.
• Create different media classes for encrypted media if required.
• LTO3 media will not be encrypted on an LTO4 drive.
Requirements
Tape encryption solution and System i
System i supports Library managed encryption with the TS3500, TS3400, TS3310, TS3200 Tape Library only.
Supported operating system levels: i5/OS V5.2, or later
Any System i, i5, or iSeries with fiber adapter support
TS3500 with TS1120 encryption capable drives
• Ethernet
• ALMS – not required, but recommended
TS35xx needs access to a Java Virtual Machine with the Encryption Key Manager (EKM) component available to the TS35xx tape library
– Ethernet connection
– Encryption Key Manager (EKM) can be on a different System i (or LPAR), or on a different server in the enterprise
Digital Certificate Manager (DCM) on i5/OS
Backup Recovery and Media Recovery Services (BRMS) for i5/OS, 5722-BR1
System i and Digital Certificate Manager (DCM) requirement on i5/OS if EKM is on i5/OS
Requirements for Digital Certificate Manager (DCM) on i5/OS V5R3
Digital Certificate Manager (DCM) is a free feature that allows you to centrally manage digital certificates for your applications. To use DCM successfully, ensure that you do the following:
– Install the cryptographic access provider licensed program (5722-AC3). This cryptographic product determines the maximum key length that is permitted for cryptographic algorithms based on export and import regulations. You must install this product before you can create certificates.
– Install option 34 of i5/OS™. This is the browser-based DCM feature.
– Install the IBM® HTTP Server for iSeries™ (5722-DG1) and start the Administrative server instance.
– Ensure that TCP is configured for your system so that you can use a Web browser and the HTTP Server Administrative server instance to access DCM.
Requirements for Digital Certificate Manager (DCM) on i5/OS V5R4
DCM is a free iSeries™ feature that allows you to centrally manage digital certificates for your applications. To use DCM successfully, ensure that you do the following:
– Install option 34 of i5/OS™. This is the browser-based DCM feature.
– Install the IBM® HTTP Server for i5/OS (5722-DG1) and start the Administrative server instance.
– Ensure that TCP is configured for your system so that you can use a Web browser and the HTTP Server Administrative server instance to access DCM.
Note: You will not be able to create certificates unless you install all the required products. If a required product is not installed, DCM displays an error message instructing you to install the missing component.
Encryption Key Manager requirements
System i support requires the EKM server to run on a partition or system other than the one where the encrypted save is being performed. Failure to do so could result in data loss. Before encrypted data can be recovered, the EKM must be running, or recovered, on another system.
Maintaining primary and secondary EKM servers is desirable for maximum availability of encrypted backup and recovery. The EKM and its associated data must be saved regularly without encryption.
Encrypted save or archive operations must not be performed on the partition or system where the EKM server is running. If data on the system where the EKM is running is encrypted, the EKM cannot be recovered unless a secondary EKM server is available.
Backup Recovery and Media Services (BRMS) PTF requirements
BRMS is enhanced via the PTFs listed below to ensure that encrypted media are used for an encryption-enabled media class. Prior to these PTFs, BRMS does not validate the media type for encryption.
V5R2: SI24932 Tentative date 10/15/2006
V5R3: SI24933 Tentative date 10/15/2006
V5R4: SI24934 Tentative date 10/15/2006
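The media-class rules from the BRMS summary slide and the EKM placement rules from the requirements slides are the kind of check that BRMS itself does not perform before the PTFs above. As an added example that is not part of this IBM deck, the Python below runs those checks over a planned media inventory and EKM layout: media class FMT3592A2E may only hold media reported at density FMT3592A2E, LTO3 media is never encrypted on an LTO4 drive, an encrypted save must not run on the partition hosting the EKM, and a secondary EKM should exist. The *ULTRIUM3/*ULTRIUM4 and FMT3592A2 density labels, the LTO4ENC and STANDARD class names, and every volume and partition name are assumed or constructed sample values.

```python
"""Pre-flight checks for a BRMS tape-encryption plan (added example, not IBM code).
Rules from the deck: class FMT3592A2E holds only FMT3592A2E-density media; LTO4
has one density for encrypted and clear saves, so the media class alone decides;
LTO3 media is never encrypted on an LTO4 drive; an encrypted save must not run
on the EKM's partition and a secondary EKM should exist. Pre-PTF BRMS does not check."""
from dataclasses import dataclass

ENC_3592_DENSITY = "FMT3592A2E"  # density i5/OS reports for encrypted 3592 media
ENC_3592_CLASS = "FMT3592A2E"    # media class the deck creates for that density
LTO3_DENSITY = "*ULTRIUM3"       # assumed density labels; only the LTO3/LTO4
LTO4_DENSITY = "*ULTRIUM4"       # distinction matters for the check below

@dataclass(frozen=True)
class Volume:
    volser: str
    density: str
    media_class: str

def check_media_enrolment(volumes, encrypted_classes):
    """Return [(volser, problem)] for media enrolled in a class that cannot
    deliver the encryption the operator expects, or that wastes encrypted media."""
    problems = []
    for v in volumes:
        if v.media_class == ENC_3592_CLASS and v.density != ENC_3592_DENSITY:
            problems.append((v.volser, "non-encrypted density in class " + ENC_3592_CLASS))
        elif v.density == ENC_3592_DENSITY and v.media_class not in encrypted_classes:
            problems.append((v.volser, "encrypted 3592 media enrolled in a clear-text class"))
        elif v.density == LTO3_DENSITY and v.media_class in encrypted_classes:
            problems.append((v.volser, "LTO3 media is not encrypted on an LTO4 drive"))
    return problems

def check_ekm_placement(backup_partition, ekm_partitions):
    """Return problems with where the EKM runs relative to the encrypted save."""
    problems = []
    if backup_partition in ekm_partitions:
        problems.append("encrypted save runs on an EKM partition; the EKM could not "
                        "be recovered from its own encrypted backup")
    if len(set(ekm_partitions)) < 2:
        problems.append("no secondary EKM; losing the single EKM makes every "
                        "encrypted tape unreadable")
    return problems

def sample_inventory():
    """Constructed sample volumes: two enrolled correctly, three mis-enrolled."""
    return [
        Volume("ENC001", ENC_3592_DENSITY, ENC_3592_CLASS),
        Volume("CLR001", "FMT3592A2", ENC_3592_CLASS),   # clear media in encrypted class
        Volume("ENC002", ENC_3592_DENSITY, "STANDARD"),  # encrypted media in clear class
        Volume("LTO301", LTO3_DENSITY, "LTO4ENC"),       # LTO3 cannot be encrypted
        Volume("LTO401", LTO4_DENSITY, "LTO4ENC"),
    ]
```

Calling check_media_enrolment(sample_inventory(), {"FMT3592A2E", "LTO4ENC"}) flags CLR001, ENC002 and LTO301, and check_ekm_placement("PROD", ["PROD"]) reports both EKM placement problems.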
Resources
http://www-03.ibm.com/servers/storage/enewscast/data_encryption/
EKM Home Page http://www.ibm.com/support/docview.wss?&uid=ssg1S4000504
Disclaimers
Copyright © 2006 by International Business Machines Corporation.
No part of this document may be reproduced or transmitted in any form without written permission from IBM Corporation.
The performance data contained herein were obtained in a controlled, isolated environment. Results obtained in other operating environments may vary significantly. While IBM has reviewed each item for accuracy in a specific situation, there is no guarantee that the same or similar results will be obtained elsewhere. These values do not constitute a guarantee of performance. The use of this information or the implementation of any of the techniques discussed herein is a customer responsibility and depends on the customer's ability to evaluate and integrate them into their operating environment. Customers attempting to adapt these techniques to their own environments do so at their own risk.
Product data has been reviewed for accuracy as of the date of initial publication. Product data is subject to change without notice. This information could include technical inaccuracies or typographical errors. IBM may make improvements and/or changes in the product(s) and/or program(s) at any time without notice. Any statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business. Any reference to an IBM Program Product in this document is not intended to state or imply that only that program product may be used. Any functionally equivalent program that does not infringe IBM's intellectual property rights may be used instead. It is the user's responsibility to evaluate and verify the operation of any non-IBM product, program or service.
Disclaimers (continued)
THE INFORMATION PROVIDED IN THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IBM EXPRESSLY DISCLAIMS ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT.
IBM shall have no responsibility to update this information. IBM products are warranted according to the terms and conditions of the agreements (e.g. IBM Customer Agreement, Statement of Limited Warranty, International Program License Agreement, etc.) under which they are provided. IBM is not responsible for the performance or interoperability of any non-IBM products discussed herein.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents or copyrights. Inquiries regarding patent or copyright licenses should be made, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
Trademarks
The following terms are trademarks or registered trademarks of the IBM Corporation in either the United States, other countries or both.
– IBM, TotalStorage, zSeries, pSeries, xSeries, iSeries, S/390, ES/9000, AS/400, RS/6000
– z/OS, z/VM, VM/ESA, OS/390, AIX, DFSMS/MVS, OS/2, OS/400, i5, FICON, ESCON, Tivoli
– ES/3090, VSE/ESA, TPF, DFSMSdfp, DFSMSdss, DFSMShsm, DFSMSrmm
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Other company, product, and service names mentioned may be trademarks or registered trademarks of their respective companies.