Page 1: Tape Encryption and BRMS on System i

IBM : System i

© 2006 IBM Corporation

IBM Tape Encryption Solution with BRMS on system i

Revised by Mervyn Venter [email protected]

Original doc created by Sanjay A Patel

Page 2: Tape Encryption and BRMS on System i


Acknowledgements: Bob Gintowt, Jeff Uehling, Dave Bhaskaran, Scott Maxson, Barb Smith, Duane Wenzel, Joe Kochan, John Halda, Sanjay Patel, Mervyn Venter

Page 3: Tape Encryption and BRMS on System i


High performance data encryption

Data encryption capabilities are now standard on newly ordered IBM System Storage™ TS1120 Model E05 Tape Drives and LTO4 Tape Drives.

Encrypting data at tape speed helps to avoid the need for host-based encryption of data — and the concurrent drain on host performance — or the use of specialized encryption appliances.

This capability supports high volume data encryption of tape data, helping protect information if tape cartridges are lost or stolen.

The Encryption Key Manager is designed to support the generation and communication of encryption keys for the TS1120 and LTO4 tape drives across the enterprise.

Page 4: Tape Encryption and BRMS on System i


Overview

Planning

System i solution

– Encryption Key Manager

– Library manager encryption setup

– Backup Recovery and Media Recovery Services (BRMS)

Requirements

Page 5: Tape Encryption and BRMS on System i


Planning

Page 6: Tape Encryption and BRMS on System i


Critical components

Encryption capable Tape Library

Library Manager

Key Management via Encryption Key Manager (EKM)

Digital certificate Manager (DCM) on i5/OS if EKM is on i5/OS

Backup Recovery and Media Recovery Services (BRMS)

Media Management

Media Movement

Backup planning for encrypted save and EKM save

Disaster Recovery Planning

Page 7: Tape Encryption and BRMS on System i


Planning TS3500 Encryption - Choices for Library-Managed Encryption

Before the Library-Managed Method can be enabled...

Which EKM servers will I use for each Library-Managed logical library?

Do I want to encrypt some but not all cartridges in my library?

– If yes, can I identify those cartridges by VolSer range?

• If ranges can be specified, then a Cartridge Assignment Policy will be required in order to assign those cartridges to the same Library-managed logical library

• If ranges cannot be specified, then the cartridges will need to be separated into different logical libraries, with Library-managed encryption enabled for only one of the two logical libraries

– If encrypting all cartridges, then the cartridges can optionally be assigned to one Library-managed logical library

Do I want to specify keys to be used with the cartridges in my library that are different from the default keys that have been configured at the EKM?

– If yes, then those key labels must be established ahead of time in order to be entered using the Scratch Encryption Policy

• The key labels must be specified regardless of whether the same keys are to be applied to all encrypted cartridges or differing sets of keys are to be specified by VolSer range.

– If not specifying keys different from the EKM defaults, then no further planning is required.

Page 8: Tape Encryption and BRMS on System i


Planning TS3100, TS3200, TS3310 or TS3400 Encryption - Choices for Library-Managed Encryption

Before the Library-Managed Method can be enabled...

Which EKM servers will I use for each Library-Managed logical library?

When using any of these tape libraries, all cartridges in the logical tape library will be encrypted.

If there are multiple logical tape libraries, encryption needs to be enabled on each partition.

An activation key is required for LTO tape libraries.

Page 9: Tape Encryption and BRMS on System i


TS35xx Encryption – General Rules

All encryption-related settings are performed using the library web interface.

Encryption is set per logical library, so a subset of the drives in a partitioned TS35xx tape library can be encryption-enabled.

Different methods can be used on separate logical libraries.

Key managers can be shared by any or all System-Managed and Library-Managed solutions

Plan for 24x7, 100% availability of EKM.

Page 10: Tape Encryption and BRMS on System i


System i solution

Page 11: Tape Encryption and BRMS on System i


System i Library managed Encryption solution

[Diagram: a TS35xx tape library (any OS) connected over TCP/IP to a primary EKM server and a secondary EKM server. The EKM server can run on i5/OS, Windows, Linux, Unix or AIX, including on a System i partition. Setup steps 1 to 7 are grouped as follows.]

EKM Setup

– Key manager configuration file

– Key store files (current and all digital certificates)

– Device table file

Library Manager Setup

– Where is EKM

– Encryption method

BRMS Setup on i5/OS

– Device

– Media class

– Media policy

No encrypted save for this partition (the partition running the EKM server)

Page 12: Tape Encryption and BRMS on System i


System i Library managed solution: Disaster recovery Process

[Diagram: recovering a System i from a TS35xx tape library, with the EKM server (on i5/OS, Windows, Linux, Unix or AIX) reached over TCP/IP. Recovery steps 1 to 6 cover the EKM setup, the library manager setup and the BRMS recovery report.]

If EKM is on the same i5/OS which is being recovered, and no other EKM is available, you cannot recover any encrypted data.

EKM Setup

– Key manager configuration file

– Key store files (current and all digital certificates)

– Device table file

Library Manager Setup

– Where is EKM

– Encryption method

BRMS Recovery Report

Page 13: Tape Encryption and BRMS on System i


Media Movement

[Diagram: a TS35xx tape library (any OS) with primary and secondary EKM servers reached over TCP/IP (EKM on i5/OS, Windows, Linux, Unix or AIX). Encrypted media and non-encrypted media are shipped by carriers such as UPS and FedEx between Media Location 1, Media Location 2, Media Location 3 and Media Location 4.]

Page 14: Tape Encryption and BRMS on System i


Encryption Key Manager: Critical component

To save all critical components of the key manager, keep all key manager configuration and data files in one directory. The Encryption Key Manager must be saved without encryption.

Key manager configuration file

Key store files (current and all digital certificates)

Device table file

Key manager audit file

Encryption Activation Key for TS3100, TS3200, TS3310 and TS3500 (with only LTO4 drives)

Page 15: Tape Encryption and BRMS on System i


Encryption – Setup TS3500 (LME)

Page 16: Tape Encryption and BRMS on System i


Encryption – Setup TS3500 (LME)

Page 17: Tape Encryption and BRMS on System i


Encryption – Setup TS3500 (LME): Customer Responsibility

Page 18: Tape Encryption and BRMS on System i


Encryption – Setup TS3500 (LME)

Page 19: Tape Encryption and BRMS on System i


Encryption – Setup TS3500 (LME)

Page 20: Tape Encryption and BRMS on System i


Encryption – Setup TS3100/TS3310

The activation key is required first.

Page 21: Tape Encryption and BRMS on System i


Encryption – Setup TS3100/TS3200

Page 22: Tape Encryption and BRMS on System i


Encryption – Setup TS3310

Page 23: Tape Encryption and BRMS on System i


Encryption – Setup TS3310

Page 24: Tape Encryption and BRMS on System i


Encryption – Setup TS3400

Page 25: Tape Encryption and BRMS on System i


System i and Library Managed Summary

Can either have multiple logical partitions, some used for encryption, some not

Or, if all drives are encryption capable, can have one logical library and control encryption by VOLSER ranges

– i.e. some VOLSERs can be written encrypted, some can be written non-encrypted

Page 26: Tape Encryption and BRMS on System i


System i and Software – BRMS

BRMS is strongly recommended whenever a System i connects to a tape library

BRMS (5722-BR1) can be acquired in two ways:

– i5/OS Standard Edition - purchase the 5722-BR1 licensed program

– i5/OS Enterprise Edition - included in the package, but it needs to be loaded and implemented explicitly

Customer sets backup policies using BRMS

Data to be encrypted can be sent to a specific VOLSER range of tapes using BRMS policies

Page 27: Tape Encryption and BRMS on System i


BRMS Setup: Add Device to BRMS

Use the Work with Devices using BRM (WRKDEVBRM) command, option 1, to add device TAPMLB19.

Page 28: Tape Encryption and BRMS on System i


BRMS Setup: Media Class

Use the Work with Media Classes (WRKCLSBRM) command, option 1, to add media class FMT3592A2E, which uses density FMT3592A2E.

Page 29: Tape Encryption and BRMS on System i


BRMS Setup: Media Policy

Use the Work with Media Policies (WRKPCYBRM TYPE(*MED)) command, option 1, to create media policy ENCRYPTED, which uses media class FMT3592A2E.

Page 30: Tape Encryption and BRMS on System i


BRMS Setup: Encrypted backup

Encrypted backup control group using media policy ENCRYPTED.

Page 31: Tape Encryption and BRMS on System i


Summary: How to set up BRMS for an encrypted save

– Initialize the new device by using the Initialize BRMS (INZBRM) command, or use WRKDEVBRM option 1 to add the new device.

– For encrypted media, i5/OS will report the media density as FMT3592A2E.

– To distinguish between densities, or even between volumes, a media class will need to be created. Media enrolled in the encryption pool will have a density of FMT3592A2E. Create a media class called FMT3592A2E using the new media density FMT3592A2E.

– Use media class FMT3592A2E to enroll encryption capable media into the BRMS inventory.

– Use media class FMT3592A2E for all media policies which require encrypted save and archive operations.

– The user is responsible for enrolling encrypted and non-encrypted media into the correct media class.

– All backup and archive operations performed on i5/OS V5R2 and above which use media class FMT3592A2E will be encrypted.

– LTO4 media uses the same density for encrypted and non-encrypted saves.

• Create different media classes for encrypted media if required

• LTO3 media will not be encrypted on an LTO4 drive.

Page 32: Tape Encryption and BRMS on System i


Requirements

Page 33: Tape Encryption and BRMS on System i


Tape encryption solution and System i

System i supports Library managed encryption with the TS3500, TS3400, TS3310 and TS3200 Tape Library only

Supported operating system levels: i5/OS V5.2 or later

Any System i, i5, or iSeries with fiber adapter support

TS3500 with TS1120 encryption capable drives

• Ethernet

• ALMS – not required, but recommended

TS35xx needs access to a Java Virtual Machine with the Encryption Key Manager (EKM) component available to the TS35xx tape library

– Ethernet connection

– Encryption Key Manager (EKM) can be on a different System i (or LPAR), or on a different server in the enterprise

Digital Certificate Manager (DCM) on i5/OS

Backup Recovery and Media Recovery Services (BRMS) for i5/OS, 5722-BR1

Page 34: Tape Encryption and BRMS on System i


System i and Digital Certificate Manager (DCM) requirement on i5/OS if EKM is on i5/OS

Requirements for Digital Certificate Manager (DCM) on i5/OS V5R3

Digital Certificate Manager (DCM) is a free feature that allows you to centrally manage digital certificates for your applications. To use DCM successfully, ensure that you do the following:

– Install the cryptographic access provider licensed program (5722–AC3). This cryptographic product determines the maximum key length that is permitted for cryptographic algorithms based on export and import regulations. You must install this product before you can create certificates.

– Install option 34 of i5/OS™. This is the browser-based DCM feature.

– Install the IBM® HTTP Server for iSeries™ (5722–DG1) and start the Administrative server instance.

– Ensure that TCP is configured for your system so that you can use a Web browser and the HTTP Server Administrative server instance to access DCM.

Requirements for Digital Certificate Manager (DCM) on i5/OS V5R4

DCM is a free iSeries™ feature that allows you to centrally manage digital certificates for your applications. To use DCM successfully, ensure that you do the following:

– Install option 34 of i5/OS™. This is the browser-based DCM feature.

– Install the IBM® HTTP Server for i5/OS (5722–DG1) and start the Administrative server instance.

– Ensure that TCP is configured for your system so that you can use a Web browser and the HTTP Server Administrative server instance to access DCM.

Note: You will not be able to create certificates unless you install all the required products. If a required product is not installed, DCM displays an error message instructing you to install the missing component.

Page 35: Tape Encryption and BRMS on System i


Encryption Key Manager requirements

System i support requires the EKM server to run on a partition or system other than the one where the encrypted save is being performed. Failure to do so could result in data loss. Prior to recovering encrypted data, EKM must be running or recovered on another system.

Maintaining primary and secondary EKM servers is desirable for maximum availability of encrypted backup and recovery. EKM and its associated data must be saved regularly without encryption.

Encrypted save or archive operations must not be performed on the partition or system where the EKM server is running. If the data on the system where EKM is running is encrypted, EKM cannot be recovered unless a secondary EKM server is available.
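The EKM placement rules on this slide, together with the disaster-recovery note on slide 12 and the "save EKM without encryption" rule on slide 14, can be checked mechanically before a backup plan goes live. The following is an added example written for this page; it is not code from the IBM deck or from BRMS. It encodes the rules as checks over a constructed backup plan: no encrypted save on a partition that runs EKM, the EKM configuration and data must be saved without encryption, a secondary EKM is desired for availability, and encrypted data is recoverable only if an EKM survives on a system other than the one being recovered. The partition names (PROD, EKMLPAR, EKMWIN), control group names and media policy names are constructed sample data.

```python
"""EKM placement check for a System i encrypted-backup plan.

Added example (not from the IBM deck). Encodes the deck's EKM rules as
checks over a backup plan. Partition names, control groups and media
policies below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class ControlGroup:
    name: str
    partition: str                 # partition whose data this control group saves
    media_policy: str              # BRMS media policy the control group writes to
    saves_ekm_files: bool = False  # True if the EKM directory is in its save list


@dataclass
class BackupPlan:
    ekm_servers: List[str]         # hosts running EKM, primary first
    encrypted_policies: Set[str]   # media policies bound to an encryption-enabled media class
    control_groups: List[ControlGroup]


def check_plan(plan: BackupPlan) -> List[Tuple[str, str]]:
    """Return (finding code, subject) pairs; an empty list means the plan follows the rules."""
    findings = []
    # Rule: primary and secondary EKM servers for 24x7 availability.
    if len(plan.ekm_servers) < 2:
        findings.append(("NO_SECONDARY_EKM", ",".join(plan.ekm_servers) or "-"))
    ekm_hosts = set(plan.ekm_servers)
    ekm_saved_in_clear = False
    for cg in plan.control_groups:
        encrypted = cg.media_policy in plan.encrypted_policies
        # Rule: an encrypted save or archive must not run where EKM runs.
        if encrypted and cg.partition in ekm_hosts:
            findings.append(("ENCRYPTED_SAVE_ON_EKM_HOST", cg.name))
        if cg.saves_ekm_files:
            # Rule: EKM config, key stores and device table are saved unencrypted,
            # otherwise the keys needed to read the save are only on the save itself.
            if encrypted:
                findings.append(("EKM_SAVED_ENCRYPTED", cg.name))
            elif cg.partition in ekm_hosts:
                ekm_saved_in_clear = True
    if not ekm_saved_in_clear:
        findings.append(("EKM_NOT_SAVED_IN_CLEAR", "-"))
    return findings


def can_recover_encrypted(plan: BackupPlan, lost_partition: str) -> bool:
    """Disaster-recovery check: encrypted data is recoverable only if an EKM
    is available on a system other than the one being recovered."""
    return any(host != lost_partition for host in plan.ekm_servers)


# Constructed sample plans: one that follows the rules, one that breaks all of them.
GOOD_PLAN = BackupPlan(
    ekm_servers=["EKMLPAR", "EKMWIN"],
    encrypted_policies={"ENCRYPTED"},
    control_groups=[
        ControlGroup("PRODSAVE", "PROD", "ENCRYPTED"),
        ControlGroup("EKMSAVE", "EKMLPAR", "CLEAR", saves_ekm_files=True),
    ],
)

BAD_PLAN = BackupPlan(
    ekm_servers=["PROD"],
    encrypted_policies={"ENCRYPTED"},
    control_groups=[ControlGroup("PRODSAVE", "PROD", "ENCRYPTED", saves_ekm_files=True)],
)

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_plan(plan) or "no findings",
              "| recover PROD:", can_recover_encrypted(plan, "PROD"))
```

Run against BAD_PLAN the check reports all four findings: a single EKM, an encrypted save on the EKM host, the EKM files inside that encrypted save, and no clear copy of the EKM files anywhere, and can_recover_encrypted reports that losing PROD makes the encrypted tapes unreadable, which is exactly the situation slide 12 warns about.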

Page 36: Tape Encryption and BRMS on System i


Backup Recovery and Media Services (BRMS) PTF requirements

BRMS is enhanced via the PTFs listed below to ensure that encrypted media are used for an encryption-enabled media class. Prior to these PTFs, BRMS does not validate the media type for encryption.

V5R2: SI24932 Tentative date 10/15/2006

V5R3: SI24933 Tentative date 10/15/2006

V5R4: SI24934 Tentative date 10/15/2006
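The BRMS setup summary on slide 31 makes the user responsible for enrolling media into the right class, and the PTF note above says that, before the PTFs, BRMS does not check that media in an encryption-enabled class is really encrypted media. The following is an added example written for this page, not code from the IBM deck or from BRMS, that performs that check over a BRMS media inventory. It uses the density FMT3592A2E and the media class FMT3592A2E from the deck; the LTO4ENC class name, the other density strings, the VOLSER range and the inventory itself are constructed sample data. It also generalises slightly beyond the slides by folding in the library-side Cartridge Assignment Policy from slide 7: with a VOLSER-range policy, a volume outside the range is routed to the non-encrypting logical library whatever its BRMS class says.

```python
"""BRMS media-class audit for encrypted saves.

Added example (not from the IBM deck or from BRMS). Models the check that
media enrolled in an encryption-enabled media class is actually
encryption-capable media. Class names other than FMT3592A2E, the VOLSER
range and the inventory are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Density i5/OS reports for encrypted 3592 media (from the deck).
ENCRYPTED_3592_DENSITY = "FMT3592A2E"

# Media classes the administrator intends for encrypted saves. FMT3592A2E is the
# class the deck creates; LTO4ENC is a constructed name for an LTO4 class.
ENCRYPTED_MEDIA_CLASSES = {"FMT3592A2E", "LTO4ENC"}

# Constructed: VOLSER range the library's Cartridge Assignment Policy routes to
# the encryption-enabled logical library.
ENCRYPTION_VOLSER_RANGE = ("ENC000", "ENC999")


@dataclass(frozen=True)
class Volume:
    volser: str
    media_class: str   # BRMS media class the volume is enrolled in
    density: str       # density reported by i5/OS for the volume
    media_type: str    # "3592", "LTO3" or "LTO4"


def in_volser_range(volser: str, low: str, high: str) -> bool:
    """VOLSERs are fixed-width strings, so a lexical comparison matches a range."""
    return low <= volser <= high


def check_volume(v: Volume, enc_range: Optional[Tuple[str, str]]) -> List[str]:
    """Return finding codes for one volume; an empty list means enrollment is consistent."""
    findings = []
    if v.media_class in ENCRYPTED_MEDIA_CLASSES:
        # Encrypted 3592 saves are recognisable by density; any other density means
        # the save would be written in the clear despite the class name.
        if v.media_type == "3592" and v.density != ENCRYPTED_3592_DENSITY:
            findings.append("WRONG_DENSITY")
        # LTO3 media is never encrypted on an LTO4 drive (deck, slide 31).
        if v.media_type == "LTO3":
            findings.append("LTO3_NOT_ENCRYPTED")
        # LTO4 reports one density for encrypted and clear writes, so density
        # cannot confirm enrollment; flag it for a manual check of the class.
        if v.media_type == "LTO4":
            findings.append("LTO4_DENSITY_NOT_DISTINCT")
        # With a VOLSER-range policy, a volume outside the range lands in the
        # non-encrypting logical library regardless of its BRMS class.
        if enc_range is not None and not in_volser_range(v.volser, *enc_range):
            findings.append("OUTSIDE_ENCRYPTION_VOLSER_RANGE")
    elif v.media_type == "3592" and v.density == ENCRYPTED_3592_DENSITY:
        # Encryption-capable media sitting in a clear class: enrolled in the wrong class.
        findings.append("ENCRYPTED_MEDIA_IN_CLEAR_CLASS")
    return findings


def audit(inventory: List[Volume],
          enc_range: Optional[Tuple[str, str]] = None) -> Dict[str, List[str]]:
    """Audit a whole BRMS media inventory; returns {VOLSER: [finding codes]}."""
    return {v.volser: check_volume(v, enc_range) for v in inventory}


# Constructed sample inventory (densities other than FMT3592A2E are sample values).
SAMPLE_INVENTORY = [
    Volume("ENC001", "FMT3592A2E", "FMT3592A2E", "3592"),  # correct enrollment
    Volume("ENC002", "FMT3592A2E", "FMT3592A2", "3592"),   # clear density in encrypted class
    Volume("CLR001", "FMT3592A2", "FMT3592A2", "3592"),    # correct clear enrollment
    Volume("CLR002", "FMT3592A2", "FMT3592A2E", "3592"),   # encrypted media in clear class
    Volume("ENC003", "LTO4ENC", "*ULTRIUM3", "LTO3"),      # LTO3 cannot be encrypted
    Volume("ENC004", "LTO4ENC", "*ULTRIUM4", "LTO4"),      # needs manual confirmation
    Volume("XYZ001", "FMT3592A2E", "FMT3592A2E", "3592"),  # outside the VOLSER range
]

if __name__ == "__main__":
    for volser, codes in audit(SAMPLE_INVENTORY, ENCRYPTION_VOLSER_RANGE).items():
        print(volser, "OK" if not codes else ", ".join(codes))
```

Pass enc_range=None when the library encrypts every cartridge in the logical library (the TS3100/TS3200/TS3310/TS3400 case on slide 8), which disables the range check and leaves only the density and media-type checks.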

Page 37: Tape Encryption and BRMS on System i


Resources

http://www-03.ibm.com/servers/storage/enewscast/data_encryption/

EKM Home Page http://www.ibm.com/support/docview.wss?&uid=ssg1S4000504

Page 38: Tape Encryption and BRMS on System i


Disclaimers Copyright© 2006 by International Business Machines Corporation.

No part of this document may be reproduced or transmitted in any form without written permission from IBM Corporation.

The performance data contained herein were obtained in a controlled, isolated environment. Results obtained in other operating environments may vary significantly. While IBM has reviewed each item for accuracy in a specific situation, there is no guarantee that the same or similar results will be obtained elsewhere. These values do not constitute a guarantee of performance. The use of this information or the implementation of any of the techniques discussed herein is a customer responsibility and depends on the customer's ability to evaluate and integrate them into their operating environment. Customers attempting to adapt these techniques to their own environments do so at their own risk.

Product data has been reviewed for accuracy as of the date of initial publication. Product data is subject to change without notice. This information could include technical inaccuracies or typographical errors. IBM may make improvements and/or changes in the product(s) and/or program(s) at any time without notice. Any statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.

References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business. Any reference to an IBM Program Product in this document is not intended to state or imply that only that program product may be used. Any functionally equivalent program that does not infringe IBM's intellectual property rights may be used instead. It is the user's responsibility to evaluate and verify the operation of any non-IBM product, program or service.

Page 39: Tape Encryption and BRMS on System i


Disclaimers (continued) THE INFORMATION PROVIDED IN THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY

WARRANTY, EITHER EXPRESS OR IMPLIED. IBM EXPRESSLY DISCLAIMS ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT.

IBM shall have no responsibility to update this information. IBM products are warranted according to the terms and conditions of the agreements (e.g. IBM Customer Agreement, Statement of Limited Warranty, International Program License Agreement, etc.) under which they are provided. IBM is not responsible for the performance or interoperability of any non-IBM products discussed herein.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents or copyrights. Inquiries regarding patent or copyright licenses should be made, in writing, to:

IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785, U.S.A.

Page 40: Tape Encryption and BRMS on System i


Trademarks

The following terms are trademarks or registered trademarks of the IBM Corporation in either the United States, other countries or both.

– IBM, TotalStorage, zSeries, pSeries, xSeries, iSeries, S/390, ES/9000, AS/400, RS/6000

– z/OS, z/VM, VM/ESA, OS/390, AIX, DFSMS/MVS, OS/2, OS/400, i5, FICON, ESCON, Tivoli

– ES/3090, VSE/ESA, TPF, DFSMSdfp, DFSMSdss, DFSMShsm, DFSMSrmm

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Other company, product, and service names mentioned may be trademarks or registered trademarks of their respective companies.

