
IBM DS8880 Data-at-rest Encryption - IBM Redbooks

Redpaper

Front cover

IBM DS8880 Data-at-rest Encryption

Bert Dufrasne
Sherry Brunson
Andreas Reinhardt
Robert Tondini
Roland Wolf

International Technical Support Organization

IBM DS8880 Data-at-rest Encryption

December 2016

REDP-4500-06

Copyright International Business Machines Corporation 2009, 2016. All rights to Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM

Edition (December 2016)

This edition applies to the IBM DS8880 system with firmware Release : Before using this information and the product it supports, read the information in Notices on page vii.

Copyright IBM Corp. 2009, 2016. All rights

Trademarks
Preface
  Authors
  Now you can become a published author, too
  Comments welcome
  Stay connected to IBM Redbooks
Summary of changes
  December 2016, Seventh Edition
Chapter 1. Encryption overview




  Business context
  Threats and security challenges
  Need for Encryption
  Encryption concepts and terminology
  Symmetric key Encryption
  Asymmetric key Encryption
  Hybrid Encryption
  Communication protocols IPP, SSL/TLS, and KMIP
  Encryption challenges
  Key Lifecycle Manager
  IBM Security Key Lifecycle Manager features overview
  New in IBM Security Key Lifecycle Manager
  Key serving
  How to protect IBM Security Key Lifecycle Manager data
  IBM Security Key Lifecycle Manager for open systems
  IBM Security Key Lifecycle Manager for z/OS
  IBM Security Key Lifecycle Manager for z/OS components
  Functions that are performed by IBM SKLM for z/OS
  Preventing a deadlock situation
  Installing the IBM Security Key Lifecycle Manager for z/OS and keystores
  Gemalto SafeNet KeySecure
Chapter 2. IBM DS8000 Encryption mechanism
  DS8000 disk Encryption
  IBM Security Key Lifecycle Manager Encryption key management
  SafeNet KeySecure key management with KMIP
  Encryption deadlock
  Working with a recovery key
  Recovery key management
  Disabling or enabling a recovery key
  Dual key server support
Chapter 3. Planning and guidelines for IBM DS8000 Encryption
  About certificates
  Planning and implementation process flow
  Encryption-capable DS8000 ordering and configuration
  Licensing
  Requirements for encrypting storage
  Advice for Encryption in storage environments
  Using LDAP authentication
  Availability
  Encryption deadlock prevention
  Multiple IBM Security Key Lifecycle Managers for redundancy
Chapter 4. IBM DS8000 Encryption implementation
  Installing IBM Security Key Lifecycle Manager Version in silent mode (quick installation guide)
  Before starting the installation
  Silent mode installation on Linux
  Installing Fix Pack 1 (or later) for IBM Security Key Lifecycle Manager
  Issues with IBM Security Key Lifecycle Manager DB2/WebSphere Application Server starting correctly after a restart on Linux
  IBM Security Key Lifecycle Manager Version configuration
  Logging in to the IBM Security Key Lifecycle Manager console
  Creating the SSL certificate
  Creating a backup
  Restoring the backup
  Setting up remote replication between IBM Security Key Lifecycle Manager key servers
  Defining the DS8000 storage facility image to use with IBM Security Key Lifecycle Manager
  Configuring Gemalto SafeNet KeySecure with KMIP
  Preparation
  Configuration
  DS8000 GUI configuration for Encryption
  Applying the drive Encryption authorization license key
  Assigning additional storage and Security Administrators
  Creating the recovery key
  GUI configuration for DS8000 Encryption
  Configuring and administering encrypted arrays, ranks, and extent pools
  Command-line configuration for DS8000 Encryption
  Configuring the key server connection
  Managing the recovery key
  Configuring and administering the Encryption group
  Applying the Encryption activation key
  Creating encrypted arrays
  Creating encrypted ranks
  Creating encrypted extent pools
  Encryption and Copy Services functions
  NIST SP 800-131a requirements for key servers
  Configuration steps for changing IBM Security Key Lifecycle Manager to use TLS
  Migration from a Gen-1 to a Gen-2 certificate for Encryption
  Using A Custom Generated Certificate
  Configuring a Custom Certificate via DSGUI
  Configuring a Custom Certificate via DSCLI
Chapter 5. Maintaining the IBM DS8000 Encryption environment

  Rekeying the data key
  Recovery key use and maintenance
  Validating or testing a recovery key
  Using the recovery key in an emergency-deadlock situation (recovery action)
  Rekeying the recovery key
  Deleting or deconfiguring a recovery key
  Recovery key state summary
Related publications
  IBM Redbooks
  Other publications
  Online resources
  Help from IBM

This information was developed for products and services offered in the US. This material might be available from IBM in other languages. However, you may be required to own a copy of the product or product version in that language in order to access it. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area.

Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive, MD-NC119, Armonk, NY 10504-1785, US

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk. IBM may use or distribute any of the information you provide in any way it believes appropriate without incurring any obligation to you. The performance data and client examples cited are presented for illustrative purposes only.

Actual performance results may vary depending on specific configurations and operating conditions. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. Statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only. This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to actual people or business enterprises is entirely coincidental.

COPYRIGHT LICENSE: This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. The sample programs are provided AS IS, without warranty of any kind. IBM shall not be liable for any damages arising out of your use of the sample programs.

Trademarks

IBM, the IBM logo, and are trademarks or registered trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide.