Crypto and Disaster Recovery
Greg Boyd
gregboyd@mainframecrypto.com
www.mainframecrypto.com
October 2014

Agenda
- Crypto and Disaster Recovery
- How Do You Do DR?
- Technology
  - Hardware
  - Domains
  - Master Keys
- Restoring the DR environment
  - Encrypting tape drives
  - Encryption Facility or OEM product
- TKE
October 2014 zexchange Crypto and Disaster Recovery Page 2

How do you do DR?
Hardware
- Same machine type?
- DR site is newer technology?
- DR site is older technology?
Operationally
- Hot site? Warm site? Cold site?
- Virtual machines for DR testing?
System z Clear Key Cryptographic Hardware
- z890/z990, z9 (EC & BC), z10 (EC (GA3) & BC (GA2)), z196/z114, zEC12/zBC12
- CP Assist for Cryptographic Function (CPACF), FC #3863
  - DES (56-, 112-, 168-bit), new chaining options
  - AES (128-, 192-, 256-bit), new chaining options
  - SHA-1, SHA-256, SHA-512 (SHA-2)
  - PRNG
  - Protected Key
- TechDoc WP100810, A Synopsis of System z Crypto Hardware

System z Secure Key Crypto Hardware
- PCIXCC/PCICA, CEX2/CEX2-1P, CEX3/CEX3-1P, CEX4S
  - Secure Key DES/TDES
  - Secure Key AES
  - Financial (PIN) Functions***
  - Key Generate/Key Management***
  - Random Number Generate / Generate Long
  - SSL Handshakes (2048-, 4096-bit keys)
  - Protected Key Support
  - ECC (z196/z114 only)
  - EP11
- *** Additional functionality on later machines
- TechDoc WP100810, A Synopsis of System z Crypto Hardware

How do you do DR?
Hardware
- Same machine type? Same MCLs?
  - Shouldn't be any issues
- DR site is using newer hardware?
  - New machines can do everything the old machines could do
  - But you might need toleration PTFs on your production system (CEX3 in production, but CEX4S at DR)
- DR site is using older technology?
  - Are you using the latest functionality?
  - Test!
LPAR Activation Profile
- From CPC Operational Customization, click on View LPAR Cryptographic Controls
- Must match the DOMAIN parm in the Options data set!

ICSF and Domains
- ICSF Domains cannot be shared by LPAR images or guests
  - The first LPAR to activate or VM guest to start will get access; later images will fail to activate or start
- If only one domain is assigned in the LPAR Activation profile or VM directory, then ICSF will figure that out and use it
- If multiple domains are assigned in the LPAR Activation profile or VM directory, then you must tell ICSF which one to use in ICSF Options

Crypto Support in the VM Directory
- CRYPTO authorizes the guest machine to use crypto
  - APVIRTual provides access to clear key devices (PCICA, CEX2A, CEX3A) for Linux and VSE guests
  - APDEDicated ap, ap assigns crypto devices
  - DOMAIN n assigns a domain(s) to the guest
  - CSU 0,1,* assigns zero, one or both CCFs
  - KEYENTRY PCCF functions
  - SPECIAL Enable Special Secure Mode
  - MODIFY provides access to a TKE from this guest
- OPTION CRYMeasure authorizes access to crypto measurement data on the crypto hardware
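The three slides above describe two configuration mistakes that only show up when the DR image tries to come up: two images on the same CPC assigned the same usage domain on the same adapter (the second one fails to activate or start), and an image given several domains without a DOMAIN parm in the ICSF Options data set. The following added example (not part of the presentation, and not IBM code) is a pre-activation check over a constructed inventory of crypto assignments. The one-line-per-image format is an assumption made for this example; it borrows the APDEDICATED and DOMAIN keywords of the directory CRYPTO statement but is not the real directory or HMC profile syntax, and the ICSF DOMAIN values are likewise constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample inventory for one CPC: production LPARs, a Linux guest,
# and a DR-test LPAR whose profile was cloned from PRODA (a common mistake).
# The line format is an assumption for this example, not the real syntax.
SAMPLE_ASSIGNMENTS = """
LPAR  PRODA   CRYPTO APDEDICATED 0 1 DOMAIN 3
LPAR  PRODB   CRYPTO APDEDICATED 0 1 DOMAIN 4
GUEST LINUX1  CRYPTO APDEDICATED 1   DOMAIN 3
LPAR  DRTEST  CRYPTO APDEDICATED 0   DOMAIN 3 5
"""

# Constructed DOMAIN parm from each z/OS image's ICSF Options data set
# (None = the parm is not coded; LINUX1 runs no ICSF, so it is absent).
SAMPLE_ICSF_DOMAIN: Dict[str, Optional[int]] = {"PRODA": 3, "PRODB": 2, "DRTEST": None}

LINE_RE = re.compile(
    r"^(LPAR|GUEST)\s+(\S+)\s+CRYPTO\s+APDEDICATED((?:\s+\d+)+)\s+DOMAIN((?:\s+\d+)+)\s*$"
)

Image = Tuple[str, Set[int], Set[int]]  # (kind, adapters, domains)


def parse_assignments(text: str) -> Dict[str, Image]:
    """Parse the constructed inventory into {image_name: (kind, aps, domains)}."""
    images: Dict[str, Image] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised line: " + line)
        kind, name, aps, domains = m.groups()
        images[name] = (kind, {int(x) for x in aps.split()}, {int(x) for x in domains.split()})
    return images


def find_domain_conflicts(images: Dict[str, Image]) -> Dict[Tuple[int, int], List[str]]:
    """Return {(adapter, domain): [images]} for every domain claimed by more
    than one image on the same adapter. Only the first image to activate or
    start gets the domain; the others fail, which is exactly what you do not
    want to discover during a DR exercise."""
    users: Dict[Tuple[int, int], List[str]] = defaultdict(list)
    for name, (_kind, aps, domains) in sorted(images.items()):
        for ap in aps:
            for dom in domains:
                users[(ap, dom)].append(name)
    return {key: names for key, names in users.items() if len(names) > 1}


def check_icsf_domain(images: Dict[str, Image], icsf_domain: Dict[str, Optional[int]]) -> List[str]:
    """Cross-check each image's assigned domains against its ICSF DOMAIN parm:
    several domains need an explicit parm, and a coded parm must be one of
    the domains the activation profile or directory actually grants."""
    problems: List[str] = []
    for name, (_kind, _aps, domains) in sorted(images.items()):
        parm = icsf_domain.get(name)
        if parm is None:
            if len(domains) > 1:
                problems.append(f"{name}: {len(domains)} domains assigned but no DOMAIN parm in ICSF Options")
        elif parm not in domains:
            problems.append(f"{name}: ICSF DOMAIN({parm}) is not in the activation profile/directory")
    return problems


if __name__ == "__main__":
    inventory = parse_assignments(SAMPLE_ASSIGNMENTS)
    for (ap, dom), names in find_domain_conflicts(inventory).items():
        print(f"adapter {ap} domain {dom} claimed by {', '.join(names)}; all but the first to start will fail")
    for problem in check_icsf_domain(inventory, SAMPLE_ICSF_DOMAIN):
        print(problem)
```

Run against the sample, the check reports that DRTEST and PRODA both claim domain 3 on adapter 0, that LINUX1 and PRODA both claim domain 3 on adapter 1, that DRTEST has two domains but no DOMAIN parm, and that PRODB's DOMAIN(2) is not among the domains its profile grants. The same check is worth running against the DR site's profiles before the first test, since that is where cloned production profiles tend to end up.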
Master Keys at the DR site
- Master keys are installed into secure hardware
- Master keys must be available to the DR hardware
  - Once loaded, there is no way to retrieve them, so make sure you know what you loaded in production!
  - Where do you store the master key components?
- Loading Master Keys
  - Passphrase Initialization, PPINIT
  - ISPF Panels for ICSF
  - Trusted Key Entry Workstation
- Use the MKVP (SYM-MK/CKDS) and the Hash Pattern (ASYM-MK/PKDS) to ensure you're loading the right keys
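The point of the verification pattern is that a master key can be loaded but never read back, so the only way to know that the custodians entered the same components at the DR site is to compare the pattern of the freshly assembled key with the pattern recorded in the CKDS or PKDS that came from production. The added example below (not code from the presentation or from IBM) models that check: key parts are combined by XOR, a pattern is derived from the result, and the DR load is accepted only if the pattern matches. The truncated SHA-256 used for the pattern is an assumption standing in for the pattern ICSF records; the real CCA algorithm is not reproduced, and the key parts are constructed.

```python
import hashlib
from typing import Sequence, Tuple

MK_LEN = 32  # length in bytes of the constructed 256-bit master key used here


def combine_key_parts(parts: Sequence[bytes]) -> bytes:
    """Combine master-key parts into the master key by exclusive-OR.

    Each custodian holds one part; XOR means no single part reveals the key
    and the order in which custodians enter their parts does not matter.
    """
    if not parts:
        raise ValueError("at least one key part is required")
    if any(len(p) != MK_LEN for p in parts):
        raise ValueError(f"every key part must be {MK_LEN} bytes")
    master_key = bytes(MK_LEN)
    for part in parts:
        master_key = bytes(a ^ b for a, b in zip(master_key, part))
    return master_key


def verification_pattern(master_key: bytes) -> str:
    """Verification pattern for a master key.

    ASSUMPTION: a truncated SHA-256 stands in for the pattern ICSF records in
    the CKDS/PKDS header; the real CCA algorithm is not reproduced here. A
    pattern is safe to record and compare because it does not reveal the key.
    """
    return hashlib.sha256(master_key).hexdigest()[:16]


def check_dr_master_key(parts: Sequence[bytes], expected_pattern: str) -> Tuple[bool, str]:
    """Assemble the key from the parts entered at the DR site and compare its
    pattern with the one carried in the restored or mirrored key data set.
    Returns (match, actual_pattern); only activate the DR key store on a match."""
    actual = verification_pattern(combine_key_parts(parts))
    return actual == expected_pattern, actual


# Constructed sample parts, derived deterministically so the example runs offline.
PART_A = hashlib.sha256(b"constructed custodian A part").digest()
PART_B = hashlib.sha256(b"constructed custodian B part").digest()
PART_C = hashlib.sha256(b"constructed custodian C part").digest()

# What the production CKDS header would carry for the key loaded from these parts.
PRODUCTION_MKVP = verification_pattern(combine_key_parts([PART_A, PART_B, PART_C]))


def corrupt_one_byte(part: bytes) -> bytes:
    """Model a custodian mistyping one character of a component at the DR site."""
    return bytes([part[0] ^ 0x01]) + part[1:]


if __name__ == "__main__":
    ok, vp = check_dr_master_key([PART_C, PART_A, PART_B], PRODUCTION_MKVP)
    print("DR load with correct parts (any order):", ok, vp)
    ok, vp = check_dr_master_key([PART_A, corrupt_one_byte(PART_B), PART_C], PRODUCTION_MKVP)
    print("DR load with one mistyped part:        ", ok, vp)
```

The second call shows the failure mode the slide warns about: a single mistyped character in one component yields a completely different pattern, and the check refuses the load before any CKDS record is touched. Storing the production MKVP and hash pattern with the DR runbook, separately from the components themselves, is what makes this comparison possible at the DR site.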
Master Keys on the DR System
- Hot-site (DASD mirroring)
  - CKDS/PKDS are mirrored; master key changes are made on the production system and the DR system
- Warm/Cold-site (Restore from Tape)
  - Are your System Volumes Encrypted? If the keys are stored on the z/OS system, then the driver system that restores the tapes must have access to those keys
  - Only Application Data Encrypted: the DR system may be used to recover the data

Exactly what are you encrypting?
- System Volumes?
- Application Volumes?
- Specific application data?
And how are you encrypting?
- Encrypting tape drives
- Encryption Facility for z/OS
- OEM Product
Restoring the DR environment
Encrypted Tape Drives
- If your backups are encrypted, where is your key repository?
- IBM Security Key Lifecycle Manager (ISKLM, aka TKLM, EKM) under Unix System Services (USS), with the key repository in RACF, or ICSF, or RACF and ICSF
  - Plus: key security provided by RACF, ICSF and secure key hardware
  - Minus: must make the RSA keys available on the driver system, where the tapes are restored
  - If the RSA keys are stored in ICSF, then the PKDS must be available to the driver system, which means the driver system must have secure hardware and the associated RSA-MK must be loaded
[Diagram from REDP-4646: ISKLM for z/OS, Java JCE Provider IBMJCE, SAF-based Keyring, ICSF PKDS]

Restoring Tapes
Encrypted Tape Drives
- If your backups are encrypted, where is your key repository?
- Keystore on a remote system (z/OS or not)
  - Plus: driver system can connect to the production ISKLM and key repository
  - Minus: key protection is provided by the non-z/OS platform
[Diagram: z/OS, Java keystore]

Restoring tapes
Encryption Facility
- Password option: the password must be provided to the restore job on the driver system
- RSA option: RSA keys in the PKDS must be available on the driver system, along with the RSA-MK that is associated with that PKDS
- AND specific hardware may be required
  - CLRAES: potential performance issues if the driver system doesn't provide AES hardware
  - ENCTDES: driver system must have secure hardware
  - RSA keys require a CEX card

Restoring tapes
OEM Products
- Where is the key repository?
- If it uses the CKDS or PKDS, then the CKDS and/or PKDS must be available on the driver system
Using a TKE to manage the DR site
[Diagram: DR site with IBM System z9 EC/BC (Crypto Express 2), IBM System z10 EC/BC (Crypto Express / Crypto Express3) and z114 (Crypto Express3); Production z196 (Crypto Express3); TKE]

Using a TKE to manage the DR site
[Diagram: as above, with a second TKE (DR TKE) at the DR site alongside the production TKE]
Disaster Recovery TKE
- Host files
  - TKECM Crypto Module Data set defined to the Host Transaction Program
    - Contains info about TKE application windows
    - Crypto module notebooks (descriptions, domain descriptions, authority information)
    - Backup for recovery purposes, but may need to be recreated at a DR site if the crypto modules and configuration are not identical
  - Host Configuration: IP Addresses must be configured properly
- Workstation Files
  - Backup Critical Console Data: intended for protecting from a failed hard drive; applicable for DR IF the TKEs are identical
  - TKE File Management Utility (TKE V5 and later)

TKE Backup/Recovery of Keys
- Keys
  - Master Keys
  - Signature Keys
  - Operational Keys
- Storage
  - Smart Card
  - Floppy
  - Keystore
  - Print

TKE Migration Wizard
- The wizard is the implementation of a secure protocol for collecting, saving, and installing data from one cryptographic adapter to another.
- Data includes Master Key Material!

A couple of final thoughts
- After a DR exercise or the real thing
  - Clear your master keys at the DR site
  - And maybe change your master keys

Consider your crypto users
- System SSL
- DB2 Built-In Functions
- InfoSphere Guardium Data Encryption Tool for IMS and DB2
- Encryption Facility
- Encryption Key Manager (EKM)
- OEM products
- Applications
- TEST!
IBM Pubs
- ICSF Overview, SA22-7519
- ICSF Administrator's Guide, SA22-7521
- ICSF Application Programmer's Guide, SA22-7522
- ICSF System Programmer's Guide, SA22-7520

IBM Resources (on the web)
- ATS TechDocs Web Site: www.ibm.com/support/techdocs (Search All Documents for the keyword "Crypto")
  - WP100810 A Synopsis of System z Crypto Hardware
- How to Setup TKE for Disaster Recovery, in Hot Topics Aug. 2007 Issue 17, http://publibz.boulder.ibm.com/epubs/pdf/e0z2n180.pdf

Redbooks, www.ibm.com/redbooks
- SG24-7320 IBM System Storage Tape Encryption Solutions
- REDP-4646 IBM Security Key Lifecycle Manager for z/OS: Deployment and Migration Considerations

Questions?