Crypto and Disaster Recovery. Greg Boyd gregboyd@mainframecrypto.com www.mainframecrypto.com


Crypto and Disaster Recovery Greg Boyd gregboyd@mainframecrypto.com www.mainframecrypto.com October 2014

Agenda: Crypto and Disaster Recovery
- How Do You Do DR?
- Technology
- Hardware
- Domains
- Master Keys
- Restoring the DR environment
- Encrypting tape drives
- Encryption Facility or OEM product
- TKE

October 2014 zExchange Crypto and Disaster Recovery Page 2

How do you do DR?
- Hardware
  - Same machine type?
  - DR site is newer technology?
  - DR site is older technology?
- Operationally
  - Hot site?
  - Warm site?
  - Cold site?
  - Virtual machines for DR testing?

System z Clear Key Cryptographic Hardware
- z890/z990, z9 (EC & BC), z10 (EC (GA3) & BC (GA2)), z196/z114, zEC12/zBC12
- CP Assist for Cryptographic Function (CPACF)
  - DES (56-, 112-, 168-bit), new chaining options
  - AES (128-, 192-, 256-bit), new chaining options
  - SHA-1, SHA-256, SHA-512 (SHA-2)
  - PRNG
  - Protected Key
- TechDoc WP100810, A Synopsis of System z Crypto Hardware
- FC #3863

System z Secure Key Crypto Hardware
- PCIXCC/PCICA, CEX2/CEX2-1P, CEX3/CEX3-1P, CEX4S
  - Secure Key DES/TDES
  - Secure Key AES
  - Financial (PIN) Functions***
  - Key Generate/Key Management***
  - Random Number Generate / Generate Long
  - SSL Handshakes (2048-, 4096-bit keys)
  - Protected Key Support
  - ECC (z196/z114 only)
  - EP11
- *** Additional functionality on later machines
- TechDoc WP100810, A Synopsis of System z Crypto Hardware

How do you do DR? Hardware
- Same machine type? Same MCLs?
  - Shouldn't be any issues
- DR site is using newer hardware?
  - New machines can do everything the old machines could do
  - But you might need toleration PTFs on your production system (CEX3 in production, but CEX4S at DR)
- DR site is using older technology?
  - Are you using the latest functionality?
- Test!

LPAR Activation Profile
- From CPC Operational Customization, click on View LPAR Cryptographic Controls
- Must match the DOMAIN parm in the Options data set!

ICSF and Domains
- ICSF Domains cannot be shared by LPAR images or guests
  - First LPAR to activate or VM Guest to start will get access, later images will fail to activate or start
- If only one domain is assigned in the LPAR Activation profile or VM directory, then ICSF will figure that out and use it
- If multiple domains are assigned in the LPAR Activation profile or VM directory, then you must tell ICSF which one to use in ICSF Options
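The domain rules above can be checked before a DR test rather than discovered when an image fails to start. The following is an added example, not part of the original presentation: the inventory format and field names are hypothetical, the sample data is constructed, and it assumes all images run on one CPC and are listed in activation order.

```python
# Added example: constructed inventory, hypothetical field names.
from collections import defaultdict

def check_domains(images):
    """images: dicts with 'name', 'assigned' (domains granted in the LPAR
    activation profile or VM directory) and 'icsf_domain' (DOMAIN value in
    the ICSF options data set, None if omitted), listed in activation order.
    Returns a sorted list of (image, finding) tuples; empty means consistent."""
    findings = []
    claimed = defaultdict(list)          # domain -> images that were granted it
    for img in images:
        name, assigned, parm = img["name"], img["assigned"], img["icsf_domain"]
        for domain in assigned:
            claimed[domain].append(name)
        if parm is None and len(assigned) > 1:
            # Several domains granted: ICSF must be told which one to use.
            findings.append((name, "multiple domains assigned, DOMAIN missing in ICSF options"))
        elif parm is not None and parm not in assigned:
            # Options data set disagrees with the profile or directory.
            findings.append((name, f"DOMAIN({parm}) not among assigned {sorted(assigned)}"))
        # parm is None with exactly one assigned domain: ICSF works it out.
    for domain, names in claimed.items():
        # Domains cannot be shared: the first image to activate wins.
        for later in names[1:]:
            findings.append((later, f"domain {domain} already taken by {names[0]}"))
    return sorted(findings)

# Constructed DR-site configuration, in activation order.
DR_SITE = [
    {"name": "PRODA", "assigned": [0], "icsf_domain": None},
    {"name": "PRODB", "assigned": [1, 2], "icsf_domain": None},
    {"name": "TESTC", "assigned": [3, 4], "icsf_domain": 5},
    {"name": "DRVR1", "assigned": [0], "icsf_domain": 0},
]

if __name__ == "__main__":
    for name, finding in check_domains(DR_SITE):
        print(f"{name}: {finding}")
```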

Crypto Support in the VM Directory
- CRYPTO: authorizes guest machine to use crypto
  - APVIRTual: provides access to clear key devices (PCICA, CEX2A, CEX3A) for Linux and VSE guests
  - APDEDicated ap, ap: assigns crypto devices
  - DOMAIN n: assigns a domain(s) to the guest
  - CSU 0,1,*: assigns zero, one or both CCFs
  - KEYENTRY: PCCF functions
  - SPECIAL: Enable Special Secure Mode
  - MODIFY: provides access to a TKE from this guest
- OPTION CRYMeasure: authorizes access to crypto measurement data on the crypto hardware

Master Keys at the DR site
- Master keys are installed into secure hardware
- Master keys must be available to the DR hardware
- Once loaded, there is no way to retrieve them, so make sure you know what you loaded in production!
- Where do you store the master key components?
- Loading Master Keys
  - Passphrase Initialization, PPINIT
  - ISPF Panels for ICSF
  - Trusted Key Entry Workstation
- Use the MKVP (SYM-MK/CKDS) and the Hash Pattern (ASYM-MK/PKDS) to ensure you're loading the right keys

Master Keys on the DR System
- Hot-site (DASD mirroring)
  - CKDS/PKDS are mirrored, master key changes are made on the production system and DR system
- Warm/Cold-site (Restore from Tape)
  - Are your System Volumes Encrypted? If the keys are stored on the z/OS system, then the driver system that restores the tapes must have access to those keys
  - Only Application Data Encrypted: DR system may be used to recover data

Exactly what are you encrypting?
- System Volumes?
- Application Volumes?
- Specific application data?
And how are you encrypting?
- Encrypting tape drives
- Encryption Facility for z/OS
- OEM Product

Restoring the DR environment: Encrypted Tape Drives
- If your backups are encrypted, where is your key repository?
- IBM Security Key Lifecycle Manager (ISKLM, aka TKLM, EKM) under Unix System Services (USS) and key repository using RACF, or ICSF, or RACF and ICSF
  - Plus: key security provided by RACF, ICSF and secure key hardware
  - Minus: must make the RSA keys available on the driver system, where the tapes are restored
  - If the RSA keys are stored in ICSF, then the PKDS must be available to the driver system, which means the driver system must have secure hardware and the associated RSA-MK must be loaded
[Diagram from REDP-4646. Labels: ISKLM for z/OS; Java JCE Provider IBMJCE; SAF based Keyring; ICSF PKDS]

Restoring Tapes: Encrypted Tape Drives
- If your backups are encrypted, where is your key repository?
- keystore a remote system (z/OS or not)
  - Plus: driver system can connect to the production ISKLM and key repository
  - Minus: key protection provided by the non-z/OS platform
[Diagram labels: z/OS; Java keystore]

Restoring tapes: Encryption Facility
- Password option: the password must be provided to the restore job on the driver system
- RSA Option: RSA keys in the PKDS must be available on the driver system, along with the RSA-MK that is associated with that PKDS
- AND specific hardware may be required
  - CLRAES: potential performance issues if the driver system doesn't provide AES hardware
  - ENCTDES: driver system must have secure hardware
  - RSA Keys require CEX card

Restoring tapes: OEM Products
- Where is the key repository?
- If it uses the CKDS or PKDS, then the CKDS and/or PKDS must be available on the driver system
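The Encryption Facility restore requirements from the slides above, together with the earlier advice to compare the hash pattern before trusting a loaded master key, can be turned into a pre-restore check of the driver system. This is an added example, not part of the original presentation: the dictionary fields, backup names and hash pattern strings are hypothetical, constructed values.

```python
# Added example: field names and sample values are constructed.
def restore_gaps(backup, driver):
    """Return (blockers, warnings) for restoring one backup on the driver system."""
    blockers, warnings = [], []
    if backup["key_protection"] == "PASSWORD":
        if not driver.get("password_supplied"):
            blockers.append("password not available to the restore job")
    elif backup["key_protection"] == "RSA":
        if not driver.get("cex_card"):
            blockers.append("RSA keys require a CEX card")
        if not driver.get("pkds_available"):
            blockers.append("PKDS holding the RSA keys is not available")
        elif driver.get("asym_mk_hash") != backup["pkds_hash_pattern"]:
            # Wrong RSA-MK loaded: the PKDS is present but unusable.
            blockers.append("loaded RSA-MK does not match the PKDS hash pattern")
    if backup["data_key"] == "ENCTDES" and not driver.get("secure_hardware"):
        blockers.append("ENCTDES needs secure key hardware")
    if backup["data_key"] == "CLRAES" and not driver.get("aes_hardware"):
        # Not fatal, but the restore window may be missed.
        warnings.append("CLRAES without AES hardware: expect a slow restore")
    return blockers, warnings

def readiness(backups, driver):
    """Map each backup name to its (blockers, warnings) on this driver system."""
    return {b["name"]: restore_gaps(b, driver) for b in backups}

# Constructed backup inventory and driver-system description.
BACKUPS = [
    {"name": "SYSRES", "key_protection": "RSA", "data_key": "ENCTDES",
     "pkds_hash_pattern": "HASH-PROD-constructed"},
    {"name": "PAYROLL", "key_protection": "PASSWORD", "data_key": "CLRAES"},
]
DRIVER = {"cex_card": True, "secure_hardware": True, "aes_hardware": False,
          "pkds_available": True, "asym_mk_hash": "HASH-OLD-constructed",
          "password_supplied": True}

if __name__ == "__main__":
    for name, (blockers, warnings) in readiness(BACKUPS, DRIVER).items():
        print(name, "BLOCKED" if blockers else "OK", blockers + warnings)
```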

Using a TKE to manage the DR site
[Diagram labels: DR; IBM System z9 EC/BC, Crypto Express 2; IBM System z10 EC/BC, Crypto Express / Crypto Express3; TKE; z114, Crypto Express3; Production; z196, Crypto Express3]

Using a TKE to manage the DR site
[Diagram labels: DR; IBM System z9 EC/BC, Crypto Express 2; IBM System z10 EC/BC, Crypto Express / Crypto Express3; TKE; DR TKE; z114, Crypto Express3; Production; z196, Crypto Express3]

Disaster Recovery TKE
- Host files
  - TKECM Crypto Module Data set defined to the Host Transaction Program
    - Contains info about
      - TKE application windows
      - Crypto module notebooks (descriptions, domain descriptions, authority information)
    - Backup for recovery purposes, but may need to be recreated at a DR site if the crypto modules and configuration are not identical
  - Host Configuration: IP addresses must be configured properly
- Workstation Files
  - Backup Critical Console Data: intended for protecting from a failed hard drive, applicable for DR IF the TKEs are identical
  - TKE File Management Utility (TKE V5 and later)

TKE Backup/Recovery of Keys
- Keys
  - Master Keys
  - Signature Keys
  - Operational Keys
- Storage
  - Smart Card
  - Floppy
  - Keystore
  - Print

TKE Migration Wizard
- Wizard is the implementation of a secure protocol for collecting, saving, and installing data from one cryptographic adapter to another.
- Data includes Master Key Material!

A couple of final thoughts
- After a DR exercise or the real thing
  - Clear your master keys at the DR site
  - And maybe: change your master keys

Consider your crypto users
- System SSL
- DB2 Built-In Functions
- InfoSphere Guardium Data Encryption Tool for IMS and DB2
- Encryption Facility
- Encryption Key Manager (EKM)
- OEM products
- Applications
TEST!

IBM Pubs
- ICSF Overview, SA22-7519
- ICSF Administrator's Guide, SA22-7521
- ICSF Application Programmer's Guide, SA22-7522
- ICSF System Programmer's Guide, SA22-7520

IBM Resources (on the web)
- ATS TechDocs Web Site, www.ibm.com/support/techdocs (Search All Documents for keyword of "Crypto")
  - WP100810, A Synopsis of System z Crypto Hardware
- How to Setup TKE for Disaster Recovery, in Hot Topics, Aug. 2007, Issue 17, http://publibz.boulder.ibm.com/epubs/pdf/e0z2n180.pdf

Redbooks, www.ibm.com/redbooks
- SG24-7320, IBM System Storage Tape Encryption Solutions
- REDP-4646, IBM Security Key Lifecycle Manager for z/OS: Deployment and Migration Considerations

Questions?