IBM Tape Encryption
Jeff Ziehm, Storage Systems Advanced Technical Skills
Accelerate with Americas Advanced Technical Skills webinars
A series of customer-directed, technically oriented 90-minute webinars on various storage topics.
2010 Classes
• Tape Encryption with Tivoli Key Lifecycle Manager (TKLM)
• TS7650 ProtecTier Solution Fundamentals
• TS7700 Update – scheduled 10/12
• IBM System Storage TS3500 Tape Library Update
• Ten Things for the new TPC Administrator to do to make TPC 4.1.1 more useful
• XIV Asynchronous Mirror
• IBM Easy Tier Enables DS8700 Users to Optimize Use of Solid State Drives
• Installing and Tailoring TPC Disk – Midrange Edition
For further information and session notification, please subscribe to the ATS blog: https://www.ibm.com/developerworks/mydeveloperworks/blogs/accelerate/?lang=en
Agenda
• Tape Encryption Overview
• TKLM – Tivoli Key Lifecycle Manager
• Implementation Considerations
IBM Tape Data Encryption
• LTO5 / LTO4 Tape Drive
  • Standard feature on all FC & SAS LTO5/4 Tape Drives
  • Supports “traditional” and “encrypted” modes of operation
• TS1130 / TS1120 Tape Drive
  • Standard feature on all new TS1130 Tape Drives
  • Supports “traditional” and “encrypted” modes of operation
• TKLM – Tivoli Key Lifecycle Manager
  • z/OS, AIX, Sun, Linux and Windows
  • Serves keys
Library Managed Encryption Components
• TKLM/drive key exchange occurs over the LDI and TCP/IP paths
[Diagram: Open Systems host (z/OS, AIX, Linux, Windows, Solaris) attached to the library over Fibre; TKLM with its key store and crypto services is reached over TCP/IP and the LDI, either directly or through a proxy]
System Managed Encryption Components – z/OS
• TKLM/drive key exchange occurs over the Fibre and FICON/ESCON paths
• Encryption policy defined by SMS policy (Data Class) or DD statement
[Diagram: z/OS host running TKLM in a Java Virtual Machine with key store and crypto services, or a remote TKLM host (z/OS, AIX, zLinux, Linux, Windows, Sun) reached over TCP/IP and/or FICON/ESCON, optionally through a proxy; DFSMS SMS policy and Data Class govern the control unit attached over FICON/ESCON and Fibre]
Symmetric Encryption (Private Key, Secret Key, Data Key)
• User Data Encryption
• Keystore Encryption
• TKLM Backup Encryption
Asymmetric Encryption (Public Key, Public/Private Key Pair, Key Encrypting Key)
• Drive authentication
• Session security
• Encrypting Data Keys
• SSL between TKLM and device
• TKLM web GUI communications
TS1130, TS1120, LTO5 and LTO4 Encryption
• Built-in AES 256-bit data encryption engine
• Look-aside decryption & decompression help assure data integrity
• <1% performance and capacity impact
• Authentication: TKLM queries the drive certificate and uses the drive’s public key to authenticate exchanges
[Diagram: data path through the drive from the host interface (FC Port 0) through DMA, the compression ASIC, AES encryption/decryption, buffer, ECC and format encoding, and read/write electronics and head to the tape media; drive firmware holds the drive’s private key and a drive certificate carrying the drive’s public key; host records are clear on the host side and ciphertext on the media side]
LTO5/4 Encryption Process (SME or LME)
1) LTO5/4 receives mount request for write from BOT with encryption
2) LTO5/4 initiates session with TKLM, passes session key to TKLM, requests Data Key (DK) or passes optional key label
3) TKLM authenticates drive in drive table
4) TKLM retrieves pre-generated AES-256 Data Key
5) TKLM encrypts Data Key (DK) with drive session key to create the Session Encrypted Data Key (SEDK)
6) TKLM passes the SEDK and the Data Key identifier (DKi) to the LTO5/4 tape drive
7) LTO5/4 decrypts Data Key
8) LTO5/4 encrypts data and writes data and DKi to cartridge
TS1130/20 Encryption Process (SME or LME)
1) TS1130 / TS1120 receives mount request for write from BOT with encryption
2) TS1130 / TS1120 initiates session with TKLM, passes session key to TKLM, requests Data Key (DK) and optionally passes key label
3) TKLM authenticates drive in drive table
4) TKLM generates AES-256 random Data Key (DK). TKLM retrieves public key (KEK) from keystore. TKLM wraps Data Key (DK) with public key to create EEDK.
5) TKLM encrypts Data Key (DK) with drive session key to create the Session Encrypted Data Key (SEDK)
6) TKLM passes the EEDK & SEDK to the TS1130 / TS1120 tape drive
7) TS1130 / TS1120 decrypts Data Key
8) TS1130/20 writes EEDK on tape leader and CM. TS1130/20 encrypts & writes data to cartridge.
LTO5/4 Consortium-based Format
• Standard LTO5/4 media
• Entire volume is encrypted or non-encrypted
• Common scratch pool with full re-format between encrypted and non-encrypted
• Data area: symmetric encryption, AES-256 with DK
• “KeyIdentifier”, generated from the key label/alias or provided by the application, is encoded in each host data record & format recording element per the LTO specification
[Diagram: cartridge layout from BOT to EOT – cartridge memory, control structures, volume label, encrypted host records and/or file marks, end of data]
TS1130 / TS1120 Media Format Elements
• Standard 3592 media
• Entire volume is encrypted or non-encrypted
• Common scratch pool with full re-format between encrypted and non-encrypted
• Full support for wrapping keys
  • Simplifies key management and DR/BP scenarios
• Two wrapped key structures (EEDKs) may be active on a cartridge
• Data area: symmetric encryption, AES-256 with DK
• EEDK1/2 “wrapped keys” KEK[DK]: asymmetric encryption, RSA-2048 with KEK
[Diagram: cartridge layout from BOT to EOT – cartridge memory with EEDK1/2, control structures, volume label, encrypted host records and/or file marks, end of data, EEDK1/2]
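The TS1130/TS1120 key flow (steps 4 to 8 of the encryption process) and the EEDK wrapped-key structure on this slide, as an added Go model that is not IBM's code: TKLM wraps a fresh AES-256 data key twice, under the drive session key (SEDK) for transit and under the RSA-2048 KEK public key (EEDK) for storage on the cartridge, and a DR site holding the KEK private key reads a record back with no drive or TKLM session. AES-GCM stands in for the session wrap and the data encryption, the session key is assumed to be already established, and the KEK pair is a constructed one generated at start-up.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

var kek, _ = rsa.GenerateKey(rand.Reader, 2048) // constructed KEK pair standing in for the keystore KEK

// aead returns AES-GCM for a 32-byte AES-256 key (any other key length panics in NewGCM).
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}
// sealAES wraps pt under key; the random 12-byte nonce is prepended to the output.
func sealAES(key, pt []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return aead(key).Seal(nonce, nonce, pt, nil)
}
// openAES reverses sealAES (blob must come from it); a wrong key or tampered blob fails authentication.
func openAES(key, blob []byte) ([]byte, error) {
	return aead(key).Open(nil, blob[:12], blob[12:], nil)
}
// tklmServe: fresh random DK; EEDK = RSA-OAEP(KEK public key, DK); SEDK = session-key wrap of DK.
func tklmServe(kekPub *rsa.PublicKey, sessionKey []byte) (eedk, sedk []byte, err error) {
	dk := make([]byte, 32)
	rand.Read(dk)
	eedk, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, kekPub, dk, nil)
	return eedk, sealAES(sessionKey, dk), err
}
// driveWrite: the drive unwraps DK from the SEDK with its session key and encrypts one host record.
func driveWrite(sessionKey, sedk, record []byte) ([]byte, error) {
	dk, err := openAES(sessionKey, sedk)
	if err != nil {
		return nil, err
	}
	return sealAES(dk, record), nil
}
// drReadback: the KEK private key unwraps the EEDK read from the cartridge; no drive or TKLM session is needed.
func drReadback(kekPriv *rsa.PrivateKey, eedk, encRecord []byte) ([]byte, error) {
	dk, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, kekPriv, eedk, nil)
	if err != nil {
		return nil, err
	}
	return openAES(dk, encRecord)
}
```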
Agenda
• Tape Encryption Overview
• TKLM – Tivoli Key Lifecycle Manager
  • TKLM v2
• Implementation Considerations
TKLM – Tivoli Key Lifecycle Manager
• Follow-on to EKM (Encryption Key Manager)
• AIX, Windows, Linux, Solaris
  • November 4, 2008 GA
• z/OS
  • March 6, 2009 GA
• EKM – functionally stabilized
Tivoli Key Lifecycle Manager (TKLM)
• IBM Licensed Program
• Serves data keys to drive
  • TS1130 / TS1120
  • LTO5 / LTO4
  • DS8000
• Runs on the same or a different server than the tape application
[Diagram: TKLM on AIX serving keys over IP to drives attached to other operating systems via Fibre Channel, SAS and FICON]
IBM Tivoli Key Lifecycle Manager
• Focused on device key serving
  • IBM encrypting tape – TS1120, TS1130, LTO5, LTO4
  • IBM encrypting disk – DS8000
• Installer to simplify installation experience
  • Simple-to-use install for Windows, Linux, AIX, Solaris
  • z/OS SMP/E install with scripts for post-install configuration
• Designed to be easy to use
  • Graphical User Interface
• Lifecycle functions
  • Automated key rotation
  • Notification of certificate expiration
• Easy backup and restore of TKLM files
  • One button, single jar file
TKLM OS Support
• z/OS 1.9, 1.10, 1.11
• AIX 5.3 or later
• AIX 6.1 or later
• Red Hat Enterprise Linux 4.0 (32 bit)
• Red Hat Enterprise Linux 5.0 (32 bit and 64 bit)
• SuSE Linux 9 (32 bit)
• SuSE Linux 10 (32 bit and 64 bit)
• Solaris 9 Sparc
• Solaris 10 Sparc
• Windows Server 2003 (32 bit and 64 bit)
• Windows Server 2008 (32 bit and 64 bit)
TKLM Resources
• TKLM Website: www.ibm.com/software/tivoli/products/key-lifecycle-mgr
  • TKLM Info Center
  • TKLM Installation and Configuration Guide
  • Flash Demos
    • Information Infrastructure Security with IBM
    • TKLM GUI demo
• TKLM Data Sheet
  • ftp://ftp.software.ibm.com/common/ssi/pm/sp/n/tid14031usen/TID14031USEN.PDF
• White Paper: Simplifying Key Management with Tivoli Key Lifecycle Manager
  • ftp://ftp.software.ibm.com/common/ssi/sa/wh/n/tiw14026usen/TIW14026USEN.PDF
• Red Book: IBM System Storage Tape Encryption Solutions
  • http://www.redbooks.ibm.com/abstracts/sg247320.html?Open
• Red Paper: TKLM for z/OS
  • http://www.redbooks.ibm.com/abstracts/redp4472.html?Open
TKLM v2
• Enhancements
  • Device Groups
  • Role Based Access Control
  • KMIP
  • Additional device support
  • UI improvements
  • Not serving keys that are not backed up
  • Metadata command
  • Version command
• Installation
• Migration
  • From EKM
  • From TKLM v1
TKLM V2 Constructs
[Diagram: TIPAdmin manages the TIP side – User Groups (klmSecurityOfficerGroup, LTOAdmin, LTOOperator), Roles (klmView, klmCreate, device group name) and Users (TKLMAdmin, user-defined User1); TKLMAdmin manages the device side – Device Groups, Devices, Certificates, Key Groups, Keys and Rollover Policy, backed by RSA key pairs, key groups and symmetric keys]
Pre-defined Device Groups
• LTO – LTO device family
• TS3592 – 3592 device family
• DS8000 – DS8000 device family
• DS5000 – DS5000 device family
• BRCD_ENCRYPTOR – BRCD_ENCRYPTOR device group
• ONESECURE – ONESECURE device group
• GENERIC – objects in the GENERIC device family
• Userdevicegroup – a user-defined instance such as myLTO that you manually create, based on a predefined device family such as LTO
User Defined Device Groups
• Subset of existing device families
  • LTO
  • 3592
  • DS5000
• Unique key or key group
• Unique rollover policy
• Unique Key and Device Management page
• The klmAdminDeviceType role can create and delete new device groups
• Every key group, certificate and device is associated with a device group
Role Based Access Control
• Device Groups
  • Pre-defined, e.g. LTO, TS3592
  • User defined, e.g. MyLTODrives
• User Groups
  • Pre-defined, e.g. LTOAdmin
  • User defined
• Users
  • TIPAdmin: controls Users, User Groups, and Roles
  • TKLMAdmin: controls Device Groups, Keys, Certificates
  • User defined
• Permissions (Roles)
Pre-defined User Groups
• klmSecurityOfficerGroup
  • Permissions: klmSecurityOfficer, suppressmonitor
• klmBackupRestoreGroup
  • Permissions: klmBackup, klmRestore, suppressmonitor
• LTOAdmin
  • Permissions: LTO, klmCreate, klmModify, klmDelete, klmView, klmGet, klmAudit, klmBackup, klmConfigure, suppressmonitor
• LTOOperator
  • Permissions: LTO, klmCreate, klmModify, klmDelete, klmView, klmBackup, suppressmonitor
• LTOAuditor
  • Permissions: LTO, klmView, klmAudit, suppressmonitor
Permissions
• Super user permission
  • klmSecurityOfficer
• Device group specific action permissions
  • klmView, klmCreate, klmModify, klmDelete, klmGet (to export a key or certificate)
• Stand-alone permissions
  • klmAdminDeviceGroup (to create, view or delete a new device group), klmConfigure, klmBackup, klmRestore, klmAudit (to view audit data)
• Permissions corresponding to device groups
  • Each pre-defined device group has a matching permission: LTO, TS3592, DS5000, DS8000, GENERIC, BRCD_ENCRYPTOR, ONESECURE
  • The permission for a new user-defined device group must be created manually using the TIP role management panel
Default Users
• TKLM installs two default users:
  • tipadmin: has TIP/WAS administrative authority
  • tklmadmin: is the TKLM administrator, has the klmSecurityOfficer role
Today’s Cryptographic Environment
[Diagram: enterprise cryptographic environments – production database, eCommerce and enterprise applications, business analytics, CRM, email, collaboration & content management systems, file server, portals, dev/test obfuscation, disk arrays, backup disk and backup tape, replica, staging and backup system, connected over LAN, WAN and VPN, each with its own separate Key Management System]
KMIP Overview
• Key Management Interoperability Protocol (KMIP)
• Key-management to encryption client protocol
• Enables key lifecycle management
  • Generation, submission, retrieval, and deletion
• Supports
  • Symmetric keys
  • Asymmetric keys
  • Digital certificates
• http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip
TKLM v2 Supported Devices
• IBM Tape Drives
  • LTO4 / LTO5
  • TS1120 / TS1130
• IBM Tape Libraries
  • TS3500
  • 3494
  • TS3400
  • TS3310
  • TS3200 / TS3100
  • TS2900
• Non-IBM Tape Libraries
  • Quantum (ADIC) i2000
  • Quantum (ADIC) i500
• IBM Disk Drives
  • DS8000
  • DS5000
• KMIP Supported Devices
  • Emulex OneSecure HBAs
  • Brocade (IBM OEM) IBM SAN32B-E4 (2498-E32) FC: 3895 – Encryption Blade
Do not serve keys unless backed up
• Prevents keys from being served for write requests until a backup is performed
• Read requests are not affected
• Prevents potential data loss
• Configuration file property, true/false
  • backup.keycert.before.serving
  • Default: true
• Automatic backup script provided
  • At fixed intervals
MetaData command
• Adds metadata for existing asymmetric keys in the keystore
• Shows up in TKLM as a new certificate
• Only available through the CLI
  • tklmKeyStoreEntryMetaDataCreate
• Uses
  • Quickly create metadata for existing keys (e.g. reusing an existing keystore)
  • Previously, this required an export from the keystore and an import into TKLM
Version Command
• Displays the version of TKLM and associated middleware
  • TKLM Version
  • TKLM Build Level
  • Tivoli Integrated Portal version
  • Embedded Websphere Application Server version
  • Java version
  • DB2 version
  • IBM Deployment Engine version
• Only available through the CLI
Syntax and Parameters
• tklmVersionInfo()
• There are no parameters.
• Required permission is klmConfigure.
Installation
• Launch install by
  • install.exe (Windows)
  • install.sh (Unix and Linux)
• 3 modes available: GUI, Console, Silent
• Support for more languages
Installation - continued
• Bundled software:
  • DB2
    • DB2 v9.7 fp2 (Windows, AIX, Solaris, Linux)
    • DB2 v9.5 fp4 (SuSE9 and RHL4)
  • Tivoli Integrated Portal v1.1.1.2 plus TIP fixpack 1.1.1.11, which includes:
    • eWAS 6.1.0.29
    • Runtime Java 1.5 SR10a
    • DE (Deployment Engine) 1.4.0.6
    • WebSphere Update Installer v7.0.0.7
Installation - continued
• Disk space checking
• DB2 improvements:
  • Detect all copies of DB2 9.5 or DB2 9.7 on appropriate platforms
  • User allowed to select from a list of valid DB2 copies or install a new copy
  • If the DB2TKLMV2 copy name is present on Windows, it is used
• Auto start eWAS and DB2
• Windows start menu link for Tivoli Integrated Portal and DB2
• TKLMAdmin panel prompts for the password for the TKLMAdmin ID
• Password for any TIP user cannot be saved in the browser
Migration to TKLM V2
• EKM 2.1 to V2. If you are using earlier versions of EKM (1.0, 2.0), you must migrate to EKM 2.1 before migrating to TKLM V2.
• TKLM V1 – V2
  • Apply the latest recommended TKLM V1 fixpack (1.0.0.3) before starting migration.
TKLM V1 to TKLM V2
• The migration tool performs the following steps:
  • Validates V1 and V2 passwords
    • V1 tipadmin, database instance owner, V2 tipadmin, V2 tklmadmin
  • Migrates TKLMgrConfig.properties
  • Copies the user keystore from the V1 location to the V2 location
    • If the keystore is located outside of the V1 TIP, its location does not change after migration to V2.
  • Migrates the instance from DB2 V9.1 to DB2 V9.7
  • Migrates the database
Pricing
• TKLM pricing consists of three components
  • Server install
  • Encrypting device capacity measured in TBs (RVUs)
  • Service and support
• Server install
  • No charge for warm backups or test instances
  • Does not include the first two RVUs
  • Charge for secondary / DR copies if the tape libraries are configured to automatically fail over and the secondary / DR TKLM is up and running
Pricing - continued
• Encrypting device capacity measured in TBs
  • Jag3 (3592-E06) = 1TB = 1 RVU
  • LTO5 = 1.5TB = 1 RVU (discounted)
  • LTO4 = 800GB = .8 RVU
  • Jag2 (3592-E05) = 700GB = .7 RVU
  • Optionally: 1 tape drive = 1TB = 1 RVU
    • Real physical tape drives
    • Not the number of cartridges
    • Not the amount of data
• Service and support
  • Entitles customers to support
  • Also entitles customers to free upgrades
  • V2 is free for TKLM V1 customers who are current with support
Agenda
• Tape Encryption Overview
• TKLM – Tivoli Key Lifecycle Manager
• Implementation Considerations
  • Design Considerations
  • TS3500 (3584) Implementation
TKLM Design Considerations
• What keystore?
• What operating system?
• Dedicated server or LPAR?
• Dedicated LPAR or shared LPAR?
• TKLM – local or remote?
• How to implement HA?
• Moving keys offsite
• What to encrypt?
• Key rotation?
• Number of keys?
TKLM – What Operating System?
• AIX
• Linux
• Solaris
• Windows
• z/OS
[Diagram: a TKLM instance holding the keystore and crypto services, the drive table and the configuration]
What Size Server?
• CPU
• Memory
• Disk
TKLM High Availability
[Diagram: two TKLM instances, each with its own keystore and crypto services, drive table and configuration]
Dedicated Server or LPAR?
[Diagram: four deployment options (Option 1 to Option 4) that place TKLM, other applications and the tape application on dedicated or shared servers/LPARs]