1. Front cover
IBM System Storage
Tape Encryption
Solutions
Learn about IBM TS1130 Tape Drive
and Tivoli Key Lifecycle Manager
Encrypt data on LTO and TS1100
series cartridges
Discover usability
enhancements
Babette Haeusser
Jonathan Barney
Arthur Colvig
ibm.com/redbooks

3. International Technical Support Organization
IBM System Storage Tape Encryption Solutions
May 2009
SG24-7320-02

4. Note: Before using this information and the product it supports, read the information in “Notices” on
page xiii.
Third Edition (May 2009)
This edition applies to the introduction of the IBM TS1130 Tape Drive and Tivoli Lifecycle Manager (TKLM)
© Copyright International Business Machines Corporation 2008, 2009. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule
Contract with IBM Corp.

5. Contents
Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
The team that wrote this book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Become a published author . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Comments welcome. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Summary of changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
May 2009, Third Edition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Part 1. Introducing IBM tape encryption solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Chapter 1. Introduction to tape encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1 How tape data encryption works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.2 What to encrypt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.3 Why use tape data encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.3.1 Why encrypt data in the drive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.3.2 Fundamental to encryption: Policy and key management . . . . . . . . . . . . . . . . . . . 8
1.3.3 Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.4 Concepts of tape data encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.4.1 Symmetric key encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
1.4.2 Asymmetric key encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
1.4.3 Hybrid encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.4.4 Digital certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Chapter 2. IBM tape encryption methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.1 IBM Encryption Key Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.1.1 Encryption Key Manager components and resources . . . . . . . . . . . . . . . . . . . . . 25
2.1.2 Encryption keys and 3592 and LTO4 differences . . . . . . . . . . . . . . . . . . . . . . . . . 27
2.1.3 Key exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2.2 Tivoli Key Lifecycle Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
2.2.1 Tivoli Lifecycle Key Manager components and resources . . . . . . . . . . . . . . . . . . 30
2.2.2 Key exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
2.3 Methods of managing IBM tape encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
2.3.1 System-Managed Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.3.2 Library-Managed Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
2.3.3 Encrypting and decrypting with SME and LME . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
2.3.4 Application-Managed Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
2.3.5 Mixed mode example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Chapter 3. IBM System Storage tape and tape automation for encryption . . . . . . . . . 45
3.1 IBM System Storage TS1130 and TS1120 Tape Drive . . . . . . . . . . . . . . . . . . . . . . . . 46
3.1.1 Tape data encryption support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
3.1.2 TS1120 characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
3.1.3 TS1130 characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
3.1.4 3592 cartridges and media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
3.2 IBM System Storage TS1120 Tape Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
3.2.1 IBM TS1120 Tape Controller characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
© Copyright IBM Corp. 2008, 2009. All rights reserved. iii

6. 3.2.2 IBM TS1120 Tape Controller encryption support . . . . . . . . . . . . . . . . . . . . . . . . . 55
3.2.3 Installation with an IBM TS3500 Tape Library . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
3.2.4 Installation with an IBM TS3400 Tape Library . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
3.2.5 Installation with an IBM 3494 Tape Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
3.2.6 IBM TotalStorage 3592 Model J70 Tape Controller . . . . . . . . . . . . . . . . . . . . . . . 59
3.3 IBM Virtualization Engine TS7700 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
3.4 IBM LTO Ultrium tape drives and libraries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
3.4.1 LTO overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
3.4.2 LTO media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
3.4.3 IBM System Storage TS2240 Tape Drive Express Model . . . . . . . . . . . . . . . . . . 66
3.4.4 IBM System Storage TS2340 Tape Drive Express Model . . . . . . . . . . . . . . . . . . 67
3.4.5 IBM System Storage TS1040 Tape Drive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
3.4.6 IBM System Storage TS2900 Tape Autoloader . . . . . . . . . . . . . . . . . . . . . . . . . . 68
3.4.7 IBM System Storage TS3100 Tape Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
3.4.8 IBM System Storage TS3200 Tape Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
3.4.9 IBM System Storage TS3310 Tape Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
3.5 IBM System Storage TS3400 Tape Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
3.6 IBM System Storage TS3500 Tape Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
3.6.1 TS3500 frames . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
3.6.2 TS3500 characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
3.7 IBM TotalStorage 3494 Tape Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Chapter 4. Planning for software and hardware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
4.1 Encryption planning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
4.2 Planning assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
4.3 Encryption planning quick-reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
4.4 Choosing encryption methods. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
4.4.1 Encryption method comparison. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
4.4.2 System z encryption methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
4.4.3 Open Systems encryption methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
4.4.4 Decision time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
4.5 Solutions available by operating system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
4.5.1 The z/OS solution components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
4.5.2 z/VM, z/VSE, and z/TPF solution components for TS1120 drives . . . . . . . . . . . 102
4.5.3 IBM System i encryption solution components . . . . . . . . . . . . . . . . . . . . . . . . . . 104
4.5.4 AIX solution components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
4.5.5 Linux on System z. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
4.5.6 Linux on System p, System x, and other Intel or AMD Opteron servers. . . . . . . 109
4.5.7 HP-UX, Sun, and Windows components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
4.5.8 Tivoli Storage Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
4.6 Ordering information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
4.6.1 TS1120 tape drive prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
4.6.2 Tape controller prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
4.6.3 LTO4 tape drive prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
4.6.4 Tape library prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
4.6.5 Other library and rack Open Systems installations . . . . . . . . . . . . . . . . . . . . . . . 120
4.6.6 TS7700 Virtualization Engine prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
4.6.7 General software prerequisites for encryption . . . . . . . . . . . . . . . . . . . . . . . . . . 121
4.6.8 TS1120 and TS1130 supported platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
4.6.9 IBM LTO4 tape drive supported platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
4.7 Other planning considerations for tape data encryption . . . . . . . . . . . . . . . . . . . . . . . 124
4.7.1 In-band and out-of-band . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
4.7.2 Performance considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
iv IBM System Storage Tape Encryption Solutions

7. 4.7.3 Encryption with other backup applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
4.7.4 ALMS and encryption in the TS3500 library . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
4.7.5 TS1120 and TS1130 rekeying considerations . . . . . . . . . . . . . . . . . . . . . . . . . . 127
4.8 Upgrade and migration considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
4.8.1 Look out for potential problems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
4.8.2 TS1120 and TS1130 compatibility considerations . . . . . . . . . . . . . . . . . . . . . . . 129
4.8.3 DFSMSdss host-based encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
4.8.4 Positioning TS1120 Tape Encryption and Encryption Facility for z/OS . . . . . . . 134
Part 2. Implementing and operating the EKM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Chapter 5. Planning for EKM and its keystores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
5.1 EKM planning quick-reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
5.2 Ordering information and requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
5.2.1 EKM on z/OS or z/OS.e requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
5.2.2 EKM on z/VM, z/VSE, and z/TPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
5.2.3 EKM on IBM System i5 requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
5.2.4 EKM on AIX requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
5.2.5 EKM on Linux requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
5.2.6 EKM on Hewlett-Packard, Sun, and Windows requirements . . . . . . . . . . . . . . . 143
5.3 EKM and keystore considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
5.3.1 EKM configuration planning checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
5.3.2 Best security practices for working with keys and certificates. . . . . . . . . . . . . . . 147
5.3.3 Acting on the advice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
5.3.4 Typical EKM implementations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
5.3.5 Multiple EKMs for redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
5.3.6 Using Virtual IP Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
5.3.7 Key Manager backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
5.3.8 FIPS 140-2 certification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
5.4 Other EKM considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
5.4.1 EKM Release 1 to EKM Release 2 migration . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
5.4.2 Data exchange with business partners or different platforms . . . . . . . . . . . . . . . 154
5.4.3 Disaster recovery considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
5.4.4 i5/OS disaster recovery considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
5.4.5 EKM performance considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Chapter 6. Implementing EKM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
6.1 Implementing the EKM in z/OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
6.1.1 z/OS UNIX System Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
6.1.2 Installing the EKM in z/OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
6.1.3 Security products involved: RACF, Top Secret, and ACF2. . . . . . . . . . . . . . . . . 161
6.1.4 Create a JCE4758RACFKS for EKM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
6.1.5 Setting up the EKM environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
6.1.6 Starting EKM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
6.1.7 Additional definitions of hardware keystores for z/OS. . . . . . . . . . . . . . . . . . . . . 172
6.1.8 Virtual IP Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
6.1.9 EKM TCP/IP configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
6.2 Installing EKM on AIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
6.2.1 Install the IBM Software Developer Kit (SDK). . . . . . . . . . . . . . . . . . . . . . . . . . . 175
6.3 Installing EKM on a Windows platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
6.3.1 EKM setup tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
6.3.2 Installing the IBM Software Developer Kit on Windows . . . . . . . . . . . . . . . . . . . 182
6.3.3 Starting EKM on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
6.3.4 Configuring and starting EKM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Contents v

8. 6.4 Installing the EKM in i5/OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
6.4.1 New installation of the Encryption Key Manager. . . . . . . . . . . . . . . . . . . . . . . . . 194
6.4.2 Upgrading the Encryption Key Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
6.4.3 Configuring EKM for tape data encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
6.5 LTO4 Encryption implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
6.5.1 LTO4 EKM implementation checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
6.5.2 Download the latest EKM software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
6.5.3 Create a JCEKS keystore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
6.5.4 Off-site or business partner exchange with LTO4 compared to 3592. . . . . . . . . 210
6.5.5 EKM Version 2 installation and customization on Windows . . . . . . . . . . . . . . . . 211
6.5.6 Start EKM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
6.5.7 Starting EKM as a windows Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
6.6 LTO4 Library-Managed Encryption implementation . . . . . . . . . . . . . . . . . . . . . . . . . . 215
6.6.1 Barcode Encryption Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
6.6.2 Specifying a Barcode Encryption Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
6.6.3 TS3500 Library-Managed Encryption differences from TS3310, TS3200, TS3100,
and TS2900 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
6.7 LTO4 System-Managed Encryption implementation. . . . . . . . . . . . . . . . . . . . . . . . . . 223
6.7.1 LTO4 SME implementation checklist for Windows . . . . . . . . . . . . . . . . . . . . . . . 224
Chapter 7. Planning and managing your keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
7.1 Keystore and SAF Digital Certificates (keyrings) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
7.2 JCEKS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
7.2.1 Examples of managing public-private key pairs . . . . . . . . . . . . . . . . . . . . . . . . . 227
7.2.2 Managing symmetric keys in a JCEKS keystore. . . . . . . . . . . . . . . . . . . . . . . . . 230
7.2.3 Example using IKEYMAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
7.3 JCE4758KS and JCECCAKS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
7.3.1 Script notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
7.3.2 Symmetric keys in a JCECCAKS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
7.4 JCERACFKS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
7.5 JCE4758RACFKS and JCECCARACFKS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
7.5.1 RACDCERT keywords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
7.5.2 Best practice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
7.6 PKCS#11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
7.7 IBMi5OSKeyStore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
7.7.1 Digital Certificate Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
7.7.2 How to set up an IBMi5OSKeyStore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
7.8 ShowPrivateTool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
7.9 MatchKeys tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
7.10 Hardware cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Chapter 8. EKM operational considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
8.1 EKM commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
8.1.1 The EKM sync command and EKM properties file . . . . . . . . . . . . . . . . . . . . . . . 274
8.1.2 EKM command line interface and command set. . . . . . . . . . . . . . . . . . . . . . . . . 275
8.2 Backup procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
8.2.1 EKM file system backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
8.2.2 Identifying DFSMShsm to z/OS UNIX System Services . . . . . . . . . . . . . . . . . . . 281
8.2.3 Keystore backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
8.2.4 RACF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
8.3 ICSF disaster recovery procedures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
8.3.1 Key recovery checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
8.3.2 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
vi IBM System Storage Tape Encryption Solutions

9. 8.3.3 Pre-key change: All LPARs in the Sysplex . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
8.3.4 Check the ICSF installation options data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
8.3.5 Disable all services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
8.3.6 Entering Master Keys for all LPARs in the Sysplex . . . . . . . . . . . . . . . . . . . . . . 289
8.3.7 Post-key change for all LPARs in the Sysplex . . . . . . . . . . . . . . . . . . . . . . . . . . 294
8.3.8 Exiting disaster recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
8.4 Business partner tape-sharing example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
8.4.1 Key-sharing steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
8.4.2 Exporting a public key and certificate to a business partner . . . . . . . . . . . . . . . . 296
8.4.3 Exporting a symmetric key from a JCEKS keystore . . . . . . . . . . . . . . . . . . . . . . 300
8.4.4 Importing a public key and a certificate from a business partner . . . . . . . . . . . . 301
8.4.5 Tape exchange and verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
8.4.6 Importing symmetric keys to a JCEKS keystore . . . . . . . . . . . . . . . . . . . . . . . . . 304
8.5 RACF export tool for z/OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
8.6 Audit log considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
8.6.1 Audit overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
8.6.2 Audit log parsing tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Part 3. Implementing and operating the TKLM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Chapter 9. Planning for TKLM and its keystores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
9.1 TKLM planning quick-reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
9.2 TKLM and keystore considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
9.2.1 TKLM configuration planning checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
9.2.2 Best security practices for working with keys and certificates. . . . . . . . . . . . . . . 319
9.2.3 Acting on the advice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
9.2.4 Multiple TKLMs for redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
9.3 Other TKLM considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
9.3.1 Database selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
9.3.2 EKM to TKLM migration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
9.3.3 Data exchange with business partners or different platforms . . . . . . . . . . . . . . . 321
9.3.4 Disaster recovery considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Chapter 10. Implementing TKLM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
10.1 Implementation notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
10.2 Installing TKLM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
10.3 Configuring TKLM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
10.4 Conclusions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Chapter 11. TKLM operational considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
11.1 Scripting with TKLM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
11.1.1 Simple Linux backup script example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
11.2 Synchronizing primary TKLM configuration data. . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
11.2.1 Setting up primary and secondary TKLM servers . . . . . . . . . . . . . . . . . . . . . . . 349
11.2.2 Synchronizing the primary and secondary TKLM servers. . . . . . . . . . . . . . . . . 350
11.3 TKLM maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
11.3.1 Adding and removing drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
11.3.2 Scheduling key group rollover. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
11.3.3 Scheduling certificate rollover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
11.4 TKLM backup and restore procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
11.4.1 Backup by using the GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
11.4.2 Restore by using the GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
11.4.3 Backup by using the command line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
11.4.4 Restore by using the command line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Contents vii

10. 11.5 Data sharing with business partners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
11.5.1 Sharing TS1100 certificate data with a business partner . . . . . . . . . . . . . . . . . 365
11.5.2 Sharing LTO key data with a business partner . . . . . . . . . . . . . . . . . . . . . . . . . 368
11.6 Removing TKLM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
11.6.1 Backing up the keystore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
11.6.2 Removing TKLM from a Windows system . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
11.7 Fixing the security warnings in your Web browser . . . . . . . . . . . . . . . . . . . . . . . . . . 375
11.7.1 Fixing the security warning in Internet Explorer browser . . . . . . . . . . . . . . . . . 375
11.7.2 Fixing the security warning in Firefox 2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Part 4. Implementing tape data encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Chapter 12. Implementing TS1100 series Encryption in System z. . . . . . . . . . . . . . . 379
12.1 Implementation overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
12.2 Implementation prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
12.2.1 Initial tape library hardware implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
12.2.2 Initial z/OS software definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
12.3 EKM implementation overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
12.4 Tape library implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
12.4.1 Implementation steps for the IBM TS3500 Tape Library. . . . . . . . . . . . . . . . . . 384
12.4.2 Implementation steps for the IBM 3494 Tape Library . . . . . . . . . . . . . . . . . . . . 387
12.4.3 Implementation steps for the IBM TS3400 Tape Library. . . . . . . . . . . . . . . . . . 391
12.5 Tape control unit implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
12.6 z/OS implementation steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
12.6.1 z/OS software maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
12.6.2 Update PARMLIB member IECIOSxx. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
12.6.3 Define or update Data Class definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
12.6.4 Considerations for JES3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
12.6.5 Tape management system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
12.6.6 DFSMSrmm support for tape data encryption. . . . . . . . . . . . . . . . . . . . . . . . . . 399
12.6.7 DFSMSdfp access method service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
12.6.8 Data Facility Data Set Services considerations . . . . . . . . . . . . . . . . . . . . . . . . 403
12.6.9 DFSMS Hierarchal Storage Manager considerations . . . . . . . . . . . . . . . . . . . . 404
12.7 z/VM implementation steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
12.7.1 Tape library and tape control unit implementation . . . . . . . . . . . . . . . . . . . . . . 406
12.7.2 Out-of-band encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
12.7.3 Define key aliases to z/VM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
12.7.4 Using ATTACH and DETACH to control encryption . . . . . . . . . . . . . . . . . . . . . 411
12.7.5 Using SET RDEVICE to control encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
12.7.6 QUERY responses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
12.7.7 z/VM DASD Dump Restore (DDR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
12.8 Miscellaneous implementation considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
12.8.1 Data exchange with other data centers or business partners . . . . . . . . . . . . . . 414
12.8.2 Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
12.9 TS1120 and TS1130 tape cartridge rekeying in z/OS. . . . . . . . . . . . . . . . . . . . . . . . 414
12.9.1 TS1120 Model E05 rekeying support in z/OS . . . . . . . . . . . . . . . . . . . . . . . . . . 415
12.9.2 IEHINITT enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
12.9.3 Security considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
12.9.4 Packaging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
12.9.5 Rekeying exits and messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
Chapter 13. Implementing TS7700 Tape Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . 419
13.1 TS7700 Encryption overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
13.2 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
viii IBM System Storage Tape Encryption Solutions

11. 13.2.1 Tape drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
13.2.2 TS7700 Virtualization Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
13.2.3 Library Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
13.2.4 Encryption Key Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
13.3 Implementation overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
13.3.1 Initial Tape Library hardware implementation . . . . . . . . . . . . . . . . . . . . . . . . . . 422
13.3.2 Initial TS7700 implementation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
13.3.3 Initial z/OS software definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
13.3.4 EKM implementation overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
13.4 Tape library implementation and setup for encryption . . . . . . . . . . . . . . . . . . . . . . . 423
13.4.1 Enabling drives for encryption in the IBM TS3500 Tape Library. . . . . . . . . . . . 424
13.4.2 Enabling drives for encryption in the IBM 3494 Tape Library . . . . . . . . . . . . . . 426
13.4.3 Encryption-enabled drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
13.5 Software implementation steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
13.5.1 z/OS software maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
13.5.2 EKM installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
13.5.3 Basic z/OS DFSMS implementation steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
13.6 TS7700 implementation steps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
13.6.1 Configuring the TS7700 for encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
13.6.2 Creating TS7700 Storage Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
13.6.3 Creating TS7700 Management Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
13.6.4 Activate the TS7700 Encryption Feature License . . . . . . . . . . . . . . . . . . . . . . . 435
13.6.5 EKM addresses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
13.6.6 Testing EKM connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
13.6.7 Configuring Pool Encryption Settings for the TS7700. . . . . . . . . . . . . . . . . . . . 438
13.7 Implementation considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
13.7.1 Management construct definitions and transfer . . . . . . . . . . . . . . . . . . . . . . . . 440
13.7.2 Changing storage pool encryption settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
13.7.3 Moving data to encrypted storage pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
13.7.4 EKM operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
13.7.5 Tracking encryption usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
13.7.6 Data exchange with other data centers or business partners . . . . . . . . . . . . . . 444
13.8 TS7700 Encryption with z/VM, z/VSE, or z/TPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Chapter 14. Implementing TS1120 and TS1130 Encryption in an Open Systems
environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
14.1 Encryption overview in an Open Systems environment . . . . . . . . . . . . . . . . . . . . . . 448
14.2 Adding drives to a logical library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
14.2.1 Advanced Library Management System considerations . . . . . . . . . . . . . . . . . . 449
14.3 Managing the encryption and business partner exchange . . . . . . . . . . . . . . . . . . . . 450
14.3.1 Disaster recovery considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
14.3.2 Keeping track of key usage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
14.4 Encryption implementation checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
14.4.1 Planning your EKM environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
14.4.2 EKM setup tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
14.4.3 Application-Managed Encryption setup tasks . . . . . . . . . . . . . . . . . . . . . . . . . . 454
14.4.4 System-Managed (Atape) Encryption setup tasks . . . . . . . . . . . . . . . . . . . . . . 455
14.4.5 Library-Managed Encryption setup tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
14.5 Implementing Library-Managed Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
14.5.1 LME implementation tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
14.5.2 Upgrading firmware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
14.5.3 Add EKM or TKLM IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
14.5.4 Enable Library-Managed Encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
Contents ix

12. 14.5.5 Barcode Encryption Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
14.5.6 Testing encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
14.6 Implementing System-Managed Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
14.6.1 System-Managed Encryption tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
14.6.2 Atape device driver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
14.6.3 Update Atape EKM proxy configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
14.6.4 System-Managed Encryption Atape device entries . . . . . . . . . . . . . . . . . . . . . 477
14.6.5 Updating the Atape device driver configuration . . . . . . . . . . . . . . . . . . . . . . . . 478
14.6.6 Enabling System-Managed Encryption using the TS3500 Web GUI . . . . . . . . 480
14.6.7 Using SMIT to enable System-Managed Encryption . . . . . . . . . . . . . . . . . . . . 481
14.6.8 Using tapeutil functions to verify EKM paths. . . . . . . . . . . . . . . . . . . . . . . . . . . 488
14.6.9 Managing System-Managed Encryption and business partner exchange . . . . 488
14.7 Application-Managed Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
14.7.1 IBM Tivoli Storage Manager overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
14.7.2 ITSM support for 3592 drive encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
14.7.3 Implementing Application-Managed Encryption . . . . . . . . . . . . . . . . . . . . . . . . 493
14.7.4 ITSM Encryption considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
14.8 IBM 3494 with TS1120 or TS1130 Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
14.8.1 Review the 3494 encryption-capable drives . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
14.8.2 Specifying a Barcode Encryption Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
14.8.3 Entering the EKM IP address and key labels . . . . . . . . . . . . . . . . . . . . . . . . . . 503
14.8.4 ILEP key label mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Chapter 15. Tape data encryption with i5/OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
15.1 Planning for tape data encryption with i5/OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
15.1.1 Hardware prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
15.1.2 Software prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
15.1.3 Disaster recovery considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
15.1.4 EKM keystore considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
15.1.5 TS1120 Tape Encryption policy considerations . . . . . . . . . . . . . . . . . . . . . . . . 510
15.1.6 Considerations for sharing tapes with partners. . . . . . . . . . . . . . . . . . . . . . . . . 511
15.1.7 Steps for implementing tape encryption with i5/OS . . . . . . . . . . . . . . . . . . . . . 512
15.2 Setup and usage of tape data encryption with i5/OS . . . . . . . . . . . . . . . . . . . . . . . . 513
15.2.1 Creating an EKM keystore and certificate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
15.2.2 Configuring the TS3500 library for Library-Managed Encryption . . . . . . . . . . . 526
15.2.3 Importing and exporting encryption keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536
15.2.4 Working with encrypted tape cartridges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
15.2.5 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552
Part 5. Appendixes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553
Appendix A. z/OS planning and implementation checklists . . . . . . . . . . . . . . . . . . . . 555
DFSMS Systems Managed Tape planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556
DFSMS planning and the z/OS encryption planning checklist . . . . . . . . . . . . . . . . . . . 556
Storage administrator stand-alone environment planning. . . . . . . . . . . . . . . . . . . . . . . 557
Storage administrator tape library environment planning . . . . . . . . . . . . . . . . . . . . . . . 558
DFSMS Systems Managed Tape implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559
Object access method planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560
Storage administrator OAM planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
OAM implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
DFSMShsm tape environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
Appendix B. z/OS Java and Open Edition tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
JZOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
x IBM System Storage Tape Encryption Solutions

13. Console communication with batch jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
EKM and JZOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
MVS Open Edition tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 568
Exporting a variable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 568
Setting up an alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 568
Copying the escape character . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569
Advantages of VT100 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569
Advanced security hwkeytool and keytool scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
Complete keytool example for JCEKS using hidden passwords . . . . . . . . . . . . . . . . . 571
Complete hwkeytool example for JCE4758KS using hidden passwords . . . . . . . . . . . 573
Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
Security and providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
Garbage Collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576
Verifying the installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
z/OS region size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
Policy files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
Appendix C. Asymmetric and Symmetric Master Key change procedures. . . . . . . . 579
Asymmetric Master Key change ceremony . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580
Encryption and decryption test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580
Pre-key change: Disable PKA services for all images in the Sysplex. . . . . . . . . . . . . . 580
Key change: First LPAR in the Sysplex . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582
Key change: Subsequent LPARs in the Sysplex . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588
Post-key change: All LPARs in the Sysplex . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 592
ICSF tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
Creating a PKDS VSAM data set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
Symmetric Master Key change ceremony . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598
Encryption and decryption test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
Disable dynamic CKDS updates for all images in the Sysplex . . . . . . . . . . . . . . . . . . . 599
Key change: First LPAR in the Sysplex . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
Reencipher the CKDS under the new SYM-MK Master Key . . . . . . . . . . . . . . . . . . . . 604
Change the new SYM-MK Master Key and activate the reenciphered CKDS . . . . . . . 606
Key change: Subsequent LPARs in the Sysplex . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
Post-key change: All LPARs in the Sysplex . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
Appendix D. z/OS tape data encryption diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . 617
EKM problem determination when running z/OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618
Error scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618
Diagnostic scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 621
Encryption Key Manager error codes and recovery actions. . . . . . . . . . . . . . . . . . . . . . . . 623
Drive error codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
Control unit error codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627
IOS628E message indicates connection failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 628
Appendix E. IEHINITT exits and messages for rekeying . . . . . . . . . . . . . . . . . . . . . . . 629
Dynamic Exits Service Facility support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630
Error conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630
Programming considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630
REKEY messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
New messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
Modified messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
Contents xi

14. Appendix F. TS1100 and LTO4 SECURE key EKM on z/OS . . . . . . . . . . . . . . . . . . . . 635
Implementing the EKM in z/OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636
z/OS UNIX System Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636
Installing the Encryption Key Manager in z/OS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637
Create a JCECCAKS for EKM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 639
Setting up the EKM environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640
Starting EKM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 643
EKM TCP/IP configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648
Enterprise-wide key management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 650
Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 650
Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651
IBM Redbooks publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651
Other publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651
Online resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 652
How to get IBM Redbooks publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653
Help from IBM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655
xii IBM System Storage Tape Encryption Solutions

15. Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult
your local IBM representative for information on the products and services currently available in your area.
Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product, program, or service that does
not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to
evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The
furnishing of this document does not give you any license to these patents. You can send license inquiries, in
writing, to:
IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A.
The following paragraph does not apply to the United Kingdom or any other country where such
provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION
PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of
express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made
to the information herein; these changes will be incorporated in new editions of the publication. IBM may make
improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time
without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any
manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the
materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without
incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products and cannot confirm the
accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the
capabilities of non-IBM products should be addressed to the suppliers of those products.
This information contains examples of data and reports used in daily business operations. To illustrate them
as completely as possible, the examples include the names of individuals, companies, brands, and products.
All of these names are fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrate programming
techniques on various operating platforms. You may copy, modify, and distribute these sample programs in
any form without payment to IBM, for the purposes of developing, using, marketing or distributing application
programs conforming to the application programming interface for the operating platform for which the sample
programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore,
cannot guarantee or imply reliability, serviceability, or function of these programs.
© Copyright IBM Corp. 2008, 2009. All rights reserved. xiii

16. Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines
Corporation in the United States, other countries, or both. These and other IBM trademarked terms are
marked on their first occurrence in this information with the appropriate symbol (® or ™), indicating US
registered or common law trademarks owned by IBM at the time this information was published. Such
trademarks may also be registered or common law trademarks in other countries. A current list of IBM
trademarks is available on the Web at http://www.ibm.com/legal/copytrade.shtml
The following terms are trademarks of the International Business Machines Corporation in the United States,
other countries, or both:
AIX 5L™ OS/400® System z9®
AIX® POWER® System z®
alphaWorks® pSeries® Tivoli®
AS/400® RACF® TotalStorage®
CICS® Rational® VTAM®
DB2® Redbooks® WebSphere®
developerWorks® Redbooks (logo) ® xSeries®
ESCON® RS/6000® z/OS®
FICON® S/390® z/VM®
i5/OS® System i5® z/VSE™
IBM® System i® z9®
iSeries® System p® zSeries®
Language Environment® System Storage™
Netfinity® System x®
The following terms are trademarks of other companies:
AMD, AMD Opteron, the AMD Arrow logo, and combinations thereof, are trademarks of Advanced Micro
Devices, Inc.
SUSE, the Novell logo, and the N logo are registered trademarks of Novell, Inc. in the United States and other
countries.
ACS, Red Hat, and the Shadowman logo are trademarks or registered trademarks of Red Hat, Inc. in the U.S.
and other countries.
VMware, the VMware "boxes" logo and design are registered trademarks or trademarks of VMware, Inc. in the
United States and/or other jurisdictions.
J2SE, Java, JDK, JNI, JRE, JVM, S24, Solaris, StorageTek, Sun, ZFS, and all Java-based trademarks are
trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Internet Explorer, Microsoft, Windows Server, Windows, and the Windows logo are trademarks of Microsoft
Corporation in the United States, other countries, or both.
Intel Itanium, Intel, Itanium, Intel logo, Intel Inside logo, and Intel Centrino logo are trademarks or registered
trademarks of Intel Corporation or its subsidiaries in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Linux is a trademark of Linus Torvalds in the United States, other countries, or both.
Other company, product, or service names may be trademarks or service marks of others.
xiv IBM System Storage Tape Encryption Solutions

17. Preface
This IBM® Redbooks® publication gives a comprehensive overview of the IBM System
Storage™ Tape Encryption solutions that started with the TS1120 Tape Drive in 2006 and
have been made available in the TS7700 Virtualization Engine in early 2007. Also in 2007,
the IBM Ultrium Linear Tape-Open (LTO) Generation 4 Tape Drive was announced including
its support for tape data encryption. In 2008, additional enhancements to the tape drives that
support encryption and to key management have been made. This edition of the book has
been updated with information about the TS1130 Tape Drive and the IBM Tivoli® Key
Lifecycle Manager (TKLM).
This publication is intended for System Programmers, Storage Administrators, Hardware and
Software Planners, and other IT personnel involved in planning, implementing, and operating
IBM tape data encryption solutions, and anyone seeking details about tape encryption.
This book also provides practical guidance for how to implement an enterprise-wide
encryption solution. We describe the general concepts of encryption and the implementation
options that are available when using IBM Tape to encrypt tape data. We explain the key
management options, including the Encryption Key Manager, which is a Java™ application
that allows for enterprise-wide keystores and key management across a wide variety of
platforms. We also provide detailed information for planning, implementation, and operation
of tape data encryption for IBM z/OS® and Open Systems hosts.
The team that wrote this book
This book was produced by a team of specialists from around the world working at the
International Technical Support Organization (ITSO), Austin Center.
Babette Haeusser is an IBM Certified IT Specialist and Tape Server Support Specialist at
IBM Deutschland GmbH, Germany. She writes extensively and teaches IBM classes
worldwide on all areas of Enterprise and Open Systems Tape and Tape Virtualization.
Babette joined IBM in 1973 as an application programmer. In 1987, she became an MVS
Systems Engineer and specialized in IBM Storage hardware and software, which she has
supported in various job roles since then. Before joining the ITSO in early 2005, Babette
worked in the Advanced Technical Sales Support team Europe. She led a team of specialists
for Enterprise Storage, while she focused on Enterprise Tape, including tape libraries and
Virtual Tape Servers.
Jonathan Barney is an Enterprise Security Architect with STG Lab Services, and CISSP.
He works extensively on tape encryption customer implementations, and z/OS security
solutions including PKI, TKE, and hardware cryptography. Jonathan joined IBM in August
2000 in the IBM System z® System Test Group. He has held various System z development
and testing roles until moving to Lab Services.
Arthur Colvig is an Advisory Software Engineer with IBM Tivoli in Beaverton, Oregon. He
has 7 years of experience as a Firmware Engineer on the IBM System Storage TS3500 Tape
Library (TS3500 tape library). He currently works on the IBM SAN Volume Controller SMI-S
API. Art joined IBM in 2001 as a Firmware Engineer on the TS3500. His areas of expertise
include storage management, tape libraries and drives, network protocols, and robotics. He
has patents in the areas of tape library virtualization, management security and distributed
system firmware management.
© Copyright IBM Corp. 2008, 2009. All rights reserved. xv

18. The team: Babette, Arthur, and Jonathan
Thanks to the following people for their contributions to this project:
Alex R. Osuna,
IBM International Technical Support Organization, Tucson Arizona
Emma Jacobs, Ann Lund, Sangam Racherla,
IBM International Technical Support Organization
Arthur Bariska, Erika Dawson, Dan Estelle, MaYan Wilt,
IBM Tucson
Timothy Hahn,
IBM Software Architect IBM Rational® Enterprise Tools
Brian Goodman, Steven Hart, Sara Hughes, Khan V. Ngo,
IBM Systems &Technology Group, Systems Software Development
John Peck
IBM Software Group, Tivoli
Jeff Ziehm
IBM LTO/3592, Tape Performance - ATS Americas
xvi IBM System Storage Tape Encryption Solutions

19. Thanks to the authors of the previous editions of this book:
Authors of the first edition, IBM System Storage TS1120 Tape Encryption: Planning,
Implementation, and Usage Guide, published in December 2006:
Anthony Abete, Arthur Bariska, Jonathan M. Barney, Babette Haeusser, Ulrich Nowotny
Authors of the second edition, IBM System Storage Tape Encryption Solutions, published
in March 2008:
Anthony Abete, Babette Haeusser, Burt Loper, Axel Melber
Become a published author
Join us for a two- to six-week residency program! Help write a book dealing with specific
products or solutions, while getting hands-on experience with leading-edge technologies. You
will have the opportunity to team with IBM technical professionals, Business Partners, and
Clients.
Your efforts will help increase product acceptance and customer satisfaction. As a bonus, you
will develop a network of contacts in IBM development labs, and increase your productivity
and marketability.
Find out more about the residency program, browse the residency index, and apply online at:
ibm.com/redbooks/residencies.html
Comments welcome
Your comments are important to us!
We want our books to be as helpful as possible. Send us your comments about this book or
other IBM Redbooks in one of the following ways:
Use the online Contact us review Redbooks form found at:
ibm.com/redbooks
Send your comments in an e-mail to:
redbooks@us.ibm.com
Mail your comments to:
IBM Corporation, International Technical Support Organization
Dept. HYTD Mail Station P099
2455 South Road
Poughkeepsie, NY 12601-5400
Preface xvii

20. xviii IBM System Storage Tape Encryption Solutions

21. Summary of changes
This section describes the technical changes made in this edition of the book and in previous
editions. This edition also includes minor corrections and editorial changes that are not
identified.
Summary of Changes
for SG24-7320-02
for IBM System Storage Tape Encryption Solutions
as created or updated on February 15, 2011.
May 2009, Third Edition
This revision reflects the addition, deletion, or modification of new and changed information.
New information
New information includes:
IBM TS1130 Tape Drive
Tivoli Key Lifecycle Manager
Changed information
Changed information includes:
Updates for TS7700 Encryption
Updates for the Open Systems Tape Library
Updates for System z Software support
© Copyright IBM Corp. 2008, 2009. All rights reserved. xix

22. xx IBM System Storage Tape Encryption Solutions

23. Part 1
Part 1 Introducing IBM tape
encryption solutions
In this part, we introduce you to the IBM data encryption solutions and describe the
underlying concepts and the components that are required for tape encryption. We also
provide you with general planning information.
© Copyright IBM Corp. 2008, 2009. All rights reserved. 1

24. 2 IBM System Storage Tape Encryption Solutions

25. 1
Chapter 1. Introduction to tape encryption
IBM has three tape drives that are capable of encrypting the data that is written on the tape
cartridge:
IBM System Storage TS1130 Model E06 and Model EU6 Tape Drive
IBM System Storage TS1120 Model E05 Tape Drive
IBM System Storage Linear Tape-Open (LTO) Ultrium Generation 4 Tape Drive
In this document, we use abbreviations and refer to the drives as the TS1130 Tape Drive,
TS1120 Tape Drive, and the LTO4 Tape Drive.
The IBM System Storage TS1130 Tape Drive Model E06 and Model EU6 have the capability
to encrypt data on tape cartridges. This encryption capability is standard on all TS1130 Tape
Drives and is available as a chargeable upgrade feature for existing installed TS1120 Model
E05 Tape Drives shipped prior to 8 September 2006. The encryption capability includes drive
hardware, and microcode additions and changes.
The IBM System Storage TS1120 Tape Drive Model E05 shown in Figure 1-1 has the
capability to encrypt data on tape cartridges. The TS1120 Tape Drive Model E05 has been
enhanced to support data encryption. Starting with shipments beginning 8 September 2006,
this encryption capability is standard on all TS1120 Model E05 Tape Drives and is available
as a chargeable upgrade feature for existing installed TS1120 Model E05 Tape Drives
shipped prior to 8 September 2006. The encryption capability includes drive hardware, and
licensed internal code additions and changes.
Figure 1-1 IBM System Storage TS1120 Model E05 Tape Drive
© Copyright IBM Corp. 2008, 2009. All rights reserved. 3

26. The IBM System Storage LTO Ultrium Generation 4 Tape Drive shown in Figure 1-2 has the
capability to encrypt data on tape cartridges. The LTO4 Tape Drive was originally designed to
support data encryption, and therefore, all LTO4 Tape Drives come standard with the data
encryption capability. The encryption capability includes drive hardware, and licensed internal
code additions and changes.
Although the LTO4 drive can read LTO2 and LTO3 cartridges and can write to LTO3
cartridges, LTO Ultrium Generation 4 cartridges are required to support encryption.
Figure 1-2 IBM System Storage LTO Ultrium Generation 4 Tape Drive
Although other encryption solutions require hardware resources or processor power when
using software encryption, tape data encryption is done with little or no impact on the
performance of the TS1130 Tape Drive, TS1120 Tape Drive or the LTO4 Tape Drive. You
can easily exchange encrypted tapes with your business partners or data centers that have
the necessary key information to decrypt the data.
With the original encryption announcement for the TS1120 Tape Drive, IBM also introduced
an IBM Encryption Key Manager (EKM) component for the Java platform feature and is
designed to generate and communicate encryption keys for tape drives across the enterprise.
The feature uses standard key repositories on supported platforms. The IBM tape data
encryption solution provides an enterprise key management solution with common software
for Open Systems and mainframe environments that allows sharing of a common keystore
across platforms. Integration with z/OS policy, key management, and security capabilities
provides a proven, highly secure infrastructure for encryption key management.
With the introduction of the Tivoli Key Lifecycle Manager (TKLM), IBM has made available the
next generation of Key Manager software to enable serving keys to the encrypting tape
drives. TKLM is intended to give a consistent look and feel for Key Management tasks across
the brand, while simplifying those same key management tasks,
The Encryption Facility for z/OS software provides a complementary encryption method for
sharing tape data with business partners who utilize different tape formats (other than
TS1130, TS1120 or LTO4). Encryption Facility for z/OS uses the same secure infrastructure
as used with the TS1130, TS1120 or LTO4, thus, providing a comprehensive solution for
z/OS clients, encrypting data for internal use, and even encrypting data to share with
business partners. Encryption Facility supports decryption of Encryption Facility encrypted
data on all platforms across the brand.
IBM tape data encryption provides high performance data encryption. Encryption is
performed at the tape drive hardware at the native speeds of the drive. It also supports
encryption of large amounts of tape data for backup and archive purposes.
The IBM tape data encryption solution, utilizing theTS1130 Tape Drive, TS1120 Tape Drive
or the LTO4 Tape Drive, offers a cost-effective solution for tape data encryption by offloading
encryption tasks from the servers, leveraging existing tape infrastructure incorporated in
standard IBM Tape Libraries, and eliminating the need for unique appliance hardware.
4 IBM System Storage Tape Encryption Solutions

27. You can greatly simplify your tape data encryption management, because the solution
provides functions that are transparent to your applications when encryption is managed by
the operating system (system-managed encryption) or when encryption is managed by the
tape library (library-managed encryption). For TS1130 and TS1120 encryption, the cartridge
data key is stored in an encrypted form on the tape cartridge. For LTO4 encryption, a pointer
to the data key that is used to encrypt the tape is stored on the tape cartridge. Support of a
single key management approach can help reduce audit and compliance costs.
When taking a closer look at encryption, several of the most important questions that you
want answered are:
How does tape data encryption work?
What should we encrypt, and what should we not encrypt?
Why use tape data encryption? What are the benefits for my organization?
1.1 How tape data encryption works
Encryption, implemented in the tape drive, encrypts the data before it is written to the
cartridge. When tape compression is enabled, the tape drive first compresses the data to be
written and then encrypts it. This method means no loss of capacity with IBM tape data
encryption. If the encryption solution encrypts the data first and then tries to compress the
data, the encrypted data usually compresses very little, if at all.
To encrypt the data, the tape drive requires a key to use. This key is provided by the
Encryption Key Manager in an encrypted form to make the tape data encryption solution
secure.
Figure 1-3 summarizes the process for tape data encryption using TS1130 and TS1120.
1. Load cartridge, specify
encryption
Encryption 2. Tape drive requests a data key
Key
Manager Encrypted “Data Key”
5. Tape drive writes encrypted
3. Key manager 4.Encrypted keys data and stores encrypted data
generates key and transmitted to tape drive key on cartridge
encrypts it
Encrypted “Data Keys”
Figure 1-3 TS1120 and TS1130 tape data encryption process flow
Figure 1-4 on page 6 summarizes the LTO4 tape data encryption process flow.
Chapter 1. Introduction to tape encryption 5

28. 1. Load cartridge, specify
encryption
Encryption 2. Tape drive requests a data key
Key
Manager
5. Tape drive decrypts the data
key, writes encrypted data and
3. Key manager keyid on the cartridge
4.Encrypted data key
retrieves key and transmitted to tape drive
encrypts it for
transmission
LTO 4 Encryption
Encrypted “Data Key”
Figure 1-4 LTO4 tape data encryption process
For a detailed description of these processes, refer to Chapter 2, “IBM tape encryption
methods” on page 23.
1.2 What to encrypt
Since 2005, over 250 million consumers have been notified of potential security breaches
regarding personal information. The source for this information is:
http://www.Privacyrights.org
The loss of computer backup tapes is one type of event that triggers consumer notification.
This has led to increasing data protection requirements as indicated in Figure 1-5.
Data Center
Secondary Site
Business Partners
In Transit
Figure 1-5 Client data protection requirements
6 IBM System Storage Tape Encryption Solutions

29. What should you encrypt, and just as important, what should you not encrypt? The focus on
data security is an ever-increasing:
California is generally considered the first state to implement a law requiring disclosure of
security breaches (July, 2003).
Legislation has been enacted by 38 states that requires notification in cases of security
breaches. The source for this is:
http://www.Privacyrights.org
Similar federal legislation has been proposed. The source for this is:
http://www.epic.org/privacy/bill_track.html
Data protection requirements are driven by a variety of reasons. In addition to regulatory
requirements that are driving the need for greater data security, integrity, retention,
auditability, and privacy, the reasons for increasing data protection are:
Severe business impacts that might be caused by loss or theft of data, including financial
liability, reputation damage, legal risk, and compliance risk
Requirement to share data securely with IBM Business Partners and maintain backups at
remote locations is increasing
Requirement to reduce complexity and improve processes around enterprise encryption
management is increasing
Requirement to cost-effectively encrypt large quantities of tape data
The additional drivers for encryption in financial services are:
A riskier environment
Internet Banking, for example, relies on open networks with multiple access points to
conduct business in real time to drive down costs and improve response times to revenue
generating opportunities.
Growing regulatory burden, such as:
– Gramm-Leach-Bliley Act (GLBA) of 1999
– California Law No. SB 1386
– FCRA/FACTA amendments
– Basel II
Not all of the regulations specifically require the use of stored data encryption. However,
many organizations are implementing encryption for their protected information in
conjunction with other security layers to protect Personally-Identifiable Information.
Maturing industry standards, such as the Payment Card Industry (PCI) Data Security
Standard (DSS)
In summary, simply encrypt everything that you can encrypt and still be able to recover data
in event of a disaster. As long as system data can be separated from application data,
encrypting everything with no performance impact is easier than choosing which data falls
into which legislation for encryption, and trying to keep current on the dynamic privacy rights
rules and regulations.
1.3 Why use tape data encryption
Tape data encryption is used to hide and protect sensitive data. If tape data on cartridges
leaves data centers, the data is no longer protected through Resource Access Control Facility
(RACF®) or similar access protection mechanisms. Tape data encryption can help fulfill
Chapter 1. Introduction to tape encryption 7