Chapter 9. Planning For Security; Planning For Data Encryption; Planning For Encryption-Key Servers - IBM DS8882F Introduction And Planning Manual

Chapter 9. Planning for security

The storage system provides functions to manage data secrecy and networking
security, including data encryption, user account management, and functions that
enable the storage system to conform with NIST SP 800-131A requirements.

Planning for data encryption

The storage system supports data encryption by using IBM Security Key Lifecycle
Manager key servers.
To enable disk encryption, the storage system must be configured to communicate
with two or more IBM Security Key Lifecycle Manager key servers. The physical
connection between the Hardware Management Console (HMC) and the key server
is through an Internet Protocol network.
Planning for encryption is a customer responsibility. There are three major
planning components to the implementation of an encryption environment. Review
all planning requirements and include them in the installation considerations.

Planning for encryption-key servers

Two encryption-key servers and associated software are required for each site that
has one or more encryption-enabled storage systems.
One encryption-key server must be isolated. An isolated encryption-key server is a
set of dedicated server resources that run only the encryption-key lifecycle
manager application and its associated software stack. This server is attached
directly to dedicated non-encrypting storage resources containing only key server
code and data objects.
The remaining key servers can be of any supported key-server configuration. Any
site that operates independently of other sites must have key servers for the
encryption-enabled storage systems at that site.
Important: You are responsible for replicating key labels and their associated key
material across all key servers that are attached to the encryption-enabled storage
system before you configure those key labels on the system.
You can configure each encryption-enabled storage system with two independent
key labels. This capability allows the use of two independent key-servers when one
or both key-servers are using secure-key mode keystores. The isolated key-server
can be used with a second key-server that is operating with a secure-key mode
keystore.
For dual-platform key server support, the installation of IBM Security Key
Lifecycle Manager interim fix 2 (V1.0.0.2 or later) is recommended to show both
key labels in the DS8000 Storage Management GUI. If you intend to replicate keys
between separate IBM Z sysplexes by using ICSF with the JCECCARACFKS
keystore in secure-key mode and with the secure-key configuration flag set in IBM
Security Key Lifecycle Manager, then IBM Security Key Lifecycle Manager 3
(V1.0.0.3 or later) is required.
© Copyright IBM Corp. 2018
111