IBM DS8800 Introduction And Planning Manual page 95

obtain the data key, wraps the data key with the storage device public key
to create an SEDK, and returns an SEDK to the storage device.
The storage device does not maintain a persistent copy of the data key. Therefore,
the storage device must access the Tivoli Key Lifecycle Manager to encrypt or
decrypt data. Different key life cycles are appropriate for different types of storage
devices. For example, the EEDKs for a removable media device might be stored on
the media when it is initially written and the data key removed from immediate
access when the media is dismounted such that each time the media is remounted,
the storage device must communicate with the Tivoli Key Lifecycle Manager to
obtain the data key. The EEDKs for a nonremovable storage device might be stored
as persistent metadata within the storage device. The data key can become
inaccessible when the storage device is powered off. Each time the storage device
is powered on, it must communicate with the Tivoli Key Lifecycle Manager to
obtain the data key. When the wrapped key model is used, access to data that is
encrypted with a data key requires access to both the EEDKs and the Tivoli Key
Lifecycle Manager with the private key that is required to decrypt the EEDKs to
obtain the data key.
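The wrapped key model described above, shown as an added example that is not part of the IBM manual or of the TKLM product code: a small Go simulation in which the key server holds the private key that unwraps EEDKs, the storage device persists only its own key pair and the EEDK, and the plaintext data key exists only in the device's volatile memory, so every power-on has to go back through the key server. The type and function names (KeyServer, StorageDevice, Provision, Serve, PowerOn, DataKey) and the choice of RSA-OAEP for key wrapping are this example's own assumptions; the manual does not state which wrapping algorithm TKLM uses.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// KeyServer stands in for the Tivoli Key Lifecycle Manager; its private key is the
// only thing that can unwrap an EEDK. All types here are illustrative, not TKLM's API.
type KeyServer struct{ priv *rsa.PrivateKey }

// StorageDevice stands in for a self-encrypting drive: it persists only its key pair
// and the EEDK, while the plaintext data key lives in volatile memory only.
type StorageDevice struct {
	priv    *rsa.PrivateKey
	eedk    []byte // persistent metadata written at enrollment
	dataKey []byte // nil whenever the device is powered off
}

func genKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func NewKeyServer() *KeyServer         { return &KeyServer{priv: genKey()} }
func NewStorageDevice() *StorageDevice { return &StorageDevice{priv: genKey()} }

// wrap and unwrap are RSA-OAEP key wrapping under a public/private key pair.
func wrap(pub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
}

func unwrap(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob, nil)
}

// Provision generates a fresh 256-bit data key and releases it only as an EEDK
// (wrapped under the server's own public key) for the device to store as metadata.
func (ks *KeyServer) Provision() ([]byte, error) {
	dk := make([]byte, 32)
	if _, err := rand.Read(dk); err != nil {
		return nil, err
	}
	return wrap(&ks.priv.PublicKey, dk)
}

// Serve is the power-on (or remount) exchange: the device presents its EEDK, the
// server unwraps it with its private key and re-wraps the data key as an SEDK.
func (ks *KeyServer) Serve(eedk []byte, devPub *rsa.PublicKey) ([]byte, error) {
	dk, err := unwrap(ks.priv, eedk)
	if err != nil {
		return nil, errors.New("key server: EEDK was not wrapped under this server's key")
	}
	return wrap(devPub, dk)
}

// Enroll stores the EEDK as device metadata and performs the first key fetch.
func (d *StorageDevice) Enroll(ks *KeyServer) (err error) {
	if d.eedk, err = ks.Provision(); err != nil {
		return err
	}
	return d.PowerOn(ks)
}

// PowerOff discards the volatile data key; the stored EEDK alone cannot restore it.
func (d *StorageDevice) PowerOff() { d.dataKey = nil }

// PowerOn must reach the key server with the matching private key; nil models an unreachable TKLM.
func (d *StorageDevice) PowerOn(ks *KeyServer) error {
	if ks == nil {
		return errors.New("device: key server unreachable, data stays inaccessible")
	}
	sedk, err := ks.Serve(d.eedk, &d.priv.PublicKey)
	if err != nil {
		return err
	}
	d.dataKey, err = unwrap(d.priv, sedk)
	return err
}

// DataKey returns the in-memory data key, or an error while the device is powered off.
func (d *StorageDevice) DataKey() ([]byte, error) {
	if d.dataKey == nil {
		return nil, errors.New("device: no data key in memory")
	}
	return d.dataKey, nil
}

func main() {
	ks, dev := NewKeyServer(), NewStorageDevice()
	fmt.Println("enroll:", dev.Enroll(ks))
	dev.PowerOff()
	fmt.Println("power-on without TKLM:", dev.PowerOn(nil))
	fmt.Println("power-on via a different TKLM:", dev.PowerOn(NewKeyServer()))
	fmt.Println("power-on via the right TKLM:", dev.PowerOn(ks))
}
```

Running main prints one line per step. The two failing power-on attempts are the point: with the key server unreachable, or with a server that does not hold the matching private key, the EEDK sitting on the device cannot be turned back into a data key, which is why the manual says access to the data needs both the EEDKs and the Tivoli Key Lifecycle Manager that holds the private key.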
Note: On zSeries platforms, the length of the key labels is limited to 32 characters
when the Tivoli Key Lifecycle Manager is configured to use a RACF-based
key method (either JCERACFKS or JCECCARACFKS). You must limit key
labels to 32 characters on those key servers and on storage devices
that must interoperate or share keys with zSeries key servers using
RACF-based key methods.
IBM Tivoli Key Lifecycle Manager server
The IBM Tivoli Key Lifecycle Manager (TKLM) server is available with feature
code 1760. A TKLM license is required for use with the TKLM software. The
software is purchased separately from the TKLM isolated server hardware.
The TKLM server runs on the Linux operating system (SUSE Linux Enterprise
Server 10 Service Pack 3). You must register for Linux support with Novell. Go to
support.novell.com/contact/getsupport.html. Contact Novell directly for all
Linux-related problems.
The TKLM server consists of software and hardware:
Hardware
The TKLM server hardware is a specially configured xSeries
incorporated into the DS8000 as hardware feature code 1760. For
hardware-related problems, contact the IBM hardware support for
assistance. Be prepared to provide the correct DS8000 machine type and
serial number for which feature code 1760 is a part.
Software
The TKLM server includes licensed TKLM software, which you order
separately. For TKLM-related problems, contact IBM software support. Be
prepared to provide the software product identification (PID) when you
call for assistance.
TKLM installation
The TKLM server is installed and configured by the IBM Lab Services group. After
the TKLM server is configured, each installation receives key settings of
Chapter 3. Data management features
73
