Chapter 9. Security; Encryption; Encryption-Key Servers - IBM DS8900F Introduction And Planning Manual

Chapter 9. Planning for security

The storage system provides functions to manage data secrecy and networking security, including data
encryption, user account management, and functions that enable the storage system to conform with
NIST SP 800-131A requirements.

Planning for data encryption

The storage system supports data encryption by using IBM Security Key Lifecycle Manager key servers.
To enable disk encryption, the storage system must be configured to communicate with two or more IBM
Security Key Lifecycle Manager key servers. The physical connection between the Hardware Management
Console (HMC) and the key server is through an Internet Protocol network.

Planning for encryption is a customer responsibility. There are three major planning components to the
implementation of an encryption environment. Review all planning requirements and include them in the
installation considerations.

Planning for encryption-key servers

Two encryption-key servers and associated software are required for each site that has one or more
encryption-enabled storage systems.

One encryption-key server must be isolated. An isolated encryption-key server is a set of dedicated server
resources that run only the encryption-key lifecycle manager application and its associated software
stack. This server is attached directly to dedicated non-encrypting storage resources containing only key
server code and data objects.

The remaining key servers can be of any supported key-server configuration. Any site that operates
independently of other sites must have key servers for the encryption-enabled storage systems at that
site.

For DS8000 encryption environments, a second Hardware Management Console (HMC) should be
configured for high availability.

Important: You are responsible for replicating key labels and their associated key material across all key
servers that are attached to the encryption-enabled storage system before you configure those key labels
on the system.

You can configure each encryption-enabled storage system with two independent key labels. This
capability allows the use of two independent key-servers when one or both key-servers are using
secure-key mode keystores. The isolated key-server can be used with a second key-server that is
operating with a secure-key mode keystore.

For dual-platform key server support, the installation of IBM Security Key Lifecycle Manager interim fix 2
(V1.0.0.2 or later) is recommended to show both key labels in the DS8000 Storage Management GUI. If
you intend to replicate keys between separate IBM Z sysplexes by using ICSF with the JCECCARACFKS
keystore in secure-key mode and with the secure-key configuration flag set in IBM Security Key Lifecycle
Manager, then IBM Security Key Lifecycle Manager 3 (V1.0.0.3 or later) is required.

To enable encryption on a storage system with version 8.1 (88.10.112.0) or later using TKLM or SKLM,
you must upgrade to one of the following versions of TKLM or SKLM that has the Gen2 CA root installed:

• TKLM version 2.0.1 or later on Open Systems
• SKLM (all versions) on Open Systems
• SKLM version 1.1.0.2 or later on z/OS
This SKLM/TKLM upgrade requirement applies to DS8000 shipped with version 8.1 (88.10.112.0) and
later.
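
The key-server requirements in this section can be checked against a site inventory before encryption is enabled. The following Python sketch is an added example, not IBM code or part of the manual; the inventory fields, server names and key label are constructed, and the label rule it applies (every key server must hold at least one configured label) is an assumption drawn from the replication note and the two-label paragraph above.

```python
# Added planning check; inventory layout and sample values are constructed.
# Minimum TKLM/SKLM versions carrying the Gen2 CA root, as listed in this
# section. None means every version qualifies.
MIN_VERSION = {
    ("TKLM", "open"): (2, 0, 1),
    ("SKLM", "open"): None,
    ("SKLM", "zos"): (1, 1, 0, 2),
}

def parse_version(text):
    """Turn '1.1.0.2' into (1, 1, 0, 2) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def check_site(servers, configured_labels):
    """Return planning findings for one site; an empty list means it passes."""
    findings = []
    if len(servers) < 2:
        findings.append("fewer than two key servers at this site")
    if not any(s["isolated"] for s in servers):
        findings.append("no isolated key server")
    if not 1 <= len(configured_labels) <= 2:
        findings.append("a storage system takes one or two key labels")
    for s in servers:
        key = (s["product"], s["platform"])
        if key not in MIN_VERSION:
            findings.append(f"{s['name']}: {key} is not in the version list")
        elif MIN_VERSION[key] and parse_version(s["version"]) < MIN_VERSION[key]:
            findings.append(f"{s['name']}: version {s['version']} is too old")
        # Assumption: each server must already hold at least one of the
        # labels that will be configured on the storage system.
        if not set(s["labels"]) & set(configured_labels):
            findings.append(f"{s['name']}: holds none of the configured labels")
    for label in configured_labels:
        if not any(label in s["labels"] for s in servers):
            findings.append(f"label {label} is on no key server")
    return findings

# Constructed inventory: the z/OS server is one fix level short and has not
# yet received the key label.
SAMPLE_SITE = [
    {"name": "ks-isolated", "product": "SKLM", "platform": "open",
     "version": "2.7", "isolated": True, "labels": ["EXAMPLE_LABEL_A"]},
    {"name": "ks-zos", "product": "SKLM", "platform": "zos",
     "version": "1.1.0.1", "isolated": False, "labels": []},
]

if __name__ == "__main__":
    for finding in check_site(SAMPLE_SITE, ["EXAMPLE_LABEL_A"]):
        print(finding)
```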
© Copyright IBM Corp. 2019