IBM z14 / Dataset Encryption

Presentation on theme: "IBM z14 / Dataset Encryption"— Presentation transcript:

1 IBM z14 / Dataset Encryption
Arnaud MANTE IBM z/OS IT Specialist

2 Multiple layers of encryption
Layers, ordered from highest complexity and security control to broadest coverage:
- App Encryption: hyper-sensitive data
- Database Encryption: protection for very sensitive in-use (DB level), in-flight and at-rest data
- File or Dataset Level Encryption: broad coverage for sensitive data, using encryption tied to access control for in-flight and at-rest data protection
- Full Disk and Tape Encryption: 100% coverage for at-rest data with zero host CPU cost

3 Data Protection // z/OS Dataset Encryption
Protection of data at-rest
[Diagram: z/OS (DB2, IMS, zFS, etc.) with CPACF, CF, Storage System, SAN, Network; LinuxONE/Linux on z]
z/OS Dataset Encryption:
- Application transparent and enabled by policy
- Encryption tied to fine-grained access control
- Host encryption via CPACF as data is written to or read from disk
- Supports extended format sequential and VSAM
- Includes HSM and DSS migration/backup of encrypted data sets
- Replicated data remains encrypted
- Supports: CICS, DB2, IMS, Logger and zFS
- In-memory system or application data buffers will not be encrypted
Client Value Proposition: Reduced cost of encryption along with simple policy controls allows clients to enable extensive encryption to protect data in mission critical databases including DB2, IMS and VSAM.
Text from IBM z/OS Version 2 Release 2 enhancements and statements of direction (IBM United States Software Announcement, dated October 4, 2016): "IBM plans to deliver application transparent, policy-controlled dataset encryption in IBM z/OS. IBM DB2 for z/OS and IBM Information Management System (IMS) intend to exploit z/OS dataset encryption." As indicated above, IBM plans to support z/OS data set encryption for DB2, IMS and CICS (e.g. CICS VSAM) data, as well as sequential data (BSAM, QSAM) for batch workloads (see page 30 & 31 for more details). Data sets must be extended format BSAM, QSAM or VSAM.

4 Data Protection // Coupling Facility Encryption
z/OS 2.3
Protection of data in-flight and in-use (CF)
[Diagram: z/OS Parallel Sysplex cluster, XES and CPACF on each host, CF, Storage System, SAN, Network]
End-to-End encryption of CF Data:
- Host protected-key CPACF encryption (high performance / low latency)
- Data is encrypted in the host and remains encrypted until decrypted by the host
- No application enablement required
- List & Cache structures only – no Lock structures!
Client Value Proposition: Simplify and reduce the cost of compliance by removing the CF and CF data from compliance scope (i.e. ability to encrypt all CF data).

5 Data Protection // z/OS Network Security
Protection of data in-flight
[Diagram: App A and App B on z/OS with COMM SERVER, CF, Storage System, SAN, Network; LinuxONE/Linux on z]
Communication Server z Encryption Readiness Technology (zERT):
- A z/OS administrator can determine when network traffic meets specified policy with new discovery and reporting capabilities
- Currently there is no single method to easily determine which application traffic patterns are protected
Client Value Proposition: Not all organizations use host-based network encryption today. Reduced cost of encryption enables broad use of network encryption, and enhanced audit simplifies compliance.

6 Data Protection // Existing Disk Encryption
Protection of data at-rest
[Diagram: z/OS systems, CF, Network, SAN, Storage System; LinuxONE/Linux on z]
DS8000 Disk Encryption:
- Encrypting disk drives protect data at rest when disk drives are retired, sent for repair or repurposed
- Once the key has been served to the storage system, any system connecting to the storage system can retrieve unencrypted data

7 Data Protection // Linux on z File Encryption
Submitted Upstream
Protection of data at-rest
[Diagram: z/OS, CF, Storage System, SAN, Network; LinuxONE/Linux on z with DB server, block device encryption, CPACF]
Linux on z and LinuxONE Focus on Transparent Enablement:
- Transparent data encryption optimized with z14 CPACF hardware performance gains
- Leverage industry-unique CPACF encryption, which prevents raw key material from being visible to the OS and applications
Client Value Proposition: Integration of hardware accelerated crypto into standard components for wide reach into solutions.
Status: dm-crypt enhancements for CPACF protected-key submitted upstream

8 Data Protection // Linux on z Network Security
Submitted Upstream
Protection of data in-flight
[Diagram: z/OS, CF, Storage System, SAN, Network; LinuxONE/Linux on z with OpenSSL, Java or GSKIT app, CPACF]
Linux on z and LinuxONE Focus on Transparent Enablement:
- Transparently accelerate TLS & IPSec using CPACF & SIMD to leverage hardware performance gains
Client Value Proposition: Not all organizations use host-based network encryption today… reduced cost of encryption enables broad use of network encryption.
Status: dm-crypt enhancements for CPACF protected-key submitted upstream

9
- Hardware / HMC
- z/OS parmlib
- ICSF part
- RACF part
- DFSMS configuration
- Demo and test
- Which keys? How? When? Where?
- Master key management and backups

10 How to encrypt an existing data set?

11 Be careful in case of restore or move!!!

12 How to create an encrypted data set?
In order of preference:
- Using RACF
- Through a JCL with the new label: DSKEYLBL
- Using the SMS / ACS routines
All data sets must be extended format and SMS-managed!

13 HMC – hardware part
Assign the crypto card to your LPAR

14 Crypto card is now assigned to your LPAR.

15 PARMLIB configuration
PARMLIB member CSFPRMxx:
  CKDSN(SYSP.CSFCKDS)
  PKDSN(SYSP.CSFPKDS)
  DOMAIN(4)          (link to the physical crypto card)
PARMLIB member IGDSMSxx:
  ACSDEFAULTS = ON
PARMLIB member CTICSFxx:
  TRACEOPTS ON BUFSIZE(2M) OPTIONS('ALL')

16 ICSF
- Definition of the data sets: CKDS & PKDS
- Creation of the master key
- Creation of the key label
- Load the key
- Check your ICSF status

17 CKDS & PKDS data sets
Create your two data sets:
//DEFINE   EXEC PGM=IDCAMS,REGION=4M
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  DEFINE CLUSTER (NAME(SYSD.CSF.CSFCKDS) -
                  VOLUMES(BA0C01) -
                  RECORDS(100 50) -
                  RECORDSIZE(372,2048) -
                  KEYS(72 0) -
                  FREESPACE(10,10) -
                  SHAREOPTIONS(2 3)) -
         DATA (NAME(SYSD.CSF.CSFCKDS.DATA) -
               BUFFERSPACE(100000) -
               ERASE -
               WRITECHECK) -
         INDEX (NAME(SYSD.CSF.CSFCKDS.INDEX))
  ...

18 Master Key management
Start ICSF:
CSFM100E CRYPTOGRAPHIC KEY DATA SET, SYSP.CSFCKDS IS NOT INITIALIZED.
CSFM101E PKA KEY DATA SET, SYSP.CSFPKDS IS NOT INITIALIZED.

19 ICSF: Master Key initialization

20 Master Key management
Stop and start ICSF:
CSFM129I MASTER KEY DES ON CRYPTO EXPRESS5 COPROCESSOR 5C00, SERIAL NUMBER DV4CX413, IS CORRECT

21 Key Label – KGUP: Key Generator Utility Processes is your friend!!

22 Create the Key Label:

23 Submit the Key Label:
//ICSF     JOB CLASS=A,REGION=4M,
//         MSGLEVEL=(1,1),MSGCLASS=X,NOTIFY=&SYSUID
//*
//KGUP     EXEC PGM=CSFKGUP,PARM=('SSM')
//CSFCKDS  DD DSN=SYSP.CSFCKDS,
//         DISP=OLD
...

24 Refresh the Key Label:
Log output: CSFM653I CKDS LOADED 2 RECORDS WITH AVERAGE SIZE 248
JCL output: ...

25 Double check! Don't go further if you don't see your key label when you do a "view" on your CSFCKDS data set, or use another utility such as print!!!

26 SMS – ACS routines
- Update the ACS routines
- Create a specific data class for crypto

27 SMS – ACS routines
PROC DATACLAS
  FILTLIST VSAMBIG INCLUDE (OMVSSMPE.**, ... 'SOFT.SMPE.ORDER')
  FILTLIST RRS     INCLUDE (IXGLOGR*.**,HZS.**,SMPENTS.**)
  FILTLIST CRYPTO  INCLUDE (MPLBANK.**)
  SELECT
    WHEN (&DSN=&CRYPTO) SET &DATACLAS='DSCRYPTO'
    WHEN (&DSN=&RRS)    SET &DATACLAS='RRSDC'
    OTHERWISE           SET &DATACLAS = ''
  END
END  /* end of PROC DATACLAS */

28 SMS – ACS routines

29 RACF
ALTDSD 'MANTE.TEST.*' UACC(NONE) DFP(RESOWNER(MANTE) DATAKEY(LABEL.FOR.CRYPTO))
RDEFINE CSFKEYS LABEL.FOR.CRYPTO UACC(NONE)
PERMIT LABEL.FOR.CRYPTO CLASS(CSFKEYS) ID(CRYPTRD) ACCESS(READ)
PERMIT LABEL.FOR.CRYPTO CLASS(CSFKEYS) ID(CRYPTWR) ACCESS(ALTER)
RALTER CSFKEYS LABEL.FOR.CRYPTO ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))

30 RACF
********************************* Top of Data **************************
INFORMATION FOR DATASET MANTE.TEST.* (G)

LEVEL  OWNER    UNIVERSAL ACCESS   WARNING   ERASE
-----  -----    ----------------   -------   -----
 00    SYS      NONE               NO        NO

AUDITING
--------
FAILURES(READ)

NOTIFY
------
NO USER TO BE NOTIFIED

YOUR ACCESS  CREATION GROUP  DATASET TYPE
-----------  --------------  ------------
ALTER        SYS             NON-VSAM

NO INSTALLATION DATA

DFP INFORMATION
---------------
RESOWNER= MANTE
DATAKEY= LABEL.FOR.CRYPTO
******************************** Bottom of Data ************************
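The LISTDSD display above is what you would check across many data set profiles when rolling out data set encryption. As an added example (not part of the presentation), this Python script parses LISTDSD output, extracts the UACC and the DFP DATAKEY of each profile, and flags profiles with no DATAKEY or with a UACC other than NONE; the second profile (PAYROLL.PROD.**) and the trimmed column layout are constructed for illustration.

```python
import re

# Constructed sample input, trimmed to the relevant lines: the LISTDSD output
# from the slide (MANTE.TEST.*) plus a hypothetical profile with no DATAKEY.
LISTDSD_OUTPUT = """\
INFORMATION FOR DATASET MANTE.TEST.* (G)
LEVEL  OWNER    UNIVERSAL ACCESS   WARNING   ERASE
-----  -----    ----------------   -------   -----
 00    SYS      NONE               NO        NO
DFP INFORMATION
---------------
RESOWNER= MANTE
DATAKEY= LABEL.FOR.CRYPTO
INFORMATION FOR DATASET PAYROLL.PROD.** (G)
LEVEL  OWNER    UNIVERSAL ACCESS   WARNING   ERASE
-----  -----    ----------------   -------   -----
 00    SYS      READ               NO        NO
"""

PROFILE_RE = re.compile(r"^INFORMATION FOR DATASET (\S+)", re.M)
# Header line, dashed underline, then the data line: LEVEL OWNER UACC ...
UACC_RE = re.compile(r"^LEVEL\s+OWNER\s+UNIVERSAL ACCESS.*\n-.*\n\s*\S+\s+\S+\s+(\S+)", re.M)
DATAKEY_RE = re.compile(r"^DATAKEY=\s*(\S+)", re.M)

def audit_listdsd(output: str) -> list:
    """Split LISTDSD output per profile; report UACC, DFP DATAKEY and findings."""
    results = []
    hits = list(PROFILE_RE.finditer(output))
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(output)
        block = output[hit.start():end]
        uacc_m, key_m = UACC_RE.search(block), DATAKEY_RE.search(block)
        entry = {"profile": hit.group(1),
                 "uacc": uacc_m.group(1) if uacc_m else None,
                 "datakey": key_m.group(1) if key_m else None,
                 "findings": []}
        if entry["datakey"] is None:
            entry["findings"].append("no DATAKEY in DFP segment: RACF assigns no key label")
        if entry["uacc"] != "NONE":
            entry["findings"].append(f"UACC is {entry['uacc']}, expected NONE")
        results.append(entry)
    return results

if __name__ == "__main__":
    for r in audit_listdsd(LISTDSD_OUTPUT):
        print(r["profile"], r["datakey"], "; ".join(r["findings"]) or "OK")
```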

31 How to know if a data set is encrypted or not?
In front of a data set, enter the command: LISTC EN(/) ALL
- Not encrypted: [screenshot]
- Encrypted with SMS rules: [screenshot]
- Encrypted with a RACF or JCL key label: [screenshot]

32

33 Encryption process overview:
1. Generate an encryption key and key label and store it in the CKDS. Allow the secure key to be used as a protected key via the ICSF segment (SYMCPACFWRAP, SYMCPACFRET).
2. Set up for use of the key label in RACF: grant access to the key label.
3. Associate the key label with the desired data set(s): in RACF, alter the DFP segment in the data set profile (DATAKEY()); in DFSMS, assign it to a data class.
4. Migrate to encrypted data:
   - DB2: online reorg (non-disruptive)
   - IMS HA Database: online reorg (non-disruptive)
   - zFS container: zfsadmin encrypt (non-disruptive)
   - VSAM or sequential data set: stop the application, copy the data, restart the application

34 Demo time!

35 Sample TSO users: not encrypted vs. encrypted (MANTE)
- MANTE: ALTER access for the key label, ALTER in RACF for the data set: READ, WRITE, DELETE
- TSOMANT: READ access for the key label: READ, DELETE
- STGADMN: NONE access for the key label: NOT READ but DELETE

36 Ready to understand how the "keys" mechanism works?

37 Master key management and backups
- Master Key: backed up alone: useless!!
- CKDS: backed up alone: useless!!
- Master Key + CKDS: essential!

38 Why pervasive encryption?
- Do I trust my "outsourcer"?
- Who can really access/read my disks and data?

39 Thank you Arnaud MANTE IT Specialist, IBM Z

