z/OS Security and PKI services

More documents

Recommendations

Info

Agenda• z/OS 1.7 – Integrated IP security► AT-TLS► IPSec• z/OS PKI Services• Encryption Facility for z/OS• IBM Data Encryption for IMS and DB2 Databases V1.12807.04.2006 IBM SystemsThe issue• Secure data requirements driven by►Sarbanes-Oxley & Co.►Competition ?►External and internal threats►. . .• any solution has challenges in this environment►Performance overhead►Key management►Application changes• Solution offered :►IBM Data Encryption for IMS and DB2 Databases● 5655-P03 Version 1.1 GA December 9 , 2005►Implemented using an IMS or DB2 exit● DECENC01 for IMS, Segment Edit/Compression exit specified in DBDCOMPRTN parameter DECENA01 for clear key support (APAR PQ94822)● DECENC00 for DB2, EDITPROC exit specified in EDITPROC clause ofthe SQL CREATE TABLE statement DECENA00 for clear key support (APAR PQ94822)User's Guide (SC18-7336-01)http://www-1.ibm.com/support/docview.wss?rs=434&context=SSZJXP&uid=swg27005552&loc=en_US&cs=utf-8&lang=en2907.04.2006 IBM Systems
EnvironmentDB2 V8 EngineSQL orUtility( Batch Job )DataEncryption( EDITPROC )z/OS 1.4+ with Features (*)Hardware CryptoFeature:- CEXC2 (z9-109)- PCXICC ( z990 )- CCF ( z900 )ICSF ServiceDB2TableDB2TableNo ENCRYPTIONCaseENCRYPTIONCase• IBM zSeries Processors ( z9-109, z990, z890, z900 )► Hardware Cryptographic Features which supports “Secure Key” (clear key with PQ94822 + PQ93943)● z9-109 : CEX2CC● z990 : PCIXCC● Z900 : CCF• IBM z/OS V1R4+ with following Features (*) installed;► z990 and z890 Enhancements to Cryptographic Support► z/OS V1R4 z990 Exploitation Support• IBM Middleware Products;► DB2 for z/OS Version 6 or higher► IMS, Version 6 or higherz9-109, z990 or z900 LPARDisks3007.04.2006 IBM SystemsInstallation Steps• Set up and validate crypto hardware► Validate? If from ICSF menu, Utility option for Random Number works, ICSF and secure crypto hardwareworks● Clear key support with APAR PQ94822 + PQ93943• Generate and then store (in the CKDS) a triple DES encryption key for use► Use ICSF Key Generation Utility Program, KGUP► Read ICSF Administrator's Guide• Build the IMS or DB2 user exit, specifying the key name defined in step above• Back up your data• Unload your data• Create/install the exit• Reload the data, during which process the data is encrypted• Validate your output3107.04.2006 IBM Systems
Page 1: z/OS Security andPKI servicesThomas
Page 5 and 6: Tutorial907.04.2006 IBM SystemsWhat
Page 7 and 8: Certificate Life Cycle - this is wh
Page 9 and 10: z/OS R.7 - enhanced functions• En
Page 12 and 13: Technical detail of Encryption Serv
Page 16 and 17: Build DB2 user exit• “Data Encr
Page 18 and 19: IBM Security Strategy• Mainframe

z/OS Security and PKI services

Create successful ePaper yourself

Delete template?

Save as template?