Build DB2 user exit

• "Data Encryption" product and ICSF cryptographic key settings
► "Data Encryption" product
● Link-edit with the SYSLMOD load module name DB2DEXIT.
● A 10-byte string, "ICSFDB2KEY", is set into the load module with the AMASPZAP utility (in the JCL below the product's DECENC02 exec drives AMASPZAP for you).
● The load module is placed in the DB2 SDSNEXIT library data set.
► "Key" settings on the z/OS ICSF component
● User key: a 24-byte Triple DES key, generated with the KGUP utility and stored in the CKDS under the label ICSFDB2KEY (the 10-byte string zapped into the exit above).
● Master key: generated from the string "ABCDEFGHIJKLMNOP" as the pass phrase. This is a demonstration value; a production master key must not come from a guessable pass phrase.
● The "Data Encryption" product currently requires a master key for the "Secure Key" capability.

[ Link-edit JCL ]
//LINK     EXEC PGM=IEWL,PARM='LIST,XREF,RENT'
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SDECLMD0 DD DSN=DSN810.ENCRYPT.SDECLMD0,DISP=SHR
//SCSFMOD0 DD DSN=CSF.SCSFMOD0,DISP=SHR
//SYSUT1   DD UNIT=SYSALLDA,SPACE=(1024,(50,50))
//SYSLMOD  DD DSN=DSN810.DB8A.SDSNEXIT(DB2DEXIT),DISP=SHR
//SYSLIN   DD *
 ENTRY DECENC00
 INCLUDE SDECLMD0(DECENC00)
 INCLUDE SCSFMOD0(CSNBENC)
 INCLUDE SCSFMOD0(CSNBDEC)
 NAME DB2DEXIT(R)
//*

[ AMASPZAP JCL ]
//BATCHTSO EXEC PGM=IKJEFT01,DYNAMNBR=25,REGION=0M,COND=EVEN
//SYSLIB   DD DISP=SHR,DSN=DSN810.DB8A.SDSNEXIT
//ISPLLIB  DD DISP=SHR,DSN=SYS1.MIGLIB          ** For ZAP PGM AMASPZAP **
//ISPPLIB  DD DISP=SHR,DSN=DSN810.ENCRYPT.SDECPLIB
//ISPSLIB  DD DISP=SHR,DSN=DSN810.ENCRYPT.SDECSLIB
//ISPMLIB  DD DISP=SHR,DSN=DSN810.ENCRYPT.SDECMLIB
//         DD DISP=SHR,DSN=ISP.SISPMENU
//ISPTLIB  DD DISP=SHR,DSN=USER1.ISPF.ISPPROF
//         DD DISP=SHR,DSN=ISP.SISPTENU
//SYSEXEC  DD DISP=SHR,DSN=DSN810.ENCRYPT.SDECCEXE
//ISPPROF  DD DISP=SHR,DSN=USER1.ISPF.ISPPROF
//SYSTSPRT DD SYSOUT=*
//ISPLOG   DD SYSOUT=*,DCB=(BLKSIZE=800,LRECL=80,RECFM=FB)
//SYSTSIN  DD *
 PROFILE PREFIX(USER1)
 ISPSTART CMD(%DECENC02 DB2 DB2DEXIT -ICSFDB2KEY )
//*

IBM Systems, 07.04.2006

Summary

• Not an integrated solution, but well tested and the best available
• Replaces any EditProc encryption code that may have been obtained "as is" (that is, without support)
• Requires no application changes
► Database changes may need to occur
● Ensuring the targeted data will be protected may require rearranging data
● Adjustments for database product restrictions or considerations
► Understanding IBM crypto will be crucial to adhering to the regulations/requirements driving this solution
• Weigh the options available
► Not every segment or table needs to be encrypted
► Evaluate the need for
● Encryption/decryption in cross-platform and/or sysplex environments
● Disaster recovery
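The "Build DB2 user exit" slide above says the 10-byte key label is set into DB2DEXIT with AMASPZAP, but the JCL only shows the product's DECENC02 exec being invoked. The following added example (not code from the IBM deck or from the product) shows what such a zap amounts to: encode the CKDS label in EBCDIC, pad it to the 10-byte field, and emit NAME/VER/REP control statements in which VER guards that the field still holds the expected old label before REP overwrites it. The CSECT name DECENC00, the field offset 0x0120 and the label DB2PRDKEY1 are hypothetical parameters; the real offset inside the exit is not on the page.

```python
# Added example, not from the IBM deck: build AMASPZAP control statements that replace
# the 10-byte ICSF key-label field in the DB2DEXIT load module.
# ASSUMPTIONS: the CSECT name, the field offset and the new label are hypothetical;
# the product's DECENC02 exec knows the real offset, this script does not.
import re

FIELD_LEN = 10  # the deck states the exit carries a 10-byte key-label string
# ICSF key labels: upper-case letters, digits, @ # $ and period (ICSF label rule).
LABEL_RE = re.compile(r"^[A-Z0-9@#$.]+$")


def ebcdic_field(label: str, width: int = FIELD_LEN) -> bytes:
    """Encode a key label as EBCDIC (code page 037), blank (X'40') padded to the field width."""
    if not label or len(label) > width:
        raise ValueError(f"key label must be 1..{width} characters, got {label!r}")
    if not LABEL_RE.match(label):
        raise ValueError(f"not a valid ICSF key label: {label!r}")
    return label.ljust(width).encode("cp037")


def hex_groups(data: bytes) -> str:
    """Format bytes as AMASPZAP hex data, in comma-separated 2-byte groups."""
    h = data.hex().upper()
    return ",".join(h[i:i + 4] for i in range(0, len(h), 4))


def zap_statements(member: str, csect: str, offset: int,
                   old_label: str, new_label: str) -> list[str]:
    """NAME selects member and CSECT; VER checks the field still holds old_label so a zap
    against the wrong module or offset fails instead of silently corrupting code;
    REP then writes new_label. Offsets are hex, relative to the CSECT start."""
    return [
        f"NAME {member} {csect}",
        f"VER {offset:04X} {hex_groups(ebcdic_field(old_label))}",
        f"REP {offset:04X} {hex_groups(ebcdic_field(new_label))}",
    ]


if __name__ == "__main__":
    # Hypothetical parameters: rotate the exit from the demo label to a production label.
    for stmt in zap_statements("DB2DEXIT", "DECENC00", 0x0120, "ICSFDB2KEY", "DB2PRDKEY1"):
        print(stmt)
```

The statements go into the SYSIN of a PGM=AMASPZAP step whose SYSLIB points at the SDSNEXIT library; if the VER fails, AMASPZAP skips the REP, which is the behaviour you want when rotating labels across several DB2 subsystems.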
Agenda

• z/OS 1.7 – Integrated IP security
► AT-TLS
► IPSec
• z/OS PKI Services
• Encryption Facility for z/OS
• IBM Data Encryption for IMS and DB2 Databases V1.1
• . . . and what about the future?

Virtualization & Certification on System z9 and zSeries

[Figure: virtualization stack. zSeries hardware (PUs, FICON channels, OSA-Express, cryptos) is virtualized by PR/SM microcode into logical partitions, each with logical and physical resources, connected by HiperSockets. Within a partition, z/VM Control Program virtualization presents virtual devices, Guest LAN, IUCV and VCTC to guest VMs running Linux or z/OS.]

• SUSE LES9 certified at EAL4+ with CAPP
• Red Hat EL3 certified at EAL3+ with CAPP
• Red Hat EL4 EAL4+ in progress
• z/VM 5.1 RSU1 + RACF, certified at EAL3+ with CAPP and LSPP (26.10.2005)
• z/OS 1.6 + RACF, certified at EAL3+ with CAPP and LSPP
• z/OS 1.7 EAL4+ with CAPP (CeBIT, 10.03.2006)
• zSeries hardware: z800, z900, z990 PR/SM certified at EAL4/EAL5 with a specific Target of Evaluation
• zSeries crypto coprocessors: FIPS 140-1 level 4; FIPS 140-2 level 4 (Crypto Express 2) in progress
• Identrus certification for z/OS 1.5 PKI
• DB2 V8 certification for MLS (with RACF)
• WS AS V6.02 in evaluation for EAL4
See: www.ibm.com/security/standards/st_evaluations.shtml