z/OS Security and PKI services

More documents

Recommendations

Info

Build DB2 user exit• “Data Encryption” Product and ICSF Cryptographic Key Settings;► “Data Encryption” Product;● Link-edit with SYSLMOD load module name ‘DB2DEXIT’.● A 10 byte string of “ICSFDB2KEY” is set to the load module by AMSPZAP utility.● The load module is placed within the DB2 ‘SDSNEXIT’ Library dataset.► “Key” Settings on z/OS ICSF Component;● User Key: 24 byte Triple DES Cryptographic Key generated from the string “ICSFDB2KEY”above, using KGUP Utility.● Master Key: Generated from the string “ABCDEFGHIJKLMNOP” as the “pass phrase”.● “Data Encryption” product currently requires Master Key for “Secure Key” capability.//LINK EXEC PGM=IEWL,PARM='LIST,XREF,RENT'//SYSPRINT DD SYSOUT=*//SYSUDUMP DD SYSOUT=*//SDECLMD0 DD DSN=DSN810.ENCRYPT.SDECLMD0,DISP=SHR//SCSFMOD0 DD DSN=CSF.SCSFMOD0,DISP=SHR//SYSUT1 DD UNIT=SYSALLDA,SPACE=(1024,(50,50))//SYSLMOD DD DSN=DSN810.DB8A.SDSNEXIT(DB2DEXIT),DISP=SHR//SYSLIN DD *ENTRY DECENC00INCLUDE SDECLMD0(DECENC00)INCLUDE SCSFMOD0(CSNBENC)INCLUDE SCSFMOD0(CSNBDEC)NAME DB2DEXIT(R)//*[ Link-edit JCL ][ AMSPZAP JCL ]//BATCHTSO EXEC PGM=IKJEFT01,DYNAMNBR=25,REGION=0M,COND=EVEN//SYSLIB DD DISP=SHR,DSN=DSN810.DB8A.SDSNEXIT//ISPLLIB DD DISP=SHR,DSN=SYS1.MIGLIB ** For ZAP PGM AMASPZAP **//ISPPLIB DD DISP=SHR,DSN=DSN810.ENCRYPT.SDECPLIB//ISPSLIB DD DISP=SHR,DSN=DSN810.ENCRYPT.SDECSLIB//ISPMLIB DD DISP=SHR,DSN=DSN810.ENCRYPT.SDECMLIB// DD DISP=SHR,DSN=ISP.SISPMENU//ISPTLIB DD DISP=SHR,DSN=USER1.ISPF.ISPPROF// DD DISP=SHR,DSN=ISP.SISPTENU//SYSEXEC DD DISP=SHR,DSN=DSN810.ENCRYPT.SDECCEXE//ISPPROF DD DISP=SHR,DSN=USER1.ISPF.ISPPROF//SYSTSPRT DD SYSOUT=*//ISPLOG DD SYSOUT=*,DCB=(BLKSIZE=800,LRECL=80,RECFM=FB)//SYSTSIN DD *PROFILE PREFIX(USER1)ISPSTART CMD(%DECENC02 DB2 DB2DEXIT -ICSFDB2KEY )//*3207.04.2006 IBM SystemsSummary• Not an integrated solution but well tested and is the best around• Replaces the EditProc code providing encryption that may have been obtained andwas 'AS IS'• Requires no application changes► Data base changes may need to occur● Ensure targeted data will be protected may need to rearrange data● Adjustments for data base product restrictions or considerations► Understanding IBM Crypto will be crucial to adhering to the regulations/requirementsdriving this solution• Weigh the options available► Not every segment or table needs to be encrypted► Evaluate need for● Encryption/decryption in cross-platform and/or sysplex environments● Disaster Recovery3307.04.2006 IBM Systems
Agenda• z/OS 1.7 – Integrated IP security► AT-TLS► IPSec• z/OS PKI Services• Encryption Facility for z/OS• IBM Data Encryption for IMS and DB2 Databases V1.1• . . . and what about the future ?3407.04.2006 IBM SystemsVirtualization & Certification on System z9 and zSeriesLogicalPartitionLogical andPhysicalResourcesLogicalPartitionLogical andPhysicalResourcesLogical PartitionLogical and Physical Resourcesz/VM CPLinux Linux LinuxGuest VM Guest VM Guest VM•SUSE LES9 certified at EAL4+ with CAPP•Red Hat EL3 certified at EAL3+ with CAPP•Red Hat EL4 EAL4+ in progressz/OSLinuxLinux Linux LinuxVirtualDevicesVirtualDevicesVirtualDevicesz/VM 5.1 RSU1 + RACF, certified at EAL3+with CAPP and LSPP (26.10.2005)Guest LANIUCVVCTCz/VM Control Program virtualizationHiperSocketsPR/SM Microcode virtualization• z/OS 1.6 + RACF, certified at EAL3+with CAPP and LSPP• z/OS 1.7 EAL4+ with CAPP(CeBit 10.03.2006)See: www.ibm.com/security/standards/st_evaluations.shtml35PUsFICONChannelsOSA-ExpressCryptoszSeriesHardwarez800, z900, z990 PR/SM certified at EAL4/EAL5with specific Target Of EvaluationzSeries Crypto coprocessors:FIPS 140-1 level 4FIPS 140-2 level 4 (Crypto Express 2) – In progressIdentrus certification for z/OS 1.5 PKIDB2 V8 certifcation for MLS (w/ RACF)WS AS V6.02 in evaluation fo EAL407.04.2006 IBM Systems
Page 1: z/OS Security andPKI servicesThomas
Page 5 and 6: Tutorial907.04.2006 IBM SystemsWhat
Page 7 and 8: Certificate Life Cycle - this is wh
Page 9 and 10: z/OS R.7 - enhanced functions• En
Page 12 and 13: Technical detail of Encryption Serv
Page 14 and 15: Agenda• z/OS 1.7 - Integrated IP
Page 18 and 19: IBM Security Strategy• Mainframe

z/OS Security and PKI services

Create successful ePaper yourself

Delete template?

Save as template?