Encrypted Backup to Ultrium 4 - IBM AS400


Thread: Encrypted Backup to Ultrium 4

  1. Encrypted Backup to Ultrium 4

    Hello everyone. I’m putting together a backup strategy with the
    requirement of encrypting all “customer” and other sensitive data. I
    would appreciate your feedback on any gaps I might have overlooked.
    Given the following system environment:

    Single NON-PARTITIONED iSeries running v5r4
    TS3200 tape library with 2 fiber-attached Ultrium 4 drives
    Using LME capability of TS3200 and IBM Encryption Key Manager (EKM)

    The easy way out is to run the IBM EKM on a small windows or linux
    server. LME has the library communicating with the EKM so even
    restricted state backups would work. However, in consideration of
    licensing, software maintenance and support, complexity, plus
    redundancy for our DR site, I would like to eliminate the need to run
    my primary EKM on anything but the i.

    What I’ve come up with (aside from partitioning the system) is
    splitting the backup into 2 parts, encrypted and non-encrypted. The
    non-encrypted part would include a SAVSYS (minus security data and
    configuration objects), IBM system libraries, and maybe /QIBM. The
    encrypted part would include everything else…

    Non-encrypted:

    SAVSYS OMIT(*CFG *SECDTA)
    SAVLIB LIB(*IBM)
    SAV OBJ(('/QIBM/ProdData') ('/QOpenSys/QIBM/ProdData'))
    /* Backup keystore to some other media */
    /* Backup any other objects and IFS folders required to restore EKM
    itself */


    Encrypted:

    STRSBS QCTL
    /* Start EKM “server” subsystem and jobs */
    SAVSECDTA
    SAVCFG
    SAVLIB LIB(*ALLUSR)
    SAVDLO DLO(*ALL) FLR(*ANY) /* Yes, I still need this */
    SAV OBJ(('/*') ('/QSYS.LIB' *OMIT) ('/QDLS' *OMIT)
    ('/QIBM/ProdData' *OMIT)
    ('/QOpenSys/QIBM/ProdData' *OMIT)) UPDHST(*YES)

    Questions:

    1. Is there any reason I should have to encrypt QSYS, the IBM system
    libraries, and anything under /QIBM?

    2. Do I need to include anything else in the non-encrypted part of the
    backup to ensure I can recover the EKM and its prerequisites (IBM
    Java JRE, configuration files, policy files, etc)?

    Thanks in advance!

    -Kerry

  2. Re: Encrypted Backup to Ultrium 4

    On Oct 21, 5:47 pm, Madcap wrote:
    > Hello everyone. I’m putting together a backup strategy with the
    > requirement of encrypting all “customer” and other sensitive data. I
    > would appreciate your feedback on any gaps I might have overlooked.
    > Given the following system environment:
    >
    > Single NON-PARTITIONED iSeries running v5r4
    > TS3200 tape library with 2 fiber-attached Ultrium 4 drives
    > Using LME capability of TS3200 and IBM Encryption Key Manager (EKM)
    >
    > The easy way out is to run the IBM EKM on a small windows or linux
    > server. LME has the library communicating with the EKM so even
    > restricted state backups would work. However, in consideration of
    > licensing, software maintenance and support, complexity, plus
    > redundancy for our DR site, I would like to eliminate the need to run
    > my primary EKM on anything but the i.
    >
    > What I’ve come up with (aside from partitioning the system) is
    > splitting the backup into 2 parts, encrypted and non-encrypted. The
    > non-encrypted part would include a SAVSYS (minus security data and
    > configuration objects), IBM system libraries, and maybe /QIBM. The
    > encrypted part would include everything else…
    >
    > Non-encrypted:
    >
    > SAVSYS OMIT(*CFG *SECDTA)
    > SAVLIB LIB(*IBM)
    > SAV OBJ(('/QIBM/ProdData') ('/QOpenSys/QIBM/ProdData'))
    > /* Backup keystore to some other media */
    > /* Backup any other objects and IFS folders required to restore EKM
    > itself */
    >
    > Encrypted:
    >
    > STRSBS QCTL
    > /* Start EKM “server” subsystem and jobs */
    > SAVSECDTA
    > SAVCFG
    > SAVLIB LIB(*ALLUSR)
    > SAVDLO DLO(*ALL) FLR(*ANY) /* Yes, I still need this */
    > SAV OBJ(('/*') ('/QSYS.LIB' *OMIT) ('/QDLS' *OMIT)
    >     ('/QIBM/ProdData' *OMIT)
    >     ('/QOpenSys/QIBM/ProdData' *OMIT)) UPDHST(*YES)
    >
    > Questions:
    >
    > 1. Is there any reason I should have to encrypt QSYS, the IBM system
    > libraries, and anything under /QIBM?
    >
    > 2. Do I need to include anything else in the non-encrypted part of the
    > backup to ensure I can recover the EKM and its prerequisites (IBM
    > Java JRE, configuration files, policy files, etc)?
    >
    > Thanks in advance!
    >
    > -Kerry


    I am new to the encryption world using LTO4, here are my questions
    etc.
    A) I would encrypt all of it, picking and choosing what you encrypt
    or don't seems like a management nightmare.
    B) I believe the key(s) algorithms etc to do the encryption are
    controlled by the I5, not sure why you need a windows or linux server
    in the mix, I would not want that in the mix myself.
    C) In the event of a disaster would you have ready access to the
    IBM EKM on linux or windows and does that requirement put you in a
    scenario of a slower recovery hence having the windows/linux
    requirement.
    D) The tape drive would be doing the encryption, not sure what that
    means on the I5 side as far as objects and restoration.

  3. Re: Encrypted Backup to Ultrium 4

    Thanks for your input.

    > A) I would encrypt all of it, picking and choosing what you encrypt
    > or don't seems like a management nightmare.


    That would be ideal however the tape library doesn't store the keys
    used to encrypt the data. It must communicate with a system running
    the IBM Encryption Key Manager (EKM) during the backup. If the
    iSeries is in restricted state for the purpose of running a SAVSYS it
    can't be running the EKM.

    > B) I believe the key(s) algorithms etc to do the encryption are
    > controlled by the I5, not sure why you need a windows or linux server
    > in the mix, I would not want that in the mix myself.


    Me neither. But that would provide for a fully encrypted "option 21"
    backup. If and when we partition the system we may have a "thin"
    partition as the "primary" and run the EKM on it. At least I think
    that would work - I don't have any real hands on experience with
    managing LPARs.

    > C) In the event of a disaster would you have ready access to the
    > IBM EKM on linux or windows and does that requirement put you in a
    > scenario of a slower recovery hence having the windows/linux
    > requirement.


    Yes, slower, more costly and less reliable overall due to complexity.
    You're either committing to self-support of the EKM hosts or you're
    paying for software support and maintenance on those windows/linux
    systems to regain the "one-stop" technical support we are used to from
    IBM.

    > D) The tape drive would be doing the encryption, not sure what that
    > means on the I5 side as far as objects and restoration.


    It would be transparent to OS/400 if it weren't the system running the
    EKM. It would also be transparent to the job performing the backup in
    the event that the system isn't restricted and that same system is
    running the EKM in another job (or jobs). It does increase the DR
    budget though. We *have to* restore from an IBM Ultrium 4 library
    with this backup solution and our DR facility provider is
    (understandably) charging more to cover the purchase and maintenance
    of that spare.

    -Kerry

  4. Re: Encrypted Backup to Ultrium 4

    On Oct 22, 10:19 am, Madcap wrote:
    > Thanks for your input.
    >
    > > A) I would encrypt all of it, picking and choosing what you encrypt
    > > or don't seems like a management nightmare.

    >
    > That would be ideal however the tape library doesn't store the keys
    > used to encrypt the data. It must communicate with a system running
    > the IBM Encryption Key Manager (EKM) during the backup. If the
    > iSeries is in restricted state for the purpose of running a SAVSYS it
    > can't be running the EKM.
    >
    > > B) I believe the key(s) algorithms etc to do the encryption are
    > > controlled by the I5, not sure why you need a windows or linux server
    > > in the mix, I would not want that in the mix myself.

    >
    > Me neither. But that would provide for a fully encrypted "option 21"
    > backup. If and when we partition the system we may have a "thin"
    > partition as the "primary" and run the EKM on it. At least I think
    > that would work - I don't have any real hands on experience with
    > managing LPARs.
    >
    > > C) In the event of a disaster would you have ready access to the
    > > IBM EKM on linux or windows and does that requirement put you in a
    > > scenario of a slower recovery hence having the windows/linux
    > > requirement.

    >
    > Yes, slower, more costly and less reliable overall due to complexity.
    > You're either committing to self-support of the EKM hosts or you're
    > paying for software support and maintenance on those windows/linux
    > systems to regain the "one-stop" technical support we are used to from
    > IBM.
    >
    > > D) The tape drive would be doing the encryption, not sure what that
    > > means on the I5 side as far as objects and restoration.

    >
    > It would be transparent to OS/400 if it weren't the system running the
    > EKM. It would also be transparent to the job performing the backup in
    > the event that the system isn't restricted and that same system is
    > running the EKM in another job (or jobs). It does increase the DR
    > budget though. We *have to* restore from an IBM Ultrium 4 library
    > with this backup solution and our DR facility provider is
    > (understandably) charging more to cover the purchase and maintenance
    > of that spare.
    >
    > -Kerry


    Kerry, I had not really spent a lot of time looking into this until
    today. This seems like a lot of work to make it work, so I now see
    why you would want to pick and choose what you EKM against, in this
    case I guess 400 libraries and objects, ifs etc. I did not realize
    how much micro management of the system would be required to support
    EKM and how many other systems you might need to support it. I did
    read where it uses DCM which you can use natively on the 400 and if
    you have all the right components installed you could use from what I
    can tell the IFS to manage the keys and java on the 400. See the
    write-up below from the manual:

    i5/OS Disaster Recovery Considerations: The i5/OS support will require
    the Encryption Key Manager server to be running on a different
    partition or system other than where the encrypted save is being
    performed. Failure to do so could result in data loss. Prior to
    recovering encrypted data, the Encryption Key Manager must be running
    or recovered on another system. Maintaining primary and secondary
    Encryption Key Manager servers is desired for maximum availability of
    encrypted backup and recovery. The Encryption Key Manager and its
    associated data must be saved regularly without encryption. If the
    keystore password is specified on the strEKM script call (and not
    stored in the KeyManagerConfig.properties file), then you must keep a
    copy of the password in a secure location. The keystore password must
    be available to recover the Encryption Key Manager. Encrypted save or
    archive operations must not be performed on the partition or system
    where the Encryption Key Manager server is running. If data on the
    system where the Encryption Key Manager is running is encrypted, the
    Encryption Key Manager cannot be recovered without availability of a
    secondary Encryption Key Manager server. For additional disaster
    recovery information, refer to this Software Knowledge Base document:
    http://www-912.ibm.com/8625680A007CA...2571CC0006652D.
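
Added example (not part of the thread or of IBM's documentation): a small Python model of the restore bootstrap problem that the manual excerpt above describes, checking whether a set of save volumes can bring the EKM back without already having a working EKM. The component names, the save-set names and which save set holds which component are assumptions made for illustration.

```python
# Added example: models the restore "bootstrap" dependency discussed above.
# All component and save-set names are constructed for illustration.

# Assumed prerequisites for a working EKM: the EKM and its associated data,
# plus the keystore password when it is not stored in the config file.
EKM_NEEDS = {"base_os", "java_jre", "ekm_config", "keystore", "keystore_password"}

def recoverable(save_sets, offline_items=frozenset(), secondary_ekm=False):
    """Return (restored save-set names, EKM prerequisites still missing).

    save_sets:     {name: {"encrypted": bool, "contains": set of components}}
    offline_items: components kept outside the tapes (e.g. password in a safe)
    secondary_ekm: True if another EKM server holding the same keys survives
    """
    have = set(offline_items)
    restored = set()
    ekm_up = secondary_ekm
    changed = True
    while changed:                          # iterate until nothing new restores
        changed = False
        for name, s in save_sets.items():
            if name in restored or (s["encrypted"] and not ekm_up):
                continue                    # already done, or unreadable without keys
            restored.add(name)
            have |= s["contains"]
            changed = True
        if not ekm_up and EKM_NEEDS <= have:
            ekm_up = True                   # local EKM rebuilt from clear-text data
            changed = True
    missing = set() if ekm_up else EKM_NEEDS - have
    return restored, missing

# Constructed plan mirroring the split backup in the first post
# (assumed mapping: SAVSYS -> base_os, IBM libraries -> java_jre).
SPLIT_PLAN = {
    "savsys_clear": {"encrypted": False, "contains": {"base_os"}},
    "ibm_libs_clear": {"encrypted": False, "contains": {"java_jre"}},
    "ekm_clear": {"encrypted": False, "contains": {"ekm_config", "keystore"}},
    "user_data_enc": {"encrypted": True, "contains": {"customer_data"}},
}
# Same plan, but the keystore ended up only on the encrypted volume.
BAD_PLAN = dict(
    SPLIT_PLAN,
    ekm_clear={"encrypted": False, "contains": {"ekm_config"}},
    user_data_enc={"encrypted": True, "contains": {"customer_data", "keystore"}},
)

if __name__ == "__main__":
    print(recoverable(SPLIT_PLAN, offline_items={"keystore_password"}))
    print(recoverable(BAD_PLAN, offline_items={"keystore_password"}))
```

A non-empty second return value names what has to move to unencrypted media or offline storage before the encrypted volumes can be read at a site with no surviving EKM.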

  5. Re: Encrypted Backup to Ultrium 4

    The link you provided has some good info. I have a similar version of
    that powerpoint doc but the second document is specifically geared for
    drive managed encryption on the i. Nancy Roper knows her stuff
    (security too) and touched on the questions I had posted, regarding
    what has to be recovered before one can restore encrypted data - base
    OS, EKM, some IFS stuff, etc. Rather than a blueprint she provides a
    strong recommendation that you don't do it and encourages you to
    consult IBM first.

    > performed. Failure to do so could result in data loss. Prior to
    > recovering encrypted data, the Encryption Key Manager must be running
    > or recovered on another system. Maintaining primary and secondary


    This is about as far as every other document I've come across goes.
    As much as I would like to do it, I think I'm going to back off of the
    clever backup/recovery strategy and just build a RHEL box for the
    EKM. I'm going to have to have one anyway as a backup until I can
    prove the DR system is properly staged for it and the primary system
    is completely recoverable from tape. It's a shame though, first we
    had to purchase a library instead of the single slot 2340 to get drive
    based encryption. Now the integrity of our core system hinges on the
    "economy" system (plus its hot spare of course) to "bootstrap"
    itself. I guess I'm not the typical shop though, not being LPAR'd
    which would (will) at least eliminate the windows/linux boxes and
    allow me to concentrate on my $20K tape drive.

    I did come up with one other way though. I might be able to do an
    option 21 save without encryption then duptap it from a non-encrypting
    drive to an encrypting one. (I wonder if a drive set to encrypt can
    still *read* a non-encrypted volume) This might require me to
    partition the library but that's not a problem as I will have dual
    fiber cards and IOAs on the i. Our DR system is partitioned so I
    could run the EKM on i5/OS at the DR site. The only time I would need
    an external EKM then would be to recover the production system back at
    home and then only if the local non-encrypted copy of the save was
    destroyed. I imagine that would be days after the disaster, allowing
    time to restore or even build from scratch a linux/windows EKM box.

    Here's some additional links in case you're still researching
    yourself:

    Implementing IBM Tape in i5/OS
    http://www.redbooks.ibm.com/abstract...7440.html?Open

    IBM System Storage Tape Encryption Solutions
    http://www.redbooks.ibm.com/redbooks...tml/wwhelp.htm

    IBM Encryption Key Manager for Java Platform
    http://www-01.ibm.com/support/docvie...=utf-8&lang=en

    IBM TotalStorage Productivity Center
    http://www-03.ibm.com/systems/storag...ter/index.html

    IBM TS3200 Tape Library Express
    http://www-03.ibm.com/systems/storag...200/index.html

    BRMS
    http://www-03.ibm.com/systems/i/support/brms/

    RHEL
    http://www.redhat.com/rhel/

    RHEL Subscription Fees
    https://www.redhat.com/wapps/store/catalog.html

    SLES
    http://www.novell.com/products/server/

    SLES Subscription Fees
    http://www.novell.com/products/server/howtobuy.html

  6. Re: Encrypted Backup to Ultrium 4

    Just started reading about encrypted backups.

    Very nice discussion & thank you for the links, saved me a lot of first
    timer eye squishing.
