Jerry, to add to Lennie's comments....

1. The best z/OS 2.1 was/is able to do is to tolerate z/OS Data Set Encryption, i.e. to read and write to the types of encrypted data sets that z/OS 2.2 supports. But z/OS 2.1 cannot create new encrypted data sets. That's assuming you install the appropriate toleration maintenance on z/OS 2.1. Moreover, IBM added support for additional encrypted data set types in newer releases of z/OS. At least some of those types won't go all the way back to z/OS 2.1.

I think you're going to be out of runway with that z/OS 2.1 system unless (perhaps) it's in a Parallel Sysplex with your z/OS 2.3 system. Even then encryption coverage will be very partial, in all likelihood. Some is better than nothing, but the magic really arrives with later releases of z/OS. Of course the hardware model isn't holding you back, and IMS V13's standard support period ended well after z/OS 2.3's release. (z/OS 2.3 is itself reaching End of Service later this year, and IMS V13 reached EoS in 2018.)

2. Another popular consideration that comes to mind is compressibility. Encrypted data is not compressible, but fortunately you have Integrated Accelerator for Z Enterprise Data Compression on your IBM z15 machines. It's a great idea to configure and exploit that feature, too, so that you can compress data quickly and efficiently before it's encrypted (quickly and efficiently). You may need the optional z/OS element depending on what you're doing. If your storage tiers (such as tape or virtual tape) are currently enjoying a lot of benefits from compression then the Integrated Accelerator for ZEDC is rather important, perhaps with some minor adjustments in your storage configurations. (Basically "Storage, don't compress THIS, because you're wasting effort.")

3. If you plan to use protected key encryption (versus clear key encryption) then your two IBM Crypto Express features must be configured in CCA mode. If they are configured in another mode (and need to be) then you may need another pair of IBM Crypto Express features. However, on IBM z15 machines the IBM Crypto Express7S features are available in "single port" and "dual port" variants. The "dual port" variant contains two independent HSMs per feature (on one adapter). Check to see if you have a pair of "dual port" IBM Crypto Express features. If you do, you actually have four HSMs, and thus you can configure two in CCA mode and two in EP11 mode (a popular choice) if you wish.

Apply due care to master key management in your IBM Crypto Express domains and with your smart cards (if you have them), including disaster contingency planning. (But you're hopefully already familiar with those core principles.)

4. If you plan to implement the highest level of security protection then you'll want to instantiate master keys in your IBM Crypto Express CCA domains using the IBM Trusted Key Entry (TKE) Workstation and associated smart cards. This equipment eliminates the possibility that operators might acquire knowledge or otherwise intercept master key materials. If you don't have an IBM TKE Workstation then you can order one or a couple. A single TKE Workstation can manage IBM Crypto Express domains on multiple machines, but some customers like to have a second (or even multiple) TKE Workstation(s) at (a) different location(s).

5. Give some thought to key rotation operations, because you might have to do that at some point in the future.

6. IBM has some great z/OS Data Set Encryption materials, including a nice red book. And there are also some very knowledgeable IBMers happy to help. Don't struggle too long if you get stuck somewhere; ask for help.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: [email protected]

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
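The point in item 2 above, that data must be compressed before it is encrypted because ciphertext does not compress, as an added example that is not part of the original post or of z/OS itself. The record data, the key and the SHA-256 counter-mode keystream are constructed stand-ins for illustration only (a real deployment uses AES in the hardware, as z/OS Data Set Encryption does).

```python
import hashlib
import zlib

# Constructed sample: a few hundred fixed-length, highly redundant records,
# the kind of data set that benefits most from zEDC compression.
SAMPLE_RECORDS = b"".join(
    b"CUST%06d|ACCT-TYPE:SAVINGS|BRANCH:0042|STATUS:ACTIVE      \n" % i
    for i in range(400)
)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR the data with a SHA-256 counter-mode keystream.

    Illustration only, not a cipher to deploy; it is here because any good
    cipher makes its output look uniformly random, which is what defeats a
    compressor. Encrypting and decrypting are the same operation.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def compress_then_encrypt(key: bytes, data: bytes) -> bytes:
    """The order z/OS uses when a data set is both compressed and encrypted."""
    return keystream_xor(key, zlib.compress(data, 9))


def encrypt_then_compress(key: bytes, data: bytes) -> bytes:
    """The wrong order: the storage tier compresses data that is already ciphertext."""
    return zlib.compress(keystream_xor(key, data), 9)


def compare_orders(key: bytes = b"demo-key", data: bytes = SAMPLE_RECORDS) -> dict:
    """Return the bytes actually stored for each ordering next to the plaintext size."""
    cte = compress_then_encrypt(key, data)
    etc = encrypt_then_compress(key, data)
    # Round trip of the correct order: decrypt, then inflate, must give the records back.
    assert zlib.decompress(keystream_xor(key, cte)) == data
    return {
        "plaintext_bytes": len(data),
        "compress_then_encrypt_bytes": len(cte),
        "encrypt_then_compress_bytes": len(etc),
    }
```

Running compare_orders() shows the compress-then-encrypt size at a small fraction of the plaintext, while encrypt-then-compress comes out slightly larger than the plaintext because zlib has to fall back to stored blocks.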
