Here's what our DS8K storage expert (from Mainline) said:

The DS8ks need to be at code level 9.2 and have internal encryption licensed. Any of your DS8886s would still need SKLM; the new DS8900s can have internal encryption (no ISKLM needed).



On 5/9/2022 12:18 PM, Pommier, Rex wrote:
Mike,

Does the 8950 HMC-based encryption require an ISKLM license?  We are currently 
replicating from an 8910 to an 8884 and the 8884 is falling off support at the 
end of the year so we'll be replacing it with another 8910 most likely.  I'm 
wondering if I'll still need ISKLM for disk if we move our encryption key 
serving to the HMCs.

Thanks,

Rex

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Michael Babcock
Sent: Monday, May 9, 2022 12:10 PM
To: [email protected]
Subject: [EXTERNAL] Re: How do you Prove that you no longer need a working SKLM server or started task.

We had DS8886 boxes and used an AP1 appliance with SKLM installed.  These are 
no longer offered by IBM.  We just upgraded to DS8950s and it has the option to 
do key management within the HMCs on the DS8950s.  We went this route.

On Mon, May 9, 2022 at 11:37 AM Tom Longfellow 
<[email protected]> wrote:

We have been doing hardware-based tape and disk encryption for a very
long time.  So long in fact that I think we have 'upgraded' ourselves
out of the SKLM (or EKM) business.

The standalone servers were installed way back in our early years of
DS8000 technology (before they started offering the standalone feature code
for a dedicated box to handle keys).  In the meantime we have gone through
a few upgrades and we are currently at the DS8884 technology.  I cannot
find any config info in the DS8884 on 'how to access' an external SKLM
server.  I think we have gone internal somehow.

The SKLM address spaces under z/OS were set up in our days of 3592
tapes with encryption labels on the tapes themselves.  3592 is another
technology no longer present in our current data center.  A TS7760 grid with
encrypted virtual tape disk cache handled the encryption requirement.  Our SKLM
setup had two LPARs, each backing the other in a primary/secondary
relationship across an internal HiperSockets link.

My gut reaction is to just turn them off and let the chips fall where
they may, but that is not the 'professional' way to handle it.

Does anyone know how to prove the negative: that I do not need these
servers?

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send
email [email protected]  with the message: INFO IBM-MAIN

--
Michael Babcock
OneMain Financial
z/OS Systems Programmer, Lead
