We currently encrypt our 3592 tapes in our 3494 C06 controller with IBM EKM
running under Red Hat Linux on a PC server.

I am trying to create a second EKM running under SuSE LINUX under z/VM 540. Yet
I cannot SYNC the two servers nor ENCRYPT 3592 tapes.

I have also tried to SYNC from the PC EKM with the VM EKM and all I get is a
connection timeout. I can ping both ways and can perform FTP GETS.

Any ideas as to what I am missing?

On VM user LINUXEKM, I see the C06 tape controller (172.16.28.25) is
contacting LINUXEKM (172.16.28.63):
SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC= SRC=172.16.28.25 DST=172.16.28.63 LEN=44 TOS=0x00 PREC=0x00 TTL=59 ID=22745 DF PROTO=TCP SPT=52036 DPT=3801 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4)
SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC= SRC=172.16.28.25 DST=172.16.28.63 LEN=44 TOS=0x00 PREC=0x00 TTL=59 ID=22755 PROTO=TCP SPT=52036 DPT=3801 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4)
SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC= SRC=172.16.28.25 DST=172.16.28.63 LEN=44 TOS=0x00 PREC=0x00 TTL=59 ID=22765 PROTO=TCP SPT=52036 DPT=3801 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4)
SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC= SRC=172.16.28.25 DST=172.16.28.63 LEN=44 TOS=0x00 PREC=0x00 TTL=59 ID=22780 DF PROTO=TCP SPT=52053 DPT=3801 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4)
SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC= SRC=172.16.28.25 DST=172.16.28.63 LEN=44 TOS=0x00 PREC=0x00 TTL=59 ID=22783 DF PROTO=TCP SPT=52053 DPT=3801 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4)
Over and over.....
I turned on debug = all and this does not show anything during the encryption
process.
I have installed JAVA and EKM and have brought up EKM successfully under
z/LINUX, but I cannot encrypt our 3592 tapes on our VSE guest.
I FTP get the files below (BINARY) from the PC server. Then CHMOD to make the
permissions the same as the PC server running EKM.
VSE GUEST:
BG 0014 0P68I C KEYXCHG ER SYS010=700
CCSW=02109028F006000050 CCB=9029C8
SNS= 804808C0 22402751 0106FF00 00000000 00000000 00000092
2004E820 62162111
BG 0000 0P73I I/O ERROR
ekms...@linuxekm:~/keymanager> pwd
/home/ekmserv/keymanager
drwxr-xr-x 2 ekmserv users 256 2010-02-17 14:40 audit
-rw-rw-r-- 1 ekmserv users 10405 2010-02-17 11:49 drivetable
-rwxr-xr-x 1 ekmserv users 79 2010-02-12 09:00 ekmcli
-rwxr-xr-x 1 ekmserv users 46 2010-02-12 09:00 ekmkeystore
-rwxr-xr-x 1 ekmserv users 75 2010-02-12 09:00 ekmlaunch
-rw-rw-r-- 1 ekmserv users 32755 2010-02-12 09:00 key1.jck
-rw-r--r-- 1 ekmserv users 40 2010-02-17 11:49 KeyGroups.xml
-rw-rw-r-- 1 ekmserv users 1576 2010-02-17 14:38 KeymanagerConfig.properties
-rw-rw-r-- 1 ekmserv users 269850 2010-02-12 09:00 metafile.xml
Below is the config deck - same as one on PC Server:
ekms...@linuxekm:~/keymanager> cat KeymanagerConfig.properties
TransportListener.ssl.port = 1443
config.keystore.password.obfuscated = 3C0782A86CAE6DA07C
TransportListener.tcp.port = 3801
TransportListener.tcp.timeout = 0
fips = Off
TransportListener.ssl.keystore.password.obfuscated = 19075F85498B4A7D59
Server.password = 9513229D435978263D82902C59D4E0FB86C941A9BF09B605CD8A6643F40149A8
Admin.ssl.keystore.name = /home/ekmserv/keymanager/key1.jck
TransportListener.ssl.clientauthentication = 0
Admin.ssl.keystore.type = jceks
TransportListener.ssl.ciphersuites = JSSE_ALL
Audit.handler.file.size = 10000
drive.acceptUnknownDrives = true
Audit.metadata.file.name = /home/ekmserv/keymanager/metafile.xml
TransportListener.ssl.truststore.name = /home/ekmserv/keymanager/key1.jck
Audit.handler.file.directory = /home/ekmserv/keymanager/audit
TransportListener.ssl.protocols = SSL_TLS
Admin.ssl.keystore.password.obfuscated = 0107476D3173326541
config.keystore.file = /home/ekmserv/keymanager/key1.jck
TransportListener.ssl.truststore.type = jceks
debug.output = simple_file
TransportListener.ssl.keystore.name = /home/ekmserv/keymanager/key1.jck
TransportListener.ssl.timeout = 0
Audit.eventQueue.max = 0
debug.output.file = /home/ekmserv/keymanager/audit/debug.log
TransportListener.ssl.keystore.type = jceks
Audit.handler.file.name = ekmaudit.log
config.keystore.type = jceks
drive.default.alias2 = EKMCERT032409B
drive.default.alias1 = EKMCERT032409A
Audit.event.outcome = success,failure
debug = none
Audit.event.types = all
config.drivetable.file.url = FILE:////home/ekmserv/keymanager/drivetable
Admin.ssl.truststore.name = /home/ekmserv/keymanager/key1.jck
ekmaudit.log:
Authorization event:[
timestamp=Tue Feb 16 11:06:06 EST 2010
ComponentId=[threadId=Thread[Thread-30,5,KeyManagementServerV2-Processors]]
event source=com.ibm.keymanager.a.c
outcome=[result=successful]
event type=SECURITY_AUTNZ
access decision=permitted
checked permissions=STATUS
resource=[name=EKMAdmin;type=application]
users=[name=EKMAdmin]
]
Authorization event:[
timestamp=Tue Feb 16 11:06:28 EST 2010
ComponentId=[threadId=Thread[Thread-30,5,KeyManagementServerV2-Processors]]
event source=com.ibm.keymanager.a.c
outcome=[result=successful]
event type=SECURITY_AUTNZ
access decision=permitted
checked permissions=LISTDRIVES
resource=[name=EKMAdmin;type=application]
users=[name=EKMAdmin]
]
Resource management event:[
timestamp=Tue Feb 16 11:06:28 EST 2010
ComponentId=[threadId=Thread[Thread-30,5,KeyManagementServerV2-Processors]]
event source=com.ibm.keymanager.admin.cli.a
outcome=[result=successful]
event type=SECURITY_MGMT_RESOURCE
action=show
user=[name=CLIProcessor]
resource=[name=drive table;type=file]
]
Authorization event:[
timestamp=Tue Feb 16 11:07:06 EST 2010
ComponentId=[threadId=Thread[Thread-30,5,KeyManagementServerV2-Processors]]
event source=com.ibm.keymanager.a.c
outcome=[result=successful]
event type=SECURITY_AUTNZ
access decision=permitted
checked permissions=STOP
resource=[name=EKMAdmin;type=application]
users=[name=EKMAdmin]
]
Runtime event:[
timestamp=Tue Feb 16 11:07:06 EST 2010
ComponentId=[threadId=Thread[Thread-30,5,KeyManagementServerV2-Processors]]
event source=com.ibm.keymanager.EKMServer
outcome=[result=successful]
event type=SECURITY_RUNTIME
resource=[name=EKM server;type=application]
action=stop
user=[name=EKMAdmin]
]
Runtime event:[
timestamp=Tue Feb 16 11:14:25 EST 2010
ComponentId=[threadId=Thread[main,5,main]]
event source=com.ibm.keymanager.EKMServer
outcome=[result=successful]
event type=SECURITY_RUNTIME
resource=[name=EKMAdmin;type=application]
action=runEKMServer
user=[name=EKMAdmin]
]
Resource management event:[
timestamp=Tue Feb 16 11:14:28 EST 2010
ComponentId=[threadId=Thread[main,5,main]]
event source=com.ibm.keymanager.keygroups.KeyGroupManager
outcome=[result=successful]
event type=SECURITY_MGMT_RESOURCE
action=retrieve
user=[name=KMSAdmin]
resource=[name=/home/ekmserv/keymanager/key1.jck;type=file]
]
Resource management event:[
timestamp=Tue Feb 16 11:14:28 EST 2010
ComponentId=[threadId=Thread[main,5,main]]
event source=com.ibm.keymanager.keystore.KeyStoreLoader
outcome=[result=successful]
event type=SECURITY_MGMT_RESOURCE
action=retrieve
user=[name=KMSAdmin]
resource=[name=/home/ekmserv/keymanager/key1.jck;type=file]
]
Runtime event:[
timestamp=Tue Feb 16 11:14:29 EST 2010
ComponentId=[threadId=Thread[main,5,main]]
event source=com.ibm.keymanager.EKMServer
outcome=[result=unsuccessful]
event type=SECURITY_RUNTIME
message=no symmetric Key aliases LTO drives not supported. ErrorCode= 19
resource=[name=if LTO support is needed valid symmetric Keys must be added to the config keystore;type=file]
action=stop
]
Runtime event:[
timestamp=Tue Feb 16 11:14:31 EST 2010
ComponentId=[threadId=Thread[main,5,main]]
event source=com.ibm.keymanager.q
outcome=[result=successful]
event type=SECURITY_RUNTIME
resource=[name=EKM server;type=application]
action=start
user=[name=EKMAdmin]
]
LINUXEKM:/home/ekmserv/keymanager/audit #
Thanks,
Ray Waters
Senior Technical Support Analyst
Open Solutions Inc.
3900 Essex Lane, Suite 400
Houston, TX 77027-5100
Office 713-965-8451
Cell 713-705-5403
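
Added example (not part of the original post): SFW2-INext-DROP-DEFLT is the prefix SuSEfirewall2 writes for inbound packets on the external zone that hit the default drop rule, so the sketch below counts dropped TCP SYNs whose destination port is one of the TransportListener ports in KeymanagerConfig.properties. The function names are hypothetical; the first two log records and the property lines are taken from the post, the third record is constructed.

```python
import re
from collections import Counter

# First two records are from the post (line-wrapped as posted); the third
# record (DPT=22) is constructed to show that unrelated drops are ignored.
SAMPLE_LOG = """\
SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC= SRC=172.16.28.25 DST=172.16.28.63 LEN=44
TOS=0x00 PREC=0x00 TTL=59 ID=22745 DF PROTO=TCP SPT=52036 DPT=3801 WINDOW=65535
RES=0x00 SYN URGP=0 OPT (020405B4)
SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC= SRC=172.16.28.25 DST=172.16.28.63 LEN=44
TOS=0x00 PREC=0x00 TTL=59 ID=22755 PROTO=TCP SPT=52036 DPT=3801 WINDOW=65535 RE
S=0x00 SYN URGP=0 OPT (020405B4)
SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC= SRC=172.16.28.99 DST=172.16.28.63 LEN=44
TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=65535
RES=0x00 SYN URGP=0
"""
SAMPLE_PROPS = """\
TransportListener.ssl.port = 1443
TransportListener.tcp.port = 3801
TransportListener.tcp.timeout = 0
"""

def listener_ports(props_text):
    """Map each TransportListener.*.port value to its property name."""
    pat = re.compile(r"^\s*(TransportListener\.\w+\.port)\s*=\s*(\d+)\s*$", re.M)
    return {int(port): key for key, port in pat.findall(props_text)}

def dropped_syns(log_text):
    """Yield (src, dst, dport) per dropped TCP SYN; records may be line-wrapped."""
    for record in re.split(r"(?m)^SFW2-", log_text):
        flat = " ".join(record.split())          # undo the wrapping
        if "DROP" not in flat.split(" ", 1)[0]:  # keep only *-DROP-* records
            continue
        fields = dict(re.findall(r"\b([A-Z]+)=(\S+)", flat))
        if fields.get("PROTO") == "TCP" and re.search(r"\bSYN\b", flat) and "DPT" in fields:
            yield fields["SRC"], fields["DST"], int(fields["DPT"])

def blocked_listeners(props_text, log_text):
    """Count dropped SYNs per (listener property, port, source address)."""
    ports = listener_ports(props_text)
    hits = Counter()
    for src, _dst, dport in dropped_syns(log_text):
        if dport in ports:
            hits[(ports[dport], dport, src)] += 1
    return dict(hits)

if __name__ == "__main__":
    for (key, port, src), n in blocked_listeners(SAMPLE_PROPS, SAMPLE_LOG).items():
        print(f"{n} SYN(s) from {src} to {key}={port} dropped by the host firewall")
```
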