Re: Encrypted Tapes and DR [EMAIL PROTECTED]

2008-04-16 Thread Richard Peurifoy 

Russell Witt wrote:

That will work just fine Mark, if your DR site is dedicated to you and you
have a running system there that is not recovered from your DR tapes
themselves. If your DR is running at a Sunguard/IBM shared DR recovery site,
then that will not work. In that case, you will have to have a backup of
your RACF database (in un-encrypted form of course) and restore that first;
re-ipl using the new RACF database (can RACF be re-activated with a new
database without an IPL?); then restore the rest of your backups. DR is one
of the biggest issues with any encryption product; and of course Key
Management is the other major concern (don't let your digital certificates
expire when you are still using them).


I believe the EKM documentation indicates it will work even if
the certificate is expired. So the real issue is to not delete
them until you are sure they are not needed.

However, I used the max allowed expiration date on my certs
anyway :-).

--
Richard

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Encrypted Tapes and DR [EMAIL PROTECTED]

2008-04-11 Thread Walt Farrell 
On Thu, 10 Apr 2008 20:56:04 -0500, Russell Witt [EMAIL PROTECTED] wrote:

That will work just fine Mark, if your DR site is dedicated to you and you
have a running system there that is not recovered from your DR tapes
themselves. If your DR is running at a Sunguard/IBM shared DR recovery site,
then that will not work. In that case, you will have to have a backup of
your RACF database (in un-encrypted form of course) and restore that first;
re-ipl using the new RACF database (can RACF be re-activated with a new
database without an IPL?); then restore the rest of your backups. DR is one
of the biggest issues with any encryption product; and of course Key
Management is the other major concern (don't let your digital certificates
expire when you are still using them).

I think he'll need an unencrypted copy of his ICSF databases, too, Russell.

And yes, you can activate a new RACF DB without an IPL, but only if it has
the same dsname as the one you're already running.

-- 
  Walt Farrell, CISSP
  IBM STSM, z/OS Security Design

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Encrypted Tapes and DR [EMAIL PROTECTED]

2008-04-11 Thread Mark Jacobs 
Walt Farrell wrote:
 On Thu, 10 Apr 2008 20:56:04 -0500, Russell Witt [EMAIL PROTECTED] wrote:

   
 That will work just fine Mark, if your DR site is dedicated to you and you
 have a running system there that is not recovered from your DR tapes
 themselves. If your DR is running at a Sunguard/IBM shared DR recovery site,
 then that will not work. In that case, you will have to have a backup of
 your RACF database (in un-encrypted form of course) and restore that first;
 re-ipl using the new RACF database (can RACF be re-activated with a new
 database without an IPL?); then restore the rest of your backups. DR is one
 of the biggest issues with any encryption product; and of course Key
 Management is the other major concern (don't let your digital certificates
 expire when you are still using them).
 

 I think he'll need an unencrypted copy of his ICSF databases, too, Russell.

 And yes, you can activate a new RACF DB without an IPL, but only if it has
 the same dsname as the one you're already running.

   

We have a one volume zOS 1.8 environment that includes its own RACF and
ICSF databases. We restore it from the floor system, ipl it, enter the
master keys into the cryptographic hardware, start ICSF and EKM and
start restoring the encrypted full volume backup tapes.

At the end of the test we erase the keys from the cryptographic
hardware, securely wipe the volume that we ipled with(along with the
restored volumes of course) and go home.

-- 
Mark Jacobs
Time Customer Service
Tampa, FL


We have a special climate-controlled room that keeps the worms 
at a low enough temerature so that they remain dormant. If the 
temperature varies by more than +-0.73K, the worms either freeze 
to death, or eat throught the CrTiAl alloy of the airlock doors. 
Dicey.

   -Branko Cibej [EMAIL PROTECTED], concerning the can of worms

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Encrypted Tapes and DR [EMAIL PROTECTED]

2008-04-11 Thread Rick Fochtman 

--snip---


And yes, you can activate a new RACF DB without an IPL, but only if it has
the same dsname as the one you're already running.
   


-unsnip
ISTR switch to new RACF database files by using a series of RVARY 
commands. It that no longer available?


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Encrypted Tapes and DR [EMAIL PROTECTED]

2008-04-11 Thread R.S. 

Rick Fochtman wrote:

--snip---

And yes, you can activate a new RACF DB without an IPL, but only if 
it has

the same dsname as the one you're already running.
  

-unsnip
ISTR switch to new RACF database files by using a series of RVARY 
commands. It that no longer available?


It is still available, but it never allowed to specify new dataset name.
So, you can switch. inact, act, but the dataset names are fixed in 
ICHRDSNT.


However I see no problem here: you can simply copy any RACF db to 
existing (inactive) file. Or rename the files.
In other words RACFdb is not aware of it's own dataset name - so the 
name can be changed.







--
Radoslaw Skorupka
Lodz, Poland


--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl

Sd Rejonowy dla m. st. Warszawy 
XII Wydzia Gospodarczy Krajowego Rejestru Sdowego, 
nr rejestru przedsibiorców KRS 025237

NIP: 526-021-50-88
Wedug stanu na dzie 01.01.2008 r. kapita zakadowy BRE Banku SA  wynosi 
118.642.672 zote i zosta w caoci wpacony.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Encrypted Tapes and DR [EMAIL PROTECTED]

2008-04-11 Thread Rick Fochtman 

--snip
R.S. wrote:


Rick Fochtman wrote:


--snip---

And yes, you can activate a new RACF DB without an IPL, but only if 
it has

the same dsname as the one you're already running.
  



-unsnip
ISTR switch to new RACF database files by using a series of RVARY 
commands. It that no longer available?



It is still available, but it never allowed to specify new dataset name.
So, you can switch. inact, act, but the dataset names are fixed in 
ICHRDSNT.


However I see no problem here: you can simply copy any RACF db to 
existing (inactive) file. Or rename the files.
In other words RACFdb is not aware of it's own dataset name - so the 
name can be changed.


--unsnip---
Yes I did change the dsname, and that change lasts through the life of 
the IPL. Learned it the hard way, when I forgot to update ICHRDSNT and 
it reverted to the old datasets after an IPL. I'm sure I'll be corrected 
if I'm wrong, but ICHRDSNT is only referenced at IPL time, when RACF is 
first initialized. Other security tools MAY behave differently. Look at 
the syntax of the RVARY command for dataset switching.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Encrypted Tapes and DR

2008-04-10 Thread Lizette Koehler 
Is anyone using the new Encryption Tape Drives (like TS3500) from IBM at a DR 
site?  If so, how are the keys handled?


Lizette

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Encrypted Tapes and DR

2008-04-10 Thread Hal Merritt 
I hear the name of the algorithm is WORN: Write once, read never :-)


Sorry. 

We are looking at the solution and have been through some presentations. 

http://www-03.ibm.com/press/us/en/pressrelease/20254.wss

Key management comes with the solution and DR considerations are allegedly 
built right in. I don't recall any of the details, but I do recall thinking 
their scheme might actually work. After all, sales folks always know their 
product perfectly and all software works exactly as documented :-) 

Even so, my personal take is that there are lots of complex little pieces that 
have to work perfectly or the data is irrevocably lost. Since the data includes 
your backups, well, there you are. Somehow the cost/benefit/risk equations 
don't quite add up in my poor, befuddled brainbone. 

HTH 
 

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of 
Lizette Koehler
Sent: Thursday, April 10, 2008 2:37 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Encrypted Tapes and DR

Is anyone using the new Encryption Tape Drives (like TS3500) from IBM at a DR 
site?  If so, how are the keys handled?


Lizette

 

NOTICE: This electronic mail message and any files transmitted with it are 
intended
exclusively for the individual or entity to which it is addressed. The message, 
together with any attachment, may contain confidential and/or privileged 
information.
Any unauthorized review, use, printing, saving, copying, disclosure or 
distribution 
is strictly prohibited. If you have received this message in error, please 
immediately advise the sender by reply email and delete all copies.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Encrypted Tapes and DR

2008-04-10 Thread Mark Jacobs 
Actually we have them in production and have sucessfully tested a
restore of an encrypted tape in our disaster recovery environment. We
use RACF to control the public piece of the key pair and ICSF holds the
private key. Our DR environment has a completely separate RACF and ICSF
databases from production.

The way that we have set it all up to work is to create keypairs in both
the production and DR environments, import the public keys from the DR
environment into the production environment and attach these keys to EKM
keyring.

When we encrypt tapes we use both the production and DR public keys to
wrap the data encrypting key on the tape. At DR the tape drives talk to
EKM which sends the DR private key to the tape drive which sucessfully
unwraps the data encrypting key protected by the DR public key.

Does that make sense?

Mark Jacobs
Time Customer Service 

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Hal Merritt
Sent: Thursday, April 10, 2008 4:24 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Encrypted Tapes and DR

I hear the name of the algorithm is WORN: Write once, read never :-)


Sorry. 

We are looking at the solution and have been through some presentations.


http://www-03.ibm.com/press/us/en/pressrelease/20254.wss

Key management comes with the solution and DR considerations are
allegedly built right in. I don't recall any of the details, but I do
recall thinking their scheme might actually work. After all, sales folks
always know their product perfectly and all software works exactly as
documented :-) 

Even so, my personal take is that there are lots of complex little
pieces that have to work perfectly or the data is irrevocably lost.
Since the data includes your backups, well, there you are. Somehow the
cost/benefit/risk equations don't quite add up in my poor, befuddled
brainbone. 

HTH 
 

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Lizette Koehler
Sent: Thursday, April 10, 2008 2:37 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Encrypted Tapes and DR

Is anyone using the new Encryption Tape Drives (like TS3500) from IBM at
a DR site?  If so, how are the keys handled?


Lizette

 

NOTICE: This electronic mail message and any files transmitted with it
are intended exclusively for the individual or entity to which it is
addressed. The message, together with any attachment, may contain
confidential and/or privileged information.
Any unauthorized review, use, printing, saving, copying, disclosure or
distribution is strictly prohibited. If you have received this message
in error, please immediately advise the sender by reply email and delete
all copies.

--
For IBM-MAIN subscribe / signoff / archive access instructions, send
email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search
the archives at http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Encrypted Tapes and DR [EMAIL PROTECTED]

2008-04-10 Thread Russell Witt 
That will work just fine Mark, if your DR site is dedicated to you and you
have a running system there that is not recovered from your DR tapes
themselves. If your DR is running at a Sunguard/IBM shared DR recovery site,
then that will not work. In that case, you will have to have a backup of
your RACF database (in un-encrypted form of course) and restore that first;
re-ipl using the new RACF database (can RACF be re-activated with a new
database without an IPL?); then restore the rest of your backups. DR is one
of the biggest issues with any encryption product; and of course Key
Management is the other major concern (don't let your digital certificates
expire when you are still using them).

Russell Witt
CA L2 Support Manager

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED]
Behalf Of Mark Jacobs
Sent: Thursday, April 10, 2008 4:09 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Encrypted Tapes and DR


Actually we have them in production and have sucessfully tested a
restore of an encrypted tape in our disaster recovery environment. We
use RACF to control the public piece of the key pair and ICSF holds the
private key. Our DR environment has a completely separate RACF and ICSF
databases from production.

The way that we have set it all up to work is to create keypairs in both
the production and DR environments, import the public keys from the DR
environment into the production environment and attach these keys to EKM
keyring.

When we encrypt tapes we use both the production and DR public keys to
wrap the data encrypting key on the tape. At DR the tape drives talk to
EKM which sends the DR private key to the tape drive which sucessfully
unwraps the data encrypting key protected by the DR public key.

Does that make sense?

Mark Jacobs
Time Customer Service

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html