Getting Started with z/OS Data Set Encryption

Book description

Abstract

This IBM® Redbooks® publication provides a broad explanation of data protection through encryption and IBM Z® pervasive encryption with a focus on IBM z/OS® data set encryption. It describes how the various hardware and software components interact in a z/OS data set encryption environment.

In addition, this book concentrates on the planning and preparing of the environment and offers implementation, configuration, and operational examples that can be used in z/OS data set encryption environments.

This publication is intended for IT architects, system programmer, and security administrators who plan for, deploy, and manage security on the Z platform. The reader is expected to have a basic understanding of IBM Z security concepts.

Table of contents

  1. Front cover
  2. Notices
    1. Trademarks
  3. Preface
    1. Authors
    2. Now you can become a published author, too!
    3. Comments welcome
    4. Stay connected to IBM Redbooks
  4. Chapter 1. Protecting data in today’s IT environment
    1. 1.1 Which data
      1. 1.1.1 Data at-rest
      2. 1.1.2 Data in-use
      3. 1.1.3 Data in-flight
      4. 1.1.4 Sensitive data
    2. 1.2 Why protect data
      1. 1.2.1 Accidental exposure
      2. 1.2.2 Insider attacks
      3. 1.2.3 Data breaches
      4. 1.2.4 Regulations
    3. 1.3 How to protect data
      1. 1.3.1 Defining the perimeter
      2. 1.3.2 Methods to protect data
      3. 1.3.3 Encryption
      4. 1.3.4 Forms of encryption
      5. 1.3.5 Cryptographic keys
    4. 1.4 IBM Z pervasive encryption
      1. 1.4.1 Encrypting beyond compliance
      2. 1.4.2 Encryption pyramid
      3. 1.4.3 Managing the pervasive encryption environment
    5. 1.5 Understanding z/OS data set encryption
      1. 1.5.1 IBM Z cryptographic system
    6. 1.6 How z/OS data set encryption works
    7. 1.7 Administrator’s perspective of z/OS data set encryption
      1. 1.7.1 Security administrator
      2. 1.7.2 Storage administrator
      3. 1.7.3 Cryptographic administrator
  5. Chapter 2. Identifying components and release levels
    1. 2.1 Starting a z/OS data set encryption implementation
    2. 2.2 Required and optional hardware features
      1. 2.2.1 IBM Z platform: Optimized for data set encryption
      2. 2.2.2 Central Processor Assist for Cryptographic Function
      3. 2.2.3 Crypto Express adapters
      4. 2.2.4 Trusted Key Entry workstation
      5. 2.2.5 Enterprise Key Management Foundation workstation
    3. 2.3 Required and optional software features
      1. 2.3.1 IBM z/OS DFSMS
      2. 2.3.2 IBM z/OS Integrated Cryptographic Service Facility
      3. 2.3.3 IBM System Authorization Facility
      4. 2.3.4 IBM Resource Access Control Facility for z/OS
      5. 2.3.5 IBM Multi-Factor Authentication for z/OS
      6. 2.3.6 IBM Security zSecure Suite
      7. 2.3.7 IBM Security QRadar
      8. 2.3.8 IBM zBNA and zCP3000
    4. 2.4 Cost and performance effect
  6. Chapter 3. Planning for z/OS data set encryption
    1. 3.1 Creating an implementation plan
      1. 3.1.1 Distinguishing roles and responsibilities
    2. 3.2 Data set administration considerations
      1. 3.2.1 Supported data set types
      2. 3.2.2 Data set compression
      3. 3.2.3 Data set naming conventions
      4. 3.2.4 Encrypted data set availability at IPL
      5. 3.2.5 Using z/OS data set encryption with Db2, IMS, IBM MQ, CICS, and zFS
      6. 3.2.6 Copying, backing up, migrating, and replicating encrypted data sets
    3. 3.3 Resource authorization considerations
      1. 3.3.1 Organizing DATASET resource profiles
      2. 3.3.2 Separating duties of data owners and administrators
      3. 3.3.3 Considering multi-factor authentication
    4. 3.4 ICSF administration considerations
      1. 3.4.1 Upgrading an IBM Z platform
      2. 3.4.2 Starting ICSF early in the IPL process
      3. 3.4.3 Using the Common Record Format (KDSR) cryptographic key data set
      4. 3.4.4 Planning the size of your CKDS
      5. 3.4.5 Calculating the virtual storage that is needed for the CKDS
      6. 3.4.6 Sharing the CKDS in a sysplex
    5. 3.5 Key management considerations
      1. 3.5.1 Understanding key management
      2. 3.5.2 Reviewing industry regulations
      3. 3.5.3 Choosing key algorithms and lengths
      4. 3.5.4 Determining key security
      5. 3.5.5 Choosing key officers
      6. 3.5.6 Using protected keys for high-speed encryption
      7. 3.5.7 Creating a key label naming convention
      8. 3.5.8 Deciding whether to archive or delete keys
      9. 3.5.9 Defining key rotation
      10. 3.5.10 Establishing cryptoperiods
      11. 3.5.11 Establishing a process for handling compromised operational keys
      12. 3.5.12 Establishing a process for handling compromised master keys
      13. 3.5.13 Choosing key management tools
      14. 3.5.14 Determining key availability needs
      15. 3.5.15 Creating backups of keys
      16. 3.5.16 Planning for disaster recovery
    6. 3.6 General considerations
      1. 3.6.1 Defining a maintenance policy
      2. 3.6.2 Performing z/OS health checks
      3. 3.6.3 Backing out of z/OS data set encryption
  7. Chapter 4. Preparing for z/OS data set encryption
    1. 4.1 Data set configuration
      1. 4.1.1 Migrating to extended format data sets
      2. 4.1.2 Compressing data sets before encryption
    2. 4.2 RACF configuration
      1. 4.2.1 Restricting data set encryption to security administrators
      2. 4.2.2 Defining DATASET, CSFSERV, CSFKEYS, and other resources
      3. 4.2.3 Setting a policy to control the use of archived keys
      4. 4.2.4 Configuring the RACF environment for key generation
    3. 4.3 ICSF configuration
      1. 4.3.1 Configuring Crypto Express adapters
      2. 4.3.2 Creating a Common Record Format (KDSR) CKDS
      3. 4.3.3 CSFPRMxx and installation options
      4. 4.3.4 Starting and stopping ICSF
      5. 4.3.5 Loading the AES master key
      6. 4.3.6 Initializing the CKDS
      7. 4.3.7 Verifying the ICSF Configuration
      8. 4.3.8 Reviewing messages and codes
    4. 4.4 Audit configuration
      1. 4.4.1 Enabling SMF record types 14, 15, 62, 70, 80, 82, and 113
      2. 4.4.2 Configuring SMF recording options in SMFPRMxx
      3. 4.4.3 Enabling auditing for master key change operations
      4. 4.4.4 RMF Crypto Hardware Activity Report
  8. Chapter 5. Deploying z/OS data set encryption
    1. 5.1 Readiness checklists for deployment
    2. 5.2 Deploying z/OS data set encryption
    3. 5.3 Generating a secure 256-bit AES DATA key
      1. 5.3.1 Using Enterprise Key Management Foundation
      2. 5.3.2 Using ICSF panels
      3. 5.3.3 Using ICSF APIs
      4. 5.3.4 Using CSFKGUP
    4. 5.4 Protecting data sets with secure keys
    5. 5.5 Encrypting a data set with a secure key
    6. 5.6 Verifying that the data set is encrypted
    7. 5.7 Granting access to encrypted data sets
    8. 5.8 Accessing encrypted data sets
    9. 5.9 Viewing the encrypted text
  9. Chapter 6. Auditing z/OS data set encryption
    1. 6.1 Auditing encrypted sequential data sets
    2. 6.2 Auditing encrypted VSAM data sets
    3. 6.3 Auditing crypto hardware activity
    4. 6.4 Auditing security authorization attempts
    5. 6.5 Auditing crypto engine, service, and algorithm usage
    6. 6.6 Auditing key lifecycle transitions
    7. 6.7 Auditing key usage operations
    8. 6.8 Formatting SMF Type 82 records
  10. Chapter 7. Maintaining encrypted data sets
    1. 7.1 Identifying encrypted data sets
      1. 7.1.1 Using IBM zSecure
    2. 7.2 Rekeying encrypted data sets
      1. 7.2.1 Rotating the AES master key
      2. 7.2.2 Rotating data set encryption keys
  11. Chapter 8. Maintaining the ICSF environment
    1. 8.1 Viewing master key information
      1. 8.1.1 ICSF Coprocessor Management panel
      2. 8.1.2 Display ICSF operator command (D ICSF,MKS and D ICSF,CARDS)
    2. 8.2 Viewing ICSF options
      1. 8.2.1 ICSF OPSTAT utility panel
      2. 8.2.2 Display ICSF operator command (D ICSF,OPT)
    3. 8.3 Refreshing the CKDS
      1. 8.3.1 Refreshing a CKDS shared in a sysplex
      2. 8.3.2 Refreshing a single CKDS
    4. 8.4 Increasing the CKDS size
    5. 8.5 Validating CKDS keys
    6. 8.6 Verifying the CKDS format
    7. 8.7 Dumping CKDS contents
    8. 8.8 Browsing the CKDS
  12. Chapter 9. Maintaining data set encryption keys
    1. 9.1 Backing up and restoring data set encryption keys
      1. 9.1.1 Manual backup and restore
      2. 9.1.2 Automated backup and restore
      3. 9.1.3 Refreshing the CKDS
    2. 9.2 Transporting data set encryption keys
      1. 9.2.1 Overview of scenarios
      2. 9.2.2 Scenario 1: Same Master Key
      3. 9.2.3 Scenario 2: Different Master Key
      4. 9.2.4 Scenario 3: Duplicate Key Label
    3. 9.3 Viewing the last reference date
      1. 9.3.1 Using the CKDS Keys panel utility
      2. 9.3.2 Using the CSFKDMR callable service
    4. 9.4 Archiving data set encryption keys
    5. 9.5 Setting key expiration dates
  13. Appendix A. Troubleshooting
    1. A.1 Accessing data sets
    2. A.2 Invalid keys in CKDS
    3. A.3 Keys
  14. Related publications
    1. IBM Redbooks
    2. Online resources
    3. Help from IBM
  15. Back cover

Product information

  • Title: Getting Started with z/OS Data Set Encryption
  • Author(s): Andy Coulson Bill White Jacky Doll, Brad Habbershaw, Cecilia Carranza Lewis, Thomas Liu, Ryan McCarry, Eysha Shirrine Powers, Philippe Richard, Romoaldo Santos
  • Release date: June 2018
  • Publisher(s): IBM Redbooks
  • ISBN: 9780738456874