book

Getting Started with z/OS Data Set Encryption

by Bill White, Cecilia Carranza Lewis, Eysha Shirrine Powers, David Rossi, Eric Rossman, Andy Coulsonr, Jacky Doll, Brad Habbershow, Thomas Liu, Ryan McCarry, Philippe Richard, Romoaldo Santos, Isabel Arnold, Kasper Lindberg

December 2021

Beginner

252 pages

8h 1m

English

IBM Redbooks

Read now

Unlock full access

Trademarks
AuthorsNow you can become a published author, too!Comments welcomeStay connected to IBM Redbooks
1.1 Which data1.1.1 Data at-rest1.1.2 Data in-use1.1.3 Data in-flight1.1.4 Sensitive data1.2 Why protect data1.2.1 Accidental exposure1.2.2 Insider attacks1.2.3 Data breaches1.2.4 Regulations1.3 Standards and regulations overview1.3.1 PCI Data Security Standards (PCI-DSS)1.3.2 General Data Protection Regulation (GDPR)1.3.3 California Consumer Privacy Act (CCPA)1.3.4 The Sarbanes-Oxley Act of 2002 (SOX)1.3.5 ISO/IEC 270011.3.6 Federal Information Security Modernization Act of 2014 (FISMA 2014)1.3.7 Payment Card Industry (PCI) PTS HSM Security Requirements (PCI-HSM)1.3.8 German Banking Industry Committee (GBIC)1.3.9 Australian Payments Network (Auspaynet)1.3.10 Common Criteria1.3.11 FIPS PUB 140-3 (Security Requirements for Cryptographic Modules)1.3.12 HIPAA/HITECH1.3.13 eIDAS (electronic IDentification, Authentication and trust Services)1.4 How to protect data1.4.1 Defining the perimeter1.4.2 Methods to protect data1.4.3 Encryption1.4.4 Forms of encryption1.4.5 Cryptographic keys1.5 Pervasive encryption for IBM Z1.5.1 Encrypting above and beyond compliance requirements1.5.2 Encryption pyramid (data at rest)1.5.3 Managing the pervasive encryption environment1.6 Understanding z/OS data set encryption1.6.1 Challenges and use cases1.6.2 IBM Z cryptographic system1.7 How z/OS data set encryption works1.8 Administratorâ€™s perspective of z/OS data set encryption1.8.1 Security administrator1.8.2 Storage administrator1.8.3 Cryptographic administrator1.8.4 Key manager
2.1 Starting a z/OS data set encryption implementation2.2 Required and optional hardware features2.2.1 IBM Z platform: Optimized for data set encryption2.2.2 Central Processor Assist for Cryptographic Function2.2.3 Crypto Express adapters2.2.4 Trusted Key Entry workstation2.2.5 IBM Enterprise Key Management Foundation2.3 Required and optional software features2.3.1 IBM z/OS DFSMS2.3.2 IBM z/OS Integrated Cryptographic Service Facility2.3.3 IBM System Authorization Facility2.3.4 IBM Resource Access Control Facility for z/OS2.3.5 IBM Multi-Factor Authentication for z/OS2.3.6 IBM Security zSecure Suite2.3.7 IBM Security QRadar2.3.8 IBM zBNA2.4 Cost and performance effect
3.1 Creating an implementation plan3.1.1 Distinguishing roles and responsibilities3.2 Data set administration considerations3.2.1 Supported data set types3.2.2 Data set compression3.2.3 Data set naming conventions3.2.4 Encrypted data set availability at IPL3.2.5 Using z/OS data set encryption with Db2, IMS, IBM MQ, CICS, and zFS3.2.6 Copying, backing up, migrating, and replicating encrypted data sets3.3 Resource authorization considerations3.3.1 Organizing DATASET resource profiles3.3.2 Separating duties of data owners and administrators3.3.3 Considering multi-factor authentication3.4 ICSF administration considerations3.4.1 Upgrading an IBM Z platform3.4.2 Starting ICSF early in the IPL process3.4.3 Using the Common Record Format (KDSR) cryptographic key data set3.4.4 Planning the size of your CKDS3.4.5 Calculating the virtual storage that is needed for the CKDS3.4.6 Sharing the CKDS in a sysplex3.5 Key management considerations3.5.1 Understanding key management3.5.2 Reviewing industry regulations3.5.3 Choosing key algorithms and lengths3.5.4 Determining key security3.5.5 Choosing key officers3.5.6 Using protected keys for high-speed encryption3.5.7 Creating a key label naming convention3.5.8 Deciding whether to archive or delete keys3.5.9 Defining key rotation3.5.10 Establishing cryptoperiods3.5.11 Establishing a process for handling compromised operational keys3.5.12 Establishing a process for handling compromised master keys3.5.13 Choosing key management tools3.5.14 Determining key availability needs3.5.15 Creating backups of keys3.5.16 Planning for disaster recovery3.6 General considerations3.6.1 Defining a maintenance policy3.6.2 Performing z/OS health checks3.6.3 Backing out of z/OS data set encryption3.6.4 Auditing and compliance
4.1 Data set configuration4.1.1 Migrating to extended format data sets4.1.2 Compressing data sets before encryption4.2 RACF configuration4.2.1 Restricting data set encryption to security administrators4.2.2 Defining DATASET, CSFSERV, CSFKEYS, and other resources4.2.3 Setting a policy to control the use of archived keys4.2.4 Configuring the RACF environment for key generation4.3 ICSF configuration4.3.1 Configuring Crypto Express adapters4.3.2 Creating a Common Record Format (KDSR) CKDS4.3.3 CSFPRMxx and installation options4.3.4 Starting and stopping ICSF4.3.5 Loading the AES master key4.3.6 Initializing the CKDS4.3.7 Verifying the ICSF Configuration 4.3.8 Reviewing messages and codes4.4 Audit configuration4.4.1 Enabling SMF record types 14, 15, 42, 62, 70, 80, 82, and 1134.4.2 Configuring SMF recording options in SMFPRMxx4.4.3 Enabling auditing for master key change operations4.4.4 RMF Crypto Hardware Activity Report4.4.5 EKMF Auditing4.5 EKMF Configuration4.5.1 EKMF Agent4.5.2 EKMF Web4.5.3 EKMF Workstation
5.1 Readiness checklists for deployment5.2 Deploying z/OS data set encryption5.3 Generating a secure 256-bit data set encryption key5.3.1 Using Enterprise Key Management Foundation5.3.2 Using ICSF panels5.3.3 Using ICSF APIs5.3.4 Using CSFKGUP5.4 Protecting data sets with secure keys5.5 Encrypting a data set with a secure key5.6 Verifying that the data set is encrypted5.7 Granting access to encrypted data sets5.8 Accessing encrypted data sets5.9 Viewing the encrypted text
6.1 Auditing encrypted sequential data sets and PDSEs6.2 Auditing encrypted VSAM data sets6.3 Auditing crypto hardware activity6.4 Auditing security authorization attempts6.5 Auditing crypto engine, service, and algorithm usage6.6 Auditing key lifecycle transitions6.7 Auditing key usage operations6.8 Formatting SMF Type 82 records6.9 Auditing Key management in EKMF
7.1 Identifying encrypted data sets7.1.1 Using IBM zSecure7.1.2 Using EKMF Web7.2 Rekeying encrypted data sets7.2.1 Rotating the AES master key7.2.2 Rotating data set encryption keys

8.1 Viewing master key information8.1.1 ICSF Coprocessor Management panel8.1.2 Display ICSF operator command (D ICSF,MKS and D ICSF,CARDS)8.2 Viewing ICSF options8.2.1 ICSF OPSTAT utility panel8.2.2 Display ICSF operator command (D ICSF,OPT)8.3 Refreshing the CKDS8.3.1 Refreshing a CKDS shared in a sysplex8.3.2 Refreshing a single CKDS8.4 Increasing the CKDS size8.5 Validating CKDS keys8.6 Verifying the CKDS format8.7 Dumping CKDS contents8.8 Browsing the CKDS
9.1 Backing up and restoring data set encryption keys9.1.1 Manual backup and restore9.1.2 Automated backup and restore9.1.3 Refreshing the CKDS9.1.4 EKMF backup and restore9.2 Transporting data set encryption keys9.2.1 Overview of scenarios9.2.2 Scenario 1: Same Master Key9.2.3 Scenario 2: Different Master Key9.2.4 Scenario 3: Duplicate Key Label9.3 Viewing the last reference date9.3.1 Using the CKDS Keys panel utility9.3.2 Using the CSFKDMR callable service9.4 Archiving data set encryption keys9.5 Deactivating EKMF managed data set encryption keys9.6 Setting key expiration dates
10.1 Introduction to IBM Enterprise Key Management Foundation - Web Edition (EKMF Web)10.1.1 EKMF Web Edition overview10.2 EKMF Web edition requirements10.2.1 Key hierarchy10.2.2 EKMF Web authorization roles10.3 Key management with EKMF Web10.3.1 EKMF Keystores10.3.2 Key template10.3.3 Key label10.3.4 Keystores10.3.5 Characteristics of the key template10.3.6 Key lifecycle10.3.7 Key rotation10.4 EKMF Web view of data sets10.5 Summary
A.1 Accessing data setsA.2 Invalid keys in CKDSA.3 Keys
IBM RedbooksOnline resourcesHelp from IBM

Overview

This IBM® Redpaper Redbooks® publication provides a broad explanation of data protection through encryption and IBM Z® pervasive encryption with a focus on IBM z/OS® data set encryption. It describes how the various hardware and software components interact in a z/OS data set encryption environment.

In addition, this book concentrates on the planning and preparing of the environment and offers implementation, configuration, and operational examples that can be used in z/OS data set encryption environments.

This publication is intended for IT architects, system programmer, and security administrators who plan for, deploy, and manage security on the Z platform. The reader is expected to have a basic understanding of IBM Z security concepts.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Getting Started with z/OS Data Set Encryption

Publisher Resources

ISBN: 9780738460222Other

Getting Started with z/OS Data Set Encryption

by Bill White, Cecilia Carranza Lewis, Eysha Shirrine Powers, David Rossi, Eric Rossman, Andy Coulsonr, Jacky Doll, Brad Habbershow, Thomas Liu, Ryan McCarry, Philippe Richard, Romoaldo Santos, Isabel Arnold, Kasper Lindberg

Overview

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like