Table of Contents for Getting Started with z/OS Data Set Encryption
by Andy Coulson, Bill White, Jacky Doll, Brad Habbershaw, Cecilia Carranza Lewis, Tho
Front cover
Notices
Trademarks
Preface
Authors
Now you can become a published author, too!
Comments welcome
Stay connected to IBM Redbooks
Chapter 1. Protecting data in today’s IT environment
1.1 Which data
1.1.1 Data at-rest
1.1.2 Data in-use
1.1.3 Data in-flight
1.1.4 Sensitive data
1.2 Why protect data
1.2.1 Accidental exposure
1.2.2 Insider attacks
1.2.3 Data breaches
1.2.4 Regulations
1.3 How to protect data
1.3.1 Defining the perimeter
1.3.2 Methods to protect data
1.3.3 Encryption
1.3.4 Forms of encryption
1.3.5 Cryptographic keys
1.4 IBM Z pervasive encryption
1.4.1 Encrypting beyond compliance
1.4.2 Encryption pyramid
1.4.3 Managing the pervasive encryption environment
1.5 Understanding z/OS data set encryption
1.5.1 IBM Z cryptographic system
1.6 How z/OS data set encryption works
1.7 Administrator’s perspective of z/OS data set encryption
1.7.1 Security administrator
1.7.2 Storage administrator
1.7.3 Cryptographic administrator
Chapter 2. Identifying components and release levels
2.1 Starting a z/OS data set encryption implementation
2.2 Required and optional hardware features
2.2.1 IBM Z platform: Optimized for data set encryption
2.2.2 Central Processor Assist for Cryptographic Function
2.2.3 Crypto Express adapters
2.2.4 Trusted Key Entry workstation
2.2.5 Enterprise Key Management Foundation workstation
2.3 Required and optional software features
2.3.1 IBM z/OS DFSMS
2.3.2 IBM z/OS Integrated Cryptographic Service Facility
2.3.3 IBM System Authorization Facility
2.3.4 IBM Resource Access Control Facility for z/OS
2.3.5 IBM Multi-Factor Authentication for z/OS
2.3.6 IBM Security zSecure Suite
2.3.7 IBM Security QRadar
2.3.8 IBM zBNA and zCP3000
2.4 Cost and performance effect
Chapter 3. Planning for z/OS data set encryption
3.1 Creating an implementation plan
3.1.1 Distinguishing roles and responsibilities
3.2 Data set administration considerations
3.2.1 Supported data set types
3.2.2 Data set compression
3.2.3 Data set naming conventions
3.2.4 Encrypted data set availability at IPL
3.2.5 Using z/OS data set encryption with Db2, IMS, IBM MQ, CICS, and zFS
3.2.6 Copying, backing up, migrating, and replicating encrypted data sets
3.3 Resource authorization considerations
3.3.1 Organizing DATASET resource profiles
3.3.2 Separating duties of data owners and administrators
3.3.3 Considering multi-factor authentication
3.4 ICSF administration considerations
3.4.1 Upgrading an IBM Z platform
3.4.2 Starting ICSF early in the IPL process
3.4.3 Using the Common Record Format (KDSR) cryptographic key data set
3.4.4 Planning the size of your CKDS
3.4.5 Calculating the virtual storage that is needed for the CKDS
3.4.6 Sharing the CKDS in a sysplex
3.5 Key management considerations
3.5.1 Understanding key management
3.5.2 Reviewing industry regulations
3.5.3 Choosing key algorithms and lengths
3.5.4 Determining key security
3.5.5 Choosing key officers
3.5.6 Using protected keys for high-speed encryption
3.5.7 Creating a key label naming convention
3.5.8 Deciding whether to archive or delete keys
3.5.9 Defining key rotation
3.5.10 Establishing cryptoperiods
3.5.11 Establishing a process for handling compromised operational keys
3.5.12 Establishing a process for handling compromised master keys
3.5.13 Choosing key management tools
3.5.14 Determining key availability needs
3.5.15 Creating backups of keys
3.5.16 Planning for disaster recovery
3.6 General considerations
3.6.1 Defining a maintenance policy
3.6.2 Performing z/OS health checks
3.6.3 Backing out of z/OS data set encryption
Chapter 4. Preparing for z/OS data set encryption
4.1 Data set configuration
4.1.1 Migrating to extended format data sets
4.1.2 Compressing data sets before encryption
4.2 RACF configuration
4.2.1 Restricting data set encryption to security administrators
4.2.2 Defining DATASET, CSFSERV, CSFKEYS, and other resources
4.2.3 Setting a policy to control the use of archived keys
4.2.4 Configuring the RACF environment for key generation
4.3 ICSF configuration
4.3.1 Configuring Crypto Express adapters
4.3.2 Creating a Common Record Format (KDSR) CKDS
4.3.3 CSFPRMxx and installation options
4.3.4 Starting and stopping ICSF
4.3.5 Loading the AES master key
4.3.6 Initializing the CKDS
4.3.7 Verifying the ICSF configuration
4.3.8 Reviewing messages and codes
4.4 Audit configuration
4.4.1 Enabling SMF record types 14, 15, 62, 70, 80, 82, and 113
4.4.2 Configuring SMF recording options in SMFPRMxx
4.4.3 Enabling auditing for master key change operations
4.4.4 RMF Crypto Hardware Activity Report
Chapter 5. Deploying z/OS data set encryption
5.1 Readiness checklists for deployment
5.2 Deploying z/OS data set encryption
5.3 Generating a secure 256-bit AES DATA key
5.3.1 Using Enterprise Key Management Foundation
5.3.2 Using ICSF panels
5.3.3 Using ICSF APIs
5.3.4 Using CSFKGUP
5.4 Protecting data sets with secure keys
5.5 Encrypting a data set with a secure key
5.6 Verifying that the data set is encrypted
5.7 Granting access to encrypted data sets
5.8 Accessing encrypted data sets
5.9 Viewing the encrypted text
Chapter 6. Auditing z/OS data set encryption
6.1 Auditing encrypted sequential data sets
6.2 Auditing encrypted VSAM data sets
6.3 Auditing crypto hardware activity
6.4 Auditing security authorization attempts
6.5 Auditing crypto engine, service, and algorithm usage
6.6 Auditing key lifecycle transitions
6.7 Auditing key usage operations
6.8 Formatting SMF Type 82 records
Chapter 7. Maintaining encrypted data sets
7.1 Identifying encrypted data sets
7.1.1 Using IBM zSecure
7.2 Rekeying encrypted data sets
7.2.1 Rotating the AES master key
7.2.2 Rotating data set encryption keys
Chapter 8. Maintaining the ICSF environment
8.1 Viewing master key information
8.1.1 ICSF Coprocessor Management panel
8.1.2 Display ICSF operator command (D ICSF,MKS and D ICSF,CARDS)
8.2 Viewing ICSF options
8.2.1 ICSF OPSTAT utility panel
8.2.2 Display ICSF operator command (D ICSF,OPT)
8.3 Refreshing the CKDS
8.3.1 Refreshing a CKDS shared in a sysplex
8.3.2 Refreshing a single CKDS
8.4 Increasing the CKDS size
8.5 Validating CKDS keys
8.6 Verifying the CKDS format
8.7 Dumping CKDS contents
8.8 Browsing the CKDS
Chapter 9. Maintaining data set encryption keys
9.1 Backing up and restoring data set encryption keys
9.1.1 Manual backup and restore
9.1.2 Automated backup and restore
9.1.3 Refreshing the CKDS
9.2 Transporting data set encryption keys
9.2.1 Overview of scenarios
9.2.2 Scenario 1: Same Master Key
9.2.3 Scenario 2: Different Master Key
9.2.4 Scenario 3: Duplicate Key Label
9.3 Viewing the last reference date
9.3.1 Using the CKDS Keys panel utility
9.3.2 Using the CSFKDMR callable service
9.4 Archiving data set encryption keys
9.5 Setting key expiration dates
Appendix A. Troubleshooting
A.1 Accessing data sets
A.2 Invalid keys in CKDS
A.3 Keys
Related publications
IBM Redbooks
Online resources
Help from IBM
Back cover
Note: Before using this information and the product it supports, read the information in “Notices” on page vii.