I have had 2 customers implement TKLM in both their production and DR sites recently and neither had any difficulty. We actually spent much less than one week getting it up and running (elapsed time was longer due to change control). We never had to install Websphere or DB2 to use TKLM. We did need to make sure that we had the SDK (JAVA) installed if we wanted TKLM to run under z/OS. My customer actually chose to install one instance of TKLM on AIX and one on z/OS. The only other decision to make is the keystore and I can assure you that DB2 is not required.

Adolph Kahan
GlassHouse Systems Inc.
416-229-2950 Ext 304

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Russell Witt
Sent: Thursday, February 18, 2010 12:14 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: DFSMSrmm Tape encryption

TKLM is IBM's new Tivoli Key Lifecycle Manager and is the replacement for EKM. While EKM is (was) a no-cost download; I believe (could be wrong) TKLM is an extra-cost software product that requires WebSphere (oh goody-goody). And while EKM can still be downloaded, the statement on the IBM web-site is that it is only for existing clients and new clients must use TKLM.

And to be honest, as Lizette has indicated in earlier posts even EKM is not that easy to install. While key management of the tape encryption keys is critical (that is why we have CA Key Manager as well); I really don't see why it needs to be made so difficult. Granted, no-one wants to "lose" the keys since their existing tape data would suddenly become inaccessible. So you need to balance the ability to have multiple copies stored in secure locations with having enough security that only authorized systems can access them. But the installation should not require a month of effort, especially at the DR location.

Just my own 2-cents worth of opinion here.

Russell Witt

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Richard Peurifoy
Sent: Wednesday, February 17, 2010 5:54 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: DFSMSrmm Tape encryption

On 2/17/2010 5:04 PM, Tom Longfellow wrote:
> How did the installation of TKLM go? It has been a nightmare for us.
> Over a month of effort without a valid working install yet.
> And now we have to deal with getting an operational DB2 and WebSphere app
> server (SSRE) system at our DR site before we can read any encrypted
> data. Running SSRE takes more storage frames than our major subsystems.
> The overhead in software to activate this 'hardware' feature is becoming
> more trouble than it is worth.

I can't speak for Mark, but we don't have TKLM. I am not even sure what it does.

I just installed an EKM server on z/OS (did take a while to get all the JAVA pieces worked out), and created a key through RACF. I use SMS to control what gets encrypted (by default everything). The only thing we are writing are backups, so they all use the same key. Key management could get to be a problem if you needed lots of keys.

--
Richard

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html