Because I (stupidly? ha) worked somewhat with Linux over the years, I
became the SKLM person at the company I work for. Over the past 5 years
we've ordered 2421s with DS8000 boxes. They came with SUSE installed,
but I would often replace it with the latest SUSE version, and then
install SKLM on top of that. Then the DS8000 needs to be told the IP
addresses of the 2 SKLM boxes (Master and Clone) to do the encryption
process which is pretty quick. This must be done prior to defining the
DASD layout (DS8000 must be empty). If there's a power outage, the
DS8000 will query for the keys after everything comes back up. Like
Dave said, the DS8000 also checks the connection periodically even when
it doesn't need the keys, and calls home if there is a connection
problem or one of the SKLMs is down for some reason. Same for a DS7000
(running internally as a DS5000). From what I've seen, keys are only
retrieved real-time for things like 3592 physical tapes with chips on
them. Been a while since I've seen a real tape directly accessed by
z/OS though.
IBM is discontinuing the ability to order the 2421s with a DS8000, so
our response is to order a couple of Dell R240s and deliver those
separately. By coincidence our first 2 of these boxes have been sitting at my
feet since last week, running Red Hat 7.9 and SKLM 3.0.1.5 and working
great, ready for delivery. I chose older versions of both Red Hat and
SKLM for various reasons, but they should be fine.
The last time I saw key management running on z/OS was many years ago, and
it was TKLM, the predecessor of SKLM (I wish they would quit changing the
name).
And like Dave mentioned, when you set up encryption on a DS8000 you get a
"Recovery Key" which can be used after a power failure even if SKLM is
not working. The problem is that I only tested this recovery key
process once, and it took many hours and probably should be considered a
last resort.
We never used the KMIP protocol, but found out last year that it is
required (including client keys imported to the SKLM boxes) with the
newest TS7000 boxes. Something to be aware of next time, I guess.
Ok! Long note. Ready for corrections by Mr. Sipples and others :)
On 3/23/2021 9:34 AM, Ed Jaffe wrote:
Curious what folks are doing to provide SKLM to your IBM Z DASD and tape
devices?
Are people using an IBM Storage Appliance (such as 2421 model AP1),
hosting SKLM on your own dedicated "in room" Linux machines, using
competing KMIP-compliant solutions, or something else entirely?
Thanks...
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
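The post describes the DS8000 periodically checking its two SKLM boxes (Master and Clone) and calling home if either is unreachable. The script below is an added example, not code from the post, from IBM or from the list; it approximates that check from a host so an SKLM outage is noticed before the array actually needs a key. The KMIP port 5696, the host names and the Master/Clone labels are assumptions (the post names no port), and the probe only verifies that a TCP connection and a TLS handshake succeed, not that a key can be fetched.

```python
"""Probe a Master/Clone pair of key servers and classify the result.

Added example, not from the post or from IBM. Port 5696 is the KMIP port
(assumed; the post names no port). A live probe tests TCP connect plus TLS
handshake only; the simulated probe lets the logic run offline.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

KMIP_PORT = 5696  # assumption: IANA-registered KMIP port


@dataclass(frozen=True)
class KeyServer:
    name: str            # e.g. "master" or "clone" (labels taken from the post)
    host: str
    port: int = KMIP_PORT


ProbeResult = Tuple[bool, str]  # (reachable, detail)


def tls_probe(server: KeyServer, cafile: Optional[str] = None,
              timeout: float = 3.0) -> ProbeResult:
    """TCP connect + TLS handshake.

    With cafile the server certificate is verified against that CA, which
    also catches a box whose certificate expired or was swapped. Without it
    only reachability is tested and nothing in the answer is trusted.
    """
    if cafile:
        ctx = ssl.create_default_context(cafile=cafile)
    else:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((server.host, server.port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server.host) as tls:
                return True, f"handshake ok ({tls.version()})"
    except (OSError, ssl.SSLError) as exc:
        return False, f"{type(exc).__name__}: {exc}"


def assess_pair(servers: List[KeyServer],
                probe: Callable[[KeyServer], ProbeResult] = tls_probe) -> Dict[str, object]:
    """Classify the pair.

    OK: all reachable. DEGRADED: some down, keys still obtainable from the
    other box. CRITICAL: all down, an array coming back from a power outage
    could not fetch its keys and the recovery-key path would be next.
    """
    results = {s.name: probe(s) for s in servers}
    down = sorted(name for name, (ok, _) in results.items() if not ok)
    if not down:
        level = "OK"
    elif len(down) < len(results):
        level = "DEGRADED"
    else:
        level = "CRITICAL"
    return {"level": level, "down": down,
            "detail": {name: detail for name, (_, detail) in results.items()}}


def simulated_probe(up: Dict[str, bool]) -> Callable[[KeyServer], ProbeResult]:
    """Constructed probe for offline use: answers from a name -> up table."""
    def probe(server: KeyServer) -> ProbeResult:
        if up.get(server.name, False):
            return True, "simulated: up"
        return False, "simulated: connection refused"
    return probe


if __name__ == "__main__":
    # Placeholder host names; substitute your own key servers.
    pair = [KeyServer("master", "sklm1.example.test"),
            KeyServer("clone", "sklm2.example.test")]
    # Live check: print(assess_pair(pair))
    # Offline demonstration with a constructed clone outage:
    print(assess_pair(pair, simulated_probe({"master": True, "clone": False})))
```

Run it from cron on a host that can reach both boxes and page on DEGRADED rather than waiting for CRITICAL; a single box down is exactly the state you want fixed before a power event, and pass a `cafile` so the probe also flags a certificate that is about to stop the real clients from connecting.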