Re: Any default encryption for TSM server??
I would say there are 4 types of encryption. (Chapter 14 in the 5.5 Admin Guide covers a lot of this)

- TSM Client level encryption (using the include.encrypt and various client options). Data is encrypted before sending to the TSM server. (software based)
- TSM Server level encryption (using the devclass DRIVEEncryption option). This is done at the devclass/stgpool level (i.e. DB Backups are not encrypted). (hardware based)
- AIX System level. Encryption is handled at the Atape level. (hardware based)
- Library managed (completely transparent to TSM). (hardware based)

1- no default encryption
2- Each method will have its own way to check. The way we proved to our auditors involved documenting an attempt to restore without the keys (which failed)
3- These have nothing to do with encryption. These are basic client files. Refer to the TSM Client manual.

Regards,
Shawn

Shawn Drew

Internet
tsm-fo...@backupcentral.com
Sent by: ADSM-L@VM.MARIST.EDU
08/09/2011 09:22 PM
Please respond to ADSM-L@VM.MARIST.EDU
To ADSM-L
cc
Subject [ADSM-L] Any default encryption for TSM server??

Conclude that the TSM encryption can be categorized into two types:
1) Software/application layer encryption
2) Hardware layer encryption (Tape drive).

Question:
1) Does TSM have any data protection other than these two? Does TSM have default encryption if we never configure any setting to enable the software/application and there is no license key bought for the hardware layer to do encryption?
2) If a software/application was configured or installed on the server, how can we check it? (e.g. maybe there are some files or commands able to show it, and please show me the way to check whether the encryption is enabled or not to protect the data)
3) Can you tell me where these files are and what their content is about:
- TSM.PWD
- Dsm.sys
- Dsm.opt
And what do the INCLUDE.ENCRYPT and EXCLUDE.ENCRYPT statements mean? Where are they? And the last question is which file contains the encryptkey and encryptiontype parameters?
Re: Any default encryption for TSM server??
There is no default encryption on TSM Server.
For hardware encryption you need to look into the drive configuration.
Software encryption is supported by TSM Client and TDP (API).

For example, we need to encrypt all information related to Oracle databases on an AIX logical partition (database dumps and database backups via TDPO). Configuration steps are (encryption keys are kept in the TSM database):

1) To enable the possibility of encryption for AIX file systems, add the next lines into /usr/tivoli/tm/ba/bin64/dsm.sys:

    Nodename LPAR05
    Encryptiontype AES128
    Encryptkey generate
    InclExcl /backup/tsm/ba/InclExcl.list

2) To enable the possibility of encryption for TDP for Oracle backups, add the next lines into /usr/tivoli/tsm/api/bin64/dsm.sys:

    NODENAME LPAR05_ORA
    Encryptiontype AES128
    Encryptkey generate
    Inclexcl /backup/tsm/ba/InclExcl.list

3) Set encryption for database dumps and TDPO backups in the include/exclude list /backup/tsm/ba/InclExcl.list:

    include * AIX
    include /.../* FSLPAR05
    include /ifns_ifns/.../* DBLPAR05
    include /patm_patm/.../* DBLPAR05
    include /ptel_ptel/.../* DBLPAR05
    include.encrypt /ifns_ifns/.../*
    include.encrypt /patm_patm/.../*
    include.encrypt /ptel_ptel/.../*
    include.encrypt *.dmp.Z

Note, there are 3 databases with file space names ifns_ifns, patm_patm and ptel_ptel (names are defined in the TDPO configuration file). In addition, all database dumps are kept in compressed files *.dmp.Z. The list of encrypted files can be expanded by adding INCLUDE.ENCRYPT lines into the include/exclude list.

To check encryption for databases:

    q act or=client node=LPAR05_ORA begind=08/09/2011

    .
    Date/Time: 08/09/2011 15:44:51
    Message: ANE4991I (Session: 42231, Node: LPAR05_ORA) TDP Oracle AIX ANU0599 TDP for Oracle: (9216226): =>(LPAR05_ORA) ANU2526I Backup details for backup piece /ifns_ifns///LPAR05/ifns.09.1.58075.1.758734242 (database "IFNSDB"). Total bytes sent: 9756213248. Total processing time: 00:14:06. Throughput rate: 11261.88Kb/Sec. Compressed: Yes , 61%. Encryption: AES_128BIT. LAN-Free: No.(SESSION: 42231)
    ..
    Date/Time: 08/09/2011 16:05:32
    Message: ANE4991I (Session: 44685, Node: LPAR05_ORA) TDP Oracle AIX ANU0599 TDP for Oracle: (10055750): =>(LPAR05_ORA) ANU2526I Backup details for backup piece /patm_patm///LPAR05/Archive_patm.09.50832.1.758736133 (database "PATMDB"). Total bytes sent: 3064201216. Total processing time: 00:03:17. Throughput rate: 15189.77Kb/Sec. Compressed: Yes , 54%. Encryption: AES_128BIT. LAN-Free: No.(SESSION: 44685)

To check encryption for database dumps:

    dsmc query backup "/home/users05/fnsonli/backup/*.dmp.Z" -detail -traceflags=query
    dsmc query backup "/backup05/exp/patm/*.dmp.Z" -detail -traceflags=query
    dsmc query backup "/backup05/exp/ptel/*.dmp.Z" -detail -traceflags=query
    dsmc query backup "/backup05/exp/ptel/*.log" -detail -traceflags=query

For example, prove_encryption.sh gives:

    IBM Tivoli Storage Manager
    Command Line Backup-Archive Client Interface
    Client Version 6, Release 2, Level 2.0
    Client date/time: 08/10/11 13:20:20
    (c) Copyright by IBM Corporation and other(s) 1990, 2010. All Rights Reserved.

    Node Name: LPAR05
    Session established with server BKME: AIX-RS/6000
    Server Version 5, Release 5, Level 5.2
    Data compression forced on by the server
    Server date/time: 08/10/11 13:20:20 Last access: 08/09/11 16:49:09

    Size  Backup Date  Mgmt Class  A/I  File
    ----  -----------  ----------  ---  ----
    13,012,947,599 B  08/09/11 16:30:00  FSLPAR05  A  /home/users05/fnsonli/backup/expfns1.dmp.Z
        Modified: 08/09/11 01:25:29  Accessed: 08/08/11 16:42:19
        Compressed: NO  Encryption Type: 128-bit AES  Client-deduplicated: NO
    ...

I hope this will answer all your questions.

Grigori G. Solonovitch

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of terrance
Sent: Wednesday, August 10, 2011 4:22 AM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Any default encryption for TSM server??

Conclude that the TSM encryption can be categorized into two types:
1) Software/application layer encryption
2) Hardware layer encryption (Tape drive).

Question:
1) Does TSM have any data protection other than these two? Does TSM have default encryption if we never configure any setting to enable the software/application and there is no license key bought for the hardware layer to do encryption?
2) If a software/application was configured or installed on the server, how can we check it? (e.g. maybe there are some files or commands able to show it, and please show me the way to check whether the encryption is enabled or not to protect the data)
3) Can you tell me where are these f
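The two checks described in the message above (the ANU2526I activity-log messages and the `dsmc query backup -detail` listing) can be turned into a repeatable audit. The following is an added example, not part of the original post: the sample text is constructed from the output quoted above, and `None` as the value reported for an unencrypted object is an assumption.

```python
import re

# Constructed samples modelled on the output quoted in the message above.
# "None" as the value reported for an unencrypted object is an assumption.
ACTLOG = """\
ANE4991I (Session: 42231, Node: LPAR05_ORA) TDP Oracle AIX ANU0599 TDP for
Oracle: (9216226): =>(LPAR05_ORA) ANU2526I Backup details for backup piece
/ifns_ifns///LPAR05/ifns.09.1.58075.1.758734242 (database "IFNSDB").
Compressed: Yes , 61%. Encryption: AES_128BIT. LAN-Free: No.
ANE4991I (Session: 42299, Node: LPAR05_ORA) TDP Oracle AIX ANU0599 TDP for
Oracle: (9216300): =>(LPAR05_ORA) ANU2526I Backup details for backup piece
/ptel_ptel///LPAR05/constructed_piece (database "PTELDB").
Compressed: Yes , 50%. Encryption: None. LAN-Free: No.
"""
DETAIL = """\
 13,012,947,599  B  08/09/11   16:30:00  FSLPAR05  A  /home/users05/fnsonli/backup/expfns1.dmp.Z
     Modified: 08/09/11   01:25:29  Accessed: 08/08/11   16:42:19
     Compressed: NO  Encryption Type: 128-bit AES  Client-deduplicated: NO
          4,096  B  08/09/11   16:30:05  FSLPAR05  A  /backup05/exp/ptel/constructed.log
     Modified: 08/09/11   01:25:29  Accessed: 08/08/11   16:42:19
     Compressed: NO  Encryption Type: None  Client-deduplicated: NO
"""

ENTRY = re.compile(r"^\s*[\d,.]+\s+\w*B\s+\S+\s+\S+\s+\S+\s+[AI]\s+(/.*\S)\s*$")
ENC = re.compile(r"Encryption Type:\s*(.*?)\s*(?:Client-deduplicated:|$)")

def actlog_status(text):
    """Map each backup piece named in an ANU2526I message to its Encryption value."""
    out = {}
    for chunk in " ".join(text.split()).split("ANU2526I ")[1:]:  # undo wrapping
        piece = re.match(r"Backup details for backup piece (\S+)", chunk)
        enc = re.search(r"Encryption: (\w+)\.", chunk)
        if piece:
            out[piece.group(1)] = enc.group(1) if enc else "UNKNOWN"
    return out

def detail_status(text):
    """Map each file in `dsmc query backup -detail` output to its Encryption Type."""
    out, current = {}, None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            current = m.group(1)
            out[current] = "UNKNOWN"  # until a detail line says otherwise
        elif current and (e := ENC.search(line)):
            out[current] = e.group(1)
    return out

def not_aes(status):
    """Objects whose reported encryption is not AES, the type configured above."""
    return sorted(k for k, v in status.items() if "AES" not in v.upper())

if __name__ == "__main__":
    print(not_aes(actlog_status(ACTLOG)), not_aes(detail_status(DETAIL)))
```

An object with no encryption field at all is reported as `UNKNOWN` and therefore flagged, so a truncated or reworded message fails the audit instead of passing silently.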
Any default encryption for TSM server??
Can anyone tell me what the steps are to restore the data from tape?

Let's say the tape is lost, and even the catalog tape is lost together with it. So is it possible for an outsider to retrieve the data using both of the tapes? (As I know, the encryption key is stored inside the catalog and backed up to a tape) << (correct?)

Can the catalog only be retrieved by a particular account inside the same TSM server? So a different TSM server has a different account and password. So does it make sense that an outsider is unable to retrieve the data on a server different from the original server?

+--
|This was sent by terrancey...@yahoo.com via Backup Central.
|Forward SPAM to ab...@backupcentral.com.
+--
Any default encryption for TSM server??
Conclude that the TSM encryption can be categorized into two types:
1) Software/application layer encryption
2) Hardware layer encryption (Tape drive).

Question:
1) Does TSM have any data protection other than these two? Does TSM have default encryption if we never configure any setting to enable the software/application and there is no license key bought for the hardware layer to do encryption?
2) If a software/application was configured or installed on the server, how can we check it? (e.g. maybe there are some files or commands able to show it, and please show me the way to check whether the encryption is enabled or not to protect the data)
3) Can you tell me where these files are and what their content is about:
- TSM.PWD
- Dsm.sys
- Dsm.opt
And what do the INCLUDE.ENCRYPT and EXCLUDE.ENCRYPT statements mean? Where are they? And the last question is which file contains the encryptkey and encryptiontype parameters?

+--
|This was sent by terrancey...@yahoo.com via Backup Central.
|Forward SPAM to ab...@backupcentral.com.
+--