Hi Tom,

I'm not so sure you can eliminate your ISKLM servers.  You may want to log onto 
the DS8884 and check your security settings.   I have both an 8884 and an 8910F 
array and both of them have ISKLM servers assigned to them.  I believe the box 
needs the ISKLM server when it starts up.

On the 8884 go to settings then security then data at rest encryption.  Does 
the resulting window show data at rest encryption is enabled and does it show 
any key servers?  If not, you may want to revisit whether you actually have 
your disk encrypted.

We have our ISKLM servers running off the mainframe because we were concerned 
that if, for some reason, the disk array lost power and had to reboot, it would 
need the master key to start up, which I believe is provided by the ISKLM 
server.  If the ISKLM server was running on z/OS and z/OS was down because the 
disk lost power, how do you bring z/OS up to get the key to bring the disk up, 
which is needed to bring z/OS up?  A Catch-22 situation, so we made the decision 
to put the ISKLM servers on separate boxes.  I don't like it but didn't see we 
really had a choice.

Rex


-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Tom 
Longfellow
Sent: Monday, May 9, 2022 11:38 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] How do you Prove that you no longer need a working SKLM 
server or started task.

We have been doing hardware based tape and disk encryption for a very long 
time.  So long in fact that I think we have 'upgraded' ourselves out of the 
SKLM (or EKM) business.

The standalone servers were installed way back in our early years of DS8000 
technology (before they started offering the standalone feature code for a 
dedicated box to handle keys).  In the meantime we have gone through a few 
upgrades and we are currently at the DS8884 technology.  I cannot find any 
config info in the DS8884 on 'how to access' an external SKLM server.  I think 
we have gone internal somehow.

The SKLM address spaces under z/OS were set up in our days of 3592 tapes with 
encryption labels on the tapes themselves.  3592 is another technology no 
longer present in our current data center.  A TS7760 grid with encrypted 
virtual tape disk cache handled the encryption requirement.  Our SKLM setup 
had two LPARs, each backing the other in a primary/secondary relationship 
across an internal HiperSockets link.

My gut reaction is to just turn them off and let the chips fall where they 
may, but that is not the 'professional' way to handle it.

Does anyone know how to prove the negative: that I do not need these servers?

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN
