Re: How do you Prove that you no longer need a working SKLM server or started task.
https://www.smh.com.au/national/the-brazen-airport-computer-theft-that-has-australias-anti-terror-fighters-up-in-arms-20030905-gdhc5q.html

2 mainframes. Convinced that lots of important files were stolen. Since most computers (but not most mainframes) have internal file storage.

On Sat, Jun 11, 2022 at 1:52 PM Rob Schramm wrote:

> Yeah for as funny as that sounds about taking off of an entire unit I seem to remember a post some years ago with somebody rolling off a disc and mainframe out of an Australian data center maybe?
>
> Rob
>
> On Tue, May 10, 2022, 01:58 Timothy Sipples wrote:
>
> > Echoing some other comments, there’s security merit in having redundant external key managers with your IBM DS8000 systems (external to the storage device). As IBM explains, the Local Key Manager won’t protect the drives if someone manages to grab the whole IBM DS8000 unit — a law enforcement agency, co-location data center owner, invading army, etc. — regardless of whether your servers are up or down. Anything on the storage device that can be read will be readable in that event. And “grab” doesn’t really mean “cart away.”
> >
> > An external key manager allows for some separation of duties. For example, storage administrators can be responsible for the IBM DS8000 systems while your security organization is responsible for the EKMs. If the security team shuts down the EKMs then the DS8000 systems cannot (re)start up and come online. In other words, at least two people in this equation have to be involved in providing (or at least maintaining) access to storage.
> >
> > EKMs can also provide services to other devices and environments. For example, IBM Security Guardium Key Lifecycle Manager not only provides key management services for IBM DS8000 and other IBM/non-IBM storage devices, it also provides KMS to VMware environments (as a notable example).
> >
> > I’m not arguing the LKM is “bad.” It’s convenient, and that counts. It provides some security, really for addressing the risks of individual drive thefts and storage retirement. (Remove the keys and the encrypted drives are safe to transfer/repurpose/sell.) But having EKMs is more secure by design because they address those risks and a few more. However, if you’ve implemented comprehensive z/OS Data Set Encryption (and Linux dm-crypt/LUKS2 and/or Spectrum Scale encryption) then I think the LKM could be reasonable even with demanding security requirements.
> >
> > Yes, IBM recommends having a redundant pair of EKMs. But they don’t necessarily have to be your “on premises” EKMs. In fact, one fairly popular pattern now is to have one “primary” EKM on your premises and an alternate running in IBM Cloud Hyper Protect.
> >
> > — — — — —
> > Timothy Sipples
> > Senior Architect
> > Digital Assets, Industry Solutions, and Cyber Security
> > IBM zSystems and LinuxONE
> > sipp...@sg.ibm.com

--
Mike A Schwab, Springfield IL USA
Where do Forest Rangers go to get away from it all?

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How do you Prove that you no longer need a working SKLM server or started task.
Yeah for as funny as that sounds about taking off of an entire unit I seem to remember a post some years ago with somebody rolling off a disc and mainframe out of an Australian data center maybe?

Rob

On Tue, May 10, 2022, 01:58 Timothy Sipples wrote:

> Echoing some other comments, there’s security merit in having redundant external key managers with your IBM DS8000 systems (external to the storage device). As IBM explains, the Local Key Manager won’t protect the drives if someone manages to grab the whole IBM DS8000 unit — a law enforcement agency, co-location data center owner, invading army, etc. — regardless of whether your servers are up or down. Anything on the storage device that can be read will be readable in that event. And “grab” doesn’t really mean “cart away.”
>
> An external key manager allows for some separation of duties. For example, storage administrators can be responsible for the IBM DS8000 systems while your security organization is responsible for the EKMs. If the security team shuts down the EKMs then the DS8000 systems cannot (re)start up and come online. In other words, at least two people in this equation have to be involved in providing (or at least maintaining) access to storage.
>
> EKMs can also provide services to other devices and environments. For example, IBM Security Guardium Key Lifecycle Manager not only provides key management services for IBM DS8000 and other IBM/non-IBM storage devices, it also provides KMS to VMware environments (as a notable example).
>
> I’m not arguing the LKM is “bad.” It’s convenient, and that counts. It provides some security, really for addressing the risks of individual drive thefts and storage retirement. (Remove the keys and the encrypted drives are safe to transfer/repurpose/sell.) But having EKMs is more secure by design because they address those risks and a few more. However, if you’ve implemented comprehensive z/OS Data Set Encryption (and Linux dm-crypt/LUKS2 and/or Spectrum Scale encryption) then I think the LKM could be reasonable even with demanding security requirements.
>
> Yes, IBM recommends having a redundant pair of EKMs. But they don’t necessarily have to be your “on premises” EKMs. In fact, one fairly popular pattern now is to have one “primary” EKM on your premises and an alternate running in IBM Cloud Hyper Protect.
>
> — — — — —
> Timothy Sipples
> Senior Architect
> Digital Assets, Industry Solutions, and Cyber Security
> IBM zSystems and LinuxONE
> sipp...@sg.ibm.com
Re: [EXTERNAL] Re: How do you Prove that you no longer need a working SKLM server or started task.
Great story.

It is not that I "wished" to share. Just being neighborly. I have been cured of that after frequently and repeatedly being snubbed by those who "know better than to use anything associated with mainframes".

And please, do not get me started on Oracle. Their disk management has never been world class in my experiences. Every performance issue I have been involved with ends with the suggestion "Use more in storage databases" and "buy more memory". In your case, it was "acquire dedicated storage".

It's official: The topic drift has arrived.
Re: [EXTERNAL] Re: How do you Prove that you no longer need a working SKLM server or started task.
Be careful what you wish for in sharing storage - especially if they're running Oracle. We hit something called "sibling pend" at my last site - not DS8K disk, but a different vendor. Had mainframe LUNs and Oracle LUNs on same spindles and whenever the Oracle folks would kick off some kind of replication process, my disk response time would immediately go from 1-2 milliseconds to 500-600 milliseconds. The disk vendor tried to tell me it was the mainframe's fault until I showed them the RMF reports showing the response time. Their response was to provide additional spindles at no charge to segregate the data.

Rex

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Tom Longfellow
Sent: Tuesday, May 10, 2022 12:51 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: How do you Prove that you no longer need a working SKLM server or started task.

Very interesting update that brought up issues that may become useful to us in the future. If we ever get a unified storage organization at our site, the idea of an onsite/offsite key management would make us look good.

The biggest hurdle for me is the 'My Side/Your Side' dichotomy of management. "This is mine", "That is Yours". This is a part of my life here. Since day one of our DS8000 we offered to carve out our excess space as SAN LUNs. You would have thought I was asking to shoot their pet dog.

--
The information contained in this message is confidential, protected from disclosure and may be legally privileged. If the reader of this message is not the intended recipient or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any disclosure, distribution, copying, or any action taken or action omitted in reliance on it, is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to this message and destroy the material in its entirety, whether in electronic or hard copy format. Thank you.
Re: How do you Prove that you no longer need a working SKLM server or started task.
Very interesting update that brought up issues that may become useful to us in the future. If we ever get a unified storage organization at our site, the idea of an onsite/offsite key management would make us look good.

The biggest hurdle for me is the 'My Side/Your Side' dichotomy of management. "This is mine", "That is Yours". This is a part of my life here. Since day one of our DS8000 we offered to carve out our excess space as SAN LUNs. You would have thought I was asking to shoot their pet dog.
Re: How do you Prove that you no longer need a working SKLM server or started task.
Echoing some other comments, there’s security merit in having redundant external key managers with your IBM DS8000 systems (external to the storage device). As IBM explains, the Local Key Manager won’t protect the drives if someone manages to grab the whole IBM DS8000 unit — a law enforcement agency, co-location data center owner, invading army, etc. — regardless of whether your servers are up or down. Anything on the storage device that can be read will be readable in that event. And “grab” doesn’t really mean “cart away.”

An external key manager allows for some separation of duties. For example, storage administrators can be responsible for the IBM DS8000 systems while your security organization is responsible for the EKMs. If the security team shuts down the EKMs then the DS8000 systems cannot (re)start up and come online. In other words, at least two people in this equation have to be involved in providing (or at least maintaining) access to storage.

EKMs can also provide services to other devices and environments. For example, IBM Security Guardium Key Lifecycle Manager not only provides key management services for IBM DS8000 and other IBM/non-IBM storage devices, it also provides KMS to VMware environments (as a notable example).

I’m not arguing the LKM is “bad.” It’s convenient, and that counts. It provides some security, really for addressing the risks of individual drive thefts and storage retirement. (Remove the keys and the encrypted drives are safe to transfer/repurpose/sell.) But having EKMs is more secure by design because they address those risks and a few more. However, if you’ve implemented comprehensive z/OS Data Set Encryption (and Linux dm-crypt/LUKS2 and/or Spectrum Scale encryption) then I think the LKM could be reasonable even with demanding security requirements.

Yes, IBM recommends having a redundant pair of EKMs. But they don’t necessarily have to be your “on premises” EKMs. In fact, one fairly popular pattern now is to have one “primary” EKM on your premises and an alternate running in IBM Cloud Hyper Protect.

— — — — —
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cyber Security
IBM zSystems and LinuxONE
sipp...@sg.ibm.com
Re: [EXTERNAL] Re: How do you Prove that you no longer need a working SKLM server or started task.
Here's what our DS8K storage expert (from Mainline) said:

The DS8k’s need to be at code level 9.2 and have internal encryption licensed. Any of your DS8886’s would still need SKLM, the new DS8900’s can have internal encryption (no ISKLM needed).

On 5/9/2022 12:18 PM, Pommier, Rex wrote:

> Mike,
>
> Does the 8950 HMC based encryption require an ISKLM license? We are currently replicating from an 8910 to an 8884 and the 8884 is falling off support at the end of the year so we'll be replacing it with another 8910 most likely. I'm wondering if I'll still need ISKLM for disk if we move our encryption key serving to the HMCs.
>
> Thanks,
>
> Rex
>
> -----Original Message-----
> From: IBM Mainframe Discussion List On Behalf Of Michael Babcock
> Sent: Monday, May 9, 2022 12:10 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: [EXTERNAL] Re: How do you Prove that you no longer need a working SKLM server or started task.
>
> We had DS8886 boxes and used an AP1 appliance with SKLM installed. These are no longer offered by IBM. We just upgraded to DS8950s and it has the option to do key management within the HMCs on the DS8950s. We went this route.
>
> On Mon, May 9, 2022 at 11:37 AM Tom Longfellow <03e29b607131-dmarc-requ...@listserv.ua.edu> wrote:
>
> > We have been doing hardware based tape and disk encryption for a very long time. So long in fact that I think we have 'upgraded' ourselves out of the SKLM (or EKM) business.
> >
> > The standalone servers were installed way back in our early years of DS8000 technology (before they started offering the standalone feature code for a dedicated box to handle keys). In the meantime we have gone through a few upgrades and we are currently at the DS8884 technology. I cannot find any config info in the DS8884 on 'how to access' an external SKLM server. I think we have gone internal somehow.
> >
> > The SKLM address spaces under z/OS were set up in our days of 3592 tapes with encryption labels on the tapes themselves. 3592 is another technology no longer present in our current data center. A TS7760 grid with encrypted virtual tape disk cache handled the encryption requirement. Our SKLM setup had two lpars, each backing the other in a primary/secondary relationship across an internal hipersockets link.
> >
> > My gut reaction is to just turn them off and let the chips fall where they may, but that is not the 'professional' way to handle it.
> >
> > Does anyone know how to prove the negative: That I do not need these servers?
>
> --
> Michael Babcock
> OneMain Financial
> z/OS Systems Programmer, Lead
Re: [EXTERNAL] Re: How do you Prove that you no longer need a working SKLM server or started task.
I’m not sure but I can try to find out from our storage guys.

On Mon, May 9, 2022 at 12:18 PM Pommier, Rex wrote:

> Mike,
>
> Does the 8950 HMC based encryption require an ISKLM license? We are currently replicating from an 8910 to an 8884 and the 8884 is falling off support at the end of the year so we'll be replacing it with another 8910 most likely. I'm wondering if I'll still need ISKLM for disk if we move our encryption key serving to the HMCs.
>
> Thanks,
>
> Rex
>
> -----Original Message-----
> From: IBM Mainframe Discussion List On Behalf Of Michael Babcock
> Sent: Monday, May 9, 2022 12:10 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: [EXTERNAL] Re: How do you Prove that you no longer need a working SKLM server or started task.
>
> We had DS8886 boxes and used an AP1 appliance with SKLM installed. These are no longer offered by IBM. We just upgraded to DS8950s and it has the option to do key management within the HMCs on the DS8950s. We went this route.
>
> On Mon, May 9, 2022 at 11:37 AM Tom Longfellow <03e29b607131-dmarc-requ...@listserv.ua.edu> wrote:
>
> > We have been doing hardware based tape and disk encryption for a very long time. So long in fact that I think we have 'upgraded' ourselves out of the SKLM (or EKM) business.
> >
> > The standalone servers were installed way back in our early years of DS8000 technology (before they started offering the standalone feature code for a dedicated box to handle keys). In the meantime we have gone through a few upgrades and we are currently at the DS8884 technology. I cannot find any config info in the DS8884 on 'how to access' an external SKLM server. I think we have gone internal somehow.
> >
> > The SKLM address spaces under z/OS were set up in our days of 3592 tapes with encryption labels on the tapes themselves. 3592 is another technology no longer present in our current data center. A TS7760 grid with encrypted virtual tape disk cache handled the encryption requirement. Our SKLM setup had two lpars, each backing the other in a primary/secondary relationship across an internal hipersockets link.
> >
> > My gut reaction is to just turn them off and let the chips fall where they may, but that is not the 'professional' way to handle it.
> >
> > Does anyone know how to prove the negative: That I do not need these servers?
>
> --
> Michael Babcock
> OneMain Financial
> z/OS Systems Programmer, Lead

--
Michael Babcock
OneMain Financial
z/OS Systems Programmer, Lead
Re: [EXTERNAL] Re: How do you Prove that you no longer need a working SKLM server or started task.
Mike,

Does the 8950 HMC based encryption require an ISKLM license? We are currently replicating from an 8910 to an 8884 and the 8884 is falling off support at the end of the year so we'll be replacing it with another 8910 most likely. I'm wondering if I'll still need ISKLM for disk if we move our encryption key serving to the HMCs.

Thanks,

Rex

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Michael Babcock
Sent: Monday, May 9, 2022 12:10 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: How do you Prove that you no longer need a working SKLM server or started task.

We had DS8886 boxes and used an AP1 appliance with SKLM installed. These are no longer offered by IBM. We just upgraded to DS8950s and it has the option to do key management within the HMCs on the DS8950s. We went this route.

On Mon, May 9, 2022 at 11:37 AM Tom Longfellow <03e29b607131-dmarc-requ...@listserv.ua.edu> wrote:

> We have been doing hardware based tape and disk encryption for a very long time. So long in fact that I think we have 'upgraded' ourselves out of the SKLM (or EKM) business.
>
> The standalone servers were installed way back in our early years of DS8000 technology (before they started offering the standalone feature code for a dedicated box to handle keys). In the meantime we have gone through a few upgrades and we are currently at the DS8884 technology. I cannot find any config info in the DS8884 on 'how to access' an external SKLM server. I think we have gone internal somehow.
>
> The SKLM address spaces under z/OS were set up in our days of 3592 tapes with encryption labels on the tapes themselves. 3592 is another technology no longer present in our current data center. A TS7760 grid with encrypted virtual tape disk cache handled the encryption requirement. Our SKLM setup had two lpars, each backing the other in a primary/secondary relationship across an internal hipersockets link.
>
> My gut reaction is to just turn them off and let the chips fall where they may, but that is not the 'professional' way to handle it.
>
> Does anyone know how to prove the negative: That I do not need these servers?

--
Michael Babcock
OneMain Financial
z/OS Systems Programmer, Lead
Re: How do you Prove that you no longer need a working SKLM server or started task.
We had DS8886 boxes and used an AP1 appliance with SKLM installed. These are no longer offered by IBM. We just upgraded to DS8950s and it has the option to do key management within the HMCs on the DS8950s. We went this route.

On Mon, May 9, 2022 at 11:37 AM Tom Longfellow <03e29b607131-dmarc-requ...@listserv.ua.edu> wrote:

> We have been doing hardware based tape and disk encryption for a very long time. So long in fact that I think we have 'upgraded' ourselves out of the SKLM (or EKM) business.
>
> The standalone servers were installed way back in our early years of DS8000 technology (before they started offering the standalone feature code for a dedicated box to handle keys). In the meantime we have gone through a few upgrades and we are currently at the DS8884 technology. I cannot find any config info in the DS8884 on 'how to access' an external SKLM server. I think we have gone internal somehow.
>
> The SKLM address spaces under z/OS were set up in our days of 3592 tapes with encryption labels on the tapes themselves. 3592 is another technology no longer present in our current data center. A TS7760 grid with encrypted virtual tape disk cache handled the encryption requirement. Our SKLM setup had two lpars, each backing the other in a primary/secondary relationship across an internal hipersockets link.
>
> My gut reaction is to just turn them off and let the chips fall where they may, but that is not the 'professional' way to handle it.
>
> Does anyone know how to prove the negative: That I do not need these servers?

--
Michael Babcock
OneMain Financial
z/OS Systems Programmer, Lead
Re: [EXTERNAL] How do you Prove that you no longer need a working SKLM server or started task.
Hi Tom,

I'm not so sure you can eliminate your ISKLM servers. You may want to log onto the DS8884 and check your security settings. I have both an 8884 and an 8910F array and both of them have ISKLM servers assigned to them. I believe the box needs the ISKLM server when it starts up. On the 8884 go to settings then security then data at rest encryption. Does the resulting window show data at rest encryption is enabled and does it show any key servers? If not, you may want to revisit whether you actually have your disk encrypted.

We have our ISKLM servers running off the mainframe because we were concerned about if for some reason the disk array lost power and had to reboot, it would need the master key to start up which I believe is provided by the ISKLM server. If the ISKLM server was running on z/OS and z/OS was down because the disk lost power, how do you bring z/OS up to get the key to bring the disk up which is needed to bring z/OS up? Catch-22 situation so we made the decision to put the ISKLM servers on separate boxes. I don't like it but didn't see we really had a choice.

Rex

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Tom Longfellow
Sent: Monday, May 9, 2022 11:38 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] How do you Prove that you no longer need a working SKLM server or started task.

We have been doing hardware based tape and disk encryption for a very long time. So long in fact that I think we have 'upgraded' ourselves out of the SKLM (or EKM) business.

The standalone servers were installed way back in our early years of DS8000 technology (before they started offering the standalone feature code for a dedicated box to handle keys). In the meantime we have gone through a few upgrades and we are currently at the DS8884 technology. I cannot find any config info in the DS8884 on 'how to access' an external SKLM server. I think we have gone internal somehow.

The SKLM address spaces under z/OS were set up in our days of 3592 tapes with encryption labels on the tapes themselves. 3592 is another technology no longer present in our current data center. A TS7760 grid with encrypted virtual tape disk cache handled the encryption requirement. Our SKLM setup had two lpars, each backing the other in a primary/secondary relationship across an internal hipersockets link.

My gut reaction is to just turn them off and let the chips fall where they may, but that is not the 'professional' way to handle it.

Does anyone know how to prove the negative: That I do not need these servers?
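
The Catch-22 described in the message above, and the redundant key-manager layouts discussed elsewhere in this thread, can be checked as a cold-start dependency model. This Python is an added example, not part of any post in the thread; the component names and the rule that an array needs any one of its key servers at power-on are assumptions made for illustration.

```python
"""Cold-start model for encrypted storage and its key servers.

Assumed model (not from the thread): every component lists groups of
prerequisites. All groups must be met; a group is met when ANY one of
its members is already running. Component names are hypothetical.
"""


def cold_start(requires, unavailable=()):
    """Simulate power-on after a total outage.

    Returns (start_order, stuck): the order in which components come up
    and the components that can never start. Components listed in
    `unavailable` are treated as broken and are not reported as stuck.
    """
    down = set(unavailable)
    running, order = set(), []
    progress = True
    while progress:
        progress = False
        for name in sorted(requires):
            if name in running or name in down:
                continue
            if all(any(m in running for m in group) for group in requires[name]):
                running.add(name)
                order.append(name)
                progress = True
    stuck = sorted(set(requires) - running - down)
    return order, stuck


def unmet_groups(requires, stuck, unavailable=()):
    """For each stuck component, list the prerequisite groups nothing can satisfy."""
    dead = set(stuck) | set(unavailable)
    return {
        name: [sorted(g) for g in requires[name] if set(g) <= dead]
        for name in stuck
    }


# Layout A: both key servers are z/OS started tasks, and z/OS itself
# lives on the encrypted array (the circular dependency).
KEYS_ON_ZOS = {
    "ds8000_array": [{"sklm_lpar1", "sklm_lpar2"}],
    "zos_lpar1": [{"ds8000_array"}],
    "zos_lpar2": [{"ds8000_array"}],
    "sklm_lpar1": [{"zos_lpar1"}],
    "sklm_lpar2": [{"zos_lpar2"}],
}

# Layout B: key servers on separate boxes with their own local disk.
KEYS_ON_SEPARATE_BOXES = {
    "ds8000_array": [{"sklm_box1", "sklm_box2"}],
    "zos_lpar1": [{"ds8000_array"}],
    "sklm_box1": [],
    "sklm_box2": [],
}

# Layout C: one z/OS-hosted key server plus one external alternate.
ZOS_PLUS_EXTERNAL = {
    "ds8000_array": [{"sklm_lpar1", "ekm_external"}],
    "zos_lpar1": [{"ds8000_array"}],
    "sklm_lpar1": [{"zos_lpar1"}],
    "ekm_external": [],
}


if __name__ == "__main__":
    for label, layout in [("A", KEYS_ON_ZOS), ("B", KEYS_ON_SEPARATE_BOXES),
                          ("C", ZOS_PLUS_EXTERNAL)]:
        order, stuck = cold_start(layout)
        print(label, "start order:", order, "stuck:", stuck)
        if stuck:
            print("  unmet:", unmet_groups(layout, stuck))
    # Layout C looks redundant, but only the external server can break the
    # cycle at cold start, so losing it deadlocks everything else.
    print("C without external:", cold_start(ZOS_PLUS_EXTERNAL, ["ekm_external"]))
```

In layout C the z/OS-hosted key server adds redundancy only while the array is already online; at cold start the external server is a single point of failure.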
How do you Prove that you no longer need a working SKLM server or started task.
We have been doing hardware based tape and disk encryption for a very long time. So long in fact that I think we have 'upgraded' ourselves out of the SKLM (or EKM) business.

The standalone servers were installed way back in our early years of DS8000 technology (before they started offering the standalone feature code for a dedicated box to handle keys). In the meantime we have gone through a few upgrades and we are currently at the DS8884 technology. I cannot find any config info in the DS8884 on 'how to access' an external SKLM server. I think we have gone internal somehow.

The SKLM address spaces under z/OS were set up in our days of 3592 tapes with encryption labels on the tapes themselves. 3592 is another technology no longer present in our current data center. A TS7760 grid with encrypted virtual tape disk cache handled the encryption requirement. Our SKLM setup had two lpars, each backing the other in a primary/secondary relationship across an internal hipersockets link.

My gut reaction is to just turn them off and let the chips fall where they may, but that is not the 'professional' way to handle it.

Does anyone know how to prove the negative: That I do not need these servers?