Getting Started with z/OS Data Set Encryption

Book description

This IBM® Redpaper Redbooks® publication provides a broad explanation of data protection through encryption and IBM Z® pervasive encryption with a focus on IBM z/OS® data set encryption. It describes how the various hardware and software components interact in a z/OS data set encryption environment.

In addition, this book concentrates on planning and preparing the environment and offers implementation, configuration, and operational examples that can be used in z/OS data set encryption environments.

This publication is intended for IT architects, system programmers, and security administrators who plan for, deploy, and manage security on the Z platform. The reader is expected to have a basic understanding of IBM Z security concepts.

Table of contents

  1. Front cover
  2. Notices
    1. Trademarks
  3. Preface
    1. Authors
    2. Now you can become a published author, too!
    3. Comments welcome
    4. Stay connected to IBM Redbooks
  4. Chapter 1. Protecting data in today’s IT environment
    1. 1.1 Which data
      1. 1.1.1 Data at-rest
      2. 1.1.2 Data in-use
      3. 1.1.3 Data in-flight
      4. 1.1.4 Sensitive data
    2. 1.2 Why protect data
      1. 1.2.1 Accidental exposure
      2. 1.2.2 Insider attacks
      3. 1.2.3 Data breaches
      4. 1.2.4 Regulations
    3. 1.3 Standards and regulations overview
      1. 1.3.1 PCI Data Security Standards (PCI-DSS)
      2. 1.3.2 General Data Protection Regulation (GDPR)
      3. 1.3.3 California Consumer Privacy Act (CCPA)
      4. 1.3.4 The Sarbanes-Oxley Act of 2002 (SOX)
      5. 1.3.5 ISO/IEC 27001
      6. 1.3.6 Federal Information Security Modernization Act of 2014 (FISMA 2014)
      7. 1.3.7 Payment Card Industry (PCI) PTS HSM Security Requirements (PCI-HSM)
      8. 1.3.8 German Banking Industry Committee (GBIC)
      9. 1.3.9 Australian Payments Network (Auspaynet)
      10. 1.3.10 Common Criteria
      11. 1.3.11 FIPS PUB 140-3 (Security Requirements for Cryptographic Modules)
      12. 1.3.12 HIPAA/HITECH
      13. 1.3.13 eIDAS (electronic IDentification, Authentication and trust Services)
    4. 1.4 How to protect data
      1. 1.4.1 Defining the perimeter
      2. 1.4.2 Methods to protect data
      3. 1.4.3 Encryption
      4. 1.4.4 Forms of encryption
      5. 1.4.5 Cryptographic keys
    5. 1.5 Pervasive encryption for IBM Z
      1. 1.5.1 Encrypting above and beyond compliance requirements
      2. 1.5.2 Encryption pyramid (data at rest)
      3. 1.5.3 Managing the pervasive encryption environment
    6. 1.6 Understanding z/OS data set encryption
      1. 1.6.1 Challenges and use cases
      2. 1.6.2 IBM Z cryptographic system
    7. 1.7 How z/OS data set encryption works
    8. 1.8 Administrator’s perspective of z/OS data set encryption
      1. 1.8.1 Security administrator
      2. 1.8.2 Storage administrator
      3. 1.8.3 Cryptographic administrator
      4. 1.8.4 Key manager
  5. Chapter 2. Identifying components and release levels
    1. 2.1 Starting a z/OS data set encryption implementation
    2. 2.2 Required and optional hardware features
      1. 2.2.1 IBM Z platform: Optimized for data set encryption
      2. 2.2.2 Central Processor Assist for Cryptographic Function
      3. 2.2.3 Crypto Express adapters
      4. 2.2.4 Trusted Key Entry workstation
      5. 2.2.5 IBM Enterprise Key Management Foundation
    3. 2.3 Required and optional software features
      1. 2.3.1 IBM z/OS DFSMS
      2. 2.3.2 IBM z/OS Integrated Cryptographic Service Facility
      3. 2.3.3 IBM System Authorization Facility
      4. 2.3.4 IBM Resource Access Control Facility for z/OS
      5. 2.3.5 IBM Multi-Factor Authentication for z/OS
      6. 2.3.6 IBM Security zSecure Suite
      7. 2.3.7 IBM Security QRadar
      8. 2.3.8 IBM zBNA
    4. 2.4 Cost and performance effect
  6. Chapter 3. Planning for z/OS data set encryption
    1. 3.1 Creating an implementation plan
      1. 3.1.1 Distinguishing roles and responsibilities
    2. 3.2 Data set administration considerations
      1. 3.2.1 Supported data set types
      2. 3.2.2 Data set compression
      3. 3.2.3 Data set naming conventions
      4. 3.2.4 Encrypted data set availability at IPL
      5. 3.2.5 Using z/OS data set encryption with Db2, IMS, IBM MQ, CICS, and zFS
      6. 3.2.6 Copying, backing up, migrating, and replicating encrypted data sets
    3. 3.3 Resource authorization considerations
      1. 3.3.1 Organizing DATASET resource profiles
      2. 3.3.2 Separating duties of data owners and administrators
      3. 3.3.3 Considering multi-factor authentication
    4. 3.4 ICSF administration considerations
      1. 3.4.1 Upgrading an IBM Z platform
      2. 3.4.2 Starting ICSF early in the IPL process
      3. 3.4.3 Using the Common Record Format (KDSR) cryptographic key data set
      4. 3.4.4 Planning the size of your CKDS
      5. 3.4.5 Calculating the virtual storage that is needed for the CKDS
      6. 3.4.6 Sharing the CKDS in a sysplex
    5. 3.5 Key management considerations
      1. 3.5.1 Understanding key management
      2. 3.5.2 Reviewing industry regulations
      3. 3.5.3 Choosing key algorithms and lengths
      4. 3.5.4 Determining key security
      5. 3.5.5 Choosing key officers
      6. 3.5.6 Using protected keys for high-speed encryption
      7. 3.5.7 Creating a key label naming convention
      8. 3.5.8 Deciding whether to archive or delete keys
      9. 3.5.9 Defining key rotation
      10. 3.5.10 Establishing cryptoperiods
      11. 3.5.11 Establishing a process for handling compromised operational keys
      12. 3.5.12 Establishing a process for handling compromised master keys
      13. 3.5.13 Choosing key management tools
      14. 3.5.14 Determining key availability needs
      15. 3.5.15 Creating backups of keys
      16. 3.5.16 Planning for disaster recovery
    6. 3.6 General considerations
      1. 3.6.1 Defining a maintenance policy
      2. 3.6.2 Performing z/OS health checks
      3. 3.6.3 Backing out of z/OS data set encryption
      4. 3.6.4 Auditing and compliance
  7. Chapter 4. Preparing for z/OS data set encryption
    1. 4.1 Data set configuration
      1. 4.1.1 Migrating to extended format data sets
      2. 4.1.2 Compressing data sets before encryption
    2. 4.2 RACF configuration
      1. 4.2.1 Restricting data set encryption to security administrators
      2. 4.2.2 Defining DATASET, CSFSERV, CSFKEYS, and other resources
      3. 4.2.3 Setting a policy to control the use of archived keys
      4. 4.2.4 Configuring the RACF environment for key generation
    3. 4.3 ICSF configuration
      1. 4.3.1 Configuring Crypto Express adapters
      2. 4.3.2 Creating a Common Record Format (KDSR) CKDS
      3. 4.3.3 CSFPRMxx and installation options
      4. 4.3.4 Starting and stopping ICSF
      5. 4.3.5 Loading the AES master key
      6. 4.3.6 Initializing the CKDS
      7. 4.3.7 Verifying the ICSF Configuration
      8. 4.3.8 Reviewing messages and codes
    4. 4.4 Audit configuration
      1. 4.4.1 Enabling SMF record types 14, 15, 42, 62, 70, 80, 82, and 113
      2. 4.4.2 Configuring SMF recording options in SMFPRMxx
      3. 4.4.3 Enabling auditing for master key change operations
      4. 4.4.4 RMF Crypto Hardware Activity Report
      5. 4.4.5 EKMF Auditing
    5. 4.5 EKMF Configuration
      1. 4.5.1 EKMF Agent
      2. 4.5.2 EKMF Web
      3. 4.5.3 EKMF Workstation
  8. Chapter 5. Deploying z/OS data set encryption
    1. 5.1 Readiness checklists for deployment
    2. 5.2 Deploying z/OS data set encryption
    3. 5.3 Generating a secure 256-bit data set encryption key
      1. 5.3.1 Using Enterprise Key Management Foundation
      2. 5.3.2 Using ICSF panels
      3. 5.3.3 Using ICSF APIs
      4. 5.3.4 Using CSFKGUP
    4. 5.4 Protecting data sets with secure keys
    5. 5.5 Encrypting a data set with a secure key
    6. 5.6 Verifying that the data set is encrypted
    7. 5.7 Granting access to encrypted data sets
    8. 5.8 Accessing encrypted data sets
    9. 5.9 Viewing the encrypted text
  9. Chapter 6. Auditing z/OS data set encryption
    1. 6.1 Auditing encrypted sequential data sets and PDSEs
    2. 6.2 Auditing encrypted VSAM data sets
    3. 6.3 Auditing crypto hardware activity
    4. 6.4 Auditing security authorization attempts
    5. 6.5 Auditing crypto engine, service, and algorithm usage
    6. 6.6 Auditing key lifecycle transitions
    7. 6.7 Auditing key usage operations
    8. 6.8 Formatting SMF Type 82 records
    9. 6.9 Auditing Key management in EKMF
  10. Chapter 7. Maintaining encrypted data sets
    1. 7.1 Identifying encrypted data sets
      1. 7.1.1 Using IBM zSecure
      2. 7.1.2 Using EKMF Web
    2. 7.2 Rekeying encrypted data sets
      1. 7.2.1 Rotating the AES master key
      2. 7.2.2 Rotating data set encryption keys
  11. Chapter 8. Maintaining the ICSF environment
    1. 8.1 Viewing master key information
      1. 8.1.1 ICSF Coprocessor Management panel
      2. 8.1.2 Display ICSF operator command (D ICSF,MKS and D ICSF,CARDS)
    2. 8.2 Viewing ICSF options
      1. 8.2.1 ICSF OPSTAT utility panel
      2. 8.2.2 Display ICSF operator command (D ICSF,OPT)
    3. 8.3 Refreshing the CKDS
      1. 8.3.1 Refreshing a CKDS shared in a sysplex
      2. 8.3.2 Refreshing a single CKDS
    4. 8.4 Increasing the CKDS size
    5. 8.5 Validating CKDS keys
    6. 8.6 Verifying the CKDS format
    7. 8.7 Dumping CKDS contents
    8. 8.8 Browsing the CKDS
  12. Chapter 9. Maintaining data set encryption keys with ICSF
    1. 9.1 Backing up and restoring data set encryption keys
      1. 9.1.1 Manual backup and restore
      2. 9.1.2 Automated backup and restore
      3. 9.1.3 Refreshing the CKDS
      4. 9.1.4 EKMF backup and restore
    2. 9.2 Transporting data set encryption keys
      1. 9.2.1 Overview of scenarios
      2. 9.2.2 Scenario 1: Same Master Key
      3. 9.2.3 Scenario 2: Different Master Key
      4. 9.2.4 Scenario 3: Duplicate Key Label
    3. 9.3 Viewing the last reference date
      1. 9.3.1 Using the CKDS Keys panel utility
      2. 9.3.2 Using the CSFKDMR callable service
    4. 9.4 Archiving data set encryption keys
    5. 9.5 Deactivating EKMF managed data set encryption keys
    6. 9.6 Setting key expiration dates
  13. Chapter 10. IBM Enterprise Key Management Foundation Web Edition
    1. 10.1 Introduction to IBM Enterprise Key Management Foundation - Web Edition (EKMF Web)
      1. 10.1.1 EKMF Web Edition overview
    2. 10.2 EKMF Web edition requirements
      1. 10.2.1 Key hierarchy
      2. 10.2.2 EKMF Web authorization roles
    3. 10.3 Key management with EKMF Web
      1. 10.3.1 EKMF Keystores
      2. 10.3.2 Key template
      3. 10.3.3 Key label
      4. 10.3.4 Keystores
      5. 10.3.5 Characteristics of the key template
      6. 10.3.6 Key lifecycle
      7. 10.3.7 Key rotation
    4. 10.4 EKMF Web view of data sets
    5. 10.5 Summary
  14. Appendix A. Troubleshooting
    1. A.1 Accessing data sets
    2. A.2 Invalid keys in CKDS
    3. A.3 Keys
  15. Appendix B. Sample REXX scripts for creating DATA and CIPHER keys
  16. Related publications
    1. IBM Redbooks
    2. Online resources
    3. Help from IBM
  17. Back cover

Product information

  • Title: Getting Started with z/OS Data Set Encryption
  • Author(s): Bill White, Cecilia Carranza Lewis, Eysha Shirrine Powers, David Rossi, Eric Rossman, Andy Coulson, Jacky Doll, Brad Habbershow, Thomas Liu, Ryan McCarry, Philippe Richard, Romoaldo Santos, Isabel Arnold, Kasper Lindberg
  • Release date: December 2021
  • Publisher(s): IBM Redbooks
  • ISBN: 9780738460222