Tivoli Key Lifecycle Manager for z/OS: Migration Guide for the IBM Encryption Key Manager
Introduction
IBM Tivoli Key Lifecycle Manager (TKLM) delivers simplified key life-cycle management capabilities in a solution that is easy to install, deploy, and manage. Tivoli Key Lifecycle Manager allows you to create, back up, and manage the life cycle of keys and certificates that an organization uses, including the management of symmetric keys, asymmetric key parts, and certificates. Tivoli Key Lifecycle Manager also provides a graphical user interface (GUI) and a command-line interface (CLI) to manage keys and certificates.

Tivoli Key Lifecycle Manager provides these functions:
- Key serving with life-cycle management, using a GUI and CLI to manage keys and certificates
- Support for encryption-enabled IBM 3592 and Linear Tape-Open (LTO) tape drives, as well as IBM DS8000 Turbo drives
- Encrypted backup and recovery to protect the critical keystore and other Tivoli Key Lifecycle Manager data, such as the configuration file
- System Management Facility (SMF)-based audit records that are based on selected events that occur as a result of successful operations, unsuccessful operations, or both
- Debug for additional information about Tivoli Key Lifecycle Manager problems

In this IBM Redpaper publication, we discuss the actions that are required to migrate an existing IBM Encryption Key Manager (EKM) installation on z/OS to Tivoli Key Lifecycle Manager for z/OS.
ibm.com/redbooks
Important considerations
Before you begin, consider the following issues.
- Ensure that your organization allows a time interval for a temporary halt to key serving activity. While the migration runs, no key serving activity can occur. A window of testing in a test environment is also required to ensure that the new Tivoli Key Lifecycle Manager has the expected keys and other configuration attributes that you intended to migrate.
- Back up the Encryption Key Manager server that has the configuration data that you intend to migrate. Migrated data includes these types of information:
  - A configuration properties file.
  - Keys and certificates that are referenced by the configuration properties file.
  - Drive tables.
  - An optional metadata file to which the configuration properties file points.
  - An optional key groups file.
- Migrate only one Encryption Key Manager server to one Tivoli Key Lifecycle Manager server. To migrate a second Encryption Key Manager server, use a second Tivoli Key Lifecycle Manager server.
- Both the Encryption Key Manager server and the Tivoli Key Lifecycle Manager server that receives the migrated data must be on the same z/OS system, which must be at Version 1, Release 9 or later.
- After migration, the Tivoli Key Lifecycle Manager server uses the keystore, TCP port, and Secure Sockets Layer (SSL) port that the Encryption Key Manager server previously used.
- Before you migrate, refresh and stop the Encryption Key Manager server to ensure that there is no data loss. Encryption Key Manager cannot be active when you perform the actual migration.
Migration restrictions
Encryption Key Manager supports a separate set of keystores and manages keys differently than Tivoli Key Lifecycle Manager. There are certain restrictions on what information will be migrated:
- The migration of Administrator SSL keystores and truststores is not supported. The Tivoli Key Lifecycle Manager server does not support the Administrator synchronization capability.
- The migration of PKCS11Impl keystores and truststores is not supported. The Tivoli Key Lifecycle Manager server does not support PKCS11Impl keystores. Because this migration is on z/OS, no PKCS11Impl keystore exists, so this restriction does not apply.
Tivoli Key Lifecycle Manager does not support the use of a key in multiple groups, unlike Encryption Key Manager, which allows the use of a key in multiple groups. Keygroups are sets of symmetric keys that are used for LTO-4 drive-based encryption. This restriction only becomes an issue if the keystore that is being migrated is of the JCEKS type (a flat UNIX file). When you migrate key data in the KeyGroup.xml file from Encryption Key Manager to Tivoli Key Lifecycle Manager, each key is attached to one group. A key that was previously in multiple groups in Encryption Key Manager is created in only one group in Tivoli Key Lifecycle Manager.
Keystores
Encryption Key Manager has several types of keystores, each with a separate purpose. These keystores are listed in the Encryption Key Manager properties file:

Property                                Purpose                                                                      Migrated to Tivoli Key Lifecycle Manager?
config.keystore.file                    Used to hold encryption keys.                                                Yes
TransportListener.ssl.keystore.name     Used for Encryption Key Manager server authentication.                       Yes
TransportListener.ssl.truststore.name   Used for Encryption Key Manager client authentication.                       No
Admin.ssl.keystore.name                 Used when Encryption Key Manager is a target server for sync operations.     No
Admin.ssl.truststore.name               Used when Encryption Key Manager is a client for sync operations.            No
Note that Encryption Key Manager uses the term truststore to denote keystores for certificates that are used by clients. Because the Tivoli Key Lifecycle Manager clients authenticate to the WebSphere Application Server environment, either through the ISC or the CLI using wsadmin, no client side keystore or truststore is necessary. Tivoli Key Lifecycle Manager supports only one keystore, which is identified by the config.keystore.name property in the TKLMgrConfig.properties file. This keystore is equivalent to the Encryption Key Manager Config keystore (config.keystore.file). During migration, the two Encryption Key Manager keystores, config.keystore.file and TransportListener.ssl.keystore.name, are merged into the single Tivoli Key Lifecycle Manager keystore. The resulting keystore is created with a default name of Tivoli Key Lifecycle Manager Keystore. That is, this entry is in the TKLMgrConfig.properties file:

config.keystore.name = Tivoli Key Lifecycle Manager Keystore
All certificates from the Encryption Key Manager config.keystore.file keystore are added to the Tivoli Key Lifecycle Manager keystore. All the certificates from the TransportListener.ssl.truststore.name truststore are added to the Tivoli Key Lifecycle Manager keystore, and one of the certificates is set as an SSL certificate. The config.keystore.ssl.certalias property is updated with the alias of this certificate. This certificate is used to secure communications between the ISC GUI and the Tivoli Key Lifecycle Manager server. Other Encryption Key Manager keystores are not used.
Devices
All the device information is read from the drive table pointed at by the config.drivetable.file.url property, and it is entered in a Tivoli Key Lifecycle Manager database. If the drive has the symalias property defined, the drive type is set to LTO. If the drive has aliases defined, the drive type is set to 3592. If the drive does not have any of these properties defined and the type cannot be determined during migration, the type is set to UNKNOWN.
Keygroups
The keygroup.xml file, to which the config.keygroup.xml.file property points, is parsed, and the keygroup information is stored in a Tivoli Key Lifecycle Manager database. All the group members and group relationships are also migrated. The group member and group relationship migration only applies to Encryption Key Manager Version 2.1.
Metadata
All the metadata information, to which the audit.metadata.file.name property points, is migrated to a Tivoli Key Lifecycle Manager database. This metadata migration only applies to Encryption Key Manager versions 2.0 and 2.1.
Properties
The following properties are migrated from the Encryption Key Manager configuration file to the TKLMgrConfig.properties file:
- audit.eventQueue.max
- audit.handler.file.size
- audit.event.outcome
- audit.event.types
- config.keystore.name (set to Tivoli Key Lifecycle Manager Keystore)
- cert.valiDATE
- drive.acceptUnknownDrives
- drive.default.alias1
- drive.default.alias2
- fips
- symmetricKeySet (set to DefaultMigrationGroup if it was not a symmetricKeySet; otherwise, set to the groupName)
- TransportListener.ssl.ciphersuites
- TransportListener.ssl.clientauthentication
- TransportListener.ssl.port
- TransportListener.ssl.protocols
When to migrate
It is important that you understand when to migrate Encryption Key Manager to Tivoli Key Lifecycle Manager. Because Tivoli Key Lifecycle Manager manages the keys' life cycles, it needs to track more than just the existence of the keys. Tivoli Key Lifecycle Manager manages this information in several DB2 tablespaces. Although Encryption Key Manager can continue to serve keys after its data is migrated to Tivoli Key Lifecycle Manager, it is important to know that you can only migrate Encryption Key Manager one time. Any keys that are added to the Encryption Key Manager keystore after migration will not be recognized by Tivoli Key Lifecycle Manager.

Tivoli Key Lifecycle Manager will take control of the Encryption Key Manager keystore. For example, if the keystore is a JCERACFKS RACF keyring, that same keyring and user ID will be used by Tivoli Key Lifecycle Manager. Data is not moved to a new keyring. Also, Tivoli Key Lifecycle Manager will take control of the Encryption Key Manager keystore in the same way if the keystore is a JCEKS UNIX file. Tivoli Key Lifecycle Manager will read the keystore and create metadata in DB2 for its contents.

You can only migrate Encryption Key Manager to Tivoli Key Lifecycle Manager at one of these times:
- During the Tivoli Key Lifecycle Manager installation process
- After the Tivoli Key Lifecycle Manager installation completes, but before the creation of the Tivoli Key Lifecycle Manager master keystore

Master keystore: After Tivoli Key Lifecycle Manager has created a master keystore, you cannot migrate Encryption Key Manager to Tivoli Key Lifecycle Manager.
- audit.metadata.file.name
- config.keystore.file: Depending on the value of config.keystore.type, this property might be a Resource Access Control Facility (RACF) keyring or a flat file.

2. Ensure that the following values in the Encryption Key Manager properties file are defined as absolute paths:
- audit.metadata.file.name
- config.drivetable.file.url
- config.keygroup.xml.file
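To check these prerequisites against a copy of the Encryption Key Manager configuration before you run the migration (absolute paths, the properties that migrate to TKLMgrConfig.properties, the keystores that are left behind), here is an added Python example; it is not code from the Redpaper or from the TKLM product, its reading of the symmetricKeySet rule and the FILE: prefix on the drive table URL are assumptions, and the sample properties are constructed.

```python
"""Pre-migration check of an EKM KeyManagerConfig.properties file. Added
example (not from the Redpaper or TKLM) applying the guide's rules on migrated
properties, absolute paths, keystores left behind and symmetricKeySet."""
import re

# Properties the guide lists as migrated to TKLMgrConfig.properties.
MIGRATED = {
    "audit.eventQueue.max", "audit.handler.file.size", "audit.event.outcome",
    "audit.event.types", "cert.valiDATE", "drive.acceptUnknownDrives",
    "drive.default.alias1", "drive.default.alias2", "fips", "symmetricKeySet",
    "TransportListener.ssl.ciphersuites", "TransportListener.ssl.port",
    "TransportListener.ssl.clientauthentication", "TransportListener.ssl.protocols",
}
# Path properties the guide requires to be absolute before migration.
MUST_BE_ABSOLUTE = ("audit.metadata.file.name", "config.drivetable.file.url",
                    "config.keygroup.xml.file")
# Keystores the guide says are not carried over to TKLM.
NOT_MIGRATED_STORES = ("TransportListener.ssl.truststore.name",
                       "Admin.ssl.keystore.name", "Admin.ssl.truststore.name")


def parse_properties(text):
    """Minimal Java .properties parser ('key = value' or 'key: value',
    '#'/'!' comment lines); backslash continuation lines are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def is_absolute(value):
    # Accepts '/abs/path' or 'FILE:/abs/path'; the FILE: prefix on the drive
    # table URL property is an assumption, not something the guide states.
    return re.sub(r"^file:", "", value, flags=re.IGNORECASE).startswith("/")


def check_migration(props, key_groups):
    """Build the report; key_groups are group names from the key groups file."""
    report = {
        "migrated": {k: v for k, v in props.items() if k in MIGRATED},
        "relative_paths": [k for k in MUST_BE_ABSOLUTE
                           if k in props and not is_absolute(props[k])],
        "left_behind": [k for k in NOT_MIGRATED_STORES if k in props],
        # Guide: the one-key-per-group restriction only matters for JCEKS.
        "jceks_keygroup_caveat": props.get("config.keystore.type", "").upper() == "JCEKS",
    }
    # Guide: config.keystore.name is set to the fixed TKLM keystore name.
    report["migrated"]["config.keystore.name"] = "Tivoli Key Lifecycle Manager Keystore"
    # Guide: symmetricKeySet becomes DefaultMigrationGroup unless it names a key
    # group; "names a group" is read here as matching key_groups (an assumption).
    sks = props.get("symmetricKeySet", "")
    report["migrated"]["symmetricKeySet"] = sks if sks in key_groups else "DefaultMigrationGroup"
    return report


# Constructed sample; the keystore type, paths and names are placeholders only.
SAMPLE = """config.keystore.type = JCERACFKS
config.drivetable.file.url = FILE:/var/ekm/drivetable
audit.metadata.file.name = metadata/ekm_metadata.xml
config.keygroup.xml.file = /var/ekm/KeyGroups.xml
TransportListener.ssl.port = 443
TransportListener.ssl.truststore.name = /var/ekm/EKMTrust.jceks
symmetricKeySet = LTOKEYS
"""
```

Run check_migration(parse_properties(text), key_groups) on the real file's text and a set of the group names from the key groups file; a non-empty relative_paths list means step 2 is not yet satisfied.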
You must review the set of variables that follows the prolog in the racfpermissions.rexx script:
- groupid: This variable is the ID of the group of Tivoli Key Lifecycle Manager users. By default, the permissions in this sample script are granted at the group level (that is, SSREGRP). This value can be any RACF ID (either user ID or group ID) that needs access to the keyring. Default: groupid = SSREGRP
- userid: This variable is the user ID. It is only used one time in this script. The user ID must be the SSRE started task user ID, which defaults to SSREADM. Default: userid = SSREADM
- ownerid: This variable is the user ID of the owner of the EKM master keystore keyring. A typical Encryption Key Manager installation might have used user ID EKMSERV. Default: ownerid = OWNERID
- keyring: This variable is the name of the Encryption Key Manager keyring to which the SSRE group is being granted access. A typical Encryption Key Manager installation might have used a ring name of EKMRing. Default: keyring = KEYRING

You can run the REXX script directly in OMVS, or you can copy the script into a dataset and run it from the TSO command line, as follows.

To execute from the UNIX System Services environment:
1. Ensure that the correct UNIX permissions are set for accessing the file:
   chmod 755 racfpermissions.rexx
2. Run the executable (this example shows the executable being run from the samples directory):
   ./racfpermissions.rexx

To execute from the Time Sharing Option Extensions (TSO)/E environment:
1. Copy the executable to a partitioned dataset (for example, HLQ.REXX(sample)):
   cp racfpermissions.rexx "//'HLQ.REXX(sample)'"

We describe the RACF commands that are issued from the racfpermissions.rexx script in Appendix: RACF commands on page 13.
3. Run the migration manually, after you have successfully installed Tivoli Key Lifecycle Manager. Run the migration script by using this shell script from the directory where the tklm.jar file was expanded:
   ./bin/migrateEKM.sh

Specify these optional parameters:
- -responseFile response_file: Specifies the response file that is created during the createResponseFile.sh step that the Tivoli Key Lifecycle Manager installation program provides. If you do not specify this option, the migration process looks for the default response file name, which is the POST_SMPE_TKLM_HOME/bin/tklmInstall.response file. In this example, the value is the /etc/tklm/bin/tklmInstall.response file.
- -wasPassword was_password: Specifies the SSRECFG user ID password. If you do not supply a password, you are prompted for the value in a secure manner.
- -dbPassword db_password: Specifies the password of the Tivoli Key Lifecycle Manager database owner. If you do not supply a password, you are prompted for the value in a secure manner.
- -v: Specifies sending verbose output to the console. The migration process always sends verbose output to a migration log.
The output in Example 1 occurs when you run the migrateEKM.sh shell script with no specified parameters.
Example 1 Migration command sample output
Log file "/etc/tklm/logs/migrateEKM_100808_163341.log" will be used for this run
No response file passed. Defaulting to "/etc/tklm/bin/tklmInstall.response"
Enter the fully qualified path name of the EKM configuration file:
/home/suimglb/bin/KeyManagerConfig.properties.JCERACFKS
Accepted input: ["/home/suimglb/bin/KeyManagerConfig.properties.JCERACFKS"]
Stopping SSRE...
SSRE stopped
Running Migration API
Starting SSRE...
SSRE started
TKLM Migration has succeeded
Script completed with exit code: 0(SUCCESS)

Note that SSRE is stopped and restarted during this process.
Summary
By following these instructions, you can upgrade the existing Encryption Key Manager solution with a new look, new capabilities, and an easier to use interface. After migrating the Encryption Key Manager environment to Tivoli Key Lifecycle Manager, you can perform key management for tape and disk devices at a GUI from a Web-based portal. Key management for Encryption Key Manager was performed at a terminal using sophisticated and complex commands. Device management was performed at libraries or from within data management routines. Tivoli Key Lifecycle Manager allows the user to assign keys to devices from a streamlined interface. Key management is simplified by providing rollover schedules for default keys and certificates. As the need for encryption key management evolves and grows, Tivoli Key Lifecycle Manager is positioned to take advantage of simplified key life-cycle management capabilities in a solution that is easy to manage.
2. Grant the proper authorizations to both user IDs:
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(SSRE_USERID) ACC(UPDATE)
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(SSRE_USERID) ACC(UPDATE)
PERMIT IRR.DIGTCERT.ADD CLASS(FACILITY) ID(SSRE_USERID) ACC(CONTROL)
PERMIT IRR.DIGTCERT.DELETE CLASS(FACILITY) ID(SSRE_USERID) ACC(CONTROL)
PERMIT IRR.DIGTCERT.ADDRING CLASS(FACILITY) ID(SSRE_USERID) ACC(CONTROL)
PERMIT IRR.DIGTCERT.CONNECT CLASS(FACILITY) ID(SSRE_USERID) ACC(CONTROL)
PERMIT IRR.DIGTCERT.GENCERT CLASS(FACILITY) ID(SSRE_USERID) ACC(CONTROL)
PERMIT IRR.DIGTCERT.GENREQ CLASS(FACILITY) ID(SSRE_USERID) ACC(CONTROL)
PERMIT IRR.DIGTCERT.ALTER CLASS(FACILITY) ID(SSRE_USERID) ACC(CONTROL)
For more information about RACF keyrings, syntax, and commands, see the z/OS Security Server RACF Security Administrator Guide, SA22-7683-11, and z/OS Security Server RACF Command Language Reference, SA22-7687-11.
Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A. The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. 
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental. COPYRIGHT LICENSE: This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.
Copyright International Business Machines Corporation 2010. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
This document REDP-4646-00 was created or updated on April 12, 2010.

Send us your comments in one of the following ways:
- Use the online Contact us review Redbooks form found at: ibm.com/redbooks
- Send your comments in an e-mail to: redbooks@us.ibm.com
- Mail your comments to: IBM Corporation, International Technical Support Organization, Dept. HYTD Mail Station P099, 2455 South Road, Poughkeepsie, NY 12601-5400 U.S.A.
Redpaper
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. These and other IBM trademarked terms are marked on their first occurrence in this information with the appropriate symbol (® or ™), indicating US registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at http://www.ibm.com/legal/copytrade.shtml

The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both: DB2, DS8000, IBM, RACF, Redpaper, Redbooks (logo), Tivoli, WebSphere, z/OS
The following terms are trademarks of other companies: Java, and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Windows, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. Linux is a trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others.