IBM Fibre Channel Endpoint Security For IBM DS8900F And IBM Z


IBM Fibre Channel Endpoint Security for IBM DS8900F and IBM Z

Roger Hathorn, Matthew Houzenga, Jacob Sheppard, Robert Tondini, Alexander Warmuth, Bert Dufrasne

IBM Redbooks
January 2020
SG24-8455-00

Note: Before using this information and the product it supports, read the information in "Notices" on page v.

First Edition (January 2020)

This edition applies to IBM DS8000 with Licensed Machine Code (LMC) 7.9.0 (bundle version 89.0), referred to as Release 9.0, along with the new model IBM DS8900F, IBM z15, and SKLM 3.0.1.3 or later.

Copyright International Business Machines Corporation 2020. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Notices .... v
Trademarks .... vi
Preface .... vii
Authors .... vii
Now you can become a published author, too .... ix
Comments welcome .... ix
Stay connected to IBM Redbooks .... ix

Chapter 1. Introducing IBM Fibre Channel Endpoint Security .... 11
1.1 The need for data protection and encryption .... 12
1.2 IBM Fibre Channel Endpoint Security overview .... 13
1.2.1 IFCES design overview .... 14

Chapter 2. IBM Fibre Channel Endpoint Security solution design .... 17
2.1 Required Components .... 18
2.1.1 External key manager .... 18
2.1.2 Endpoints .... 19
2.2 IFCES settings and policies .... 21
2.3 Establishing IFCES between an initiator - target port pair .... 22
2.4 Key renewal policies .... 24

Chapter 3. Endpoint Security Requirements and Planning .... 27
3.1 Planning and implementation process flow .... 28
3.2 Digital certificates .... 28
3.2.1 DS8900F digital certificate .... 28
3.2.2 z15 HMC digital certificate .... 29
3.2.3 Security Key Lifecycle Manager digital certificate .... 29
3.3 DS8900 ordering and configuring .... 29
3.4 IBM z15 ordering .... 30
3.5 Security Key Lifecycle Manager ordering .... 30
3.5.1 SKLM Licensing .... 31
3.5.2 IBM Storage Appliance Model AP1 .... 31
3.5.3 IBM Lab services .... 31
3.6 Requirements for IBM Fibre Channel Endpoint Security .... 32
3.6.1 Key expiry policies .... 32
3.6.2 Digital certificates .... 32
3.6.3 Encryption key manager .... 32
3.6.4 IBM z15 .... 32
3.6.5 FICON Directors .... 32
3.6.6 Host Software .... 33

Chapter 4. Implementation .... 35
4.1 IBM Z CPC configuration .... 36
4.1.1 Define External Key Servers and export certificate to SKLM .... 36
4.1.2 Configure IBM Z CPC policies .... 44
4.2 DS8900F configuration .... 46
4.2.1 Export SKLM server SSL/KMIP certificate .... 46
4.2.2 Enable Endpoint Security on the DS8900F .... 49
4.2.3 Enable Endpoint Security on DS8900F host ports .... 56

Chapter 5. Monitoring and Maintaining the Endpoint Security Environment .... 67
5.1 Managing and Monitoring Endpoint Security on the DS8900 .... 68
5.1.1 DS8900F GUI .... 68
5.1.2 DS8900 command-line interface .... 72
5.2 Monitoring and maintaining endpoint encryption on SKLM .... 75
5.2.1 SKLM backup and restore .... 75
5.2.2 SKLM key manager device group verification .... 75
5.3 Monitoring Endpoint Encryption on the z15 .... 79
5.3.1 Modify Fibre Channel Endpoint Security Policy from the z15 HMC .... 79
5.3.2 z/OS commands to display Fibre Channel Endpoint Security status .... 81
5.3.3 z/OS Messages .... 82
5.3.4 z/OS SMF Records .... 82

Chapter 6. Managing Certificates .... 85
6.1 Introduction to the certificates used with IFCES .... 86
6.1.1 What are digital certificates used for .... 86
6.1.2 Special considerations for the DS8900F encryption certificate .... 88
6.2 Modify customer defined certificate for use with IFCES .... 88
6.3 Changing digital certificates .... 92
6.3.1 Changing the SSL/KMIP digital certificate for SKLM .... 92
6.3.2 Changing the digital certificate on the IBM Z HMC .... 97
6.3.3 Changing the Digital Certificate for the DS8900F .... 103

Related publications .... 109
IBM Redbooks .... 109
Other publications .... 109
Online resources .... 109
Help from IBM .... 110

Notices

This information was developed for products and services offered in the US. This material might be available from IBM in other languages. However, you may be required to own a copy of the product or product version in that language in order to access it.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing, IBM Corporation, North Castle Drive, MD-NC119, Armonk, NY 10504-1785, US

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk.

IBM may use or distribute any of the information you provide in any way it believes appropriate without incurring any obligation to you.

The performance data and client examples cited are presented for illustrative purposes only. Actual performance results may vary depending on specific configurations and operating conditions.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to actual people or business enterprises is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. The sample programs are provided "AS IS", without warranty of any kind. IBM shall not be liable for any damages arising out of your use of the sample programs.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at http://www.ibm.com/legal/copytrade.shtml

The following terms are trademarks or registered trademarks of International Business Machines Corporation, and might also be trademarks or registered trademarks in other countries:
DS8000, FICON, IBM, IBM Z, IBM z Systems, IBM z15, Passport Advantage, Redbooks, Redbooks (logo), Resource Link, System Storage, XIV, z Systems, z/OS, z/VM, z/VSE, z15

The following terms are trademarks of other companies:

The registered trademark Linux is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a worldwide basis.

Windows, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, or service names may be trademarks or service marks of others.

Preface

This IBM Redbooks publication will help you install, configure, and use the new IBM Fibre Channel Endpoint Security function.

The focus of this publication is about securing the connection between an IBM DS8900F and the IBM z15. The solution is delivered with two levels of link security supported: support for link authentication on Fibre Channel links and support for link encryption of data in flight (which also includes link authentication).

This solution is targeted for clients needing to adhere to Payment Card Industry (PCI) or other emerging data security standards, and those who are seeking to reduce or eliminate insider threats regarding unauthorized access to data.

Authors

This book was produced by a team of specialists from around the world.

Roger Hathorn is a Senior Technical Staff Member and Master Inventor at IBM Systems Storage in Tucson, AZ. He is responsible for IBM DS8000 I/O architecture and development with expertise in the IBM FICON and Fibre Channel I/O Architecture and standards, and has over 31 years of experience on the enterprise storage platform. Roger represents IBM at INCITS Fibre Channel T11 standards, including the responsibility of vice-chair of the T11.3 technical committee, chairman of the FC-SB-6 (FICON) working group, and secretary of the FC-NVMe working group. Roger is the lead architect of the IBM Fibre Channel Endpoint Security solution on the new DS8900F storage controllers.

Matthew Houzenga is an Executive IT Specialist and Client Technical Specialist for IBM Storage in Cleveland, OH. He joined IBM Storage in 2000, and worked for the support and development organizations in San Jose and Tucson before moving to the field in 2006. He holds a degree in Computer Science from Northern Illinois University.

Jacob Sheppard joined the IBM DS8000 device adapter development team in 2003, where he worked on problems of multi-node management of metadata, logical volume expansion, and solid state disk control. He began working on encryption of data at rest using self encrypting spinning disks in 2008. In 2012, he helped implement the encryption of data at rest solution for IBM XIV. In 2014, he returned to IBM DS8000 development to tackle problems of KMIP standardization for data at rest encryption, customer defined certificates, Transparent Cloud Tiering encryption, and Encryption of Data in Flight.

Robert Tondini is an IBM Consulting IT Specialist in IBM Australia and New Zealand. He has 24 years of experience in IBM enterprise storage for mainframe and open systems. He joined IBM in 2000, and since then he has been providing presales and implementation support for high-end disk, tape, and SAN fabric systems with high availability and disaster recovery solutions. He co-authored several IBM Redbooks publications and workshops for IBM DS8000 systems.

Alexander Warmuth is a Consulting IT Specialist in IBM's European Storage Competence Center. Working in technical sales support, he designs and promotes new and complex storage solutions, drives the introduction of new products, and provides advice to customers, IBM Business Partners, and sales. His main areas of expertise are: high-end storage solutions and business resilience for IBM z Systems and Linux. He joined IBM in 1993. Alexander holds a diploma in Electrical Engineering from the University of Erlangen, Germany.

Bert Dufrasne is an IBM Certified Consulting IT Specialist and Project Leader for IBM System Storage disk and flash products at the ITSO, San Jose Center. He has worked at IBM in various IT areas. He has written many IBM Redbooks publications, and has developed and taught technical workshops. Before joining the ITSO, he worked for IBM Global Services as an Application Architect. He holds a Master's degree in Electrical Engineering.

Thanks to the following people for their contributions to this project:
Larry Brocious, Pasquale Catalano, Rashmi Chandra, Justin Crips, Andrew Crimmins, Patty Driever, Donna Freck, Igor Popov
IBM

Now you can become a published author, too

Here's an opportunity to spotlight your skills, grow your career, and become a published author, all at the same time. Join an IBM Redbooks residency project and help write a book in your area of expertise, while honing your experience using leading-edge technologies. Your efforts will help to increase product acceptance and customer satisfaction, as you expand your network of technical contacts and relationships. Residencies run from two to six weeks in length, and you can participate either in person or as a remote resident working from your home base.

Find out more about the residency program, browse the residency index, and apply online at:
ibm.com/redbooks/residencies.html

Comments welcome

Your comments are important to us.

We want our books to be as helpful as possible. Send us your comments about this book or other IBM Redbooks publications in one of the following ways:
- Use the online Contact us review Redbooks form: ibm.com/redbooks
- Send your comments in an email: redbooks@us.ibm.com
- Mail your comments: IBM Corporation, IBM Redbooks, Dept. HYTD Mail Station P099, 2455 South Road, Poughkeepsie, NY 12601-5400

Stay connected to IBM Redbooks

- Find us on Facebook: http://www.facebook.com/IBMRedbooks
- Follow us on Twitter: http://twitter.com/ibmredbooks
- Look for us on LinkedIn: http://www.linkedin.com/groups?home=&gid=2130806
- Explore new Redbooks publications, residencies, and workshops with the IBM Redbooks weekly sf/subscribe?OpenForm
- Stay current on recent Redbooks publications with RSS


Chapter 1. Introducing IBM Fibre Channel Endpoint Security

IBM Fibre Channel Endpoint Security (IFCES) is designed to protect data that is transferred over Fibre Channel storage area networks (SANs). It consists of two components:
- Link authentication
- Encryption of data in flight (EDIF)

In this chapter, we first discuss the general need for data protection and encryption. Then we explain the benefits of IFCES and how it fits into the IBM Z Pervasive Encryption strategy. We complete the introduction with a high-level functional overview of the solution.

1.1 The need for data protection and encryption

Today, data stored and processed in IT systems is one of the core assets of most enterprises or organizations. Losing or exposing data often results in high cost or even irreparable damage. In addition, more and more regulatory requirements are introduced, forcing organizations to protect the data they store and process, inducing severe penalties if requirements are not met or sensitive data is lost or exposed. Thus, organizations are experiencing increased pressure from internal and external sources to protect and govern data.

The two main aspects of data protection are the following goals:
- Protection against loss: losing access to data can have a severe impact on an organization's ability to function, but will generally have limited impact on third parties. In the past, most of the efforts of data protection focused on this aspect. Hardware redundancy, backup and restore processes, or disaster recovery solutions are examples of methods used here.
- Protection against unauthorized access and abuse: losing control of data not only impacts the storing and processing organization itself, but also other organizations or persons it is interacting with. This aspect is gaining significance in recent years as data breaches and abuse are reported frequently. Furthermore, data is increasingly stored in cloud environments outside of an organization's own data center where it is much harder to control. Here, the most effective methods of protection are access control and encryption.

With the IBM Z Systems z14, IBM introduced the concept of Pervasive Encryption. IBM Z clients are no longer required to put excessive effort into planning, implementing, and maintaining effective access control and encryption of their data. Pervasive encryption provides the means to encrypt all data at all levels and in all components of the IT infrastructure, without impacting the operation and without requiring changes to existing applications.

Figure 1-1 shows a graphical representation of the layers where encryption can take place.

Figure 1-1 The IBM Pervasive Encryption Pyramid

The width of each layer represents the coverage that can be achieved related to overall protection. The vertical position of the layers represents the granularity of control, but also the complexity of implementation and management.

Starting from the top, we briefly explain each layer. You can also refer to Getting Started with z/OS Data Set Encryption, SG24-8410, for more details about Pervasive Encryption.
- Application encryption provides encryption and data protection by each individual application. It is highly granular and specific, but also requires the highest efforts, because each application needs the necessary encryption capabilities and has to be managed individually. It can provide protection of highly sensitive application data, which is not covered by any of the lower levels or if their protection is not sufficient.
- Database encryption provides the capability to protect key database files and database backup images from inappropriate access. It is less granular and therefore easier to manage, but covers only a certain subset of data.
- File or data set encryption provides broad coverage for sensitive data by using encryption that is tightly integrated with the operating system and managed by policies. It is not apparent to applications and allows for separation of duties within an organization. Security administration can be performed independently of application, database, or storage administration.
- Disk and tape encryption provide coverage for data-at-rest at the storage infrastructure level. It is an "all or nothing" solution and encrypts data at rest within a storage controller without differentiating type, sensitivity, or importance of data. Therefore it requires the least organizational effort of all layers with the broadest coverage. It protects against intrusion, tampering, or removal of physical infrastructure.

For the upper three levels shown in the pyramid, data is encrypted on the host side. Therefore it is protected at rest on external storage media, as well as in flight, while being read or written. With conventional disk encryption, data is unprotected as long as it is outside of the respective storage system.

IBM Fibre Channel Endpoint Security (IFCES) adds the protection of data in flight between the IBM Z and the IBM DS8900F storage system, controlling access and encrypting data that is transferred over a SAN.

Note: Only data transferred between an IBM Z CPC and IBM DS8900F storage systems can be protected with IFCES. Data in flight is not protected in the following situations:
- On PPRC replication links between DS8000 storage systems
- Between an IBM Z CPC and virtual or physical tape devices

In addition, IFCES can also be used to protect data flowing between hosts using Channel to Channel (CTC) connections.

1.2 IBM Fibre Channel Endpoint Security overview

While data set encryption is supported through most IBM z/OS access methods, there are some that do not yet support it. Utilizing data set encryption also requires a set of z/OS components to be functional in order to perform the encryption and key management, so operations on the link prior to those components being initialized and functional are not protected by encryption. IBM Z also supports five operating systems (z/OS, Linux, z/TPF, IBM z/VSE, and IBM z/VM), and not all of them provide file or data set encryption capability for all file systems or access methods.

DS8000 Data at Rest (DAR) encryption provides protection for all data stored within the storage system, regardless of application, access method, or operating system. However, it

does not protect the data on its way (in flight) between the IBM Z CPC and the storage system.

Figure 1-2 on page 14 illustrates how IBM Fibre Channel Endpoint Security complements DAR encryption and extends the protection to data in flight.

Figure 1-2 The protection scope of IFCES

The blue logical volumes in the storage systems and the data sets or files stored in them represent the level of protection from conventional DAR encryption. The orange parts, consisting of the FICON or FCP HBAs in the IBM Z CPC, all SAN components, and the host adapters in the DS8000 storage system show the extent of additional protection provided by IFCES.

Note: IFCES also supports Fibre Channel-to-Channel (CTC) connections.

1.2.1 IFCES design overview

In this section, we provide a high-level overview of the IFCES solution. For a detailed explanation see Chapter 2, "IBM Fibre Channel Endpoint Security solution design" on page 17.

Solution components

IFCES is a SAN end-to-end solution, and requires support from both endpoints, the IBM Z CPC (initiator) and the DS8900F storage system (target). Both sides provide encryption capability and support for the creation, reception, interpretation, and transmission of messages that are exchanged to establish endpoint security. Fibre Channel fabric components, like switches, also have to support the solution.

Note: IFCES can be used with switched links and direct Fibre Channel point-to-point connections.

For secure key management, the solution also requires an external key manager. It maintains the shared secrets (keys) that associate the IBM Z CPCs and the DS8000 storage systems with each other as trusted partners.

Note: IBM Security Key Lifecycle Manager Version 3.0.1.3 or higher is the required External Key Manager. For IFCES, we recommend SKLM version 4.0.0.2 or later.

Figure 1-3 on page 15 shows the major components involved in IFCES.

Figure 1-3 Main IFCES components

The endpoints communicate with the key manager through the Hardware Management Consoles (HMCs) of the IBM Z CPC and the DS8000 storage system, using Transport Layer Security (TLS) to establish secure connections. The Fibre Channel endpoint ports use inband Fibre Channel link services to set up the trusted and encrypted connections for IFCES, governed by the IBM Security Key Exchange (SKE) protocol, which IBM developed on the basis of the industry standard Fibre-Channel Security Protocols 2 (FC-SP 2).

Note: See Chapter 3, "Endpoint Security Requirements and Planning" on page 27 for detailed hardware, firmware, and key manager requirements.

Solution design

IBM Fibre Channel Endpoint Security is initiated in two phases:
1. Link authentication: ensure that only ports of trusted endpoints are communicating with each other (a common symmetric key is used for authentication)
2. Link encryption: establish encryption of all payload traffic between the endpoints using a pair of derived symmetric keys.

When you set up your environment for IFCES, a Device Authentication Key (DAK) is created in the External Key Manager. It acts as a shared secret that associates a pair of endpoint devices a
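The two-phase setup described above, as an added Python illustration that is not code from the Redbook or from IBM: a key manager holds one Device Authentication Key per trusted initiator/target pairing, phase 1 is a mutual challenge/response proving both ports hold that shared symmetric key, and phase 2 derives a distinct session key per traffic direction so the long-lived DAK itself never encrypts payload. The HMAC-SHA256 challenge/response, the HKDF-style derivation, the WWPN strings, and every class and function name here are assumptions standing in for the SKE protocol, whose actual messages and key derivation this page does not describe. The failure cases it exercises are the ones the text motivates: a port the key manager has no pairing for, and a port presenting a key other than the shared DAK, both fail phase 1 and never reach phase 2.

```python
"""Toy model of IFCES-style link setup (illustration only, not the SKE protocol)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


class KeyManager:
    """Stands in for the external key manager: one DAK per trusted
    (initiator WWPN, target WWPN) pairing. WWPN strings are constructed."""

    def __init__(self):
        self._daks = {}

    def pair(self, initiator_wwpn, target_wwpn):
        dak = secrets.token_bytes(32)
        self._daks[(initiator_wwpn, target_wwpn)] = dak
        return dak

    def fetch(self, initiator_wwpn, target_wwpn):
        # Each endpoint would obtain its copy via its HMC over TLS; an unknown
        # pairing yields no key at all, so authentication cannot succeed.
        return self._daks.get((initiator_wwpn, target_wwpn))


def _hkdf_sha256(key, salt, info, length=32):
    """HKDF extract-and-expand with HMAC-SHA256 (assumed KDF, stdlib only)."""
    prk = hmac.new(salt, key, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


@dataclass
class Port:
    wwpn: str
    dak: Optional[bytes]   # None when the key manager knows no pairing for this port

    def respond(self, challenge, peer_wwpn):
        """Prove knowledge of the DAK by keying an HMAC over the peer's nonce."""
        if self.dak is None:
            return None
        msg = challenge + self.wwpn.encode() + peer_wwpn.encode()
        return hmac.new(self.dak, msg, hashlib.sha256).digest()

    def verify(self, challenge, peer_wwpn, response):
        """Check the peer's response in constant time; any missing key fails."""
        if self.dak is None or response is None:
            return False
        msg = challenge + peer_wwpn.encode() + self.wwpn.encode()
        expected = hmac.new(self.dak, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def authenticate(initiator, target):
    """Phase 1: mutual challenge/response. Returns the two nonces on success,
    None if either side fails to prove it holds the shared DAK."""
    n_i = secrets.token_bytes(16)
    n_t = secrets.token_bytes(16)
    if not initiator.verify(n_i, target.wwpn, target.respond(n_i, initiator.wwpn)):
        return None
    if not target.verify(n_t, initiator.wwpn, initiator.respond(n_t, target.wwpn)):
        return None
    return n_i, n_t


def derive_link_keys(dak, n_i, n_t):
    """Phase 2: one key per direction, bound to both nonces, so payload is
    never encrypted under the long-lived DAK and each direction differs."""
    salt = n_i + n_t
    return {
        "initiator_to_target": _hkdf_sha256(dak, salt, b"IFCES-toy i->t"),
        "target_to_initiator": _hkdf_sha256(dak, salt, b"IFCES-toy t->i"),
    }


def establish_link(km, initiator_wwpn, target_wwpn):
    """Run both phases for a port pair; None means the link stays unsecured."""
    dak = km.fetch(initiator_wwpn, target_wwpn)
    initiator = Port(initiator_wwpn, dak)
    target = Port(target_wwpn, dak)
    nonces = authenticate(initiator, target)
    if nonces is None:
        return None
    return derive_link_keys(dak, *nonces)


if __name__ == "__main__":
    km = KeyManager()
    km.pair("WWPN-INIT-0001", "WWPN-TGT-0001")        # constructed pairing
    print(establish_link(km, "WWPN-INIT-0001", "WWPN-TGT-0001") is not None)
    print(establish_link(km, "WWPN-INIT-0001", "WWPN-TGT-9999"))   # no pairing
```

Binding the WWPNs and both nonces into the challenge response and into the key derivation is what keeps a transcript from one port pair from being replayed against another; the real protocol's choice of primitives and message layout is covered by the SKE specification rather than this page.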

