Oracle® Key Manager 3 Systems Assurance Guide
Release 3.0
E48394-01
A IBM ICSF Integration

This appendix provides an overview of the IBM Integrated Cryptography Service Facility (ICSF) (see Footnote 1). For more information, refer to:

System Requirements

Both the IBM mainframe and the OKM Cluster have system requirements for this solution.

IBM Mainframe

The IBM z/OS mainframe must be running ICSF HCR-7740 or higher, together with Enterprise Library Software (ELS 7.0) or Nearline Control Software (NCS 6.2) and any associated PTFs.

A Cryptographic Express2 coprocessor (CEX2C) card must also be installed on the IBM mainframe.

OKM

The OKM must be running Version 2.2 or higher.

Understanding the Solution

The IBM Integrated Cryptography Service Facility (ICSF) is an encryption solution where the external key store resides in an IBM mainframe and is accessed using a TLS/XML protocol. This protocol is supported in the IBM mainframe with the keys stored in a Token Data Set in the IBM Integrated Cryptography Service Facility.

Figure A-1 shows a typical configuration.

Figure A-1 ICSF Site Configuration


Site Configurations

The cluster periodically issues requests to the IBM mainframe to create new master keys (referred to as application keys in ICSF).

The KMAs then use these new master keys to derive new tape encryption keys.


Note:

The mainframe where Common Cryptographic Architecture (CCA/ICSF) resides.

Key Stores and Master Key Mode

In version 2.x, the KMAs generate their own keys using their Cryptographic Accelerator (SCA6000) cards. Some customers may prefer to have the KMAs use master keys that are created and stored in an external key store contained in an IBM mainframe.

Version 2.2 introduces a Master Key Mode feature. When this feature is enabled, the OKM derives tape encryption keys from a set of master keys. The master keys are created and stored in an external key store.

Full disaster recovery is possible with just the tapes, the master keys, and factory default equipment.

IBM Mainframe

Various steps are required to configure a z/OS system to be used as an external key store for an OKM cluster.

Updating Information

After the IBM mainframe has been configured, the z/OS systems programmer must provide the following information to the administrator of an OKM:

  • Host name or IP address of the mainframe

  • Port number (such as 9889)

  • Web application path (such as "/cgi/smcgcsf")

  • File containing the client "user certificate" (exported and transferred off of the mainframe)

  • File containing the client private key (exported and transferred off of the mainframe)

  • Password that was used when the client private key was created

  • File containing the Root CA certificate (exported and transferred off of the mainframe)

The administrator of an Oracle Key Manager enters this information as the Master Key Provider settings in the Security Parameters panel of the OKM Manager GUI.

After the administrator saves these settings, the OKM cluster begins to issue requests to the Proxy on the IBM mainframe.

The client "user certificate" and the client private key might appear in the same file when they are exported from the IBM mainframe. If so, then the administrator should specify the same file in the OKM Certificate File Name and OKM Private Key File Name fields in the Master Key Provider settings.
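Before the values above are typed into the Master Key Provider settings, it is worth confirming that the exported files are consistent with each other: that the client certificate verifies against the exported Root CA certificate, that the recorded password still decrypts the client private key, that the key actually belongs to the certificate, and (optionally, with network access) that a TLS handshake to the Proxy on the mainframe succeeds. The POSIX shell script below is an added example and is not part of this guide or of the OKM software; it assumes that openssl is on the PATH and that the exported files are PEM-encoded. The function names are the example's own, and the host and file names in the usage comment are placeholders (the port and web application path are the sample values given above). A combined export that holds both the client certificate and the private key can be passed as both the certificate and the key argument, matching the advice for the OKM Certificate File Name and OKM Private Key File Name fields.

```shell
#!/bin/sh
# Added example (not Oracle's code): consistency checks for the files a z/OS
# systems programmer hands over for the OKM Master Key Provider settings.
# Assumptions: openssl in PATH; PEM-encoded files; a file containing both the
# client certificate and the private key may be passed as both $1 and $2.

# okm_check_mkp_files CERT_FILE KEY_FILE KEY_PASSWORD ROOT_CA_FILE
# Prints one line per check; returns 0 only when every check passes.
okm_check_mkp_files() {
    cert=$1 key=$2 pw=$3 ca=$4
    rc=0

    # 1. The client certificate must chain to the exported Root CA certificate
    #    (this also rejects a certificate outside its validity period).
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "ok:   client certificate verifies against $ca"
    else
        echo "FAIL: client certificate does not verify against $ca"; rc=1
    fi

    # 2. The password recorded when the key was created must still decrypt it.
    #    A wrong password (or a non-key file) makes openssl exit non-zero.
    if ! key_pub=$(openssl pkey -in "$key" -passin "pass:$pw" -pubout 2>/dev/null); then
        echo "FAIL: cannot read private key $key with the supplied password"
        return 1
    fi
    echo "ok:   private key decrypts with the supplied password"

    # 3. The private key must belong to the certificate. Comparing the PEM
    #    public keys works for RSA and EC keys alike.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "ok:   private key matches the client certificate"
    else
        echo "FAIL: private key does not match the client certificate"; rc=1
    fi

    # 4. Heads-up (not a failure) when the certificate expires within 30 days,
    #    so the re-export from the mainframe can be scheduled in time.
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "WARN: client certificate expires within 30 days"
    fi
    return $rc
}

# okm_check_mkp_endpoint HOST PORT CERT_FILE KEY_FILE KEY_PASSWORD ROOT_CA_FILE
# One TLS handshake to the mainframe Proxy with the client credentials; the
# server certificate must verify against the Root CA or the call fails.
# Needs network access, so it is not part of the offline checks above.
okm_check_mkp_endpoint() {
    openssl s_client -connect "$1:$2" -servername "$1" \
        -CAfile "$6" -cert "$3" -key "$4" -pass "pass:$5" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# Usage (placeholder host and file names; 9889 is the sample port from the guide):
#   okm_check_mkp_files okm-client.pem okm-client.key 'key-password' zos-root-ca.pem
#   okm_check_mkp_endpoint mainframe.example 9889 okm-client.pem okm-client.key 'key-password' zos-root-ca.pem
```

The file checks are the ones most often behind a rejected handshake after the settings are saved: a Root CA file that is not the issuer of the client certificate, or a key file that was re-exported with a different password than the one recorded. Run them on the workstation that holds the exported files; nothing is sent to the mainframe until the optional endpoint probe.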



Footnote Legend

Footnote 1: ICSF is a software component of z/OS providing cryptographic support either in its own software routines or through access to external cryptographic hardware, such as the Oracle Key Manager.