This appendix provides an overview of the IBM Integrated Cryptography Service Facility (ICSF) [Footnote 1] as it is used with the Oracle Key Manager (OKM). For more information, refer to:
Oracle Key Manager: ICSF Integration Guide PN: 31619810x
Oracle Key Manager: Administration Guide PN: 31619510x
Both the IBM mainframe and the OKM Cluster have system requirements for this solution.
The IBM Integrated Cryptography Service Facility (ICSF) solution is an encryption configuration in which the external key store resides on an IBM mainframe and is accessed over a TLS-protected XML protocol. On the mainframe side the protocol is served by a proxy, and the keys themselves are stored in an ICSF Token Data Set (TKDS).
Figure A-1 shows a typical configuration.
The cluster periodically issues requests to the IBM mainframe to create new master keys (referred to as application keys in ICSF).
The KMAs then use these new master keys to derive new tape encryption keys.
Note: In Figure A-1, the mainframe is the system on which the Common Cryptographic Architecture (CCA) and ICSF reside.
In OKM version 2.x, each KMA generates its own keys using its Sun Cryptographic Accelerator 6000 (SCA6000) card. Some customers may prefer to have the KMAs use master keys that are created and stored in an external key store on an IBM mainframe.
Version 2.2 introduces a Master Key Mode feature. When this feature is enabled, the OKM derives tape encryption keys from a set of master keys that are created and stored in the external key store.
Because the tape encryption keys are derived from the master keys, full disaster recovery is possible with just the tapes, the master keys, and factory-default equipment.
Various steps are required to configure a z/OS system to be used as an external key store for an OKM cluster.
After the IBM mainframe has been configured, the z/OS systems programmer must provide the following information to the administrator of an OKM:
Host name or IP address of the mainframe
Port number (such as 9889)
Web application path (such as "/cgi/smcgcsf")
File containing the client "user certificate" (exported and transferred off of the mainframe)
File containing the client private key (exported and transferred off of the mainframe)
Password that was used when the client private key was created
File containing the Root CA certificate (exported and transferred off of the mainframe)
The administrator of an Oracle Key Manager enters this information as the Master Key Provider settings in the Security Parameters panel of the OKM Manager GUI.
After the administrator saves these settings, the OKM cluster begins to issue requests to the ICSF proxy on the IBM mainframe.
The client "user certificate" and the client private key might appear in the same file when they are exported from the IBM mainframe. If so, then the administrator should specify the same file in the OKM Certificate File Name and OKM Private Key File Name fields in the Master Key Provider settings.
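The material listed above is an ordinary mutual-TLS client configuration: a client certificate and private key for the OKM side, a password protecting that key, and the mainframe's Root CA certificate for verifying the proxy. The following script is an added example, not code from the OKM product or from Oracle's documentation. It inspects the exported PEM files before the values are typed into the Master Key Provider panel, decides whether the certificate and key files should be given as the same name (the case described in the preceding paragraph), checks that the password makes sense for the key as exported, and, when run with real files against the real mainframe, performs an mTLS connection to host, port and web application path. The file names, the placeholder PEM bodies and the probe's use of a GET request are assumptions for illustration; the real proxy expects the OKM XML requests.

```python
"""Pre-flight check of the ICSF export files an OKM administrator receives.

Added example, not OKM code. Placeholder PEM bodies are constructed and are not
real key material; file names are hypothetical.
"""
import getpass
import http.client
import re
import ssl
import sys

# One PEM block; the END label must match the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
KEY_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

# Constructed sample: one export file carrying both the user certificate and an
# encrypted PKCS#8 private key (the combined case from the text).
SAMPLE_COMBINED_EXPORT = """-----BEGIN CERTIFICATE-----
MIIBplaceholderCertificateBody==
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIEplaceholderEncryptedKeyBody==
-----END ENCRYPTED PRIVATE KEY-----
"""
# Constructed sample: certificate only, so a separate key file is required.
SAMPLE_CERT_ONLY = """-----BEGIN CERTIFICATE-----
MIIBplaceholderCertificateBody==
-----END CERTIFICATE-----
"""
# Constructed sample: legacy PEM key whose encryption is signalled by Proc-Type.
SAMPLE_LEGACY_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

MIIEplaceholderLegacyKeyBody==
-----END RSA PRIVATE KEY-----
"""


def inspect_export(text):
    """Summarise the PEM blocks in an exported file."""
    blocks = [(m.group("label"), m.group("body")) for m in PEM_BLOCK.finditer(text)]
    keys = [(label, body) for label, body in blocks if label in KEY_LABELS]
    encrypted = None
    if keys:
        label, body = keys[0]
        encrypted = label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body
    return {
        "certificates": sum(1 for label, _ in blocks if label == "CERTIFICATE"),
        "key_labels": [label for label, _ in keys],
        "key_encrypted": encrypted,
        "combined": bool(keys) and any(label == "CERTIFICATE" for label, _ in blocks),
    }


def choose_file_names(cert_file, cert_text, key_file=None, key_text=None):
    """Return (OKM Certificate File Name, OKM Private Key File Name).

    If the certificate export also holds the private key, both fields get the
    same file name; otherwise a separate key file must be supplied.
    """
    cert_info = inspect_export(cert_text)
    if cert_info["certificates"] < 1:
        raise ValueError("no CERTIFICATE block in %s" % cert_file)
    if cert_info["combined"]:
        return cert_file, cert_file
    if key_file is None or key_text is None:
        raise ValueError("certificate file has no private key and no key file was given")
    if not inspect_export(key_text)["key_labels"]:
        raise ValueError("no private key block in %s" % key_file)
    return cert_file, key_file


def check_key_password(key_text, password):
    """Cross-check the supplied password against how the key was exported."""
    info = inspect_export(key_text)
    if info["key_encrypted"] is None:
        return "no private key found"
    if info["key_encrypted"] and not password:
        return "key is encrypted but no password given"
    if not info["key_encrypted"] and password:
        return "key is not encrypted; the password will not be used"
    return "ok"


def build_client_context(cert_file, key_file, password, ca_file):
    """mTLS context: present our cert/key, trust only the mainframe Root CA."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert_file, key_file, password)
    return ctx


def probe_proxy(host, port, path, ctx):
    """Complete the TLS handshake and request the web application path.

    Returns the HTTP status; a handshake failure raises ssl.SSLError.
    """
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    finally:
        conn.close()


if __name__ == "__main__":
    if len(sys.argv) != 7:
        sys.exit("usage: HOST PORT PATH CERT_FILE KEY_FILE CA_FILE (password is prompted)")
    host, port, path, cert_file, key_file, ca_file = sys.argv[1:]
    with open(cert_file) as f:
        cert_text = f.read()
    with open(key_file) as f:
        key_text = f.read()
    password = getpass.getpass("private key password: ")
    print("files:", choose_file_names(cert_file, cert_text, key_file, key_text))
    print("password:", check_key_password(key_text, password))
    ctx = build_client_context(cert_file, key_file, password or None, ca_file)
    print("proxy status:", probe_proxy(host, int(port), path, ctx))
```

The probe verifies the proxy's certificate against the supplied Root CA and checks the server name against the host you connect to, so entering an IP address where the mainframe certificate only carries a host name will make the probe fail; that is worth knowing before the same values go into the OKM GUI. The password is prompted rather than passed on the command line so it does not end up in shell history or process listings.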
Footnote Legend
Footnote 1: ICSF is a software component of z/OS that provides cryptographic support either through its own software routines or through access to cryptographic hardware attached to the mainframe. In the configuration described in this appendix, the Oracle Key Manager is a client of ICSF, not hardware that ICSF uses.