ADSM-L

Re: [ADSM-L] TDPO and encryption

2007-03-27 06:30:24
Subject: Re: [ADSM-L] TDPO and encryption
From: Hans Christian Riksheim <HCR AT STERIA DOT NO>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Tue, 27 Mar 2007 12:29:49 +0200
Hi,

first of all, thanks to all for replying on the list and by private
e-mail. I have also contacted our supplier of TSM-software on this
issue.

As I suspected, only the transparent option is available for
TDPO-backups. This method offers some additional security since
communication between client and TSM-server will be encrypted if anyone
taps the line and the tape media will be of no use to anyone who steals
them.

It is however less secure than BA-encryption where the key is held by
the administrator of the client. In the TDPO case a person with the TSM
admin password can fake the TDPO client and get to the data. The data
can also be retrieved if someone steals the TSM-server and library. For
the BA-encryption, this is not possible.

I know the risk is marginal but it might be important for a customer who
has outsourced his backup to us. Therefore I have contacted IBM and
asked if they could work on this so that it is possible to have the
option of the application/client to store the key instead.


Best regards

Hans Chr.



 

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of
Prather, Wanda
Sent: Monday, March 26, 2007 1:20 AM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: Re: TDPO and encryption

Ditto.
It's supported, and we've used it (with Oracle), and it works.
 

________________________________

From: ADSM: Dist Stor Manager on behalf of Neil Rasmussen
Sent: Thu 3/22/2007 3:59 PM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: Re: TDPO and encryption



Encryption is supported through the TSM API starting at 5.3. To set it
up with DP Oracle/RMAN you need to make the following changes in your
dsm.sys for the DP Oracle stanza, for instance:


enableclientencryptkey   yes
encryptiontype           AES128
include.encrypt          /adsmorc/.../*

This assumes that your TDPO_FS is 'adsmorc' (the default) and that you
want all Oracle backups to be encrypted.


Regards,

Neil Rasmussen
Software Development
Data Protection for Oracle
rasmussn AT us.ibm DOT com




Hans Christian Riksheim <HCR AT STERIA DOT NO>
Sent by: "ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU>
03/22/2007 02:24 AM
Please respond to: "ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU>
To: ADSM-L AT VM.MARIST DOT EDU
cc:
Subject: TDPO and encryption

Hi,

does anyone have any experience with rman/tdpo and encryption?

I have not found any detailed information on how to implement it and the
redbook from 2001 (Backing up Oracle using TSM) does not mention it.

I have learned that there are two ways of doing it:

Client handles encryption through the API. Here I have not seen how to
set this up with RMAN.


API handles it transparently and stores the key on the TSM-server. I
haven't fully understood the security implications of this method. I
don't understand how this method can be as secure as for example
BA-encryption where the key is held by the administrator of the client.


Anyway, any tip on how to do it or pointers to information is much
appreciated.


Best regards

Hans Chr. Riksheim


This email originates from Steria AS, Biskop Gunnerus' gate 14a, N-0051 OSLO,
http://www.steria.no. This email and any attachments may contain
confidential/intellectual property/copyright information and is only for the
use of the addressee(s). You are prohibited from copying, forwarding,
disclosing, saving or otherwise using it in any way if you are not the
addressee(s) or responsible for delivery. If you receive this email by
mistake, please advise the sender and cancel it immediately. Steria may
monitor the content of emails within its network to ensure compliance with
its policies and procedures. Any email is susceptible to alteration and its
integrity cannot be assured. Steria shall not be liable if the message is
altered, modified, falsified, or even edited.
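
An added example, not part of the original thread and not IBM's code: a Python check that a dsm.sys stanza carries the three options from Neil Rasmussen's reply and that an include.encrypt pattern covers an object under the TDPO_FS filespace. The stanza names, sample file contents and object path are constructed; the check assumes option names are spelled out in full and uses a simplified pattern matcher.

```python
import re

# Constructed sample dsm.sys; stanza names are hypothetical.
SAMPLE = """\
* comment lines start with an asterisk
SErvername tdpo_enc
   enableclientencryptkey   yes
   encryptiontype           AES128
   include.encrypt          /adsmorc/.../*
SErvername tdpo_plain
   include.encrypt          /oradata/.../*
"""

def parse_dsm_sys(text):
    """Return {stanza name: [(option, value), ...]}, option names lower-cased."""
    stanzas, current = {}, None
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts or parts[0].startswith("*"):
            continue
        opt, val = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if opt == "servername":
            current = stanzas.setdefault(val, [])
        elif current is not None:
            current.append((opt, val))
    return stanzas

def pattern_to_regex(pattern):
    """Simplified matcher: '/.../' spans zero or more directories, '*' stays in one level."""
    pieces = re.split(r"(/\.\.\./|\*)", pattern)
    rx = "".join("/(?:.*/)?" if p == "/.../" else "[^/]*" if p == "*" else re.escape(p)
                 for p in pieces)
    return re.compile("^" + rx + "$")

def audit_stanza(options, sample_object):
    """Return findings for one stanza; an empty list means sample_object is encrypted."""
    single = {o: v for o, v in options if o != "include.encrypt"}
    patterns = [v for o, v in options if o == "include.encrypt"]
    findings = []
    if single.get("enableclientencryptkey", "").lower() != "yes":
        findings.append("enableclientencryptkey is not yes")
    if "encryptiontype" not in single:
        findings.append("encryptiontype is not set explicitly")
    if not any(pattern_to_regex(p).match(sample_object) for p in patterns):
        findings.append("no include.encrypt pattern covers " + sample_object)
    return findings

def audit(text, sample_object="/adsmorc/orcl/piece_1"):  # constructed object path
    return {n: audit_stanza(o, sample_object) for n, o in parse_dsm_sys(text).items()}
```

Calling `audit(SAMPLE)` returns an empty findings list for the stanza that matches the settings in the thread and three findings for the stanza whose only include.encrypt pattern points at a different filespace.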
