ADSM-L

Re: [ADSM-L] Any default encryption for TSM server??

2011-08-10 06:36:50
Subject: Re: [ADSM-L] Any default encryption for TSM server??
From: Grigori Solonovitch <Grigori.Solonovitch AT AHLIUNITED DOT COM>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Wed, 10 Aug 2011 13:24:23 +0300
There is no default encryption on TSM Server.
For hardware encryption you need to look into drive configuration.
Software encryption is supported by TSM Client and TDP (API).
For example, we need to encrypt all information related to Oracle databases on 
an AIX logical partition (database dumps and database backups via TDPO).
The configuration steps are (encryption keys are kept in the TSM database):

1) to enable the possibility of encryption for AIX file systems, add the following lines to 
/usr/tivoli/tsm/ba/bin64/dsm.sys:
   Nodename               LPAR05
   Encryptiontype         AES128
   Encryptkey             generate
   InclExcl               /backup/tsm/ba/InclExcl.list
2) to enable the possibility of encryption for TDP for Oracle backups, add the following 
lines to /usr/tivoli/tsm/api/bin64/dsm.sys:
   NODENAME             LPAR05_ORA
   Encryptiontype       AES128
   Encryptkey           generate
   Inclexcl             /backup/tsm/ba/InclExcl.list

3) set encryption for database dumps and TDPO backups in the include/exclude list 
/backup/tsm/ba/InclExcl.list:
include * AIX
include /.../* FSLPAR05
include /ifns_ifns/.../* DBLPAR05
include /patm_patm/.../* DBLPAR05
include /ptel_ptel/.../* DBLPAR05
include.encrypt /ifns_ifns/.../*
include.encrypt /patm_patm/.../*
include.encrypt /ptel_ptel/.../*
include.encrypt *.dmp.Z

Note, there are 3 databases with file space names ifns_ifns, patm_patm and 
ptel_ptel (the names are defined in the TDPO configuration file). In addition, all 
database dumps are kept in compressed files *.dmp.Z. The list of encrypted files 
can be expanded by adding INCLUDE.ENCRYPT lines to the include/exclude list.

To check encryption for databases:

q act  or=client node=LPAR05_ORA begind=08/09/2011
.........
Date/Time: 08/09/2011 15:44:51
  Message: ANE4991I (Session: 42231, Node: LPAR05_ORA)  TDP Oracle AIX ANU0599  
TDP for Oracle: (9216226): =>(LPAR05_ORA) ANU2526I Backup details for backup 
piece /ifns_ifns///LPAR05/ifns.09.1.58075.1.758734242 (database "IFNSDB"). 
Total bytes sent: 9756213248. Total processing time: 00:14:06. Throughput rate: 
11261.88Kb/Sec. Compressed: Yes , 61%. Encryption: AES_128BIT. LAN-Free: 
No.(SESSION: 42231)
..........
Date/Time: 08/09/2011 16:05:32
  Message: ANE4991I (Session: 44685, Node: LPAR05_ORA)  TDP Oracle AIX ANU0599  
TDP for Oracle: (10055750): =>(LPAR05_ORA) ANU2526I Backup details for backup 
piece /patm_patm///LPAR05/Archive_patm.09.50832.1.758736133 (database 
"PATMDB"). Total bytes sent: 3064201216. Total processing time: 00:03:17. 
Throughput rate: 15189.77Kb/Sec. Compressed: Yes , 54%. Encryption: AES_128BIT. 
LAN-Free: No.(SESSION: 44685)
............


To check encryption for database dumps:
dsmc query backup "/home/users05/fnsonli/backup/*.dmp.Z" -detail -traceflags=query
dsmc query backup "/backup05/exp/patm/*.dmp.Z" -detail -traceflags=query
dsmc query backup "/backup05/exp/ptel/*.dmp.Z" -detail -traceflags=query
dsmc query backup "/backup05/exp/ptel/*.log" -detail -traceflags=query

For example, prove_encryption.sh gives:

IBM Tivoli Storage Manager
Command Line Backup-Archive Client Interface
  Client Version 6, Release 2, Level 2.0
  Client date/time: 08/10/11   13:20:20
(c) Copyright by IBM Corporation and other(s) 1990, 2010. All Rights Reserved.

Node Name: LPAR05
Session established with server BKME: AIX-RS/6000
  Server Version 5, Release 5, Level 5.2
  Data compression forced on by the server
  Server date/time: 08/10/11   13:20:20  Last access: 08/09/11   16:49:09

           Size        Backup Date                Mgmt Class           A/I File
           ----        -----------                ----------           --- ----
13,012,947,599  B  08/09/11   16:30:00             FSLPAR05             A  
/home/users05/fnsonli/backup/expfns1.dmp.Z
                Modified: 08/09/11   01:25:29   Accessed: 08/08/11   16:42:19
         Compressed:  NO                Encryption Type: 128-bit AES
Client-deduplicated: NO
.......

I hope this will answer all your questions.

Grigori G. Solonovitch


-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of 
terrance
Sent: Wednesday, August 10, 2011 4:22 AM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: [ADSM-L] Any default encryption for TSM server??

I conclude that TSM encryption can be categorized into two types: 1) 
software/application layer encryption 2) hardware layer encryption (tape drive).

Question:
1) Does TSM have any data protection other than these two? Does TSM have default 
encryption if we never configure any setting to enable the software/application 
layer and no license key was bought for the hardware layer to do encryption?

2) If a software/application layer encryption was configured or installed on the server, how can 
we check it? (e.g. maybe there are some files or commands able to show it; 
please show me the way to check whether encryption is enabled or not to 
protect the data)

3) Can you tell me where these files are and what their content is about:
    - TSM.PWD
    - Dsm.sys
    - Dsm.opt

And what do the INCLUDE.ENCRYPT and EXCLUDE.ENCRYPT statements mean? Where are they?
And the last question is: which file contains the encryptkey and encryptiontype 
parameters?

+----------------------------------------------------------------------
|This was sent by terranceyaul AT yahoo DOT com via Backup Central.
|Forward SPAM to abuse AT backupcentral DOT com.
+----------------------------------------------------------------------
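The two checks Grigori describes (the ANU2526I backup-details messages in the activity log for TDP for Oracle, and dsmc query backup -detail for file backups) both print a per-object encryption field, which is what you read to confirm that an INCLUDE.ENCRYPT rule actually took effect. The script below is an added example, not part of this thread or of IBM's TSM tooling: it parses both output formats and lists every backup piece or file whose encryption field is not an AES value, so a dump or file space that slipped past the include/exclude rules shows up as a finding. The sample outputs are constructed from the lines quoted above; the "None" value for an unencrypted object is an assumption about TSM's wording, as is the second, unencrypted entry in each sample.

```python
#!/usr/bin/env python3
"""Find TSM backup objects that were stored without client-side encryption.

Added example (not from the ADSM-L post). Parses two outputs quoted in the
thread: 'q actlog or=client node=...' (ANU2526I backup details from TDP for
Oracle) and 'dsmc query backup ... -detail' (file backups). Objects whose
encryption field is missing or not AES are reported as findings.
"""
import re

# Constructed sample of 'q actlog' output. The first record is taken from the
# post; the second is constructed to show an unencrypted backup piece (the
# wording "Encryption: None" is an assumption).
ACTLOG_SAMPLE = """\
Date/Time: 08/09/2011 15:44:51
  Message: ANE4991I (Session: 42231, Node: LPAR05_ORA)  TDP Oracle AIX ANU0599
TDP for Oracle: (9216226): =>(LPAR05_ORA) ANU2526I Backup details for backup
piece /ifns_ifns///LPAR05/ifns.09.1.58075.1.758734242 (database "IFNSDB").
Total bytes sent: 9756213248. Total processing time: 00:14:06. Throughput rate:
11261.88Kb/Sec. Compressed: Yes , 61%. Encryption: AES_128BIT. LAN-Free:
No.(SESSION: 42231)
Date/Time: 08/09/2011 16:05:32
  Message: ANE4991I (Session: 44685, Node: LPAR05_ORA)  TDP Oracle AIX ANU0599
TDP for Oracle: (10055750): =>(LPAR05_ORA) ANU2526I Backup details for backup
piece /patm_patm///LPAR05/Archive_patm.09.50832.1.758736133 (database
"PATMDB"). Total bytes sent: 3064201216. Total processing time: 00:03:17.
Throughput rate: 15189.77Kb/Sec. Compressed: Yes , 54%. Encryption: None.
LAN-Free: No.(SESSION: 44685)
"""

# Constructed sample of 'dsmc query backup ... -detail' output. The first entry
# is from the post; the second is constructed (unencrypted, "Encryption Type:
# None" assumed).
DSMC_SAMPLE = """\
           Size        Backup Date                Mgmt Class           A/I File
           ----        -----------                ----------           --- ----
13,012,947,599  B  08/09/11   16:30:00             FSLPAR05             A  /home/users05/fnsonli/backup/expfns1.dmp.Z
                Modified: 08/09/11   01:25:29   Accessed: 08/08/11   16:42:19
         Compressed:  NO                Encryption Type: 128-bit AES
Client-deduplicated: NO
     4,096,000  B  08/09/11   16:31:00             FSLPAR05             A  /home/users05/fnsonli/backup/notes.txt
                Modified: 08/09/11   01:26:00   Accessed: 08/08/11   16:43:00
         Compressed:  NO                Encryption Type: None
Client-deduplicated: NO
"""

# One ANU2526I message, after its wrapped lines have been joined with spaces.
ACTLOG_PIECE = re.compile(
    r"Node:\s*(?P<node>[^,)]+)\).*?backup\s+piece\s+(?P<piece>\S+)"
    r".*?Encryption:\s*(?P<enc>[A-Za-z0-9_\-]+)\."
)
# The "size B date time mgmtclass A/I [path]" line of dsmc query output; the
# path may be wrapped onto the following line, as in the mailing-list copy.
DSMC_ENTRY = re.compile(
    r"^\s*(?P<size>[\d,]+)\s+B\s+(?P<date>\d\d/\d\d/\d\d)\s+(?P<time>\d\d:\d\d:\d\d)"
    r"\s+(?P<mc>\S+)\s+(?P<ai>[AI])(?:\s+(?P<path>\S+))?\s*$"
)
DSMC_ENC = re.compile(r"Encryption Type:\s*(?P<enc>.+?)\s*$")


def parse_actlog(text):
    """Split activity-log output into Date/Time records and extract node,
    backup piece and encryption field from each ANU2526I message."""
    blobs, current = [], []
    for line in text.splitlines():
        if line.startswith("Date/Time:") and current:
            blobs.append(current)
            current = []
        current.append(line)
    if current:
        blobs.append(current)
    records = []
    for blob in blobs:
        joined = " ".join(part.strip() for part in blob)
        m = ACTLOG_PIECE.search(joined)
        if m and "ANU2526I" in joined:
            records.append({"node": m["node"], "piece": m["piece"],
                            "encryption": m["enc"]})
    return records


def parse_dsmc_query(text):
    """Extract path, management class and encryption type for each file
    listed by 'dsmc query backup -detail'."""
    files, current, path_pending = [], None, False
    for line in text.splitlines():
        m = DSMC_ENTRY.match(line)
        if m:
            current = {"path": m["path"], "mgmtclass": m["mc"], "encryption": None}
            files.append(current)
            path_pending = m["path"] is None  # path wrapped to the next line
            continue
        if current is None:
            continue
        if path_pending and line.strip():
            current["path"] = line.strip()
            path_pending = False
            continue
        e = DSMC_ENC.search(line)
        if e:
            current["encryption"] = e["enc"]
    return files


def unencrypted(records, key):
    """Names (by `key`) of records whose encryption field is absent or not AES."""
    return [r[key] for r in records
            if not r["encryption"] or "AES" not in r["encryption"].upper()]


if __name__ == "__main__":
    for name in unencrypted(parse_actlog(ACTLOG_SAMPLE), "piece"):
        print("UNENCRYPTED backup piece:", name)
    for name in unencrypted(parse_dsmc_query(DSMC_SAMPLE), "path"):
        print("UNENCRYPTED file:", name)
```

Feed it the real output by replacing the two constructed samples with the captured text of the commands from the post; an empty findings list for a node is the evidence that every object the include/exclude rules were meant to cover was in fact stored encrypted.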


