I know this sounds strange, but we need to implement encryption on our TS1130 tapes. Never having done this, I need some help/suggestions/war-stories/etc on how to basically turn encryption on. Is th
Author: "Billaudeau, Pierre" <P.Billaudeau AT SAQ.QC DOT CA>
Date: Thu, 4 Apr 2013 16:00:27 +0000
Hi Zoltan, We used TSM encryption (Application base on AIX TSM servers) and here are the steps we had to implement: 1. On TSM server : Update DEVCLASS 3592CLASS2 drivee=on 2. On AIX : chdev -l 'rmt6'
Author: "Prather, Wanda" <Wanda.Prather AT ICFI DOT COM>
Date: Thu, 4 Apr 2013 16:10:01 +0000
Zoltan, BTDTGTTS. You first decide if you want to use TSM-managed or externally-managed (EKM) encryption. With TSM encryption, it really is just as simple as creating a devclass and creating storage
Wanda, As always, thanks for the detailed explanation. However, it brings up lots of questions. Since this would be hardware-based and encrypts everything, this is the way we would go. has to be run
Author: Mike De Gasperis <mike.degasperis AT WOWWAY DOT COM>
Date: Thu, 4 Apr 2013 13:00:28 -0400
I've never dealt with the EKM but it looks to be a legacy product that will be phased out by IBM. You'll want to look at the TKLM product which does require licensing for the drives that will be encr
Author: Mike De Gasperis <mike.degasperis AT WOWWAY DOT COM>
Date: Thu, 4 Apr 2013 13:01:02 -0400
Forgot to include this link from IBM regarding their EKM support. http://www-01.ibm.com/support/docview.wss?uid=ssg1S4000504 -- Original Message -- Wanda, As always, thanks for the detailed explanati
Author: "Prather, Wanda" <Wanda.Prather AT ICFI DOT COM>
Date: Thu, 4 Apr 2013 17:41:52 +0000
I apologize, when I said EKM, I meant TKLM, which is the current product replacement for the old EKM. The only paint-by-number is a redbook for TKLM. Actually there are a couple, and you'll need aspi
Thanks - that clears things up - a little bit - My question is, will the older EKM work with the TS3500? What what I have read in the TS3500 Planning Guide, it seems to imply it will. On Thu, Apr 4,
Thanks. Other than the factor that certain tapes/processes are not encrypted (from the book when setting DRIVEE=ON - *Other types of volumesfor example, backup sets, export volumes, and database back
Author: "Prather, Wanda" <Wanda.Prather AT ICFI DOT COM>
Date: Thu, 4 Apr 2013 22:53:08 +0000
Correct. Anything that has to be readable without accessing a live TSM DB, can't be encrypted with TSM, ergo backupsets, exports, DB backups. And I don't know of any other reason not to choose TSM/Ap
Unfortunately, after discussing the choices with management, they decided to choose LME vs AME. So they want me to setup a Linux VM running EKM (onsite), as well as the EMK function on my offsite TSM
Author: Alex Paschal <apaschal5 AT FRONTIER DOT COM>
Date: Fri, 5 Apr 2013 12:27:14 -0700
Be sure to create a Windows task or crontab script that copies your EKM keystore periodically and remotely. And preferably not to TSM. :-) On 4/5/2013 6:30 AM, Zoltan Forray wrote: Unfortunately, aft
Understood. I do something similar right now. Daily, my TSM servers backup their volhist and devconfig files which are then SFTP'ed to an offsite server (these are Linux systems). On Fri, Apr 5, 2013
Well folks, this project keeps changing. Originally figured we would use EKM/TKLM but then discussions bought it back to, why not just AME/TSM handle the encryption - do we need to encrypt the DB? So
Author: Alex Paschal <apaschal5 AT FRONTIER DOT COM>
Date: Tue, 9 Apr 2013 14:01:37 -0700
The real question is: are you allowed to send the unencrypted keys (in the unencrypted dbbackup) offsite in the same truck as the encrypted tapes? Or will you have to ship the dbbackup tape separatel
Author: Alex Paschal <apaschal5 AT FRONTIER DOT COM>
Date: Tue, 9 Apr 2013 15:03:32 -0700
Oh, sorry, rest of the question. It's easy to convert from AME to LME - create new library partition, new devclass, set up for LME. Rename some stgpools and recreate them using the new devclass so yo
robot doesn't talk to TSM for the keys - it's done strictly at the tape drive level. * You are the second person to make such a comment when documentation I have found says exactly the opposite. Wit
Author: Alex Paschal <apaschal5 AT FRONTIER DOT COM>
Date: Wed, 10 Apr 2013 11:04:29 -0700
That's odd. On page 23 it didn't mention anything about a robot being in the AME workflow. Might it be on another page? In the Redbook, AME is on pages 34-37. There is no mention of the library itsel
True, those pages don't mention a tape library. In this document on the TS3500 Tape Library: http://publib.boulder.ibm.com/infocenter/ts3500tl/v1r0/index.jsp?topic=%2Fcom.ibm.storage.ts3500.doc%2Fipg