You are previewing Key Management Deployment Guide: Using the IBM Enterprise Key Management Foundation.
O'Reilly logo
Key Management Deployment Guide: Using the IBM Enterprise Key Management Foundation

Book Description

In an increasingly interconnected world, data breaches grab headlines. The security of sensitive information is vital, and new requirements and regulatory bodies such as the Payment Card Industry Data Security Standard (PCI-DSS), Health Insurance Portability and Accountability Act (HIPAA), and Sarbanes-Oxley (SOX) create challenges for enterprises that use encryption to protect their information. As encryption becomes more widely adopted, organizations also must contend with an ever-growing set of encryption keys. Effective management of these keys is essential to ensure both the availability and security of the encrypted information. Centralized management of keys and certificates is necessary to perform the complex tasks that are related to key and certificate generation, renewal, and backup and recovery.

The IBM® Enterprise Key Management Foundation (EKMF) is a flexible and highly secure key management system for the enterprise. It provides centralized key management on IBM zEnterprise® and distributed platforms for streamlined, efficient, and secure key and certificate management operations.

This IBM Redbooks® publication introduces key concepts around a centralized key management infrastructure and depicts the proper planning, implementation, and management of such a system using the IBM Enterprise Key Management Foundation solution.

Table of Contents

  1. Front cover
  2. Notices
    1. Trademarks
  3. Preface
    1. Authors
    2. Now you can become a published author, too!
    3. Comments welcome
    4. Stay connected to IBM Redbooks
  4. Part 1 Business context and solution architecture
    1. Chapter 1. Business context for enterprise key management
      1. 1.1 The need for encryption
        1. 1.1.1 Reasons for encryption
      2. 1.2 The need for enterprise key management
      3. 1.3 IBM Security Framework and Blueprint
        1. 1.3.1 IBM Security Framework
        2. 1.3.2 IBM Security Blueprint
      4. 1.4 Enterprise key management and the IBM Security Blueprint
      5. 1.5 Conclusion
    2. Chapter 2. Solution architecture
      1. 2.1 Functional overview
        1. 2.1.1 IBM Enterprise Key Management Foundation highlights
        2. 2.1.2 Benefits of IBM Enterprise Key Management Foundation
        3. 2.1.3 IBM Enterprise Key Management Foundation functions
      2. 2.2 Logical and physical components
        1. 2.2.1 Component overview
        2. 2.2.2 Key Repository
        3. 2.2.3 Key Management Workstation
        4. 2.2.4 Browser
        5. 2.2.5 Agent
        6. 2.2.6 Reporter
      3. 2.3 Sysplex technology
        1. 2.3.1 System z logical partitioning
        2. 2.3.2 Parallel Sysplex usage
        3. 2.3.3 Network architecture
      4. 2.4 Disaster recovery
        1. 2.4.1 Key Management Workstation
      5. 2.5 Smart card support
        1. 2.5.1 Zone concepts
        2. 2.5.2 CA smart card
        3. 2.5.3 Enrolling an entity
        4. 2.5.4 TKE smart cards
        5. 2.5.5 Reuse of TKE smart cards between EKMF and TKE workstations
      6. 2.6 Roles and responsibilities
        1. 2.6.1 Basic concepts
        2. 2.6.2 Access control systems
        3. 2.6.3 Role concept
      7. 2.7 Migration considerations
      8. 2.8 Conclusion
    3. Chapter 3. Deployment, administration, and maintenance
      1. 3.1 Understanding deployment options
        1. 3.1.1 Configurations
        2. 3.1.2 Environments
        3. 3.1.3 Online Key Repository access
        4. 3.1.4 Online keystore access
        5. 3.1.5 Designing the security organization
      2. 3.2 Maintenance of the installation
        1. 3.2.1 Maintenance of the workstation
        2. 3.2.2 Maintenance of Agents and data tables
      3. 3.3 Administering users
      4. 3.4 Providing applicable logging
      5. 3.5 Tracing for troubleshooting
        1. 3.5.1 Other tools for troubleshooting
      6. 3.6 Ensuring consistent backup and restore procedures
      7. 3.7 Conclusion
  5. Part 2 Use case scenario
    1. Chapter 4. Overview of scenario, requirements, and approach
      1. 4.1 Company overview
        1. 4.1.1 Current IT infrastructure
        2. 4.1.2 Key management issues in the current infrastructure
      2. 4.2 Business requirements
        1. 4.2.1 Compliance
        2. 4.2.2 Cost-effective key management operations
      3. 4.3 Functional requirements
        1. 4.3.1 Centralized operations
        2. 4.3.2 Basic key management requirements
        3. 4.3.3 Extended key management requirements
      4. 4.4 Architectural decisions
      5. 4.5 Solution overview
        1. 4.5.1 The design for the IT infrastructure and processes
        2. 4.5.2 The plan for implementation phases
      6. 4.6 Conclusion
    2. Chapter 5. Key management infrastructure setup and deployment
      1. 5.1 Planning for deployment
        1. 5.1.1 System z
        2. 5.1.2 Key Management Workstation
        3. 5.1.3 Keys to be managed
        4. 5.1.4 Keys to be managed for the application
        5. 5.1.5 Key label naming convention
      2. 5.2 Implementation
        1. 5.2.1 System z
        2. 5.2.2 Key Management Workstation
      3. 5.3 Managing keys
        1. 5.3.1 Adding key zones
        2. 5.3.2 Adding system application names
        3. 5.3.3 Setting up the device configuration
        4. 5.3.4 Importing key templates
        5. 5.3.5 Verifying the key templates
        6. 5.3.6 Generating keys
        7. 5.3.7 Leaving insecure mode
      4. 5.4 Link encryption configuration
        1. 5.4.1 Configuring the Agents
        2. 5.4.2 Configuring RACF permissions
        3. 5.4.3 Configuring the application
      5. 5.5 Application keys
        1. 5.5.1 Requesting key generation
        2. 5.5.2 Processing a key generation request
      6. 5.6 Key lifecycle management
      7. 5.7 Conclusion
  6. Appendix A. Troubleshooting
    1. EKMF workstation
    2. EKMF agents
    3. CCA Node Management Utility
  7. Appendix B. Operational procedures
    1. Smart card management using Smart Card Utility Program
    2. IBM PCIe 4765 Cryptographic Coprocessor management using CNM
    3. Managing the application
  8. Related publications
    1. IBM Redbooks
    2. Product publications
    3. Online resources
    4. Help from IBM
  9. Back cover
  10. IBM System x Reference Architecture for Hadoop: IBM InfoSphere BigInsights Reference Architecture
    1. Introduction
    2. Business problem and business value
    3. Reference architecture use
    4. Requirements
    5. InfoSphere BigInsights predefined configuration
    6. InfoSphere BigInsights HBase predefined configuration
    7. Deployment considerations
    8. Customizing the predefined configurations
    9. Predefined configuration bill of materials
    10. References
    11. The team who wrote this paper
    12. Now you can become a published author, too!
    13. Stay connected to IBM Redbooks
  11. Notices
    1. Trademarks