MITEC 2011 - Backup Encryption on IBM i
TRANSCRIPT
© 2011 IBM Corporation
MITEC - June 7, 2011
Backup Encryption on IBM i
Speaker: Debbie Saugen
IBM Power Systems
About the Speaker
Debbie Saugen is the Technical Owner of IBM i Backup and Recovery in the
Rochester, MN Development Lab. She is also a Senior Business Recovery
Architect/Consultant with IBM Business Continuity and Resiliency Services.
Debbie ensures the Backup and Recovery Solution meets the customer's
requirements in capability and usability. She does actual Backup/Recovery
testing using the new functions, products and publications.
As a recognized expert on Backup and Recovery worldwide, Debbie enjoys
sharing her knowledge by speaking at Common, Technical Conferences,
Business Continuity and Resiliency Services Conferences, User Group
conferences and writing for various magazines, books and websites.
You can reach Debbie at [email protected].
Agenda
• Why is Encryption Hot in the Marketplace Today?
• Techniques for Encrypting Data
• Hardware Based Backup Encryption (via LTO4/LTO5 or TS1120/TS1130)
  – Aside: Tape Technology Update
  – Solution Overview
  – Tivoli Key Lifecycle Manager
  – Comparisons
    • based on Tape Technology used (LTO4/LTO5 vs TS1120/TS1130)
    • based on Drives/Libraries used (Small or Enterprise Libraries)
    • based on Solution Components
  – BRMS and Drive-based Tape Encryption
  – Planning for your Encryption Project
  – Encryption Recovery Stories
• Software Based Backup Encryption (via BRMS)
  – Aside: BRMS Overview
  – Solution Overview and Considerations
  – Setting up BRMS-based encryption
• Summary
Tape and Data Encryption
In the News: "TAPES LOST! Privacy Commission Contacted"
In a move that could fuel efforts to change data storage practices, records management provider ABC Co has admitted losing a customer’s backup tapes and is recommending that customers begin encrypting tapes.
Although data encryption is not a new issue, it is a growing business security focus. Increased awareness of customer privacy, an increase in identity theft crimes, and more technically savvy criminals are all contributing.
New state, federal and industry regulations to protect personal data, credit card numbers, etc, are making this an issue of interest to many businesses.
• Many government agencies are requiring disclosure of security breaches
  – 38 states have enacted legislation requiring notification in cases of security breaches (Source: www.Privacyrights.org)
  – Similar federal legislation has been proposed (Source: http://www.epic.org/privacy/bill_track.html)
• Industry organizations are also increasing scrutiny of security procedures (Source: Payment Card Industry Security Audit Procedures Version 1)
• Over 236 million data records of U.S. residents have been exposed due to security breaches since January 2005 (Source: www.Privacyrights.org)
"Customer Data EXPOSED!!"
Tape and Data Encryption: Costs from a Security Breach
Direct Costs:
- Fines and penalties
- Customer notification (letters, postage, hotline, credit checks)
- Public Relations costs
- Legal Actions
Indirect Costs:
- Loss of reputation
- Loss of customer goodwill
- Government investigations
IBM Training
© 2009 IBM Corporation
Techniques for Encrypting Data on IBM i
• Software Based Encryption: encrypt using middleware for selected objects (eg BRMS), so the tape holds an encrypted copy of the database (IBM i 6.1 BRMS SW Encryption).
• Application Database Encryption: encrypt sensitive data directly in SQL table columns or via application use of cryptographic APIs, so the database holds encrypted fields and the tape holds encrypted data.
• Hardware Appliance Encryption: encrypt using a 3rd party appliance between server and tape drive.
• Tape Drive based Hardware Encryption: encrypt using a tape drive with built-in tape encryption (eg LTO4/LTO5 or TS1120/TS1130).
Encrypting Data via IBM Tape Drives with Built-in Encryption
(Aside) Update on Tape Drives for IBM i
Current IBM Tape Product Line for IBM i
LTO Family: TS2240, TS2340, TS2900, TS3100, TS3200, TS3310, TS3500
• Low cost
• High capacity
• Fast streaming operations
Enterprise Family: TS1130, TS3400, TS3500
• High performance
• High capacity
• Industrial strength
• Fast streaming and start/stop operations
Recent additions:
• TS3500 HD (High Density) GA’d Fall 2008
• TS2900 (SAS) GA’d in Dec 2008 (POWER6 + i6.1)
• TS1130 GA’d in Sept 2008
LTO Ultrium Tape Family
• TS3500 (machine 3584): Fibre drives 4 Gbit (192); LME encryption w fibre (+ fc 1640); LVD SCSI drives No (not for LTO3/4/5); SAS drives No; Partition capable Yes; Max # cartridges >6200
• TS3310 (3576): Fibre drives 4 Gbit (18); LME encryption w SAS/fibre (+ fc 5900); LVD SCSI drives No (not for LTO4/5); SAS drives FH (18); Partition capable Yes; Max # cartridges 396
• TS3200 (3573-L4U): Fibre drives 4 Gbit (2); LME encryption w SAS/fibre (+ fc 5900); LVD SCSI drives Yes (2); SAS drives HH (4) or FH (2); Partition capable Yes; Max # cartridges 45+3
• TS3100 (3573-L2U): Fibre drives 4 Gbit (1); LME encryption w SAS/fibre (+ fc 5900); LVD SCSI drives Yes (1); SAS drives HH (2) or FH (1); Partition capable Yes (w HH); Max # cartridges 23+1
• TS2340 (3580-L43/S43): Fibre drives No; LME encryption No; LVD SCSI drives FH (1) (L43); SAS drives FH (1) (S43); Partition capable No; Max # cartridges 1
• TS2900 (3572): Fibre drives No; LME encryption Yes (+ fc 5901); LVD SCSI drives No; SAS drives HH (1); Partition capable No; Max # cartridges 9. NEW! Requires POWER6 and IBM i 6.1
• TS2240 (3580-H4S): Fibre drives No; LME encryption No; LVD SCSI drives No; SAS drives HH (1); Partition capable No; Max # cartridges 1
LME Encryption = Library Managed Encryption (w Transparent LTO Encr Feat). HH = half high, FH = full high.
Although SAS drives have 2 ports, they are only supported for single system attach.
LTO 5 Current Tape Support (New: LTO 5 Tape Library Now Also Supported on IBM i)
• TS2250 Half High LTO5 (3580-H5S or 3580-S5E) – POWER6/POWER7 Servers or POWER Blades
• TS2350 Full High LTO5 (3580-S53 or 3580-S5X) – POWER6/POWER7 Servers but NOT on Blades
• Requires IBM i 6.1.1 with MF49234 or IBM i 7.1 with MF49235
• LTO5 Supported Directly or through VIOS – Minimum VIOS level is 2.1.3.10 FP23
• LTO5 Performance on IBM i Same as LTO4
• Tape Capacity Doubled – Now 1.5TB Native
• Encryption NOT Supported on TS2250 or TS2350 – TS2250 or TS2350 are Standalone Drives
  – IBM i Encryption Requires Tape Libraries for Library Managed Encryption
• BRMS Supports LTO5 TS2250 and TS2350
LTO 5 Current Tape Support (continued)
• Supported Adapters
  – POWER6/POWER7
    • SAS adapters #5912 (PCI-X) or #5901 (PCIe)
  – IBM BladeCenter S
    • IBM BladeCenter SAS Connectivity Module
    • IBM BladeCenter S SAS RAID Controller Module
  – IBM BladeCenter H
    • IBM BladeCenter SAS Connectivity Module
  – JS12 / JS22 Blades
    • SAS Expansion card (CFFv) for IBM BladeCenter (7998-8250)
  – JS23 / JS43 and PS700/701/702 Blades, use the following Expansion Card
    • 3Gb SAS Passthrough Expansion Card (CIOv) for BladeCenter (8406-8246)
Enterprise Tape Family
• TS3500 (machine 3584): Fibre drives 4 Gbit (for TS1120/30); Library Managed Encryption capable Yes; LVD drives No (for TS1120/30); Partition capable Yes; Max # cartridges >6200; Max # drives 192
• TS3400 (3577-L5U): Fibre drives 4 Gbit; Library Managed Encryption capable Yes; LVD drives No; Partition capable Yes; Max # cartridges 18; Max # drives 2
• TS1130 Standalone Drive (3592-E06): Fibre drives 4 Gbit; Library Managed Encryption capable No; LVD drives No; Partition capable No; Max # cartridges 1; Max # drives 1
Drive based Encryption is supported for TS1120 / TS1130 drives in the TS3400 and TS3500 (and 3494), but not standalone drives.
TS1130 GA’d in Sept 2008. TS1130 Support:
• V5R3 with IOP’d fibre cards
• 6.1 + POWER6 for IOPless fibre cards
Overview of Encryption Solution on IBM Tape Drives
Encryption Methods (all obtain their keys from the Encryption Key Manager)
• Library-Managed (LME): TS3500, TS3400, TS3310, TS3200, TS3100, TS2900, 3494
• System-Managed (SME): z/OS, AIX, Solaris, Windows & Linux
• Application-Managed (AME): TSM only
IBM i Tape Encryption on IBM Tape Drives
Picture: IBM i attached to LTO4/LTO5 or TS1120 / TS1130 drives in a tape library, with TKLM servers serving the keys.
Components
• Encryption Capable Tape Drive(s) – fibre TS1120/TS1130 or fibre/SAS LTO4/LTO5
• A Tape Library – TS2900/3100/3200/3310, TS3400, TS3500, 3494
• Multiple Key Managers (TKLMs)
• Suitable Drive / Library / TKLM at DR Site to restore
How does it Work?
• IBM i sends the backup to the tape library
• If the drive / library has encryption turned on, then the library gets the keys from the TKLM
• The drive/library writes the save
• BRMS is recommended to keep encrypted / non-encrypted tapes separate
Tivoli Key Lifecycle Manager (TKLM)
Tivoli Key Lifecycle Manager (TKLM) – IMPORTANT
Primary Site: Run Multiple TKLMs (so backups can still run when one is down)
Disaster Recovery Site: Comparable DR Site Gear
• Encryption Capable Drive / Library
• Access to TKLMs
Save / Synch
• Copy fresh keystore to all TKLMs each time you add/change keys
• Keep offsite backup of TKLM
Don’t Encrypt TKLM
• Run TKLM on a system/LPAR where none of the saves will be encrypted
TEST YOUR RECOVERY CAREFULLY!
Tivoli Key Lifecycle Manager (TKLM)
What is TKLM?
• Follow-on to Encryption Key Manager (EKM)
• Stores / Serves keys for Encryption:
  – Tape: TS1120, TS1130, LTO4, LTO5
  – Disk: DS8000
• MUCH more user-friendly than EKM
IBM i customers usually run their TKLM on Windows because:
• They typically have good skill on Windows
• It avoids the temptation to run TKLM on a system with a production application and accidentally encrypt the keys (this would make it impossible to recover due to the chicken / egg problem)
• Easy to load up a spare TKLM and store it offsite
• Easy to acquire hardware to re-build the TKLM after a big disaster
• Faster to restore / rebuild the key store on Windows vs a larger platform
Although we can’t RUN TKLM on IBM i, we can use TKLM on another platform to encrypt our IBM i saves
What Platforms does it run on?
• Windows Server 2003 & 2008
• AIX 5.3, AIX 6.1 or later
• Red Hat Enterprise Linux 4 & 5
• SuSE Linux Enterprise Server 9 & 10
• Solaris 9 & 10 SPARC
• z/OS Version 1 Release 9 & 10
See Notes page for details
TKLM – Supported Platforms - Notes
Tivoli Key Lifecycle Manager Platforms Supported
Supported with initial TKLM release:
• AIX 5.3 64-bit
• AIX 6.1 64-bit
• Red Hat Enterprise Linux 4 32-bit
• Solaris 10 SPARC 64-bit
• SuSE Linux Enterprise Server 9 32-bit
• SuSE Linux Enterprise Server 10 32-bit
• Windows Server 2003 32-bit
Supported with TKLM Fix Pack 1 installed (Fix Pack 1 came out in late April 2009):
• Red Hat Enterprise Linux 5 32-bit
• Red Hat Enterprise Linux 5 64-bit (32-bit mode)
• Solaris 9 SPARC 64-bit
• SuSE Linux Enterprise Server 10 64-bit (32-bit mode)
• Windows Server 2003 64-bit (32-bit mode). Requires both new installation image and Fix Pack 1
• Windows Server 2008 32-bit. Requires both new installation image and Fix Pack 1
• Windows Server 2008 64-bit (32-bit mode). Requires both new installation image and Fix Pack 1
TKLM Hardware Requirements (System Component: Minimum Value / Typical Value)
• System Memory (RAM): 2 GB / 4 GB
• Processor Speed: minimum – Linux and Windows: 2.66 GHz single processor; AIX and Sun Solaris: 1.5 GHz (2-way). Typical – Linux and Windows: 3.0 GHz dual processors; AIX and Sun Solaris: 1.5 GHz (4-way)
• Disk space free for product and pre-requisite products such as DB2 Database and keystore files: 10 GB / 20 GB
• Disk space free in /home directory for DB2 Database: 1.5 GB / 1.5 GB
• Disk space free in /opt: 3.5 GB / 3.5 GB
• Disk space free in /tmp or C:\temp: 500 MB / 500 MB
• All file systems must be writeable
• Minimum Values: These values enable a basic use of TKLM
• Typical Values: You might need to use larger values that are appropriate for your production environment. The most critical requirements are to provide adequate system memory, and free disk space and swap space. Processor speed is less important
TKLM is tested for x86 Linux, but not yet for POWER Linux
TKLM: Advantages over EKM
Much Nicer Interface
• GUI Install Wizard
• Web GUI Interface
• Simple backup of TKLM data via GUI
New Functions
• Automated key rollover
• Notification of expired certificates
• Able to force a unique key for each LTO tape
Easier to Order/Use
• IBM Java RunTime Environment (IBM JRE) is included with the product: no need to buy TPC/BE
• Easy to include Support on the order
• Better documentation via Info Center
What’s New in TKLM V2.0 (New)
• Key Management Interoperability Protocol – KMIP V1.0 Support Extends TKLM to non-IBM Devices
  – Emulex Encrypting HBAs
  – Brocade Encrypting Switch
  – Around 30 companies participating in the OASIS TC
• Role Based Access Control
  – Can define multiple administrators with different permissions
  – Can define different administrators for different groups of devices
  – Can restrict what devices can get which keys
• New Ease of Use Features
  – Pending auto – new option to capture device registration request and hold for administrative action
  – Works for devices and certificates
  – Improved silent install
• New Options for Disaster Recovery
  – Flag to not serve a key until it has been backed up
  – New scripts for automating keystore backup/restore
TKLM: Pricing and Licensing
TKLM Server License ($3,000 US) includes:
• 1 Production Copy of TKLM
• Multiple non-production copies of TKLM
• First 2 tape drive or disk resource activations
TKLM “Resource Value Units” (RVU’s), $750 US each:
• Authorization to add 1 more tape drive to drive table
• Or ability to encrypt 1 more TB of disk
Example: Primary Site with 6 drives and TKLM A / TKLM B; Secondary Site with 4 drives and TKLM C / TKLM D.
A single TKLM server license with 8 tape drive RVUs (+ 2 base RVUs) could be used as follows (simultaneously):
• Load it onto TKLM A and have both tape libraries point at it as their main Key Manager with 10 drives in the drive table
• Load it onto TKLM B and have both libraries point at it as their backup Key Manager. TKLM B will be used automatically if TKLM A is unavailable
• Load it onto TKLM C and TKLM D to use in case of a disaster. The Libraries will have to be switched to point at these key managers when needed
• Load it onto 2 laptops to store offsite in case of a serious disaster
• Use TKLM C and TKLM D 2-3 times a year for 2-3 days each time for disaster recovery testing, even while TKLM A and TKLM B are serving keys
• If the secondary site is a cold site (eg drives are only used in a disaster), then 4 RVUs (+ 2 base) are enough
TKLM offers volume discounts. Check the announcement letter for details.
If the customer would like to run each tape library from a local TKLM, then he will need 2 TKLM server licenses (2+2 base RVU’s) and 6 extra drive RVU’s.
Notes - TKLM: Feature Codes
eConfig/AAS
• 5608-A91 Initial Server License with 2 tape/disk activations + 1 yr SW Maintenance
• 5608-A92 1-yr SW Maintenance Renewal without a lapse (20% of purchase price)
• 5608-A95 1-yr SW Maintenance Renewal following a lapse (60% of purchase price)
• 5608-A93 – initial license with 3-year maintenance
• 5608-A96 – subsequent 3-year maintenance without a lapse
• 5608-A94 – subsequent 3-year maintenance following a lapse
For each product above (except 5608-A92):
• Fc 0005 is the server license
• Fc 0003 is the tape or disk resource activation
For 5608-A92:
• Fc 0009 is the server license maintenance for the 1st yr
• Fc 0001 is the tape or disk resource activation maintenance for the 1st yr
• Fc 0011 is the server license maintenance for subsequent years
• Fc 0003 is the tape or disk resource activation maintenance for subsequent yrs
From TKLM Announcement Letter - 209-020 dated January 13/09
Passport Advantage
• D0887LL - TKLM server license with 2 tape/disk activations + 1 yr SW maintenance
• E06JMLL - TKLM server license – 1 yr maintenance renewal
• D0888LL - TKLM server license – 1 yr maintenance renewal after a lapse
• D05EULL – Storage resource allocation including 1 yr SW maintenance
• E05EULL - Storage resource allocation - 1 yr SW maintenance renewal (no lapse)
• D05EVLL - Storage resource allocation - 1 yr SW maintenance renewal (no lapse)
• BJ0QUML – copy of code on CD for folks who don’t want to download it
The feature code #’s in the announcement letter are truncated so it is difficult to differentiate them, hence we have included them here. Please see the announcement letter for additional information.
Some customers may have bigger discounts on AAS or Passport Advantage, which will dictate how they order.
Passport Advantage synchs up the maintenance agreements in the 2nd year so they are payable at the same time for all products, which may draw a customer to this ordering method.
TKLM V2.0 Pricing Changes (New)
• No Tape Drive Activations Included for New Customers
• TKLM V1.0 customers get 2 tape drive activations
• Customers with TKLM Maintenance get TKLM V2.0 Free
• RVU Definition Changes
• RVU used to be 1 Drive = 1 RVU
• Now 1 Drive w/1TB Cartridge = 1 RVU
• Hence, 3592 w/700GB Media = .7 RVU
Tape Drive Based Encryption Reminders
Things to Remember
• Hardware Required
  • LTO4/LTO5 or TS1120/TS1130 tape drives
  • Fibre or SAS (not SCSI)
  • Drives must reside in a tape library (although it’s OK to run in sequential mode)
  • For LTO4/LTO5, library must have the transparent LTO encryption feature
  • LTO4/LTO5 media for LTO4/LTO5, or any TS1120/TS1130 formatted media
  • Comparable gear at your recovery site
• Software Required
  • Tivoli Key Lifecycle Manager Software + hardware to run it on
• Key Manager reminders
  • Don’t encrypt your Key Manager
  • Have multiple Key Managers at your home site and DR site
  • Save your Key Manager and send a copy offsite anytime your keys change
• Other Reminders
  • Choose TS3500/3494 over other libraries since they can turn encryption on/off based on volser
  • Include ALMS on a TS3500 order so encrypted/non-encrypted drives can share a TS3500 partition
  • IBM Rochester Lab Services Available to help with install/setup (contact Mark Even in Rochester)
Tape Encryption Comparisons
• Smaller libraries vs TS3500/3494
• LTO4/LTO5 vs TS1120/TS1130
Comparison of Tape Encryption Among Drives / Libraries
Small LTO4/LTO5 Libraries (TS2900/TS3100/TS3200/TS3310) and Small TS1120/30 Library (TS3400):
• Turn Encryption on/off via tape GUI interface (e.g. Tape GUI: Drive 001 - ON, Drive 002 - OFF)
• All drives in a library partition have the same setting for encryption
Enterprise Libraries (TS3500 with LTO4/LTO5/TS1120/30, or 3494 with TS1120/TS1130):
• Encryption can be controlled by volume serial number (“Barcode Encryption Policy” = “BEP”), e.g. Vol 1 through Vol 6 each selected individually
• With ALMS, TS3500 can have a mixture of encrypted / non-encrypted drives
Comparison of Solution Components for LTO4 vs TS1120/30
• Media: LTO4/LTO5 – LTO4/LTO5 media only. TS1120/TS1130 – TS1120/30 Media
• Key Manager: LTO4/LTO5 – Multiple TKLMs (SW + HW to run it on). TS1120/TS1130 – Multiple TKLMs (SW + HW to run it on)
• Transparent LTO Encryption feature for LME and SME: LTO4/LTO5 – TS2900: fc 5901 ($1,250 US); TS3100/TS3200: fc 5900 ($2,500 US); TS3310: fc 5900 ($5,000 US); TS3500: fc 1604 ($12,000 US). TS1120/TS1130 – Not required (function is included in drive price)
• Tape Library: LTO4/LTO5 – TS2900, TS3100, TS3200, TS3310, TS3500. TS1120/TS1130 – TS3400 or TS3500 or 3494
• Encryption Capable Drive: LTO4/LTO5 – Fibre or SAS LTO4/LTO5 drives only (*NOT* LVD SCSI drives). TS1120/TS1130 – Fibre TS1120/30 (3592E) drives with fc 5592 ($5K) or fc 9592 (nc)
Note: TS1120/30 use a special media density for encrypted tapes called FMT3592A2E/A3E. LTO4/LTO5 does not have a special density.
Notes: Encryption Intermix Rules with/without ALMS
The intent of this document is to explain and clarify the impact of Advanced Library Management System (ALMS) when implementing encryption on an IBM System Storage TS3500 Tape Library. The following are several terms and definitions that are necessary to be familiar with when referring to ALMS and encryption on a TS3500 tape library.
Terms and Definitions
1) Encryption capable versus encryption enabled.
Encryption capable refers to a drive's ability to convert data into a cipher that ensures data security. For example, all IBM LTO 4 drives are encryption capable while not all IBM 3592 E05 drives are encryption capable (ie drives bought before the TS1120 encryption announcement need to add the fc 5592 encryption feature to make them encryption-capable). To perform encryption, the drive must be made "encryption-enabled" by your selection of one of three methods of encryption management.
2) Encryption management method
Library managed encryption (LME) – Library acts as the proxy to the EKM (supported on System i)
System managed encryption (SME) – IBM device drivers act as the proxy for open systems. For zSeries the key proxy is via zOS IOS for in band or via the drive Control unit for out of band connectivity.
Application managed encryption (AME) - Key management is performed by TSM.
3) TS1120 refers to 3592 E05s only, not the 3592 J1As. Machine type 3592 refers to both J1As and E05s.
4) Not all TS1120s are encryption capable. Non encryption capable TS1120s have serial numbers that start with S/N 13-50000. Encryption capable TS1120s have serial numbers that start with S/N 13-65000. Older pre S/N 13-65000 drives that have been MES’d with FC5592 are encryption capable.
5) All IBM LTO4 drives are encryption capable provided LTO4 cartridges are used. All IBM LTO1, LTO2 and LTO3 drives are not encryption capable.
6) Library refers to the entire physical library; logical library refers to a subset of the physical library. While a physical library can consist of only one logical library, in this paper "logical library" implies that multiple logical libraries are defined.
Notes: Encryption Intermix Rules with/without ALMS
TS3500 ALMS Encryption Rules
For NON ALMS TS3500 libraries we enforce homogeneous encryption rules for all 3592 and all LTO drives, separately by drive type. Drive type is defined as 3592 or LTO.
Rule 1. Environment: TS3500 Non ALMS 3592 drives only library
All 3592 drives in the entire library must be encryption capable for encryption to be enabled. The entire physical library (all logical libraries if partitioned) must consist of encryption capable 3592 E05 drives. If encryption is to be enabled, it must be enabled for all drives in the entire physical library and they need to be all managed in the same manner, ie, all LME, all SME, or all AME.
Rule 2. Environment: TS3500 Non ALMS LTO drives only library
The entire library must consist of LTO4 drives before encryption can be enabled. No LTO 1, LTO 2 or LTO3 drives are allowed in the entire physical library. If the library is partitioned, all logical libraries must have encryption enabled in the same manner, ie, all LME, all SME, or all AME.
Rule 3. Environment: TS3500 Non ALMS 3592 and LTO drives mixed. Both drive types (LTO and 3592) need to be encryption enabled.
For NON ALMS TS3500 libraries we enforce homogeneous encryption rules for all 3592 and all LTO drives, separately by drive type.
If you intend to enable encryption for both LTO and 3592 then Rule 1 and Rule 2 must be adhered to with the following exception. All LTO logical libraries must be managed in the same manner, ie, LME, SME, AME, and all 3592 logical libraries must be managed in the same manner, ie, LME, SME, AME. However, LTO and 3592 can be managed differently. For example, all LTO can be LME while all 3592 can be SME or all AME.
Rule 3A. Environment: TS3500 Non ALMS 3592 and LTO drives mixed, but only LTO or only 3592 intend to have encryption enabled.
The rules only need to be adhered to if you intend to enable encryption for that drive type. If you intend to enable 3592 encryption only and not LTO encryption, then only Rule 1 needs to be adhered to. If you intend to enable LTO encryption only and not 3592 encryption, then only Rule 2 needs to be adhered to.
Rule 4. Environment: TS3500 ALMS enabled 3592 drives only library
With ALMS enabled, all drives in the physical library do not need to be encryption capable. That is, the physical library can consist of both encryption capable and non encryption capable 3592 drives.
All drives in the Logical library must be encryption capable if using LME or AME. All drives in a SME managed Logical library do NOT need to be encryption capable.
Notes: Encryption Intermix Rules with/without ALMS
Rule 5. Environment: TS3500 ALMS enabled LTO drives only library
With ALMS enabled, all LTO drives in the physical library or the logical library do not need to be encryption capable for encryption to be enabled. For example, a logical library can consist of LTO4, LTO2, and LTO3 drives and yet the LTO4 drives can be encryption enabled using LME, AME or SME.
Rule 5A. Environment: TS3500 ALMS enabled 3592 and LTO drives mixed.
Rules 4 and 5 only need to be adhered to if you intend to enable encryption for that drive type. If you intend to enable 3592 encryption only and not LTO encryption, then only Rule 4 applies. If you intend to enable LTO encryption only and not 3592 encryption, then only Rule 5 applies. If you intend to implement encryption on both 3592 and LTO then Rules 4 & 5 both apply.
The Bottom Line
On an existing TS3500 library W/O ALMS: Without ALMS, implementing encryption on an existing library is very inflexible and can be costly as you cannot have older technology coexist with newer encryption capable technology.
On a newly ordered library W/O ALMS: Without ALMS, implementing encryption is harder to manage and not very flexible. This environment is useful only if you intend to implement encryption on a new library that won’t change over time. All Logical libraries will need to have the same encryption method, which makes management an issue when needing to create non encrypted cartridges.
On a new or existing TS3500 library with ALMS: With ALMS, implementing encryption is easily managed, flexible, and much more cost effective regardless of your library configuration. This environment is cost effective as older technology can coexist in the same physical library with newer encryption capable technology without restrictions. Management is much easier as multiple encryption methods can be used within the same library. This environment is more flexible as a logical partition can consist of both old and new encryption capable technology.
On August 29, 2006, IBM announced entry and intermediate priced offerings of ALMS that mesh with existing Capacity on Demand library features. This provides full ALMS functionality for smaller libraries at a lower entry fee and lessens the impact of cost as a barrier.
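A checker for the intermix rules above, written here as an added example (not an IBM tool); the drive layouts, the model label "E05-ENC" for an encryption-capable TS1120, and the treatment of LTO5 like LTO4 are assumptions made here:

```python
"""Check a planned TS3500 drive layout against the encryption intermix rules
(Rules 1-5A). Added example, not IBM code: drive records are constructed, and
"E05-ENC" (a TS1120 with S/N 13-65000 or later, or MES'd with fc 5592) is a
label chosen here."""
from dataclasses import dataclass
from typing import Optional

# Encryption-capable drive models. Rule 2 names LTO4 only; LTO5 is included
# on the assumption that the later generation is treated the same way.
ENC_CAPABLE = {"LTO4", "LTO5", "E05-ENC"}
METHODS = {"LME", "SME", "AME"}


@dataclass
class Drive:
    name: str
    family: str            # "LTO" or "3592" (the drive type in the rules)
    model: str             # e.g. "LTO2", "LTO4", "E05", "E05-ENC"
    logical_lib: str       # logical library the drive is assigned to
    method: Optional[str]  # "LME", "SME", "AME", or None if not enabled


def _check_family(fam, family, alms):
    """Apply the rules for one drive type; returns a list of violations."""
    problems = []
    if not any(d.method for d in fam):
        return problems  # Rules 3A/5A: no encryption intended for this type
    unknown = {d.method for d in fam if d.method and d.method not in METHODS}
    if unknown:
        problems.append(f"{family}: unknown encryption method(s) {sorted(unknown)}")
    if not alms:
        # Rules 1-3: every drive of this type in the physical library must be
        # encryption capable, enabled, and managed in the same manner.
        not_capable = [d.name for d in fam if d.model not in ENC_CAPABLE]
        if not_capable:
            problems.append(f"{family}: non-ALMS library contains non-encryption-capable drives {not_capable}")
        disabled = [d.name for d in fam if d.method is None]
        if disabled:
            problems.append(f"{family}: non-ALMS library must enable encryption on all drives; not enabled on {disabled}")
        methods = {d.method for d in fam if d.method}
        if len(methods) > 1:
            problems.append(f"{family}: non-ALMS library must use one method, found {sorted(methods)}")
        return problems
    # Rules 4-5: with ALMS, old and new drives may share the physical library;
    # capability is only checked per logical library.
    by_ll = {}
    for d in fam:
        by_ll.setdefault(d.logical_lib, []).append(d)
    for ll, members in sorted(by_ll.items()):
        methods = {d.method for d in members if d.method}
        if len(methods) > 1:
            # Assumption: the management method is configured per logical library.
            problems.append(f"{family}/{ll}: one logical library uses several methods {sorted(methods)}")
        # Rule 4: a 3592 logical library under LME or AME needs every drive capable;
        # Rule 5: an LTO logical library may mix LTO2/LTO3 with encrypting LTO4.
        if family == "3592" and methods & {"LME", "AME"}:
            not_capable = [d.name for d in members if d.model not in ENC_CAPABLE]
            if not_capable:
                problems.append(f"3592/{ll}: LME/AME logical library contains non-capable drives {not_capable}")
    return problems


def check_layout(drives, alms):
    """Return all rule violations for the planned layout (empty list = OK)."""
    problems = []
    for family in ("3592", "LTO"):
        fam = [d for d in drives if d.family == family]
        problems += _check_family(fam, family, alms)
    return problems


# Constructed layouts illustrating the rules.
MIXED_NO_ALMS = [   # Rule 3: LTO under LME, 3592 under SME, everything capable -> OK
    Drive("F1", "LTO", "LTO4", "LL1", "LME"),
    Drive("F2", "LTO", "LTO4", "LL1", "LME"),
    Drive("F3", "3592", "E05-ENC", "LL2", "SME"),
]
OLD_TS1120_NO_ALMS = [   # Rule 1: a pre-fc-5592 TS1120 blocks encryption without ALMS
    Drive("F1", "3592", "E05-ENC", "LL1", "LME"),
    Drive("F2", "3592", "E05", "LL1", "LME"),
]
LTO_MIX_ALMS = [   # Rule 5: LTO2 and LTO4 may share a logical library with ALMS
    Drive("F1", "LTO", "LTO2", "LL1", None),
    Drive("F2", "LTO", "LTO4", "LL1", "LME"),
]

if __name__ == "__main__":
    for label, layout, alms in [("mixed, no ALMS", MIXED_NO_ALMS, False),
                                ("old TS1120, no ALMS", OLD_TS1120_NO_ALMS, False),
                                ("LTO mix, ALMS", LTO_MIX_ALMS, True)]:
        print(label, "->", check_layout(layout, alms) or "OK")
```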
BRMS and Tape Encryption
• In TS3500 and 3494, user needs to keep encrypted / non-encrypted media inventories in synch between BRMS and Tape Library records
• BRMS PTFs for “Encryption Awareness” on TS1120 / TS1130 drives will help: SI24932 - V5R2M0, SI24933 - V5R3M0, SI24934 - V5R4M0
• PTFs provide a new Media Density for TS11x0: “FMT3592A2E” or “FMT3592A3E”
• LTO4/LTO5 does not have a special density for encrypted tapes
Example layout:
• Media Class for Regular Tapes (for TS1120, use Density FMT3592A2): Vol 1, Vol 2, Vol 3
• Media Class for Encrypted Tapes (for TS1120 use density FMT3592A2E): Vol 4, Vol 5, Vol 6
• Scratch Encryption Policy: Regular Volumes Vol 1 to Vol 3; Encrypted Volumes Vol 4 to Vol 6
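An added example (not BRMS or library code) of the inventory reconciliation the first bullet calls for: it compares constructed BRMS media records (volser, media class, density) with a constructed TS3500 barcode encryption policy and reports volumes whose two records disagree. The media class names, the LTO density string and the range format are assumptions made here:

```python
"""Reconcile BRMS media records against a TS3500 barcode encryption policy.

Added example, not BRMS or tape-library code. BRMS rows are (volser, media
class, density); the library policy is a list of volser ranges with encryption
on/off. TS1120/TS1130 encrypted densities end in "E" (FMT3592A2E/A3E); LTO4/LTO5
has no separate density, so for LTO only the media class can be compared."""

# Constructed BRMS media inventory.
BRMS_MEDIA = [
    ("VOL001", "REGULAR", "FMT3592A2"),
    ("VOL002", "REGULAR", "FMT3592A2"),
    ("VOL003", "REGULAR", "FMT3592A2"),
    ("VOL004", "ENCRYPT", "FMT3592A2E"),
    ("VOL005", "ENCRYPT", "FMT3592A2E"),
    ("VOL006", "ENCRYPT", "FMT3592A2"),   # density does not match its class
    ("LTO101", "ENCRYPT", "ULTRIUM4"),    # constructed LTO density label
]

# Constructed barcode encryption policy (BEP): (first volser, last volser, encrypt).
# VOL004 is deliberately left in the non-encrypting range.
LIBRARY_BEP = [
    ("VOL001", "VOL004", False),
    ("VOL005", "VOL006", True),
    ("LTO101", "LTO199", True),
]

# BRMS media classes reserved for encrypted tapes (names chosen here).
ENCRYPTED_CLASSES = {"ENCRYPT"}


def brms_says_encrypted(media_class):
    """BRMS view: the media class decides whether a volume is meant to be encrypted."""
    return media_class in ENCRYPTED_CLASSES


def library_says_encrypted(volser, policy):
    """Library view: first matching barcode range; None if no range covers the volser."""
    for first, last, encrypt in policy:
        if first <= volser <= last:
            return encrypt
    return None


def reconcile(brms_media, policy):
    """Return (volser, finding) tuples for every mismatch between the two records."""
    findings = []
    for volser, media_class, density in brms_media:
        brms_enc = brms_says_encrypted(media_class)
        lib_enc = library_says_encrypted(volser, policy)
        if lib_enc is None:
            findings.append((volser, "no barcode encryption policy covers this volser"))
        elif lib_enc != brms_enc:
            findings.append((volser, f"BRMS class {media_class} says encrypted={brms_enc}, "
                                     f"library policy says {lib_enc}"))
        if density.startswith("FMT3592"):
            # 3592 densities carry the encryption state, so they must agree with the class.
            if density.endswith("E") != brms_enc:
                findings.append((volser, f"density {density} does not match media class {media_class}"))
    return findings


if __name__ == "__main__":
    for volser, finding in reconcile(BRMS_MEDIA, LIBRARY_BEP):
        print(volser, "-", finding)
```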
Encryption – How to get Started
Encryption – Getting Started
Careful Planning is required:
• Encryption Strategy
  • What data will / won’t be encrypted?
  • Which encryption techniques should be used? (eg drive-based, BRMS SW based, etc)
  • What other companies need to exchange data with us?
• Key Management Strategy
  • Which Platform should run the TKLM? Where should it be located?
  • What keys are required and how often will they change?
  • What is the HA and DR Strategy for our keys?
  • Should we use enterprise-wide keys, or segment by platform or ??
  • etc
The IBM Services Organization has offerings to help you get started as quickly and smoothly as possible – ask your rep or BP to contact Mark Even or Frank Kriss
Encryption Recovery Stories
BRMS Software-based Tape Encryption
BRMS Functions
Backup (e.g. Application #1: Lib 1, Lib 2; Application #2: Lib A, Lib B)
• Libraries, objects, IFS, spoolfiles
• Tape, Virtual Tape, SAVF, TSM
• Full, Incremental, Cumulative
• Save-while-Active, Parallel, Domino
• Duplicate tapes
• Did last night’s backup run OK?
Tape Library Support
• Mark tapes as “available” in the library
• Select scratch tape for the save
• Eject tapes headed offsite
Network Feature
• Shared Scratch Pool
• Combined Reporting
• Cross-system restores
• Cross-system duplications
Media Management
• What is on tape XYZ?
• What tapes are in location DEF?
• What tapes have errors?
• What tapes go offsite today?
• What tape has the latest copy of object JKL?
Recovery (Volumes Required, Progress, Recovery Steps)
• List of ASPs to be created
• List of tapes required
• List of steps to recover
• On-Line Progress Report
Advanced Feature
• Hierarchical Storage Management (HSM)
• BRMS user defined system name
• BRMS Software-based encryption
For encryption, also purchase IBM i option #44 – Encrypted Backup Enablement
Change Media Policy
Media policy . . . . . . . . . . : ENCRYPT
Type choices, press Enter.
Encrypt Data . . . . . . . . . .   *YES         *NO, *YES
Key store file . . . . . . . . .   Q1AKEYFILE   Name
Key store library . . . . . . .    QUSRBRM      Name
Key record label . . . . . . . .   ENCRYPTION
F3=Exit F5=Refresh F12=Cancel
BRMS 6.1 Software-based Encryption
• Benefits
  – Works with any tape drive, not just LTO4/LTO5 and TS1120/TS1130
  – Granular selection of Items to be encrypted
• Who for?
  – Customers with a large backup window and/or a small amount of data to encrypt (due to performance – see next page)
• What to Buy (Tier priced features)
  – BRMS Advanced Feature - Option 2
  – IBM i Encrypted Backup Enablement - Option 44
• How do you set it up?
  1. Create Master Keys for Keystore + Save/Restore
  2. Create Keystore File via GUI (Security Section)
  3. Update Media Policy to Indicate Keystore File
  4. Update Control Group to request encryption
Edit Backup Control Group Entries                          CLIO
Group . . . . . . . . . . . . : LIB001
Default activity . . . . . *BKUPCY
Text . . . . . . . . . . . . . LIBRARY backup
Type information, press Enter.
      Backup     List    Parallel   Private
Seq   Items      Type    Type       Authorities   Encrypt
10    LIBA               *DEFAULT   *NO           *MEDPCY
20    LIBB               *DEFAULT   *NO           *NO
F3=Exit F5=Refresh F11=Display main F12=Cancel
41
BRMS 6.1 Software-based Encryption
■ Considerations
– Objects that cannot be encrypted: *SAVSYS, *SAVSECDTA, *SAVCFG, *IBM, and libraries starting with a Q
• Check for user objects residing in QGPL and QUSRSYS !!!
– Does not support save files, optical or virtual optical devices
– Careful Key Management is imperative or data could be lost
Notice impact on save/restore performance and CPU utilization
[Chart: CPU Utilization, %CPU used (0 to 14) during SAVLIBBRM and RSTLIBBRM with and without software encryption, for the 1 GB Source File, 12 GB User Mix, 64 GB Large File and 320 GB Large File workloads; 9406-MMA 7056 4-way partition, 40 GB mainstore, 324 15K 70GB DASD using 571F IOAs. Short bars are good.]
Saves may take 3* as much media
– Will require extra media since encrypted data doesn't compress well
[Chart: Save and Restore Performance in GB/HR (0 to 700) for SAVLIBBRM and RSTLIBBRM with and without software encryption, same workloads and configuration. Tall bars are good.]
– Significant hit on Save Performance and CPU Utilization
For performance information, see the Performance Capabilities Reference Manual
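The media point made above (encrypted data does not compress, so a software-encrypted save can need up to 3* as much tape, while drive-based encryption needs no extra media because the drive compresses before it encrypts) can be seen with a small model. The following is an added example, not code from the presentation or from BRMS: zlib stands in for the drive's hardware compression, a SHA-256 counter-mode keystream stands in for the AES encryption BRMS applies, and the 256 KB record file, the key and the function names are constructed for the example.

```python
"""Why software-encrypted saves need more tape than unencrypted ones.

Added example, not part of the presentation or of BRMS. zlib models the
tape drive's hardware compression; a SHA-256 counter-mode keystream models
the encryption step (a stand-in so the example runs with the standard
library only, not IBM i's cipher).
"""
import hashlib
import zlib


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with a PRF keystream built from SHA-256(key || block counter).
    Output has the same length as the input, like any stream cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def sample_library(size: int = 256 * 1024) -> bytes:
    """Constructed stand-in for a saved library: fixed-format, highly redundant records."""
    record = b"CUSTOMER 0001234 ACME CORP   ROCHESTER MN  55901  OPEN  \n"
    return (record * (size // len(record) + 1))[:size]


def tape_bytes(data: bytes, key: bytes, encrypt: str) -> int:
    """Bytes that reach the medium for a given placement of the encryption step.

    encrypt="none"  : plaintext -> drive compression (no encryption)
    encrypt="host"  : BRMS-style software encryption -> drive compression
    encrypt="drive" : drive compression -> drive encryption (LTO4/TS1120 model)
    """
    if encrypt == "none":
        return len(zlib.compress(data))
    if encrypt == "host":
        # The drive's compressor sees ciphertext, which has no redundancy left.
        return len(zlib.compress(keystream_xor(key, data)))
    if encrypt == "drive":
        # Compress first, then encrypt: ciphertext is as short as the compressed data.
        return len(keystream_xor(key, zlib.compress(data)))
    raise ValueError(f"unknown placement: {encrypt}")


def media_ratio(encrypt: str) -> float:
    """Tape bytes relative to the unencrypted case (1.0 = same amount of media)."""
    key = b"constructed-demo-key-not-a-real-key"   # constructed value
    data = sample_library()
    return tape_bytes(data, key, encrypt) / tape_bytes(data, key, "none")


if __name__ == "__main__":
    for mode in ("none", "host", "drive"):
        print(f"{mode:6s} media ratio vs unencrypted: {media_ratio(mode):8.1f}x")
```

Because the constructed sample is far more redundant than a real user library, the ratio for host-side encryption comes out much higher than the 3* quoted on the slide; the ordering effect is what matters. The drive's compressor cannot shrink ciphertext, so media for everything BRMS encrypts has to be planned at the uncompressed size, whereas an encrypting drive compresses first and pays no media penalty.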
42
Performance Testing on BRMS Software Encryption
Here’s what we saw in our BRMS Encryption Performance Test on :
Drive                    Largefile Save (without BRMS Encryption)   Largefile Save (with BRMS Encryption)
                         MB/sec                                     GB/hr    MB/sec
3580-004 (LTO4)          185-250 depending on fibre card            432      120
Integrated Virtual Tape  Performance varies with disk configuration and processor speed
TS1120                   250                                        360      100
3580-003 (LTO3)          141                                        288      80
3592-01A (Gen 1)         104                                        144      40
3580-002 (LTO2)          100                                        126      35
3590-H11                 40                                         50       14
Fc 6387 (QIC SLR 100)                                               18       5
System Processor Speed Impacts BRMS Encryption Performance
– P5 processors -> Expect 76MB/sec (275 GB/hour) or less
– P6 processors -> Expect 130MB/sec (468 GB/hour) or less << P5+ would be similar
Largefile saves are dramatically faster with drive-based encryption or no encryption
43
Protecting your Encryption Keys
[Diagram: the BRMS keystore file Q1AKEYFILE in library QUSRBRM holding Key 1 through Key 5 as encrypted values, the IBM i Operating System Master Keys, the SAVRST Master Key, the SAVSYS media, the QUSRBRM save alongside the other data in the ASP, and the Recovery Center]
The keys in Q1AKEYFILE are encrypted using one of the 8 Master Keys
The Master Keys are encrypted using the SAVRST Master Key
44
Setup for Software Encryption (6.1)
■ Create "Save Restore Master Key" (*SAVRST) to encrypt all the Master Keys
■ Create "Master Key for BRMS Keystore File" to encrypt BRMS Encryption Keys (choose 1 of 8 general purpose Master Keys)
■ Store the Master Key Passphrases in a safe place
■ Create BRMS Key Store File – BRMS Requires Key Store File Named Q1AKEYFILE in QUSRBRM
■ Configure BRMS for Software Encryption
■ Test a simple save/restore
■ Test a full system backup/recovery
45
Create the Save Restore Master Key for the System
■ Create one or more *SAVRST Master Key Parts
■ Set the *SAVRST Master Key
■ This can be done on the green screen or in the Navigator
46
Create “Save Restore Master Key” for the System
■ This key is used to encrypt/protect the Master Keys on the system (eg the general purpose key that will encrypt the keys for the BRMS Keystore)
■ Use ADDMSTPART command to set the passphrases. This can be done multiple times if multiple people will each know part of the key
Make CERTAIN you have a plan to get all parts of the passphrase delivered to the recovery site, otherwise the system is not recoverable
47
Set the “Save Restore Master Key” for the System
■ Once all passphrases have been input, use the SETMSTKEY command to Set Master Key
48
Create Save Restore Master Key via Navigator
■ Navigate to Security / Cryptographic Services Key Management / Master Keys and use Load Part and Set Actions
The Master Key is not yet set in the example above. A default key is in place to provide minimal protection until you set your key … it means that the master keys are not “in the clear” on your SAVSYS tape, but any IBM i system can decrypt them
49
Create the General Purpose Master Key for the BRMS Keystore
■ Choose which of the 8 general purpose master keys you'll use
■ Create the Master Key Parts
■ Set the Master Key
■ This can be done on the green screen or in the Navigator
50
Create Master Key for BRMS Keystore
■ Select 1 of the 8 general purpose master keys
■ Use ADDMSTPART command to set the passphrases. This can be done multiple times if multiple people will each know part of the key
51
Set the Master Key for BRMS Keystore
■ Once all passphrases have been input, use the SETMSTKEY command to Set Master Key
52
Create Master Key for BRMS Keystore via Navigator
■ Navigate to Security / Cryptographic Services Key Management / Master Keys and use Load Part and Set Actions
53
Create the BRMS Keystore
■ Create the BRMS Keystore
■ Generate / add the keys
■ This can be done on the green screen or in the Navigator
54
Create BRMS Key Store File
■ CRTCKMKSF Command to Create Key Store File
■ Name must be QUSRBRM / Q1AKEYFILE
55
Generate/Add Keys for BRMS Key Store File
■ GENCKMKSFE Command to Generate Entry (Key Record)
– Key Size can be 16, 24, or 32
56
Create BRMS Key Store Files via Navigator
■ Navigate to Security / Cryptographic Services Key Management / Keystores and use Create New Keystore to Create File and New Key Record Wizard to Add AES Type Entry
57
Configure BRMS to Use Encryption
■ Create or Change Media Policy to Specify Encryption
■ Specify Encryption via Backup Control Group
■ Can be done on green screen or via Navigator
58
Create or Change Media Policy for Encryption
Change Media Policy
Media policy . . . . . . . . . . : ENCRYPT
Type choices, press Enter.
Encrypt Data . . . . . . . . . . . *YES          *NO, *YES
Key store file . . . . . . . . . . Q1AKEYFILE    Name
Key store library . . . . . . . .  QUSRBRM       Name
Key record label . . . . . . . . . ENCRYPTION
Bottom
F3=Exit F5=Refresh F12=Cancel
59
Set up Control Group for Encryption
Edit Backup Control Group Entries
Group . . . . . . . . . . : LIB001
Default activity . . . *BKUPCY
Text . . . . . . . . . . . . LIBRARY backup
Type information, press Enter.
     Backup    List      Parallel  Private
Seq  Items     Type      Type      Authorities  Encrypt
10   SHANES1             *DEFAULT  *NO          *MEDPCY
20   AJANISCH            *DEFAULT  *NO          *NO
Bottom
F3=Exit F5=Refresh F11=Display main F12=Cancel
60
Set up Media Policies via Navigator
61
Set up Control Group via Navigator
62
Checking the Reports
■ WRKMEDIBRM will indicate encrypted saves
■ This can be seen on the green screen or in Navigator
63
WRKMEDIBRM Encryption History
Work with Media Information
Position to Date . . . . .
2=Change 4=Remove 5=Display 6=Work with media 7=Restore 9=Work with saved objects ...
     Saved        Encrypted  Key Store   Key Store  Key Record
Opt  Item                    File        Library    Label
     TESTERDATA   *NO
     TESTERJRN$   *NO
     TESTERJRN$   *NO
     KLD          *YES       Q1AKEYFILE  QUSRBRM    ENCRYPTION
     TSTR2LIB     *NO
F3=Exit F5=Refresh F11=Volume identifier F12=Cancel F23=More options
64
WRKMEDIBRM Encryption History via Navigator
65
Recovering a System with BRMS SW Encryption
■ BRMS Recovery Report Identifies Encrypted Data
■ Bring along the passphrases for your Save Restore Master Key
■ Set up Save/Restore Master Keys to match SAVSYS Media
– Reload Passphrase(s) (ADDMSTPART Command)
• MUST KNOW THE PASSPHRASES!
– Set Master Key (SETMSTKEY Command)
■ Restore BRMS Keystore File Q1AKEYFILE in QUSRBRM
■ Proceed with the rest of the restore as usual
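The key chain on the "Protecting your Encryption Keys" slide and the recovery sequence above can be modelled to show why every passphrase part has to reach the recovery site. The following is an added example, not IBM i or BRMS code: combining parts with PBKDF2, wrapping keys with an HMAC-derived pad plus an HMAC tag, the record label MSTKEY1, the second key record PAYROLL and the passphrases are this example's constructed assumptions; the page does not state the algorithms IBM i uses. Q1AKEYFILE and the ENCRYPTION key record label are the names from the slides.

```python
"""Model of the key hierarchy behind BRMS software encryption.

Added example, not IBM i or BRMS code. It follows the slides: a master key
is assembled from passphrase parts (ADDMSTPART, then SETMSTKEY); the general
purpose master key is wrapped under the *SAVRST master key and travels on
SAVSYS; the keystore Q1AKEYFILE holds data keys wrapped under the general
purpose master key. Recovery unwraps the chain, and fails unless all parts
are supplied. PBKDF2 and the HMAC pad-plus-tag wrap are this example's own
constructions, not the algorithms IBM i uses.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

SALT = b"constructed-demo-salt"   # constructed; fixed so runs are reproducible
ITERATIONS = 50_000


def set_master_key(parts: List[str]) -> bytes:
    """Combine the passphrase parts into a 32-byte master key. Order matters,
    so the recovery site needs the parts and the order they were loaded in."""
    material = "\x00".join(parts).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", material, SALT, ITERATIONS, dklen=32)


def wrap_key(master: bytes, label: str, data_key: bytes) -> bytes:
    """Wrap a 32-byte key under master: XOR with HMAC(master, "pad:"+label),
    then append HMAC(master, "tag:"+label+wrapped) so a wrong master key or an
    altered record is detected instead of yielding garbage. Labels are unique."""
    if len(data_key) != 32:
        raise ValueError("this model wraps 32-byte keys only")
    pad = hmac.new(master, b"pad:" + label.encode(), "sha256").digest()
    wrapped = bytes(a ^ b for a, b in zip(data_key, pad))
    tag = hmac.new(master, b"tag:" + label.encode() + wrapped, "sha256").digest()
    return wrapped + tag


def unwrap_key(master: bytes, label: str, blob: bytes) -> Optional[bytes]:
    """Return the key, or None when the tag does not verify under this master key."""
    wrapped, tag = blob[:32], blob[32:]
    expect = hmac.new(master, b"tag:" + label.encode() + wrapped, "sha256").digest()
    if not hmac.compare_digest(tag, expect):
        return None
    pad = hmac.new(master, b"pad:" + label.encode(), "sha256").digest()
    return bytes(a ^ b for a, b in zip(wrapped, pad))


def build_system(savrst_parts: List[str], mk1_parts: List[str]
                 ) -> Tuple[Dict[str, bytes], Dict[str, bytes], Dict[str, bytes]]:
    """Set up as on the slides. Returns what SAVSYS carries (the wrapped general
    purpose master key), the keystore Q1AKEYFILE (wrapped data keys) and, only so
    the round trip can be checked, the clear data keys a real system never exposes."""
    savrst = set_master_key(savrst_parts)
    mk1 = set_master_key(mk1_parts)                       # general purpose master key 1
    savsys = {"MSTKEY1": wrap_key(savrst, "MSTKEY1", mk1)}
    clear = {label: secrets.token_bytes(32) for label in ("ENCRYPTION", "PAYROLL")}
    keystore = {label: wrap_key(mk1, label, key) for label, key in clear.items()}
    return savsys, keystore, clear


def recover(savrst_parts: List[str], savsys: Dict[str, bytes],
            keystore: Dict[str, bytes], label: str) -> Optional[bytes]:
    """Recovery as on the slides: reload the parts and set the *SAVRST master key,
    recover master key 1 from SAVSYS, then open the keystore record. None means
    the encrypted saves under that record are unrecoverable."""
    savrst = set_master_key(savrst_parts)
    mk1 = unwrap_key(savrst, "MSTKEY1", savsys["MSTKEY1"])
    if mk1 is None:
        return None
    return unwrap_key(mk1, label, keystore[label])


if __name__ == "__main__":
    savsys, ks, clear = build_system(["part-held-by-ops", "part-held-by-security"],
                                     ["keystore-master-part"])
    print("all parts:    ", recover(["part-held-by-ops", "part-held-by-security"],
                                    savsys, ks, "ENCRYPTION") == clear["ENCRYPTION"])
    print("one part only:", recover(["part-held-by-ops"], savsys, ks, "ENCRYPTION"))
```

In this model a missing or reordered part fails the tag check at the first level rather than producing a wrong key, so recovery stops before the keystore is touched. The point the slides make stands either way: a restored QUSRBRM with Q1AKEYFILE in it is useless without the master key parts, and so is every encrypted save that referenced its key records.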
66
Duplicating Encrypted Data with BRMS
Convert Non-Encrypted to Encrypted: Non-Encrypted -> DUPMEDBRM -> Encrypted (Key 1)
Convert Encrypted to Non-encrypted: Encrypted (Key 1) -> DUPMEDBRM -> Non-Encrypted
Convert Between Encryption Keys: Encrypted (Key 1) -> DUPMEDBRM -> Encrypted (Key 2)
67
Comparison: BRMS Software vs Tape Drive Based Encryption
BRMS Software-based Encryption
Advantages
• Any type of tape drive
• Mix/Match encryption on 1 cartridge
Considerations
• Significant increase in CPU utilization
• Significant Performance Degradation
• May take up to 3* as much media
• Certain system libraries can't be encrypted
[Diagram: BRMS Control Group (LibA encrypted, LibB unencrypted) with IBM i Encrypted Backup Enablement Keys, writing to any tape drive or library; i5/OS Encrypted Backup Enablement Option 44 is also req'd]
Tape Drive Hardware-based Encryption
Advantages
• No impact on CPU utilization
• Max 1% performance degradation
• No increase in media required
• All objects can be encrypted
Considerations
• Needs fibre LTO4/LTO5 or TS1120/30 in a library
• Encrypt whole cartridges
[Diagram: TKLM serving keys to SAS or fibre LTO4 or fibre TS1120/30 in a library]
68
Summary
■ Use IBM Lab Services to help with your install
■ Take good care of your Encryption Keys
– Don't encrypt them
– Make sure you have a good backup of them
■ Plan and Practice your Recovery carefully
69
Glossary and Reference Material
70
Glossary Encryption Terms and Standards
■ AES - Advanced Encryption Standard
■ ANSI - American National Standards Institute
■ CCA - Common Cryptographic Architecture
■ CSP - crypto service provider
■ DES - Data Encryption Standard
■ DH - Diffie-Hellman key agreement
■ DSA - Digital Signature Algorithm
■ EMV - Europay, MasterCard, VISA
■ FIPS - Federal Information Processing Standards
■ HMAC - keyed-Hashing for MAC
■ HSM - hardware security module
■ IPSec - IP (Internet Protocol) Security
■ JCE - Java Cryptography Extension
■ MAC - message authentication code
■ MD5 - Message Digest 5
■ PKCS - Public Key Cryptography Standards
■ PKI - public key infrastructure
■ PRNG - pseudo-random number generator
■ RC4* - RC4 compatible
■ RSA - Rivest, Shamir, Adleman public key algorithm
■ SHA-1 - Secure Hash Algorithm 1
■ SSL/TLS - Secure Sockets Layer / Transport Layer Security
■ T-DES - Triple-DES
■ VPN - virtual private network
71
Reference Material – BRMS Software based Encryption
Backup and Recovery; SC41-5304-09 (6.1)
Backup and Recovery; SC41-5304-10 (7.1)
Backup, Recovery and Media Services; SC41-5345-06 (6.1)
Backup, Recovery and Media Services; SC41-5345-07 (7.1)
Virtual Tape Redbook; SQ24-7164
http://www.redbooks.ibm.com/abstracts/sg247164.html
Backup, Recovery and Media Service for OS/400: A Practical Approach Redbook; SG24-4840
http://www.redbooks.ibm.com/abstracts/sg244840.html
Performance Management on System i
http://www-03.ibm.com/servers/eserver/iseries/perfmgmt/resource.html
BRMS Web Page:
http://www-03.ibm.com/servers/eserver/iseries/service/brms/
72
Trademarks and Disclaimers
Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.
ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and are used under license therefrom.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Other company, product, or service names may be trademarks or service marks of others.
Information is provided "AS IS" without warranty of any kind.
The customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer.
Information concerning non-IBM products was obtained from a supplier of these products, published announcement material, or other publicly available sources and does not constitute an endorsement of such products by IBM. Sources for non-IBM list prices and performance numbers are taken from publicly available information, including vendor announcements and vendor worldwide homepages. IBM has not tested these products and cannot confirm the accuracy of performance, capability, or any other claims related to non-IBM products. Questions on the capability of non-IBM products should be addressed to the supplier of those products.
All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
Some information addresses anticipated future capabilities. Such information is not intended as a definitive statement of a commitment to specific levels of performance, function or delivery schedules with respect to any future products. Such commitments are only made in IBM product announcements. The information is presented here to communicate IBM's current investment and development activities as a good faith effort to help with our customers' future planning.
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput or performance improvements equivalent to the ratios stated here.
Prices are suggested U.S. list prices and are subject to change without notice. Contact your IBM representative or Business Partner for the most current pricing in your geography.