Re: ISKLM as a replacement for EKM

Mon, 02 May 2011 06:35:43 -0700 

It has a cost which I understand is comprised of value units for the processors 
on which it operates and the amount of tape and DASD which are encrypted.
Pricing encryption enablement by storage footprint is even worse than processor 
capacity given the explosive data growth we see.
The one good thing that can be said is that ISKLM appears to be much less 
complex than TKLM and may be easier to implement.

IBM Security Key Lifecycle Manager for z/OS V1.1 manages encryption keys
    for storage, simplifying deployment and maintaining availability to 
    data at rest   
                                                     
http://www.ibm.com/common/ssi/rep_ca/4/897/ENUS211-104/ENUS211-104.PDF    


EKM is free.  The slow withdrawal of EKM has been somewhat stealthy.  

IBM seems to be pushing customers to migrate to ISKLM/TKLM even though I have 
yet to see a 
Statement Of Direction only this recent announcement that EKM was to be removed 
from Java.

"IBM 31-bit SDK for z/OS, Java Technology Edition Version 6 Release 0    
Modification 1 does not contain the Encryption Key Manager application  
(EKM JAR, the jzosekm.jar and sample JCL) in this z/OS Java SDK. Note that   
the EKM JAR and related material remain included in IBM 31-bit SDK for z/OS, 
Java                                                                    
Technology Edition Version 6 Release 0 Modification 0."                  
                                                                        
from IBM United States Software Announcement                            
211-003, dated March 15, 2011. IBM 31-bit SDK for z/OS, Java Technology 
Edition  Version 6 Release 0 Modification 1 lets application                    
 
developers use Java on IBM z/OS.

ISKLM/TKLM has more function than EKM but it seem unreasonable to remove the 
EKM jar files from Java while it is still supported and not SOD or EOS has been 
announced.

I don't think IBM has done enough to communicate to customers that EKM would be 
removed from the current best performing Java distribution.
Replacing what has been a base feature on the platform included with z/OS Java 
at no charge with a charged product is not well received here.

I am a little frustrated with the lack of clear communication and the way this 
continues to be handled.

There are competitive options which if forced to purchase a product may be 
worth consideration.

 http://www.ca.com/us/products/detail/CA-Encryption-Key-Manager.aspx 

If you don't need full disk encryption on DS8800 you can continue to use EKM 
and provided with Java 6.0.0 which is what we are doing with our z/OS 1.12 
order.

I cannot just make an unbudgeted purchase of ISKLM because they quietly removed 
the .jar files from Java 6.0.1.so we won't use Java 6.0.1.


        Best Regards, 

                Sam Knutson, GEICO 
                System z Team Leader 
                mailto:[email protected] 
                (office)  301.986.3574 
                (cell) 301.996.1318        
      
"Think big, act bold, start simple, grow fast..." 


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of 
Mark Jacobs
Sent: Friday, April 29, 2011 7:02 AM
To: [email protected]
Subject: Re: ISKLM as a replacement for EKM

Our IBM sales rep's told us that ISKLM is priced per tape drive that has the 
encryption feature enabled. It would make more sense to me to just bundle the 
license to utilize any encryption key manager product into the price of the 
optional encryption feature and be done with it.

Mark Jacobs

On 04/29/11 05:55, Jousma, David wrote:
> I think it is free.   This is the -lite version of TKLM that does not
> require WAS or a DB2 backend.
>
> And JAVA V6 (not 6.0.1) is still orderable in ShopZ, but I don't know
> for how long.   V6 still has EKM code in it.
>
> _________________________________________________________________
> Dave Jousma
> Assistant Vice President, Mainframe Services [email protected]
> 1830 East Paris, Grand Rapids, MI  49546 MD RSCB1G p 616.653.8429 f 
> 616.653.8497
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]] On 
> Behalf Of Lizette Koehler
> Sent: Thursday, April 28, 2011 7:39 PM
> To: [email protected]
> Subject: Re: ISKLM as a replacement for EKM
>
>    
>> I concur, looks the same.   Just going through conversion now.  As an
>> aside, if  you order JAVA 6.0.1, the EKM code has been removed....
>>
>>
>>      
> So I guess I need to start making plans to replace EKM.  I had thought 
> that IBM was providing TLKM for EMK users at no cost.  From this 
> discussion, I guess that is not the case.
>
> Let me know how your upgrade goes.  I will start looking at  the life 
> expectancy of EKM for my shop.
>
> Lizette
>
====================
This email/fax message is for the sole use of the intended
recipient(s) and may contain confidential and privileged information.
Any unauthorized review, use, disclosure or distribution of this
email/fax is prohibited. If you are not the intended recipient, please
destroy all paper and electronic copies of the original message.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Reply via email to