Tom Brennan wrote: >SKLM also has a backup function that creates a *.jar data file with all >its certs and settings. I've installed totally new versions of SKLM, >restored a jar file, set the SKLM servers to the old IP address, and the >DS/TS boxes grab their keys without any knowledge of the hardware switch. > >So if you can get a new server fast enough after a total failure, such >an install and jar file restore may be faster than my one experience >with the recovery key. Of course you have to have a backup jar file :)
One possible, interesting DR approach you could take is to run a containerized instance of IBM Security Guardium Key Lifecycle Manager -- I suppose it's "SGKLM" now -- off-site at an IBM Cloud Hyper Protect Virtual Servers site (Sydney, Dallas, Frankfurt, etc.) Probably along with your encrypted cloud object storage, via DS8000 and TS7700 Transparent Cloud Tiering and Cloud Tape Connector for z/OS. Thus IBM Cloud becomes your off site/arms length "data vault," including for storage device key recovery, with extremely robust security. Nobody from IBM even has the technical ability to access your keys or your data this way. One set of scenarios you ought to think through is how to deal with disasters borne of malicious intent, even from inside the organization. The approach I'm sketching out is consistent with recovery in these scenarios and some others. - - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: [email protected] ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
