Enabling encryption of data in motion
Earlier versions of IBM® DB2® Analytics Accelerator for z/OS® were delivered without a network encryption function. This did not pose a security risk as long as the setup recommendations were followed (a dedicated private network between the mainframe computer or LPAR and the accelerator), but it soon became obvious that in many situations this type of setup did not align well with existing network infrastructures. Hence a secure way of transmitting data had to be provided for customers who want to route sensitive data, such as patient data, credit-card transactions, or social security numbers, through their corporate intranet. Furthermore, the security standards of many organizations demand that any sensitive data sent across a network must be encrypted. Encryption capabilities were therefore added to the product.
To reduce CPU consumption on the mainframe, IBM recommends the use of z Systems® Integrated Information Processors (zIIPs) for IPsec processing. Even with this faster, specialized hardware, there is a noticeable performance impact on bulk transmissions of data, such as table load jobs or queries with very large result sets. Queries with small or moderate result sets, on the other hand, are not noticeably affected by encryption.
Encryption solution - summary of features
- AES-GCM symmetric (authenticated) encryption for the network payload
- RSA 2048-bit key pairs, used for IKE peer authentication
- X.509 public key certificate signed by a shared certificate authority, delivered in PKCS#12 format
The following figure shows the components that are involved when you set up an encrypted network with the z/OS Communications Server. The components with a yellow background are those that must be configured for IPsec network encryption with IBM Db2 Analytics Accelerator for z/OS. For an in-depth discussion, see Chapter 4, Policy Agent, in IBM z/OS V2R1 Communications Server TCP/IP Implementation Volume 4: Security and Policy-Based Networking. You will find a link to this Redbook at the end of this topic.
If you want to encrypt the network traffic between a z/OS LPAR and an accelerator, each communication endpoint (every LPAR and every accelerator) needs its own RSA key pair and a public key certificate that is signed by the shared certificate authority. The following figure shows three LPARs that are connected to two accelerators.
Each peer uses its IKE daemon to authenticate itself to the other side and to negotiate the parameters of the encrypted connection. It is your responsibility to generate the key pairs, have the certificates signed by the same certificate authority, and then deploy and configure the keys with their associated certificates on the accelerators and z/OS LPARs. The following sections describe how to configure one connection from one LPAR to one accelerator (circled yellow in the previous figure).
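The following script is an added worked example of the key material described above; it is not part of the product documentation and does not come from IBM. It uses OpenSSL to create a shared certificate authority, generate an RSA-2048 key pair and a CA-signed X.509 certificate for one LPAR endpoint and one accelerator endpoint, bundle each key with its certificate and the CA certificate as PKCS#12, and then check that both certificates chain to the same CA and that the bundles open with their passphrase. It goes slightly beyond the text by also issuing a certificate from an unrelated CA to show that the chain check rejects it, which is the failure you would see if one side were signed by a different authority. The CA name, endpoint names, working directory and passphrase are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not IBM code): shared CA, one RSA-2048 key pair and
# CA-signed certificate per endpoint, each packaged as PKCS#12.
# Assumed names: shared-ca, lpar01, accel01; assumed passphrase: $P12PASS.
set -eu

WORK="${WORK:-$(mktemp -d)}"        # assumption: scratch directory for all files
P12PASS="${P12PASS:-changeit}"       # assumption: passphrase protecting the .p12 bundles

# Create a self-signed CA certificate and key ($1 is the CA name / CN).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$1" >/dev/null 2>&1
}

# Generate an RSA-2048 key pair for endpoint $2, have CA $1 sign its
# certificate, and bundle key + certificate + CA certificate as PKCS#12.
make_endpoint() {
  ca="$1"; name="$2"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" -subj "/CN=$name" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 730 -in "$WORK/$name.csr" \
    -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" -CAcreateserial \
    -out "$WORK/$name.crt" >/dev/null 2>&1
  openssl pkcs12 -export -name "$name" -inkey "$WORK/$name.key" \
    -in "$WORK/$name.crt" -certfile "$WORK/$ca.crt" \
    -out "$WORK/$name.p12" -passout "pass:$P12PASS" >/dev/null 2>&1
}

# Exit status 0 if endpoint $2's certificate chains to CA $1, non-zero otherwise.
chains_to() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# Print the RSA public key size (bits) found in endpoint $1's certificate.
key_bits() {
  openssl x509 -in "$WORK/$1.crt" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

# Exit status 0 if endpoint $1's PKCS#12 bundle opens with the passphrase
# (the MAC over the bundle verifies), non-zero otherwise.
p12_ok() {
  openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$P12PASS" -noout >/dev/null 2>&1
}

# Usage: one shared CA for the LPAR and the accelerator, plus an unrelated
# CA whose certificate must NOT be accepted by the chain check.
make_ca shared-ca
make_ca other-ca
make_endpoint shared-ca lpar01
make_endpoint shared-ca accel01
make_endpoint other-ca  rogue01

echo "lpar01 public key: $(key_bits lpar01) bits"
chains_to shared-ca accel01 && echo "accel01 chains to shared-ca"
chains_to shared-ca rogue01 || echo "rogue01 does NOT chain to shared-ca (expected)"
echo "bundles written to $WORK"
```

Each endpoint receives only its own `.p12` bundle (private key, certificate and the CA certificate); the CA private key stays offline. Before deploying, run the same `openssl verify` against the CA certificate on every endpoint: IKE authentication fails if either side presents a certificate that the other side cannot chain to the shared CA.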