DB2 10.5 FP5 Native Database Encryption in SAP System Environments

Friedemann Albrecht, February 2015
IBM Germany, IBM SAP DB2 for LUW Platform Team
IBM Analytics Platform
© 2015 IBM Corporation



IBM Confidential


DB2 10.5 FP5 Native DB Encryption - Contents

• Overview
• Terms and Conditions
• Convert a Database from Plaintext to Encrypted
• Verification of Database Encryption
• Enabling Encryption in SAP System Lifecycle
• Managing Encryption During Backup and Restore
• Encrypted Backup Images
• Verification of Backup Image Encryption
• Restoring an Encrypted Backup Image
• Restrictions & Hints
• Sources of Information


Overview

• DB2 10.5 FP5 has added native database encryption to the DB2 database server: "IBM DB2 Encryption Technology"
  • No application or schema changes
  • Transparent and secure key management based on Public Key Cryptography Standard #12 (PKCS#12)
  • Database system encrypts the data before it calls the underlying file system to write data to disk
• Objectives
  • Protect data in cases of physical theft of disk devices or theft of backup images
  • Protect data in log files and dump files
• Consider: Persons with instance-owner authorization or adequate authorizations nevertheless have access to the data


Terms and Conditions (1)

• Data Encryption Key (DEK):
  • Used to encrypt actual user data (tablespaces, transaction logs, backup images, …)
  • Stored in the database and managed by the database
• Master Key (MK, "key-encrypting key"):
  • Used to protect the data encryption key
  • Stored and managed outside of the database in a PKCS#12 keystore
  • Identified by a logical name, the Master Key Label


Terms and Conditions (2)

• Plaintext database: Data in its natural format; would be readable to an attacker ("plaintext" = "cleartext")
• Ciphertext: Data once altered; unreadable for anyone except the intended recipients
• Cryptographic (encryption) algorithm: Mathematical function used in encryption and decryption processes; examples: AES (Advanced Encryption Standard algorithm), 3DES (Triple Data Encryption Standard algorithm)
• Public Key Cryptography Standards (PKCS): Set of cryptographic standards devised by RSA Laboratories; example: PKCS#12 (Public Key Cryptography Standard #12)
• Keystore: Repository for storing cryptographic material (encryption keys, …)


Convert a Database from Plaintext to Encrypted

[Diagram: a plaintext DB (10.5 FP5 +) becomes an encrypted DB in four steps; the conversion is done by a restore using encryption info from the keystore.]

• Back up the database:

    db2 backup db PRD to …

• Create the keystore (see note 1):

    mkdir /db2/db2prd/keystore
    chmod 700 /db2/db2prd/keystore
    gsk8capicmd -keydb -create -db /db2/db2prd/keystore/prd.p12 -pw <strong_pwd> -strong -type pkcs12 -stash

• Update the DBM CFG:

    db2 update dbm cfg using keystore_type pkcs12 keystore_location /db2/db2prd/keystore/prd.p12

• Drop the database (see note 2) and restore it with encryption:

    db2 drop db PRD
    db2 restore db PRD … ENCRYPT

1) keystore directory with keystore file (for master key), stash file (for keystore pwd)
2) without dropping: database encryption status preserved


Conversion Details

• The keystore is created using the gsk8capicmd IBM Global Security Kit (IBM GSKit) command, issued by the instance owner db2<dbsid>
• The keystore directory contains
  • a keystore file containing the master key
  • a stash file containing the keystore password in an obfuscated form (to be used automatically without password prompting when access to the keystore is required)
• Keystore file and stash file should only be readable/writeable by the instance owner db2<dbsid>
• In a partitioned database environment (DPF) or DB2 pureScale environment, the keystore location must be accessible to all members.
  Examples:
    /db2/db2<dbsid>/keystore (NFS shared, DPF)
    /db2/instance_shared/keystore (GPFS, pureScale)
• The RESTORE … ENCRYPT command can optionally be specified with a CIPHER and a KEY LENGTH option. Currently the supported encryption algorithms (CIPHER) are AES (DB2 default) with KEY LENGTH 256 (DB2 default), 192 or 128; and 3DES with KEY LENGTH 168 (DB2 default).
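
One way to check the ownership and permission rules above before the DBM CFG is pointed at a keystore. This is an added example, not part of the original slides; it assumes the stash file sits beside the keystore with the suffix .sth, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a DB2 native-encryption keystore directory.
# Assumptions: the stash file is <keystore base name>.sth in the same
# directory; function names are hypothetical, not DB2 or GSKit tooling.

# perm_bits PATH: print the nine permission characters, e.g. "rwx------".
perm_bits() {
    ls -ld "$1" | cut -c2-10
}

# owner_of PATH: print the owning user as ls reports it.
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# audit_keystore KEYSTORE_FILE INSTANCE_OWNER
# Prints one finding per line; returns 0 only when there are no findings.
audit_keystore() {
    ks=$1
    owner=$2
    findings=0
    for p in "$(dirname "$ks")" "$ks" "${ks%.*}.sth"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"
            findings=$((findings + 1))
            continue
        fi
        if [ "$(owner_of "$p")" != "$owner" ]; then
            echo "OWNER $p belongs to $(owner_of "$p"), expected $owner"
            findings=$((findings + 1))
        fi
        # Characters 4-9 are the group and other bits; all must be "-".
        if [ "$(perm_bits "$p" | cut -c4-9)" != "------" ]; then
            echo "PERMS $p is $(perm_bits "$p"), remove group/other access"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Run as: sh audit_keystore.sh /db2/db2prd/keystore/prd.p12 db2prd
if [ "$#" -eq 2 ]; then
    audit_keystore "$1" "$2"
fi
```

In a DPF or pureScale setup the same check applies to the shared keystore location on every member.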


Verification of Database Encryption (1)

A) Using status information from the database configuration:

    db2prd> db2 get db cfg for prd | grep -i encrypted

    Encrypted database = YES

B) Using the SYSPROC.ADMIN_GET_ENCRYPTION_INFO() table function:

    db2prd> db2 "SELECT substr(OBJECT_NAME,1,3) as OBJ, ..., FROM TABLE (SYSPROC.ADMIN_GET_ENCRYPTION_INFO())"

    OBJ OBJ_TYPE AMODE KLEN MASTER_KEY_LABEL
    --- -------- ----- ---- -----------------------------------------
    PRD DATABASE CBC   256  DB2_SYSGEN_db2prd_PRD_2015-01-16-16.01.01

    KEYSTORE_NAME                KSTYPE KSHOST  KSIP        KSIPTYPE
    ---------------------------- ------ ------- ----------- --------
    /db2/db2prd/keystore/prd.p12 PKCS12 sapho05 9.26.92.89  IPV4

    PREVIOUS_MASTER_KEY_LABEL                 AUTH_ID ROTATION_TIME
    ----------------------------------------- ------- -------------
    DB2_SYSGEN_db2prd_PRD_2015-01-16-16.01.01 DB2PRD  ...


Verification of Database Encryption (2)

• Use the gsk8capicmd command to check the keystore for existing master keys:

    db2prd> /db2/db2prd/db2_software/gskit/bin/gsk8capicmd -cert -list all -db /db2/db2prd/keystore/prd.p12 -stashed

    Certificates found
    * default, - personal, ! trusted, # secret key
    # PRD.db2prd.atgvmls60.mkeylabel01             <- added manually
    # DB2_SYSGEN_db2prd_PRD_2015-02-01-07.34.49    <- from DB restore
    # DB2_SYSGEN_db2prd_PRD_2015-02-27-15.39.55    <- after MK rotation

Remark: If calling the gsk8capicmd tool returns an error like

    error while loading shared libraries: libgsk8km.so

you should add the corresponding directory

    /db2/db2prd/db2_software/lib32/gskit_db2

to the value of the environment variable LD_LIBRARY_PATH / LIBPATH / SHLIB_PATH / PATH (Windows).


Summary: How DB2 Encryption Works

[Diagram. DB2 Instance: DBM CFG with KEYSTORE_TYPE and KEYSTORE_LOCATION. DB2 Encrypted Database: Database Data Encryption Key (DEK), Backup DEK, DB CFG with ENCRLIB and ENCROPTS for Automatic Backup Encryption (optional), Encrypted Backup Image. OS Level: Keystore File holding the Encrypted Master Key, Stash File holding the Stashed Keystore Password (obfuscated). Arrow label: "encrypts (default)".]


Enabling Encryption in SAP System Lifecycle (1)

• New SAP installation or SAP heterogeneous system copy
  • Normal procedure of SAP installation or heterogeneous system copy (using R3load) on the target system
  • Previously described DB2 backup/restore method to enable database encryption

[Diagram labels: New SAP Installation / Heterogeneous Copy; offline backup; create keystore; update dbm cfg]

Remark: Database encryption can be activated during database creation using the DB2 10.5 FP5 CREATE DATABASE command (see IBM DB2 Knowledge Center). Therefore, it is likely that future versions of the SAP installation tools will make it possible to activate database encryption from the very beginning (which would eliminate the need of a further backup / restore run).

Remark: Alternate approach: Interrupt the installation run after database creation; backup and restore (… ENCRYPT) the empty database; continue the installation run with loading data.


Enabling Encryption in SAP System Lifecycle (2)

• SAP homogeneous system copy through DB2 restore
  • A: Backup image from source system is not encrypted: Previously described DB2 restore method to enable database encryption in the destination system
  • B: Encrypted database backup image from the source system: Master key used to encrypt the database backup image has to be made available on the target system side for the restore process to be able to successfully decrypt; → copy the keystore directory to the target system and adapt the DBM CFG accordingly

[Diagram labels, first flow: Source DB Backup Image; SAP Installation Process; create keystore; update dbm cfg]
[Diagram labels, second flow: Encrypted Source DB Backup Image; Original Keystore Directory; SAP Installation Process; update dbm cfg]


Encrypted Backup Images (1)

• You can store encrypted backup images by the use of DB2 libraries for encryption / for encryption and compression.

Library for Linux, HP-UX, Solaris AIX Windows

Encryption libdb2encr.so libdb2encr.so.a libdb2encr.dll

Encryption and Compression

libdb2compr_encr.so libdb2compr_encr.so.a libdb2compr_encr.dll

• There are two ways for running encrypted backups using these libraries:
  • Setting the database configuration parameters ENCRLIB and optionally ENCROPTS
  • Using the BACKUP DATABASE parameters ENCRLIB and optionally ENCROPTS, together with the ENCRYPT (or COMPRESS) keyword


Encrypted Backup Images (2)

A) Encrypting backup images through database configuration settings:

  Parameter: ENCRLIB / COMPRLIB *)
    Examples for values                                  Comment
    /db2/db2prd/db2_software/lib64/libdb2encr.a          Encrypt only
    /db2/db2prd/db2_software/lib64/libdb2compr_encr.a    Compr. + Encr.
    /db2/db2prd/db2_software/lib64/libdb2compr.a         Compress only

  Parameter: ENCROPTS / COMPROPTS
    Examples for values: Cipher=cipher-name:Mode=mode-name:Key Length=key-length:Master Key Label=label-name-1:Master Key Label=label-name-2:...
    Comment: see BACKUP command documentation

  *) The notion of "compression" and "encryption" is often interpreted interchangeably in DB2. The operation which is carried out is dictated by the library you specify.

B) Encrypting backup images using BACKUP DATABASE parameters:

    db2prd> db2 "backup database PRD ... ENCRYPT|COMPRESS [ ENCRLIB|COMPRLIB /db2/db2prd/db2_software/lib64/libdb2encr.a [ ENCROPTS|COMPROPTS 'Cipher=3DES:Master Key Label=MKL_4711...' ]]"

Remark: In order to use the ENCRLIB (and optionally the ENCROPTS) parameter of the BACKUP DATABASE command, the respective database configuration parameters (same names) must be set to a NULL value.


Verification of Backup Image Encryption (1)

• Use the db2ckbkp command to check whether a backup image is encrypted:

    db2prd> db2ckbkp -H PRD.0.db2prd.DBPART000.20150117154325.001
    =====================
    MEDIA HEADER REACHED:
    =====================
    Server Database Name -- PRD
    Server Database Alias -- PRD
    …
    Includes Logs -- 0 (No)
    Compression -- 2 (Encrypted)
    Backup Type -- 0 (Database-level)
    …

  Other possible values for Compression: 3 (Compressed + Encrypted), 1 (Compressed)

Remark: If your backup image is stored in TSM, you can verify the chosen encryption / compression option using the following command:

    db2adutl verify header taken at <backup-image-timestamp>
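
The header check above, applied to a whole set of backup images so that unencrypted ones stand out. This is an added example, not part of the original slides; the function names and the DB2CKBKP override variable are hypothetical, and the sample header is constructed from the output shown above.

```shell
#!/bin/sh
# Added example: classify backup images by the "Compression" field of the
# media header printed by `db2ckbkp -H`. Function names are hypothetical.

# classify_header: stdin = output of `db2ckbkp -H <image>`.
# Prints the state; returns 0 if the image is encrypted, 1 if it is not,
# 2 if no Compression field was found (treat as a failed check).
classify_header() {
    code=$(sed -n 's/^[[:space:]]*Compression[[:space:]]*--[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    case "$code" in
        2) echo "ENCRYPTED"; return 0 ;;
        3) echo "COMPRESSED+ENCRYPTED"; return 0 ;;
        1) echo "COMPRESSED-ONLY"; return 1 ;;
        '') echo "UNKNOWN"; return 2 ;;
        *) echo "NOT-ENCRYPTED"; return 1 ;;
    esac
}

# audit_images IMAGE...: run db2ckbkp -H on every image and list its state.
# DB2CKBKP (hypothetical variable) may name a different command.
# Returns 0 only if every image is encrypted.
audit_images() {
    bad=0
    for img in "$@"; do
        state=$("${DB2CKBKP:-db2ckbkp}" -H "$img" 2>/dev/null | classify_header) \
            || bad=$((bad + 1))
        printf '%-21s %s\n' "$state" "$img"
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample header, modelled on the output shown above.
# $1 is the value of the Compression field, e.g. "2 (Encrypted)".
sample_header() {
    cat <<EOF
=====================
MEDIA HEADER REACHED:
=====================
        Server Database Name           -- PRD
        Server Database Alias          -- PRD
        Includes Logs                  -- 0 (No)
        Compression                    -- $1
        Backup Type                    -- 0 (Database-level)
EOF
}

sample_header "2 (Encrypted)" | classify_header    # prints ENCRYPTED
```

An image whose header cannot be read is counted as a failure rather than silently skipped.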


Verification of Backup Image Encryption (2)

• Use the ENCROPTS 'show master key details' parameter of the RESTORE DATABASE command to retrieve information about master key(s) used for encrypting a backup image (written to the DB2 dump directory):

    db2prd> db2 "restore db PRD ... ENCRLIB /db2/db2prd/db2_software/lib64/libdb2encr.so ENCROPTS 'show master key details'"

    SQL2539W ... Restoring to an existing database ...
    Do you want to continue ? (y/n) y
    DB20000I The RESTORE DATABASE command completed successfully.

  Don't worry, no real restore takes place.

    db2prd> cat /db2/PRD/db2dump/PRD.0.db2prd.DBPART000.20150226160626.masterKeyDetails

    KeyStore Type: PKCS12
    KeyStore Location: /db2/db2prd/keystore/prd.p12
    KeyStore Host Name: atgvmls60.wdf.sap.corp
    KeyStore IP Address: 10.17.71.84
    KeyStore IP Address Type: IPV4
    Encryption Algorithm: AES
    Encryption Algorithm Mode: CBC
    Encryption Key Length: 256
    Master Key Label: PRD.db2prd.atgvmls60.20141202_01


Restoring an Encrypted Backup Image (1)

• Restoring an encrypted backup image involves decrypting the data encryption key used for backup encryption.
• Prerequisites:
  • The master key used for encrypting the backup (identified by the master key label) must exist in the keystore (at least one of possibly several used master keys); a particular master key can be provided with the ENCROPTS parameter of the RESTORE DATABASE command
  • When restoring on a different host, you can copy the entire keystore (e.g. using scp) from the original to the destination system (or use gsk8capicmd to export / import a certain master key)
  • The encryption library used for taking the backup (e.g. libdb2encr.so) must be available during the restore; by default, the encryption library is stored in the backup image (unless the ENCRYPT EXCLUDE parameter was used in the backup session) and will be used automatically
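
The first prerequisite can be checked before a restore by comparing the master key label recorded for the backup with the labels in the destination keystore. This is an added example, not part of the original slides; the function names are hypothetical, and the sample inputs are constructed from the masterKeyDetails and gsk8capicmd outputs shown on the earlier slides.

```shell
#!/bin/sh
# Added example: before a restore on another host, check that the keystore
# there holds a master key the backup was encrypted with.
# Inputs are saved tool output; function names are hypothetical.

# backup_labels: stdin = a *.masterKeyDetails file written by
# RESTORE ... ENCROPTS 'show master key details'; prints each label.
backup_labels() {
    sed -n 's/^[[:space:]]*Master Key Label:[[:space:]]*//p' |
        sed 's/[[:space:]]*$//'
}

# keystore_labels: stdin = output of `gsk8capicmd -cert -list all ...`;
# prints the labels of secret keys (lines marked with "#").
keystore_labels() {
    sed -n 's/^#[[:space:]]*//p' | sed 's/[[:space:]]*$//'
}

# check_restore_keys DETAILS_FILE LISTING_FILE
# Prints PRESENT/ABSENT per backup label; returns 0 if at least one label
# is in the keystore. Whole-line match, so "key_01" never matches "key_010".
check_restore_keys() {
    have=$(keystore_labels < "$2")
    report=$(backup_labels < "$1" | while IFS= read -r label; do
        [ -n "$label" ] || continue
        if printf '%s\n' "$have" | grep -Fqx -- "$label"; then
            echo "PRESENT $label"
        else
            echo "ABSENT  $label"
        fi
    done)
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
    fi
    printf '%s\n' "$report" | grep -q '^PRESENT '
}

# Constructed sample inputs, modelled on the outputs shown on the slides.
sample_details() {
    cat <<'EOF'
KeyStore Type: PKCS12
KeyStore Location: /db2/db2prd/keystore/prd.p12
Encryption Algorithm: AES
Encryption Key Length: 256
Master Key Label: PRD.db2prd.atgvmls60.20141202_01
EOF
}

sample_listing() {
    cat <<'EOF'
Certificates found
* default, - personal, ! trusted, # secret key
# PRD.db2prd.atgvmls60.mkeylabel01
# DB2_SYSGEN_db2prd_PRD_2015-02-01-07.34.49
EOF
}

# Demo on the constructed samples: the backup's label is not in the listing.
d=$(mktemp)
l=$(mktemp)
sample_details > "$d"
sample_listing > "$l"
check_restore_keys "$d" "$l" || echo "keystore lacks the backup's master key"
rm -f "$d" "$l"
```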


Restoring an Encrypted Backup Image (2)

• To restore an encrypted backup image into an encrypted database, you need to specify the ENCRYPT parameter of the RESTORE DATABASE command (and optionally further parameters like CIPHER, KEY LENGTH, and MASTER KEY LABEL).
  Example (using default options like CIPHER AES, KEY LENGTH 256):

    db2prd> db2 "restore db prd ... encrypt"

• To restore an encrypted backup image into a non-encrypted database, specify the NO ENCRYPT parameter of the RESTORE DATABASE command
• When restoring to an existing database, the encryption status of that database (stored in the database configuration) is definitely preserved; specifying the ENCRYPT option will then return an error
• The RECOVER DATABASE command (restore and roll forward in one run) has been enhanced with encryption parameters similar to the BACKUP DATABASE command


Restrictions & Hints (1)

• Rotate your master key periodically - similar to changing user passwords at a regular interval. (The data encryption key can then remain unchanged; re-encryption of the whole database is not necessary.) Use the stored procedure SYSPROC.ADMIN_ROTATE_MASTER_KEY.
  Example (system generated new label and master key):

    db2prd> db2 "CALL SYSPROC.ADMIN_ROTATE_MASTER_KEY(NULL)"

    Value of output parameters
    --------------------------
    Parameter Name  : LABEL
    Parameter Value : DB2_SYSGEN_db2prd_PRD_2015-01-16-16.01.01

    Return Status = 0

• If required, change the password of your keystore periodically using the -keydb -changepw option of the gsk8capicmd command.


Restrictions & Hints (2)

• Attention: You / IBM support cannot access any data or recover your database from an encrypted backup if your keystore is lost. Back up your keystore and stash file regularly - at least after each insertion of a new master key into the keystore or after changing the keystore password.
  Corresponding admin message:

    db2prd> view db2prd.nfy
    2015-01-12-12.03.57.408278 Instance:db2prd Node:000
    PID:20764(db2agent(instance)) TID:3443517760
    Appid:*LOCAL.db2prd.150112170356
    bsu security sqlexInsertNewMasterKeyLabel Probe:519 Database:

    ADM8014W Backup the keystore.

  (Who ever reads the notification log :-)

• Don't forget to mark the saved keystore and stash files with a timestamp which documents the date of the change. (You must be able to associate a previous backup of the keystore and the required password for that keystore.)
• Securely keep track of all password changes. Add the new password and the date of its change to your records.
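
Since the ADM8014W reminder is easy to miss, the check can be automated: compare the newest ADM8014W record in the notification log with the timestamp of the newest saved keystore copy. This is an added example, not part of the original slides; it assumes keystore copies are saved as <name>.<timestamp> with the timestamp in the log's format, the function names are hypothetical, and the sample log is constructed from the record shown above.

```shell
#!/bin/sh
# Added example: flag a keystore backup that is older than the latest
# ADM8014W ("Backup the keystore.") record in the DB2 notification log.
# Assumption: keystore copies are saved as <name>.<timestamp>, with the
# timestamp in the log's own format (YYYY-MM-DD-hh.mm.ss).

# last_keystore_warning: stdin = notification log (e.g. db2prd.nfy).
# Prints the timestamp of the newest record that contains ADM8014W.
last_keystore_warning() {
    awk '
        /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]-[0-9]/ { ts = $1 }
        /ADM8014W/ && ts > last { last = ts }
        END { if (last != "") print last }
    '
}

# newest_copy DIR NAME: print the newest timestamp among DIR/NAME.<timestamp>.
newest_copy() {
    for f in "$1/$2".[0-9][0-9][0-9][0-9]-*; do
        if [ -e "$f" ]; then
            printf '%s\n' "${f#"$1/$2".}"
        fi
    done | LC_ALL=C sort | tail -n 1
}

# keystore_backup_overdue LOG DIR NAME: returns 0 when a backup is overdue,
# i.e. a warning exists and no saved copy carries a later timestamp.
keystore_backup_overdue() {
    warned=$(last_keystore_warning < "$1")
    [ -n "$warned" ] || return 1
    saved=$(newest_copy "$2" "$3")
    [ -n "$saved" ] || return 0
    oldest=$(printf '%s\n%s\n' "$warned" "$saved" | LC_ALL=C sort | head -n 1)
    [ "$oldest" = "$saved" ]
}

# Constructed sample log, modelled on the record shown above.
sample_log() {
    cat <<'EOF'
2015-01-12-12.03.57.408278   Instance:db2prd   Node:000
PID:20764(db2agent(instance))   TID:3443517760   Appid:*LOCAL.db2prd.150112170356
bsu security  sqlexInsertNewMasterKeyLabel Probe:519   Database:

ADM8014W  Backup the keystore.
EOF
}

sample_log | last_keystore_warning    # prints 2015-01-12-12.03.57.408278
```

The same comparison applies to the stash file, which has to be saved together with the keystore.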


Restrictions & Hints (3)

• The content of log files and dump files is encrypted as well. Before sending those files to IBM support for analysis, you have to decrypt them using tools provided by the IBM support. → This requires access to the corresponding keystore.
• When restoring a partitioned database (DPF), the catalog partition must be restored first, specifying the encryption options. Then the remaining partitions can be restored without specifying the encryption options - encryption will take place.
• In HADR environments, DB2 does not enforce that the primary and the standby database use the same encryption settings (e.g. you can have the primary encrypted and the standby not encrypted).


Sources of Information (1)

IBM white paper "Running an SAP NetWeaver Application Server on DB2 for LUW with the IBM DB2 Encryption Technology" on SAP Community Network (SCN)

http://scn.sap.com/docs/DOC-61811

IBM developerWorks article "I encrypted my database! How do I manage my master keys now?"

http://www.ibm.com/developerworks/data/library/techarticle/dm-1504-master-encrypted-keys/index.html

IDUG presentation by Greg Stager "An overview of the new DB2 Native Encryption Capability"

https://www.ibm.com/developerworks/community/files/form/anonymous/api/library/3c0ed2b6-1b87-49b8-8ba6-f0d4437cec45/document/a39bb3eb-5ea5-4c43-a0da-48e3eef294ed/media/An%2520overview%2520of%2520the%2520new%2520DB2%2520native%2520encryption%2520capability.pdf



Sources of Information (2)

Refer to the IBM DB2 Knowledge Center for more information:

• Implementing DB2 native database encryption
  http://www-01.ibm.com/support/knowledgecenter/#!/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/t0061766.html
• ADMIN_GET_ENCRYPTION_INFO table function - Get database encryption settings
• ADMIN_ROTATE_MASTER_KEY procedure - Change the database master key
• encrlib - Encryption library configuration parameter
• encropts - Encryption options configuration parameter
• keystore_location - Keystore location configuration parameter
• keystore_type - Keystore type configuration parameter
• CREATE DATABASE command
• BACKUP DATABASE command
• RESTORE DATABASE command
• START DATABASE MANAGER command (db2start)


Happy Encrypting !