Unified Key Orchestrator for IBM z/OS

Centralized key management software for handling your sensitive encryption keys


Centralized enterprise key management

Unified Key Orchestrator for IBM® z/OS®, formerly IBM® Enterprise Key Management Foundation-Web Edition, is key management software that centrally orchestrates and secures the lifecycle of encryption keys across your enterprise, both on premises and in multiple cloud environments, including IBM Cloud®, AWS KMS, Azure Key Vault and Google Cloud.

What's new: Features and functions
Unified key management

Orchestrate the lifecycle of keys from a single pane of glass using a shared mental model across all keystores regardless of whether the keys are stored in multiple clouds or on premises.

Multicloud key management

Generate and push keys to key stores across hybrid multicloud deployments such as IBM Cloud, Microsoft Azure, Amazon Web Services and Google Cloud Platform.  

Central backup and recovery

Back up and recover key material with a central repository database and one-click key recovery to mitigate the loss of access due to cryptographic erasure.

Features

Unified key orchestration

Orchestrate the different stages of the key lifecycle, such as generation, storage, distribution, rotation, revocation and destruction. Key generation occurs in IBM Z Crypto Express cards using policies called key templates.

Post-quantum cryptography

Manage standardized post-quantum cryptography (PQC) algorithms with support for generating, managing and distributing ML-KEM and ML-DSA keys.

External RESTful Key Management APIs

Integrate key management with your business processes. Leverage UKO for z/OS Crypto Connect API to expand functionality with Crypto Connect Advanced Crypto Service Provider (CC ACSP), Crypto Connect Crypto Analytics Tool (CC CAT), and Crypto Connect Microsoft Double Key Encryption (CC MSDKE).

Access governance

Use role-based access control, dual control through separation of privileges, and vaults to create multiple levels of access management.

Auditability

Keep track of key management processes with audit logging.

Use cases

Multicloud key management

Enable seamless management of encryption keys across multiple cloud environments using a common key state model compatible with IBM Cloud, Microsoft Azure, Amazon Web Services and Google Cloud Platform.

Crypto operations with CC ACSP

Equip distributed applications with secure access to IBM Z cryptographic hardware over the network through CC ACSP, allowing for centralized and consolidated crypto operations by using HSMs on IBM Z.

Crypto Connect Microsoft Double Key Encryption

Maintain full control of your encryption keys with CC MSDKE, which uses a dual-key approach to protect Microsoft 365 data—one key remains under your control, while the other is securely stored in Microsoft Azure.

z/OS key management

Manage and orchestrate z/OS encryption keys, including data set encryption keys, across multiple sysplexes on IBM Z.

Integrate UKO for z/OS with GKLM

Integrate UKO for z/OS with IBM Security Guardium Key Lifecycle Manager (GKLM) via APIs to leverage mainframe hardware crypto for generating master keys and encrypting or decrypting storage keys on demand.

Secure room operation

Implement UKO for z/OS with Enterprise Key Management Foundation (EKMF) Workstation to support secure room operations and maintain stringent key management controls.


Technical details

When planning to install UKO, it is important to understand planning considerations and program requirements.

Program requirements

Get an understanding of supported operating systems, related software, hypervisors, hardware requirements and detailed system requirements, including component-level details. 

Planning considerations

Get an understanding of specific installation skills required to prepare for the installation of UKO.
 

Related products

IBM Unified Key Orchestrator for Containers

Centralized enterprise key management for streamlining the orchestration of the lifecycle of encryption keys.

IBM Cloud® Hyper Protect Crypto Services with Unified Key Orchestrator

Protect your data across multicloud environments and keep your own key (KYOK) for exclusive key control.

IBM® Guardium® Key Lifecycle Manager

Centralize, simplify and automate the encryption key management process to protect encrypted data.
