Enabling encryption of data in motion

Earlier versions of IBM® DB2® Analytics Accelerator for z/OS® were delivered without a network encryption function. Even though this did not pose a security risk when the setup recommendations were followed (a dedicated private network between the mainframe computer or LPAR and the accelerator), it soon became obvious that in many situations this type of setup did not align well with existing network infrastructures. Hence a secure way of transporting data traffic had to be provided for customers who want to route sensitive data, such as patient data, credit-card transactions, or social security numbers, through their corporate intranet. Furthermore, the security standards of many organizations demand that any sensitive data that is sent across a network must be encrypted. Encryption capabilities were therefore added to the product.

Naturally, encryption comes at a price: performance is slower, because data has to be encrypted before it enters the network and decrypted after it leaves it. Both processes require a considerable amount of time, and the data volumes that are handled by IBM Db2 Analytics Accelerator for z/OS are usually extremely high. Customers rightfully expect remarkable acceleration rates despite the use of encryption. However, such rates can only be guaranteed in connection with fast hardware, which is why encryption is offered only with the IBM PureData® System for Analytics N2001 and N3001 series. For more information, see the IBM Db2 Analytics Accelerator prerequisites website.

To reduce the CPU consumption on the mainframe, IBM recommends the use of z Systems® Integrated Information Processors (zIIPs) for IPsec processing. However, despite faster and specialized hardware, there will be a noticeable performance impact on bulk transmissions of data, such as table load jobs or queries with huge result sets. Queries with small or moderate result sets, on the other hand, will not be impacted by the use of encryption.

Encryption solution - summary of features

  • AES-GCM symmetric encryption for the network payload
  • RSA 2048 bit encryption keys
  • X.509 public key certificate, signed by a shared certificate authority, delivered in PKCS#12 format

The following figure shows the components that are involved when you set up an encrypted network with the z/OS Communications Server. Some of the components with a yellow background must be configured for IPsec network encryption with IBM Db2 Analytics Accelerator for z/OS. For an in-depth discussion, see Chapter 4, Policy Agent, in IBM z/OS V2R1 Communications Server TCP/IP Implementation Volume 4: Security and Policy-Based Networking. You can find a link to this Redbook at the end of this topic.

Figure 1. Components in the IPsec setup with z/OS Communications Server
This is an interaction diagram that shows which components are involved in the setup for IPsec network encryption.

If you want to encrypt the network traffic between a z/OS LPAR and an accelerator, each communication endpoint, that is, each LPAR and each accelerator, needs its own RSA key pair and a public key certificate that is signed by a shared certificate authority. The following figure shows three LPARs that are connected to two accelerators.

Figure 2. Distribution of certificates and keys

Each peer uses its IKE daemon to authenticate itself and negotiate the traffic protocol. It is your responsibility to generate the key pairs, have their certificates signed by the same certificate authority, and then deploy and configure the keys with their associated certificates on the accelerators and z/OS LPARs. The following sections describe how to configure one connection from one LPAR to one accelerator (circled yellow in the previous figure).
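The key and certificate material that the two paragraphs above require (an RSA 2048 key pair per endpoint, an X.509 certificate signed by one shared CA, packaged as PKCS#12) can be produced and checked with OpenSSL as in this added example, which is not part of the IBM documentation. The self-signed test CA, the peer names lpar1 and accel1, the output directory and the PKCS#12 password are constructed placeholders.

```shell
# Added example: provision the IPsec peer certificates described above with
# OpenSSL. CA subject, peer names, output directory and the PKCS#12 password
# "changeit" are constructed placeholders, not values from the product docs.
set -eu

# Shared certificate authority: RSA 2048, self-signed, written to $1/ca.{key,crt}.
make_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=IPsec Test CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# One endpoint (LPAR or accelerator): RSA 2048 key pair, X.509 certificate
# signed by the CA in $1, and a PKCS#12 bundle (key + cert + CA) at $2/$3.p12.
make_peer() {
  cadir=$1; out=$2; peer=$3
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$peer" \
    -keyout "$out/$peer.key" -out "$out/$peer.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$out/$peer.csr" \
    -CA "$cadir/ca.crt" -CAkey "$cadir/ca.key" -CAcreateserial \
    -out "$out/$peer.crt" 2>/dev/null
  openssl pkcs12 -export -name "$peer" -inkey "$out/$peer.key" \
    -in "$out/$peer.crt" -certfile "$cadir/ca.crt" \
    -passout pass:changeit -out "$out/$peer.p12"
}

# Pre-deployment check: certificate $2 must chain to the shared CA $1 and
# carry a 2048-bit RSA public key. Returns non-zero otherwise.
verify_peer() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  openssl x509 -in "$2" -noout -text | grep -q 'Public-Key: (2048 bit)'
}

# The PKCS#12 file $1 must open with password $2 and contain the private key.
check_bundle() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# Provision one LPAR and one accelerator (the single connection the text
# configures) under $1 and verify both sides against the same CA.
provision_pair() {
  make_ca "$1/ca"
  for peer in lpar1 accel1; do
    make_peer "$1/ca" "$1" "$peer"
    verify_peer "$1/ca/ca.crt" "$1/$peer.crt" || return 1
    check_bundle "$1/$peer.p12" changeit || return 1
  done
}

WORKDIR=${WORKDIR:-$(mktemp -d)}
provision_pair "$WORKDIR" && echo "key material written to $WORKDIR"
```

A certificate issued by any other CA fails verify_peer, which is the property the shared-CA requirement above relies on when the IKE daemons authenticate each other.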