IBM Fibre Channel Endpoint Security (IFCES) was introduced as part of Pervasive Encryption. The first device to exploit this feature was the IBM z15 processor. Today, IFCES protects data in flight between an IBM Z host and a DS8000 storage system by controlling access and encrypting the data transferred over the FICON network/SAN. IFCES can also be used to encrypt LPAR-to-LPAR host connections, known as FICON Channel-to-Channel (CTC) connections.
IFCES is designed as an end-to-end solution that requires support from both endpoints: the IBM Z host (initiator) and the DS8900F storage system (target). Both sides provide encryption capability and support for the creation, reception, interpretation, and transmission of the messages exchanged to establish endpoint security. Fibre Channel fabric components, such as switches, also have to support the solution. For secure key management, the solution additionally requires an external key manager such as SKLM. The key manager maintains the shared secrets (keys) that associate the IBM Z CPCs and the DS8000 storage systems with each other as trusted partners. In a FICON network, the endpoints communicate with the key manager through the Hardware Management Consoles (HMCs) of the IBM Z host and the DS8000 storage system. Communication between these host and DS8000 endpoints is protected by Transport Layer Security (TLS), which establishes the secure connections. The Fibre Channel endpoint ports then use in-band Fibre Channel link services to set up the trusted and encrypted connections for IFCES, governed by the IBM Security Key Exchange (SKE) protocol, which IBM developed on the basis of the industry standard Fibre Channel Security Protocol-2 (FC-SP-2).
Once IFCES is implemented, the external key manager becomes a crucial component during startup of either an IBM Z host or any connected DS8000 storage system. This is because the endpoint devices must retrieve a key called the Device Authentication Key (DAK) from the external key manager whenever it is needed: when endpoint security is set up for the first time (for example at power up) and when the DAK is renewed according to the specified IFCES policies. If the key manager fails at that point, the DAK will not be available, the Fibre Channel connections between host and storage will fail, and access to data will not be possible. Since the external key manager is crucial to data access, when using SKLM the SKLM software must be installed on at least two servers. Some devices, such as the IBM DS8900 storage array, can support up to four ISKLM servers for maximum redundancy.
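The startup dependency described above, as an added illustration that is not IBM's code: a small model in which a FICON link only comes up when both endpoints obtain the same DAK from one of their configured key managers, so a single key manager that is down means no data access while a redundant pair survives. The key manager names, endpoint names and the DAK value are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional

# Placeholder shared secret; a real DAK is generated and held by the key manager.
CONSTRUCTED_DAK = b"constructed-dak-not-a-real-key"


@dataclass
class KeyManager:
    """One SKLM/ISKLM server instance (hypothetical name such as 'sklm1')."""
    name: str
    available: bool = True

    def fetch_dak(self) -> bytes:
        if not self.available:
            raise ConnectionError(f"key manager {self.name} unreachable")
        return CONSTRUCTED_DAK


@dataclass
class Endpoint:
    """An IFCES endpoint (IBM Z host or DS8000) with its ordered key-manager list."""
    name: str
    key_managers: List[KeyManager]
    dak: Optional[bytes] = None

    def retrieve_dak(self) -> bool:
        """Try each configured key manager in turn; keep the first DAK obtained."""
        for km in self.key_managers:
            try:
                self.dak = km.fetch_dak()
                return True
            except ConnectionError:
                continue
        self.dak = None  # no key manager answered: no DAK, so no secured link
        return False


def establish_link(host: Endpoint, storage: Endpoint) -> str:
    """Power-up or DAK renewal: the link secures only if both sides hold the same DAK."""
    if host.retrieve_dak() and storage.retrieve_dak() and host.dak == storage.dak:
        return "secured"
    return "failed"


def simulate(n_key_managers: int, failed: List[int]) -> str:
    """Build n key managers, mark the indexes in `failed` as down, attempt the link."""
    kms = [KeyManager(f"sklm{i + 1}") for i in range(n_key_managers)]
    for i in failed:
        kms[i].available = False
    return establish_link(Endpoint("z-host", kms), Endpoint("ds8900f", kms))
```

Running `simulate(1, [0])` returns `"failed"`, while `simulate(2, [0])` returns `"secured"` and `simulate(4, [0, 1, 2, 3])` again returns `"failed"`.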
If you use FICON directors to connect to storage, or FICON CTCs, you must also check that they are at the appropriate maintenance level to support IFCES connectivity. The FICON Qualified Release page in IBM ResourceLink lists which director firmware is qualified for IFCES.
So why is this important? In April 2024 IBM announced a Statement of Direction (SOD) pertaining to IFCES. This SOD describes new requirements that customers need to consider when planning upgrades to their FICON-attached devices over the next few years:
- Storage devices: in support of this direction, all new FICON-connected storage systems introduced after December 31, 2024 will be required to support IFCES in order to connect to zNext+1.
- IBM Z machines: IBM intends to require the use of IBM Fibre Channel Endpoint Security for all FICON-connected devices starting with the release of IBM zNext+1 (two IBM Z generations past z16).
Future required adoption of IBM Fibre Channel Endpoint Security on FICON-attached devices - IBM Documentation