Patents by Inventor Ingo Franzki

Ingo Franzki has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230299943
    Abstract: A method for updating a current master key (MK) with a new MK, protected by an HSM, while a software component using a key is active, is disclosed. The method comprises signaling that a new master key has been loaded to the HSMs, re-encrypting the key encrypted with the current MK, storing the re-encrypted key as respective newKey component of a key object, wherein a current key is stored in a curKey component of the key object, and setting the new MK in a first HSM, and signaling to the active software component that the new MK is set in at least one of the HSMs. Upon determining that the new MK is set in the HSM, restricting usage of the HSMs to the selected HSM, and upon determining that the new MK is set in all HSMs, moving the value of the newKey to the curKey component.
    Type: Application
    Filed: March 16, 2022
    Publication date: September 21, 2023
    Inventors: Ingo Franzki, Reinhard Theodor Buendgen
  • Publication number: 20230031297
    Abstract: A method, computer program product, and a system where a secure interface control configures a hardware security module for exclusive use by a secure guest. The secure interface control (“SC”) obtains a configuration request (via a hypervisor) to configure the hardware security module (HSM), from a given guest of guests managed by the hypervisor. The SC determines if the HSM is already configured to a specific guest of the one or more guests, but based on determining that the HSM is not configured to the and is a secure guest the SC forecloses establishing a configuration of the HSM by limiting accesses by guests to the HSM exclusively to the given guest. The SC logs the given guest into the HSM by utilizing a secret of the given guest. The SC obtains, from the HSM, a session code and retains the session code.
    Type: Application
    Filed: October 7, 2022
    Publication date: February 2, 2023
    Inventors: Reinhard T. Buendgen, Tamas Visegrady, Ingo Franzki
  • Patent number: 11500988
    Abstract: A method, computer program product, and a system where a secure interface control configures a hardware security module for exclusive use by a secure guest. The secure interface control (“SC”) obtains a configuration request (via a hypervisor) to configure the hardware security module (HSM), from a given guest of guests managed by the hypervisor. The SC determines if the HSM is already configured to a specific guest of the one or more guests, but based on determining that the HSM is not configured to the and is a secure guest the SC forecloses establishing a configuration of the HSM by limiting accesses by guests to the HSM exclusively to the given guest. The SC logs the given guest into the HSM by utilizing a secret of the given guest. The SC obtains, from the HSM, a session code and retains the session code.
    Type: Grant
    Filed: March 8, 2019
    Date of Patent: November 15, 2022
    Assignee: International Business Machines Corporation
    Inventors: Reinhard T. Buendgen, Tamas Visegrady, Ingo Franzki
  • Publication number: 20200285746
    Abstract: A method, computer program product, and a system where a secure interface control configures a hardware security module for exclusive use by a secure guest. The secure interface control (“SC”) obtains a configuration request (via a hypervisor) to configure the hardware security module (HSM), from a given guest of guests managed by the hypervisor. The SC determines if the HSM is already configured to a specific guest of the one or more guests, but based on determining that the HSM is not configured to the and is a secure guest the SC forecloses establishing a configuration of the HSM by limiting accesses by guests to the HSM exclusively to the given guest. The SC logs the given guest into the HSM by utilizing a secret of the given guest. The SC obtains, from the HSM, a session code and retains the session code.
    Type: Application
    Filed: March 8, 2019
    Publication date: September 10, 2020
    Inventors: Reinhard T. Buendgen, Tamas Visegrady, Ingo Franzki
  • Patent number: 9152813
    Abstract: Embodiments include a computer system, method and program product for encrypted file access. An access program module, connected to at least one file system, intercepts a data request for accessing a plaintext file with information stored physically and consecutively on a hard disk and having a pre-determined order and length expected by a program that sends the data request, wherein the plaintext file includes a plaintext record having a key field and a plaintext data field. The access program module determines an encrypted file, associated with the plaintext file, based on a configuration file and the data request, wherein the configuration file indicates the encrypted file associated with the plaintext file. The access program module determines one or more encryption keys based on the configuration file. The access program module accesses an encrypted data field within the encrypted file based on the encryption keys and the key field.
    Type: Grant
    Filed: January 7, 2014
    Date of Patent: October 6, 2015
    Assignee: International Business Machines Corporation
    Inventors: Ingo Franzki, Joerg Schmidbauer
  • Patent number: 9152811
    Abstract: Embodiments include a computer system, method and program product for encrypted file access. An access program module, connected to at least one file system, intercepts a data request for accessing a plaintext file with information stored physically and consecutively on a hard disk and having a pre-determined order and length expected by a program that sends the data request, wherein the plaintext file includes a plaintext record having a key field and a plaintext data field. The access program module determines an encrypted file, associated with the plaintext file, based on a configuration file and the data request, wherein the configuration file indicates the encrypted file associated with the plaintext file. The access program module determines one or more encryption keys based on the configuration file. The access program module accesses an encrypted data field within the encrypted file based on the encryption keys and the key field.
    Type: Grant
    Filed: March 12, 2012
    Date of Patent: October 6, 2015
    Assignee: International Business Machines Corporation
    Inventors: Ingo Franzki, Joerg Schmidbauer
  • Publication number: 20140129832
    Abstract: Embodiments include a computer system, method and program product for encrypted file access. An access program module, connected to at least one file system, intercepts a data request for accessing a plaintext file with information stored physically and consecutively on a hard disk and having a pre-determined order and length expected by a program that sends the data request, wherein the plaintext file includes a plaintext record having a key field and a plaintext data field. The access program module determines an encrypted file, associated with the plaintext file, based on a configuration file and the data request, wherein the configuration file indicates the encrypted file associated with the plaintext file. The access program module determines one or more encryption keys based on the configuration file. The access program module accesses an encrypted data field within the encrypted file based on the encryption keys and the key field.
    Type: Application
    Filed: January 7, 2014
    Publication date: May 8, 2014
    Applicant: International Business Machines Corporation
    Inventors: Ingo Franzki, Joerg Schmidbauer
  • Publication number: 20130238581
    Abstract: Embodiments include a computer system, method and program product for encrypted file access. An access program module, connected to at least one file system, intercepts a data request for accessing a plaintext file with information stored physically and consecutively on a hard disk and having a pre-determined order and length expected by a program that sends the data request, wherein the plaintext file includes a plaintext record having a key field and a plaintext data field. The access program module determines an encrypted file, associated with the plaintext file, based on a configuration file and the data request, wherein the configuration file indicates the encrypted file associated with the plaintext file. The access program module determines one or more encryption keys based on the configuration file. The access program module accesses an encrypted data field within the encrypted file based on the encryption keys and the key field.
    Type: Application
    Filed: March 12, 2012
    Publication date: September 12, 2013
    Applicant: International Business Machines Corporation
    Inventors: Ingo Franzki, Joerg Schmidbauer
  • Patent number: 8001242
    Abstract: The present invention discloses a system and method for automatic redirection of record-based data access to host files to multiple non-host file systems having non-record-based access comprising a redirector engine, a redirector server and at least one handler. The redirector engine, located on the host side, gets automatic control for each request of a host application (e.g., a read/write request), interprets a property list containing information on whether and how redirection for that request should be processed, makes a redirect decision based on information received from the property list, and establishes a communication with its assigned redirector server. The redirector server, located on a non-host system, handles communication with the redirector engine and the handler, performs data conversions if required and passes control to the handler assigned in the property list.
    Type: Grant
    Filed: May 6, 2002
    Date of Patent: August 16, 2011
    Assignee: International Business Machines Corporation
    Inventors: Wilhelm Mild, Ingo Franzki, Karsten Graul, Joerg Schmidbauer
  • Publication number: 20020169830
    Abstract: The present invention discloses a system and method for automatic redirection of record-based data access to host files to multiple non-host file systems having non-record-based access comprising a redirector engine, a redirector server and at least one handler. The redirector engine, located on the host side, gets automatic control for each request of a host application (e.g., a read/write request), interprets a property list containing information on whether and how redirection for that request should be processed, makes a redirect decision based on information received from the property list, and establishes a communication with its assigned redirector server. The redirector server, located on a non-host system, handles communication with the redirector engine and the handler, performs data conversions if required and passes control to the handler assigned in the property list.
    Type: Application
    Filed: May 6, 2002
    Publication date: November 14, 2002
    Inventors: Wilhelm Mild, Ingo Franzki, Karsten Graul, Joerg Schmidbauer
  • Publication number: 20010018684
    Abstract: The present invention relates to a system and method for accessing non-relational data stored in records on a host system by a relational access method. The implementation of a relational interface component allows data transformation and type conversion and gives a relational interface to non-relational data. An integrated mapping component is used to define the relational structure of non-relational records or data. This relational structure is used by the application program or database request. The mapping component allows one to define columns with their characteristic (i.e. byte offset, data type, length). The definitions can be grouped in maps equivalent to a relational table and views representing a subset of the columns defined in a map. Multiple different maps and views can be defined for one record. The information of the maps, columns and views are stored in a repository.
    Type: Application
    Filed: February 23, 2001
    Publication date: August 30, 2001
    Applicant: International Business Machines Corporation
    Inventors: Wilhelm Mild, Ingo Franzki