PKZIP /SecureZIP for z/os
|
|
- Marcus Carson
- 8 years ago
- Views:
Transcription
1 PKZIP /SecureZIP for z/os System Administrator s Guide SZZSA- V111R0002 PKWARE Inc.
2 PKWARE, Inc. 648 N Plankinton Avenue, Suite 220 Milwaukee, WI Main office: 888-4PKWARE ( ) Sales: (888-4PKWARE / ) Sales - pksales@pkware.com Support: Support - Web Site: Edition (2009) SecureZIP for z/os, PKZIP for z/os, SecureZIP for i5/os, PKZIP for i5/os, SecureZIP for UNIX, and SecureZIP for Windows are just a few of the members of the PKWARE product family. PKWARE Inc. would like to thank all the individuals and companies including our customers, resellers, distributors, and technology partners who have helped make PKZIP the industry standard for trusted ZIP solutions. SecureZIP enables our customers to efficiently and securely transmit and store information across systems of all sizes, ranging from desktops to mainframes. This edition applies to the following PKWARE Inc. licensed programs: PKZIP for z/os (Version 11, Release 1, 2009) SecureZIP for z/os (Version 11, Release 1, 2009) SecureZIP Partner for z/os (Version 11, Release 1, 2009) PKWARE, PKZIP, and SecureZIP are registered trademarks of PKWARE, Inc. z/os, i5/os, zseries, and iseries are registered trademarks of IBM Corporation. Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged. Any reference to licensed programs or other material, belonging to any company, is not intended to state or imply that such programs or material are available or may be used. The copyright in this work is owned by PKWARE Inc., and the document is issued in confidence for the purpose only for which it is supplied. It must not be reproduced in whole or in part or used for tendering purposes except under an agreement or with the consent in writing of PKWARE Inc., and then only on condition that this notice is included in any such reproduction. No information as to the contents or subject matter of this document or any part thereof either directly or indirectly arising there from shall be given or communicated in any manner whatsoever to a third party being an individual firm or company or any employee thereof without the prior consent in writing of PKWARE Inc. Copyright PKWARE Inc. All rights reserved. MVS/QuickRef Copyright , Chicago-Soft, Ltd.
3 Contents PREFACE... 1 Notices...1 About This Manual...1 Conventions Used in This Manual...1 Related Publications...2 Related Information on the Internet...4 User Help and Contact Information SYSTEM PLANNING AND ADMINISTRATION... 5 Planning for Administration Activities...5 System Requirements...7 Operating System...7 Region Size and Storage...8 Static Disk Space...9 Tape Device Considerations...9 UserID OMVS Segment...10 SecureZIP ICSF Operations...10 z/os UNIX File System (HFS)...15 Migration Considerations...17 Release History and Setting Changes...19 Distinctive Features of PKZIP and SecureZIP for z/os...20 Distinctive Features of SecureZIP for z/os...21 PKWARE PartnerLink: SecureZIP Partner for z/os...21 Encryption...22 Authentication...22 Data Integrity...22 Digital Signature Validation...23 Digital Signature Source Validation...23 Public-Key Infrastructure and Digital Certificates...24 Contents iii
4 Public-Key Infrastructure (PKI)...24 x Digital Certificates...25 Certificate Authority (CA)...25 Private Key...25 Public Key...25 Certificate Authority and Root Certificates...26 Setting Up Stores for Digital Certificates on z/os...26 Setting Up the Certificate Stores...26 Updating the Certificate Stores...28 Types of Encryption Algorithms...28 Standard...28 FIPS 46-3, Data Encryption Standard (DES)...29 Triple DES Algorithm (3DES)...29 Advanced Encryption Standard (AES)...29 Comparison of the 3DES and AES Algorithms...29 RC Key Management...31 Passwords and PINS...31 Recipient Based Encryption...31 Random Number Generation...32 Integrity of Public and Private Keys...32 Data Encryption INSTALLATION, LICENSING, AND CONFIGURATION Installation Overview...34 Type of Media Distribution for Installation...34 Installation from Downloaded File or CD...35 Non-SMP/E Installation...35 SMP/E Installation...37 Installing from Tape...41 Tailoring Site-Specific Changes to the Defaults Module...42 Tailoring Site-Locking Commands...43 Protecting Files with the SAFETYEX Module...43 Tailoring for Filename and Data Character Set Conversions...44 SMS Dataclass Considerations...44 Note for users of PKZIP for MVS and PKZIP for zseries Considerations when Exporting Private Keys using RACDCERT...45 Evaluation Activity Log...45 Activity Log Setup and Configuration...46 Licensing Requirements...48 Licensed Types...49 Product Features...50 iv PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide
5 Evaluation Period...53 Release-Dependent Licensing...53 Current Use License...53 Show System Information...55 Conditional Use...56 Initializing the License...56 PKZIP and Full-Featured SecureZIP License Activation...57 SecureZIP Partner License Activation...57 Reporting the PKZIP/SecureZIP for z/os License...58 PKZIP/SecureZIP for z/os Grace Period...59 Running a Disaster Recovery Test...59 Activating the ISPF Interface...60 ISPF Main Menu...61 Running PKZIP/SecureZIP with Library Lookaside (LLA and LNKLST)...61 Verifying the Installation...62 Run-time Performance Considerations...62 Main Tuning Ingredients...63 Initialization JOBLIB/STEPLIB Elimination, LLA, VLF and/or LPA...64 Initialization SYSIN Command Records via Partitioned Members...66 Initialization PARMLIB Commands via Partitioned Members...67 Enable SMF Recording...67 SMF Activation...68 Install and Activate the PKWSVC Module...68 Select a Unique SMF Record Type...71 Activate SVC and SMF Settings in the SecureZIP Defaults Module...72 Default Module Settings Affecting SMF Recording SECURITY ADMINISTRATION OVERVIEW Accessing Certificates...77 Public Key Certificate...77 Private Key Certificates...78 Certificate Authority and Root Certificates...78 Configuration Profile...78 Contents of the Configuration Profile...78 Data Base (DB) Profile (Local Certificate Store)...79 LDAP Profile (Networked Certificate Store)...79 Recipient Searches...80 Local Certificate Stores...81 Access x.509 Public and Private Key Certificates...81 Authentication and Certificate Validation Policies...82 Other Profile Commands...86 Passphrase Registration...87 Accessing the Passphrase Registration Dialogs CERTIFICATE STORE MANAGEMENT SecureZIP Main Panel Access to the Certificate Stores...89 Contents v
6 SecureZIP Certificate Store Administration and Configuration...89 Local Certificate Store Administration...90 SecureZIP Local Certificate Store...91 Create a New Local Certificate Store DB...92 Certificate Validation Options...93 Generated JCL to Build the Initial Certificate Store...94 View Data Base Certificate Entries...95 List Certificate Entries Add a Certificate to the Local Store Add a New Certificate to the CA Store Add a New Trusted Root Certificate to the Root Store Add a New Certificate via Batch Processing Register Security Server Certificates in the Key Store Index Delete a Certificate from the Local Store Synchronize the Index for the Local Certificate Store Generated JCL for Synchronization CA, Root, and CRL Verification Report DB Statistics Edit Active DB Profile Backup and Restore Process Directory Certificate Store Configuration - LDAP Create/Test LDAP Profile Statements Edit existing LDAP profile Create/Test LDAP Link Create New LDAP Profile Settings Load Existing LDAP Profile Testing the LDAP Connection Runtime Configuration Zip/Unzip Runtime Configuration Panel SecureZIP Runtime Configuration Panel SecureZIP Runtime Configuration Panel Undefined SecureZIP Runtime Configuration Panel with DB Profile Defined SecureZIP Runtime Configuration Panel with Private Certificate Location x.509 Certificate Utilities The Options Certificate Revocation Lists Filename Encryption How SecureZIP for z/os Encrypts File Names When SecureZIP for z/os Encrypts File Names Encrypting File Names When You Update an Archive Opening and Viewing an Archive that Has Encrypted File Names Input required to View Recipients in a Filename Encrypted Archive View of Recipients in a Filename Encrypted Archive View Detail of an Archive that Has Encrypted File Names Decrypting a Filename Encrypted Archive SECURITY QUESTIONS AND SOLUTIONS Which encryption settings should be chosen? How is encryption activated? vi PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide
7 How is ICSF hardware acceleration activated? What is the difference between an Encryption Method and an algorithm? How many recipients can be specified? What virtual storage is required for certificate-based encryption? How does ENCRYPTION_METHOD affect certificate-based encryption? How does SecureZIP activate MASTER_RECIPIENT contingency keys? How does MASTER_RECIPIENT affect activation? How do I copy a local certificate store? How do I remove a local certificate store? How can the contents of an x.509 certificate file be determined? PKWARE PARTNERLINK: SECUREZIP PARTNER About SecureZIP Partner for z/os If You Are a Sponsor: Sign the Central Directory Terms and Acronyms Used in This Chapter PKWARE PartnerLink Program: Overview Decrypting and Extracting Sponsor Data (Read Mode) Creating an Archive for a Sponsor Getting Started Co-existence with Other PKWARE Products Recommendations PartnerLink Certificate Store Administration and Configuration Choosing a Configuration Model Installing a Sponsor Distribution Package Updating a Sponsor Distribution Package Removing a Sponsor Distribution Package Providing a Sponsor Configuration for Execution CRYPTOGRAPHIC FACILITY UTILITY - PKCRYUTL Cryptographic Facility Categories Assessing a System s Cryptographic Capabilities with PKCRYUTL PKCRYUTL Execution PKCRYUTL Reporting PKCRYUTL Sample Report PKCRYUTL Interpretation SMF RECORD FORMATS GLOSSARY INDEX Contents vii
8 viii PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide
9 Preface SecureZIP for z/os, like PKZIP for z/os, is a member of the PKWARE family of products providing high-performance data compression and data protection across multiple operating systems and platforms. PKZIP for z/os provides powerful, easy-to-use data compression on the mainframe. PKZIP for z/os Enterprise Edition additionally includes support for password-based decryption of encrypted files, powered by trusted RSA BSAFE. Files created by PKZIP for z/os use the widely-adopted ZIP format and can be accessed on all major platforms throughout the enterprise from mainframe to PC. SecureZIP for z/os provides powerful, easy-to-use data compression and data protection on the mainframe. SecureZIP for z/os protects data with digital signatures and several encryption choices. Both trusted RSA BSAFE encryption or IBM ICSF are offered, either password- or certificate-based, and with key lengths of up to 256 bits. Like PKZIP for z/os, SecureZIP for z/os uses the widely-adopted ZIP format and creates files that can be accessed on all major platforms throughout the enterprise. Notices Licensing requirements have changed for this release. See chapter 2 for current information. About This Manual This manual provides information to help a system administrator install and use PKZIP for z/os or SecureZIP for z/os in an operational environment on supported IBM releases of z/os. It is assumed that anyone using this manual has a good understanding of JCL and dataset processing. Conventions Used in This Manual Throughout this manual, the following conventions are used: SecureZIP z (bold-italicized) is used as a shorthand to refer to both SecureZIP for z/os and PKZIP for z/os. Statements made about SecureZIP z apply to both products. Information given specifically for SecureZIP for z/os or PKZIP for z/os applies specifically to that product. Preface 1
10 The terms ZIP and UNZIP are used to refer to the respective overall processes of operating on an archive. The term PKZIP is often used generically to refer to any of the underlying executable programs that process archives in PKZIP for z/os and SecureZIP for z/os. These include programs PKZIP and SECZIP, to ZIP archives, and programs PKUNZIP and SECUNZIP, to UNZIP them. PKZIP is also more narrowly used to refer to either the PKZIP or SECZIP program, and PKUNZIP is often used to refer to either the PKUNZIP or SECUNZIP program. The use of the Courier font indicates text that may be found in job control language (JCL), parameter controls, or printed output. The use of italics in a command line indicates a value that must be substituted by the user, for example, a data set name. Italics are also used in body text to quote command names and so forth or to indicate the title of a manual or other publication. The use of <angle brackets> in a command definition indicates a mandatory parameter. The use of [square brackets] in a command definition indicates an optional parameter. A vertical bar ( ) in a command definition is used to separate mutually exclusive parameter options or modifiers. When sample JCL is shown, or references to the SecureZIP z libraries are made, the high-level qualifier PKWARE.MVS may be used generically. The high-level qualifier specifically for the packaged product SecureZIP for z/os is SECZIP.MVS. The high-level qualifier specifically for the packaged product PKZIP for z/os is PKZIP.MVS. Note that the actual high-level qualifiers installed on your system may be different. Program examples may show either SecureZIP for z/os or PKZIP for z/os constructs, for backward compatibility. In general, examples apply to both programs unless the examples appear in sections of the manual that relate exclusively to SecureZIP features. Such sections are marked like this: SecureZIP only Related Publications IBM Manuals relating to the SecureZIP z products include: System Codes - Documents the completion codes issued by the operating system when it terminates a task or an address space. Describes the wait state codes placed in the program status word (PSW) when the system begins a wait state. Describes the causes of loops. System Messages - Documents the messages issued by the z/os operating system. The descriptions explain why the component issued the message, give the actions of the operating system, and suggest responses by the applications programmer, system programmer, and/or operator. JES2 Messages - Documents the messages issued by the JES2 subsystem. The descriptions explain why the component issued the message, give the actions of the 2 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide
11 operating system, and suggest responses by the applications programmer, system programmer, and/or operator. JCL User's Guide - Describes the job control tasks needed to enter jobs into the operating system, control the system's processing of jobs, and request the resources needed to run jobs. To perform the tasks, programmers code job control statements. The user's guide assists in deciding how to perform job control tasks. JCL Reference - Describes the job control tasks needed to enter jobs into the operating system, control the system's processing of jobs, and request the resources needed to run jobs. To perform the tasks, programmers code job control statements. The reference guide; is designed to be used while coding the statements. Access Methods Services - Documents the functions that are available with Virtual Storage Access Method (VSAM) and describes the IDCAMS commands that can be issued to control VSAM datasets. DFSMS Using Data Sets Reference materials regarding z/os file systems and their usage. DFSMS Macro Instructions for Data Sets Reference material regarding I/O handling and diagnostics. ICSF Application Programmers Guide Describes how to use the callable services provided by the Integrated Cryptographic Service facility. ICSF Administrators Guide Describes how to manage cryptographic keys by using the z/os Integrated Cryptographic Service facility. ICSF Overview Contains overview and planning information for the z/os Integrated Cryptographic Service facility. ISPF bookshelf Reference materials regarding run-time environments supporting, and used by SecureZIP z. Language Environment bookshelf Reference materials regarding run-time environments supporting, and used by SecureZIP z. TSO/E Command Reference - Documents the functions of the TRANSMIT and RECEIVE Command Facility used for the distribution and allocation of SecureZIP z installation libraries. TSO/E Rexx Reference Reference materials regarding run-time environments supporting, and used by SecureZIP z. z/os XL C/C++ bookshelf Reference materials regarding run-time environments supporting, and used by SecureZIP z. z/os Unix System Services User s Guide Provides information that is fundamental to working with UNIX File Systems (also known as the hierarchical file system). MVS/QuickRef 6.3 (Chicago-Soft, Ltd.) - Includes both messages and command reference material for SecureZIP z. Preface 3
12 Related Information on the Internet PKWARE, Inc. FTP site Product manuals - ftp://bigiron.pkware.com/pub/manuals/zos Product downloads - ftp://bigiron.pkware.com/pub/products o o PKZIP for z/os - ftp://bigiron.pkware.com/pub/products/pkzip/zos SecureZIP for z/os - ftp://bigiron.pkware.com/pub/products/securezip/zos o SecureZIP Partner for z/os - ftp://bigiron.pkware.com/pub/products/partnerlink/zos National Institutes of Standards and Technology Computer Security Resource Center - Information on the AES development - Information on Key Management - RSA BSAFE Content Library User Help and Contact Information For licensing, please contact Sales at (888-4PKWARE / ) or pksales@pkware.com. For technical assistance, contact Technical Support at or visit the support web site: 4 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide
13 1 System Planning and Administration SecureZIP z contains two main programs: PKZIP (or SECZIP in SecureZIP) and PKUNZIP (or SECUNZIP in SecureZIP). The ZIP program is used to compress or store files into a ZIP format archive, while the UNZIP program is used to extract data compressed into ZIP-compatible archives. Processing control is available through the use of customized option modules, shared command lists, and individual job inputs. In addition to file selection, features such as compression levels and performance selections can be specified. To guarantee data integrity, a 32-bit cyclic redundancy check (CRC) is a standard feature. A ZIP archive is platform-independent; therefore, data compressed (zipped) on one platform, such as UNIX or Windows, can be decompressed (unzipped) on another platform, such as z/os, by using a compatible version of the UNZIP program. With its advanced password and certificate-based security features, SecureZIP for z/os offers multiple methods of encryption and is an excellent choice for securing data and data transfers. However, it is important that system administrators carefully plan in advance the design, development, and testing tasks required to successfully integrate SecureZIP for z/os as a secure solution into a production environment. The following sections chart the production and pre-production planning activities for administration and discuss SecureZIP z model environments and important concepts for the systems administrator. They also describe encryption, types of algorithms in use, information about specific mandates requiring the use of secure data, and how SecureZIP z will secure that data. Planning for Administration Activities The SecureZIP z software is often installed and maintained by a single party within an installation s system programming staff. However, there are several system interface components that may require attention from other departments relating to the administration of SecureZIP operation. Use the following installation and feature configuration checklist to help plan out the installation and operational use of SecureZIP z. Chapter 1 System Planning and Administration 5
14 Feature or Activity Base software installation; includes: Licensing Tailoring of the installation defaults module Translate table selection SAFETYEX module tailoring Migration Considerations Activating the TSO ISPF Interface Initial Tuning Optional LLA, VLF and LPA Configure Cryptographic Services for data Encryption, Digital Signing and Authentication with SecureZIP for z/os Use of ICSF Cryptographic Facilities CLASS(CSFSERV) service profiles Define the SecureZIP for z/os Key Store Index and Certificate Store Administer Digital Certificates to the SecureZIP for z/os Key Store for use in RECIPIENT, SIGN_FILES, SIGN_ARCHIVE or AUTHCHK processing. DATASET update access to SecureZIP Key Store components Administer Digital Certificates to the Security Server for use in RECIPIENT, SIGN_FILES, SIGN_ARCHIVE or AUTHCHK processing with SecureZIP for z/os. Certificate and Key Ring controls Administer Passphrase Registration to the ICSF CKDS for use with SecureZIP for z/os. CLASS(CSFSERV,CSFKEYS) service profiles Enable and Administer SecureZIP for z/os Policy Lockdown features Resources Ref. chapter 2 Required: System Programmer Optional: Data transfer architect for Translate Tables Optional: Storage administrator for related defaults module settings Optional: Security policy manager for related defaults module settings. Required: Security Administrator to define data set protection for supporting software libraries. Ref. chapter 1, SecureZIP ICSF Operations Ref. SecureZIP Security Administrator s Guide; ICSF Service Controls Required: ICSF Administrator, Security Server Administrator Ref. chapter 1, Setting Up Stores for Digital Certificates on z/os Ref. chapter 1, Public-Key Infrastructure and Digital Certificates Ref. chapter 4 Required: Security Server Administrator, SecureZIP Key Administrator Ref. SecureZIP Security Administrator s Guide Ref. IBM z/os Security Server RACF Administration Ref. IBM z/os Security Server RACF Command Reference (RACDCERT) Ref. IBM z/os Security Server Callable Services (R_datalib) Required: Security Server Administrator, SecureZIP Key Administrator, ICSF CKDS Administrator Ref. SecureZIP for z/os Security Administrator s Guide, chapter 5 ( SAF-protected Passphrase Feature ) Required: Security Server Administrator Ref. SecureZIP for z/os Security Administrator s Guide, Policy Lockdown chapter 6 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide
15 Feature or Activity Enable and Administer Contingency Keys for use with SecureZIP for z/os Generate and install certificates Define Contingency Key Ring(s) Administer Key Rings and PROFILEs (by JOB) Enable and tailor the SMF recording feature used with SecureZIP for z/os Use SMF data for audit controls Configuring jobs for operational use of the z/os UNIX File Systems Archives and/or files in the UNIX File System Application Integration with FIFO Special File (named pipes) Configuring for operations as a PartnerLink Sponsor or Partner Sponsor Distribution Packages Resources Required: Security Server Administrator, Operations JOB Planner Ref. SecureZIP for z/os Security Administrator s Guide, chapter 2, section Contingency Key Enforcement Required: z/os System Programmer Required: SMF Administrator, SMF Data Reduction Programmer, Security Auditor Ref. SecureZIP for z/os Security Administrator s Guide, Security Auditor s Guide chapter Ref. chapter 1, HFS Operational Knowledge Ref. PKWARE PartnerLink System Requirements This section describes the system requirements for SecureZIP z. Operating System The minimum operating system levels supported are: A release of z/os supported by IBM For installations intending to use digital certificates residing in the RACF Security Server, maintenance associated with APAR OA26639 is recommended to avoid spurious ICH408I messages. To extract files greater than 2 gigabytes or to create archives greater than 2 gigabytes in a PDSE, operating system maintenance associated with APAR BW57702 is required. z/os installations intending to use ICSF cryptographic services should ensure that RACF maintenance associated with APAR OA11874 is installed. System requirements for ICSF apply to facility settings of IBMHARDWARE and IBMSOFTWARE associated with ENCRYPTDATA, HASH, and RANDOM. Installations intending to use AES 128-bit ICSF hardware-based encryption/decryption on a System-z9 (2094 or 2096) with ICSF FMID HCR7730 should ensure that PTF UA22474 is applied. (Reference PKWARE HIPER TT3686 and IBM APAR OA13766). Chapter 1 System Planning and Administration 7
16 Installations intending to use SHA-256 ICSF hardware-based hashing in support of digital signature creation will require a minimum ICSF level of HCR7730 while operating on a System z9-109, z9, or z10. Language Environment release-dependent runtime options modules are supplied with the product and are dynamically selected for use at the release levels shown in the following table. If higher levels of Language Environment are encountered, informational system messages may be issued (CEE3611I, CEE3615I, CEE3627I). These have no functional impact on product operations. Operating System Release Language Environment FMID Language Environment Options Release OS/ HLE z/os 1/1 HLE z/os 1.2 HLE z/os 1.3 HLE z/os 1.4 HLE z/os 1.5 HLE z/os 1.6 HLE z/os 1.7 HLE z/os 1.8 HLE z/os 1.9 HLE z/os 1.10 HLE For installations using Security Server RACF and requiring RSA public or private keys to be stored in the ICSF PKDS, the PTF associated with APAR OA13030 must be installed. Region Size and Storage See the section Region Size and Storage in chapter 3 of the PKZIP/SecureZIP for z/os User s Guide for information relating to minimum virtual storage requirements. 8 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide
17 Static Disk Space Product data set allocations are approximately as follows: Tracks %Used XT Device CEXEC HELP INSTLIB INSTLIB LICENSE LOAD MACLIB SPKZCLIB SPKZMLIB SPKZPLIB SPKZSLIB SPKZTLIB SecureZIP certificate store data set allocations are approximately as follows: Tracks %Used XT Device CERTSTOR.DBX.DATA 150? CERTSTOR.DBX.INDEX 1? CERTSTOR.DBXCN.DATA 15? CERTSTOR.DBXCN.INDEX 1? CERTSTOR.DBXEM.DATA 15? CERTSTOR.DBXEM.INDEX 1? CERTSTOR.DBXPUBK.DATA 15? CERTSTOR.DBXPUBK.INDEX 1? CERTSTOR.PRIVATE CERTSTOR.PUBLIC CERTSTOR.P7CA CERTSTOR.P7CRL CERTSTOR.P7ROOT CERTSTOR.SPONSOR.AUTH CERTSTOR.SPONSOR.INFO CERTSTOR.SPONSOR.RECIP Tape Device Considerations The following notes apply when ZIP archives may be directed to a tape or cartridge device. Do not use DCB option TRTCH=COMP when specifying a non-store form of ZIP compression. If Large Block Interface (LBI) tape processing is to be used (ARCHIVE_ZIPFORMAT= FULL_LBI or XTAPE_LBI) and there is any restriction on maximum block size for tape cartridges, review the setting for SMS Dataclass Block Size Limit, or PARMLIB(DEVSUPxx) TAPEBLKSZLIM, and set the ZIP defaults (or pre-defined command sets) for ARCHIVE_BLKSIZE accordingly. IECIOSxx parmlib parameter MIH: If your site does not specify an IOS= member in the IEASYSxx member, then a default value of 3:00 minutes for 3490 missing tape device interrupts is used. This value is too low for PKZIP tape processing. IBM 3490 Planning and Migration Guide recommends a value of 20 minutes for missing interrupts associated with 3490E tape drives. Set a temporary increase to the MIH values for tape by using the following MVS console Chapter 1 System Planning and Administration 9
18 command: SETIOS MIH,TAPE=20:00 To change parmlib, place the following in member IECIOSxx: MIH TIME=20:20,DEV=nnnn where nnnn is the device address. For devices configured as 3590s, the control unit controls both the primary and secondary MIH values. The primary MIH governs most commands, and the second MIH governs a small group of long-running commands, such as LOCATE and FORWARD SPACE FILE. UserID OMVS Segment The following features of SecureZIP require the executing UserID to have a valid OMVS segment: SecureZIP for z/os Certificate Store administration and digital certificate usage Unix File System operations SecureZIP ICSF Operations This section pertains to system-supplied cryptographic facilities that are supplemental to inherent SecureZIP cryptographic services. An appropriate SecureZIP license is required to access these facilities. The system-supplied cryptographic facilities available for SecureZIP for z/os to use depend on the hardware configuration and controlling system software. ICSF callable services are utilized by SecureZIP to facilitate access to system-supplied cryptographic facilities for selected system configurations. For planning purposes, the following checklist may be used to ensure that the operating environment is activated appropriately to support the desired cryptographic feature through SecureZIP: Refer to the ICSF Feature/Facility Requirements Table later in this section to identify the desired cryptographic feature and associated facility requirements Ensure that the correct hardware feature codes are installed for the target platform Ensure that the ICSF Program Product is installed at the proper release level Use the TSO/ISPF ICSF dialog to determine if ICSF is active and the necessary components are operative. Select option 1 and press Enter. If ICSF is not available, you will receive the message shown in the upper right portion of the screen below. HCR Integrated Cryptographic Serv OPTION ===> Enter the number of the desired option. ICSF IS NOT ACTIVE 1 COPROCESSOR MGMT - Management of Cryptographic Coprocessors 2 MASTER KEY - Master key set or change, CKDS/PKDS Processing 3 OPSTAT - Installation options 4 ADMINCNTL - Administrative Control Functions 5 UTILITY - ICSF Utilities 6 PPINIT - Pass Phrase Master Key/CKDS Initialization 10 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide
19 7 TKE - TKE Master and Operational Key processing 8 KGUP - Key Generator Utility processes 9 UDX MGMT - Management of User Defined Extensions Licensed Materials - Property of IBM 5694-A01 (C) Copyright IBM Corp. 1989, All rights reserved. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Press ENTER to go to the selected option. Press END to exit to the previous menu. If ICSF is active, you will see screens like the following. These may or may not identify coprocessors, but they can be used by SecureZIP for z/os. The coprocessor status is based on the hardware configuration of your environment. System with no coprocessors available ICSF Coprocessor Management COMMAND ===> SCROLL ===> PAGE Select the coprocessors to be processed and press ENTER. Action characters are: A, D, E, K, R and S. See the help panel for details. COPROCESSOR SERIAL NUMBER STATUS ******************************* Bottom of data ******************************** System with coprocessors available ICSF Coprocessor Management Row 1 of 4 COMMAND ===> SCROLL ===> PAGE Select the coprocessors to be processed and press ENTER. Action characters are: A, D, E, R, and S. See the help panel for details. COPROCESSOR MODULE ID/SERIAL NUMBER STATUS C FD FD ACTIVE. C A A2 ACTIVE. P00 94E04777 ACTIVE. P01 94E04781 ACTIVE System with coprocessors online but not initialized for use ICSF Coprocessor Management Row 1 to 1 of 1 COMMAND ===> SCROLL ===> PAGE Select the coprocessors to be processed and press ENTER. Action characters are: A, D, E, K, R and S. See the help panel for details. COPROCESSOR SERIAL NUMBER STATUS E ONLINE ******************************* Bottom of data ******************************* Chapter 1 System Planning and Administration 11
20 If necessary, perform some or all of the following system configuration activities in accordance with the z/os ICSF Administrators Guide and the z/os Cryptographic Services System Programmer s Guide: o o o o o Ensure that the system (or LPAR) is configured for the hardware cryptographic facility Perform Hardware Management Console (HMC) activities to enable cryptographic usage through ICSF Perform Power On Reset to activate HMC settings Prepare ICSF run-time environment (e.g. allocation of control data sets) Start ICSF in update mode to establish passphrases Ensure that ICSF is started with production run-time parameters Conditionally update RACF (or equivalent security product) to permit access to the following CSFSERV Resource classes (if CSFSERV is desired to be an active class) for READ access: o o o o o CSFCKM CSFIQF CSFOWH CSFRNG CSFRNGL Consult the SecureZIP Security Administrator s Guide to identify additional Security Server rules that may require definition or adjustments. The following tables show the levels of system hardware and operating software required by various cryptographic features. ICSF Feature/Facility Requirements Table SecureZIP only This table provides an overview of system facilities required to access a specific cryptographic feature. For each supported Service within a platform configuration, three pieces of information are shown. The minimum Hardware facility required The Software callable service used A minimum ICSF release level (referenced by FMID) 12 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide
21 Table 1: ICSF feature/facility requirements Cryptographic Service DES/3DES Hardware Acceleration DES/3DES Secure Key Operations (FIPS 140 Compliant) AES ICSF Software AES128 Hardware Acceleration AES192, AES256 Hardware Acceleration z/800 & z/900 CCF CSNBENC HCR7704 CCF CSNBENC HCR7704 CCF CSNBSYE HCR7706 z/890 & z/990 CPACF CSNBSYE HCR7720 CEX2C CSNBENC HCR7720 CPACF CSNBSYE HCR7720 z9-109 System z9 System z10 CPACF CSNBSYE HCR7720 CEX2C CSNBENC HCR7720 CPACF CSNBSYE HCR7720 Not available Not available CPACF CSNBSYE HCR7730 CPACF CSNBSYE HCR7720 CEX2C CSNBENC HCR7720 CPACF CSNBSYE HCR7720 CPACF CSNBSYE HCR7730 Not available Not available Not available Not available CPACF CSNBSYE HCR7720 CEX2C CSNBENC HCR7720 CPACF CSNBSYE HCR7720 CPACF CSNBSYE HCR7730 CPACF CSNBSYE AES Secure Key Operations (all AES key lengths) (FIPS 140 Compliant) SHA-1 Hardware Acceleration MD5 ICSF Software SHA-256 Hardware Acceleration SHA-384/512 Hardware Acceleration Not available Not available Not available CEX2C CSNBSAE HCR7751 *requires MCL update CCF CSNBOWH HCR7704 CCF CSNBOWH HCR7704 Not available CPACF CSNBOWH HCR7720 CPACF CSNBOWH HCR7720 CPACF CSNBOWH HCR7750 CPACF CSNBOWH HCR7720 CPACF CSNBOWH HCR7720 CPACF CSNBOWH HCR7750 CPACF CSNBOWH HCR7720 CPACF CSNBOWH HCR7720 CPACF CSNBOWH HCR7750 Not available Not available Not available Not available HCR7750 CEX2C CSNBSAE HCR7751 *requires MCL update CPACF CSNBOWH HCR7720 CPACF CSNBOWH HCR7720 CPACF CSNBOWH HCR7750 CPACF CSNBOWH HCR7751 Chapter 1 System Planning and Administration 13
22 Cryptographic Service Pseudo Random Data Generation z/800 & z/900 CCF CSNBRNG z/890 & z/990 CPACF CSNBRNG z9-109 System z9 System z10 CPACF CPACF CPACF CSNBRNG CSNBRNG CSNBRNG HCR7704 HCR7720 HCR7720 HCR7720 HCR7720 Pseudo Random Data Generation-Long CCF CSNBRNGL PCIXCC/ CEX2C CEX2C CSNBRNGL CEX2C CSNBRNGL CEX2C CSNBRNGL HCR7750 CSNBRNGL HCR7750 HCR7750 HCR7750 HCR7750 Notes: ICSF is assumed to be running in non-pcf mode, and FMIDs are listed at the minimum supported level. SMP/E and ICSF settings should be checked to verify the ICSF operating level and configuration. (Note that HCRP220 and prior FMIDs were for PCF.) Some ICSF levels may be required to be at a higher level than those shown due to IBM system configuration requirements. Through the callable service, ICSF directs which hardware/software facility to use based on the call request and the available configuration. IBM technical support documents and maintenance buckets should be reviewed to determine a complete set of system feature enablement requirements to activate the necessary level of ICSF and associated system-provided services. Distributed Operating System ICSF Levels The following table is provided as a convenience for planning purposes to show ICSF levels typically provided with a given level of the operating system. System-specific planning and requirements review should be performed for an installation. 14 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide
23 Operating System Distributed ICSF Level Enabled Feature as Used by SecureZIP OS/ HCR7703 Base ICSF for CSNBENC z/os 1.2 HCR7704 z/os 1.3 HCR7706 CSNBSYE CPACF (z/x90, z9) z/os 1.4 z/os 1.5 z/os 1.6 z/os 1.7 HCR7706 or HCR7708 HCR7708 HCR770A HCR7720 or HCR7730 CSNBSYE CPACF for DES/3DES CSNBSYE AES128 hardware (z9) z/os 1.7 HCR7730 SHA-256 hashing (software only) z/os 1.8 z/os 1.9 HCR7731 HCR7740 z/os 1.10 HCR7750 HCR7751 may be installed as an upgrade to access advanced AES capabilities available through hardware. Note that many of the ICSF release levels can be installed on earlier releases of the operating system. For z/os 1.7, z/os 1.8 and z/os 1.9, HCR7750 is available for upgrades, providing for CSNBSYE AES192, AES256 hardware (z9 model dependent) and SHA-256 hashing hardware (z9). z/os UNIX File System (HFS) In the context of this section, Hierarchical File System (HFS) refers to the entire z/os UNIX file system architecture unless otherwise noted. SecureZIP z does not require any special configuration to operate with the HFS (Hierarchical File System). However, working with archives and data files located in the HFS in the z/os environment requires some setup. In particular: The run-time user s OMVS segment information must be associated with a HOME directory for that user Permissions need to be set to correspond with the run-time user s ownership of directories and files to be accessed (see PATHMODE for directory and file objects within the HFS) Group permissions for directories and files in the HFS need to support the GROUPs that the run-time user will connect to If the SAFETYEX module has been modified from releases prior to release 10.0, a fresh source copy (from INSTLIB) should be used and updated. HFS PATH entries can be added in a new section provided for this purpose in the release 10.0 version of the module. Chapter 1 System Planning and Administration 15
24 HFS Operational Knowledge To operate SecureZIP z with the HFS, you need a basic understanding of how the HFS works. For information specific to using SecureZIP z, see section z/os UNIX File System (Hierarchical File System) in chapter 9 ( File Processing ) of the PKZIP/SecureZIP for z/os User s Guide. For more general information, you will find the IBM documentation listed in the following table helpful. Resource Chapter/Section Description IBM z/os UNIX System Services Guide IBM z/os UNIX System Services Guide IBM z/os UNIX System Services Guide IBM z/os UNIX System Services Guide IBM z/os UNIX System Services Guide IBM z/os UNIX System Services Guide Chapter 14: An Introduction to the hierarchical file system Chapter 16: Working with directories Chapter 17: Working with files Chapter 18: Handling security for your file Chapter 21: Copying data between the HFS and MVS Chapter 22: Transferring file between systems Mountable File Systems Directories Files Path and Pathname Using commands to work with directories and files Using the Network File System The working directory Creating and removing a directory Naming files Deleting a file Identifying a file by its inode number Creating and deleting links Renaming a file or directory Simultaneous access to a file Default permissions set by the system Changing permissions Displaying file and directory permissions Setting the file mode creation mask Displaying extended attributes Examples and requirements for various data types File Transfer Protocol (FTP) IBM z/os JCL Reference FILEDATA Parameter describe the organization of a hierarchical file so that the system can determine how to process the file IBM z/os JCL Reference PATH Parameter specify the name of the HFS file. IBM z/os JCL Reference PATHMODE Parameter file access attributes when the system is creating the HFS file named on the PATH parameter IBM z/os JCL Reference PATHMODE Parameter specify the file access attributes when the system is creating the HFS file 16 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide
25 Resource Chapter/Section Description IBM z/os JCL Reference PATHOPTS Parameter specify the access and status for the HFS file named in the PATH parameter IBM z/os SecureWay Security Server RACF Security Administrator s Guide The OMVS segment in User Profiles The z/os UNIX Identifier (UID) The initial directory path name (HOME) The maximum number of active or open files the user can have (FILEPROCMAX) The maximum number of processes the user can have (PROCUSERMAX) Migration Considerations Release 11.1 provides enhanced volume count control with MULTIVOL command specifications (e.g. ARCHIVE_SPACE_MULTIVOL). With the added capability for specifying a numeric volume count value, the default volume count associated with xxxx_space_multivol=y is changed from 59 to 5. If default volume count values greater than 5 are required, modifications to the defaults module may be performed. Release 11.1 provides segregated control of temporary data compression work space from other temporary work files. See the new TEMPDATA_xxx settings for additional information. If enabled, adjustments to existing TEMP_xxx settings should be considered to reduce overall work file allocation requirements. SecureZIP for z/os Release 11 provides the ability for an installation to logically move digital certificates from the SecureZIP Certificate Store to the installation s Security Server (for example, RACF). The SecureZIP Key Store Index component of the SecureZIP Certificate Store provides a redirection capability that permits existing jobs accessing digital certificates through the DB: syntax to reference certificates installed to the Security Server so that run-time JCL and parameters do not require modification. The administrative process of reindexing Security Server certificates for existing DB: entries is accomplished through the Add Certificates (or Register KeyRing Certificates) option under the Local Certificate Store Administration dialog. SecureZIP for z/os Release 11 includes a change to the Certificate Store references. If a Certificate Store configuration is not specified, DUMMY will be used as the default. To maintain upgrade continuity, Certificate Store configurations may be included with the INCLUDE_CMD or added to INSTLIB(ACZDFLT). Release 10 renamed the DATA_DELIMITER setting to ZIPFILE_RECORD_DELIMITER for the purpose of distinguishing it from new HFS ZOSFILE_RECORD_DELIMITER setting. Processing message references will now be made to ZIPFILE_RECORD_DELIMITER instead of DATA_DELIMITER. To maintain upgrade continuity for existing job streams, the DATA_DELIMITER command and the MCZDFLTS DATA_DELIMITER= keyword designator for the defaults module will continue to be supported as mapping entries to ZIPFILE_RECORD_DELIMITER. Release 10 renamed the PATH setting to USE_SOURCE_PATH to eliminate ambiguity with respect to HFS PATH names and PATH catalog entries. To maintain upgrade continuity for existing job streams, the PATH command and the MCZDFLTS PATH= Chapter 1 System Planning and Administration 17
26 keyword designator for the defaults module will continue to be supported as mapping entries to USE_SOURCE_PATH. Release 10 introduced newer forms of self-extractor (ref. INCLUDE_SFX for details) programs which support ZIP64 processing and Strong Decryption. Although the older versions of the self extractors are still available, they are specified with different names. Jobs coded with the previous names will include the newer form of the selfextraction programs in the archive. Release 10 introduced the command OUTFILE_LONGREC to support optional wrapping of extracted data (rather than truncating them). This command replaces a maintenance option PROC_OPT3=W setting (with alias command LONGREC_WRAP) introduced with TT3392. Although PROC_OPT3=W is still supported in this release, it is recommended that commands and default module settings be changed to use OUTFILE_LONGREC=WRAP instead. The LONGREC_WRAP alias command will now be assigned to OUTFILE_LONGREC and continue to be supported. Note: When changing the defaults module to use OUTFILE_LONGREC=W, PROC_OPT3= should be removed from the ACZDFLT source to avoid possible conflicts. When either setting is found to be W/WRAP, the record will be wrapped. Release 10 and higher permits the use of CRLF= Y,NOEOFDELIM and FILE_TERMINATOR= in the defaults module to prevent unwanted delimiter and terminator characters from being placed at the end of a file as it is added to an archive. This approach replaces old techniques of adding the commands CRLF(C) FILE_TERMINATOR() in the command stream. Release 10.0 introduced a new format for the SAFETYEX module, from INSTLIB. Transfer to a copy of the new module any installation entries you have made in the SAFETYEX that you have been using. The new version of the module has a separate section for HFS PATH entries. Installations using GZIP=Y in customized default modules should convert to ARCHIVE_ZIPFORMAT=GZIP. The GZIP setting is no longer honored when defined in the defaults module. Installations activating ARCHIVE_ZIPFORMAT Enhanced Tape Processing (XTAPE, XTAPE_LBI or FULL_LBI) should be aware that there are back-level release sharing considerations. ARCHIVE_ZIPFORMAT=FULL is recommended if a tape archive created by the current release is to be accessed by an older release of SecureZIP z. However, toleration maintenance change TT2741 is available for PKZIP for zseries (releases 5.6 & 8.2) and SecureZIP for zseries (releases 8.1 & 8.2) to provide restricted UNZIP processing capabilities. For information, refer to the ARCHIVE_ZIPFORMAT and ARCHIVE_BLKSIZE commands in the PKZIP/SecureZIP for z/os User s Guide. Installations suppressing the //SYSIN PDS member verification for performance reasons with PROC_OPT1=N (available with PKZIP for MVS maintenance) in ACZDFLT should change to CHECK_SYSIN_MEMBER=N in the assembly of ACZDFLT. PROC_OPT1 is no longer used for this purpose in PKZIP for MVS Release 5.5 or SecureZIP for z/os. Installations controlling the //SYSPRINT DCB attributes with PROC_OPT2 (available with PKZIP for MVS maintenance) in ACZDFLT should change to SYSPRINT_DCB in the assembly of ACZDFLT. PROC_OPT2 is no longer used for this purpose in PKZIP for MVS Release 5.5 or SecureZIP for z/os. 18 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide
27 Installations utilizing the filename case-insensitivity feature with PROC_OPT3=U (available with PKZIP for MVS maintenance) in ACZDFLT should change to FILENAME_SELECT_CASE=U in the assembly of ACZDFLT. PROC_OPT3 is no longer used for this purpose in SecureZIP for z/os. Upgrade note: Installations previously using text translation tables other than EBC#8859 for TRANSLATE_TABLE_DATA or TRANSLATE_TABLE_FILEINFO should review the data translation characters used. The newer default tables in EBC#8859 use the IBM ICONV standard character sets for IBM-1047 EBCDIC and ISO ASCII. In general, the newer default table is better for general-purpose text translation than the older ASCIIUS, ASCIIUSE, ASCIIUK, and ASCIIUKE tables. However, the older tables are still provided for compatibility in case installation-dependent processing requires translation of specialized character sets. The command ZIP_UNMOVABLE_CHKPT replaces functional fix TT1825 using PROC_OPT5 in earlier releases of the product. Installations previously using PROC_OPT5 are encouraged to use ZIP_UNMOVABLE_CHKPT. PROC_OPT5 is still active in this release, with differences in message notification (see command Usage Notes in the User s Guide for more information). The command GZIPCRC_IGNORE replaces functional fix TT2367 using PROC_OPT6 in earlier releases of the product. Installations previously using PROC_OPT6 are encouraged to use the new command. PROC_OPT6 is still active in this release, but may be removed in the future. Encryption features associated with the Advanced Encryption Module of PKZIP for zseries releases 5.5 and 5.6 are now only available with SecureZIP for z/os. However, PKZIP for z/os Enterprise Edition does include decryption capabilities allowing access to ZIP files created by earlier releases. SecureZIP installations previously using MASTER_RECIPIENT commands for contingency key processing will find a difference in processing if multiple MASTER_RECIPIENT command settings are provided in an execution. Whereas release 8.1 used the last command value, now all MASTER_RECIPIENT settings are cumulatively added to the run to provide support for multiple contingency keys. Installations using password-based encryption with passphrases greater than 95 characters should reference information from PKWARE HIPER fix TT3057. Contact the PKWARE Support team at with any questions related to this HIPER. Release History and Setting Changes A historical list of release changes is documented in the User Guide, Chapter 3, in the sections Release Summary and New Commands and Defaults. It is highly recommended that this section be reviewed to identify changes that may require attention for your installation s current operating environment. Chapter 1 System Planning and Administration 19
Tools for Managing Big Data Analytics on z/os
Tools for Managing Big Data Analytics on z/os Mike Stebner, Joe Sturonas PKWARE, Inc. Wednesday, March 12, 2014 Session ID 14948 Test link: www.share.org Introduction Heterogeneous Analysis Addressing
More informationConfiguring and Tuning SSH/SFTP on z/os
Configuring and Tuning SSH/SFTP on z/os Kirk Wolf / Steve Goetze Dovetailed Technologies info@dovetail.com dovetail.com Monday, March 10, 2014, 1:30PM Session: 14787 www.share.org Session Info/Eval link
More informationSecure Database Backups with SecureZIP
Secure Database Backups with SecureZIP A pproved procedures for insuring database recovery in the event of a disaster call for backing up the database and storing a copy of the backup offsite. Given the
More informationContingency Access to Enterprise Encrypted Data
T E C H N I C A L W H I T E P A P E R WP 700.xxxx Table of Contents No option to escrow Passphrase protection zseries example Incorporating contingency key in zseries Windows command line example Incorporating
More informationSharing Secrets Using Encryption Facility
Sharing Secrets Using Encryption Facility Eysha S. Powers IBM Corporation Insert Custom Session QR if Desired Tuesday, August 11, 2015: 6:00pm 7:00pm Session Number 17624 Cryptography is used in a variety
More informationUtility Mainframe System Administration Training Curriculum
Utility Mainframe System Administration Training Curriculum MVS SYSTEM ADMINISTRATION MVS SYSTEM ADMINISTRATION- LEVEL 1 TO 1.5 Name of the Module Common for All Administration LSO TSO/ISPF JCL & UTILITIES
More informationEnd-to-End Enterprise Encryption:
End-to-End Enterprise Encryption: A Look at SecureZIP Technology T E C H N I C A L W H I T E P A P E R WP 700.xxxx Table of Contents SecureZIP Executive Summary SecureZIP: The Next Generation of ZIP PKZIP:
More informationPKZIP 6.0. Command Line for Windows Getting Started Manual
PKZIP 6.0 Command Line for Windows Getting Started Manual Copyright 2000-2002 PKWARE, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval
More informationz/os Cryptographic Services - ICSF Best Practices
z/os Cryptographic Services - ICSF Best Practices Steven R. Hart, CISSP IBM Thursday, August 7, 2014: 8:30 AM-9:30 AM Session Number 15775 Insert Custom Session QR if Desired. Topics Cryptography Basics
More informationUsing the z/os SMB Server. to access z/os data from Windows. -- Hands-On Lab Session 10634-10879
Using the z/os SMB Server to access z/os data from Windows -- Hands-On Lab Session 10634-10879 Using the z/os SMB server to access z/os data from Windows Hands-On-Lab Marna Walle Jim Showalter Karl Lavo
More informationIBM Client Security Solutions. Client Security User's Guide
IBM Client Security Solutions Client Security User's Guide December 1999 1 Before using this information and the product it supports, be sure to read Appendix B - Notices and Trademarks, on page 22. First
More informationEncryption Facility for z/os Version 1.10
Front cover Encryption Facility for z/os Version 1.10 Principles of operations and options explained Examples of setup and use of all the features Expert considerations and recommendations Patrick Kappeler
More informationImplementing SSL Security on a PowerExchange 9.1.0 Network
Implementing SSL Security on a PowerExchange 9.1.0 Network 2012 Informatica Abstract This article describes how to implement SSL security on a PowerExchange network. To implement SSL security, configure
More informationSecureZIP User Guide
SecureZIP User Guide SecureZIP is an application for zipping files to save storage space as well as encrypting files with password control to protect information. SecureZIP not only works alone to perform
More informationDeploying PGP Encryption and Compression for z/os Batch Data Protection to (FIPS-140) Compliance
Deploying PGP Encryption and Compression for z/os Batch Data Protection to (FIPS-140) Compliance Patrick Townsend Software Diversified Services/Townsend Security August 9, 2011 Session Number 9347 PGP
More informationCrypto and Disaster Recovery. Greg Boyd gregboyd@mainframecrypto.com www.mainframecrypto.com
Crypto and Disaster Recovery Greg Boyd gregboyd@mainframecrypto.com www.mainframecrypto.com October 2014 Agenda Crypto and Disaster Recovery How Do You Do DR? Technology Hardware Domains Master Keys Restoring
More informationCA Deliver r11.7. Business value. Product overview. Delivery approach. agility made possible
PRODUCT SHEET CA Deliver agility made possible CA Deliver r11.7 CA Deliver is an online report management system that provides you with tools to manage and reduce the cost of report distribution. Able
More informationA guide for creating a more secure, efficient managed file transfer methodology
Sterling Connect:Direct & SecureZIP A guide for creating a more secure, efficient managed file transfer methodology JOE STURONAS CHIEF TECHNOLOGY OFFICER, PKWARE FORREST RATLIFF SOLUTIONS ENGINEER, PKWARE
More informationSystem i and System p. Customer service, support, and troubleshooting
System i and System p Customer service, support, and troubleshooting System i and System p Customer service, support, and troubleshooting Note Before using this information and the product it supports,
More informationIBM Crypto Server Management General Information Manual
CSM-1000-0 IBM Crypto Server Management General Information Manual Notices The functions described in this document are IBM property, and can only be used, if they are a part of an agreement with IBM.
More informationVERITAS NetBackup 6.0 Encryption
VERITAS NetBackup 6.0 Encryption System Administrator s Guide for UNIX, Windows, and Linux N15274C September 2005 Disclaimer The information contained in this publication is subject to change without notice.
More informationThe Digital Certificate Journey from RACF to PKI Services Part 2 Session J10 May 11th 2005
IBM eserver The Digital Certificate Journey from RACF to PKI Services Part 2 Session J10 May 11th 2005 Wai Choi IBM Corporation RACF Development Poughkeepsie, NY Phone: (845) 435-7623 e-mail: wchoi@us.ibm.com
More informationUnderstanding Digital Certificates on z/os Vanguard Las Vegas, NV Session AST3 June 26th 2012
Understanding Digital Certificates on z/os Vanguard Las Vegas, NV Session AST3 June 26th 2012 Wai Choi, CISSP IBM Corporation RACF/PKI Development & Design Poughkeepsie, NY e-mail: wchoi@us.ibm.com 1 Trademarks
More informationHP ProtectTools Embedded Security Guide
HP ProtectTools Embedded Security Guide Document Part Number: 364876-001 May 2004 This guide provides instructions for using the software that allows you to configure settings for the HP ProtectTools Embedded
More informationSecure your data. Wherever it is, Wherever it goes, However it gets there...on all major platforms. For every user.
Secure your data. Wherever it is, Wherever it goes, However it gets there......on all major platforms. For every user. SecureZIP Product Family SecureZIP products are designed as enterprise-class, data-centric
More informationProgram Directory for IBM Tivoli License Compliance Manager for z/os V3.2.0. Program Number 5698-A80 FMID HAUD320.
IBM Program Directory for IBM Tivoli License Compliance Manager for z/os V3.2.0 Program Number 5698-A80 FMID HAUD320 for Use with z/os Document Date: JULY 2005 GI11-4089-00 Note! Before using this information
More informationSecurity Service tools user IDs and passwords
System i Security Service tools user IDs and passwords Version 5 Release 4 System i Security Service tools user IDs and passwords Version 5 Release 4 Note Before using this information and the product
More informationData Center Real User Monitoring
Data Center Real User Monitoring Migration from CryptoSwift Migration Guide Release 12.0.2 Please direct questions about Data Center Real User Monitoring or comments on this document to: APM Customer Support
More informationi5/os and related software Distributing software
System i and System p i5/os and related software Distributing software Version 6 Release 1 System i and System p i5/os and related software Distributing software Version 6 Release 1 Note Before using
More informationSecurity Digital Certificate Manager
IBM i Security Digital Certificate Manager 7.1 IBM i Security Digital Certificate Manager 7.1 Note Before using this information and the product it supports, be sure to read the information in Notices,
More informationCA JCLCheck Workload Automation
PRODUCT SHEET CA JCLCheck Workload Automation CA JCLCheck Workload Automation CA JCLCheck Workload Automation (CA JCLCheck WA) validates z/os JCL before it is submitted for execution. CA JCLCheck WA helps
More informationQuick Beginnings for DB2 Servers
IBM DB2 Universal Database Quick Beginnings for DB2 Servers Version 8 GC09-4836-00 IBM DB2 Universal Database Quick Beginnings for DB2 Servers Version 8 GC09-4836-00 Before using this information and
More informationERserver. iseries. Secure Sockets Layer (SSL)
ERserver iseries Secure Sockets Layer (SSL) ERserver iseries Secure Sockets Layer (SSL) Copyright International Business Machines Corporation 2000, 2002. All rights reserved. US Government Users Restricted
More informationTivoli Access Manager Agent for Windows Installation Guide
IBM Tivoli Identity Manager Tivoli Access Manager Agent for Windows Installation Guide Version 4.5.0 SC32-1165-03 IBM Tivoli Identity Manager Tivoli Access Manager Agent for Windows Installation Guide
More informationSoftware Product Description
Software Product Description PRODUCT NAME: HP SNA Data Transfer SPD 27.85.13 This SPD describes HP SNA Data Transfer Facility for OpenVMS, which is available for the OpenVMS I64, OpenVMS Alpha and OpenVMS
More informationSecurity Digital Certificate Manager
System i Security Digital Certificate Manager Version 5 Release 4 System i Security Digital Certificate Manager Version 5 Release 4 Note Before using this information and the product it supports, be sure
More informationwebmethods Certificate Toolkit
Title Page webmethods Certificate Toolkit User s Guide Version 7.1.1 January 2008 webmethods Copyright & Document ID This document applies to webmethods Certificate Toolkit Version 7.1.1 and to all subsequent
More informationVTLBackup4i. Backup your IBM i data to remote location automatically. Quick Reference and Tutorial. Version 02.00
VTLBackup4i Backup your IBM i data to remote location automatically Quick Reference and Tutorial Version 02.00 Manufacture and distributed by VRTech.Biz LTD Last Update:16.9.2013 Contents 1. About VTLBackup4i...
More informationz/os Performance Monitoring Tools Shoot-Out: ASG, BMC, CA, Rocket
z/os Performance Monitoring Tools Shoot-Out: ASG, BMC, CA, Rocket Gary Henderson ASG (Allen Systems Group) 1 March 2011, 9:30 AM-10:30 AM Session Number 8695 Installation and Maintenance Installation and
More informationFDRSOS (Safeguard Open Storage)
Introducing FDRSOS (Safeguard Open Storage) FDRSOS (Safeguard Open Storage) provides high-speed, reliable backups of Open Systems (SCSI) data to an MVS or OS/390 System. FDRSOS and the SYMMETRIX 3000 and
More informationCA DLP. Release Notes for Advanced Encryption. r12.0
CA DLP Release Notes for Advanced Encryption r12.0 This documentation and any related computer software help programs (hereinafter referred to as the "Documentation") are for your informational purposes
More informationHitachi Virtual Storage Platform
Hitachi Virtual Storage Platform Encryption License Key User Guide FASTFIND LINKS Contents Product Version Getting Help MK-90RD7015-10 2010-2014 Hitachi, Ltd. All rights reserved. No part of this publication
More informationConfigure SecureZIP for Windows for Entrust Entelligence Security Provider 7.x for Windows
Configure SecureZIP for Windows for Entrust Entelligence Security Provider 7.x for Windows SecureZIP for Windows interoperates with leading PKI vendors including Entrust, VeriSign, and RSA to enable the
More informationMcAfee Endpoint Encryption for PC 7.0
Migration Guide McAfee Endpoint Encryption for PC 7.0 For use with epolicy Orchestrator 4.6 Software COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee,
More informationfåíéêåéí=péêîéê=^çãáåáëíê~íçêûë=dìáçé
fåíéêåéí=péêîéê=^çãáåáëíê~íçêûë=dìáçé Internet Server FileXpress Internet Server Administrator s Guide Version 7.2.1 Version 7.2.2 Created on 29 May, 2014 2014 Attachmate Corporation and its licensors.
More informationCS z/os Application Enhancements: Introduction to Advanced Encryption Standards (AES)
Software Group Enterprise Networking and Transformation Solutions (ENTS) CS z/os Application Enhancements: Introduction to Advanced Encryption Standards (AES) 1 A little background information on cipher
More informationSMF Digital Signatures in z/os 2.2. Anthony Sofia (atsofia@us.ibm.com) Software Engineer at IBM August 14 th 2015
SMF Digital Signatures in z/os 2.2 Anthony Sofia (atsofia@us.ibm.com) Software Engineer at IBM August 14 th 2015 Agenda What is a digital signature? How digital signatures enhance SMF data Configuration
More informationIBM i Version 7.2. Security Service Tools
IBM i Version 7.2 Security Service Tools IBM i Version 7.2 Security Service Tools Note Before using this information and the product it supports, read the information in Notices on page 37. This edition
More informationSAS 9.4 Intelligence Platform: Migration Guide, Second Edition
SAS 9.4 Intelligence Platform: Migration Guide, Second Edition SAS Documentation The correct bibliographic citation for this manual is as follows: SAS Institute Inc. 2015. SAS 9.4 Intelligence Platform:
More informationAdministration Guide. BlackBerry Enterprise Service 12. Version 12.0
Administration Guide BlackBerry Enterprise Service 12 Version 12.0 Published: 2015-01-16 SWD-20150116150104141 Contents Introduction... 9 About this guide...10 What is BES12?...11 Key features of BES12...
More informationCA Workload Automation Agent for Databases
CA Workload Automation Agent for Databases Implementation Guide r11.3.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the
More informationODEX Enterprise. Introduction to ODEX Enterprise 3 for users of ODEX Enterprise 2
ODEX Enterprise Introduction to ODEX Enterprise 3 for users of ODEX Enterprise 2 Copyright Data Interchange Plc Peterborough, England, 2013. All rights reserved. No part of this document may be disclosed
More informationSpector 360 Deployment Guide. Version 7.3 January 3, 2012
Spector 360 Deployment Guide Version 7.3 January 3, 2012 Table of Contents Deploy to All Computers... 48 Step 1: Deploy the Servers... 5 Recorder Requirements... 52 Requirements... 5 Control Center Server
More informationRELEASE NOTES. Table of Contents. Scope of the Document. [Latest Official] ADYTON Release 2.12.9 - corrections. ADYTON Release 2.12.
Table of Contents Scope of the Document... 1 [Latest Official] ADYTON Release 2.12.9... 1 ADYTON Release 2.12.4... 1 ADYTON Release 2.9.3... 3 ADYTON Release 2.7.7... 3 ADYTON Release 2.6.2... 4 ADYTON
More informationDomino Certification Authority and SSL Certificates
Domino Certification Authority and SSL Certificates Setup Domino as Certification Authority Process Client Certificate Requests Mike Bartlett ibm.com/redbooks Redpaper Redpaper International Technical
More informationCA Top Secret r15 for z/os
PRODUCT SHEET: CA TOP SECRET FOR z/os we can CA Top Secret r15 for z/os CA Top Secret for z/os (CA Top Secret ) provides innovative, comprehensive security for your business transaction environments, including
More informationCopyright 2012 Trend Micro Incorporated. All rights reserved.
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,
More informationCA Performance Center
CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is
More informationSiebel Installation Guide for UNIX. Siebel Innovation Pack 2013 Version 8.1/8.2, Rev. A April 2014
Siebel Installation Guide for UNIX Siebel Innovation Pack 2013 Version 8.1/8.2, Rev. A April 2014 Copyright 2005, 2014 Oracle and/or its affiliates. All rights reserved. This software and related documentation
More informationVERITAS NetBackup Microsoft Windows User s Guide
VERITAS NetBackup Microsoft Windows User s Guide Release 3.2 Windows NT/95/98 May, 1999 P/N 100-001004 1994-1999 VERITAS Software Corporation. All rights reserved. Portions of this software are derived
More informationJD Edwards World. Database Audit Manager Release A9.3 E21957-02
JD Edwards World Database Audit Manager Release A9.3 E21957-02 April 2013 JD Edwards World Database Audit Manager, Release A9.3 E21957-02 Copyright 2013, Oracle and/or its affiliates. All rights reserved.
More informationVersion 5.0. MIMIX ha1 and MIMIX ha Lite for IBM i5/os. Using MIMIX. Published: May 2008 level 5.0.13.00. Copyrights, Trademarks, and Notices
Version 5.0 MIMIX ha1 and MIMIX ha Lite for IBM i5/os Using MIMIX Published: May 2008 level 5.0.13.00 Copyrights, Trademarks, and Notices Product conventions... 10 Menus and commands... 10 Accessing online
More informationEMC NetWorker Module for Microsoft Exchange Server Release 5.1
EMC NetWorker Module for Microsoft Exchange Server Release 5.1 Installation Guide P/N 300-004-750 REV A02 EMC Corporation Corporate Headquarters: Hopkinton, MA 01748-9103 1-508-435-1000 www.emc.com Copyright
More informationNetwork Management & Monitoring
Network Management & Monitoring Overview CSI International 8120 State Route 138 Williamsport, OH 43164-9767 http://www.csi-international.com (800) 795-4914 - USA (740) 420-5400 - Main Operator (740) 333-7335
More informationCA ARCserve Backup for Windows
CA ARCserve Backup for Windows Agent for Microsoft SharePoint Server Guide r15 This documentation and any related computer software help programs (hereinafter referred to as the "Documentation") are for
More informationApple Corporate Email Certificates Certificate Policy and Certification Practice Statement. Apple Inc.
Apple Inc. Certificate Policy and Certification Practice Statement Version 2.0 Effective Date: April 10, 2015 Table of Contents 1. Introduction... 4 1.1. Trademarks... 4 1.2. Table of acronyms... 4 1.3.
More informationCA OPS /MVS Event Management and Automation
CA OPS /MVS Event Management and Automation Security Guide Release 12.1 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the
More informationCA Integrated Agent Services
CA Integrated Agent Services Implementation Guide Version 12.0.00 Second Edition This Documentation, which includes embedded help systems and electronically distributed materials (hereinafter referred
More informationTIBCO Fulfillment Provisioning Session Layer for FTP Installation
TIBCO Fulfillment Provisioning Session Layer for FTP Installation Software Release 3.8.1 August 2015 Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED
More informationUnderstanding Digital Certificates on z/os Share Anaheim, CA Session 8349 March 2nd 2011
Understanding Digital Certificates on z/os Share Anaheim, CA Session 8349 March 2nd 2011 Wai Choi, CISSP IBM Corporation RACF/PKI Development & Design Poughkeepsie, NY e-mail: wchoi@us.ibm.com 1 Trademarks
More informationHP P9000 for Business Continuity Manager Software 6.7.0-00
HP P9000 for Business Continuity Manager Software 6.7.0-00 Release Notes HP Part Number: T5253-96061 Published: November 2011 Edition: First Copyright 2009, 2011 Hewlett-Packard Development Company, L.P.
More informationVERITAS NetBackup 6.0
VERITAS NetBackup 6.0 Backup, Archive, and Restore Getting Started Guide for UNIX, Windows, and Linux N15278C September 2005 Disclaimer The information contained in this publication is subject to change
More informationBlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note
BlackBerry Enterprise Service 10 Secure Work Space for ios and Android Version: 10.1.1 Security Note Published: 2013-06-21 SWD-20130621110651069 Contents 1 About this guide...4 2 What is BlackBerry Enterprise
More informationz/os Firewall Technology Overview
z/os Firewall Technology Overview Mary Sweat E - Mail: sweatm@us.ibm.com Washington System Center OS/390 Firewall/VPN 1 Firewall Technologies Tools Included with the OS/390 Security Server Configuration
More informationVERITAS NetBackup TM 6.0
VERITAS NetBackup TM 6.0 System Administrator s Guide, Volume II for UNIX and Linux N15258B September 2005 Disclaimer The information contained in this publication is subject to change without notice.
More informationEMC NetWorker Module for Microsoft Applications Release 2.3. Application Guide P/N 300-011-105 REV A02
EMC NetWorker Module for Microsoft Applications Release 2.3 Application Guide P/N 300-011-105 REV A02 EMC Corporation Corporate Headquarters: Hopkinton, MA 01748-9103 1-508-435-1000 www.emc.com Copyright
More informationMGC WebCommander Web Server Manager
MGC WebCommander Web Server Manager Installation and Configuration Guide Version 8.0 Copyright 2006 Polycom, Inc. All Rights Reserved Catalog No. DOC2138B Version 8.0 Proprietary and Confidential The information
More informationEMC Data Protection Search
EMC Data Protection Search Version 1.0 Security Configuration Guide 302-001-611 REV 01 Copyright 2014-2015 EMC Corporation. All rights reserved. Published in USA. Published April 20, 2015 EMC believes
More informationSecuring Data At Rest And Data In Motion - Strategic Data-Centric Security. 9 th March 2012
Securing Data At Rest And Data In Motion - Strategic Data-Centric Security 9 th March 2012 PKWARE Main Benefits Setting The Scene Project Management Triangle Scope Time Cost Security Triangle Security
More informationHitachi Data Ingestor
Hitachi Data Ingestor Backup Restore Features Supplement for Hitachi Data Protection Suite Product Version Getting Help Contents MK-90HDI009-14 2010-2015 Hitachi, Ltd. All rights reserved. No part of this
More informationMail 2 ZOS FTPSweeper
Mail 2 ZOS FTPSweeper z/os or OS/390 Release 1.0 February 12, 2006 Copyright and Ownership: Mail2ZOS and FTPSweeper are proprietary products to be used only according to the terms and conditions of sale,
More informationsafend a w a v e s y s t e m s c o m p a n y
safend a w a v e s y s t e m s c o m p a n y SAFEND Data Protection Suite Installation Guide Version 3.4.5 Important Notice This guide is delivered subject to the following conditions and restrictions:
More information7XWRULDO 5(;;6FULSWLQJ/DQJXDJH
7XWRULDO 5(;;6FULSWLQJ/DQJXDJH 3+33\WKRQEHOLHEWEHL/LQX[%HQXW]HUQ3HUOXQG7FO7NVLQGZHLWYHUEUHLWHWH6FULSWLQJ/DQJXDJHV 5(;;LVW,%0VEHYRU]XJWH6FULSWLQJ/DQJXDJHXQGLVWGHVKDOEDXIDOOH,%0%HWULHE\VWHPHVHLW YLHOHQ-DKUHQYHUI
More informationDigital Certificates Demystified
Digital Certificates Demystified Alyson Comer IBM Corporation System SSL Development Endicott, NY Email: comera@us.ibm.com February 7 th, 2013 Session 12534 (C) 2012, 2013 IBM Corporation Trademarks The
More informationRSA Authentication Manager 7.1 to 8.1 Migration Guide: Upgrading RSA SecurID Appliance 3.0 On Existing Hardware
RSA Authentication Manager 7.1 to 8.1 Migration Guide: Upgrading RSA SecurID Appliance 3.0 On Existing Hardware Contact Information Go to the RSA corporate website for regional Customer Support telephone
More informationLesson Plans Microsoft s Managing and Maintaining a Microsoft Windows Server 2003 Environment
Lesson Plans Microsoft s Managing and Maintaining a Microsoft Windows Server 2003 Environment (Exam 70-290) Table of Contents Table of Contents... 1 Course Overview... 2 Section 0-1: Introduction... 4
More informationSymantec Backup Exec 11d for Windows Servers New Encryption Capabilities
WHITE PAPER: ENTERPRISE SECURITY Symantec Backup Exec 11d for Windows Servers New Encryption Capabilities White Paper: Enterprise Security Symantec Backup Exec 11d for Windows Servers Contents Executive
More informationSAS 9.4 Intelligence Platform
SAS 9.4 Intelligence Platform Application Server Administration Guide SAS Documentation The correct bibliographic citation for this manual is as follows: SAS Institute Inc. 2013. SAS 9.4 Intelligence Platform:
More informationCA OPS /MVS Event Management and Automation
CA OPS /MVS Event Management and Automation Security Guide Release 12.0 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the
More informationCA Chorus Software Manager
CA Chorus Software Manager User Guide Release 5.1 Third Edition This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation
More informationAdaptive Server Enterprise
Using Backup Server with IBM Tivoli Storage Manager Adaptive Server Enterprise 15.7 DOCUMENT ID: DC01176-01-1570-01 LAST REVISED: September 2011 Copyright 2011 by Sybase, Inc. All rights reserved. This
More informationVersion 2.3. Administration SC32-1430-03
Tivoli IBM Tivoli License Compliance Manager Version 2.3 Administration SC32-1430-03 Tivoli IBM Tivoli License Compliance Manager Version 2.3 Administration SC32-1430-03 Note Before using this information
More informationCA Librarian r4.3. Overview. Business value
PRODUCT SHEET CA Librarian CA Librarian r4.3 CA Librarian for z/os, for z/vse and for z/vm (CA Librarian) is a highly sophisticated and flexible storage medium of source programs and other sets of data
More informationCA SiteMinder. Web Agent Installation Guide for IIS. r12.5
CA SiteMinder Web Agent Installation Guide for IIS r12.5 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation
More informationCA SiteMinder. Web Agent Installation Guide for IIS 12.51
CA SiteMinder Web Agent Installation Guide for IIS 12.51 This Documentation, which includes embedded help systems and electronically distributed materials (hereinafter referred to as the Documentation
More informationIBM Campaign and IBM Silverpop Engage Version 1 Release 2 August 31, 2015. Integration Guide IBM
IBM Campaign and IBM Silverpop Engage Version 1 Release 2 August 31, 2015 Integration Guide IBM Note Before using this information and the product it supports, read the information in Notices on page 93.
More informationHow To Backup A Database In Navision
Making Database Backups in Microsoft Business Solutions Navision MAKING DATABASE BACKUPS IN MICROSOFT BUSINESS SOLUTIONS NAVISION DISCLAIMER This material is for informational purposes only. Microsoft
More informationHow To Login To The Mft Internet Server (Mft) On A Pc Or Macbook Or Macintosh (Macintosh) With A Password Protected (Macbook) Or Ipad (Macro) (For Macintosh) (Macros
TIBCO MFT Internet Server User Guide Software Release 7.2.4 October 2014 Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED OR BUNDLED TIBCO SOFTWARE
More informationHost Access Management and Security Server
Host Access Management and Security Server Evaluation Guide Host Access Management and Security Server Evaluation Guide 12.2 Copyrights and Notices Copyright 2015 Attachmate Corporation. All rights reserved.
More informationWeb Express Logon Reference
IBM WebSphere Host On-Demand Version 10 Web Express Logon Reference SC31-6377-01 IBM WebSphere Host On-Demand Version 10 Web Express Logon Reference SC31-6377-01 Note Before using this information and
More information