PKZIP /SecureZIP for z/os

Transcription

1 PKZIP /SecureZIP for z/os System Administrator s Guide SZZSA- V111R0002 PKWARE Inc.

2 PKWARE, Inc. 648 N Plankinton Avenue, Suite 220 Milwaukee, WI Main office: 888-4PKWARE ( ) Sales: (888-4PKWARE / ) Sales - pksales@pkware.com Support: Support - Web Site: Edition (2009) SecureZIP for z/os, PKZIP for z/os, SecureZIP for i5/os, PKZIP for i5/os, SecureZIP for UNIX, and SecureZIP for Windows are just a few of the members of the PKWARE product family. PKWARE Inc. would like to thank all the individuals and companies including our customers, resellers, distributors, and technology partners who have helped make PKZIP the industry standard for trusted ZIP solutions. SecureZIP enables our customers to efficiently and securely transmit and store information across systems of all sizes, ranging from desktops to mainframes. This edition applies to the following PKWARE Inc. licensed programs: PKZIP for z/os (Version 11, Release 1, 2009) SecureZIP for z/os (Version 11, Release 1, 2009) SecureZIP Partner for z/os (Version 11, Release 1, 2009) PKWARE, PKZIP, and SecureZIP are registered trademarks of PKWARE, Inc. z/os, i5/os, zseries, and iseries are registered trademarks of IBM Corporation. Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged. Any reference to licensed programs or other material, belonging to any company, is not intended to state or imply that such programs or material are available or may be used. The copyright in this work is owned by PKWARE Inc., and the document is issued in confidence for the purpose only for which it is supplied. It must not be reproduced in whole or in part or used for tendering purposes except under an agreement or with the consent in writing of PKWARE Inc., and then only on condition that this notice is included in any such reproduction. No information as to the contents or subject matter of this document or any part thereof either directly or indirectly arising there from shall be given or communicated in any manner whatsoever to a third party being an individual firm or company or any employee thereof without the prior consent in writing of PKWARE Inc. Copyright PKWARE Inc. All rights reserved. MVS/QuickRef Copyright , Chicago-Soft, Ltd.

3 Contents PREFACE... 1 Notices...1 About This Manual...1 Conventions Used in This Manual...1 Related Publications...2 Related Information on the Internet...4 User Help and Contact Information SYSTEM PLANNING AND ADMINISTRATION... 5 Planning for Administration Activities...5 System Requirements...7 Operating System...7 Region Size and Storage...8 Static Disk Space...9 Tape Device Considerations...9 UserID OMVS Segment...10 SecureZIP ICSF Operations...10 z/os UNIX File System (HFS)...15 Migration Considerations...17 Release History and Setting Changes...19 Distinctive Features of PKZIP and SecureZIP for z/os...20 Distinctive Features of SecureZIP for z/os...21 PKWARE PartnerLink: SecureZIP Partner for z/os...21 Encryption...22 Authentication...22 Data Integrity...22 Digital Signature Validation...23 Digital Signature Source Validation...23 Public-Key Infrastructure and Digital Certificates...24 Contents iii

4 Public-Key Infrastructure (PKI)...24 x Digital Certificates...25 Certificate Authority (CA)...25 Private Key...25 Public Key...25 Certificate Authority and Root Certificates...26 Setting Up Stores for Digital Certificates on z/os...26 Setting Up the Certificate Stores...26 Updating the Certificate Stores...28 Types of Encryption Algorithms...28 Standard...28 FIPS 46-3, Data Encryption Standard (DES)...29 Triple DES Algorithm (3DES)...29 Advanced Encryption Standard (AES)...29 Comparison of the 3DES and AES Algorithms...29 RC Key Management...31 Passwords and PINS...31 Recipient Based Encryption...31 Random Number Generation...32 Integrity of Public and Private Keys...32 Data Encryption INSTALLATION, LICENSING, AND CONFIGURATION Installation Overview...34 Type of Media Distribution for Installation...34 Installation from Downloaded File or CD...35 Non-SMP/E Installation...35 SMP/E Installation...37 Installing from Tape...41 Tailoring Site-Specific Changes to the Defaults Module...42 Tailoring Site-Locking Commands...43 Protecting Files with the SAFETYEX Module...43 Tailoring for Filename and Data Character Set Conversions...44 SMS Dataclass Considerations...44 Note for users of PKZIP for MVS and PKZIP for zseries Considerations when Exporting Private Keys using RACDCERT...45 Evaluation Activity Log...45 Activity Log Setup and Configuration...46 Licensing Requirements...48 Licensed Types...49 Product Features...50 iv PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

5 Evaluation Period...53 Release-Dependent Licensing...53 Current Use License...53 Show System Information...55 Conditional Use...56 Initializing the License...56 PKZIP and Full-Featured SecureZIP License Activation...57 SecureZIP Partner License Activation...57 Reporting the PKZIP/SecureZIP for z/os License...58 PKZIP/SecureZIP for z/os Grace Period...59 Running a Disaster Recovery Test...59 Activating the ISPF Interface...60 ISPF Main Menu...61 Running PKZIP/SecureZIP with Library Lookaside (LLA and LNKLST)...61 Verifying the Installation...62 Run-time Performance Considerations...62 Main Tuning Ingredients...63 Initialization JOBLIB/STEPLIB Elimination, LLA, VLF and/or LPA...64 Initialization SYSIN Command Records via Partitioned Members...66 Initialization PARMLIB Commands via Partitioned Members...67 Enable SMF Recording...67 SMF Activation...68 Install and Activate the PKWSVC Module...68 Select a Unique SMF Record Type...71 Activate SVC and SMF Settings in the SecureZIP Defaults Module...72 Default Module Settings Affecting SMF Recording SECURITY ADMINISTRATION OVERVIEW Accessing Certificates...77 Public Key Certificate...77 Private Key Certificates...78 Certificate Authority and Root Certificates...78 Configuration Profile...78 Contents of the Configuration Profile...78 Data Base (DB) Profile (Local Certificate Store)...79 LDAP Profile (Networked Certificate Store)...79 Recipient Searches...80 Local Certificate Stores...81 Access x.509 Public and Private Key Certificates...81 Authentication and Certificate Validation Policies...82 Other Profile Commands...86 Passphrase Registration...87 Accessing the Passphrase Registration Dialogs CERTIFICATE STORE MANAGEMENT SecureZIP Main Panel Access to the Certificate Stores...89 Contents v

6 SecureZIP Certificate Store Administration and Configuration...89 Local Certificate Store Administration...90 SecureZIP Local Certificate Store...91 Create a New Local Certificate Store DB...92 Certificate Validation Options...93 Generated JCL to Build the Initial Certificate Store...94 View Data Base Certificate Entries...95 List Certificate Entries Add a Certificate to the Local Store Add a New Certificate to the CA Store Add a New Trusted Root Certificate to the Root Store Add a New Certificate via Batch Processing Register Security Server Certificates in the Key Store Index Delete a Certificate from the Local Store Synchronize the Index for the Local Certificate Store Generated JCL for Synchronization CA, Root, and CRL Verification Report DB Statistics Edit Active DB Profile Backup and Restore Process Directory Certificate Store Configuration - LDAP Create/Test LDAP Profile Statements Edit existing LDAP profile Create/Test LDAP Link Create New LDAP Profile Settings Load Existing LDAP Profile Testing the LDAP Connection Runtime Configuration Zip/Unzip Runtime Configuration Panel SecureZIP Runtime Configuration Panel SecureZIP Runtime Configuration Panel Undefined SecureZIP Runtime Configuration Panel with DB Profile Defined SecureZIP Runtime Configuration Panel with Private Certificate Location x.509 Certificate Utilities The Options Certificate Revocation Lists Filename Encryption How SecureZIP for z/os Encrypts File Names When SecureZIP for z/os Encrypts File Names Encrypting File Names When You Update an Archive Opening and Viewing an Archive that Has Encrypted File Names Input required to View Recipients in a Filename Encrypted Archive View of Recipients in a Filename Encrypted Archive View Detail of an Archive that Has Encrypted File Names Decrypting a Filename Encrypted Archive SECURITY QUESTIONS AND SOLUTIONS Which encryption settings should be chosen? How is encryption activated? vi PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

7 How is ICSF hardware acceleration activated? What is the difference between an Encryption Method and an algorithm? How many recipients can be specified? What virtual storage is required for certificate-based encryption? How does ENCRYPTION_METHOD affect certificate-based encryption? How does SecureZIP activate MASTER_RECIPIENT contingency keys? How does MASTER_RECIPIENT affect activation? How do I copy a local certificate store? How do I remove a local certificate store? How can the contents of an x.509 certificate file be determined? PKWARE PARTNERLINK: SECUREZIP PARTNER About SecureZIP Partner for z/os If You Are a Sponsor: Sign the Central Directory Terms and Acronyms Used in This Chapter PKWARE PartnerLink Program: Overview Decrypting and Extracting Sponsor Data (Read Mode) Creating an Archive for a Sponsor Getting Started Co-existence with Other PKWARE Products Recommendations PartnerLink Certificate Store Administration and Configuration Choosing a Configuration Model Installing a Sponsor Distribution Package Updating a Sponsor Distribution Package Removing a Sponsor Distribution Package Providing a Sponsor Configuration for Execution CRYPTOGRAPHIC FACILITY UTILITY - PKCRYUTL Cryptographic Facility Categories Assessing a System s Cryptographic Capabilities with PKCRYUTL PKCRYUTL Execution PKCRYUTL Reporting PKCRYUTL Sample Report PKCRYUTL Interpretation SMF RECORD FORMATS GLOSSARY INDEX Contents vii

8 viii PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

9 Preface SecureZIP for z/os, like PKZIP for z/os, is a member of the PKWARE family of products providing high-performance data compression and data protection across multiple operating systems and platforms. PKZIP for z/os provides powerful, easy-to-use data compression on the mainframe. PKZIP for z/os Enterprise Edition additionally includes support for password-based decryption of encrypted files, powered by trusted RSA BSAFE. Files created by PKZIP for z/os use the widely-adopted ZIP format and can be accessed on all major platforms throughout the enterprise from mainframe to PC. SecureZIP for z/os provides powerful, easy-to-use data compression and data protection on the mainframe. SecureZIP for z/os protects data with digital signatures and several encryption choices. Both trusted RSA BSAFE encryption or IBM ICSF are offered, either password- or certificate-based, and with key lengths of up to 256 bits. Like PKZIP for z/os, SecureZIP for z/os uses the widely-adopted ZIP format and creates files that can be accessed on all major platforms throughout the enterprise. Notices Licensing requirements have changed for this release. See chapter 2 for current information. About This Manual This manual provides information to help a system administrator install and use PKZIP for z/os or SecureZIP for z/os in an operational environment on supported IBM releases of z/os. It is assumed that anyone using this manual has a good understanding of JCL and dataset processing. Conventions Used in This Manual Throughout this manual, the following conventions are used: SecureZIP z (bold-italicized) is used as a shorthand to refer to both SecureZIP for z/os and PKZIP for z/os. Statements made about SecureZIP z apply to both products. Information given specifically for SecureZIP for z/os or PKZIP for z/os applies specifically to that product. Preface 1

10 The terms ZIP and UNZIP are used to refer to the respective overall processes of operating on an archive. The term PKZIP is often used generically to refer to any of the underlying executable programs that process archives in PKZIP for z/os and SecureZIP for z/os. These include programs PKZIP and SECZIP, to ZIP archives, and programs PKUNZIP and SECUNZIP, to UNZIP them. PKZIP is also more narrowly used to refer to either the PKZIP or SECZIP program, and PKUNZIP is often used to refer to either the PKUNZIP or SECUNZIP program. The use of the Courier font indicates text that may be found in job control language (JCL), parameter controls, or printed output. The use of italics in a command line indicates a value that must be substituted by the user, for example, a data set name. Italics are also used in body text to quote command names and so forth or to indicate the title of a manual or other publication. The use of <angle brackets> in a command definition indicates a mandatory parameter. The use of [square brackets] in a command definition indicates an optional parameter. A vertical bar ( ) in a command definition is used to separate mutually exclusive parameter options or modifiers. When sample JCL is shown, or references to the SecureZIP z libraries are made, the high-level qualifier PKWARE.MVS may be used generically. The high-level qualifier specifically for the packaged product SecureZIP for z/os is SECZIP.MVS. The high-level qualifier specifically for the packaged product PKZIP for z/os is PKZIP.MVS. Note that the actual high-level qualifiers installed on your system may be different. Program examples may show either SecureZIP for z/os or PKZIP for z/os constructs, for backward compatibility. In general, examples apply to both programs unless the examples appear in sections of the manual that relate exclusively to SecureZIP features. Such sections are marked like this: SecureZIP only Related Publications IBM Manuals relating to the SecureZIP z products include: System Codes - Documents the completion codes issued by the operating system when it terminates a task or an address space. Describes the wait state codes placed in the program status word (PSW) when the system begins a wait state. Describes the causes of loops. System Messages - Documents the messages issued by the z/os operating system. The descriptions explain why the component issued the message, give the actions of the operating system, and suggest responses by the applications programmer, system programmer, and/or operator. JES2 Messages - Documents the messages issued by the JES2 subsystem. The descriptions explain why the component issued the message, give the actions of the 2 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

11 operating system, and suggest responses by the applications programmer, system programmer, and/or operator. JCL User's Guide - Describes the job control tasks needed to enter jobs into the operating system, control the system's processing of jobs, and request the resources needed to run jobs. To perform the tasks, programmers code job control statements. The user's guide assists in deciding how to perform job control tasks. JCL Reference - Describes the job control tasks needed to enter jobs into the operating system, control the system's processing of jobs, and request the resources needed to run jobs. To perform the tasks, programmers code job control statements. The reference guide; is designed to be used while coding the statements. Access Methods Services - Documents the functions that are available with Virtual Storage Access Method (VSAM) and describes the IDCAMS commands that can be issued to control VSAM datasets. DFSMS Using Data Sets Reference materials regarding z/os file systems and their usage. DFSMS Macro Instructions for Data Sets Reference material regarding I/O handling and diagnostics. ICSF Application Programmers Guide Describes how to use the callable services provided by the Integrated Cryptographic Service facility. ICSF Administrators Guide Describes how to manage cryptographic keys by using the z/os Integrated Cryptographic Service facility. ICSF Overview Contains overview and planning information for the z/os Integrated Cryptographic Service facility. ISPF bookshelf Reference materials regarding run-time environments supporting, and used by SecureZIP z. Language Environment bookshelf Reference materials regarding run-time environments supporting, and used by SecureZIP z. TSO/E Command Reference - Documents the functions of the TRANSMIT and RECEIVE Command Facility used for the distribution and allocation of SecureZIP z installation libraries. TSO/E Rexx Reference Reference materials regarding run-time environments supporting, and used by SecureZIP z. z/os XL C/C++ bookshelf Reference materials regarding run-time environments supporting, and used by SecureZIP z. z/os Unix System Services User s Guide Provides information that is fundamental to working with UNIX File Systems (also known as the hierarchical file system). MVS/QuickRef 6.3 (Chicago-Soft, Ltd.) - Includes both messages and command reference material for SecureZIP z. Preface 3

12 Related Information on the Internet PKWARE, Inc. FTP site Product manuals - ftp://bigiron.pkware.com/pub/manuals/zos Product downloads - ftp://bigiron.pkware.com/pub/products o o PKZIP for z/os - ftp://bigiron.pkware.com/pub/products/pkzip/zos SecureZIP for z/os - ftp://bigiron.pkware.com/pub/products/securezip/zos o SecureZIP Partner for z/os - ftp://bigiron.pkware.com/pub/products/partnerlink/zos National Institutes of Standards and Technology Computer Security Resource Center - Information on the AES development - Information on Key Management - RSA BSAFE Content Library User Help and Contact Information For licensing, please contact Sales at (888-4PKWARE / ) or pksales@pkware.com. For technical assistance, contact Technical Support at or visit the support web site: 4 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

13 1 System Planning and Administration SecureZIP z contains two main programs: PKZIP (or SECZIP in SecureZIP) and PKUNZIP (or SECUNZIP in SecureZIP). The ZIP program is used to compress or store files into a ZIP format archive, while the UNZIP program is used to extract data compressed into ZIP-compatible archives. Processing control is available through the use of customized option modules, shared command lists, and individual job inputs. In addition to file selection, features such as compression levels and performance selections can be specified. To guarantee data integrity, a 32-bit cyclic redundancy check (CRC) is a standard feature. A ZIP archive is platform-independent; therefore, data compressed (zipped) on one platform, such as UNIX or Windows, can be decompressed (unzipped) on another platform, such as z/os, by using a compatible version of the UNZIP program. With its advanced password and certificate-based security features, SecureZIP for z/os offers multiple methods of encryption and is an excellent choice for securing data and data transfers. However, it is important that system administrators carefully plan in advance the design, development, and testing tasks required to successfully integrate SecureZIP for z/os as a secure solution into a production environment. The following sections chart the production and pre-production planning activities for administration and discuss SecureZIP z model environments and important concepts for the systems administrator. They also describe encryption, types of algorithms in use, information about specific mandates requiring the use of secure data, and how SecureZIP z will secure that data. Planning for Administration Activities The SecureZIP z software is often installed and maintained by a single party within an installation s system programming staff. However, there are several system interface components that may require attention from other departments relating to the administration of SecureZIP operation. Use the following installation and feature configuration checklist to help plan out the installation and operational use of SecureZIP z. Chapter 1 System Planning and Administration 5

14 Feature or Activity Base software installation; includes: Licensing Tailoring of the installation defaults module Translate table selection SAFETYEX module tailoring Migration Considerations Activating the TSO ISPF Interface Initial Tuning Optional LLA, VLF and LPA Configure Cryptographic Services for data Encryption, Digital Signing and Authentication with SecureZIP for z/os Use of ICSF Cryptographic Facilities CLASS(CSFSERV) service profiles Define the SecureZIP for z/os Key Store Index and Certificate Store Administer Digital Certificates to the SecureZIP for z/os Key Store for use in RECIPIENT, SIGN_FILES, SIGN_ARCHIVE or AUTHCHK processing. DATASET update access to SecureZIP Key Store components Administer Digital Certificates to the Security Server for use in RECIPIENT, SIGN_FILES, SIGN_ARCHIVE or AUTHCHK processing with SecureZIP for z/os. Certificate and Key Ring controls Administer Passphrase Registration to the ICSF CKDS for use with SecureZIP for z/os. CLASS(CSFSERV,CSFKEYS) service profiles Enable and Administer SecureZIP for z/os Policy Lockdown features Resources Ref. chapter 2 Required: System Programmer Optional: Data transfer architect for Translate Tables Optional: Storage administrator for related defaults module settings Optional: Security policy manager for related defaults module settings. Required: Security Administrator to define data set protection for supporting software libraries. Ref. chapter 1, SecureZIP ICSF Operations Ref. SecureZIP Security Administrator s Guide; ICSF Service Controls Required: ICSF Administrator, Security Server Administrator Ref. chapter 1, Setting Up Stores for Digital Certificates on z/os Ref. chapter 1, Public-Key Infrastructure and Digital Certificates Ref. chapter 4 Required: Security Server Administrator, SecureZIP Key Administrator Ref. SecureZIP Security Administrator s Guide Ref. IBM z/os Security Server RACF Administration Ref. IBM z/os Security Server RACF Command Reference (RACDCERT) Ref. IBM z/os Security Server Callable Services (R_datalib) Required: Security Server Administrator, SecureZIP Key Administrator, ICSF CKDS Administrator Ref. SecureZIP for z/os Security Administrator s Guide, chapter 5 ( SAF-protected Passphrase Feature ) Required: Security Server Administrator Ref. SecureZIP for z/os Security Administrator s Guide, Policy Lockdown chapter 6 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

15 Feature or Activity Enable and Administer Contingency Keys for use with SecureZIP for z/os Generate and install certificates Define Contingency Key Ring(s) Administer Key Rings and PROFILEs (by JOB) Enable and tailor the SMF recording feature used with SecureZIP for z/os Use SMF data for audit controls Configuring jobs for operational use of the z/os UNIX File Systems Archives and/or files in the UNIX File System Application Integration with FIFO Special File (named pipes) Configuring for operations as a PartnerLink Sponsor or Partner Sponsor Distribution Packages Resources Required: Security Server Administrator, Operations JOB Planner Ref. SecureZIP for z/os Security Administrator s Guide, chapter 2, section Contingency Key Enforcement Required: z/os System Programmer Required: SMF Administrator, SMF Data Reduction Programmer, Security Auditor Ref. SecureZIP for z/os Security Administrator s Guide, Security Auditor s Guide chapter Ref. chapter 1, HFS Operational Knowledge Ref. PKWARE PartnerLink System Requirements This section describes the system requirements for SecureZIP z. Operating System The minimum operating system levels supported are: A release of z/os supported by IBM For installations intending to use digital certificates residing in the RACF Security Server, maintenance associated with APAR OA26639 is recommended to avoid spurious ICH408I messages. To extract files greater than 2 gigabytes or to create archives greater than 2 gigabytes in a PDSE, operating system maintenance associated with APAR BW57702 is required. z/os installations intending to use ICSF cryptographic services should ensure that RACF maintenance associated with APAR OA11874 is installed. System requirements for ICSF apply to facility settings of IBMHARDWARE and IBMSOFTWARE associated with ENCRYPTDATA, HASH, and RANDOM. Installations intending to use AES 128-bit ICSF hardware-based encryption/decryption on a System-z9 (2094 or 2096) with ICSF FMID HCR7730 should ensure that PTF UA22474 is applied. (Reference PKWARE HIPER TT3686 and IBM APAR OA13766). Chapter 1 System Planning and Administration 7

16 Installations intending to use SHA-256 ICSF hardware-based hashing in support of digital signature creation will require a minimum ICSF level of HCR7730 while operating on a System z9-109, z9, or z10. Language Environment release-dependent runtime options modules are supplied with the product and are dynamically selected for use at the release levels shown in the following table. If higher levels of Language Environment are encountered, informational system messages may be issued (CEE3611I, CEE3615I, CEE3627I). These have no functional impact on product operations. Operating System Release Language Environment FMID Language Environment Options Release OS/ HLE z/os 1/1 HLE z/os 1.2 HLE z/os 1.3 HLE z/os 1.4 HLE z/os 1.5 HLE z/os 1.6 HLE z/os 1.7 HLE z/os 1.8 HLE z/os 1.9 HLE z/os 1.10 HLE For installations using Security Server RACF and requiring RSA public or private keys to be stored in the ICSF PKDS, the PTF associated with APAR OA13030 must be installed. Region Size and Storage See the section Region Size and Storage in chapter 3 of the PKZIP/SecureZIP for z/os User s Guide for information relating to minimum virtual storage requirements. 8 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

17 Static Disk Space Product data set allocations are approximately as follows: Tracks %Used XT Device CEXEC HELP INSTLIB INSTLIB LICENSE LOAD MACLIB SPKZCLIB SPKZMLIB SPKZPLIB SPKZSLIB SPKZTLIB SecureZIP certificate store data set allocations are approximately as follows: Tracks %Used XT Device CERTSTOR.DBX.DATA 150? CERTSTOR.DBX.INDEX 1? CERTSTOR.DBXCN.DATA 15? CERTSTOR.DBXCN.INDEX 1? CERTSTOR.DBXEM.DATA 15? CERTSTOR.DBXEM.INDEX 1? CERTSTOR.DBXPUBK.DATA 15? CERTSTOR.DBXPUBK.INDEX 1? CERTSTOR.PRIVATE CERTSTOR.PUBLIC CERTSTOR.P7CA CERTSTOR.P7CRL CERTSTOR.P7ROOT CERTSTOR.SPONSOR.AUTH CERTSTOR.SPONSOR.INFO CERTSTOR.SPONSOR.RECIP Tape Device Considerations The following notes apply when ZIP archives may be directed to a tape or cartridge device. Do not use DCB option TRTCH=COMP when specifying a non-store form of ZIP compression. If Large Block Interface (LBI) tape processing is to be used (ARCHIVE_ZIPFORMAT= FULL_LBI or XTAPE_LBI) and there is any restriction on maximum block size for tape cartridges, review the setting for SMS Dataclass Block Size Limit, or PARMLIB(DEVSUPxx) TAPEBLKSZLIM, and set the ZIP defaults (or pre-defined command sets) for ARCHIVE_BLKSIZE accordingly. IECIOSxx parmlib parameter MIH: If your site does not specify an IOS= member in the IEASYSxx member, then a default value of 3:00 minutes for 3490 missing tape device interrupts is used. This value is too low for PKZIP tape processing. IBM 3490 Planning and Migration Guide recommends a value of 20 minutes for missing interrupts associated with 3490E tape drives. Set a temporary increase to the MIH values for tape by using the following MVS console Chapter 1 System Planning and Administration 9

18 command: SETIOS MIH,TAPE=20:00 To change parmlib, place the following in member IECIOSxx: MIH TIME=20:20,DEV=nnnn where nnnn is the device address. For devices configured as 3590s, the control unit controls both the primary and secondary MIH values. The primary MIH governs most commands, and the second MIH governs a small group of long-running commands, such as LOCATE and FORWARD SPACE FILE. UserID OMVS Segment The following features of SecureZIP require the executing UserID to have a valid OMVS segment: SecureZIP for z/os Certificate Store administration and digital certificate usage Unix File System operations SecureZIP ICSF Operations This section pertains to system-supplied cryptographic facilities that are supplemental to inherent SecureZIP cryptographic services. An appropriate SecureZIP license is required to access these facilities. The system-supplied cryptographic facilities available for SecureZIP for z/os to use depend on the hardware configuration and controlling system software. ICSF callable services are utilized by SecureZIP to facilitate access to system-supplied cryptographic facilities for selected system configurations. For planning purposes, the following checklist may be used to ensure that the operating environment is activated appropriately to support the desired cryptographic feature through SecureZIP: Refer to the ICSF Feature/Facility Requirements Table later in this section to identify the desired cryptographic feature and associated facility requirements Ensure that the correct hardware feature codes are installed for the target platform Ensure that the ICSF Program Product is installed at the proper release level Use the TSO/ISPF ICSF dialog to determine if ICSF is active and the necessary components are operative. Select option 1 and press Enter. If ICSF is not available, you will receive the message shown in the upper right portion of the screen below. HCR Integrated Cryptographic Serv OPTION ===> Enter the number of the desired option. ICSF IS NOT ACTIVE 1 COPROCESSOR MGMT - Management of Cryptographic Coprocessors 2 MASTER KEY - Master key set or change, CKDS/PKDS Processing 3 OPSTAT - Installation options 4 ADMINCNTL - Administrative Control Functions 5 UTILITY - ICSF Utilities 6 PPINIT - Pass Phrase Master Key/CKDS Initialization 10 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

19 7 TKE - TKE Master and Operational Key processing 8 KGUP - Key Generator Utility processes 9 UDX MGMT - Management of User Defined Extensions Licensed Materials - Property of IBM 5694-A01 (C) Copyright IBM Corp. 1989, All rights reserved. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Press ENTER to go to the selected option. Press END to exit to the previous menu. If ICSF is active, you will see screens like the following. These may or may not identify coprocessors, but they can be used by SecureZIP for z/os. The coprocessor status is based on the hardware configuration of your environment. System with no coprocessors available ICSF Coprocessor Management COMMAND ===> SCROLL ===> PAGE Select the coprocessors to be processed and press ENTER. Action characters are: A, D, E, K, R and S. See the help panel for details. COPROCESSOR SERIAL NUMBER STATUS ******************************* Bottom of data ******************************** System with coprocessors available ICSF Coprocessor Management Row 1 of 4 COMMAND ===> SCROLL ===> PAGE Select the coprocessors to be processed and press ENTER. Action characters are: A, D, E, R, and S. See the help panel for details. COPROCESSOR MODULE ID/SERIAL NUMBER STATUS C FD FD ACTIVE. C A A2 ACTIVE. P00 94E04777 ACTIVE. P01 94E04781 ACTIVE System with coprocessors online but not initialized for use ICSF Coprocessor Management Row 1 to 1 of 1 COMMAND ===> SCROLL ===> PAGE Select the coprocessors to be processed and press ENTER. Action characters are: A, D, E, K, R and S. See the help panel for details. COPROCESSOR SERIAL NUMBER STATUS E ONLINE ******************************* Bottom of data ******************************* Chapter 1 System Planning and Administration 11

20 If necessary, perform some or all of the following system configuration activities in accordance with the z/os ICSF Administrators Guide and the z/os Cryptographic Services System Programmer s Guide: o o o o o Ensure that the system (or LPAR) is configured for the hardware cryptographic facility Perform Hardware Management Console (HMC) activities to enable cryptographic usage through ICSF Perform Power On Reset to activate HMC settings Prepare ICSF run-time environment (e.g. allocation of control data sets) Start ICSF in update mode to establish passphrases Ensure that ICSF is started with production run-time parameters Conditionally update RACF (or equivalent security product) to permit access to the following CSFSERV Resource classes (if CSFSERV is desired to be an active class) for READ access: o o o o o CSFCKM CSFIQF CSFOWH CSFRNG CSFRNGL Consult the SecureZIP Security Administrator s Guide to identify additional Security Server rules that may require definition or adjustments. The following tables show the levels of system hardware and operating software required by various cryptographic features. ICSF Feature/Facility Requirements Table SecureZIP only This table provides an overview of system facilities required to access a specific cryptographic feature. For each supported Service within a platform configuration, three pieces of information are shown. The minimum Hardware facility required The Software callable service used A minimum ICSF release level (referenced by FMID) 12 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

21 Table 1: ICSF feature/facility requirements Cryptographic Service DES/3DES Hardware Acceleration DES/3DES Secure Key Operations (FIPS 140 Compliant) AES ICSF Software AES128 Hardware Acceleration AES192, AES256 Hardware Acceleration z/800 & z/900 CCF CSNBENC HCR7704 CCF CSNBENC HCR7704 CCF CSNBSYE HCR7706 z/890 & z/990 CPACF CSNBSYE HCR7720 CEX2C CSNBENC HCR7720 CPACF CSNBSYE HCR7720 z9-109 System z9 System z10 CPACF CSNBSYE HCR7720 CEX2C CSNBENC HCR7720 CPACF CSNBSYE HCR7720 Not available Not available CPACF CSNBSYE HCR7730 CPACF CSNBSYE HCR7720 CEX2C CSNBENC HCR7720 CPACF CSNBSYE HCR7720 CPACF CSNBSYE HCR7730 Not available Not available Not available Not available CPACF CSNBSYE HCR7720 CEX2C CSNBENC HCR7720 CPACF CSNBSYE HCR7720 CPACF CSNBSYE HCR7730 CPACF CSNBSYE AES Secure Key Operations (all AES key lengths) (FIPS 140 Compliant) SHA-1 Hardware Acceleration MD5 ICSF Software SHA-256 Hardware Acceleration SHA-384/512 Hardware Acceleration Not available Not available Not available CEX2C CSNBSAE HCR7751 *requires MCL update CCF CSNBOWH HCR7704 CCF CSNBOWH HCR7704 Not available CPACF CSNBOWH HCR7720 CPACF CSNBOWH HCR7720 CPACF CSNBOWH HCR7750 CPACF CSNBOWH HCR7720 CPACF CSNBOWH HCR7720 CPACF CSNBOWH HCR7750 CPACF CSNBOWH HCR7720 CPACF CSNBOWH HCR7720 CPACF CSNBOWH HCR7750 Not available Not available Not available Not available HCR7750 CEX2C CSNBSAE HCR7751 *requires MCL update CPACF CSNBOWH HCR7720 CPACF CSNBOWH HCR7720 CPACF CSNBOWH HCR7750 CPACF CSNBOWH HCR7751 Chapter 1 System Planning and Administration 13

22 Cryptographic Service Pseudo Random Data Generation z/800 & z/900 CCF CSNBRNG z/890 & z/990 CPACF CSNBRNG z9-109 System z9 System z10 CPACF CPACF CPACF CSNBRNG CSNBRNG CSNBRNG HCR7704 HCR7720 HCR7720 HCR7720 HCR7720 Pseudo Random Data Generation-Long CCF CSNBRNGL PCIXCC/ CEX2C CEX2C CSNBRNGL CEX2C CSNBRNGL CEX2C CSNBRNGL HCR7750 CSNBRNGL HCR7750 HCR7750 HCR7750 HCR7750 Notes: ICSF is assumed to be running in non-pcf mode, and FMIDs are listed at the minimum supported level. SMP/E and ICSF settings should be checked to verify the ICSF operating level and configuration. (Note that HCRP220 and prior FMIDs were for PCF.) Some ICSF levels may be required to be at a higher level than those shown due to IBM system configuration requirements. Through the callable service, ICSF directs which hardware/software facility to use based on the call request and the available configuration. IBM technical support documents and maintenance buckets should be reviewed to determine a complete set of system feature enablement requirements to activate the necessary level of ICSF and associated system-provided services. Distributed Operating System ICSF Levels The following table is provided as a convenience for planning purposes to show ICSF levels typically provided with a given level of the operating system. System-specific planning and requirements review should be performed for an installation. 14 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

23 Operating System Distributed ICSF Level Enabled Feature as Used by SecureZIP OS/ HCR7703 Base ICSF for CSNBENC z/os 1.2 HCR7704 z/os 1.3 HCR7706 CSNBSYE CPACF (z/x90, z9) z/os 1.4 z/os 1.5 z/os 1.6 z/os 1.7 HCR7706 or HCR7708 HCR7708 HCR770A HCR7720 or HCR7730 CSNBSYE CPACF for DES/3DES CSNBSYE AES128 hardware (z9) z/os 1.7 HCR7730 SHA-256 hashing (software only) z/os 1.8 z/os 1.9 HCR7731 HCR7740 z/os 1.10 HCR7750 HCR7751 may be installed as an upgrade to access advanced AES capabilities available through hardware. Note that many of the ICSF release levels can be installed on earlier releases of the operating system. For z/os 1.7, z/os 1.8 and z/os 1.9, HCR7750 is available for upgrades, providing for CSNBSYE AES192, AES256 hardware (z9 model dependent) and SHA-256 hashing hardware (z9). z/os UNIX File System (HFS) In the context of this section, Hierarchical File System (HFS) refers to the entire z/os UNIX file system architecture unless otherwise noted. SecureZIP z does not require any special configuration to operate with the HFS (Hierarchical File System). However, working with archives and data files located in the HFS in the z/os environment requires some setup. In particular: The run-time user s OMVS segment information must be associated with a HOME directory for that user Permissions need to be set to correspond with the run-time user s ownership of directories and files to be accessed (see PATHMODE for directory and file objects within the HFS) Group permissions for directories and files in the HFS need to support the GROUPs that the run-time user will connect to If the SAFETYEX module has been modified from releases prior to release 10.0, a fresh source copy (from INSTLIB) should be used and updated. HFS PATH entries can be added in a new section provided for this purpose in the release 10.0 version of the module. Chapter 1 System Planning and Administration 15

24 HFS Operational Knowledge To operate SecureZIP z with the HFS, you need a basic understanding of how the HFS works. For information specific to using SecureZIP z, see section z/os UNIX File System (Hierarchical File System) in chapter 9 ( File Processing ) of the PKZIP/SecureZIP for z/os User s Guide. For more general information, you will find the IBM documentation listed in the following table helpful. Resource Chapter/Section Description IBM z/os UNIX System Services Guide IBM z/os UNIX System Services Guide IBM z/os UNIX System Services Guide IBM z/os UNIX System Services Guide IBM z/os UNIX System Services Guide IBM z/os UNIX System Services Guide Chapter 14: An Introduction to the hierarchical file system Chapter 16: Working with directories Chapter 17: Working with files Chapter 18: Handling security for your file Chapter 21: Copying data between the HFS and MVS Chapter 22: Transferring file between systems Mountable File Systems Directories Files Path and Pathname Using commands to work with directories and files Using the Network File System The working directory Creating and removing a directory Naming files Deleting a file Identifying a file by its inode number Creating and deleting links Renaming a file or directory Simultaneous access to a file Default permissions set by the system Changing permissions Displaying file and directory permissions Setting the file mode creation mask Displaying extended attributes Examples and requirements for various data types File Transfer Protocol (FTP) IBM z/os JCL Reference FILEDATA Parameter describe the organization of a hierarchical file so that the system can determine how to process the file IBM z/os JCL Reference PATH Parameter specify the name of the HFS file. IBM z/os JCL Reference PATHMODE Parameter file access attributes when the system is creating the HFS file named on the PATH parameter IBM z/os JCL Reference PATHMODE Parameter specify the file access attributes when the system is creating the HFS file 16 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

25 Resource Chapter/Section Description IBM z/os JCL Reference PATHOPTS Parameter specify the access and status for the HFS file named in the PATH parameter IBM z/os SecureWay Security Server RACF Security Administrator s Guide The OMVS segment in User Profiles The z/os UNIX Identifier (UID) The initial directory path name (HOME) The maximum number of active or open files the user can have (FILEPROCMAX) The maximum number of processes the user can have (PROCUSERMAX) Migration Considerations Release 11.1 provides enhanced volume count control with MULTIVOL command specifications (e.g. ARCHIVE_SPACE_MULTIVOL). With the added capability for specifying a numeric volume count value, the default volume count associated with xxxx_space_multivol=y is changed from 59 to 5. If default volume count values greater than 5 are required, modifications to the defaults module may be performed. Release 11.1 provides segregated control of temporary data compression work space from other temporary work files. See the new TEMPDATA_xxx settings for additional information. If enabled, adjustments to existing TEMP_xxx settings should be considered to reduce overall work file allocation requirements. SecureZIP for z/os Release 11 provides the ability for an installation to logically move digital certificates from the SecureZIP Certificate Store to the installation s Security Server (for example, RACF). The SecureZIP Key Store Index component of the SecureZIP Certificate Store provides a redirection capability that permits existing jobs accessing digital certificates through the DB: syntax to reference certificates installed to the Security Server so that run-time JCL and parameters do not require modification. The administrative process of reindexing Security Server certificates for existing DB: entries is accomplished through the Add Certificates (or Register KeyRing Certificates) option under the Local Certificate Store Administration dialog. SecureZIP for z/os Release 11 includes a change to the Certificate Store references. If a Certificate Store configuration is not specified, DUMMY will be used as the default. To maintain upgrade continuity, Certificate Store configurations may be included with the INCLUDE_CMD or added to INSTLIB(ACZDFLT). Release 10 renamed the DATA_DELIMITER setting to ZIPFILE_RECORD_DELIMITER for the purpose of distinguishing it from new HFS ZOSFILE_RECORD_DELIMITER setting. Processing message references will now be made to ZIPFILE_RECORD_DELIMITER instead of DATA_DELIMITER. To maintain upgrade continuity for existing job streams, the DATA_DELIMITER command and the MCZDFLTS DATA_DELIMITER= keyword designator for the defaults module will continue to be supported as mapping entries to ZIPFILE_RECORD_DELIMITER. Release 10 renamed the PATH setting to USE_SOURCE_PATH to eliminate ambiguity with respect to HFS PATH names and PATH catalog entries. To maintain upgrade continuity for existing job streams, the PATH command and the MCZDFLTS PATH= Chapter 1 System Planning and Administration 17

26 keyword designator for the defaults module will continue to be supported as mapping entries to USE_SOURCE_PATH. Release 10 introduced newer forms of self-extractor (ref. INCLUDE_SFX for details) programs which support ZIP64 processing and Strong Decryption. Although the older versions of the self extractors are still available, they are specified with different names. Jobs coded with the previous names will include the newer form of the selfextraction programs in the archive. Release 10 introduced the command OUTFILE_LONGREC to support optional wrapping of extracted data (rather than truncating them). This command replaces a maintenance option PROC_OPT3=W setting (with alias command LONGREC_WRAP) introduced with TT3392. Although PROC_OPT3=W is still supported in this release, it is recommended that commands and default module settings be changed to use OUTFILE_LONGREC=WRAP instead. The LONGREC_WRAP alias command will now be assigned to OUTFILE_LONGREC and continue to be supported. Note: When changing the defaults module to use OUTFILE_LONGREC=W, PROC_OPT3= should be removed from the ACZDFLT source to avoid possible conflicts. When either setting is found to be W/WRAP, the record will be wrapped. Release 10 and higher permits the use of CRLF= Y,NOEOFDELIM and FILE_TERMINATOR= in the defaults module to prevent unwanted delimiter and terminator characters from being placed at the end of a file as it is added to an archive. This approach replaces old techniques of adding the commands CRLF(C) FILE_TERMINATOR() in the command stream. Release 10.0 introduced a new format for the SAFETYEX module, from INSTLIB. Transfer to a copy of the new module any installation entries you have made in the SAFETYEX that you have been using. The new version of the module has a separate section for HFS PATH entries. Installations using GZIP=Y in customized default modules should convert to ARCHIVE_ZIPFORMAT=GZIP. The GZIP setting is no longer honored when defined in the defaults module. Installations activating ARCHIVE_ZIPFORMAT Enhanced Tape Processing (XTAPE, XTAPE_LBI or FULL_LBI) should be aware that there are back-level release sharing considerations. ARCHIVE_ZIPFORMAT=FULL is recommended if a tape archive created by the current release is to be accessed by an older release of SecureZIP z. However, toleration maintenance change TT2741 is available for PKZIP for zseries (releases 5.6 & 8.2) and SecureZIP for zseries (releases 8.1 & 8.2) to provide restricted UNZIP processing capabilities. For information, refer to the ARCHIVE_ZIPFORMAT and ARCHIVE_BLKSIZE commands in the PKZIP/SecureZIP for z/os User s Guide. Installations suppressing the //SYSIN PDS member verification for performance reasons with PROC_OPT1=N (available with PKZIP for MVS maintenance) in ACZDFLT should change to CHECK_SYSIN_MEMBER=N in the assembly of ACZDFLT. PROC_OPT1 is no longer used for this purpose in PKZIP for MVS Release 5.5 or SecureZIP for z/os. Installations controlling the //SYSPRINT DCB attributes with PROC_OPT2 (available with PKZIP for MVS maintenance) in ACZDFLT should change to SYSPRINT_DCB in the assembly of ACZDFLT. PROC_OPT2 is no longer used for this purpose in PKZIP for MVS Release 5.5 or SecureZIP for z/os. 18 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

27 Installations utilizing the filename case-insensitivity feature with PROC_OPT3=U (available with PKZIP for MVS maintenance) in ACZDFLT should change to FILENAME_SELECT_CASE=U in the assembly of ACZDFLT. PROC_OPT3 is no longer used for this purpose in SecureZIP for z/os. Upgrade note: Installations previously using text translation tables other than EBC#8859 for TRANSLATE_TABLE_DATA or TRANSLATE_TABLE_FILEINFO should review the data translation characters used. The newer default tables in EBC#8859 use the IBM ICONV standard character sets for IBM-1047 EBCDIC and ISO ASCII. In general, the newer default table is better for general-purpose text translation than the older ASCIIUS, ASCIIUSE, ASCIIUK, and ASCIIUKE tables. However, the older tables are still provided for compatibility in case installation-dependent processing requires translation of specialized character sets. The command ZIP_UNMOVABLE_CHKPT replaces functional fix TT1825 using PROC_OPT5 in earlier releases of the product. Installations previously using PROC_OPT5 are encouraged to use ZIP_UNMOVABLE_CHKPT. PROC_OPT5 is still active in this release, with differences in message notification (see command Usage Notes in the User s Guide for more information). The command GZIPCRC_IGNORE replaces functional fix TT2367 using PROC_OPT6 in earlier releases of the product. Installations previously using PROC_OPT6 are encouraged to use the new command. PROC_OPT6 is still active in this release, but may be removed in the future. Encryption features associated with the Advanced Encryption Module of PKZIP for zseries releases 5.5 and 5.6 are now only available with SecureZIP for z/os. However, PKZIP for z/os Enterprise Edition does include decryption capabilities allowing access to ZIP files created by earlier releases. SecureZIP installations previously using MASTER_RECIPIENT commands for contingency key processing will find a difference in processing if multiple MASTER_RECIPIENT command settings are provided in an execution. Whereas release 8.1 used the last command value, now all MASTER_RECIPIENT settings are cumulatively added to the run to provide support for multiple contingency keys. Installations using password-based encryption with passphrases greater than 95 characters should reference information from PKWARE HIPER fix TT3057. Contact the PKWARE Support team at with any questions related to this HIPER. Release History and Setting Changes A historical list of release changes is documented in the User Guide, Chapter 3, in the sections Release Summary and New Commands and Defaults. It is highly recommended that this section be reviewed to identify changes that may require attention for your installation s current operating environment. Chapter 1 System Planning and Administration 19