PKZIP /SecureZIP for z/os

Transcription

1 PKZIP /SecureZIP for z/os System Administrator s Guide SZZSA- V111R0002 PKWARE Inc.

2 PKWARE, Inc. 648 N Plankinton Avenue, Suite 220 Milwaukee, WI Main office: 888-4PKWARE ( ) Sales: (888-4PKWARE / ) Sales - [email protected] Support: Support - Web Site: Edition (2009) SecureZIP for z/os, PKZIP for z/os, SecureZIP for i5/os, PKZIP for i5/os, SecureZIP for UNIX, and SecureZIP for Windows are just a few of the members of the PKWARE product family. PKWARE Inc. would like to thank all the individuals and companies including our customers, resellers, distributors, and technology partners who have helped make PKZIP the industry standard for trusted ZIP solutions. SecureZIP enables our customers to efficiently and securely transmit and store information across systems of all sizes, ranging from desktops to mainframes. This edition applies to the following PKWARE Inc. licensed programs: PKZIP for z/os (Version 11, Release 1, 2009) SecureZIP for z/os (Version 11, Release 1, 2009) SecureZIP Partner for z/os (Version 11, Release 1, 2009) PKWARE, PKZIP, and SecureZIP are registered trademarks of PKWARE, Inc. z/os, i5/os, zseries, and iseries are registered trademarks of IBM Corporation. Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged. Any reference to licensed programs or other material, belonging to any company, is not intended to state or imply that such programs or material are available or may be used. The copyright in this work is owned by PKWARE Inc., and the document is issued in confidence for the purpose only for which it is supplied. It must not be reproduced in whole or in part or used for tendering purposes except under an agreement or with the consent in writing of PKWARE Inc., and then only on condition that this notice is included in any such reproduction. No information as to the contents or subject matter of this document or any part thereof either directly or indirectly arising there from shall be given or communicated in any manner whatsoever to a third party being an individual firm or company or any employee thereof without the prior consent in writing of PKWARE Inc. Copyright PKWARE Inc. All rights reserved. MVS/QuickRef Copyright , Chicago-Soft, Ltd.

3 Contents PREFACE... 1 Notices...1 About This Manual...1 Conventions Used in This Manual...1 Related Publications...2 Related Information on the Internet...4 User Help and Contact Information SYSTEM PLANNING AND ADMINISTRATION... 5 Planning for Administration Activities...5 System Requirements...7 Operating System...7 Region Size and Storage...8 Static Disk Space...9 Tape Device Considerations...9 UserID OMVS Segment...10 SecureZIP ICSF Operations...10 z/os UNIX File System (HFS)...15 Migration Considerations...17 Release History and Setting Changes...19 Distinctive Features of PKZIP and SecureZIP for z/os...20 Distinctive Features of SecureZIP for z/os...21 PKWARE PartnerLink: SecureZIP Partner for z/os...21 Encryption...22 Authentication...22 Data Integrity...22 Digital Signature Validation...23 Digital Signature Source Validation...23 Public-Key Infrastructure and Digital Certificates...24 Contents iii

4 Public-Key Infrastructure (PKI)...24 x Digital Certificates...25 Certificate Authority (CA)...25 Private Key...25 Public Key...25 Certificate Authority and Root Certificates...26 Setting Up Stores for Digital Certificates on z/os...26 Setting Up the Certificate Stores...26 Updating the Certificate Stores...28 Types of Encryption Algorithms...28 Standard...28 FIPS 46-3, Data Encryption Standard (DES)...29 Triple DES Algorithm (3DES)...29 Advanced Encryption Standard (AES)...29 Comparison of the 3DES and AES Algorithms...29 RC Key Management...31 Passwords and PINS...31 Recipient Based Encryption...31 Random Number Generation...32 Integrity of Public and Private Keys...32 Data Encryption INSTALLATION, LICENSING, AND CONFIGURATION Installation Overview...34 Type of Media Distribution for Installation...34 Installation from Downloaded File or CD...35 Non-SMP/E Installation...35 SMP/E Installation...37 Installing from Tape...41 Tailoring Site-Specific Changes to the Defaults Module...42 Tailoring Site-Locking Commands...43 Protecting Files with the SAFETYEX Module...43 Tailoring for Filename and Data Character Set Conversions...44 SMS Dataclass Considerations...44 Note for users of PKZIP for MVS and PKZIP for zseries Considerations when Exporting Private Keys using RACDCERT...45 Evaluation Activity Log...45 Activity Log Setup and Configuration...46 Licensing Requirements...48 Licensed Types...49 Product Features...50 iv PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

5 Evaluation Period...53 Release-Dependent Licensing...53 Current Use License...53 Show System Information...55 Conditional Use...56 Initializing the License...56 PKZIP and Full-Featured SecureZIP License Activation...57 SecureZIP Partner License Activation...57 Reporting the PKZIP/SecureZIP for z/os License...58 PKZIP/SecureZIP for z/os Grace Period...59 Running a Disaster Recovery Test...59 Activating the ISPF Interface...60 ISPF Main Menu...61 Running PKZIP/SecureZIP with Library Lookaside (LLA and LNKLST)...61 Verifying the Installation...62 Run-time Performance Considerations...62 Main Tuning Ingredients...63 Initialization JOBLIB/STEPLIB Elimination, LLA, VLF and/or LPA...64 Initialization SYSIN Command Records via Partitioned Members...66 Initialization PARMLIB Commands via Partitioned Members...67 Enable SMF Recording...67 SMF Activation...68 Install and Activate the PKWSVC Module...68 Select a Unique SMF Record Type...71 Activate SVC and SMF Settings in the SecureZIP Defaults Module...72 Default Module Settings Affecting SMF Recording SECURITY ADMINISTRATION OVERVIEW Accessing Certificates...77 Public Key Certificate...77 Private Key Certificates...78 Certificate Authority and Root Certificates...78 Configuration Profile...78 Contents of the Configuration Profile...78 Data Base (DB) Profile (Local Certificate Store)...79 LDAP Profile (Networked Certificate Store)...79 Recipient Searches...80 Local Certificate Stores...81 Access x.509 Public and Private Key Certificates...81 Authentication and Certificate Validation Policies...82 Other Profile Commands...86 Passphrase Registration...87 Accessing the Passphrase Registration Dialogs CERTIFICATE STORE MANAGEMENT SecureZIP Main Panel Access to the Certificate Stores...89 Contents v

6 SecureZIP Certificate Store Administration and Configuration...89 Local Certificate Store Administration...90 SecureZIP Local Certificate Store...91 Create a New Local Certificate Store DB...92 Certificate Validation Options...93 Generated JCL to Build the Initial Certificate Store...94 View Data Base Certificate Entries...95 List Certificate Entries Add a Certificate to the Local Store Add a New Certificate to the CA Store Add a New Trusted Root Certificate to the Root Store Add a New Certificate via Batch Processing Register Security Server Certificates in the Key Store Index Delete a Certificate from the Local Store Synchronize the Index for the Local Certificate Store Generated JCL for Synchronization CA, Root, and CRL Verification Report DB Statistics Edit Active DB Profile Backup and Restore Process Directory Certificate Store Configuration - LDAP Create/Test LDAP Profile Statements Edit existing LDAP profile Create/Test LDAP Link Create New LDAP Profile Settings Load Existing LDAP Profile Testing the LDAP Connection Runtime Configuration Zip/Unzip Runtime Configuration Panel SecureZIP Runtime Configuration Panel SecureZIP Runtime Configuration Panel Undefined SecureZIP Runtime Configuration Panel with DB Profile Defined SecureZIP Runtime Configuration Panel with Private Certificate Location x.509 Certificate Utilities The Options Certificate Revocation Lists Filename Encryption How SecureZIP for z/os Encrypts File Names When SecureZIP for z/os Encrypts File Names Encrypting File Names When You Update an Archive Opening and Viewing an Archive that Has Encrypted File Names Input required to View Recipients in a Filename Encrypted Archive View of Recipients in a Filename Encrypted Archive View Detail of an Archive that Has Encrypted File Names Decrypting a Filename Encrypted Archive SECURITY QUESTIONS AND SOLUTIONS Which encryption settings should be chosen? How is encryption activated? vi PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

7 How is ICSF hardware acceleration activated? What is the difference between an Encryption Method and an algorithm? How many recipients can be specified? What virtual storage is required for certificate-based encryption? How does ENCRYPTION_METHOD affect certificate-based encryption? How does SecureZIP activate MASTER_RECIPIENT contingency keys? How does MASTER_RECIPIENT affect activation? How do I copy a local certificate store? How do I remove a local certificate store? How can the contents of an x.509 certificate file be determined? PKWARE PARTNERLINK: SECUREZIP PARTNER About SecureZIP Partner for z/os If You Are a Sponsor: Sign the Central Directory Terms and Acronyms Used in This Chapter PKWARE PartnerLink Program: Overview Decrypting and Extracting Sponsor Data (Read Mode) Creating an Archive for a Sponsor Getting Started Co-existence with Other PKWARE Products Recommendations PartnerLink Certificate Store Administration and Configuration Choosing a Configuration Model Installing a Sponsor Distribution Package Updating a Sponsor Distribution Package Removing a Sponsor Distribution Package Providing a Sponsor Configuration for Execution CRYPTOGRAPHIC FACILITY UTILITY - PKCRYUTL Cryptographic Facility Categories Assessing a System s Cryptographic Capabilities with PKCRYUTL PKCRYUTL Execution PKCRYUTL Reporting PKCRYUTL Sample Report PKCRYUTL Interpretation SMF RECORD FORMATS GLOSSARY INDEX Contents vii

8 viii PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

9 Preface SecureZIP for z/os, like PKZIP for z/os, is a member of the PKWARE family of products providing high-performance data compression and data protection across multiple operating systems and platforms. PKZIP for z/os provides powerful, easy-to-use data compression on the mainframe. PKZIP for z/os Enterprise Edition additionally includes support for password-based decryption of encrypted files, powered by trusted RSA BSAFE. Files created by PKZIP for z/os use the widely-adopted ZIP format and can be accessed on all major platforms throughout the enterprise from mainframe to PC. SecureZIP for z/os provides powerful, easy-to-use data compression and data protection on the mainframe. SecureZIP for z/os protects data with digital signatures and several encryption choices. Both trusted RSA BSAFE encryption or IBM ICSF are offered, either password- or certificate-based, and with key lengths of up to 256 bits. Like PKZIP for z/os, SecureZIP for z/os uses the widely-adopted ZIP format and creates files that can be accessed on all major platforms throughout the enterprise. Notices Licensing requirements have changed for this release. See chapter 2 for current information. About This Manual This manual provides information to help a system administrator install and use PKZIP for z/os or SecureZIP for z/os in an operational environment on supported IBM releases of z/os. It is assumed that anyone using this manual has a good understanding of JCL and dataset processing. Conventions Used in This Manual Throughout this manual, the following conventions are used: SecureZIP z (bold-italicized) is used as a shorthand to refer to both SecureZIP for z/os and PKZIP for z/os. Statements made about SecureZIP z apply to both products. Information given specifically for SecureZIP for z/os or PKZIP for z/os applies specifically to that product. Preface 1

10 The terms ZIP and UNZIP are used to refer to the respective overall processes of operating on an archive. The term PKZIP is often used generically to refer to any of the underlying executable programs that process archives in PKZIP for z/os and SecureZIP for z/os. These include programs PKZIP and SECZIP, to ZIP archives, and programs PKUNZIP and SECUNZIP, to UNZIP them. PKZIP is also more narrowly used to refer to either the PKZIP or SECZIP program, and PKUNZIP is often used to refer to either the PKUNZIP or SECUNZIP program. The use of the Courier font indicates text that may be found in job control language (JCL), parameter controls, or printed output. The use of italics in a command line indicates a value that must be substituted by the user, for example, a data set name. Italics are also used in body text to quote command names and so forth or to indicate the title of a manual or other publication. The use of <angle brackets> in a command definition indicates a mandatory parameter. The use of [square brackets] in a command definition indicates an optional parameter. A vertical bar ( ) in a command definition is used to separate mutually exclusive parameter options or modifiers. When sample JCL is shown, or references to the SecureZIP z libraries are made, the high-level qualifier PKWARE.MVS may be used generically. The high-level qualifier specifically for the packaged product SecureZIP for z/os is SECZIP.MVS. The high-level qualifier specifically for the packaged product PKZIP for z/os is PKZIP.MVS. Note that the actual high-level qualifiers installed on your system may be different. Program examples may show either SecureZIP for z/os or PKZIP for z/os constructs, for backward compatibility. In general, examples apply to both programs unless the examples appear in sections of the manual that relate exclusively to SecureZIP features. Such sections are marked like this: SecureZIP only Related Publications IBM Manuals relating to the SecureZIP z products include: System Codes - Documents the completion codes issued by the operating system when it terminates a task or an address space. Describes the wait state codes placed in the program status word (PSW) when the system begins a wait state. Describes the causes of loops. System Messages - Documents the messages issued by the z/os operating system. The descriptions explain why the component issued the message, give the actions of the operating system, and suggest responses by the applications programmer, system programmer, and/or operator. JES2 Messages - Documents the messages issued by the JES2 subsystem. The descriptions explain why the component issued the message, give the actions of the 2 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

11 operating system, and suggest responses by the applications programmer, system programmer, and/or operator. JCL User's Guide - Describes the job control tasks needed to enter jobs into the operating system, control the system's processing of jobs, and request the resources needed to run jobs. To perform the tasks, programmers code job control statements. The user's guide assists in deciding how to perform job control tasks. JCL Reference - Describes the job control tasks needed to enter jobs into the operating system, control the system's processing of jobs, and request the resources needed to run jobs. To perform the tasks, programmers code job control statements. The reference guide; is designed to be used while coding the statements. Access Methods Services - Documents the functions that are available with Virtual Storage Access Method (VSAM) and describes the IDCAMS commands that can be issued to control VSAM datasets. DFSMS Using Data Sets Reference materials regarding z/os file systems and their usage. DFSMS Macro Instructions for Data Sets Reference material regarding I/O handling and diagnostics. ICSF Application Programmers Guide Describes how to use the callable services provided by the Integrated Cryptographic Service facility. ICSF Administrators Guide Describes how to manage cryptographic keys by using the z/os Integrated Cryptographic Service facility. ICSF Overview Contains overview and planning information for the z/os Integrated Cryptographic Service facility. ISPF bookshelf Reference materials regarding run-time environments supporting, and used by SecureZIP z. Language Environment bookshelf Reference materials regarding run-time environments supporting, and used by SecureZIP z. TSO/E Command Reference - Documents the functions of the TRANSMIT and RECEIVE Command Facility used for the distribution and allocation of SecureZIP z installation libraries. TSO/E Rexx Reference Reference materials regarding run-time environments supporting, and used by SecureZIP z. z/os XL C/C++ bookshelf Reference materials regarding run-time environments supporting, and used by SecureZIP z. z/os Unix System Services User s Guide Provides information that is fundamental to working with UNIX File Systems (also known as the hierarchical file system). MVS/QuickRef 6.3 (Chicago-Soft, Ltd.) - Includes both messages and command reference material for SecureZIP z. Preface 3

12 Related Information on the Internet PKWARE, Inc. FTP site Product manuals - ftp://bigiron.pkware.com/pub/manuals/zos Product downloads - ftp://bigiron.pkware.com/pub/products o o PKZIP for z/os - ftp://bigiron.pkware.com/pub/products/pkzip/zos SecureZIP for z/os - ftp://bigiron.pkware.com/pub/products/securezip/zos o SecureZIP Partner for z/os - ftp://bigiron.pkware.com/pub/products/partnerlink/zos National Institutes of Standards and Technology Computer Security Resource Center - Information on the AES development - Information on Key Management - RSA BSAFE Content Library User Help and Contact Information For licensing, please contact Sales at (888-4PKWARE / ) or [email protected]. For technical assistance, contact Technical Support at or visit the support web site: 4 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

13 1 System Planning and Administration SecureZIP z contains two main programs: PKZIP (or SECZIP in SecureZIP) and PKUNZIP (or SECUNZIP in SecureZIP). The ZIP program is used to compress or store files into a ZIP format archive, while the UNZIP program is used to extract data compressed into ZIP-compatible archives. Processing control is available through the use of customized option modules, shared command lists, and individual job inputs. In addition to file selection, features such as compression levels and performance selections can be specified. To guarantee data integrity, a 32-bit cyclic redundancy check (CRC) is a standard feature. A ZIP archive is platform-independent; therefore, data compressed (zipped) on one platform, such as UNIX or Windows, can be decompressed (unzipped) on another platform, such as z/os, by using a compatible version of the UNZIP program. With its advanced password and certificate-based security features, SecureZIP for z/os offers multiple methods of encryption and is an excellent choice for securing data and data transfers. However, it is important that system administrators carefully plan in advance the design, development, and testing tasks required to successfully integrate SecureZIP for z/os as a secure solution into a production environment. The following sections chart the production and pre-production planning activities for administration and discuss SecureZIP z model environments and important concepts for the systems administrator. They also describe encryption, types of algorithms in use, information about specific mandates requiring the use of secure data, and how SecureZIP z will secure that data. Planning for Administration Activities The SecureZIP z software is often installed and maintained by a single party within an installation s system programming staff. However, there are several system interface components that may require attention from other departments relating to the administration of SecureZIP operation. Use the following installation and feature configuration checklist to help plan out the installation and operational use of SecureZIP z. Chapter 1 System Planning and Administration 5

14 Feature or Activity Base software installation; includes: Licensing Tailoring of the installation defaults module Translate table selection SAFETYEX module tailoring Migration Considerations Activating the TSO ISPF Interface Initial Tuning Optional LLA, VLF and LPA Configure Cryptographic Services for data Encryption, Digital Signing and Authentication with SecureZIP for z/os Use of ICSF Cryptographic Facilities CLASS(CSFSERV) service profiles Define the SecureZIP for z/os Key Store Index and Certificate Store Administer Digital Certificates to the SecureZIP for z/os Key Store for use in RECIPIENT, SIGN_FILES, SIGN_ARCHIVE or AUTHCHK processing. DATASET update access to SecureZIP Key Store components Administer Digital Certificates to the Security Server for use in RECIPIENT, SIGN_FILES, SIGN_ARCHIVE or AUTHCHK processing with SecureZIP for z/os. Certificate and Key Ring controls Administer Passphrase Registration to the ICSF CKDS for use with SecureZIP for z/os. CLASS(CSFSERV,CSFKEYS) service profiles Enable and Administer SecureZIP for z/os Policy Lockdown features Resources Ref. chapter 2 Required: System Programmer Optional: Data transfer architect for Translate Tables Optional: Storage administrator for related defaults module settings Optional: Security policy manager for related defaults module settings. Required: Security Administrator to define data set protection for supporting software libraries. Ref. chapter 1, SecureZIP ICSF Operations Ref. SecureZIP Security Administrator s Guide; ICSF Service Controls Required: ICSF Administrator, Security Server Administrator Ref. chapter 1, Setting Up Stores for Digital Certificates on z/os Ref. chapter 1, Public-Key Infrastructure and Digital Certificates Ref. chapter 4 Required: Security Server Administrator, SecureZIP Key Administrator Ref. SecureZIP Security Administrator s Guide Ref. IBM z/os Security Server RACF Administration Ref. IBM z/os Security Server RACF Command Reference (RACDCERT) Ref. IBM z/os Security Server Callable Services (R_datalib) Required: Security Server Administrator, SecureZIP Key Administrator, ICSF CKDS Administrator Ref. SecureZIP for z/os Security Administrator s Guide, chapter 5 ( SAF-protected Passphrase Feature ) Required: Security Server Administrator Ref. SecureZIP for z/os Security Administrator s Guide, Policy Lockdown chapter 6 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

15 Feature or Activity Enable and Administer Contingency Keys for use with SecureZIP for z/os Generate and install certificates Define Contingency Key Ring(s) Administer Key Rings and PROFILEs (by JOB) Enable and tailor the SMF recording feature used with SecureZIP for z/os Use SMF data for audit controls Configuring jobs for operational use of the z/os UNIX File Systems Archives and/or files in the UNIX File System Application Integration with FIFO Special File (named pipes) Configuring for operations as a PartnerLink Sponsor or Partner Sponsor Distribution Packages Resources Required: Security Server Administrator, Operations JOB Planner Ref. SecureZIP for z/os Security Administrator s Guide, chapter 2, section Contingency Key Enforcement Required: z/os System Programmer Required: SMF Administrator, SMF Data Reduction Programmer, Security Auditor Ref. SecureZIP for z/os Security Administrator s Guide, Security Auditor s Guide chapter Ref. chapter 1, HFS Operational Knowledge Ref. PKWARE PartnerLink System Requirements This section describes the system requirements for SecureZIP z. Operating System The minimum operating system levels supported are: A release of z/os supported by IBM For installations intending to use digital certificates residing in the RACF Security Server, maintenance associated with APAR OA26639 is recommended to avoid spurious ICH408I messages. To extract files greater than 2 gigabytes or to create archives greater than 2 gigabytes in a PDSE, operating system maintenance associated with APAR BW57702 is required. z/os installations intending to use ICSF cryptographic services should ensure that RACF maintenance associated with APAR OA11874 is installed. System requirements for ICSF apply to facility settings of IBMHARDWARE and IBMSOFTWARE associated with ENCRYPTDATA, HASH, and RANDOM. Installations intending to use AES 128-bit ICSF hardware-based encryption/decryption on a System-z9 (2094 or 2096) with ICSF FMID HCR7730 should ensure that PTF UA22474 is applied. (Reference PKWARE HIPER TT3686 and IBM APAR OA13766). Chapter 1 System Planning and Administration 7

16 Installations intending to use SHA-256 ICSF hardware-based hashing in support of digital signature creation will require a minimum ICSF level of HCR7730 while operating on a System z9-109, z9, or z10. Language Environment release-dependent runtime options modules are supplied with the product and are dynamically selected for use at the release levels shown in the following table. If higher levels of Language Environment are encountered, informational system messages may be issued (CEE3611I, CEE3615I, CEE3627I). These have no functional impact on product operations. Operating System Release Language Environment FMID Language Environment Options Release OS/ HLE z/os 1/1 HLE z/os 1.2 HLE z/os 1.3 HLE z/os 1.4 HLE z/os 1.5 HLE z/os 1.6 HLE z/os 1.7 HLE z/os 1.8 HLE z/os 1.9 HLE z/os 1.10 HLE For installations using Security Server RACF and requiring RSA public or private keys to be stored in the ICSF PKDS, the PTF associated with APAR OA13030 must be installed. Region Size and Storage See the section Region Size and Storage in chapter 3 of the PKZIP/SecureZIP for z/os User s Guide for information relating to minimum virtual storage requirements. 8 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

17 Static Disk Space Product data set allocations are approximately as follows: Tracks %Used XT Device CEXEC HELP INSTLIB INSTLIB LICENSE LOAD MACLIB SPKZCLIB SPKZMLIB SPKZPLIB SPKZSLIB SPKZTLIB SecureZIP certificate store data set allocations are approximately as follows: Tracks %Used XT Device CERTSTOR.DBX.DATA 150? CERTSTOR.DBX.INDEX 1? CERTSTOR.DBXCN.DATA 15? CERTSTOR.DBXCN.INDEX 1? CERTSTOR.DBXEM.DATA 15? CERTSTOR.DBXEM.INDEX 1? CERTSTOR.DBXPUBK.DATA 15? CERTSTOR.DBXPUBK.INDEX 1? CERTSTOR.PRIVATE CERTSTOR.PUBLIC CERTSTOR.P7CA CERTSTOR.P7CRL CERTSTOR.P7ROOT CERTSTOR.SPONSOR.AUTH CERTSTOR.SPONSOR.INFO CERTSTOR.SPONSOR.RECIP Tape Device Considerations The following notes apply when ZIP archives may be directed to a tape or cartridge device. Do not use DCB option TRTCH=COMP when specifying a non-store form of ZIP compression. If Large Block Interface (LBI) tape processing is to be used (ARCHIVE_ZIPFORMAT= FULL_LBI or XTAPE_LBI) and there is any restriction on maximum block size for tape cartridges, review the setting for SMS Dataclass Block Size Limit, or PARMLIB(DEVSUPxx) TAPEBLKSZLIM, and set the ZIP defaults (or pre-defined command sets) for ARCHIVE_BLKSIZE accordingly. IECIOSxx parmlib parameter MIH: If your site does not specify an IOS= member in the IEASYSxx member, then a default value of 3:00 minutes for 3490 missing tape device interrupts is used. This value is too low for PKZIP tape processing. IBM 3490 Planning and Migration Guide recommends a value of 20 minutes for missing interrupts associated with 3490E tape drives. Set a temporary increase to the MIH values for tape by using the following MVS console Chapter 1 System Planning and Administration 9

18 command: SETIOS MIH,TAPE=20:00 To change parmlib, place the following in member IECIOSxx: MIH TIME=20:20,DEV=nnnn where nnnn is the device address. For devices configured as 3590s, the control unit controls both the primary and secondary MIH values. The primary MIH governs most commands, and the second MIH governs a small group of long-running commands, such as LOCATE and FORWARD SPACE FILE. UserID OMVS Segment The following features of SecureZIP require the executing UserID to have a valid OMVS segment: SecureZIP for z/os Certificate Store administration and digital certificate usage Unix File System operations SecureZIP ICSF Operations This section pertains to system-supplied cryptographic facilities that are supplemental to inherent SecureZIP cryptographic services. An appropriate SecureZIP license is required to access these facilities. The system-supplied cryptographic facilities available for SecureZIP for z/os to use depend on the hardware configuration and controlling system software. ICSF callable services are utilized by SecureZIP to facilitate access to system-supplied cryptographic facilities for selected system configurations. For planning purposes, the following checklist may be used to ensure that the operating environment is activated appropriately to support the desired cryptographic feature through SecureZIP: Refer to the ICSF Feature/Facility Requirements Table later in this section to identify the desired cryptographic feature and associated facility requirements Ensure that the correct hardware feature codes are installed for the target platform Ensure that the ICSF Program Product is installed at the proper release level Use the TSO/ISPF ICSF dialog to determine if ICSF is active and the necessary components are operative. Select option 1 and press Enter. If ICSF is not available, you will receive the message shown in the upper right portion of the screen below. HCR Integrated Cryptographic Serv OPTION ===> Enter the number of the desired option. ICSF IS NOT ACTIVE 1 COPROCESSOR MGMT - Management of Cryptographic Coprocessors 2 MASTER KEY - Master key set or change, CKDS/PKDS Processing 3 OPSTAT - Installation options 4 ADMINCNTL - Administrative Control Functions 5 UTILITY - ICSF Utilities 6 PPINIT - Pass Phrase Master Key/CKDS Initialization 10 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

19 7 TKE - TKE Master and Operational Key processing 8 KGUP - Key Generator Utility processes 9 UDX MGMT - Management of User Defined Extensions Licensed Materials - Property of IBM 5694-A01 (C) Copyright IBM Corp. 1989, All rights reserved. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Press ENTER to go to the selected option. Press END to exit to the previous menu. If ICSF is active, you will see screens like the following. These may or may not identify coprocessors, but they can be used by SecureZIP for z/os. The coprocessor status is based on the hardware configuration of your environment. System with no coprocessors available ICSF Coprocessor Management COMMAND ===> SCROLL ===> PAGE Select the coprocessors to be processed and press ENTER. Action characters are: A, D, E, K, R and S. See the help panel for details. COPROCESSOR SERIAL NUMBER STATUS ******************************* Bottom of data ******************************** System with coprocessors available ICSF Coprocessor Management Row 1 of 4 COMMAND ===> SCROLL ===> PAGE Select the coprocessors to be processed and press ENTER. Action characters are: A, D, E, R, and S. See the help panel for details. COPROCESSOR MODULE ID/SERIAL NUMBER STATUS C FD FD ACTIVE. C A A2 ACTIVE. P00 94E04777 ACTIVE. P01 94E04781 ACTIVE System with coprocessors online but not initialized for use ICSF Coprocessor Management Row 1 to 1 of 1 COMMAND ===> SCROLL ===> PAGE Select the coprocessors to be processed and press ENTER. Action characters are: A, D, E, K, R and S. See the help panel for details. COPROCESSOR SERIAL NUMBER STATUS E ONLINE ******************************* Bottom of data ******************************* Chapter 1 System Planning and Administration 11

20 If necessary, perform some or all of the following system configuration activities in accordance with the z/os ICSF Administrators Guide and the z/os Cryptographic Services System Programmer s Guide: o o o o o Ensure that the system (or LPAR) is configured for the hardware cryptographic facility Perform Hardware Management Console (HMC) activities to enable cryptographic usage through ICSF Perform Power On Reset to activate HMC settings Prepare ICSF run-time environment (e.g. allocation of control data sets) Start ICSF in update mode to establish passphrases Ensure that ICSF is started with production run-time parameters Conditionally update RACF (or equivalent security product) to permit access to the following CSFSERV Resource classes (if CSFSERV is desired to be an active class) for READ access: o o o o o CSFCKM CSFIQF CSFOWH CSFRNG CSFRNGL Consult the SecureZIP Security Administrator s Guide to identify additional Security Server rules that may require definition or adjustments. The following tables show the levels of system hardware and operating software required by various cryptographic features. ICSF Feature/Facility Requirements Table SecureZIP only This table provides an overview of system facilities required to access a specific cryptographic feature. For each supported Service within a platform configuration, three pieces of information are shown. The minimum Hardware facility required The Software callable service used A minimum ICSF release level (referenced by FMID) 12 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

21 Table 1: ICSF feature/facility requirements Cryptographic Service DES/3DES Hardware Acceleration DES/3DES Secure Key Operations (FIPS 140 Compliant) AES ICSF Software AES128 Hardware Acceleration AES192, AES256 Hardware Acceleration z/800 & z/900 CCF CSNBENC HCR7704 CCF CSNBENC HCR7704 CCF CSNBSYE HCR7706 z/890 & z/990 CPACF CSNBSYE HCR7720 CEX2C CSNBENC HCR7720 CPACF CSNBSYE HCR7720 z9-109 System z9 System z10 CPACF CSNBSYE HCR7720 CEX2C CSNBENC HCR7720 CPACF CSNBSYE HCR7720 Not available Not available CPACF CSNBSYE HCR7730 CPACF CSNBSYE HCR7720 CEX2C CSNBENC HCR7720 CPACF CSNBSYE HCR7720 CPACF CSNBSYE HCR7730 Not available Not available Not available Not available CPACF CSNBSYE HCR7720 CEX2C CSNBENC HCR7720 CPACF CSNBSYE HCR7720 CPACF CSNBSYE HCR7730 CPACF CSNBSYE AES Secure Key Operations (all AES key lengths) (FIPS 140 Compliant) SHA-1 Hardware Acceleration MD5 ICSF Software SHA-256 Hardware Acceleration SHA-384/512 Hardware Acceleration Not available Not available Not available CEX2C CSNBSAE HCR7751 *requires MCL update CCF CSNBOWH HCR7704 CCF CSNBOWH HCR7704 Not available CPACF CSNBOWH HCR7720 CPACF CSNBOWH HCR7720 CPACF CSNBOWH HCR7750 CPACF CSNBOWH HCR7720 CPACF CSNBOWH HCR7720 CPACF CSNBOWH HCR7750 CPACF CSNBOWH HCR7720 CPACF CSNBOWH HCR7720 CPACF CSNBOWH HCR7750 Not available Not available Not available Not available HCR7750 CEX2C CSNBSAE HCR7751 *requires MCL update CPACF CSNBOWH HCR7720 CPACF CSNBOWH HCR7720 CPACF CSNBOWH HCR7750 CPACF CSNBOWH HCR7751 Chapter 1 System Planning and Administration 13

22 Cryptographic Service Pseudo Random Data Generation z/800 & z/900 CCF CSNBRNG z/890 & z/990 CPACF CSNBRNG z9-109 System z9 System z10 CPACF CPACF CPACF CSNBRNG CSNBRNG CSNBRNG HCR7704 HCR7720 HCR7720 HCR7720 HCR7720 Pseudo Random Data Generation-Long CCF CSNBRNGL PCIXCC/ CEX2C CEX2C CSNBRNGL CEX2C CSNBRNGL CEX2C CSNBRNGL HCR7750 CSNBRNGL HCR7750 HCR7750 HCR7750 HCR7750 Notes: ICSF is assumed to be running in non-pcf mode, and FMIDs are listed at the minimum supported level. SMP/E and ICSF settings should be checked to verify the ICSF operating level and configuration. (Note that HCRP220 and prior FMIDs were for PCF.) Some ICSF levels may be required to be at a higher level than those shown due to IBM system configuration requirements. Through the callable service, ICSF directs which hardware/software facility to use based on the call request and the available configuration. IBM technical support documents and maintenance buckets should be reviewed to determine a complete set of system feature enablement requirements to activate the necessary level of ICSF and associated system-provided services. Distributed Operating System ICSF Levels The following table is provided as a convenience for planning purposes to show ICSF levels typically provided with a given level of the operating system. System-specific planning and requirements review should be performed for an installation. 14 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

23 Operating System Distributed ICSF Level Enabled Feature as Used by SecureZIP OS/ HCR7703 Base ICSF for CSNBENC z/os 1.2 HCR7704 z/os 1.3 HCR7706 CSNBSYE CPACF (z/x90, z9) z/os 1.4 z/os 1.5 z/os 1.6 z/os 1.7 HCR7706 or HCR7708 HCR7708 HCR770A HCR7720 or HCR7730 CSNBSYE CPACF for DES/3DES CSNBSYE AES128 hardware (z9) z/os 1.7 HCR7730 SHA-256 hashing (software only) z/os 1.8 z/os 1.9 HCR7731 HCR7740 z/os 1.10 HCR7750 HCR7751 may be installed as an upgrade to access advanced AES capabilities available through hardware. Note that many of the ICSF release levels can be installed on earlier releases of the operating system. For z/os 1.7, z/os 1.8 and z/os 1.9, HCR7750 is available for upgrades, providing for CSNBSYE AES192, AES256 hardware (z9 model dependent) and SHA-256 hashing hardware (z9). z/os UNIX File System (HFS) In the context of this section, Hierarchical File System (HFS) refers to the entire z/os UNIX file system architecture unless otherwise noted. SecureZIP z does not require any special configuration to operate with the HFS (Hierarchical File System). However, working with archives and data files located in the HFS in the z/os environment requires some setup. In particular: The run-time user s OMVS segment information must be associated with a HOME directory for that user Permissions need to be set to correspond with the run-time user s ownership of directories and files to be accessed (see PATHMODE for directory and file objects within the HFS) Group permissions for directories and files in the HFS need to support the GROUPs that the run-time user will connect to If the SAFETYEX module has been modified from releases prior to release 10.0, a fresh source copy (from INSTLIB) should be used and updated. HFS PATH entries can be added in a new section provided for this purpose in the release 10.0 version of the module. Chapter 1 System Planning and Administration 15

24 HFS Operational Knowledge To operate SecureZIP z with the HFS, you need a basic understanding of how the HFS works. For information specific to using SecureZIP z, see section z/os UNIX File System (Hierarchical File System) in chapter 9 ( File Processing ) of the PKZIP/SecureZIP for z/os User s Guide. For more general information, you will find the IBM documentation listed in the following table helpful. Resource Chapter/Section Description IBM z/os UNIX System Services Guide IBM z/os UNIX System Services Guide IBM z/os UNIX System Services Guide IBM z/os UNIX System Services Guide IBM z/os UNIX System Services Guide IBM z/os UNIX System Services Guide Chapter 14: An Introduction to the hierarchical file system Chapter 16: Working with directories Chapter 17: Working with files Chapter 18: Handling security for your file Chapter 21: Copying data between the HFS and MVS Chapter 22: Transferring file between systems Mountable File Systems Directories Files Path and Pathname Using commands to work with directories and files Using the Network File System The working directory Creating and removing a directory Naming files Deleting a file Identifying a file by its inode number Creating and deleting links Renaming a file or directory Simultaneous access to a file Default permissions set by the system Changing permissions Displaying file and directory permissions Setting the file mode creation mask Displaying extended attributes Examples and requirements for various data types File Transfer Protocol (FTP) IBM z/os JCL Reference FILEDATA Parameter describe the organization of a hierarchical file so that the system can determine how to process the file IBM z/os JCL Reference PATH Parameter specify the name of the HFS file. IBM z/os JCL Reference PATHMODE Parameter file access attributes when the system is creating the HFS file named on the PATH parameter IBM z/os JCL Reference PATHMODE Parameter specify the file access attributes when the system is creating the HFS file 16 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

25 Resource Chapter/Section Description IBM z/os JCL Reference PATHOPTS Parameter specify the access and status for the HFS file named in the PATH parameter IBM z/os SecureWay Security Server RACF Security Administrator s Guide The OMVS segment in User Profiles The z/os UNIX Identifier (UID) The initial directory path name (HOME) The maximum number of active or open files the user can have (FILEPROCMAX) The maximum number of processes the user can have (PROCUSERMAX) Migration Considerations Release 11.1 provides enhanced volume count control with MULTIVOL command specifications (e.g. ARCHIVE_SPACE_MULTIVOL). With the added capability for specifying a numeric volume count value, the default volume count associated with xxxx_space_multivol=y is changed from 59 to 5. If default volume count values greater than 5 are required, modifications to the defaults module may be performed. Release 11.1 provides segregated control of temporary data compression work space from other temporary work files. See the new TEMPDATA_xxx settings for additional information. If enabled, adjustments to existing TEMP_xxx settings should be considered to reduce overall work file allocation requirements. SecureZIP for z/os Release 11 provides the ability for an installation to logically move digital certificates from the SecureZIP Certificate Store to the installation s Security Server (for example, RACF). The SecureZIP Key Store Index component of the SecureZIP Certificate Store provides a redirection capability that permits existing jobs accessing digital certificates through the DB: syntax to reference certificates installed to the Security Server so that run-time JCL and parameters do not require modification. The administrative process of reindexing Security Server certificates for existing DB: entries is accomplished through the Add Certificates (or Register KeyRing Certificates) option under the Local Certificate Store Administration dialog. SecureZIP for z/os Release 11 includes a change to the Certificate Store references. If a Certificate Store configuration is not specified, DUMMY will be used as the default. To maintain upgrade continuity, Certificate Store configurations may be included with the INCLUDE_CMD or added to INSTLIB(ACZDFLT). Release 10 renamed the DATA_DELIMITER setting to ZIPFILE_RECORD_DELIMITER for the purpose of distinguishing it from new HFS ZOSFILE_RECORD_DELIMITER setting. Processing message references will now be made to ZIPFILE_RECORD_DELIMITER instead of DATA_DELIMITER. To maintain upgrade continuity for existing job streams, the DATA_DELIMITER command and the MCZDFLTS DATA_DELIMITER= keyword designator for the defaults module will continue to be supported as mapping entries to ZIPFILE_RECORD_DELIMITER. Release 10 renamed the PATH setting to USE_SOURCE_PATH to eliminate ambiguity with respect to HFS PATH names and PATH catalog entries. To maintain upgrade continuity for existing job streams, the PATH command and the MCZDFLTS PATH= Chapter 1 System Planning and Administration 17

26 keyword designator for the defaults module will continue to be supported as mapping entries to USE_SOURCE_PATH. Release 10 introduced newer forms of self-extractor (ref. INCLUDE_SFX for details) programs which support ZIP64 processing and Strong Decryption. Although the older versions of the self extractors are still available, they are specified with different names. Jobs coded with the previous names will include the newer form of the selfextraction programs in the archive. Release 10 introduced the command OUTFILE_LONGREC to support optional wrapping of extracted data (rather than truncating them). This command replaces a maintenance option PROC_OPT3=W setting (with alias command LONGREC_WRAP) introduced with TT3392. Although PROC_OPT3=W is still supported in this release, it is recommended that commands and default module settings be changed to use OUTFILE_LONGREC=WRAP instead. The LONGREC_WRAP alias command will now be assigned to OUTFILE_LONGREC and continue to be supported. Note: When changing the defaults module to use OUTFILE_LONGREC=W, PROC_OPT3= should be removed from the ACZDFLT source to avoid possible conflicts. When either setting is found to be W/WRAP, the record will be wrapped. Release 10 and higher permits the use of CRLF= Y,NOEOFDELIM and FILE_TERMINATOR= in the defaults module to prevent unwanted delimiter and terminator characters from being placed at the end of a file as it is added to an archive. This approach replaces old techniques of adding the commands CRLF(C) FILE_TERMINATOR() in the command stream. Release 10.0 introduced a new format for the SAFETYEX module, from INSTLIB. Transfer to a copy of the new module any installation entries you have made in the SAFETYEX that you have been using. The new version of the module has a separate section for HFS PATH entries. Installations using GZIP=Y in customized default modules should convert to ARCHIVE_ZIPFORMAT=GZIP. The GZIP setting is no longer honored when defined in the defaults module. Installations activating ARCHIVE_ZIPFORMAT Enhanced Tape Processing (XTAPE, XTAPE_LBI or FULL_LBI) should be aware that there are back-level release sharing considerations. ARCHIVE_ZIPFORMAT=FULL is recommended if a tape archive created by the current release is to be accessed by an older release of SecureZIP z. However, toleration maintenance change TT2741 is available for PKZIP for zseries (releases 5.6 & 8.2) and SecureZIP for zseries (releases 8.1 & 8.2) to provide restricted UNZIP processing capabilities. For information, refer to the ARCHIVE_ZIPFORMAT and ARCHIVE_BLKSIZE commands in the PKZIP/SecureZIP for z/os User s Guide. Installations suppressing the //SYSIN PDS member verification for performance reasons with PROC_OPT1=N (available with PKZIP for MVS maintenance) in ACZDFLT should change to CHECK_SYSIN_MEMBER=N in the assembly of ACZDFLT. PROC_OPT1 is no longer used for this purpose in PKZIP for MVS Release 5.5 or SecureZIP for z/os. Installations controlling the //SYSPRINT DCB attributes with PROC_OPT2 (available with PKZIP for MVS maintenance) in ACZDFLT should change to SYSPRINT_DCB in the assembly of ACZDFLT. PROC_OPT2 is no longer used for this purpose in PKZIP for MVS Release 5.5 or SecureZIP for z/os. 18 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

27 Installations utilizing the filename case-insensitivity feature with PROC_OPT3=U (available with PKZIP for MVS maintenance) in ACZDFLT should change to FILENAME_SELECT_CASE=U in the assembly of ACZDFLT. PROC_OPT3 is no longer used for this purpose in SecureZIP for z/os. Upgrade note: Installations previously using text translation tables other than EBC#8859 for TRANSLATE_TABLE_DATA or TRANSLATE_TABLE_FILEINFO should review the data translation characters used. The newer default tables in EBC#8859 use the IBM ICONV standard character sets for IBM-1047 EBCDIC and ISO ASCII. In general, the newer default table is better for general-purpose text translation than the older ASCIIUS, ASCIIUSE, ASCIIUK, and ASCIIUKE tables. However, the older tables are still provided for compatibility in case installation-dependent processing requires translation of specialized character sets. The command ZIP_UNMOVABLE_CHKPT replaces functional fix TT1825 using PROC_OPT5 in earlier releases of the product. Installations previously using PROC_OPT5 are encouraged to use ZIP_UNMOVABLE_CHKPT. PROC_OPT5 is still active in this release, with differences in message notification (see command Usage Notes in the User s Guide for more information). The command GZIPCRC_IGNORE replaces functional fix TT2367 using PROC_OPT6 in earlier releases of the product. Installations previously using PROC_OPT6 are encouraged to use the new command. PROC_OPT6 is still active in this release, but may be removed in the future. Encryption features associated with the Advanced Encryption Module of PKZIP for zseries releases 5.5 and 5.6 are now only available with SecureZIP for z/os. However, PKZIP for z/os Enterprise Edition does include decryption capabilities allowing access to ZIP files created by earlier releases. SecureZIP installations previously using MASTER_RECIPIENT commands for contingency key processing will find a difference in processing if multiple MASTER_RECIPIENT command settings are provided in an execution. Whereas release 8.1 used the last command value, now all MASTER_RECIPIENT settings are cumulatively added to the run to provide support for multiple contingency keys. Installations using password-based encryption with passphrases greater than 95 characters should reference information from PKWARE HIPER fix TT3057. Contact the PKWARE Support team at with any questions related to this HIPER. Release History and Setting Changes A historical list of release changes is documented in the User Guide, Chapter 3, in the sections Release Summary and New Commands and Defaults. It is highly recommended that this section be reviewed to identify changes that may require attention for your installation s current operating environment. Chapter 1 System Planning and Administration 19

28 Distinctive Features of PKZIP and SecureZIP for z/os Distinctive features available for both PKZIP and SecureZIP include: Ability to process execution from ISPF Panels, as a TSO/E command, within TSO/E REXX EXECs or CLISTs, from an application program, or a stand-alone batch utility A robust ISPF panel interface that displays the ZIP archive directory in a table format and enables selection of individual archived (zipped) files for browsing, viewing, extracting, or deleting Compression and extraction of datasets of the following types on DASD: o Sequential files o o PDS and PDSE members VSAM files (KSDS, ESDS, RRDS) o JES2 subsystem input files (for example, //ddname DD *) Command extensions allowing greater flexibility in file selection Unique filename translation to and from MVS DSNAME conventions and the UNIX-style names typically found in zip archives Compressing and extracting of datasets of the following types on tape: o o o o Sequential files Compressing and extracting of files to z/os Load Libraries Compressing and extracting of files to Generation Data Groups (GDGs) GDG files can be used as a ZIP archive Retention of dataset allocation information, such as dataset organization, device type, and DCB/Cluster attributes. Preservation of this information allows for duplication of the file with the same characteristics during the UNZIP process. Support of ZIP archives within the following dataset organizations: o Sequential files (DASD, Tape, or Cartridge) o o o PDS and PDSE members VSAM ESDS HFS (Hierarchical File System) UNIX files residing in mounted FILESYSTYPEs of HFS, NFS, TFS and ZFS. Selection of datasets for processing based upon user-specified control statements, DD JCL specifications, or user-defined filtering lists Execution in AMODE 31, using storage primarily above the 16-Mb line. However, certain operating system control blocks and system services require virtual storage below the 16-Mb line. The amount of virtual storage available within each of these areas of an address space will limit the use of some performance options (for example, multi-tasking and temporary files in storage) and capabilities. Defaults are customizable during installation. Multiple defaults modules may be created for use for a variety of application needs. Commands can be locked in the default 20 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

29 modules, precluding their use in a ZIP or UNZIP run with values or settings other than the locked ones. Use of pre-defined command files saved in a place selected by the user or system administrator. These can be referenced by multiple jobs or users, thus eliminating the need for individual JCL command streams. They can also be used in combination with individual job inputs to provide a consistent set of processing controls. Certain features of PKZIP for z/os are separately licensed. Distinctive Features of SecureZIP for z/os Distinctive features of SecureZIP for z/os include: Incorporation of the IBM Integrated Cryptographic Service Facility (ICSF) APIs, enabling the use of hardware acceleration on a variety of hardware platforms for data encryption/decryption and digital signature creation/authentication. Dynamic run-time selection of a cryptographic facility appropriate to the current operating environment. This allows the same SecureZIP configuration to perform data encryption and signature hash operations under different system cryptographic profiles and also to take advantage of newly activated cryptographic hardware. Ability to access certificates in directory servers through an LDAP-compliant interface. SecureZIP can look for certificates in LDAP certificate stores and automatically search these stores for recipients to whom you are sending an message so that you can use their keys when encrypting an attachment. (Requires the optional Directory Integration module.) Use of digital certificates located in the z/os security server Registration of passphrases to eliminate exposed run-time passphrase values Policy control through security server general resource rules Encryption Contingency Key adherence SMF recording in support of audit trails Certain features of SecureZIP for z/os are separately licensed. PKWARE PartnerLink: SecureZIP Partner for z/os SecureZIP for z/os is also available in a special version SecureZIP Partner for z/os through the PKWARE PartnerLink program. The PKWARE PartnerLink program provides a straightforward, secure way for an organization to exchange sensitive information with outside partners who perhaps do not have SecureZIP. SecureZIP Partner for z/os differs from the full SecureZIP for z/os in that it only extracts archives from, and only creates and encrypts archives for, a PartnerLink sponsor. See chapter 6 for information about SecureZIP Partner for z/os. Contact PKWARE for more information about the PKWARE PartnerLink program. Chapter 1 System Planning and Administration 21

30 Note: SecureZIP Partner for z/os was called SecureZIP for z/os Reader/SecureLink prior to release 9.0 of SecureZIP for z/os. Encryption Encryption provides confidentiality for data. Unencrypted data is called plaintext. Encryption transforms the plaintext data into an unreadable form, called ciphertext, using an encryption key. Decryption transforms the ciphertext back into plaintext using a decryption key. PKZIP for z/os provides limited support for passphrase encryption and decryption using a traditional 96-bit key (ENCRYPTION_METHOD=STANDARD). In addition, a licensable feature is available to decrypt passphrase-encrypted files that had been encrypted with SecureZIP with more advanced encryption methods. SecureZIP only Several algorithms have been approved in FIPS for the encryption of general purpose data. Each of these algorithms is a symmetric key algorithm, where the encryption key is the same as the decryption key. SecureZIP for z/os uses symmetric key algorithms when encrypting user data. In order to maintain the confidentiality of the data encrypted by a key, the key must be known only by the entities that are authorized to access the data. These symmetric key algorithms are commonly known as block cipher algorithms because the encryption and decryption processes each operate on blocks (chunks) of data of a fixed size. FIPS 46-3 and FIPS 197 have been approved for the encryption of general-purpose data. The protection of keys is discussed below under Key Management. Authentication SecureZIP only Authentication is the process of validating digital signatures that may be attached to files in an archive or to an archive s central directory. Authentication is a separate operation from data encryption. Whereas encryption is concerned with preventing parties from accessing sensitive data (such as private medical or financial information), authentication confirms that information actually comes unchanged from the purported source. Authenticating digitally signed data both verifies the signature and validates the signed data. Data Integrity SecureZIP z uses a Cyclic Redundancy Check (CRC) to ensure that data is successfully transferred into and out of a ZIP archive. The CRC process creates a unique hash value thumbprint from the original data stream. The thumbprint is regenerated at the receiving end and compared with the hash of the source for equality. The thumbprint value is stored 22 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

31 independently of the data stream and is used during UNZIP processing to complete validation of the data. SecureZIP for z/os extends the concept of the CRC in two ways for the purpose of providing a tamper-resistant container within the ZIP archive. First, more rigorous HASH algorithms (MD5 and SHA-1) are used (as specified by the SIGN_HASHALG command) in addition to the 32-bit CRC to accurately reflect the uniqueness of the data stream. Second, the hash value is encrypted within a digital signature using a private-key certificate for the purpose of tamper detection at the completion of file extraction. For more information regarding SHA-1 (Secure Hash Algorithm), see FIPS PUB 180-1, describing the Secure Hash Standard, at SecureZIP for z/os provides two commands, SIGN_ARCHIVE and SIGN_FILES, to initiate the creation of digital signatures within the ZIP archive. The AUTHCHK command is used to perform a tamper check operation using the digital signature and hash. Digital Signature Validation SecureZIP only SecureZIP for z/os makes use of certificate-based encryption within the public key infrastructure (PKI) to generate and validate digital signatures. PKI provides an authentication chain for certificates to guarantee that the signature was created by the purported source. SecureZIP supports the certificate chain authentication process by including necessary identification information within the ZIP archive. Subsequently, the certificate(s) used for signing can be authenticated through a complete chain of trust. To complete the chain of trust, a root (or self-signed) certificate representing the certificate s issuing organization is installed on the authenticating system. This provides the receiving organization with the authority to declare how the final trust sequence should be treated. Signatures based on certificates from certificate authorities (CA) that are not authorized or trusted are declared as being untrusted by SecureZIP. Additional facets of validating a certificate s viability for use include a defined range of dates within which a certificate may be used and whether the certificate has been declared to have been revoked. Configurable SecureZIP policies (EXPIRED and REVOKED attributes) provide support to ensure that the certificates involved in authentication also adhere to these restrictions. SecureZIP for z/os provides a means to install and access the certificates necessary for signing and authentication. The AUTHCHK command, along with configured policy settings governs the type (archive directory or data files) and level of authentication that is to be performed. Digital Signature Source Validation SecureZIP only A final step in the authentication process is to ensure that the archive and/or file data was sent from a particular source. The previous steps verified that the archive directory and/or Chapter 1 System Planning and Administration 23

32 files were signed with a private-key certificate that came from a trusted source (CA) and that the data stream has not been tampered with since it was placed into the ZIP archive. However, these steps alone do not guarantee that a different party under the same root/ca chain did not perform the signing operation. SecureZIP for z/os provides an optional parameter in the AUTHCHK command to declare the specific party from whom the data is expected. Public-Key Infrastructure and Digital Certificates SecureZIP only Public-Key Infrastructure (PKI) Use of digital certificates for encryption and digital signing relies on a combination of supporting elements known as a public-key infrastructure (PKI). These elements include software applications such as SecureZIP that work with certificates and keys as well as underlying technologies and services. The heart of PKI is a mechanism by which two cryptographic keys associated with a piece of data called a certificate are used for encryption/decryption and for digital signing and authentication. The keys look like long character strings but represent very large numbers. One of the keys is private and must be kept secure so that only its owner can use it. The other is a public key that may be freely distributed for anyone to use to encrypt data intended for the owner of the certificate or to authenticate signatures. How the Keys Are Used With encryption/decryption, a copy of the public key is used to encrypt data such that only the possessor of the private key can decrypt it. Thus anyone with the public key can encrypt for a recipient, and only the targeted recipient has the key with which to decrypt. With digital signing and authentication, the owner of the certificate uses the private key to sign data, and anyone with access to a copy of the certificate containing the public key can authenticate the signature and be assured that the signed data really proceeds unchanged from the signer. Authentication has one additional step. As an assurance that the signer is who he says he is that the certificate with Bob s name on it is not fraudulent the signer s certificate itself is signed by an issuing certificate authority (CA). The CA in effect vouches that Bob is who he says he is. The CA signature is authenticated using the public key of the CA certificate used. This CA certificate too may be signed, but at some point the trust chain stops with a selfsigned root CA certificate that is simply trusted. The PKI provides for these several layers of end-user public key certificates, intermediate CA certificates, and root certificates, as well as for users private keys. x.509 X.509 is an International Telecommunication Union (ITU-T) standard for PKI. X.509 specifies, among other things, standard formats for public-key certificates. A public-key certificate 24 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

33 consists of the public portion of an asymmetric cryptographic key (the public key), together with identity information, such as a person s name, all signed by a certificate authority. The CA essentially guarantees that the public key belongs to the named entity. Digital Certificates A digital certificate is a special message that contains a public key and identity information about the owner, usually including name and perhaps address. An ordinary, end-user digital certificate is digitally signed by the CA that issued it to warrant that the CA issued the certificate and has received satisfactory documentation that the owner of the certificate is who he says he is. This warrant, from a trusted CA, enables the certificate to be used to support digital signing and authentication, and encryption of data uniquely for the owner of a certificate. For example, Web servers frequently use digital certificates to authenticate the server to a user and create an encrypted communications session to protect transmitted secret information such as Personal Identification Numbers (PINs) and passwords. Similarly, an message may be digitally signed, enabling the recipient of the message to authenticate its authorship and that it was not altered during transmission. To use PKI technology in SecureZIP for z/os for encryption and to attach digital signatures, you must have a digital certificate. Certificate Authority (CA) A certificate authority (CA) is a company (usually) that, for a fee, will issue a public-key certificate. The CA signs the certificate to warrant that the CA issued the certificate and has received satisfactory documentation that the owner of the new certificate is who he says he is. Private Key A digital certificate contains both private and public portions of an asymmetric cryptographic key together with identity information, such as a person's name and (possibly) address. The private portion of the key is called the private key and is used to decrypt data encrypted with the associated public key and to attach digital signatures. A private key must be accessible solely by the owner of the certificate because it represents that person and provides access to encrypted data intended only for the owner. SecureZIP for z/os may use a private key maintained in x.509 PKCS#12 format. To access such keys, a password must be entered for each SecureZIP request. When the private key is held in the z/os Security Server (such as RACF) or the ICSF PKDS, access permission to the private key is governed by the security server, and a password is not required. Public Key A public key consists of the public portion of an asymmetric cryptographic key in a certificate that also contains identity information, such as the certificate owner s name. The public key is used to authenticate digital signatures created with the private key and to encrypt files for the owner of the key s certificate. Chapter 1 System Planning and Administration 25

34 Certificate Authority and Root Certificates End entity certificates and their related keys are used for signing and authentication. They are created at the end of the trust hierarchy of certificate authorities. Each certificate is signed by its CA issuer and is identified in the Issued By field in the end certificate. In turn, a CA certificate can also be issued by a higher level CA. Such certificates are known as intermediate CA certificates. At the top of the issuing chain is a self-signed certificate known as the root. SecureZIP for z/os uses public-key certificates in PKCS#7 format. The intermediate CA certificates are maintained independently from the ROOT certificates. Setting Up Stores for Digital Certificates on z/os SecureZIP only To use certificates for encryption/decryption or digital signing/authentication, SecureZIP needs to access the keys in the certificates. An installation may choose any combination of the following options for storing digital certificates in a repository: Security Server (for example, RACF) key rings with public and private keys suitable for signing, authentication, encryption, and decryption. If the system is appropriately equipped with a cryptographic coprocessor supporting asymmetric keys, private keys may optionally be stored in the ICSF PKDS. SecureZIP Certificate Store with public and private keys suitable for signing, authentication, encryption, and decryption. LDAP server with public key certificates suitable for encryption. Regardless of the certificate repositories chosen, it is recommended that you create and configure a SecureZIP certificate store. The key store index component of the SecureZIP certificate store can be used for other features, such as providing a cross-reference lookup of decryption recipients in a ZIP archive, or registering passphrases in the ICSF CKDS. Setting Up the Certificate Stores The PKWARE utility used to administer the local certificate store is accessed through an ISPF dialog. The CREATE option assists you in setting up the store and imports certificates you want SecureZIP to use. For detailed instructions on creating certificate stores on z/os, refer to chapter 4. The utility procedure maintains the stores listed in the following table. 26 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

35 Store Public Private Intermediate Certificate Authority Trusted Root Certificate Authority Description A store for end-entity certificates used to identify encryption recipients or for authentication of digital signatures. Certificate files in this store contain only public keys; they do not contain private keys. SecureZIP for z/os represents these certificates held in the local certificate store through the ISPF interface as CER entries. Other system types may refer to this store as Other People or Address Book A store for end-entity certificate files with their respective private keys. Private keys are used to decrypt files or perform digital signing. SecureZIP for z/os represents these certificates held in the local certificate store through the ISPF interface as PFX entries. (Private keys in this store are encrypted using PKCS#8 format and PKCS#5 version 2.) Other system types may refer to this store as Personal or MY Store A store of issuing certificates files associated with the end-entity certificates. These certificates are used to authenticate the validity of an end-entity digital signature on a receiving system. They are also included in a SecureZIP archive when a signing operation is performed. Other system types may refer to this store as CA A store of issuing certificates that are classified as self signed, meaning that each one is at the top of a hierarchy of issuing CAs. These certificates are used to authenticate the validity of an end-entity digital signature on a receiving system. They are deemed to be trusted by virtue of their installation on an authenticating system. They are also included in a SecureZIP archive when a signing operation is performed. Other system types may refer to this store as ROOT The local certificate store administrative utility sets up the certificate stores as physical files containing X.509 certificates, with a VSAM index structure providing search and selection capabilities. A SecureZIP for z/os create dialog is provided to lead a systems administrator through the steps needed to allocate and prime a new local certificate store. Sample test certificates are installed to each store type, making it ready for use. In addition, a configuration file is generated that should be made accessible for SecureZIP users for use in encryption, decryption, signing, and authentication requests. The configuration file may be included explicitly through an INCLUDE_CMD command, or implicitly by activating it through the PARMLIB configuration of the SecureZIP defaults module. A set of high-level qualifiers is used to control the allocation of the physical store data sets and index components. This permits multiple distinct local certificate stores to be created, administered and accessed independently within a system. This is useful for segregating test from production, or other departmental separation. Data set protection may then be applied to various components to control update or read access as needed. RACF ALTER authority (or equivalent) must be granted to the systems administrator responsible for creating a new certificate store. This authority is also required for creating Chapter 1 System Planning and Administration 27

36 backups, performing recovery operations, or performing some synchronization tasks which reallocate components. Updating the Certificate Stores X.509 certificates may be added to the local certificate store through the SecureZIP local certificate store administration tool. These certificates are frequently obtained through another platform and transferred (binary) to the operational z/os system for installation. Important: All X.509 certificates should be transferred to the local z/os environment in binary mode with no translation. When certificates are added, the certificate administration tool determines the appropriate store location based on the certificate type specified and dynamically builds an index entry for future search and selection. SecureZIP can import certificates and keys in the following file formats: Format PEM PKCS#12 PKCS#7 Description Contains a single end-entity public-key certificate. It may be in Base-64 encoded (ASCII text with ASCII headers) or DERencoded binary format. Common file extensions:.pem,.cer,.key Contains a single end-entity private-key certificate (which also contains its public keys). By definition, it is in binary format. Common file extensions:.pfx,.p12 Contains one or more CA (and or Root) certificates Common file extension:.p7b You must tell the certificate store administrative dialog what certificate file-type and key-type to import. The utility copies the existing certificates and keys from their specified location and adds them to the appropriate store locations. When transferring certificates to the z/os environment in preparation for an import to the local certificate store, be sure to allocate the file they are stored in as sequential, with a DCB RECFM of F, FB, V or VB. RACF UPDATE authority (or equivalent) must be granted to the systems administrator responsible for altering the certificate store. This authority is also required when performing the on-line Synchronize function. Types of Encryption Algorithms Standard PKZIP for z/os provides support for password-based encryption and decryption using a 96- bit Standard encryption algorithm that is supported by older ZIP-compatible utilities. In 28 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

37 addition, PKZIP for z/os Enterprise Edition supports the decryption of all password-based algorithms provided in SecureZIP for z/os. SecureZIP only FIPS 46-3, Data Encryption Standard (DES) The FIPS (Federal Information Processing Standards) specification 46-3 formerly specified the DES algorithm for use in Federal government applications. In 2004, the specification was changed such that DES is no longer approved for Federal government applications. Triple DES Algorithm (3DES) Triple DES is a more recent algorithm related to DES. Triple DES is a method for encrypting data in 64-bit blocks using three 56-bit keys by combining three successive invocations of the DES algorithm. ANSI X9.52 specifies seven modes of operation for 3DES and three keying options: 1) the three keys may be identical (one key 3DES), 2) the first and third key may be the same but different from the second key (two key 3DES), or 3) all three keys may be different (three key 3DES). One key 3DES is equivalent to DES under the same key; therefore, one key 3DES, like DES, will not be approved after Two key 3DES provides more security than one key 3DES (or DES), and three key 3DES achieves the highest level of security for 3DES. NIST recommends the use of three different 56-bit keys in Triple DES for Federal Government sensitive/unclassified applications. SecureZIP for z/os uses three-key 3DES when Triple DES is selected as the data encryption algorithm. Advanced Encryption Standard (AES) The Advanced Encryption Standard (AES) encryption algorithm specified in FIPS 197 is the result of a multiyear, worldwide competition to develop a replacement algorithm for DES. The winning algorithm (originally known as Rijndael) was announced in 2000 and adopted in FIPS 197 in The AES algorithm encrypts and decrypts data in 128-bit blocks, with three possible key sizes: 128, 192, or 256 bits. The nomenclature for the AES algorithm for the different key sizes is AES-x, where x is the size of the AES key. NIST considers all three AES key sizes adequate for Federal Government sensitive/unclassified applications. Please see a press release recapping NIST s position SecureZIP for z/os uses AES as the default encryption algorithm. Comparison of the 3DES and AES Algorithms Both the 3DES and AES algorithms are considered to be secure for the foreseeable future. Below are some points of comparison: Chapter 1 System Planning and Administration 29

38 3DES builds on DES implementations and is readily available in many cryptographic products and protocols. The AES algorithm is new; although many implementers are quickly adding the algorithm to their products, and protocols are being modified to incorporate the algorithm, it may be several years before the AES algorithm is as pervasive as 3DES. The AES algorithm was designed to provide better performance (e.g., faster speed) than 3DES. Although the security of block cipher algorithms is difficult to quantify, the AES algorithm, at any of the key sizes, appears to provide greater security than 3DES. In particular, the best attack known against AES-128 is to try every possible 128-bit key (i.e., perform an exhaustive key search, also known as a brute force attack)). By contrast, although three key 3DES has a 168-bit key, there is a shortcut attack on 3DES that is comparable, in the number of required operations, to performing an exhaustive key search on 112-bit keys. However, unlike exhaustive key search, this shortcut attack requires a lot of memory. Assuming that such shortcut attacks are not discovered for the AES algorithm, the uses of the AES algorithm may be more appropriate for the protection of high-risk or long-term data. The smallest AES key size is 128 bits; the recommended key size for 3DES is 168 bits. The smaller key size means that fewer resources are needed for the generation, exchange, and storage of key bits. The AES block size is 128 bits; the 3DES block size is 64 bits. For some constrained environments, the smaller block size may be preferred; however, the larger AES block size is more suitable for cryptographic applications, especially those requiring data authentication on large amounts of data. See for a press release describing NIST s position on the two algorithms. With a block cipher algorithm, the same plaintext block will always encrypt to the same ciphertext block whenever the same key is used. If the multiple blocks in a typical message were to be encrypted separately, an adversary could easily substitute individual blocks, possibly without detection. Furthermore, data patterns in the plaintext would be apparent in the ciphertext. Cryptographic modes of operation have been defined to alleviate these problems by combining the basic cryptographic algorithm with a feedback of the information derived from the cryptographic operation. FIPS 81, DES Modes of Operation, defines four confidentiality (encryption) modes for the DES algorithm specified in FIPS 46-3: the Electronic Codebook (ECB) mode, the Cipher Block Chaining (CBC) mode, the Cipher Feedback (CFB) mode, and the Output Feedback (OFB) mode. SecureZIP for z/os uses Cipher Block Chaining for data encryption. RC4 The RC4 algorithm is a stream cipher designed by Rivest for RSA Security. It is a variable keysize stream cipher with byte-oriented operations. The algorithm is based on the use of a random permutation. Analysis shows that the period of the cipher is overwhelmingly likely to be greater than Eight to sixteen machine operations are required per output byte, and 30 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

39 the cipher can be expected to run very quickly in software. Independent analysts have scrutinized the algorithm and it is considered secure. RC4 is used for secure communications, as in the encryption of traffic to and from secure web sites using the SSL protocol. Key Management The proper management of cryptographic keys is essential to the effective use of cryptography for security. Keys are like the combination of a safe. If the combination becomes known to an adversary, the strongest safe provides no security against penetration. Similarly, poor key management can easily compromise strong algorithms. Ultimately, the security of information protected by cryptography directly depends on the strength of the keys, the effectiveness of mechanisms and protocols associated with keys, and the protection afforded the keys. Cryptography can be rendered ineffective by the use of weak products, inappropriate algorithm pairing, poor physical security, and the use of weak protocols. All keys need to be protected against modification, and secret and private keys need to be protected against unauthorized disclosure. Key management provides the foundation for the secure generation, storage, distribution, and destruction of keys. Further information is available on key management at the NIST Computer Security Resource Center web site, Passwords and PINS FIPS 112, Password Usage, provides guidance on the generation and management of passwords used to authenticate the identity of a system user and, in some instances, to grant or deny access to private or shared data. This standard recognizes that passwords are widely used in computer systems and networks for these purposes, although passwords are not the only method of personal authentication, and the standard does not endorse the use of passwords as the best method. The password used to encrypt a file with SecureZIP z may be from 1 to 250 characters in length. Different passwords may be used for various files within a ZIP archive, although only one password may be specified per run. The password is not stored in the ZIP archive and, as a result, care must be taken to keep passwords secure and accessible by some other source. Recipient Based Encryption SecureZIP only Password-based encryption depends on both the sender and receiver knowing, and providing intellectual input (the password) in clear text. The password is used to derive a binary master session key for each decryption run. No key information is kept within the ZIP archive, therefore both parties must retain the password in an external location. Chapter 1 System Planning and Administration 31

40 Recipient-based encryption provides a means by which the master session key (MSK) information can be hidden, protected, and carried within the ZIP archive. This is done by using a technique known as digital enveloping with public key encryption. The technique requires that the creating process have a copy of the recipient's public key digital certificate, which is used to protect and store the MSK. In addition, the receiving side must have a copy of the recipient's private key digital certificate. With these two pieces of information in place, there is no need for users to retain or recall a password for decryption. Random Number Generation SecureZIP only Random numbers are used within many cryptographic applications, such as the generation of keys and other cryptographic values, the generation of digital signatures, and challenge response protocols. Some approved algorithms to produce random numbers have been specified in FIPS 186-2, Digital Signature Standard. An effort is in progress by the Financial Services Committee of ANSI to develop a random number generation standard. Integrity of Public and Private Keys SecureZIP only Public and private keys must be managed properly to ensure their integrity. The key owner is responsible for protecting private keys. The private signature key must be kept under the sole control of the owner to prevent its misuse. The integrity of the public key, by contrast, is established through a digital certificate issued by a certification authority (CA) that cryptographically binds the individual s identity to his or her public key. Binding the individual s identity to the public key enables the key to be reliably used, for example, to authenticate signatures created with the corresponding private key. A PKI includes the ability to recover from situations where an individual s private signature key is lost, stolen, compromised, or destroyed. This is done by revoking the digital certificate that contains the private signature key s corresponding public key (discussed further below). The user then creates or is issued a new public/private signature key pair and receives a new digital certificate for the new public key. Data Encryption SecureZIP only SecureZIP for z/os security functions include strong encryption tools using RSA BSAFE and IBM ICSF. SecureZIP for z/os provides symmetric data encryption through these facilities using the RC4, DES, 3DES or AES algorithms. 32 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

41 RSA High-Quality Security - RSA Security submits its Crypto-C products for FIPS 140 testing and validation. FIPS and FIPS are U.S. Government standards which specify the security requirements to be satisfied by a cryptographic module. RSA Security supports this testing and certification with over 20 years of experience in the security industry. IBM z/os Integrated Cryptographic Service Facility (ICSF) provides several callable services to access both hardware and software implementations of the DES, 3DES and AES algorithms. With access to FIPS-validated hardware (such as the CEX2C), SecureZIP for z/os provides FIPS compliant encryption and decryption services. SecureZIP for z/os uses a multi-layer key generation process based on a user-specified password of up to 250 characters, and/or a user s digital certificate, that creates a unique internal key for each file being processed. The same password will result in a different systemgenerated key for each file. SecureZIP for z/os also implements the use of cipher block chaining (CBC) to further enhance industry standard encryption algorithms. This feature ensures that each block of data is uniquely modified, further protecting the data from fraudulent access. SecureZIP for z/os encryption is activated through the use of the PASSWORD and/or RECIPIENT commands. If a value is present for either setting, whether through commands or default settings, then encryption will be attempted in accordance with other settings (for example, ENCRYPTION_METHOD). However, if ENCRYPTION_METHOD=NONE is specified, then encryption will be bypassed. Chapter 1 System Planning and Administration 33

42 2 Installation, Licensing, and Configuration Installation Overview The installation of SecureZIP z is accomplished by following the steps summarized below: Select the media to be used in installing SecureZIP z. Install from downloaded file, CD or tape. Review the README.TXT file for recent information updates. Evaluate system requirements. Edit the supplied job control (JCL) with appropriate parameter changes for your data center. Review the present chapter on installation, license, and configuration in this manual and proceed accordingly. Run the installation verification jobs and test product features by modifying the sample JCL supplied in PKWARE.MVS.INSTLIB. Begin using the product. Details of these summarized instructions may be found below. Type of Media Distribution for Installation The SecureZIP z program may be received and installed from a variety of media types: Downloaded from the PKWARE web site Received from PKWARE on compact disc (CD). Received from PKWARE on magnetic cartridge. 34 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

43 Installation from Downloaded File or CD Non-SMP/E Installation If you have downloaded SecureZIP z from PKWARE s Web site, ftp site, or have received the product on CD, then the file you need to start with is the self-extracting zip file called PKZIPzOS.exe (PKZIP), SecureZIPzOS.exe (SecureZIP) or PartnerLinkzOS.exe (SecureZIP Partner). The self-extracting file contains the binary XMIT files needed for installation along with various other supporting text and documentation. The files extracted include: Text Files GLOBAL CONTACTS.TXT LICENSE.TXT README.TXT ALLOC.JCL RECEIVE.JCL WHATSNEW.TXT How to contact domestic and international resellers PKWARE's license agreement Installation and Configuration Instructions Allocation JCL (IEFBR14) Receive the transmitted files A text file documenting product changes Product Binaries PKZIP Data Set SecureZIP Data Set PartnerLink Data Set Distribution Library PKZIP.XMIT.CEXEC SECZIP.XMIT.CEXEC PLINK.XMIT.CEXEC Compiled REXX Library PKZIP.XMIT.HELP SECZIP.XMIT.HELP PLINK.XMIT.HELP Help Library PKZIP.XMIT.INSTLIB SECZIP.XMIT.INSTLIB PLINK.XMIT.INSTLIB Install Library PKZIP.XMIT.INSTLIB2 SECZIP.XMIT.INSTLIB2 PLINK.XMIT.INSTLIB2 Install Library 2 PKZIP.XMIT.LOAD SECZIP.XMIT.LOAD PLINK.XMIT.LOAD Common Load Module PKZIP.XMIT.MACLIB SECZIP.XMIT.MACLIB PLINK.XMIT.MACLIB Macro Library PKZIP.XMIT.SPKZCLIB SECZIP.XMIT.SPKZCLIB PLINK.XMIT.SPKZCLIB REXX Exec Library PKZIP.XMIT.SPKZMLIB SECZIP.XMIT.SPKZMLIB PLINK.XMIT.SPKZMLIB Message Library PKZIP.XMIT.SPKZPLIB SECZIP.XMIT.SPKZPLIB PLINK.XMIT.SPKZPLIB Panel Library PKZIP.XMIT.SPKZSLIB SECZIP.XMIT.SPKZSLIB PLINK.XMIT.SPKZSLIB Skeleton Library PKZIP.XMIT.SPKZTLIB SECZIP.XMIT.SPKZTLIB PLINK.XMIT.SPKZTLIB Table Library Chapter 2 Installation, Licensing, and Configuration 35

44 Available Documentation (distributed in Adobe Acrobat.PDF format) PKZIP and SecureZIP for zos V11.0 SYSTEM ADMINISTRATORS GUIDE.PDF PKZIP and SecureZIP for zos V11.0 MESSAGES GUIDE.PDF PKZIP and SecureZIP for zos V11.0 SECURITY ADMINISTRATORS GUIDE.PDF PKZIP and SecureZIP for zos V11.0 USERS GUIDE.PDF PKZIP and SecureZIP for zos V11.0 APPLICATION INTEGRATION GUIDE.PDF PKZIP and SecureZIP for zos V11.0 SEARCHABLE INDEX.PDX Review the installation instructions found below if you are installing from download or CD. If the software was received on magnetic cartridge, please see Installing from Tape, below, for the installation JCL, or download the JCL from our Web site. In either case, follow the instructions applicable to your installation method before continuing through this document. Below are the step-by-step non-smp/e installation instructions. I. TRANSFERRING THE TEXT FILES TO THE HOST 1. Transfer the text file "ALLOC.JCL" to the host. You may transfer the file into an existing PDS, or you may use the allocation in step 2 below: o Convert the data from ASCII to EBCDIC o Insert CR/LF's 2. A suitable allocation for "ALLOC.JCL" is as follows: SPACE UNITS: TRKS BLKS: 1 (PRI) 1 (SEC) DIRBLKS: 0 RECFM: FB LRECL: 80 BLKSIZE: 6160 DSORG: PS (or BASIC; release dependent) 3. Follow the same procedure for the "RECEIVE.JCL" provided file. II. RUNNING THE ALLOC JCL The ALLOC job contains JCL that will perform an IEFBR14 for the eleven (11) binary dataset allocations. You will need to edit the ALLOC JCL with the appropriate variables in order to achieve a RC= Before you submit the ALLOC JCL (ALLOC.JCL), you will need to supply a job card. You will also need to modify the job variables. As an example: // CEXEC DD DSN={pkware}.XMIT.CEXEC,DISP=(NEW,CATLG), // UNIT={sysda},VOL=SER={volume1},SPACE=(CYL,(2,2)), // DCB=(RECFM=FB,LRECL=80,BLKSIZE=3120) 2. {pkware} is the name of the pre-allocated dataset that is being created by this job. These are the target datasets that you transfer the binary files into. 3. {sysda} is the unit where SecureZIP z files will reside. 36 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

45 4. {volume1} is the volume where the SecureZIP z files reside 5. Submit the job, and review and correct any non-zero return codes. 6. Your eleven (11) target datasets have successfully been allocated. III. TRANSFERRING THE BINARY FILES TO THE HOST Before you transfer the files to the host, it is imperative that you do not perform any kind of translation of the data from ASCII to EBCDIC or append CR/LF's. If you do, your uploaded datasets will be corrupted. 1. Transfer the binary files (PKWARE.XMIT.*) from your PC into the target datasets that you created in Step II: o Do not translate the data o Do not insert CR/LF's 2. Be sure to transfer all eleven binaries, and then move onto the next step. IV. RUNNING THE RECEIVE JCL The RECEIVE job contains JCL that will perform an IKJEFT01 for the eleven binary datasets. You will need to edit the RECEIVE JCL with the appropriate variables in order to achieve a RC= Before you submit the RECEIVE JCL, you will need to supply a job card. You will also need to modify the job variables. As an example: RECEIVE INDSN('{xmitdsn}.XMIT.CEXEC') DSNAME('{dsnhlq}.CEXEC') 2. INDSN {xmitdsn} is the high-level qualifier of the XMIT'd dataset you transferred from the PC to the host. 3. DSNAME {dsnhlq} is the DSN that gets created by this job. It s what you want to call the installed SecureZIP z product libraries. 4. Submit the job, and review and correct any non-zero return codes. 5. Your eleven binary datasets have successfully been converted to a trial-ready version of SecureZIP z. V. Licensing PKZIP/SecureZIP for z/os Please refer to Initializing the License, later in this chapter, for information and instructions on how to license your copy of SecureZIP z. This ends the installation of SecureZIPz if you are installing from PKZIPzOS.exe or SecureZIPzOS.exe. If you are performing an SMP/E installation or installing from a tape cartridge, then continue on to the next section. SMP/E Installation The installation and software management of SecureZIP z can also be accomplished with SMP/E. Although the product requires no operating system modifications or authorized routines, the ability to manage the software is enhanced using IBM s SMP/E facilities. Chapter 2 Installation, Licensing, and Configuration 37

46 The PKZIPzOSSMP.exe (PKZIP), SecureZIPzOSSMP.exe (SecureZIP) or PartnerLinkzOSSMP.exe (PartnerLink) file contains the binary XMIT files needed for installation, along with text files, a README.TXT, and other files that have sample JCL to process the files for implementation. The files are listed in the following tables. Text Files GLOBAL CONTACTS.TXT LICENSE.TXT README.TXT RECEIVE.JCL ALLOC.JCL SMPALCSI.TXT SMPALPDS.TXT SMPAPPLY.TXT SMPRECV.TXT SMPUCLIN.TXT WHATSNEW.TXT How to contact domestic and international resellers PKWARE's license agreement Installation and Configuration Instructions Receive the transmitted files Allocation JCL (IEFBR14) This job allocates the VSAM files needed to build a new SMP/E environment. If SecureZIP z is being installed in an existing SMP/E CSI, this job will not be needed. This job allocates the Partitioned Data Set files needed to build an SMP/E environment. This job applies the elements of the FUNCTION PKZIP82. A return code of four (RC=4) is expected in the listings from IEBCOPY for z/os load modules. This job receives the FUNCTION PKZIP82. All of the ++ MCS elements are in the input file PKWARE.MVS.SMP.MCS. This job updates the SMP/E CSI environment to prepare for the install of SecureZIP z. A text file documenting product changes Product Binaries PKZIP Data Set SecureZIP Data Set PartnerLink Data Set Distribution Library PKZIP.XMIT.SMP.DCEXE SECZIP.XMIT.SMP.DCEXE PLINK.XMIT.SMP.DCEXE Compiled REXX Library PKZIP.XMIT.SMP.DHELP SECZIP.XMIT.SMP.DHELP PLINK.XMIT.SMP.DHELP Help Library PKZIP.XMIT.SMP.DINST SECZIP.XMIT.SMP.DINST PLINK.XMIT.SMP.DINST Install Library PKZIP.XMIT.SMP.DINST2 SECZIP.XMIT.SMP.DINST2 PLINK.XMIT.SMP.DINST2 Install Library 2 PKZIP.XMIT.SMP.DLOAD SECZIP.XMIT.SMP.DLOAD PLINK.XMIT.SMP.DLOAD Common Load Module PKZIP.XMIT.SMP.DMACL SECZIP.XMIT.SMP.DMACL PLINK.XMIT.SMP.DMACL Macro Library PKZIP.XMIT.SMP.DCLIB SECZIP.XMIT.SMP.DCLIB PLINK.XMIT.SMP.DCLIB REXX Exec Library PKZIP.XMIT.SMP.DMLIB SECZIP.XMIT.SMP.DMLIB PLINK.XMIT.SMP.DMLIB Message Library PKZIP.XMIT.SMP.DPLIB SECZIP.XMIT.SMP.DPLIB PLINK.XMIT.SMP.DPLIB Panel Library PKZIP.XMIT.SMP.DSLIB SECZIP.XMIT.SMP.DSLIB PLINK.XMIT.SMP.DSLIB Skeleton Library PKZIP.XMIT.SMP.DTLIB SECZIP.XMIT.SMP.DTLIB PLINK.XMIT.SMP.DTLIB Table Library PKZIP.XMIT.SMP.MCS SECZIP.XMIT.SMP.MCS PLINK.XMIT.SMP.MCS SMP MCS Control Cards 38 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

47 Documentation (distributed in Adobe Acrobat.PDF format) PKZIP and SecureZIP for z/os SYSTEM ADMINISTRATOR S GUIDE.PDF PKZIP and SecureZIP for z/os MESSAGES AND CODES.PDF PKZIP and SecureZIP for z/os SECURITY ADMINISTRATOR S GUIDE.PDF PKZIP and SecureZIP for z/os USER S GUIDE.PDF PKZIP and SecureZIP for z/os APPLICATION INTEGRATION GUIDE.PDF INDEX.PDX You should have downloaded or copied a file on your PC called PKZIPzOSSMP.exe (PKZIP), SecureZIPzOSSMP.exe (SecureZIP) or PartnerLinkzOSSMP.exe (PartnerLink). These are self-extracting ZIP files. Double-click on the file to extract the files inside to a pre-defined folder on your PC. Below are step-by-step SMP/E installation instructions. I. TRANSFERRING THE TEXT FILES TO THE HOST 1. Transfer the text file "ALLOC.JCL" to the host. You may transfer the file into an existing PDS or you may use the allocation in step "2" below: o Convert the data from ASCII to EBCDIC o Insert CR/LF's 2. A suitable allocation for "ALLOC.JCL" is as follows: SPACE UNITS: BLKS BLKS: 5 (PRI) 1 (SEC) DIRBLKS: 0 RECFM: FB LRECL: 80 BLKSIZE: 3120 DSORG: PS 3. Follow the same procedure for the "RECEIVE.JCL" provided file. II. RUNNING THE ALLOC JCL The ALLOC job contains JCL that will perform an IEFBR14 for the twelve binary dataset allocations. You will need to edit the ALLOC JCL with the appropriate variables in order to achieve a RC= Before you submit the ALLOC JCL (ALLOC.JCL), you will need to supply a job card. You will also need to modify the job variables. As an example: // CEXEC DD DSN={pkware}.XMIT.SMP.DCEXE,DISP=(NEW,CATLG), // UNIT={sysda},VOL=SER={pkware1},SPACE=(CYL,(2,2)), // DCB=(RECFM=FB,LRECL=80,BLKSIZE=3120) 2. {pkware} is the name of the preallocated dataset that is being created by this job. Chapter 2 Installation, Licensing, and Configuration 39

48 These are the target datasets that you transfer the binary files into. 3. {sysda} is the unit where SecureZIP z files will reside. 4. {volume1} is the volume where the SecureZIP z files reside 5. Submit the job, and review and correct any non-zero return codes. 6. Your twelve target datasets have successfully been allocated. III. TRANSFERRING THE BINARY FILES TO THE HOST Before you transfer the files to the host, it is imperative that you do not perform any kind of translation of the data from ASCII to EBCDIC or append CR/LF's. If you do, your uploaded datasets will be corrupted. 1. Transfer the binary files (PKWARE.XMIT.*) from your PC into the target datasets that you created in step IV. o Do not translate the data o Do not insert CR/LF's 2. Be sure to transfer all twelve binaries, and then move onto the next step. IV. RUNNING THE RECEIVE JCL The "RECEIVE" job contains JCL that will perform an IKJEFT01 for the twelve binary datasets. You need to edit the RECEIVE JCL with the appropriate variables in order to achieve a RC= Before you submit the RECEIVE JCL, you will need to supply a job card. You will also need to modify the job variables. As an example: RECEIVE INDSN('{xmitdsn}.XMIT.SMP.DCEXE') DSNAME('{dsnhlq}.SMP.DCEXE') 2. INDSN {xmitdsn} is the high level qualifier of the XMIT'd dataset you transferred from the PC to the host. 3. DSNAME {dsnhlq} is the DSN that gets created by this job. 4. Submit the job, and review and correct any non-zero return codes. 5. Your twelve binary datasets have successfully been converted to a distribution package for the SMP installation. V. SMP/E INSTALLATION: The installation and software management of SecureZIP z can be accomplished with SMP/E. Although the product requires no operating system modifications or authorized routines, the ability to manage the software is enhanced using IBM s SMP/E facilities. The file PKWARE.MVS.SMP.MCS is the SMPPTFIN DD file for the RECEIVE processing. This file contains all of the control information to build the SecureZIP z environment. After running the RECEIVE JCL, all of the necessary files that you need to start the SMP process have been allocated on your system. The included five (SMP*.JCL files) jobs allocate, define, and build SecureZIP z and must be run in the following sequence: 40 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

49 SMPALPDS.JCL SMPALCSI.JCL SMPUCLIN.JCL SMPRECV.JCL SMPAPPLY.JCL Please note that user-specific customization may be required if you choose to install SecureZIP z in an existing SMP/E CSI. Consideration has been given to this possibility, but it is up to each individual site to verify that there are no problems with duplicate DDDEF, library structures, or utility definitions that may prevent these job streams from completing successfully. VI. Licensing PKZIP for z/os and SecureZIP for z/os Please refer to the section Tailoring Site-Specific Changes to the Defaults Module, below, for required information and procedures to properly license your copy of SecureZIP z. This ends the SMP/E installation of SecureZIP z. If you are installing from a tape cartridge, then continue on to the next section. Installing from Tape If you have received SecureZIP z on a magnetic cartridge, the installation is as simple as an IEBCOPY of the SecureZIP z libraries from tape to DASD. The screen below shows the first step of the IEBCOPY, one of the steps needed to complete the installation of SecureZIP z from tape. //JS010 EXEC PGM=IEBCOPY //* //SYSUT1 DD DSN=PKWARE.MVS.CEXEC, // UNIT=tape,LABEL=(,SL), <=== // DISP=OLD,VOL=(,RETAIN,,,SER=seczip1) <=== //* //SYSUT2 DD DSN=pkware.mvs.CEXEC, <=== // DISP=(NEW,CATLG,DELETE), // SPACE=(CYL,(2,1,52)), // UNIT=disk, <=== // VOL=SER=volume <=== //* //SYSUT3 DD UNIT=sysda,SPACE=(CYL,(5,5)) <=== //SYSUT4 DD UNIT=sysda,SPACE=(CYL,(5,5)) <=== //* //SYSPRINT DD SYSOUT=* //* //SYSIN DD * COPY INDD=SYSUT1,OUTDD=SYSUT2 /* If you prefer not to type this entire job stream, you may download the COPYCART.TXT JCL from our website and upload it to a data set or member. Remember to perform an ASCII or TEXT transfer to convert the data from ASCII to EBCDIC, modify the JCL, and submit. Chapter 2 Installation, Licensing, and Configuration 41

50 Tailoring Site-Specific Changes to the Defaults Module The configuration defaults module, *.MVS.LOAD(ACZDFLT), is provided with the product. It is coded to allow for execution in a generic MVS environment. However, to make changes to the defaults, you will need to modify the *.MVS.INSTLIB(ACZDFLT) module. YOU MUST MODIFY THIS MODULE BEFORE YOU PROCEED TO USE SecureZIP z. It is recommended that the values defined in the module be reviewed before running in a production setting. Upgrade note: Installations suppressing the //SYSIN PDS member verification for performance reasons with PROC_OPT1=N (available with maintenance and above) in ACZDFLT should change to CHECK_SYSIN_MEMBER=N in the assembly of ACZDFLT. PROC_OPT1 will no longer be used for this purpose in Release 5.5 and above. MCZDFLTS TYPE=CSECT, * LICENSE_HLQ=PKWARE.MVS, * == Change this to reflect your installation ACTIVITY_LOG=PKWARE.ACTIVITY.LOG, * == Change this to reflect your installation PARMLIB_DSNAME_ZIP=NULLFILE * PARMLIB_DSNAME_UNZIP=NULLFILE, * Once you have, at minimum, modified the LICENSE_HLQ statement to reflect your installation, you will need to assemble these changes via the ASMDFLT member in the *.MVS.INSTLIB to assist in creating a customized defaults module. You may modify the other values in this module, or you may add to it. At minimum, the above four lines need to be modified or validated. The table below represents the contents of the SecureZIP z defaults module. This table explains, in brief, the default parameters of the ACZDFLT s member and their relevance. LICENSE_HLQ ARCHIVE_UNIT OUTFILE_UNIT TEMP_UNIT ARCHIVE_STORCLASS OUTFILE_STORCLASS TEMP_STORCLASS VSAM_STORCLASS ARCHIVE_VOLUMES OUTFILE_VOLUMES TEMP_VOLUMES VSAM_VOLUMES The high-level qualifiers of the xxx.license dataset. LICENSE_HLQ= is generally set to the same qualifier used during installation of SecureZIP z The default qualifier is PKWARE.MVS. See also: $INSTLIC and LICxxxx members. Device types to use during dynamic allocation request for non-vsam files. In DF/SMS environment, dynamic allocation information in lieu of volume allocation specifications. Dynamic allocation target volumes for non-df/sms datasets. These are optional for non-vsam datasets but are required for VSAM DEFINE CLUSTER control cards. 42 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

51 Tailoring Site-Locking Commands Commands may be locked in the defaults module by adding a MCZLOCKS macro preceding the MCZDFLTS macro. This forces the use of the MCZDFLTS value in all executions regardless of the commands entered for the run. MCZLOCKS accepts the same list of commands as MCZDFLTS, and expects ZIP, and/or UNZIP as the parameter. ZIP locks the command during ZIP runs. UNZIP locks the command during UNZIP runs. If both are specified the command is locked in both modes. Usage notes: Only one MCZLOCKS macro should be coded with all keyword options requiring a lock specification. Specifying a setting to be locked with MCZLOCKS will lock the keyword even if a default value is taken for the MCZDFLTS macro. If a locked command is encountered in a ZIP or UNZIP run, message ZPCM101W is issued, the command is ignored, and the return code is set to 4. The return code may be overridden by using the command PKSUPPRC(ZPCM101W), but the message will always be issued, and the command ignored. Commands for locked settings are blocked from usage regardless of the command source (SYSIN, INCLUDE_CMD, PARMLIB, EXEC parm). The following example forces the License HLQ to PKWARE.MVS, and COMPRESSION_LEVEL to FAST. MCZLOCKS LICENSE_HLQ=(ZIP,UNZIP), COMPRESSION_LEVEL=ZIP * == Forces use of the MCZDFLTS value on all runs == Forces use of the MCZDFLTS value on all runs MCZDFLTS TYPE=CSECT, * LICENSE_HLQ=PKWARE.MVS, * == Change this to reflect your installation ACTIVITY_LOG=PKWARE.ACTIVITY.LOG, * == Change this to reflect your installation COMPRESSION_LEVEL=FAST, * == Change this to reflect your installation PARMLIB_DSNAME_ZIP=NULLFILE * PARMLIB_DSNAME_UNZIP=NULLFILE, * Protecting Files with the SAFETYEX Module As delivered, the SAFETYEX module will protect SECUNZIP from overwriting SYS1. dataset names. If you would like to remove this restriction or add additional restrictions, you will need to edit the SAFETYEX source member in *.MVS.INSTLIB, make and save your changes, and run the ASMSAFE member of the *.MVS.INSTLIB to protect any files you specify from UNZIP overwrite processing. There are two sections to the table. The first is for MVS Data Set names, and the second is for Hierarchical File System PATH names. Entries are case-sensitive; HFS entries can be up to 255 characters in length. If you do not want to make any changes to this module, then there is nothing that you need to do. Chapter 2 Installation, Licensing, and Configuration 43

52 Tailoring for Filename and Data Character Set Conversions SecureZIP z provides cross-platform character set conversion capabilities. This affects both the data stream (such as converting EBCDIC to ASCII to represent text data on a work station) and the file names shown in the ZIP archive. The character translation controls use assembled control tables. These are referenced by the settings for TRANSLATE_TABLE_DATA and TRANSLATE_TABLE_FILEINFO, as described in the User s Guide. You should confirm that the default translation tables are appropriate for the intended cross-platform processing environment(s). When a different default translation table for either aspect of processing is required (the settings may also be specified with commands), the respective setting can be modified in the defaults module and re-assembled, or additional defaults modules can be assembled for selection by the user. When code page translation requirements exist that are not covered by those tables provided with SecureZIP z, additional tables can be created. INSTLIB contains sample JCL members MAKETRT and ASMTRTS to complete this process. See the appendix Making Code Page Translate Tables in the User s Guide for more information. SMS Dataclass Considerations SecureZIP z parameters overlap with several SMS Data Class parameters. In general, SMS Data Class specifications will provide default values in place of SecureZIP z default settings. Explicit SecureZIP z commands (SYSIN, PARMLIB, included command streams and EXEC PARM values) will be presented to Dynamic Allocation as overrides for any default setting. Due to the way DFSMS handles override requests, sub-groups of parameters are defined in SecureZIP to assist with control of where default values should come from. These subgroups are: Allocation SPACE Directory Blocks Volume Count DCB Attributes Output archive block size extensions DFSMS Data Classes may or may not contain values for all of the attribute sets above. SecureZIP z provides a means of identifying which sets of attributes should be expected to be handled by SMS Data Classes so that SecureZIP z does not specify its own default values. (DFSMS receives control after SecureZIP z has built its list and does not provide a means by which SecureZIP z can systematically pre-determine which values will be provided by SMS). DFSMS groups allocation type (Cylinders, Tracks, etc.), primary space, and secondary space into a category. If even one of these values is provided in an allocation request, then SMS will not provide its default values for the remaining entries. For example, if ARCHIVE_SPACE_PRIMARY is provided as a command, then SecureZIP z needs to supply the TYPE and SECONDARY default values even if a DATACLASS is specified. 44 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

53 DFSMS treats the Directory Block allocation value separately from other space parameters. In the previous example, SecureZIP will not provide its default ARCHIVE_DIRBLKS value even though it provides the other allocation attributes. This is consistent with SMS Data Class operations. SecureZIP z makes use of temporary files during various phases of processing that have very specific DCB attribute requirements. For this reason, SecureZIP z will specify the necessary overrides regardless of TEMPFILE_DATACLASS usage. Output archive block size control extensions are provided with SecureZIP z to work in conjunction with existing system controls, for both LBI (Large Block Interface) and non-lbi processing. Configurable default settings for ARCHIVE_BLKSIZE and ARCHIVE_ZIPFORMAT should be reviewed for applicability. Details regarding block size selection are documented in the User s Guide under the ARCHIVE_BLKSIZE command. LBI processing has a specific tie to the DFSMS Dataclass Block Size Limit (BLKSZLIM). Note for users of PKZIP for MVS and PKZIP for zseries 5.6 Previous levels of maintenance for release 5.6 specified a volume count even if it was 1. The maintenance level associated with fix TT1777 eliminated VOLCNT=1 from the allocation request. In addition, the maximum number specified for any of the MULTIVOL=Y commands is now 59 to be consistent with system limitations for DASD devices. If a unit type other than DASD is assigned (either explicitly or indirectly through SMS), and a volume count greater than 59 is desired, then MULTIVOL=N should be specified in PKZIP, and an SMS Data Class should be designated which can assign the desired volume count. Considerations when Exporting Private Keys using RACDCERT SecureZIP only If X.509 certificate information is to be obtained through RACDCERT for subsequent import processing to the SecureZIP Local Certificate Store, then PTF UW94302 associated with APAR OW56418 must be installed prior to the RACDCERT EXPORT action. (OW56418: RACDCERT EXPORT CREATING PKCS#12 PACKAGES THAT DO NOT CONFORM TO ASN.1 STANDARD THEREFORE CANNOT BE IMPORTED.) Evaluation Activity Log During your evaluation period of SecureZIP z, a PKWARE sales support associate will contact you and request the PKACTLOG Analyze command be executed, at which point we ask that you relay the information to us so that we may fully understand your usage of the SecureZIP z product. When a demonstration license key is active for the product, certain activities are written to a pre-allocated sequential data set specified by this setting. The following is the sequence of events necessary to initiate the Evaluation Activity Log. 1. First, before applying your demo license key for SecureZIP z, an ACTIVITY_LOG data set must be pre-allocated using the PKACTLOG dialog command (shown in screen samples below). Chapter 2 Installation, Licensing, and Configuration 45

54 2. Next, modify the ACZDFLT member, specifying the ACTIVITY_LOG= target data set name. Once the ACZDFLT member has been modified, you must re-assemble the defaults by submitting the ASMDFLT member under the INSTLIB. The ACTIVITY_LOG command is specified in the defaults module only. 3. Finally, after the defaults are modified, apply the demo license key you have received from PKWARE to the license data set before attempting to use other PKACTLOG options. Note: Users of SecureZIP z must be given update authority to the log data set within the installation security software. A failure to write to the log data set will cause SecureZIP z to terminate without completing the requested operation. Messages will be issued to indicate the reason for the termination. Concurrent SecureZIP z operations are permitted while the ACTIVITY_LOG feature is active. However, the log data set will be serialized through normal operating system ENQ/DEQ actions associated with Data Set Allocation. The data set is only allocated by SecureZIP z when brief write operations are required. It is released during long-running processes such as compression and encryption. When a permanent license key is applied, SecureZIP z will cease to allocate and write to the ACTIVITY_LOG Data Set. At this time, the ACTIVITY_LOG data set may be migrated/deleted from the system, and the ACTIVITY_LOG= setting in ACZDFLT may be removed. These actions are discretionary to the installation and are not required for SecureZIP z operation. The PKACTLOG ISPF dialog command is accessible from the main SecureZIP z User Interface panel although the command is not listed on the menu. Activity Log Setup and Configuration If you do not use the high-level qualifier PKWARE.MVS, you must change module ACZDFLT supplied in INSTLIB to define the License high-level qualifier and the ACTIVITY LOG data set name. Once ACZDFLT is set up, enter the command PKACTLOG on the product's main panel. SecureZIP Version 10.0 Option ===> C Config Modify Run-time Configuration Settings ZD Zip Defaults Modify Default ZIP Command Settings UD Unzip Defaults Modify Default UNZIP Command Settings U Unzip Decompress, Decrypt, Authenticate File(s) in an Archive V View Display the Contents of a Zip Archive Z Zip Compress, Encrypt, Sign File(s) into a Zip Archive S Sysprint M Messages Browse Log of Last Foreground Execution Message ID lookup A Administration Administration Services and Reference Information W Wizard List For HELP Press PF1 Release Date: 09/13/ LVL(Q1) 46 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

55 SecureZIP Version 10.0 Option ===> Evaluation Activity Log Options Log Dataset: PKWARE.ACTIVITY.LOG C Config A Analyze B Browse Modify Evaluation Activity Log Settings Analyze Evaluation Activity Log Browse Evaluation Activity Log file X EXIT ******************************************************************************** * * * This panel will be disabled when a permanent license is applied. * * * ******************************************************************************** For HELP Press PF1 Configuration Option Select option 'C' to execute the Activity Log Configuration and allocate the data set whose name you placed in ACZDFLT ALLOCATE EVALUATION ACTIVITY LOG Command ===> Data Set Name... : 'PKWARE.ACTIVITY.LOG' Management class... SUPPORT (Blank for default management class) Storage class.... SUPPORT (Blank for default storage class) Volume serial.... SUP004 (Blank for system default volume) ** Device type..... (Generic unit or device address) ** Data class **NONE** (Blank for default data class) Space units..... CYLS (BLKS, TRKS, CYLS, KB, MB) Primary quantity.. 50 (In above units) Secondary quantity 20 (In above units) Directory blocks.. (Zero for sequential data set) * Record format.... VB Record length Block size (Zero for SMS default) Analysis Option Select option A to initiate the Analyze routine which reads the Activity Log and presents a summation of all activities. PKZIP Version 10.0 Command ===> Activity Log Summary Log Dataset: PKWARE.ACTIVITY.LOG Invocation Summary File Compression Summary ZIP Calls : 2037 Total Number of Files : Add.... : 374 Total Input Size... : GB Update... : 1644 Total Compressed Size.. : 6.108GB Freshen... : 19 Compression Ratio.... : 70.9 Copy.... : 4 Number Files > 4 Gig... : 3 Delete... : 6 Number of Files by Type Chapter 2 Installation, Licensing, and Configuration 47

56 UNZIP Calls : 3370 Sequential : 4767 View.... : 1627 Partitioned members.. : Test.... : 171 VSAM : 30 Extract... : 1562 Number of Files by Data Type Mode of Operation Binary : Batch.... : 4167 Text : ISPF.... : 14 Applic. Call : 1152 Archive Type Summary PKZIP Format : 2006 GZIP Format : 31 Browse Option Selecting option B uses ISPF Browse to look at the raw Activity Log data. Character fields will be visible in normal browse mode. Some fields are stored in binary and will only be visible in HEX mode. CAUTION: During Browse, the Activity Log file is allocated DISP=SHR and will cause batch jobs to wait for DISP=MOD access to the file. Menu Utilities Compilers Help BROWSE PKWARE.ACTIVITY.LOG Line Col Command ===> Scroll ===> CSR *********************************************************** Top of Data ************************************************************ OPENDVPGNL F BAZSZIP.IVP.ASM.FIRST... FILEDVPGNL F BAZSZIP.IVP.ASM.FIRST SZIP.IVP.IN.ASM($LCGL FILEDVPGNL F BAZSZIP.IVP.ASM.FIRST SZIP.IVP.IN.ASM($COPY FILEDVPGNL F BAZSZIP.IVP.ASM.FIRST SZIP.IVP.IN.ASM($QZGL FILEDVPGNL F BAZSZIP.IVP.ASM.FIRST SZIP.IVP.IN.ASM(ACAMN FILEDVPGNL F BAZSZIP.IVP.ASM.FIRST SZIP.IVP.IN.ASM(ACAMH Licensing Requirements PKZIP for z/os, SecureZIP for z/os and the PartnerLink SecureZIP Partner are licensed products. Without proper licensing the products can only be used to view archives. Product features can be licensed separately as the user needs dictate. The license key will contain all of the elements necessary to validate a customer s use of SecureZIP z. SecureZIP z provides a set of processes that update the current use license data set, allow reporting of the license information, allow conditional use of the product during a disaster recovery, and allow conditional use during a modification of the customer s physical environment. The licensing process is comprised of several key elements that are described in the following sections. 48 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

57 Licensed Types The following table contains the parameters, and a brief description, used to determine licensing: Type Description Use BASIC CAPACITY DEMO DISASTER RECOVERY ENTERPRISE FEATURES The BASIC license type is the base line. It represents a license for which there are no restrictions, other than time. In contrast, all the other license types define restrictions within which the application is licensed and the customer is to abide. The CAPACITY license type compares the capacity of the operating environment (as defined by the machine serial number) along with a predefined table; for instance, to assure the application is running in a machine whose computing capacity is not larger than that for which the product is licensed. A DEMO license is typically restricted to a certain time period, number of executions, or limited set of functions. These licenses may allow any of the other types of use. This license is also known as Try and Buy or Supply before Buy. These terms and conditions can be an added restriction to any of the license types. A DISASTER RECOVERY license is granted by the vendor to allow a specified product to execute under conditions defined as disaster recovery for a specified period of time or for a specified number of occurrences. These terms and conditions can be an added restriction to any of the license types. An ENTERPRISE license is assigned to an enterprise; which may be comprised of multiple sites, complexes, nodes, and/or serial numbers. It is an all-encompassing license to a single entity. These terms and conditions are derived from any of the license types. A packaging and enablement option. An optional feature of a product can be packaged, licensed, and enabled at the discretion of the software publisher. Features can be licensed in the same manner as software products and can, therefore, be of any license type. Customer will receive a predetermined set of product features. Customer will designate the serial number of the processor(s). Trial period. Implemented with a 5-day grace period to allow the customer to contact PKWARE to update the license. The grace period will never expire on a weekend. Allows a customer full access to all features of SecureZIP z on all systems. See product options below. TIME-DELIMITED Each license type is modifiable by time. Each license will have a finite time period. Chapter 2 Installation, Licensing, and Configuration 49

58 Product Features The license key contains codes to reflect the product features available with the Edition selected by the customer. PKZIP for z/os PKZIP for z/os contains the following features: Compression Decompression Traditional Decryption Cross Platform Interoperability 32-bit CRC Error Checking Automatically Converts from EBCDIC to ASCII/ASCII to EBCDIC Multiple Compression Formats Includes International Translation Tables Integrated Help Feature Multi-Volume Archive Support Enhanced File Handling that supports up to 17 different RECFMs Supports GDGs and GDG Base Groups Simulate Mode Automatic Device Detection Cataloged Tape Datasets Customizable configuration and Installation SEQ File Handlers PDS File Handlers VSAM File Handlers UNIX File System handlers Magnetic Tape Handlers User Exits Application Callable PDS/E File Handlers Command Line Interface Decrypts password-based strongly encrypted ZIP files from SecureZIP Decrypts password-based filename encryption from SecureZIP Provides GZIP-compatibility support 50 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

59 Provides foreground ZIP/UNZIP processing using an ISPF dialog Enhanced tape processing Provides the ability to create self-extracting archives for selected platforms Provides ZIP64 large file support, which includes processing for: o Archives with more than 65,535 files o File sizes of 4 gigabytes or greater o Archives with a total size of 4 gigabytes or greater SecureZIP for z/os SecureZIP for z/os includes all features found in the PKZIP for z/os. In addition to the PKZIP compression features, SecureZIP for z/os provides access to the following securityrelated features: Advanced encryption/decryption (AES, DES, 3DES and RC4 algorithms) with passphrase and/or PKI Certificate-based key control. Certificate-based digital signing and signature authentication. Filename encryption IBM Cryptographic Facilities Integration. Provides support to use ICSF cryptographic service APIs for supported data encryption and digital signature hash algorithms. Both hardware acceleration and ICSF software emulation are supported. FIPS and Compliance Passphrase key registration with the ICSF CKDS Integrated use of digital certificates located in the z/os Security Server (RACF, CA- ACF2 or CA-Top Secret Security) Secure key operations Cryptographic policy lockdown control through Security Server resource rules SecureZIP for z/os Standard Edition contains the following features: Compression Decompression Traditional Decryption Cross Platform Interoperability 32-bit CRC Error Checking EBCDIC to ASCII/ASCII to EBCDIC Conversion Multiple Compression Formats Includes International Translation Tables Integrated Help Feature Multi-Volume Archive Support Chapter 2 Installation, Licensing, and Configuration 51

60 Enhanced File Handling that supports up to 17 different RECFMs Supports GDGs and GDG Base Groups Simulate Mode Automatic Device Detection Cataloged Tape Datasets Customizable configuration and Installation SEQ File Handlers PDS File Handlers VSAM File Handlers UNIX File System Handlers Magnetic Tape Handlers User Exits Application Callable PDS/E File Handlers Command Line Interface Provides GZIP-compatibility support Provides foreground ZIP/UNZIP processing using an ISPF dialog Enhanced tape processing File name encryption Provides the ability to create self-extracting archives for selected platforms Provides ZIP64 large file support, which includes processing for: o Archives with more than 65,535 files o File sizes of 4 gigabytes or greater o Archives with a total size of 4 gigabytes or greater FIPSMODE FIPS and Compliance IBM Cryptographic Facilities Integration RSA BSAFE strong passphrase encryption Certificate Based Decryption Signing Authentication 52 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

61 SecureZIP for z/os Enterprise Edition includes the following features. These may also optionally be licensed to Standard Edition: Advanced Encryption - Provides public/private key PKI certificate-based encryption and digital signing (Integrated with SecureZIP Partner) Directory Integration - Enables access to certificates residing on an LDAP server (Not available with SecureZIP Partner) Contingency key Application Integration Heirarchical File Support The following features are also available to be licensed with SecureZIP for z/os: SAF Certificates Policy Lockdown Secured Passphrase Management SecureZIP Partner PartnerLink SecureZIP Partner is a software activation license provided with the product package. This license activates a predefined set of features when operating in this mode. Operational capabilities are defined by the PartnerLink program with distributed sponsorexchange authorizations. Evaluation Period You can obtain a trial license that allows full use of the product for a specified evaluation period. Contact Sales for a key to generate a trial license. For Technical Support, please contact the Product Services Division or visit the Support Web site. Release-Dependent Licensing Each release of SecureZIP z requires that a new license key be obtained from Customer Service and that a new license record be generated. The new release fails with the message ZPLI901E Product License is Invalid if the license data set is used from a previous release. Current Use License When you receive the license control card information from PKWARE, you build the license data set using the Build License program (there is a sample job stream in member LICUPDAT in the Installation Data set (INSTLIB)). Executing this job stream deletes any existing LICENSE data set, builds a new LICENSE data set and produces a report that reflects the state of SecureZIP z at your location. Following is a sample of the output: Chapter 2 Installation, Licensing, and Configuration 53

62 ZPLI230I CONTROL CARD INPUT TO THE LICENSE RECORD 57 HRM3QB2K PKWARE, INC 66 MD688PXB FECE2096O04 1 AD6FCPXR FECE2096O04 2 CD6C0PX FECE2096O04 11 LD689PX FECE2096O04 ZPLI235I The license record will be updated for SecureZIP (R) for z/os in ********************************************************************************** To report on the status of the license at your location, run the sample job stream in member LICPRINT in the Installation Data set (seczip.mvs.instlib). Sample Full-feature product license report ZPLI200I A license report has been requested on 09/15/08 AT 2:28pm VER: 11.0 ZPLI200I For Technical Support assistance, please contact Product Services Division ZPLI200I at or go on-line at ZPLI001I Portions copyright (C) PKWARE, Inc. All rights reserved. ZPLI200I Reg. U.S. Pat. and Tm. Off. Patent No. 5,051,745 ZPLI200I Other U.S. and international patent applications pending. ZPLI200I Portions of this software include RSA BSAFE(R) cryptographic ZPLI200I or security protocol software from RSA Security Inc. ********************************************************************************* ZPLI200I SecureZIP (R) IS LICENSED TO CUSTOMER # ZPLI200I - CUSTOMER NAME - PKWARE, INC ********************************************************************************* ZPLI200I The CPU type is ZPLI200I The CPU model number is O04. ZPLI200I The number of online CPUs is 4. The maximum number of CPUs is 4. ZPLI200I The LPAR Name is SYS3 ZPLI200I The LPAR Number is 03 ZPLI200I The Serial # for Licensing is FECE ZPLI200I The service units per second per online CPU is ZPLI200I The approximate total MIPS (SUs/SEC / 48.5 * # general CPUs) is ********************************************************************************* ZPLI200I The OS version is z/os FMID HBB7740 (SP7.0.9). ZPLI200I The SMF system id (SID) is PKW1. ZPLI200I Model from CPC SI ********************************************************************************* ********************************************************************************* ZPLI200I SAF Certificates are licensed on the following processors ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration ZPLI200I Policy Lockdown is licensed on the following processors ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration ZPLI200I Hardware CRYPTO is licensed on the following processors ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration ZPLI200I Application Integration is licensed on the following processors ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration ZPLI200I HFS file handler is licensed on the following processors ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration ZPLI200I Compression / Decompression is licensed on the following processors ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration ZPLI200I Enhanced tape processing is licensed on the following processors ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration ZPLI200I Decryption is licensed on the following processors ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration ZPLI200I GZIP supported files licensed on the following processors ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration ZPLI200I ISPF is licensed on the following processors ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration ZPLI200I Secured Passphrase Management is licensed on the following processors ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration ZPLI200I Advanced Encryption is licensed on the following processors ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration 54 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

63 ZPLI200I Directory Integration is licensed on the following processors ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration ZPLI200I ZIP64 large file support is licensed on the following processors ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration ZPLI200I Self extraction creator is licensed on the following processors ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration ZPLI200I FIPS Mode is licensed on the following processors ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration ********************************************************************************** Sample Evaluation (Demo) product license report ZPLI220I A demo license has been requested on 03/18/04 AT 9:12am ZPLI220I Please contact PKWARE Sales at to receive an evaluation license. ********************************************************************************* CPU model 2066 with 1 online CPU serial number for CPU 0 is 04263B2066 (4263B), version code 00. Service units per second per online CPU is Approximate total MIPS (SUs/SEC / 48.5 * #CPUs) is Central Processing Complex (CPC) Node Descriptor: CPC ND = B1.IBM B CPC ID = 00 Type(002066) Model(0B1) Manufacturer(IBM) Plant(02) Seq Num( B) ********************************************************************************* Sample SecureZIP Partner Product License Report ZPLI200I A license report has been requested on 09/15/08 AT 2:31pm VER: 11.0 ZPLI200I For Technical Support assistance, please contact Product Services Division ZPLI200I at or go on-line at ZPLI001I Portions copyright (C) PKWARE, Inc. All rights reserved. ZPLI200I Reg. U.S. Pat. and Tm. Off. Patent No. 5,051,745 ZPLI200I Other U.S. and international patent applications pending. ZPLI200I Portions of this software include RSA BSAFE(R) cryptographic ZPLI200I or security protocol software from RSA Security Inc. ********************************************************************************* ZPLI200I PKWARE PartnerLink SecureZIP(R) IS LICENSED TO CUSTOMER # ZPLI200I - CUSTOMER NAME - PKWARE PartnerLink SecureZip ********************************************************************************* ZPLI200I The CPU type is ZPLI200I The CPU model number is O04. ZPLI200I The number of online CPUs is 4. The maximum number of CPUs is 4. ZPLI200I The LPAR Name is SYS3 ZPLI200I The LPAR Number is 03 ZPLI200I The Serial # for Licensing is FECE ZPLI200I The service units per second per online CPU is ZPLI200I The approximate total MIPS (SUs/SEC / 48.5 * # general CPUs) is ********************************************************************************* ZPLI200I The OS version is z/os FMID HBB7740 (SP7.0.9). ZPLI200I The SMF system id (SID) is PKW1. ZPLI200I Model from CPC SI ********************************************************************************* ********************************************************************************* ZPLI200I This is a SecureZIP (R) Partner for z/os License ********************************************************************************** Show System Information When establishing a valid license with PKWARE for your system, specific operating information is required. To display hardware and software information at your location, run the sample job Chapter 2 Installation, Licensing, and Configuration 55

64 stream in member LICSHSYS in the Installation Data set (seczip.mvs.instlib). Executing this job stream displays a Show System Information report. Following is a sample of the report: ZPLI210I PKZIP - Display System Information - Version 11.0 ********************************************************************************* SecureZIP (R) is a registered trademark of PKWARE (R), Inc. PKZIP (R) is a registered trademark of PKWARE (R), INC. Portions copyright (C) PKWARE, Inc. All rights reserved. Reg. U.S. Pat. and Tm. Off. Patent No. 5,051,745 Other U.S. and international patent applications pending. Portions of this software include RSA BSAFE(R) cryptographic or security protocol software from RSA Security Inc. *************************************************************************************** For Licensing, please contact the Sales Division at or [email protected] For Technical Support assistance, please contact the Product Services Division at or go online at Wednesday 08/01/2007 ( ) 09:27:14 *************************************************************************************** ZPLI210I The CPU type is ZPLI210I The CPU model number is O04. ZPLI210I The number of online CPUs is 4. The maximum number of CPUs is 4. ZPLI210I The LPAR Name is SYS1 ZPLI210I The LPAR Number is 01 ZPLI210I The Serial # for Licensing is FECE *************************************************************************************** Service units per second per online CPU is SUSEC. Approximate total MIPS (SUs/SEC / 48.5 * #CPUs) is MIPS. CEC MSU per hour capacity is 67 - LPAR MSU per hour capacity is 67 *************************************************************************************** The OS version is z/os FMID HBB7730 (SP7.0.8). JES2 z/os 1.8 DFSMS z/os Model from CPC SI READY Conditional Use PKWARE recognizes that there may be periods where the licensing environment established by the customer is no longer valid. Circumstances such as disaster recovery processing or the installation or upgrade of new processors will affect the environment. See SecureZIP for z/os Grace Period later in this chapter for more information. Initializing the License The SecureZIP Partner for z/os product comes with a predefined software activation license for use on any z/os system. For more information, see SecureZIP Partner License Activation, later in this chapter. For all other products, each release of SecureZIP z requires that a new license key be obtained from Customer Service and that a new license record be generated. The new release 56 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

65 will fail with ZPLI901E Product License is Invalid message if the License dataset is used from a previous release. PKZIP and Full-Featured SecureZIP License Activation Transfer the license file provided by PKWARE from the PC to the host. Be sure to convert the data from ASCII to EBCDIC and insert CR/LF s. Copying the authorization code from the text file and pasting it to the LICENSE member of the INSTLIB is an acceptable alternative. After the file has been transferred or copied to the host, edit the INSTLIB(LICUPDAT) member, supply a job card, and modify the following line of JCL: //LICENSE PROC HLVL=SECZIP.MVS,URUNIT=SYSDA,URVOL=WORK01 SECZIP.MVS is your high level qualifier for your installation. URUNIT and URVOL are the target unit and volume for the installed SecureZIP z product. SecureZIP Partner License Activation A software license is provided with the SecureZIP Partner for z/os package for the purpose of activating, configuring and verifying the installation of the software. A Sponsor Distribution Package must also be obtained independently through the PKWARE PartnerLink program to activate data interchange capabilities with a PartnerLink sponsor. The SecureZIP Partner software license enables a pre-defined set of features to be run on any system. Because of this, you are not required to identify your specific processor to be used to run the products. The PKWARE PartnerLink SecureZIP Partner license is created by member LICRPLKB in INSTLIB. Executing this job stream creates the LICENSE dataset and produces a report that reflects the state of PKWARE PartnerLink SecureZIP at your location. The JCL in INSTLIB for the sample jobs contains the symbolic parameter HLVL. HLVL is used as the high level qualifier for the REXX EXEC libraries and as the high level qualifier for the LICENSE dataset. By default, they both point to the same high level qualifier. If you use more than one high level qualifier, you must use override JCL. Edit the INSTLIB(LICRPLKB) member, supply a job card, and modify the following line of JCL: //LICENSE PROC HLVL=SECZIP.RPLK,URUNIT=SYSDA,URVOL=WORK01 SECZIP.MVS is the high-level qualifier for your installation. URUNIT and URVOL are the target unit and volume for the installed SecureZIP z product. In addition, you must change the value "license hlq" in the UPDATE SYSIN control cards to reflect the high level qualifier of the license dataset. //UPDATE.SYSTSIN DD * RECEIVE INDDN(LICIN) DSNAME('license hlq.license') Chapter 2 Installation, Licensing, and Configuration 57

66 Reporting the PKZIP/SecureZIP for z/os License The procedures below describe how to obtain the license report. Edit the *.INSTLIB(LICPRINT) member, supply a job card, and substitute the following default line: //LICENSE PROC HLVL=SECZIP.MVS SECZIP.MVS represents the high-level qualifier for your installation. When you submit this job, the output should give you a return code of zero (RC=00) and the following additional lines. ZPLI200I A license report has been requested on 09/15/08 AT 2:28pm VER: 11.0 in ZPLI200I For Technical Support assistance, please contact Product Services Division ZPLI200I at or go on-line at ZPLI001I Portions copyright (C) PKWARE, Inc. All rights reserved. ZPLI200I Reg. U.S. Pat. and Tm. Off. Patent No. 5,051,745 ZPLI200I Other U.S. and international patent applications pending. ZPLI200I Portions of this software include RSA BSAFE(R) cryptographic ZPLI200I or security protocol software from RSA Security Inc. ********************************************************************************* ZPLI200I SecureZIP (R) IS LICENSED TO CUSTOMER # ZPLI200I - CUSTOMER NAME - PKWARE, INC ********************************************************************************* ZPLI200I The CPU type is ZPLI200I The CPU model number is O04. ZPLI200I The number of online CPUs is 4. The maximum number of CPUs is 4. ZPLI200I The LPAR Name is SYS3 ZPLI200I The LPAR Number is 03 ZPLI200I The Serial # for Licensing is FECE ZPLI200I The service units per second per online CPU is ZPLI200I The approximate total MIPS (SUs/SEC / 48.5 * # general CPUs) is ********************************************************************************* ZPLI200I The OS version is z/os FMID HBB7740 (SP7.0.9). ZPLI200I The SMF system id (SID) is PKW1. ZPLI200I Model from CPC SI ********************************************************************************* ********************************************************************************* ZPLI200I SAF Certificates are licensed on the following processors ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration ZPLI200I Policy Lockdown is licensed on the following processors ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration ZPLI200I Hardware CRYPTO is licensed on the following processors ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration ZPLI200I Application Integration is licensed on the following processors ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration ZPLI200I HFS file handler is licensed on the following processors ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration ZPLI200I Compression / Decompression is licensed on the following processors ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration ZPLI200I Enhanced tape processing is licensed on the following processors ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration ZPLI200I Decryption is licensed on the following processors ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration ZPLI200I GZIP supported files licensed on the following processors ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration ZPLI200I ISPF is licensed on the following processors ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration ZPLI200I Secured Passphrase Management is licensed on the following processors ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration ZPLI200I Advanced Encryption is licensed on the following processors ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration 58 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

67 ZPLI200I Directory Integration is licensed on the following processors ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration ZPLI200I ZIP64 large file support is licensed on the following processors ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration ZPLI200I Self extraction creator is licensed on the following processors ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration ZPLI200I FIPS Mode is licensed on the following processors ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration ********************************************************************************** PKZIP/SecureZIP for z/os Grace Period PKWARE recognizes that there may be periods where the licensing environment established by the customer is no longer valid. Circumstances such as disaster recovery processing or the installation or upgrade of new processors will affect the environment. To accommodate the installation, SecureZIP z has a process that will allow you to continue to use the product for a grace period of five days when the established licensing environment is no longer valid. Note that the user must have write authority on the license dataset to invoke the grace period. This authority is only required the first time PKZIP/PKUNZIP is run after a CPU change has occurred; it is not required after the grace period has been successfully invoked (this is one time per CPU, not one time per IPL). During the grace period, error messages will be displayed on the console (and the printout) for each execution of SecureZIP z. At the end of the period, if the license is not updated, the product will no longer function for the new CPUs except to VIEW an archive. The five-day grace period is designed so that the program will not cease to function on a weekend or the Monday following the five-day grace period. You must contact PKWARE at [email protected] during the grace period to obtain licensing to allow extended use. Note: The SecureZIP Partner for z/os software activation license does not require or support grace period processing. Running a Disaster Recovery Test There are no special procedures necessary in order for you to use SecureZIP z during a disaster recovery test. Because SecureZIP z licensing allows for such contingencies, the user can perform the following process to have SecureZIP z run at the DR site with a RC= First, copy the production image of SecureZIP z from the production system over to the Disaster Recovery system. 2. Once the image is on the system, simply run SecureZIP z from the CPU you want, and SecureZIP z will run conditionally for five days with a RC=0. (This time limit does not apply to SecureZIP Partner for z/os.) If operation beyond this time frame is required, contact PKWARE [email protected]. If operating SecureZIP Partner for z/os, you can rerun the predefined license job from INSTLIB (LICRPLKB) if necessary. Chapter 2 Installation, Licensing, and Configuration 59

68 Activating the ISPF Interface The ISPF interface requires a PKZIP Enterprise Edition or SecureZIP license. Activation of the SecureZIP z ISPF interface is accomplished as follows: During product installation, the SecureZIP z ISPF libraries are loaded to disk. The high level qualifiers (dsnhlq) are selected by the user during the installation process. To configure the SecureZIP Certificate Store Processing and ISPF Panels, the user will need to make a few modifications to the PKWARE.MVS.INSTLIB(PKISPF) and PKWARE.MVS.INSTLIB(PKZSTART) members. Optionally, a shortcut EXEC to run the ZIP archive VIEW dialog from an ISPF 3.4 data set list may be installed from PKWARE.MVS.INSTLIB(PKV). For certificate store processing you must edit the PKISPF member and make the following changes to reflect your installation: Change the value of HLVL' to reflect the high level qualifier for your installation. Change the value of 'ISP' to reflect the high level qualifier for your system ISPF files. This defaults to 'ISP'. ISP=ISP Change the value of 'SYSDA' to indicate the unit type for temporary files. The default is 'SYSDA'. SYSDA=SYSDA To prepare the SecureZIP z ISPF panels you must edit the PKZSTART member and make the following changes to reflect your installation: If the user environment can not support compiled REXX, change the value of env to 'EXEC'. If your environment does support compiled REXX, then you do not have to change anything on this line. This defaults to 'CEXEC'. env = 'CEXEC' Change the value of 'ispfhlq' to reflect the high level qualifier for your installation. Change the value of 'llib' to indicate the name of the installed load library. Now save your changes to the PKZSTART member. To quickly test whether the user configuration has worked, simply type "EXEC" next to the PKZSTART member. If everything has gone accordingly during the installation, after typing in EXEC, the user should be prompted to enter the configuration screen for SecureZIP z. You may choose to add the PKZSTART member to a REXX exec in your SYSEXEC or SYSPROC concatenation that will initialize the ISPF interface. If the user prefers to activate the SecureZIP z ISPF from your ISPF main menu, add an entry that will activate SecureZIP z. Both methods are explained in the following paragraphs. Significant performance improvements can be achieved by using the compiled REXX exec. To install the optional PKV line command EXEC (for use with ISPF 3.4 Data Set List Utility): Copy PKWARE.MVS.INSTLIB(PKV) to an active SYSPROC or SYSEXEC library and modify it to execute the PKZSTART member installed in the previous step. 60 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

69 ISPF Main Menu To execute SecureZIP z from an ISPF menu panel you must add an entry to the main menu for ISPF. This is normally a panel named (ISR@PRIM). Add the following line (or whatever the user deems appropriate) to the BODY section of the panel definition: P SecureZIP for z/os 11.0 ISPF Add the following line to the PROC section: P,'CMD(%PKZSTART)' Replace the P with whatever main menu option you added in the BODY section of the panel definition. The user will notice that the PKZSTART exec has an argument passed to it. The argument CEXEC causes the libraries containing the compiled REXX routines to be allocated. The user will gain significant increases in performance by using these libraries. If your operating system release or any other reason might prevent you from using the compiled REXX, then call PKZSTART with the argument of EXEC and the normal interpreted REXX libraries will be used. PKZSTART is the initial exec that starts the interface and it also allocates the necessary ISPF application libraries. Consequently, it must be modified to reflect the installed library names (as it was documented in the previous section). Running PKZIP/SecureZIP with Library Lookaside (LLA and LNKLST) This section applies only if SecureZIP z is to be executed from Library Lookaside. To install SecureZIP z into Library Lookaside for the purpose of eliminating JOBLIB and STEPLIB DD statements for execution, follow your installation s standards for implementing LNKLST for the SecureZIP z LOAD library. See the IBM z/os Initialization and Tuning publications for more information. To access SecureZIP z from the system LNKLST while running ISPF, enter the Configuration panel (option C from the menu panel). In the field labeled Execution load library, enter the string: *LNKLST (no quotes) in the Execution load library field. In this mode of operation, the ISPF EXEC procedures call SecureZIP z programs from the system link list instead of from a particular library. In addition, ISPF-generated background jobs will not include a STEPLIB. Be sure to perform a MODIFY LLA REFRESH or UPDATE operation for the SecureZIP z data set when adding or maintaining tailored SecureZIP z modules. Doing this causes Library Lookaside to rebuild its directory indexes and enables future executions to access new copies of the modules. (For more information regarding LLA commands, see the IBM z/os MVS Commands manual.) Tailored SecureZIP z modules include: Defaults modules Translation tables for TRANSLATE_TABLE_DATA and TRANSLATE_TABLE_FILEINFO The SAFETYEX load module Chapter 2 Installation, Licensing, and Configuration 61

70 Verifying the Installation To ensure proper design and implementation has taken place, it is crucial for the system administrator to run the installation verification procedures that ship with SecureZIP z. Once the product has completed installation and is properly licensed, you can run the pre-defined IVP streams. Instructions for customizing these jobs to the standards of your facility are included in comments at the beginning of each job s JCL stream. The pre-packaged IVP streams located under the *.INSTLIB dataset are as follows: IVPBASIC Demonstrates the compression, viewing, testing, and decompression of a catalog listing to an archive contained in a PDS member. IVPLMOD Compresses LOAD module members and then views, tests, and rebuilds the LOAD library from the archive. IVPSECUR Sample strong encryption jobs to compress 1MB, 10MB, 100MB, and 1GB data files and to test and decompress the files from the archives. SecureZIP for z/os users only. IVPVSAM Demonstrates the compression, viewing, testing, and decompression of a VSAM KSDS to a VSAM archive. (Non-VSAM files and archives can be mixed with VSAM. This job simply shows that VSAM can be used for either.) IVPVSPAN Sample job to IEBCOPY-Unload a PDS, ZIP it, and reload it to verify the operation of variable spanned files. Recipient-based encryption, signing and authentication can also be tested from the Local Certificate Store main menu. Option 8, Option 2 (Run Installation Verification Job) prompts the user with the IVP JCL stream that has been customized for the signing and authentication standards of your facility. This job demonstrates the compression, encryption, signing, and authentication of an archive using SecureZIP for z/os. The expected return code is zero for each of the IVP job runs. To report any unexpected job results when running the various IVP streams, contact PKWARE Technical Support. Users of SecureZIP Partner for z/os should not run the IVP jobs detailed above, as they are intended only for the full-featured PKZIP and SecureZIP for z/os products. The prepackaged PartnerLink IVP job is located under the *.INSTLIB dataset: PLIVPZIP Demonstrates the successful configuration of the PKWARE, Inc., test Sponsor Distribution Package. A pre-signed archive is provided in INSTLIB2(PLIVPZIP) for SecureZIP Partner access. Run-time Performance Considerations The product is configured with default settings to enable full functionality and operate effectively for many environments. However, there are some installation, configuration, and run-time controls that may improve installation-defined performance objectives, depending on the local operating profile. Improving performance may involve taking steps to identify the best configuration and settings profile for a specific workload. When SecureZIP z is used for different applications, each should be examined to determine the mix of settings that will achieve the desired 62 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

71 performance objective for that workload. In addition, it is recommended that benchmark information be retained between performance tests so that a basis of comparison exists when changes are introduced, either for the product or the operating environment. Variations in the operating environment may also affect SecureZIP z performance. For example, when data sets being accessed for ZIP or UNZIP processing are dynamically allocated in a SYSPLEX, the GRS serialization for the data sets (or Partitioned members) may introduce delays in processing. Main Tuning Ingredients Meeting an acceptable level of performance involves balancing the consumption of system resources with the functional objectives for the workload. Because of the number of variables to consider in tuning, it is helpful to organize them into categories to quickly identify which aspects of processing to focus on. Inasmuch as system resources are rarely unconstrained, it is also important to rank the importance for each category, as in the order suggested below, so that a reasonable trade-off may be decided upon when two or more items appear to conflict. 1. Qualify the performance objectives As settings are being considered for evaluation, it is important to understand which performance measurements are important, and in what rank if not all can be easily met. Typical measurements include: o Elapsed Time o o CPU Time Archive size 2. Resource Constraints The following resources are involved in various phases of ZIP processing. Making adjustments to either reduce the processing requirement of constrained resources or to provide additional resources to achieve the functional processing requirement may significantly affect the measurement objectives. o o o o o Processor Time I/O File Allocation (serialization) Virtual Storage Temporary DISK work space 3. Feature Processing Requirements The SecureZIP z products provide multiple processing features, many of which provide flexibility for setting levels within a category of functionality. For example, there are multiple levels of compression available to meet constraints associated with an archive s size. Some of the major processing phases associated with SecureZIP z features include: Chapter 2 Installation, Licensing, and Configuration 63

72 o o o o o o o Run-time initialization File Selection File data handling Compression/Inflation Encryption/Decryption Digital Signature/Authentication Archive access (Read and Write) The following table assists in relating the above categories to actions that can lead to performance improvement. Processing Phase Configuration/Setting Resources Metrics Initialization Use case: Quick ZIP/UNZIP runs or calls JOBLIB/STEPLIB Elimination with LLA and/or LPA I/O for Program Fetch Elapsed Time I/O (EXCP) Initialization Use case: Quick ZIP/UNZIP runs or calls SYSIN records via Partitioned library - CHECK_SYSIN_MEMBER=N setting I/O for PDS directory search Elapsed Time I/O (EXCP) Initialization Use case: Quick ZIP/UNZIP runs or calls PARMLIB commands via Partitioned library - PARMLIB_DSNAME_UNZIP I/O for PDS directory search Elapsed Time I/O (EXCP) DYNALLOC - PARMLIB_DSNAME_ZIP - INCLUDE_CMD Initialization JOBLIB/STEPLIB Elimination, LLA, VLF and/or LPA Several programs are loaded through Program Fetch during initialization. (Different load modules are obtained based on the processing options that are requested, as well as the runtime operating environment). Two levels of I/O are required to complete the program fetch for each module: 1) Directory Search and 2) Load module read. z/os defines a selection order for locating modules. Each LOAD request done by SecureZIP z initialization results in a search being done in the following order shown below: 1. JOBLIB or STEPLIB o o If only a JOBLIB is used, all libraries in the JOBLIB concatenation are searched. If the SecureZIP z load library containing the modules is not first in the concatenation, then other library directories will have I/O (and directory processing analysis) performed for each LOAD request. If present, STEPLIB supersedes a JOBLIB. By introducing STEPLIB for the SecureZIP z programs, extraneous library directory search processing will be eliminated. 64 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

73 o o o JOBLIB or STEPLIB will be searched before LPA or Library Lookaside (LLA). Recommendation: If multiple libraries are used in a JOBLIB concatenation to locate SecureZIP z modules, use a STEPLIB override for the SecureZIP z step to eliminate unnecessary searching of other libraries. Alternatively, place the SecureZIP z load library at the beginning of the concatenation. Recommendation: If more significant reductions are necessary, to eliminate directory search for SecureZIP z modules, as well as the elimination of LOAD module fetch for reentrant modules, substitute STEPLIB for JOBLIB for other program steps in the job, eliminate STEPLIB for SecureZIP z and activate the SecureZIP z load library in LLA and VLF with the FREEZE option. 2. Link Pack Area (LPA) JOBLIB and STEPLIB elimination A sample job in the SecureZIP z INSTLIB(LPACOPY) member is provided to copy eligible LPA modules from the SecureZIP z load library to a valid LPA-loadable data set. o o o o o o o o Assuming that JOBLIB search was completed (or eliminated completely), LPA will be searched for qualifying modules. Only reentrant/refreshable modules may be placed into LPA. These modules are loaded into system storage and retained for jobs to access directly. No directory search I/O is required for LPA modules. No read time is required for LPA modules. Note: If a JOBLIB is active (for other job libraries), and there is no STEPLIB for SecureZIP z, then the JOBLIB concatenation will be searched before LPA, thereby introducing I/O and elapsed time delays. For this search technique to be effective in eliminating directory search, there should be no active JOBLIB. Activation note: Not all SecureZIP z modules qualify for LPA. It is recommended that a separate library be created that contains SecureZIP z modules marked with RENT/REFR. You may also leave them in the original library. Be sure to include ALIAS entries associated with LOAD module members (for example, PKZIP is an ALIAS for ACZMAIN). Activation note: The use of LPA is intended for use in conjunction with LLA. It is not required for LLA, but LLA usage is required for the LPA technique to be effective. Maintenance note: Modules loaded into LPA must be manually synchronized with SecureZIP z maintenance through the appropriate systems programming facility used in the operating environment. LPA Modules may be administered in accordance with IBM z/os management facilities. LPA modules may be activated in the system by any of the following means (Ref. IBM z/os MVS Initialization and Tuning Guide, and z/os MVS Commands): Dynamic LPA via system PARMLIB PROGxx or SETPROG LPA command Fixed LPA (FLPA) via system PARMLIB IEAFIXxx Modified LPA (MLPA) via system PARMLIB IEALPAxx Pageable LPA (PLPA) via system PARMLIB LPALSTxx or PROGxx Chapter 2 Installation, Licensing, and Configuration 65

74 SETPROG LPA,ADD,DSNAME=USER.PKZIP.LPALIB,MASK=* IEF196I IEF237I 2820 ALLOCATED TO SYS00194 IEF196I IEF285I USER.PKZIP.LPALIB IEF196I IEF285I VOL SER NOS= Z8SYS1. CSV551I LPA ADD 040 SUCCESSFUL: 20 UNSUCCESSFUL: 0 NOT PROCESSED: 0 MODULE RESULT ACAMHLQ SUCCESSFUL ACCOMAIN SUCCESSFUL ACCOZIPC SUCCESSFUL ACFMBSAM SUCCESSFUL ACFMGR SUCCESSFUL ACZMAIN SUCCESSFUL CCCOZIP SUCCESSFUL CL16UT01 SUCCESSFUL CL16UT02 SUCCESSFUL CL16UT03 SUCCESSFUL CL17UT01 SUCCESSFUL CL17UT02 SUCCESSFUL CL17UT03 SUCCESSFUL CSBSHASH SUCCESSFUL CSBSPRNG SUCCESSFUL PKCRYMTX SUCCESSFUL PKUNZIP SUCCESSFUL PKZIP SUCCESSFUL SECUNZIP SUCCESSFUL SECZIP SUCCESSFUL 3. Library Lookaside (LLA) JOBLIB and STEPLIB elimination o o o o o LLA may be used independently from, or in conjunction with LPA to speed the directory search process for module LOAD. To have full effect, other libraries must be eliminated from the JOBLIB/STEPLIB search sequence. VLF, along with FREEZE (see CSVLLAxx and COFVLFxx z/os PARMLIB member specifications in the IBM z/os Initialization & Tuning Guide/Reference manuals for more information) is recommended to eliminate additional module fetch I/O. LLA has no effect on the actual program read time associated with program fetch, only on the directory search portion. LLA members may be administered in accordance with IBM z/os management facilities. LLA libraries may be activated in the system by any of the following means (Ref. IBM z/os MVS Initialization and Tuning Guide and z/os MVS Commands): SETPROG LNKLST PARMLIB PROGxx (with SET PROG=xx command, or IPL) Initialization SYSIN Command Records via Partitioned Members A common means for specifying utility control cards is to store them in a partitioned data set and reference the member through JCL. SecureZIP z initialization processing includes a default setting of CHECK_SYSIN_MEMBER=Y. This setting is intended to act as a protection mechanism to avoid S013 abends when a member name is referenced, but does not exist in the partitioned data set. SecureZIP z 66 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

75 performs a preliminary search of the partitioned data set directory to verify that the member exists before attempting to OPEN the SYSIN DD. The validation process involves an independent DYNALLOC for the partitioned dataset to access the directory and (without the member name) an OPEN/CLOSE and read operations for the directory. When the directory of the partitioned dataset is large, as when a common application parameter library is used, the directory search can require several input operations to determine whether the member exists. Recommendation: Assuming that the member is correctly specified, and an analysis for an abend S is acceptable in the event that the corresponding member is deleted or renamed, the ACZDFLT setting of CHECK_SYSIN_MEMBER=N may be specified to bypass this procedure. Initialization PARMLIB Commands via Partitioned Members SecureZIP z initialization processing includes the capability of including commands through dynamically allocated PDS members (other than for SYSIN). The settings for PARMLIB_DSNAME_UNZIP and PARMLIB_DSN_ZIP in the defaults module (ACZDFLT), as well as the use of INCLUDE_CMD activate this functionality. Each specification induces an independent DYNALLOC for the partitioned dataset to access the member, an OPEN/CLOSE and read operations for the statements. DYNALLOC causes system GRS serialization activities, while access method time for each additional data set introduces elapsed time delay. Recommendations: Determine whether a different means of grouping common commands together can be done to eliminate excessive PDS allocation processing. Consolidate commands into SYSIN and eliminate PARMLIB_DSNAME_UNZIP/ZIP and INCLUDE_CMD where practical (specifying NULLFILE for the associated defaults module settings). Use ACZDFLT module settings in lieu of external data sets that house commands. (See also DM to select one of many tailored defaults modules). Place override commands into the EXEC PARM to eliminate control card I/O handling if operational limits permit. (The EXEC PARM in z/os is restricted to 100 characters). Use //PARMLIB DD in lieu of the defaults module settings to eliminate the DYNALLOC overhead. This is the DD statement name that is used internally to dynamically allocate the PARMLIB_DSNAME_UNZIP/ZIP data sets. Enable SMF Recording The SecureZIP for z/os Policy Lockdown feature is required for this feature to operate. SecureZIP for z/os provides a configurable option to record operational events in SMF for use by third-party reporting tools. The SMF record number and recording level are configurable through settings in the default module. The types of information that can be recorded include: Chapter 2 Installation, Licensing, and Configuration 67

76 ZIP/UNZIP session startup and shutdown records, with correlation fields to existing SMF type 30 records. Operational setting values that can be useful in auditing security-related facilities. File correlation information describing the flow of files in and out of SecureZIP archives and the corresponding z/os files used in the process. When activated for SMF recording, SecureZIP for z/os requests the writing of subtype records for various phases of processing. (See chapter 8, on SMF record formats; also reference IBM z/os MVS System Management Facility, Standard SMF Record Header with Subtypes. ) Record Filtering SecureZIP provides the SMF_SUBTYPES setting to manage the levels of subtype records generated. To prevent the creation of noise records, SMF recording is automatically disabled when early initialization failures such as command syntax errors are encountered, or SIMULATE=Y processing is requested. If additional record filtering is required, z/os SMF processing controls may be employed with facilities such as: PARMLIB(SMFPRMxx) parameters IEFU84 SMF installation exit IFASMFDP utility during the SMF offload process Post-offload processes defined by the installation. SMF Activation The following steps must be performed for SecureZIP to actively perform SMF recording. Each step is described in the sections that follow. 1. Install and activate the PKWSVC module under z/os 2. Select a unique SMF record type and activate it within the System Management Facility 3. Activate SVC and SMF settings in the SecureZIP defaults module. The following IBM reference publications may be consulted for details regarding the installation steps. z/os MVS System Management Facilities (SMF) z/os Initialization and Tuning Reference Install and Activate the PKWSVC Module The installation of an SVC should be performed by a qualified and authorized z/os system programmer. Appropriate backup and recovery procedures should be followed for all components critical to system IPL and operations. 68 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

77 The SMF recording facility requires that a program using the SMFEWTM macro service either be APF-authorized or run in supervisor state. Because SecureZIP for z/os executes in a non-apf authorized state, an SVC module is provided to invoke the service. SecureZIP for z/os provides the SVC routine in load module IGC00PKW (with ALIAS PKWSVC) for installation as a type(3) SVC. The following operating characteristics may be noted: No record-tailoring work is performed in the PKWSVC module. The record is passed to the SVC for invocation of the SMFEWTM macro service. The SVC routine is intended for use only with the SecureZIP for z/os product. The SecureZIP for z/os defaults module setting SVC= governs which SVC # SecureZIP for z/os should attempt to use. SecureZIP for z/os covers the use of the SVC with an ESTAEX recovery routine. A partial or incorrect installation of the SVC should not interfere with SecureZIP for z/os functionality. The following procedure provides guidance for activation of the PKWSVC through an IPL. SVC number 201 will be used in all illustrations. Alternative SVC activation procedures adopted by an installation may also be used. 1. Choose an available SVC number for the system(s) on which SecureZIP for z/os will operate. 2. In the installation s system PARMLIB(IEASVCxx) member, add a line that defines the desired SVC number and relates it to the PKWSVC module to be identified at the next IPL. In the sample below, SVC 201 has been chosen, along with the ALIAS name PKWSVC that will be assigned to the corresponding SVC load module (to be defined in a subsequent step). SVCPARM 201,REPLACE,TYPE(3),EPNAME(PKWSVC) /* PKWARE SVC */ Ref. IBM z/os Initialization and Tuning Reference Statements/Parameters for IEASVCxx 3. Identify a target LPALIB for the PKWARE SVC to be installed to. This may either be an existing library used by the installation for LPA/MLPA modules, or a newly defined one. If a new library is to be used, be sure to configure the system LPALSTxx or IEALPAxx PARMLIB members to use the new library during the next IPL. Ref. IBM z/os Initialization and Tuning Reference LPALSTxx (LPA Library List) Ref. IBM z/os Initialization and Tuning Reference IEALPAxx (modified LPA List) 4. Position the SVC load module and ALIAS PKWSVC into the target LPA library that will be used during an IPL to load the Link Pack Area, either with CLPA or MLPA. This process requires that the module IGC00PKW be renamed to support the SVC number selected while retaining the ALIAS PKWSVC (Ref. z/os MVS Authorized Assembler Services Guide, user-written SVC routines). Chapter 2 Installation, Licensing, and Configuration 69

78 Per IBM naming conventions for type 3 SVCs, must be named IGC00nnn; nnn is the signed decimal number of the SVC routine. For example, SVC 251 would be IGC0025A and SVC 245 would be IGC0024E Using our example of SVC 201, the SVC Load module name is IGC0020A. A two-step process is described below. o First, using ISPF option 3.3 (Move/Copy), copy members IGC00PKW and PKWSVC from the SecureZIP LOAD library to the target LPA library to be used. Be sure to copy both members with a single selection so that member PKWSVC is retained as an ALIAS of IGC00PKW. o Using ISPF option 3.1 (Library) with Member List display, verify that PKWSVC shows as an Alias-of IGC00PKW. Menu Functions Confirm Utilities Help LIBRARY MAS.TESTLPA Row of Command ===> Scroll ===> CSR Name Prompt Alias-of Size TTR AC AM RM IGC00PKW ANY PKWSVC IGC00PKW ANY **End** o Next, use ISPF option 3.1 (Library) against the target LPA library and RENAME IGC00PKW to IGC0020A. Menu Functions Confirm Utilities Help LIBRARY MAS.TESTLPA Row of Command ===> Scroll ===> CSR Name Prompt Alias-of Size TTR AC AM RM R IGC00PKW IGC0020A ANY PKWSVC IGC00PKW ANY **End** <ENTER> Menu Functions Confirm Utilities Help LIBRARY MAS.TESTLPA Row of Command ===> Scroll ===> CSR Name Prompt Alias-of Size TTR AC AM RM IGC00PKW *Renamed PKWSVC IGC00PKW ANY **End** 70 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

79 o Finally, verify that the rename is complete with PKWSVC as an Alias-of the target SVC load module name by ending the prior display and re-entering the Display Member List as shown below. Menu Functions Confirm Utilities Help LIBRARY MAS.TESTLPA Row of Command ===> Scroll ===> CSR Name Prompt Alias-of Size TTR AC AM RM IGC0020A ANY PKWSVC IGC0020A ANY **End** 5. Review system PARMLIB members LPALSTxx or IEALPAxx to ensure that the module will be correctly loaded to LPA. 6. IPL using CLPA, MLPA or other means appropriate to the operating environment to activate the SVCPARM and load the PKWSVC module. This task may be deferred until preparations are complete for SMF recording with the selected SMF record type identified in the next section. Select a Unique SMF Record Type The activation of SMF recording should be performed by a qualified and authorized z/os system programmer. Appropriate backup and recovery procedures should be followed for all components critical to system IPL and operations. The SMFEWTM system macro is used within the PKWARE SVC with BRANCH=YES and is not in cross memory mode. Installation exit IEFU84 will be given control before the record is written to SMF. SecureZIP setting SMF_RECORD#= designates which SMF record type will be issued. For error conditions encountered other than IEFU84 record filtering, SMF recording is suspended for the remainder of the ZIP/UNZIP run. The following procedure provides guidance for activating the use of a designated SecureZIP SMF record through an IPL. SMF record number 250 will be used in all illustrations. Alternative SMF record activation procedures adopted by an installation may also be used. 1. Choose an available SMF record number for the system(s) on which SecureZIP for z/os will operate. This SMF record number must be unique and should be coordinated with other SMF record types used in the environment. 2. Conditionally Modify (or create a new) system PARMLIB(SMFPRMxx) with appropriate SYS and SUBSYS statements that will permit the correct level of SMF records to be written for the operating environments where SecureZIP will be executing. When SecureZIP builds the SMF record header for subtypes, it does not fill in the SMFxSSI Subsystem Identifier field. Ref. z/os MVS System Management Facility: o Chapter 4. Customizing SMF Chapter 2 Installation, Licensing, and Configuration 71

80 o o Entering SMFPRMxx in SYS1.PARMLIB Preserving SMF Data 3. Conditionally review the logic of any active SMF installation exits (IEFU84) that may affect the recording of the designated SMF record. Optional filtering logic may be employed by the installation to further restrict the volume of records that are written. 4. Activate related SMFPRMxx changes through an IPL or other means available to the installation. Activate SVC and SMF Settings in the SecureZIP Defaults Module The administrative tasks of activating the supporting SVC and SMF system parameters are covered in separate sections. Although these tasks may be performed prior to the SVC activation, some overhead will be incurred by ESTAEX recovery management when an incomplete SVC activation is encountered. Therefore, it is recommended that the system administrative tasks be completed first. The SecureZIP defaults module (ref. ACZDFLT) provides three settings that govern an attempt to engage SMF recording. SVC=sss SMF_RECORD#=rrr SMF_SUBTYPES= Corresponds with the PKWSVC installation used to write the SMF records. See Install and Activate the PKWSVC Module, above. Corresponds with the SMF record number to be written by SecureZIP See Select a Unique SMF Record Type, above Controls which subtype records should be attempted to be written by SecureZIP. Possible values include: 'START,SUMMARY' (This is the default) 'START,SETTINGS,SUMMARY' 'START,FILES,SUMMARY' 'START,SETTINGS,FILES,SUMMARY' Both SVC= and SMF_RECORD#= must be declared to trigger SecureZIP SMF processing. For testing purposes, these settings may be placed into a SecureZIP command stream to verify that the SVC is correctly installed and activated. The levels of recording should be selected in accordance with the enterprise requirements for auditing. See the chapter 8 for information regarding the frequency and type of information recorded for each subtype to assist in selecting the correct levels. In order to keep the volume of recording down, an installation exit such as IEFU84 may also be considered to filter out unnecessary SecureZIP SMF recording events. 1. Before changing the run-time defaults module, execute a test SecureZIP run on the target system(s) to ensure that the SVC and SMF system parameters are correctly activated. 72 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

81 For example: -SVC=201 -SMF_RECORD#=250 TRACE_CSERV=1 ZPCM082I SMF recording is ACTIVE to record type 250 {START,SUMMARY }... SMF RECORD ADDRESS=20301FFC,LENGTH= FFC EFA D7D2.c..;...PK C E6F D4C1E2F4 F5F9F8C8 W1...MAS4598H C C347FA B39E0AFB C C E9C9 D7C9E ZIPIT C D1D6 C2F3F5F9 F4F4D4C1 JOB35944MA C E E2E9 F1F14BF0 C485A540 S SZ11.0Dev C D3E5D34D F05D4040 C2C1E3C3 C LVL(0) BATCH C C D4 C1E24BE3 C5D4D74B A...MAS.TEMP C E9C9D ZIP... TRCM002T <ACCMGR> PKWSVC RC R14-R1: F o o The trace setting TRACE_CSERV=1 will cause selected internal processing messages to be issued so that SMF recording events may be reviewed without dumping the live SMF data sets. R15 in the TRCM002T message shows RC = indicating that the SMF record was successfully written. During SecureZIP startup, if LOGGING_LEVEL=VERBOSE is active, one of the following messages will be issued to indicate whether SMF recording will be attempted: ZPCM081I SMF recording is INACTIVE - OR ZPCM082I SMF recording is ACTIVE to record type +3+C+ {+30+C+} When ZPCM082I is issued, the SMF_RECORD# being used is shown along with the SMF_SUBTYPE information levels requested. The levels START and SUMMARY are the minimal levels of recording that may be specified once an SMF_RECORD# is activated for use. o When an error condition is raised in writing the SMF record, message ZPCS001I will be issued to the SYSPRINT with an indication as to why the record could not be written. Chapter 2 Installation, Licensing, and Configuration 73

82 ZPCS001I SMF rc= +8+H+ +80+C+ Explanation: SMF recording was configured for operation. The requested record(s) may not have been written. The rc = value generally corresponds to the SMFEWTM macro return codes as documented in the z/os MVS System Management Facilities manual. An rc = value of the form 00000Fxx indicates that an error associated with the supporting SVC for SMF recording has been detected. "xx" corresponds to the hexadecimal representation of the SVC number. For example, 00000FF0 corresponds to SVC 240 (x'f0') The most common cause of this type of failure is an incomplete or incorrect activation of the PKWSVC module for SVC processing. 2. Using instructions in the SecureZIP System Administrators Guide, the section entitled Tailoring Site-specific Changes to the Defaults Module, make a backup copy of the ACZDFLT source module used in the installation process, add the lines SVC=, SMF_RECORD#= and SMF_SUBTYPES= to match the desired parameters, and re-assemble the defaults module. o o Optionally, these parameters may be specified on the MCZLOCKS macro in the defaults module to ensure that users do not attempt to override the specifications. Ensure that all copies of the defaults modules are distributed to all live run-time libraries, including those included in LNKLST, if any. 4. Execute a test job without the SVC or -SMF_RECORD# commands to verify operation. (Ref. ZPCM082I above) Default Module Settings Affecting SMF Recording SMF_RECORD# Synonyms Include: none SecureZIP only SMF_RECORD#=nnn This defaults module setting specifies the SMF record type value that SecureZIP should use when SMF recording is activated. The value specified should be coordinated with the use of other SMF records in an installation to prevent record type overlap between products or systems. The value corresponds to the SMFxRTY field as described in the SMF Standard Header in the IBM z/os MVS System Management Facility manual. The use of this setting, along with SVC=, activates SMF recording in SecureZIP for z/os. 74 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

83 SMF_SUBTYPES Synonyms Include: none SecureZIP only SMF_SUBTYPES= 'START,SETTINGS,FILES,SUMMARY' This defaults module setting indicates the level of recording that should be attempted by SecureZIP when SMF recording is activated. START Create a subtype 1 record for the beginning of the SecureZIP session. SETTINGS Create a subtype 2 record following the START record to describe critical process settings to be used for the session. FILES Create a subtype 3 record for each file that is processed for ADD, FRESHEN, UPDATE, or EXTRACT processing. SUMMARY Create a subtype 99 record for the end of the SecureZIP session to track final status information (e.g. final return code). The values START and SUMMARY are the distributed default values. The use of this combination will result in two records for each session of SecureZIP. Detail record information may be found in the SMF Record Formats chapter. Usage notes The use of FILES may result in a high volume of SMF records being written unless it is controlled through filtering techniques. See Record Filtering in the section Enable SMF Recording, above, for information about on record volumes. SVC Synonyms Include: none SecureZIP only SVC=nnn This defaults module setting specifies the SVC number that was used to install PKWSVC. (See Install and Activate the PKWSVC module topic for more information). This SVC is used to perform the SMF record write requests. The use of this setting, along with SMF_RECORD#, activates SMF recording in SecureZIP for z/os. Chapter 2 Installation, Licensing, and Configuration 75

84 Usage notes In order to avoid unnecessary processing overhead in SecureZIP operations, it is preferable that this setting not be used until the PKWSVC module has been properly activated in the system. 76 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

85 3 Security Administration Overview SecureZIP only This chapter discusses how to utilize SecureZIP for z/os to secure your data. Elements that are required to make a SecureZIP for z/os archive are discussed in detail. These elements, when selectively used, combine to create a SecureZIP for z/os archive or allow the extraction of a file or files from a SecureZIP for z/os archive. A series of ISPF panels assists you in building and maintaining the SecureZIP for z/os Certificate Store, where digital certificates used by SecureZIP for z/os are kept. These panels are not part of the separately licensed feature ISPF. They are standard with SecureZIP for z/os. The ISPF screens and SecureZIP for z/os commands used to work with them are shown in this chapter, along with notes and comments. Beginning with SecureZIP for z/os 11.0, digital certificates can be used from the system Security Server (for example, RACF). The present chapter applies for the initialization of the SecureZIP key store index components and for defining policy controls for the use of all certificates. Administration of Security Server certificates is covered in the SecureZIP for z/os Security Administrator s Guide. Accessing Certificates SecureZIP for z/os provides access to certificates held within the z/os Security Server, local data sets, and VSAM index paths when control card requests are present. In addition, RECIPIENT(LDAP"...) requests are resolved through configured network definitions. Public Key Certificate Certificate-based encryption allows the exchange of encrypted data without the exposure of also exchanging or retaining a password. This form of encryption uses a public-key digital certificate when creating and it then uses a corresponding private-key certificate by the Chapter 3 Security Administration Overview 77

86 recipient to decrypt. Digital certificates may be identified and selected by naming information, such as Common Name, or address. When encrypting data for specified public-key recipients, SecureZIP for z/os uses digital certificates in a process called digital enveloping. See the Secure.ZIP Envelopes whitepaper at the PKWARE Web site. A public-key certificate consists of the public portion of an asymmetric cryptographic key (the "public key"), together with identity information, such as a person's name, all signed by a certificate authority (CA). The CA essentially guarantees that the public key belongs to the named entity. Private Key Certificates To UNZIP a file that has been encrypted with a public-key certificate, the receiver must supply a matching private-key certificate. This is done by including RECIPIENT commands that specify the location of the private-key certificate along with its associated access password. Note this password is not a password used to encrypt a file, but rather a password that is used to access the private-key certificate. RECIPIENT commands may be included in the command input stream directly or be included through the INCLUDE CMD command. A Private-Cert profile designates a saved repository of the private-key certificates. The RECIPIENT commands are automatically included when SecureZIP for z/os dialogs prepare batch JCL or UNZIP call streams and File Decryption is requested. Certificate Authority and Root Certificates End entity certificates and their related keys are used for signing and authentication. They are created at the end of the hierarchy of certificate authorities. Each certificate is signed by its CA issuer and is identified in the Issued By field in the end certificate. In turn, a CA certificate can also be issued by a higher level CA. Such certificates are known as intermediate CA certificates. At the top of the issuing chain is a self-signed certificate known as the root. SecureZIP uses the certificates for signing and authentication operations. SecureZIP for z/os makes use of these certificates in PKCS#7 format. The intermediate CA certificates are maintained independently from the ROOT certificates. Configuration Profile A configuration profile is a collection of SecureZIP for z/os commands that describe the necessary environment. At execution time this profile is read to locate the appropriate stores and index. SecureZIP for z/os provides various means by which the configuration information can be supplied. Contact your technical support staff for instructions regarding access to the configuration. Contents of the Configuration Profile Execution configuration values may be supplied in any of the following ways. It is highly recommended that the command sources be coordinated in logical groups (Local Cert Store settings, or LDAP settings) so that overrides are not overly complex. 78 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

87 Direct commands in the SYSIN stream When accepted, these commands take precedence over other sources. INCLUDE_CMD indirect reading of profile commands This is the method employed when you specify a file location through the SecureZIP Active DB Profile: field. When accepted, these commands take precedence over profiles read by the Defaults module, but may be overridden by SYSIN commands. Defaults module indirect reading of profile commands This is the method employed when you specify UNDEFINED in the SecureZIP Active DB Profile: field. Data Base (DB) Profile (Local Certificate Store) During SecureZIP for z/os processing that requires encryption intended for a RECIPIENT, associated public-key certificate(s) must be located. One way of designating which public-key recipients to include is through the DB: form of the RECIPIENT command. This allows for recipient selection based on name or address through a configured database of certificates on the system that is executing SecureZIP for z/os. Your technical support staff is responsible for configuring the local certificate store and should provide you with information on which profile dataset, typically a member of a partitioned data set, to use. Below is a sample of the contents of the data base profile. * * * Local zseries development certificate store * * * -{CSPUB=4;1;SECZIP.CERTSTOR.PUBLIC} -{CSPRVT=4;1;SECZIP.CERTSTOR.PRIVATE} -{CSCA=1;1;SECZIP.CERTSTOR.PUBLIC(CAP7)} -{CSROOT=1;1;SECZIP.CERTSTOR.PUBLIC(ROOTP7)} -{CSPUB_DBX=SECZIP.CERTSTOR.PUBLIC.DBX} -{CSPUB_DBX_PATH_CN=SECZIP.CERTSTOR.PATHCN} -{CSPUB_DBX_PATH_EM=SECZIP.CERTSTOR.PATHEM} -{CSPUB_DBX_PATH_PUBKEY=SECZIP.CERTSTOR.PATHPUBK} LDAP Profile (Networked Certificate Store) During SecureZIP for z/os processing that requires encryption intended for a RECIPIENT, the associated public-key certificate(s) must be located. One way of designating which public-key recipients to include is through the LDAP interface to a directory server: form of the RECIPIENT command. This allows for recipient selection based on name, address or other installation-configured LDAP fields. One or more LDAP compliant servers may be configured for searching. The technical support staff responsible for configuring the LDAP compliant directory that stores certificates will provide you with information of which profile dataset, which is typically a member of a Partitioned Data Set, to use. Below is a sample of the contents of the file. Chapter 3 Security Administration Overview 79

88 * * * zseries LDAP access * * * * --- * Primary LDAP * --- -{LDAP=1; ;389;0;0;;;* ; o=pkware,c=us,cn=user,dc=cosmos,dc=securezip,dc=com} * --- Recipient Searches When RECIPIENT requests are made for either the local certificate store (DB:), an LDAP store (LDAP:), or both, (SYSTEM:), a set of search criteria are provided. The search criteria of address (EM= or mail=) and Common Name (CN=) are accepted by both the DB: and LDAP: service providers. When multiple RECIPIENT requests are made, it is possible that two or more search criteria may resolve to the same recipient certificate. For example, if both EM= and CN= are used in different RECIPIENT (or MASTER_RECIPIENT) requests, then the same public key certificate may be found. The first entry found will be used, and any duplicate copies of the same certificate will be ignored, resulting in only one representation of that certificate. A search for an individual by name or address may result in multiple digital certificates being located, whether from the same certificate store source or not. This means that more than one representation of an individual can be included in the run. LDAP searching can be accomplished with direct RECIPIENT requests via RECIPIENT(LDAP:search_criteria) or implicitly with RECIPIENT(*system:search_criteria). In both cases, the Certificate Store Configuration settings define the order in which the LDAP servers are to be searched. However, in the case of using "*system", local certificate stores are searched prior to any of the configured LDAPs. When multiple stores are to be searched (*system: or LDAP:), all RECIPIENT requests are searched in one store before the next store is referenced. If a RECIPIENT request has one or more entries found in one Store, then subsequent stores are not searched for that request. This means that it is possible for generic LDAP search criteria to bypass entries defined in subsequent LDAP servers. RECIPIENT requests that were not satisfied at all by the higherlevel Store search will continue to be searched for. Example: LDAP #1 0 entries LDAP #2 3 entries Add entry LDAP #1 1 entry LDAP #2 3 entries Search LDAP s for RECIPIENT matches 0 matches 3 matches LDAP #1 has an entry added matching RECIPIENT 1 match 0 matches 80 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

89 Local Certificate Stores Access x.509 Public and Private Key Certificates SecureZIP for z/os introduces a new subtask, CSERV, that utilizes RSA s BSAFE Cert-C Toolkit to access X.509 Public and Private key certificates. The access to the various certificate stores by this task is governed by various forms of the RECIPIENT, SIGN_ARCHIVE, SIGN_FILES and AUTHCHK commands, as well as by a suite of configuration commands. The configuration commands are read either through SYSIN, INCLUDE_CMD(parmlib) or SECUREZIP_CONFIG specifications. The syntax of the commands is -{... }. The semi-colon (;) is used as a parameter delimiter. -{CSPUB=type;Seq;string PUB} -{CSPRVT=type;Seq;string Prvt} -{CSCA=type;Seq;string CA} -{CSROOT=type;Seq;string Root} -{CSPUB_DBX=vsam_cluster_base_index} -{CSPUB_DBX_PATH_CN=vsam_path_through_AIX_for_Common_Name} -{CSPUB_DBX_PATH_EM=vsam_path_through_AIX_for_ _address} -{CSPUB_DBX_PATH_PUBKEY=vsam_path_through_AIX_for_PublicKey} -{AUTHENTICATE=TRUSTED,EXPIRED,REVOKED,TAMPERCHECK} -{VALSIGN=TRUSTED,EXPIRED,NOTREVOKED} -{VALENCRYPT=TRUSTED,EXPIRED,NOTREVOKED} -{RESET} Where: type (*PATH 0) (FILE 1) (*DB 2) (*LDAP 3) (*PDS 4) Seq 0 through 9 (Cert Store search order) LDAP - timeout of 0 results in system settings user of NULL or ";;" will use "anonymous" login Certificate Store References {CSxxx} If not supplied through configuration changes, the defaults are: {CSPUB=1;9;DUMMY} {CSPRVT=1;9;DUMMY} {CSCA=1;9;DUMMY} {CSROOT=1;9;DUMMY} {CSPUB_DBX=DUMMY} {CSPUB_DBX_PATH_CN=DUMMY} {CSPUB_DBX_PATH_EM=DUMMY} {CSPUB_DBX_PATH_PUBKEY=DUMMY} The local zseries certificate store for public key certificates (configuration settings for {CSPUB_...}), can be built as a PDS[E] indexing scheme for common name and address Chapter 3 Security Administration Overview 81

90 searches. This is accomplished through a VSAM base cluster and a set of alternate index paths to access the appropriate field types. The PDS[E] and the VSAM suite are managed as a unit and should not be manipulated independently from the supplied SecureZIP utilities. When no Public Key Store (CSPUB=) PDS[E] is specified, then the indexing (CSPUB_DBX...) files are not accessed. The CSCA (Certificate Authority) and CSROOT (Trusted Root Certificate Authority) certificates are maintained in respective sequential files in X.509 PKCS#7 format. Overrides to {CSxxx } or {LDAP } configuration commands can be done through input command streams or included members. However care must be taken to coordinate overrides so that intermixed PATHS do not result in different databases or indexes being used when resolving the various search criteria. Authentication and Certificate Validation Policies Certificate validation may be done when activities in the following functional areas are performed: Recipient based encryption Archive or file signing Authentication of digital signatures for files and/or archive directory Validation policies are passed to SECZIP and SECUNZIP to govern various aspects of certificate validation at execution time. The policies are defined in configuration profile settings, and may also be included as override commands for individual executions of SECZIP and SECUNZIP. The policy command settings are coded in the same format as other certificate store profile commands, with the syntax -{...} Each functional area supports a single policy statement with its associated settings. The CERTSTORE Policy Setup panel generates a policy statement for each functional area for use in the certificate store profile. -{AUTHENTICATE=...} -{VALENCRYPT=...} -{VALSIGN=...} When SAF (System Access Facility security server) based certificates are used with the certificate store type specification of SAF: in the recipient, signing, and authentication commands, an additional policy setting is used: -{SAFSET= } {AUTHENTICATE} Policy The {AUTHENTICATE} setting can be used within an include member that contains configuration commands, or within the standard command stream. It defines the level of processing that AUTHCHK commands will perform. The last AUTHENTICATE command found in the input stream will be used for processing and fully defines the signature authentication elements to be verified. The default settings may be changed by the SecureZIP administrator 82 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

91 at any time. However, if this command is not supplied, all supported elements default to being checked. Elements include: [NO]TAMPERCHECK The signature associated with the archive or file(s) involved will be used to verify that the content has not been altered since the archive was built. [NOT]EXPIRED The digital certificates used to originally perform the signing operation contain internal date ranges of validity. The AUTHCHK operation will fail if any of the certificates in the trust chain are not found to be within their stated data range. Note that an end-certificate may have expired at the time that the archive is being accessed, and NOTEXPIRED may be used to continue processing. [NOT]REVOKED A certificate owner may request that the issuing certificate authority declare a certificate to be revoked and thereby no longer consider that certificate to be valid. The AUTHCHK operation will fail if any of the certificates in the trust chain are found to have been revoked or if the revocation status could not be determined. [NOT]TRUSTED Each end-certificate used in the signature must be traced back to a trusted root certificate. The CACA and CSROOT stores on the local system performing the authentication check will be accessed to determine if the entire certificate chain can be trusted. Although the Root ( self-signed ) certificate may be included within the archive, it MUST also exist in the CSROOT store to complete the TRUSTED state. {VALSIGN} Policy The {VALSIGN} setting can be used within an include member that contains configuration commands, or within the standard command stream. It defines the level of processing that SIGN_FILES and SIGN_ARCHIVE commands will perform during SECZIP execution. The last VALSIGN command found in the input stream will be used for processing and fully defines the signing certificate elements to be verified. The default settings may be changed by the SecureZIP administrator at any time. However, if this command is not supplied, all supported elements default to being checked. Elements include: [NOT]EXPIRED The digital certificates used to originally perform the signing operation contain internal date ranges of validity. The AUTHCHK operation will fail if any of the certificates in the trust chain are not found to be within their stated data range. Note that an end-certificate may have expired at the time that the archive is being accessed, and NOTEXPIRED may be used to continue processing. [NOT]REVOKED A certificate owner may request that the issuing certificate authority declare a certificate to be revoked and thereby no longer consider that certificate to be valid. The AUTHCHK operation will fail if any of the certificates in the trust chain are found to have been revoked or if the revocation status could not be determined. [NOT]TRUSTED Each end-certificate used in the signature must be traced back to a trusted root certificate. The CACA and CSROOT stores on the local system performing the authentication check will be accessed to determine if the entire certificate chain can be trusted. Although the Root ( self-signed ) certificate may be included within the archive, it MUST also exist in the CSROOT store to complete the TRUSTED state. {VALENCRYPT} Policy The {VALENCRYPT} setting can be used within an include member that contains configuration commands, or within the standard command stream. It defines the level of processing that Chapter 3 Security Administration Overview 83

92 RECIPIENT-based encryption requests will perform during SECZIP execution. The last VALENCRYPT command found in the input stream will be used for processing and fully defines the signing certificate elements to be verified. The default settings may be changed by the SecureZIP administrator at any time. However, if this command is not supplied, all supported elements default to being checked. Elements include: [NOT]EXPIRED The digital certificates used to originally perform the signing operation contain internal date ranges of validity. The AUTHCHK operation will fail if any of the certificates in the trust chain are not found to be within their stated data range. Note that an end-certificate may have expired at the time that the archive is being accessed, and NOTEXPIRED may be used to continue processing. [NOT]REVOKED A certificate owner may request that the issuing certificate authority declare a certificate to be revoked and thereby no longer consider that certificate to be valid. The AUTHCHK operation will fail if any of the certificates in the trust chain are found to have been revoked or if the revocation status could not be determined. [NOT]TRUSTED Each end-certificate used in the signature must be traced back to a trusted root certificate. The CACA and CSROOT stores on the local system performing the authentication check will be accessed to determine if the entire certificate chain can be trusted. Although the Root ( self-signed ) certificate may be included within the archive, it MUST also exist in the CSROOT store to complete the TRUSTED state. Be aware there are some conditions under which a certificate validation will fail because superfluous certificates are selected during a DB: search request. By marking a certificate entry in the local certificate store as "Suspended", DB: search requests will filter out the suspended entry from the request. For example, assume the following: A recipient command has been used with "DB:CN=Joe Smith,R", thereby requiring the certificate to be available for use for ZIP encryption. VALENCRYPT=EXPIRED is active The original certificate for Joe Smith is about to expire, and a new certificate for the same common name is acquired and installed to the certificate store The older certificate may remain in the certificate store to resolve references to that recipient when viewing older archives. However, the sample DB: search request will return both certificates in the search for new encryption requests. Since the request is marked as Required, the older certificate will fail the validation and the ZIP encryption will fail. By marking the older certificate as Suspended when the newer certificate is installed, subsequent DB: requests will only return the currently active certificate. The older one will still be available for VIEW processing of older archives that used it as a recipient. {SAFSET} Policy The {SAFSET} settings govern how certificates obtained from the System Access Facility Security Server should be treated. First, the Security Server may introduce its own designation of TRUST. So an installation may choose to adopt that indication without performing the trust chain processing normally performed for non-saf certificates. 84 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

93 Secondly, the Security Server provides its own repository support for holding Certificate Authority (and Trusted Root CA) certificates. -{SAFSET=NO*AUTH* *AUTH*} specifies whether SecureZIP should perform SAF requests to load TRUSTED CA certificates from that store location in addition to those loaded from the configured SecureZIP Certificate Store. An installation may administer the certificates into whichever store suits its certificate processing needs. Table: -{SAFSET} Controls SAFSET= Setting Description Notes NO*AUTH*,TRUSTSAF Do not access the Security Server Certificate Authority pool. Adopt the TRUST status returned by the Security Server without processing the CA chain. Default value used when a -RECIPIENT(SAF: ) command is encountered. When SAF trust is adopted for recipients, there is no need to search the CERTAUTH trust chain. *AUTH*,TRUSTSAF Access the Security Server Certificate Authority pool when required for CA chain processing Adopt the TRUST status returned by the Security Server without processing the CA chain. Default value used when a SIGN_ARCHIVE, -SIGN_FILES or AUTHCHK SAF command is encountered. The Security Server CERTAUTH certificate pool will be used to resolve and include the CA chain. Note: During signing operations, the CA chain is included in the ZIP archive for ease of trust chain analysis on the receiving system. *AUTH*,NOTTRUSTED NO*AUTH*,NOTTRUSTED Access the Security Server Certificate Authority pool when required for CA chain processing Do not Adopt the TRUST status returned by the Security Server. Rather perform the TRUST chain analysis in accordance with the affiliated policy setting. Do not access the Security Server Certificate Authority pool. Do not Adopt the TRUST status returned by the Security Server. Rather perform the TRUST chain analysis in accordance with the affiliated policy setting. This combination may be of use when signature/authentication operations are to be performed and SecureZIP TRUST chain policy is desired, including CA certificates from the Security Server CERTAUTH pool. This combination may be of use when SecureZIP TRUST chain policy is desired, and the CA certificates are held in the configured SecureZIP Certificate Store instead of in the Security Server. SAFSET Processing Notes The use of a {SAFSET= } command overrides any default SAFSET settings. The placement of {SAFSET= } within the command stream is independent of the functional commands (for example, RECIPIENT). The final {SAFSET= } command encountered in the command processing stream takes effect. Chapter 3 Security Administration Overview 85

94 Any specification of the {SAFSET= } command resets both the *AUTH* and TRUST sub-parameters. That is, previous sub-parameter values are not retained. If the {SAFSET= } command is provided without a sub-parameter, the default values are NO*AUTH* and NOTTRUSTED. If no {SAFSET= } command is provided, and combinations of functions (for example, RECIPIENT and SIGN_FILES) are used, the default SAFSET for SIGN_ARCHIVE, SIGN_FILES, and AUTHCHK all override the default for RECIPIENT. That is, *AUTH*,TRUSTSAF is used as the default for all processing. For signing and authentication processes, -{SAFSET=*AUTH* } may be used to resolve certificate authority certificates from the Security Server CERTAUTH pool even if SAF: designations are not used in the signing and AUTHCHK commands. Other Profile Commands {RESET} Clearing the Active Configuration The {RESET} command can be used at the beginning of an include member that contains configuration commands, or within the standard command stream to clear all existing {CSxxx } and {LDAP } configuration commands that may have been previously loaded. This will help avoid mixed entries if an incomplete set of overrides is present. Remember that the defaults module may include settings for the configuration commands even if commands are not explicitly coded at run-time. The default settings may be changed by the SecureZIP administrator at any time. Execution Time SecureZIP for z/os is commonly run as a batch job step utility to place one or more files into a SecureZIP container (archive) prior to subsequent processing (such as transporting to an off-board system). Processing considerations when utilizing Recipient-based Encryption include: Using INCLUDE_CMD to reference the Local Certificate Store configuration control records (created by the initial setup in Certificate Store Administration) in the SYSIN command stream Using the RECIPIENT command to trigger certificate-based encryption. (Optionally, the RECIPIENT command used for extraction (decryption) may be referenced via INCLUDE_CMD to protect the password information contained within it). Having dataset-level READ authority (via RACF or equivalent product) to the privatekey certificate and referenced command files necessary to access the certificate Performing JCL return code checking within the job stream after the SECZIP program has completed to test the success of Encryption/Decryption processing Security Considerations To ensure the continued integrity of private-key certificates within an organization, special attention should be paid to protecting access to them. The X.509 PKCS#12 certificate format supported by SecureZIP has an inherent security mechanism designed to protect the private keys within the transportable certificate by way of 86 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

95 an access password. This means that without the appropriate password, the private keys cannot be accessed from the private-key PKCS#12 digital certificate (on any system or location). RACF READ authority (or equivalent) must be granted to the job accessing certificate store, X.509 certificate file and the referenced input stream containing the command having the certificate request (and password for a private-key certificate). To perform a decryption operation, SecureZIP for z/os requires read access to the PKCS#12 private-key certificate (file or PDS member), as well as a command (RECIPIENT) containing the corresponding password. Similarly, the signing and authentication commands (SIGN_ARCHIVE, SIGN_FILES and AUTHCHK) may reference private keys. The following should be considered when using SecureZIP to access private keys: Password information will be masked out in SecureZIP SYSPRINT output. If jobstream inputs can be viewed by operational staff members, then an indirect reference to the command(s) containing the password should be considered. Read protection of command files containing passwords Read protection of PKCS#12 certificate files Optionally use ECHO=N within the command sequence to eliminate the command from showing in the SYSPRINT output. SecureZIP administrative certificate files are located within the INSTLIB2 dataset and must be available for some administrative functions. Read access should be provided to the SecureZIP administrator for this library as the create and verification processes will fail if the library is not accessible. Passphrase Registration SecureZIP for z/os provides a feature that allows an installation to register encryption and decryption passphrase values in ICSF for controlled use in SecureZIP jobs, thereby eliminating the use of exposed passphrase values in the operational environment. Through the use of ICSF APIs, the registration process generates keys from the passphrase provided by the administrator and stores them in the ICSF CKDS (Cryptographic Key Data Set). Each key has a unique CKDS reference label defined for subsequent access by SecureZIP invocations. As documented in the SecureZIP User s Guide, new CKDS reference forms of the PASSWORD command are made available so that a SecureZIP job may reference the required keys through a LABEL or TITLE reference assigned during registration, rather than by providing the passphrase value in the clear. Accessing the Passphrase Registration Dialogs To administer passphrase registrations, access the SecureZIP Administration panel and select option CKDS as shown below. Chapter 3 Security Administration Overview 87

96 PKZADM01 Option ===> SecureZIP Administration CS Cert Store Certificate Store Administration and Configuration CU Crypto Utility Cryptographic Services Utility ICSF IBM ICSF Integrated Cryptographic Service Facility Dialog CKDS ICSF CKDS Passphrase Registration Service L License Display License Information M Messages Message ID lookup Once selected, the passphrase registration dialog will be presented. PKCS14 SecureZIP ICSF CKDS Passphrase Registration Option ===> More: ICSF Facilities supporting the CKDS must be operationally active Select One of the Following 1 Register a Passphrase Key in the active CKDS 2 List Registered Entries 3 Delete a Key set from the active CKDS 4 CKDS and SecureZIP Key Store Index Reporting Q Query the ICSF CKDS operational status Active Store Configuration: 'SECZIP.MVS.PROFILES(member)' -{CSPUB=4;1;prefix.CERTSTOR.PUBLIC} -{CSPRVT=4;1; prefix.certstor.private} -{CSPUB_DBX= prefix.certstor.dbx} Detailed information regarding the use of this set of dialogs is covered in the SecureZIP for z/os Security Administrator s Guide. See the chapter titled SAF-protected Passphrase Feature, section Registering Passphrases. 88 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

97 4 Certificate Store Management SecureZIP only The ISPF panels in this chapter are used to build and maintain the SecureZIP for z/os certificate store. These panels are not part of the separately licensed feature ISPF. They are standard with SecureZIP for z/os. SecureZIP Main Panel Access to the Certificate Stores SecureZIP Version 10.0 Option ===> C Config Modify Run-time Configuration Settings ZD Zip Defaults Modify Default ZIP Command Settings UD Unzip Defaults Modify Default UNZIP Command Settings U Unzip Decompress, Decrypt, Authenticate File(s) in an Archive V View Display the Contents of a Zip Archive Z Zip Compress, Encrypt, Sign File(s) into a Zip Archive S Sysprint M Messages Browse Log of Last Foreground Execution Message ID lookup A Administration Administration Services and Reference Information W Wizard List For HELP Press PF1 Release Date: 09/13/ LVL(Q1) To access the certificate store administration and configuration, enter A in the Option field from the main SecureZIP panel; then enter CS from the main SecureZIP Administration panel. SecureZIP Certificate Store Administration and Configuration Local certificate store SecureZIP for z/os provides access to both public and private key certificates Chapter 4 Certificate Store Management 89

98 through a set of local files, either PDS or PDSE, and VSAM index paths. The composite of these elements is known as recipient database access. LDAP certificate store SecureZIP for z/os also provides access to public key certificates located in an external LDAP (Light Weight Directory Access Protocol) server via a TCPIP network connection. x.509 certificate information SecureZIP for z/os also provides identification of and simulation with certificates prior to including them in your local certificate store. Each certificate store is described in detail below. Local Certificate Store Administration This section assists with allocating the components necessary to support the local DB, as well as administer the certificates within it. SecureZIP for z/os provides access to both public and private key certificates through a set of local files, PDS or PDSE, and index paths. The files and VSAM indexing components (Cluster, Alternate Indexes and Paths) must be allocated and synchronized. The following administration phases should be planned for: Initial Setup: A one-time initialization of the local certificate store datasets. This is initiated through the SecureZIP ISPF Dialogs and is performed by a generated batch job stream. Certificate store datasets are allocated and initialized for future use. In addition, a set of run-time configuration control records is generated for run-time access by SecureZIP. Certificate Administration: The addition of new certificates to be used for encryption must be periodically performed as new exchange partners are identified. Installation of the certificates may be performed either through ISPF dialog foreground (manual) processing, or via a batch job stream. The following certificate administration actions must be accounted for: One or more public-key certificates must be available for use when a RECIPIENT encryption operation is performed (when updating an archive). These digital certificates may either be placed into MVS datasets (or PDS members) on the system that will be used to perform the encryption. A private-key certificate must be available for use when a decryption operation is performed (either during extract processing, or when accessing an archive that has been protected with Filename Encryption). Corresponding RECIPIENT command instructions with the associated private-key certificate password must also be prepared for run-time access. In order to complete the above tasks, digital certificate data must be made available to the activating system in the form of sequential files: o o Private-key certificates in PKCS#12 format (.PFX DSN suffix) Certificate Authority and Root Certificates in DER or B64 format (.CER DSN suffix) 90 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

99 PartnerLink SecureZIP Partner: Supplemental administration activities unique to SecureZIP Partner for z/os are covered in the section PartnerLink Certificate Store Administration and Configuration in chapter 6. A configuration profile is a collection of SecureZIP for z/os commands that describe the collection of components. At execution time this profile is read to locate the appropriate stores and index. Option ===> SecureZIP Certificate Store Administration Select one of the following options and press Enter: 1 Local Certificate Store Administration 2 LDAP Certificate Store Configuration 3 x.509 Certificate Utilities 4 ICSF CKDS Passphrase Registration Service To access the local certificate store administration and configuration, enter 1 in the Option field. SecureZIP Local Certificate Store Option ===> SecureZIP Local Certificate Store Local Certificate Store Administration 1 View Certificate Entries (ISPF Table) 2 List Certificate Entries 3 Add new Certificates 4 Delete a Certificate 5 Synchronize/Verify Local Store Certificates 6 Report Statistics 7 Edit Active Profile 8 Supplemental Administration Utilities Create Define and Initialize a New Local Certificate Store CRL Work with Certificate Revocation Lists Active Store Configuration: 'PKWARE.MVS.JCL(DBPROF)' -{CSPUB=4;1;SECZIP.CERTSTOR.PUBLIC} -{CSPRVT=4;1;SECZIP.CERTSTOR.PRIVATE} -{CSPUB_DBX=SECZIP.CERTSTOR.DBX} -{CSPUB_DBX_PATH_CN=SECZIP.CERTSTOR.PATHCN} -{CSPUB_DBX_PATH_EM=SECZIP.CERTSTOR.PATHEM} -{CSPUB_DBX_PATH_PUBKEY=SECZIP.CERTSTOR.PATHPUBK} This is the main local certificate store panel. It will guide you in establishing your local certstore environment. To create a new local certificate store database, enter CREATE in the Option field. Chapter 4 Certificate Store Management 91

100 Create a New Local Certificate Store DB Option ===> SecureZIP Local Certificate Store Create and Prime New Local Certificate Store Fill in the required information below using the DOWN PFK to complete all fields, including storage management options if necessary. Then Press ENTER to generate the create JCL. Batch Job Card information: //SECZIP81 JOB 'SEZIP82',CLASS=A,REGION=8M, // MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID //* High-Level Qualifier(s): PKWARE.MVS (up to 20 characters) A set of PDS/PDSE datasets, VSAM Clusters, Alternate Indexes and PATHs will be allocated by the JOB. All components of the store must be allocated in the form: hlqs...certstor.type New Store Configuration Profile: 'PKWARE.MVS.JCL(DBPROF)' For example: 'PKWARE.MVS.PARMLIB(CERTCFG1)' Specify the PDS and member where the run-time configuration commands are to be placed for SecureZIP. The PDS dataset and/or member will be allocated if they do not already exist. If the PDS member already exists, it will be overwritten. This member is to be referenced in SecureZIP runs requiring requests from the Local Certificate Store via -RECIPIENT=DB This may be achieved in one of the following ways: 1. Use -INCLUDE_CMD=dsname(member) in the command stream for an individual run. 2. Specify this dataset in the DB Profile field of each user's SecureZIP Runtime Configuration panel. 3. Specify this dataset in the SECUREZIP_CONFIG= parameter of the SecureZIP defaults module (ACZDFLT) to make it effective as a default for all users. Specify SMS/non-SMS allocation parameters Management class... Storage class.... Data class Volume serial.... Device type..... (Blank for default management class) (Blank for default storage class) (Blank for default data class) (Specify for NON sms volume) (Specify for NON sms volume) This panel will set up the job stream to create the public, private, CA and root certificate stores, the data base, all corresponding paths, and the data base profile. The public, private, CA and root certificate stores, and the DB profile are PDS files. The data base is a VSAM cluster with alternate index paths. The certificate stores are initialized with 1 CA, 1 root, four public and four private certificates in their respective stores. The password for those private certificates is PKWARE. New Data Base Profile The profile is used to read the configuration commands to allow access to the certificates during execution of SecureZIP for z/os in either ZIP or UNZIP operations. If the data base profile does not exist, one will be dynamically allocated. If it exists you will see the message Profile Exists in the upper right corner of the screen. 92 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

101 The data base profile follows the standard PDS dataset name format: datasetname(membername). High-Level Qualifier The high-level qualifier (hlq) is used to prefix the certificate stores as well as all components of the database. Multiple nodes are acceptable. For the certificates, the PDS names are: hlq.certstor.public hlq.certstor.private For the Data Base, the names are: hlq.certstor.dbx hlq.certstor.dbxcn hlq.certstor.dbxem hlq.certstor.dbxpubk hlq.certstor.pathcn hlq.certstor.pathem, hlq.certstor.pathpubk hlq.certstor.p7ca hlq.certstor.p7root hlq.certstor.p7crl Batch Job Card information This is the JOB Card to be used for the batch run. Certificate Validation Options When you are satisfied with the parameters you have entered, press ENTER and enter Y or N into the associated certificate validation fields. Command ===> SECUREZIP CERTSTORE Policy Setup Specify whether certificate validation should be performed for each phase of processing ( Y or N ). Press PF1 for detailed information. Encryption: Y Trusted Y Expired Y Revoked Signing: Y Trusted Y Expired Y Revoked Authentication: Y Trusted Y Expired Y Revoked Y Tampercheck The configuration profile for certificate store access also defines default policy settings to be used for certificate validation. Certificates may be validated for use during RECIPIENT selection for Encryption, Signing Certificate selection (SIGN FILES/SIGN ARCHIVE), and Authentication (AUTHCHK) processing. Chapter 4 Certificate Store Management 93

102 Generated JCL to Build the Initial Certificate Store When you are satisfied with the parameters you have entered you would then press ENTER. An Edit session will be created for you to review and submit to generate the certificate store. File Edit Edit_Settings Menu Utilities Compilers Test Help ****** ********************************* Top of Data **************** //FPDCS1 JOB 'ACCOUNTING INFO',CLASS=A,REGION=8M, // MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID //* //****************************************************************** //* PLEASE BE SURE PROCEDURE PKISPF IN INSTLIB HAS BEEN TAILORED * //* TO MEET YOUR SITES SPECIFICATIONS. * //****************************************************************** // JCLLIB ORDER=PKWARE.MVS.INSTLIB //JOBLIB DD DISP=SHR,DSN='PKWARE.MVS.LOAD' //* //* GENERATED JCL TO BUILD INITIAL CERTIFICATE STORE //* DELETE OLD CERTIFICATE STORE //DELCERT EXEC PGM=IEFBR //DPUB DD DISP=(MOD,DELETE,DELETE),SPACE=(TRK,(0)), // DSN=PKWARE.MVS.CERTSTOR.PUBLIC //DPRV DD DISP=(MOD,DELETE,DELETE),SPACE=(TRK,(0)), // DSN=PKWARE.MVS.CERTSTOR.PRIVATE //* CREATE PUBLIC CERTIFICATE STORE //COPYIN EXEC PGM=IEBCOPY.. After you have SUBmitted the JOB and then pressed PF3 to end the Edit session, the following screen appears. ****************************** Top of Data ******************************* *** * LOCAL CERTIFICATE STORE CONFIGURATION CONTROL * * Include this member in SecureZIP runs requiring Local Certificate * Store RECIPIENTS, SIGN_ARCHIVE, SIGN_FILES and AUTHCHK signatories. *** -{CSPUB=4;1;PKWARE.MVS.CERTSTOR.PUBLIC} -{CSPRVT=4;1;PKWARE.MVS.CERTSTOR.PRIVATE} -{CSPUB_DBX=PKWARE.MVS.CERTSTOR.DBX} -{CSPUB_DBX_PATH_CN=PKWARE.MVS.CERTSTOR.PATHCN} -{CSPUB_DBX_PATH_EM=PKWARE.MVS.CERTSTOR.PATHEM} -{CSPUB_DBX_PATH_PUBKEY=PKWARE.MVS.CERTSTOR.PATHPUBK} -{CSCA=1;0;PKWARE.MVS.CERTSTOR.P7CA} -{CSROOT=1;0;PKWARE.MVS.CERTSTOR.P7ROOT} -{CSCRL=1;0;PKWARE.MVS.CERTSTOR.P7CRL} -{AUTHENTICATE=TRUSTED,EXPIRED,REVOKED,TAMPERCHECK} -{VALSIGN=TRUSTED,EXPIRED,REVOKED} -{VALENCRYPT=TRUSTED,EXPIRED,REVOKED} ****************************** Bottom of Data **************************** This is the data base profile that will be saved in the dataset and member you specified. It is used to read the configuration commands to allow access to the certificates during execution of SecureZIP for z/os in either ZIP or UNZIP operations. 94 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

103 View Data Base Certificate Entries You can view details about a certificate. Option ===> SecureZIP Local Certificate Store View Data Base Certificate Entries Active Store Configuration: 'PKWARE.MVS.JCL(DBPROF) Select one or more types for viewing: (Default is all) Public Private Certificate-Authority Root Optional Search Criteria: Search String: Search Fields: ALL (CN/EM/ALL) Case Sensitive: N (Y/N) Filters: Exclusion - Do not show certificates with the following characteristics. Revoked Suspended Expired Not Trusted Inclusion - Show certificates only having the specific indicators. Encryption Signing This panel will create a data base table display using the criteria entered in the fields. The table view will provide an opportunity to select individual entries for various actions. Active Store Configuration The data base to be operated upon. Select Types: This is a report filter that you can use to select the types of certificates to report on. You may report on all certificates in the store by pressing Enter (Default) or selecting a specific type(s). Public key (CER) end-entity certificates will be included from the certificate store index. Private key (PFX) end-entity certificates will be included from the certificate store index. Certificate-authority (P7B) intermediate issuing certificates will be displayed from the active x.509 CA store data set. Root (P7B) self-signed issuing certificates will be displayed from the active x.509 root store data set. Search String Enter a string of characters to be used as a filter, listing only those certificates containing a match for the string. Leave this field blank if no filtering is desired. Search Fields Enter ALL, CN (common name) or EM ( address). Case Sensitive Specify whether the search string should be case sensitive. Chapter 4 Certificate Store Management 95

104 Filters Filters can be useful in viewing qualified certificates in the local certificate store. The filters may be used in combination with other type and search criteria to further restrict the number of entries returned. The Exclusion filters will eliminate entries known to have failed the specified characteristic (based on the information held in the index). For example, index entries marked as Revoked by the System Administration Validate function will fail the Revoked policy test when an attempt is made to use them for signing or encryption. This filter will assist in locating certificate entries that are known to have never failed the Validation test. However, it does not guarantee that the trust chain is currently intact within the certificate store configuration. (The system administrator may not have run the Validate service request against the certificate). The Inclusion filters will assist in identifying certificates issued for a specific purpose. However, certificates issued without the designated use flag will be eliminated from the display. Your enterprise must obtain certificates specific to the qualifications from a certificate authority for this filter to be of use. Be aware that when a certificate validation policy is set for a given SecureZIP action such as Encryption, Signing or Authentication, a dynamic check against the live certificate store is performed in lieu of the database index record settings. This means that multiple certificates identified by a CN= or = search may still be identified at run-time and be flagged as unusable based on the policy in force. When records are no longer desired to be referenced at run-time because they are Expired, Revoked, or Not Trusted, the system administrator should mark the entries as Suspended. PKCSV001 SecureZIP View Certificate Store Row 1 to 10 Command ===> SCROLL ===> CSR Certificate Database: 'SECZIP.NEWDB.CERTSTOR.DBX' Primary commands: LOCATE, SORT and SAVE. Scroll RIGHT or LEFT for more information. Enter line command or '/' for list of valid line commands. Cmd Type Common Name /_ CER Al Smith CER Bill Jones CER Kevin Johnson CER Mark Arrow CER Matt Brewster CER Michael Stanley CER PKWARE Test1 PFX PKWARE Test1 CER PKWARE Test2 PFX PKWARE Test2 96 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

105 Valid Line Commands Command ==> SecureZIP Certstore Line Commands Action: I D Delete Certificate I Detailed Certificate Information EX Edit Certificate Index information VAL Validate Certificate RC Generate -RECIPIENT command based on Common Name RE Generate -RECIPIENT command based on Address SAC Generate -SIGN_ARCHIVE command based on Common Name SAE Generate -SIGN_ARCHIVE command based on Address SFC Generate -SIGN_FILES command based on Common Name SFE Generate -SIGN_FILES command based on Address AAC Generate -AUTHCHK archive command based on Common Name AAE Generate -AUTHCHK archive command based on Address AFC Generate -AUTHCHK files command based on Common Name AFE Generate -AUTHCHK files command based on Address SUS Suspend a certificate from use The Generate option(s) will place the commands to a memory clipboard for a subsequent SAVE command. Specifying D to delete the certificate will remove the specified certificate from your local store. Please be aware that deleting certificate authority and/or root certificates will prevent authentication processing from completing a TRUST check operation. Before permanently removing the certificate from the local store, SecureZIP will prompt the user with the following screen: Confirm Certificate Delete Active DB Profile: 'PKWARE.MVS.PROFILE(CERTCFG1)' Certificate to be deleted: Location= 1 Name = Class 3 Public Primary Certification Authority Serial #= 02CDBA356FFDWE4BC54FE22ACBA72A325 Note: Certificates that are issued by the certification authorities or any lower level certification authorities will no longer be trusted. Press ENTER to continue or PF3 to exit without deleting the certificate. Press ENTER to continue or PF3 to exit without deleting the certificate By requesting I for additional information about the certificate, a report will be generated and displayed. PKSCANCRT 005I scan(0) file is: //'PKWARE.MVS.CERTSTOR.PUBLIC(PUB1CERT)' PKSCANCRT 008I Certificate #1 found (924) //'PKWARE.MVS.CERTSTOR.PUBLIC(PUB1CERT)' --- Certificate PKWARE Test1 Subject: C=US OU=Certification Services Chapter 4 Certificate Store Management 97

106 CN=PKWARE Test1 Issuer: C=US OU=Certification Services CN=PKWARE Test1 SerialNumber: 00 NotBefore: Wed Apr 14 13:20: NotAfter: Sat Apr 13 13:20: SHA-1 Hash of Certificate(Thumbprint): DF 31 1E 8D DF 02 BD 0C 7C 4A CA 03 6D C9 Public Key Hash: 83 0A 0A E9 DB F E CE 7A 34 BB 7A 56 Self Signed Certificate Authority The following table explains fields of certificate details in the display. Heading Subject Issuer Serial Number NotBefore/NotAfter SHA-1 Hash of Certificate Public Key Hash Key Usage Description Information about the entity to whom the certificate was issued. Information about the entity that issued the certificate Serial number of the certificate Date range for which the certificate is valid The SHA-1 algorithm hash, or thumbprint, of the certificate The hash or thumbprint, of the public key Key usage flags that determine how the certificate was intended to be used. The public key hash value is the prime key used in the local certificate store index. The Issuer fields are composed of several x.509 subfields. The exact set varies; the following table describes some of the most commonly used. Code O OU CN E C ST L Description Organization Organizational Unit Common Name address Country State or Province Locality or City The Common Name (CN) and (E) fields can be searched to identify Recipients. 98 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

107 By entering EX from the SecureZIP Line Commands panel, you may edit the certificate index information such as the certificate member name. See resulting screen below: Edit Certificate Index Information Active DB Profile: 'PKWARE.MVS.PROFILE(CERTCFG1)' Certificate Path: //'PKWARE.MVS.CERTSTOR.PUBLIC(PUB4CERT)' Common Name: PKWARE Test4 Address: Certificate PDS member name: PUB4CERT The member name may be changed here. The Certificate Store index will be updated to reflect the new location. Press ENTER to process, or END to return. If you request VAL SecureZIP will look to validate the certificate by using the current -{VALENCRYPT=...} setting in the profile. It validates the certificate by generating a -RECIPIENT(...,R,PASSWORD=pppppp) command, and running SecureZIP for both ZIP and TEST. Please be aware that, if -{VALENCRYPT=} is not active, the certificate will always pass the validation check. You may also generate and save commands for the RECIPIENT, SIGN_ARCHIVE, SIGN_FILES and AUTHCHK (archive and/or file) parameters. For example, by selecting RC, you will see the RC appear on the far right of the screen (see below): Command ===> Certificate Database: 'PKWARE.MVS.CERTSTOR.DBX' Selection Mode: Administration SCROLL ===> PAGE Primary commands: LOCATE, SORT and SAVE. Scroll RIGHT or LEFT for more info. Enter line command or '/' for list of valid line commands. Cmd Type Common Name CER PKWARE Test4 -RC Enter SAVE on the command line to save the command string to a PDS member where you will decide if the saved command is to be used for ZIP or UNZIP processing (see below): Command ===> Select (/) the recipient list type you wish to use: ZIP UNZIP/View Press ENTER to process - Enter END or press PF3 to exit Upon selecting the appropriate data set and member name, insert a forward slash / next to the desired options (see below): Chapter 4 Certificate Store Management 99

108 Command ===> Save a Recipient List Save Recipient List in: Data set name ==> 'SECZIP.PKWARE.PROFILE' Member Name ==> $ZRECIPS Enter / for Edit/Member List/Data Set List/New Data Set Enter / to make this list your active list. Press ENTER to process - Enter END or press PF3 to exit Once you ve made your selection(s), press ENTER, and you will have successfully saved the RECIPIENT command to a PDS member: BROWSE SECZIP.PKWARE.PROFILE($RECIPS) Command ===> ****** ******************************* Top of Data ************************************ RECIPIENT(DB:CN=PKWARE Test4) ****** ****************************** Bottom of Data ********************************** By requesting SUS, you effectively suspend a certificate from use. As discussed above, if certificates are no longer desired to be referenced at run-time because they are expired, revoked, or not trusted, the system administrator should mark the entries as Suspended. To re-enable or unsuspend the certificate, enter UNS next to the appropriate certificate. Please note that a suspended certificate is still available for VIEW processing of older archives that used it as a recipient. List Certificate Entries Command ===> SecureZIP Local Certificate Store List Certificate Entries Active DB Profile: 'PKWARE.MVS.STORE.PROFILES(SAG)' PKWARE.MVS.CERTSTOR.DBX PKWARE.MVS.CERTSTOR.PUBLIC PKWARE.MVS.CERTSTOR.PRIVATE PKWARE.MVS.CERTSTOR.P7CA PKWARE.MVS.CERTSTOR.P7ROOT Select the following types for listing: (Default is all) Public Private Certificate-Authority Root Sort Options for Public and Private Certificates CN (CN-common name, EM- , PA-path) This panel will run the data base report of the selected data base using the criteria entered in the fields. The report will be run in foreground and an ISPF browse session will be invoked to allow you to review the report. Active Data Base Profile The data base to be reported upon. 100 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

109 List Public, Private or Both This is a report filter that you can use to select the type of report. You may report on all certificates in the store by simply hitting enter, only the private certificates by selecting PRIVATE, only the public certificates by selecting PUBLIC, only the certificate authority certificates by selecting Certificate-Authority, or only the root certificates by specifying Root. Sort Report The report can be sorted by common name, , path, or be allowed to default to public hash, in which case no actual sort takes place. The commands can be abbreviated as follows: Common Name - CN, - EM, Path - PA. Example of a report in physical order (no sort) IDC0005I NUMBER OF RECORDS PROCESSED WAS Certificate Data Base Report for 'PKWARE.MVS.CERTSTOR.DBX' Public Certificate Public Key Hash 39A01D5F31B3455B69195AE3A1AF81BED3B28C Common Name PKWARE Test Common Name Hash 6DE947807CDCFF6B2996BEA359BF39FEB009958B [email protected] Hash 1C6D2FBA039AE4B91E4199E0F9A71B4F46D30AF Path //'PKWARE.MVS.CERTSTOR.PUBLIC(PUB2CERT)' Public Certificate Public Key Hash 830A0AE9DBF ECE7A34BB7A Common Name PKWARE Test Common Name Hash F8D28D6D8291BBB2BC EADAC9DCE [email protected] Hash A236B17D27B439CAB2EBB8FCE98500D10332E Path //'PKWARE.MVS.CERTSTOR.PUBLIC(PUB1CERT)' Private Certificate Public Key Hash 39A01D5F31B3455B69195AE3A1AF81BED3B28C Common Name PKWARE Test Common Name Hash 6DE947807CDCFF6B2996BEA359BF39FEB009958B [email protected] Hash 1C6D2FBA039AE4B91E4199E0F9A71B4F46D30AF Path //'PKWARE.MVS.CERTSTOR.PRIVATE(PVT2CERT)' Private Certificate Public Key Hash 830A0AE9DBF ECE7A34BB7A Common Name PKWARE Test Common Name Hash F8D28D6D8291BBB2BC EADAC9DCE [email protected] Hash A236B17D27B439CAB2EBB8FCE98500D10332E Path //'PKWARE.MVS.CERTSTOR.PRIVATE(PVT1CERT)' Chapter 4 Certificate Store Management 101

110 Example of a report in order by address ****** ******************************************************* Top of Da IDC0005I NUMBER OF RECORDS PROCESSED WAS Certificate Data Base Report for 'PKWARE.MVS.CERTSTOR.DBX' Public Certificate Public Key Hash 830A0AE9DBF ECE7A34BB7A Common Name PKWARE Test Common Name Hash F8D28D6D8291BBB2BC EADAC9DCE [email protected] Hash A236B17D27B439CAB2EBB8FCE98500D10332E Path //'PKWARE.MVS.CERTSTOR.PUBLIC(PUB1CERT)' Private Certificate Public Key Hash 830A0AE9DBF ECE7A34BB7A Common Name PKWARE Test Common Name Hash F8D28D6D8291BBB2BC EADAC9DCE [email protected] Hash A236B17D27B439CAB2EBB8FCE98500D10332E Path //'PKWARE.MVS.CERTSTOR.PRIVATE(PVT1CERT)' Private Certificate Public Key Hash 39A01D5F31B3455B69195AE3A1AF81BED3B28C Common Name PKWARE Test Common Name Hash 6DE947807CDCFF6B2996BEA359BF39FEB009958B [email protected] Hash 1C6D2FBA039AE4B91E4199E0F9A71B4F46D30AF Path //'PKWARE.MVS.CERTSTOR.PRIVATE(PVT2CERT)' Public Certificate Public Key Hash 39A01D5F31B3455B69195AE3A1AF81BED3B28C Common Name PKWARE Test Common Name Hash 6DE947807CDCFF6B2996BEA359BF39FEB009958B [email protected] Hash 1C6D2FBA039AE4B91E4199E0F9A71B4F46D30AF Path //'PKWARE.MVS.CERTSTOR.PUBLIC(PUB2CERT)' Add a Certificate to the Local Store The following instructions detail how to add new public and private keys to the local certificate store. Please note that when performing certificate administration add or delete activities, SecureZIP will write change activity messages to the ISPF LOG if it is active. If an historical record of certificate store changes is desired, be sure to set the ISPF log data set defaults in the Log/List Settings panel to allocate and retain the LOG data set. Add New Certificate to the Local Store Store Option ===> SecureZIP Local Certificate Add new Certificate to the Local Store Active Store Configuration: 'SECZIP.FPD.PROFILES(DBPROF)' Specify Certificate sub-store to be updated: 1 - Public Certificate Store - "CER" 2 - Private Certificate Store - "PFX" 3 - Intermediate Certificate Authorities - "CER" or "P7B" 4 - Trusted Root Certificate Authorities - "CER" or "P7B" 102 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

111 5 - Register SAF certs in the SecureZIP Key Index Press ENTER to identify the certificate source file. The Local Certificate Store is organized into 4 sub-stores. When importing new certificates, you must indicate which section is to be updated based on the type of x.509 certificate file is being used as input. The annotated suffixes are provided as a guide to help identify the type of source file being imported. The suffix of the data set name is not required, nor is it analyzed during the import process. SAF Certificates may be registered in the Local Certificate Store to make them available using the DB: keyword on SecureZIP commands. Use option 5 to manage SAF Certificate registration. This panel is used to select the type of certificate to be added to the local certificate store. Specify Certificate sub-store to be updated Enter the number representing the certificate to be added. Option ===> SecureZIP Local Certificate Store Add new Public Key Certificate to the Local Store Active Store Configuration: 'SECZIP.FPD.PROFILES(DBPROF)' Input Certificate PDS/File: Enter the full PDS/Sequential file name of the source certificate. Certificate PDS member name: Enter an optional member name for ease of reference, such as 3 initials plus the year that the certificate was issued in. If left blank, a name will be generated of the form GENnnnnn. Press ENTER to continue. This panel is for adding public key certificates to the local cert store and Data Base. Input Certificate PDS or File A sequential file or member of a PDS can be used as input. All members of a PDS can be copied by entering (*) for the member name. For private Certificate(s), enter password Password is required for private certificate store. Output Certificate PDS member name For a sequential file or a single PDS member addition, the certificate store member name can be chosen; otherwise the store member name will be generated. If an entire PDS is used as input then the inputted PDS member names will be used. Chapter 4 Certificate Store Management 103

112 Add a New Certificate to the CA Store This panel is for adding certificate authority certificates to the store. SecureZIP Local Certificate Store Option ===> Add new Certificate Authority to the Local Store Active Store Configuration: 'PKWARE.MVS.STORE.PROFILES(SAG)' Input Certificate File: 'SECZIP.CERT.CMS.ENCRYPT.P7B' Enter the full file name of the source certificate(s). For example: your.instlib2.library(castore) Input Certificate Type : Enter the file type to be imported. Either CER or P7B Backup Copy... : N ( Y - Copy Store Before Update, N - No Copy) Backup DSN... : 'SEG.PKWARE.BACKUP.CERTSTOR' Press ENTER to continue or PF3 to exit without adding the certificate Add a New Trusted Root Certificate to the Root Store This panel is for adding trusted root certificates to the store. Add new Trusted Root to the Local Store More: + Warning: The certificates are from a certification authority (CA) claiming to represent the organizations that will be displayed on the next screen. Once you install the certificate, SecureZIP will use it to complete future certificate Trust Chain validation processing associated with the certification authority. Note: Before you install the certificate you must verify that the certificate is actually from the certification authority and can be trusted. You should install the certificate only once you have confirmed its authenticity. To do this, you should contact the CA listed to verify the certificate authenticity. To help you in your verification please use the Thumbprint HASH. If you install this certificate without confirming the authenticity you may be creating a security risk. Input Certificate File: 'SECZIP.FPD.SEC.PKTICAF.CRT' Enter the full Sequential file name of the source certificate(s). For example: your.instlib2.library(rtstore) Input Certificate Type : Enter the file type to be imported. Either CER or P7B Backup Copy... : N ( Y - Copy Store Before Update, N - No Copy) Backup DSN... : 'FPD.PKWARE.BACKUP.CERTSTOR' Press ENTER to continue or PF3 to exit without adding the certificate The following message will appear prior to adding any root certificate: Warning: The certificates are from a certification authority (CA) claiming to represent the organizations that will be displayed on the next screen. Once you install the certificate, SecureZIP will use it to complete future certificate Trust Chain validation processing associated with the certification authority. Review the warning and enter the source file of the root certificate along with the type of certificate. 104 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

113 If you would like to backup your existing root store, place a Y+ in the Backup Copy field and enter a dataset to be used to hold the root store. After reviewing the data presented on the next screen, you will then enter SAVE to process the root certificate. A table of certificates to be added will be displayed. You will use this information to verify the authenticity of the certificates. Once that has been completed, enter SAVE on the command line, or press PF3 to stop the add. Certificate Source: CA Store : ROOT Store : If you install the certificate(s) without confirming the authenticity you may be creating a security risk. Enter SAVE to continue adding the ROOT Certificate, Else PF3 to end Scroll RIGHT or LEFT for more info. Type Friendly Name Please note that once all certificate chain components for a private-key certificate are installed to the local certificate store, a verification of the trust chain should be performed to ensure that future signing operations will carry the necessary certificate store information for authentication processing. This can be accomplished by performing the following steps: 1. Perform a ZIP SIGN_ARCHIVE run with the private-key certificate 2. Perform an UNZIP VIEWDETAIL run against the archive from the previous step with the following command settings: -AUTHCHK(ARCHIVE) -VERBOSE -{AUTHENTICATE=ALL} 3. Perform a manual check on the reported signature certificates saved in the archive to ensure that the root certificate is in the list. 4. Review the messages to ensure that the authentication check passed with message ZPEN035I ZPEN035I Archive Directory Authentication Succeeded ZPAM700I Archive was digitally signed by PKWARE Test3 ZPAM329I 3 Signature Certificates were saved in the archive: ZPAM321I Cert Name: PKWARE Test3 ZPAM323I [email protected] ZPAM325I Valid: 12/20/ /13/2024 ZPAM326I Issuer: PKWARE, Inc. ZPAM321I Cert Name: PKTESTDB Root ZPAM323I [email protected] ZPAM325I Valid: 12/20/ /19/2024 ZPAM326I Issuer: PKWARE, Inc. ZPAM321I Cert Name: PKWARE Test Intermediate Cert ZPAM323I [email protected] Chapter 4 Certificate Store Management 105

114 ZPAM325I Valid: 12/20/ /14/2024 ZPAM326I Issuer: PKWARE, Inc. To assist in performing this process, the Local Certificate Administration "View Certificate Entries" table display provides a VAL line command. Selecting this command line option will cause a ZIP/UNZIP sequence to run in the foreground and will analyze the results for display. Add a New Certificate via Batch Processing The ISPF panel interface provides a fast and easy method of adding new certificates to the local store. Although the panel interface is fine for adding a few certificates, navigating through the various panels can be repetitive and cumbersome if the user needs to add certificates for every employee in his or her company, for example. Therefore, SecureZIP for z/os provides functionality to add certificates to the local stores through a JCL job submitted in batch processing mode. The JCL member PKCSADD in the PKWARE.MVS.INSTLIB library provides the user with a sample program to add a certificate to the local store. The JCL calls program PKCS023 which adds the certificate to the local store. There are five parameters that allow the user to specify the certificate store location, the dataset containing the certificate to be added to the store and the other data necessary to add the certificate. The comments in the PKCSADD member fully explain the purpose of each parameter to the PKCS023 program. After the PKCSADD member is customized for the user s system, the job can be submitted to add a new certificate to the local store. By using the PKCSADD job as a model, the user can automate the process of adding certificates to the local store. In this way, any number of certificates can be added to a certificate store without repeatedly navigating through the ISPF panels. Register Security Server Certificates in the Key Store Index Security Server certificates that are to be used by SecureZIP can be registered in the SecureZIP Certificate Index. This allows access to SAF certificates through historic SecureZIP DB: references, as well as providing VIEWDETAIL query capabilities to display encryption recipient common name and address information. SAF certificates are generally referenced by Key Ring and/or LABEL name under a UserID or SITE repository identifier. Three types of rings are used to house encryption, decryption and signing certificates: User REAL Rings are named key rings defined under a UserID, to which certificates (not necessarily installed under that UserID are connected) User VIRTUAL Ring is an unnamed key ring representing all trusted certificates installed under a UserID SITE VIRTUAL Ring is an unnamed key ring representing all trusted certificates installed under SITE The registration process provides a "bridge" between the traditional SecureZIP commands and SAF Rings by placing entries in the SecureZIP Key Store Index that cross-reference the traditional index fields to a SAF Certificate Label. 106 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

115 The panels that register certificates work on a "table" basis, where a list of SAF certificates to be registered is generated, then applied by: 1. Registering the certificates online: Requires Write access to the SecureZIP Certificate Index 2. Generating a batch job to register the certificates in the background 3. Saving the certificate list in a data set, and processing it later Options 2 and 3 would normally be used when a user needs to register SAF certificates, but does not have write access to the SecureZIP Certificate index. The list data set can be created, and the SecureZIP administrator can load and process it. The Batch job can be saved in a data set, and the administrator can submit it under the proper userid. SAF Certificate Candidate List The first panel displays a list of candidate SAF certificates available to be registered in the Local Store. When it is initially displayed, it is shown with an empty list. You can load a saved list using the Load command, or locate SAF ring entries using the Search command. Each time you issue a Load or Save command the results are added to the current list. No updates to the Certificate Store are made unless the Update command is issued. Attempts to exit after modifying a candidate list result in a confirmation prompt. PKCS026B SecureZIP Local Certificate Store Empty list Command ===> Register SAF Ring Certificates in the SecureZIP Key Index Active Store Configuration : 'PKWARE.MVS.STORE.PROFILES(DEVCERT1)' Commands: Search for certificates Load a saved list. Submit a batch job Update the SecureZIP Index Reset the list. Save the list in a file. Line commands: I Display info X Exclude the certificate from the list. Press PF3 to exit without further processing. Certificates in list: 2 ACTION/Common Name SAF Label/ ADD 1 SAF:DEV1/MyRing,LABEL='Eng_TMPContKey_01_2008' Eng TMPContKey 01 PK [email protected] CONVERT 3 SAF:CWB1/MyRing,LABEL='JOHNADAMS' John Adams [email protected] Note that, when a certificate is marked as CONVERT, as in the sample just above, a SAF certificate was found that matches a certificate already residing in the Cert Store data base. If the certificate is converted to SAF, the source for the original certificate in the Cert Store will be deleted. If you need to retain the certificate store copy, make a backup copy before issuing the Update or Submit commands. Chapter 4 Certificate Store Management 107

116 Commands Search Submit Update Load Save Reset Search SAF rings for certificates. See Searching for SAF Certificates, below. Submit a batch job to perform the Certificate Store update Online update of the Certificate Store Load a saved list from a file Save the list in a file Clear the list Use the X (exclude) line command to remove any entries that you do not wish to update in the Cert Store. Use the I (info) line command to display details about that certificate. Searching for SAF Certificates You can search: All SITE certificates A user virtual ring All rings associated with a User ID A specific ring associated with a User ID When the Search command is entered on panel PKCS026B, the following panel is displayed. Fill in the appropriate fields, and press Enter. Any SAF certificates that are located are added to the list, and panel PKCS026B is redisplayed with the result of the search added to the original list. Certificates that are already registered as SAF in the Cert Store are excluded from the search results. The Search command displays a panel requesting filter parameters. SITE Virtual Ring Accesses the Site ring, which is generally available to all users. If this field is nonblank, all other fields are ignored. USERID The User whose rings will be searched. This field is required if SITE is not selected. It defaults to the active TSO userid. ALL USERID REAL RINGS If this field is non-blank, RACDCERT LISTRING is used to list all rings defined by SAF USERID. Then, each ring is searched for eligible certificates. When selected, SAF RING is ignored. KEY RING NAME The SAF User ring to be searched. * is valid to search the user virtual ring. Required if not using SITE and SAF USERID REAL RINGS is not selected. 108 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

117 PKCS026A SecureZIP Local Certificate Store Command ===> Register SAF ring certificates in the Cert Store. Active Store Configuration: ' PKWARE.MVS.STORE.PROFILES(DEVCERT1)' Certificates in list : SITE Virtual Ring ==> All other parms ignored if non-blank UserID ==> DEV1 All User Real Rings==> Key Ring below ignored if non-blank Key Ring Name ==> MyRing You may enter * for the Key Ring Name to access the UserID Virtual Ring) All trusted certificates found under the requested Key Ring will be added to the candidate list, and you will be given the choice of installing all of them, or selecting individual certificates. Press ENTER to continue or PF3 to exit. Delete a Certificate from the Local Store OPTION ===> SecureZIP Local Certificate Store Delete a Certificate from the Local Store Active Store Configuration: ' PKWARE.MVS.STORE.PROFILES(DBPSTD)' Specify Certificate sub-store to be updated: 1 - Public Certificate Store - "CER" 2 - Private Certificate Store - "PFX" - Intermediate Certificate Authorities - "CER" or "P7B" - Trusted Root Certificate Authorities - "CER" or "P7B" The Local Certificate Store is sub-divided into 4 sub-stores. When deleting certificates, you must indicate which section is to be updated based on the type of x.509 certificate file being used. The Intermediate Certificate Authorities and the Trusted Root Certificate Authorities must be deleted from the View Certificate Entries (ISPF Table) Panel - Option 1 Press ENTER to process. This panel is used to select the type of certificate to be deleted from the local certificate store. Chapter 4 Certificate Store Management 109

118 Specify Certificate sub-store to be updated Enter the number representing the certificate to be deleted. OPTION ===> SecureZIP Local Certificate Store Delete a Public Certificate from the Local Store Active Store Configuration: ' PKWARE.MVS.STORE.PROFILES(DBPROF)' Certificate PDS member to Delete: PDS member in the certificate store to delete. This delete process will also delete the Database entry and all corresponding paths. Only the member name should be entered, which can be found by performing option 2 List DB Certificate Entries Press ENTER to continue. This panel is for deleting a public certificate from the local certificate store and data base. Certificates are deleted individually. Certificate PDS member to Delete Enter the PDS member name to be deleted from the certificate store. Contents of a particular certificate can be derived from the data base report. OPTION ===> SecureZIP Local Certificate Store Delete a Private Certificate from the Local Store More: Active Store Configuration: 'PKWARE.MVS.STORE.PROFILES(SAG)' Certificate PDS member to Delete: TESTME PDS member in the certificate store to delete. This delete process will also delete the Database entry and all corresponding paths. Only the member name should be entered, which can be found by performing option 2 List DB Certificate Entries Display password text: N ( Y - To View) Hit enter and then type the password Enter the password for the Private Certificate: Password (up to 200 characters): Password entry indicates that a private-key certificate is to be deleted. WARNING: Files in archives that have been encrypted with only this private-key certificate cannot be opened if the private-key certificate This panel is for deleting a private certificate from the local certificate store and data base. Certificates are deleted individually. Enter password A password is required to delete a private certificate. 110 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

119 WARNING: Once a private certificate is deleted, any files that are in archives encrypted with only that certificate cannot be opened. The private-key certificate would need to be reinstalled from an external source. Synchronize the Index for the Local Certificate Store Command ===> SecureZIP Local Certificate Store Synchronize / Verify Certificates Active Store Configuration: 'PKWARE.MVS.STORE.PROFILES(SAG)' Specify Certificate store type: 1 - Public / Private Store 2 - CA / Root / Revocation List Store Press ENTER to continue. This panel directs you to the types of stores to be processed. Select 1 or 2 and press Enter Command ===> SecureZIP Local Certificate Store Synchronize the Index of the Local Store Active Store Configuration: 'PKWARE.MVS.STORE.PROFILES(SAG)' Batch processing options Enter / here if you want to reorganize the VSAM index components. This will take you to the Backup/Restore panel. Foreground processing options Enter / below to select certificate analysis processes Remove Unmatched Index Entries Index Unresolved Certificate Information Process Private-key Certificates (password prompting as required) Delete Duplicate-key Certificate members Refresh existing fields from certificate data This panel (Option 1) serves two functions: Rebuilds the Database index in batch from an existing public-key store. Performs specific foreground index synchronization tasks. Batch rebuild When selecting to rebuild the database in batch, all of the index components are deleted and redefined. The index entries are rebuilt by opening each certificate in the store and parsing the appropriate information. A separate job step is required (see job step 'BUILD SEQ DATABASE FROM PRIVATE STORE') for each separate password represented in the private store. Chapter 4 Certificate Store Management 111

120 Warning: Without the correct password for each private-key certificate, the index entries cannot be rebuilt and will be lost. The index entries may be restored by providing the correct password through a Foreground synchronization. Foreground Operations In the event that individual certificates or index entries require synchronization, the following cleanup tools are available: Remove unmatched index entries Select this option to remove index entries for which there are no matching certificate (as, for example, when a certificate member is manually removed from the PDS). This feature removes the index entry if the associated PDS or member does not exist. Index Unresolved Certificates Select this option when certificates for which there is currently no index entry have been added manually to the PDS store. The certificate(s) will be identified from a member list and scanned as if a certificate Add function had been requested. Process Private-key Certificates (password prompt when required) A sub-option of "Index Unresolved Certificates": Select this option in conjunction with the previous option to index unresolved certificates. A password prompt will be presented for each private-key certificate that has not yet been indexed so that the certificate may be opened. An opportunity is given to bypass each certificate for which the password is not known. Delete Duplicate-key Certificates A sub-option of "Index Unresolved Certificates": Select this option to physically delete certificates for which there is already a matching index. (It is recommended that any potential orphan index entries first be deleted by using the option "Remove unmatched index entries" to avoid deleting certificates which do not have a true duplicate). Refresh existing fields from certificate data This option invokes a re-read of the certificate to parse field data and update the index record information. Updated field information includes: o o o o o Valid Date Range Serial number Use Flags Trust Status (conditionally updated) Revocation Status (conditionally updated) 112 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

121 Generated JCL for Synchronization ****** ********************************* Top of Data **************************** //FPDCS1 JOB 'ACCOUNTING INFO',CLASS=A,REGION=8M, // MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID //* //****************************************************************** //* PLEASE BE SURE PROCEDURE PKISPF IN INSTLIB HAS BEEN TAILORED * //* TO MEET YOUR SITES SPECIFICATIONS. * //****************************************************************** // JCLLIB ORDER=PKWARE.MVS.INSTLIB //JOBLIB DD DISP=SHR,DSN='PKWARE.MVS.LOAD' //* //* GENERATED JCL TO BUILD DATA BASE FROM CERTIFICATE STORE //* BUILD SEQ DATABASE FROM PUBLIC STORE //PDS2DBPB EXEC PKISPF //STDOUT DD SYSOUT=* //STDERR DD SYSOUT=* //ISPF.SYSTSIN DD * ISPSTART CMD(%RMPDS2DB PKWARE.MVS.CERTSTOR.PUBLIC FPD.CERT.SEQDBPUB.TEMP ) //* BUILD SEQ DATABASE FROM PRIVATE STORE //PDS2DBPV EXEC PKISPF //STDOUT DD SYSOUT=*... Review and SUBmit the JOB. CA, Root, and CRL Verification Command ===> SecureZIP Local Certificate Store Verify CA / Root / Revocation List Store Active Store Configuration: 'SECZIP.FPD.PROFILES(DBPSTD)' Select Store for viewing: (Default is all) Certificate-Authority Root Revocation List Press ENTER to continue. This panel (Option 2) is used to select the type of store. Place a Y for CA, Root, or CRL or simply press Enter to verify the stores. *********************************************************** Top of Data PKCSDEL - Verify CA / Root / CRL Store 2 Feb :07:18 PKCSDEL - CA=SECZIP.FPDSTD.CERTSTOR.P7CA SUCCESS: CA Store '//'SECZIP.FPDSTD.CERTSTOR.P7CA'' verified successfully. 1 certificates found. PKCSDEL - ROOT=SECZIP.FPDSTD.CERTSTOR.P7ROOT SUCCESS: Root Store '//'SECZIP.FPDSTD.CERTSTOR.P7ROOT'' verified successfully. 1 certificates found. The panel above is the output from the verify process. Chapter 4 Certificate Store Management 113

122 Report DB Statistics Option ===> SecureZIP Local Certificate Store Local Certificate Store Administration 1 View Certificate Entries (ISPF Table) 2 List DB Certificate Entries 3 Add new Certificates to the Local Store 4 Delete a Certificate from the Local Store 5 Re-synchronize the Index for the Local Store 6 Report DB Statistics 7 Edit Active DB Profile 8 Supplemental Administration Utilities Option 6 Report DB Statistics Generates a view of the local certificate store information. This view will contain details on the certificate datasets, the local store data base, and the path/alternate indexes to the local store data base Public Certificate Dataset Information Data Set Name = PKWARE.MVS.CERTSTOR.PUBLIC Number of certificates = Dataset Organization = PDS Record Format = VB Logical Record Length = Block Size = Space Type = CYLINDER Primary Allocation = Secondary Allocation = Total Allocated = Allocated extents = Used Extents = Directory Blocks Allocated = Used = Private Certificate Dataset Information Data Set Name = PKWARE.MVS.CERTSTOR.PRIVATE Number of certificates = Dataset Organization = PDS Record Format = VB Logical Record Length = Block Size = Space Type = CYLINDER Primary Allocation = Secondary Allocation = Total Allocated = Allocated extents = Used Extents = Directory Blocks Allocated = Used = Public Certificate Store DataBase Information Data Set Name = PKWARE.MVS.CERTSTOR.DBX Cluster Name = PKWARE.MVS.CERTSTOR.DBX PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

123 Data Name = PKWARE.MVS.CERTSTOR.DBX.DATA Space Type = CYLINDER Primary Allocation = Secondary Allocation = Percent Free Space = Total Records = High Allocated RBA = High Used RBA = Index Name = PKWARE.MVS.CERTSTOR.DBX.INDEX Space Type = TRACK Primary Allocation = Secondary Allocation = Total Records = High Allocated RBA = High Used RBA = Public Certificate Store DataBase Alternate Indexes with Path Alternate Index Name = PKWARE.MVS.CERTSTOR.DBXCN Cluster Name = PKWARE.MVS.CERTSTOR.DBX Data Name = PKWARE.MVS.CERTSTOR.DBXCN.DATA Space Type = CYLINDER Primary Allocation = Secondary Allocation = Percent Free Space = Total Records = High Allocated RBA = High Used RBA = Index Name = PKWARE.MVS.CERTSTOR.DBXCN.INDEX Space Type = TRACK Primary Allocation = Secondary Allocation = Total Records = High Allocated RBA = High Used RBA = Path Name = PKWARE.MVS.CERTSTOR.PATHCN Public Certificate Store DataBase Alternate Indexes with Path Alternate Index Name = PKWARE.MVS.CERTSTOR.DBXEM Cluster Name = PKWARE.MVS.CERTSTOR.DBX Data Name = PKWARE.MVS.CERTSTOR.DBXEM.DATA Space Type = CYLINDER Primary Allocation = Secondary Allocation = Percent Free Space = Total Records = High Allocated RBA = High Used RBA = Index Name = PKWARE.MVS.CERTSTOR.DBXEM.INDEX Space Type = TRACK Primary Allocation = Secondary Allocation = Total Records = High Allocated RBA = High Used RBA = Path Name = PKWARE.MVS.CERTSTOR.PATHEM Public Certificate Store DataBase Alternate Indexes with Path Alternate Index Name = PKWARE.MVS.CERTSTOR.DBXPUBK Cluster Name = PKWARE.MVS.CERTSTOR.DBX Data Name = PKWARE.MVS.CERTSTOR.DBXPUBK.DATA Chapter 4 Certificate Store Management 115

124 Space Type = CYLINDER Primary Allocation = Secondary Allocation = Percent Free Space = Total Records = High Allocated RBA = High Used RBA = Index Name = PKWARE.MVS.CERTSTOR.DBXPUBK.INDEX Space Type = TRACK Primary Allocation = Secondary Allocation = Total Records = High Allocated RBA = High Used RBA = Path Name = PKWARE.MVS.CERTSTOR.PATHPUBK Edit Active DB Profile Option 7 Edit Active DB Profile SecureZIP for z/os uses a set of configuration commands to determine the location of Public and Private Certificates via an index. The commands can be grouped together within a PDS or PDSE member as a Data Base profile. Specify the dataset (and member) of a saved DB profile. File Edit Edit_Settings Menu Utilities Compilers Test Help EDIT SECZIP.FPD.PROFILES(DBPROF) Columns Command ===> Scroll ===> CSR ****** ********************************* Top of Data ********************************** *** * LOCAL CERTIFICATE STORE CONFIGURATION CONTROL * * Include this member in SecureZIP runs requiring Local Certificate * Store RECIPIENTS, SIGN_ARCHIVE, SIGN_FILES and AUTHCHK signatories *** {CSPUB=4;1;SECZIP.FPD.CERTSTOR.PUBLIC} {CSPRVT=4;1;SECZIP.FPD.CERTSTOR.PRIVATE} {CSPUB_DBX=SECZIP.FPD.CERTSTOR.DBX} {CSPUB_DBX_PATH_CN=SECZIP.FPD.CERTSTOR.PATHCN} {CSPUB_DBX_PATH_EM=SECZIP.FPD.CERTSTOR.PATHEM} {CSPUB_DBX_PATH_PUBKEY=SECZIP.FPD.CERTSTOR.PATHPUBK} {CSCA=1;0;SECZIP.FPD.CERTSTOR.P7CA} {CSROOT=1;0;SECZIP.FPD.CERTSTOR.P7ROOT} {AUTHENTICATE=TRUSTED,EXPIRED,NOTREVOKED,TAMPERCHECK} ****** ******************************** Bottom of Data ******************************** Option 8 Supplemental Administration Utilities Included within the Supplemental Administration Utilities option you will see the ability to run report statistics (1), run the installation verification job (2) and the backup and restore process (3). Report Statistics See Option 6 Report Statistics above. 116 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

125 Run Installation Verification Job By selecting this option SecureZIP for z/os will validate your configuration. Submit the job and review the output. File Edit Edit_Settings Menu Utilities Compilers Test Help EDIT FPD.SPFTEMP4.CNTL Columns Command ===> Scroll ****** ********************************* Top of Data //FPDCS1 JOB 'ACCOUNTING INFO',CLASS=A,REGION=8M, // MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID //* //****************************************************************** //* PLEASE BE SURE PROCEDURE PKISPF IN INSTLIB HAS BEEN TAILORED * //* TO MEET YOUR SITE'S SPECIFICATIONS. * //****************************************************************** // JCLLIB ORDER=PKWARE.MVS.INSTLIB //JOBLIB DD DISP=SHR,DSN='PKWARE.MVS.LOAD' //* //*** //* CLEANUP RESIDUAL WORK ARCHIVE //* STORE //*** //CLEAN1 EXEC PGM=IEFBR //DEL DD DISP=(MOD,DELETE),DSN=FPD.IVPDB.ZIP,SPACE=(TRK,(0)) //*** //* ZIP A TEST FILE USING A -RECIPIENT FROM THE LOCAL CERTIFICATE //* STORE //*** //SECZIP EXEC PGM=SECZIP CS IVP Sample Output Portions of the output from SecureZIP for z/os CS IVP steps. ZPLI001I SecureZIP(R) for z/os, Version /13/ LVL(Q1) ZPLI001I Portions copyright (C) PKWARE, Inc. All rights reserved. ZPLI001I SecureZIP(R) is a trademark of PKWARE, Inc. ZPLI001I Registered, Processor Type=2096 Processor Group=00 Serial Number=01FECE Model=O04 ZPLI001I OS Level: HBB7730 SP INCLUDE_CMD=SECZIP.IVP.JCL(DEVCERT1) -ECHO=N -INFILE_DD(INFILE) -ARCHOUTDD(ARCHOUT) -RECIPIENT(DB:CN=PKWARE TEST1,R) -ENCRYPTION_METHOD(AES128) -VERBOSE -LOGGING_LEVEL(VERBOSE) -INCLUDE_CMD=PKWARE.MVS.JCL(DBPROF) ZPCM027I Including commands from PKWARE.MVS.JCL(DBPROF) * * * PROFILE PKWARE.MVS.JCL(DBPROF) * * * * DATABASE ACCESS CONTROL CARDS -{CSPUB=4;1;PKWARE.MVS.CERTSTOR.PUBLIC} -{CSPRVT=4;1;PKWARE.MVS.CERTSTOR.PRIVATE} -{CSPUB_DBX=PKWARE.MVS.CERTSTOR.DBX} -{CSPUB_DBX_PATH_CN=PKWARE.MVS.CERTSTOR.PATHCN} -{CSPUB_DBX_PATH_EM=PKWARE.MVS.CERTSTOR.PATHEM} -{CSPUB_DBX_PATH_PUBKEY=PKWARE.MVS.CERTSTOR.PATHPUBK} ZPCM011I Processing EXEC PARM parameters ZPCS200I Opening Common Name DB Index (//'PKWARE.MVS.CERTSTOR.PATHCN') Chapter 4 Certificate Store Management 117

126 ZPEN110I Locating Digital Certificates... ZPCM023I Digital Certificate Store Configuration {CSCA=1;1;PKWARE.MVS.CERTSTOR.PUBLIC(CAP7)} {CSROOT=1;1;PKWARE.MVS.CERTSTOR.PUBLIC(ROOTP7)} {LDAP=1; ;4389;1;0;CN=LDAP Administrator;secret;;O=PKWARE;} {CSPUB=4;1;PKWARE.MVS.CERTSTOR.PUBLIC} {CSPRVT=4;1;PKWARE.MVS.CERTSTOR.PRIVATE} {CSPUB_DBX=PKWARE.MVS.CERTSTOR.DBX} {CSPUB_DBX_PATH_CN=PKWARE.MVS.CERTSTOR.PATHCN} {CSPUB_DBX_PATH_EM=PKWARE.MVS.CERTSTOR.PATHEM} {CSPUB_DBX_PATH_PUBKEY=PKWARE.MVS.CERTSTOR.PATHPUBK} ZPCM023C ZPCM024I Digital Certificate Request List ZPCM024C Req'd Public Recipient //'PKWARE.MVS.CERTSTOR.PUBLIC(PUB1CERT)' ZPCM024C FILE FOUND *REQUIRED* ZPCM024C ZPCM025I Digital Certificates Found: 1 ZPCM025C PKWARE Test1;[email protected]; ZPCM025C ZPAP900I NO API REQUIRED ZPAM030I OUTPUT Archive opened: FPD.IVPDB.ZIP ZPCM017I A total of 1 ADD/UPDATE candidate file(s) were identified. ZPCO100I Compression Task { 5} TCB: 008D4698 Started. ZPCM100I Configuration Manager Shutdown. Posting Main Task: ZPAM253I ADDED File PKWARE.MVS.INSTLIB($COPYRIT) ZPAM254I as PKWARE/MVS/INSTLIB/$COPYRIT ZPAM255I (DEFLATED 31%/30%) SecureZIP(R): AES128 ORIG. SIZE 1,280; ZIP ZPAM140I FILES: ADDED EXCLUDED BYPASSED IN ERROR ZPAM140I ZPAM101I Archive Manager Task { 3} TCB: 008D4A98 shutdown begun. ZPAM109I Archive Manager Task { 3} TCB: 008D4A98 shutdown complete. ZPCO101I Compression Task { 5} TCB: 008D4698 shutdown begun. ZPCO109I Compression Task { 5} TCB: 008D4698 shutdown complete. ZPMT002I PKZIP processing complete. RC= (Dec) ZPLI001I SecureZIP(R) for z/os, Version /13/ LVL(Q1) ZPLI001I Portions copyright (C) PKWARE, Inc. All rights reserved. ZPLI001I SecureZIP(R) is a trademark of PKWARE, Inc. ZPLI001I Registered, Processor Type=2096 Processor Group=00 Serial Number=01FECE Model=O04 ZPLI001I OS Level: HBB7730 SP INCLUDE_CMD=SECZIP.IVP.JCL(DEVCERT1) -ECHO=N -ARCHINDD(ARCHIN) -VIEWDETAIL -ACTION(VIEWDETAIL) -VERBOSE -LOGGING_LEVEL(VERBOSE) -INCLUDE_CMD=PKWARE.MVS.JCL(DBPROF) ZPCM027I Including commands from PKWARE.MVS.JCL(DBPROF) * * * PROFILE PKWARE.MVS.JCL(DBPROF) * * * * DATABASE ACCESS CONTROL CARDS -{CSPUB=4;1;PKWARE.MVS.CERTSTOR.PUBLIC} -{CSPRVT=4;1;PKWARE.MVS.CERTSTOR.PRIVATE} -{CSPUB_DBX=PKWARE.MVS.CERTSTOR.DBX} -{CSPUB_DBX_PATH_CN=PKWARE.MVS.CERTSTOR.PATHCN} -{CSPUB_DBX_PATH_EM=PKWARE.MVS.CERTSTOR.PATHEM} -{CSPUB_DBX_PATH_PUBKEY=PKWARE.MVS.CERTSTOR.PATHPUBK} ZPCM011I Processing EXEC PARM parameters ZPAP900I NO API REQUIRED ZPCM100I Configuration Manager Shutdown. Posting Main Task: ZPAM030I INPUT Archive opened: FPD.IVPDB.ZIP ZPAM014I 1 file(s) are in the input Archive. ZPAM012I ZIP comment: SecureZIP for z/os by PKWARE ZPAM013I ********************************************************************************* ZPAM001I Filename: PKWARE/MVS/INSTLIB/$COPYRIT ZPAM002I File type: TEXT 118 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

127 ZPAM003I Date/Time: 11-JUN :24:00 ZPAM004I Compression Method: Deflate- Super Fast ZPAM005I Compressed Size: 900 ZPAM006I Uncompressed Size: 1,313 ZPAM007I 32-bit CRC: A6B5182A LHDR Offset: 0 ZPAM008I Created by: PK zseries 8.1 ZPAM009I Needed to extract: PKUNZIP 6.1 ZPAM010I Encryption: AES_128 Certificate Key BSAFE(R) ZPAM301I File Type: NONVSAM PDS ZPAM302I File PDS Directory Blocks: 25 ZPAM303I File Record Format: FB ZPAM304I File Allocation Type: BLK ZPAM305I File Primary Space Allocated: 78 ZPAM306I File Secondary Space Allocated: 20 ZPAM307I File Record Size: 80 ZPAM308I File Block Size: ZPAM309I File Volume(s) Used: DEV002 ZPAM310I File Creation Date: 2004/07/23 ZPAM311I File Referenced Date: 2005/06/11 ZPAM319I SMS Storage Class: DEV ZPAM312I File PDS Extended Directory Information: DIRECTORY INFORMATION FOLLOWS LENGTH=00001E F F D4C1E ZPAM313I PDS member TTRKZC: F ZPAM320I 1 recipient(s) were designated: ZPCS200I Opening Public Key DB Index (//'PKWARE.MVS.CERTSTOR.PATHPUBK') ZPAM321I Recipient: PKWARE Test1 ZPAM322I Public Key Hash: 830A0AE9DBF ECE7A34BB7A56 ZPAM323I [email protected] ZPAM324I Cert: //'PKWARE.MVS.CERTSTOR.PUBLIC(PUB1CERT)' ZPAM013I ********************************************************************************* ZPAM140I FILES: VIEWED EXCLUDED BYPASSED IN ERROR ZPAM140I ZPAM101I Archive Manager Task { 3} TCB: 008D4A98 shutdown begun. ZPAM109I Archive Manager Task { 3} TCB: 008D4A98 shutdown complete. ZPMT002I PKZIP processing complete. RC= (Dec) ZPGE001T UNZIP STARTUP STORAGE QUERY: 24BIT= 8208K 31BIT= 32768K CACHE= ZPLI001I SecureZIP(R) for z/os, Version /13/ LVL(Q1) ZPLI001I Portions copyright (C) PKWARE, Inc. All rights reserved. ZPLI001I SecureZIP(R) is a trademark of PKWARE, Inc. ZPLI001I Registered, Processor Type=2096 Processor Group=00 Serial Number=01FECE Model=O04 ZPLI001I OS Level: HBB7730 SP INCLUDE_CMD=SECZIP.IVP.JCL(DEVCERT1) -ECHO=N -ARCHINDD(ARCHIN) -RECIPIENT(DB:CN=PKWARE TEST1,R,PASSWORD=******) -TEST -ACTION(TEST) -VERBOSE -LOGGING_LEVEL(VERBOSE) -INCLUDE_CMD=PKWARE.MVS.JCL(DBPROF) ZPCM027I Including commands from PKWARE.MVS.JCL(DBPROF) * * * PROFILE PKWARE.MVS.JCL(DBPROF) * * * * DATABASE ACCESS CONTROL CARDS -{CSPUB=4;1;PKWARE.MVS.CERTSTOR.PUBLIC} -{CSPRVT=4;1;PKWARE.MVS.CERTSTOR.PRIVATE} -{CSPUB_DBX=PKWARE.MVS.CERTSTOR.DBX} -{CSPUB_DBX_PATH_CN=PKWARE.MVS.CERTSTOR.PATHCN} -{CSPUB_DBX_PATH_EM=PKWARE.MVS.CERTSTOR.PATHEM} -{CSPUB_DBX_PATH_PUBKEY=PKWARE.MVS.CERTSTOR.PATHPUBK} ZPCM011I Processing EXEC PARM parameters ZPCS200I Opening Common Name DB Index (//'PKWARE.MVS.CERTSTOR.PATHCN') ZPEN110I Locating Digital Certificates... ZPCM023I Digital Certificate Store Configuration Chapter 4 Certificate Store Management 119

128 {CSCA=1;1;PKWARE.MVS.CERTSTOR.PUBLIC(CAP7)} {CSROOT=1;1;PKWARE.MVS.CERTSTOR.PUBLIC(ROOTP7)} {LDAP=1; ;4389;1;0;CN=LDAP Administrator;secret;;O=PKWARE;} {CSPUB=4;1;PKWARE.MVS.CERTSTOR.PUBLIC} {CSPRVT=4;1;PKWARE.MVS.CERTSTOR.PRIVATE} {CSPUB_DBX=PKWARE.MVS.CERTSTOR.DBX} {CSPUB_DBX_PATH_CN=PKWARE.MVS.CERTSTOR.PATHCN} {CSPUB_DBX_PATH_EM=PKWARE.MVS.CERTSTOR.PATHEM} {CSPUB_DBX_PATH_PUBKEY=PKWARE.MVS.CERTSTOR.PATHPUBK} ZPCM023C ZPCM024I Digital Certificate Request List ZPCM024C Req'd Private Recipient //'PKWARE.MVS.CERTSTOR.PRIVATE(PVT1CERT)' ZPCM024C FILE FOUND *REQUIRED* ZPCM024C ZPAP900I NO API REQUIRED ZPAM030I INPUT Archive opened: FPD.IVPDB.ZIP ZPCM100I Configuration Manager Shutdown. Posting Main Task: ZPEX100I Extract Task { 5} TCB: 008D4678 Started. ZPEN109T BSAFE(R) CryptoC request code= 3594 kpkerr_bsisetkeyinf ZPEX001I tested okay PKWARE/MVS/INSTLIB/$COPYRIT ZPAM140I FILES: TESTED EXCLUDED BYPASSED IN ERROR ZPAM140I ZPAM101I Archive Manager Task { 3} TCB: 008D4A98 shutdown begun. ZPAM109I Archive Manager Task { 3} TCB: 008D4A98 shutdown complete. ZPEX101I Extract Task { 5} TCB: 008D4678 shutdown begun. ZPEX109I Extract Task { 5} TCB: 008D4678 shutdown complete. ZPMT002I PKZIP processing complete. RC= (Dec) Backup and Restore Process SecureZIP for z/os allows you to perform a backup of your existing local certificate store. Selecting Option 8 then option 3 will start the process of backup. Initial setup screen Initially you will be required to enter the dataset and member information to store the generated JCL for backup and restore along with a dataset name for the created SecureZIP archive used to contain your local certificate store. OPTION ===> Backup & Restore Profile SECUREZIP Profile Information Certstore Profile Dataset.: 'PKWARE.MVS.PROFILES(DBFPD1)' Last Backup Submit Date...: Archive Dataset - Enter V to View: 'FPD.CSBKUP.ZIP' Process Options You can Create, Submit, Edit or View the backup and restore job stream Note: To track the last backup submit date you must use the submit option rather than issue the "SUB" command from an edit or view session Function C - Create, S - Submit, E - Edit, V -View Backup JCL...: 'FPD.JCLZ.CNTL(BK1)' Restore JCL...: 'FPD.JCLZ.CNTL(RS1)' Archive Allocation Options for Backup Management class... PRIVATE Storage class.... PRIVATE Volume serial.... FPD003 Device type Data class Space units..... CYLINDER (Blank for default management class) (Blank for default storage class) (Blank for system default volume) (Generic unit or device address) (Blank for default data class) (BLKS, TRKS, CYLS) 120 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

129 Primary quantity.. 1 Secondary quantity. 50 (In above units) (In above units) Main Backup and Restore Panel This screen controls the types of processes that you can perform against the local certificate store. If you have done a previous backup, then the ZIP archive name will be displayed along with the date of the last backup. The datasets to be backed up are the datasets pointed to by the certstore profile dataset. Profile Information This is the certificate store profile dataset that will be used to backup the local certificate store. Archive Dataset Name of the archive that you wish to create or use in a restore process. If you select V this will display a VIEWDETAIL of the designated archive dataset. Process Options The options selected determine the functions performed: Backup JCL Enter C to Create the backup job stream Enter S to Submit the backup job stream Enter E to Edit the backup job stream Enter V to View the backup job stream Restore JCL Enter C to Create the backup job stream Enter S to Submit the backup job stream Enter E to Edit the backup job stream Enter V to View the backup job stream You may also choose to save the JCL using a different member name or dataset name/member name combination. Option ===> SecureZIP Certstore Restore Options Fill in any change information desired. Press ENTER to complete. If no changes are made then the original values will be used High Level Qualifier...: PKWARE.MVS Specify a different HLQ if desired. Note: Must contain the same number of nodes as the original. For example: Orig ==> QZIP.FPD.TEST New ==> FPD.NEW.TEST SMS Classes Management...: TECHUSER Storage...: SUPPORT Data.....: Chapter 4 Certificate Store Management 121

130 Restore Volume...: SUP004 Restore Unit...: 3390 Submit of a Restore JOB When you submit the restore JCL this screen will appear and give you the ability to Restore the datasets in the archive using a different high level qualifier and/or different allocation options. If you press ENTER without change the restore will take the default options. Option ===> Additional Input Control Cards for View Archive Enter any control card(s) desired for the selected View option. You may wish to view an archive using a Private Key Cert. If the certificate is not in your profile you can place an -INCLUDE_CMD in the input stream. Additional Control Card: 1: 2: 3: 4: Archive Dataset View - V Selecting V to view an existing archive displays a VIEWDETAIL of the designated archive dataset and generates a panel that allows you to place additional SecureZIP for z/os control cards into the command stream. You can then add private key certificate information if the archive to be viewed has been encrypted. Backing Up SecureZIP Partner for z/os An external utility such as DFDSS should be used to perform backup/restore operations for all local certificate store components. All components should be backed up and restored collectively to maintain store integrity. Sample jobs are provided in INSTLIB(CSDSSBKP) and INSTLIB(CSDSSRST) to perform backup and restore operations respectively. Important: When performing a RESTORE operation, do not rename the data sets. Renaming them will invalidate index references in the certificate store. Directory Certificate Store Configuration - LDAP This section assists with defining the network connectivity associated with LDAP compliant directory access. Please note that prior to using LDAP services to locate public key digital certificates for RECIPIENT processing, network connections must be defined. Command settings will be kept in an LDAP profile member for SecureZIP for z/os to access during ZIP processing. The LDAP connection commands can be coded manually, however, a series of panels and tools are provided to assist in properly formatting the command parameters and to test connectivity to the desired LDAP server. 122 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

131 SecureZIP Certificate Store Administration Option ===> Select one of the following options and press Enter: 1 Local Certificate Store Administration 2 LDAP Certificate Store Configuration 3 x.509 Certificate Utilities 4 ICSF CKDS Passphrase Registration Service To access the LDAP certificate store configuration, enter 2 in the Option field from this panel. Create/Test LDAP Profile Statements This panel will allow you to create configuration information, validate existing configuration information, and read information from an existing profile, if it is established. Option ===> SecureZIP LDAP Configuration Setup LDAP Certificate Store Administration 1 Edit Active LDAP Profile 2 Create/Test LDAP Profile Statements Active LDAP Profile: 'PKWARE.MVS.JCL(LDAPPROF)' -{LDAP=1;SCULPTOR1.PKWARE.COM;389;0;0;;;*CN;O=PKWARE} To edit an existing LDAP profile, use the dataset and member name on the panel or enter a different dataset and/or member name and select 1 from this panel. To create, test, and save LDAP profile information, select 2 from this panel. Edit existing LDAP profile File Edit Edit_Settings Menu Utilities Compilers Test Help EDIT PKWARE.MVS.JCL(LDAPPROF) ****** ********************************* Top of Data {LDAP=1;SCULPTOR1.PKWARE.COM;389;0;0;;;*CN;O=PKWARE} ****** ******************************** Bottom of Data The results from selecting 1 are shown in this panel. You can change any information necessary and PF3 out of edit to save the changes. Create/Test LDAP Link This panel assists the SecureZIP for z/os administrator in configuring and testing LDAP connections. The following functions are covered: Create new LDAP Profile Settings Chapter 4 Certificate Store Management 123

132 Read values from an existing LDAP Profile with the LOAD command Test an LDAP connection with PING and TEST commands Save settings to an LDAP Profile OPTION ===> SecureZIP Create/Test LDAP Link Active LDAP Profile: 'PKWARE.MVS.JCL(LDAPPROF)' LDAP Number 1 Connect Information * Server Address/IP...: * Server Port...: 389 Connect USERID...: Connect Password...: Search Timeout...: 0 LDAP Search Configuration Starting Node * > > Default Filter Type.: *CN (* ,*CN) The following commands may be copied to an LDAP Profile: {... undefined...} Create New LDAP Profile Settings Fill in the required parameters and press ENTER to generate LDAP profile settings. These can then be copied and pasted into a LDAP profile member using the copy and paste functions of your terminal emulator. You may change fields and press ENTER to generate new settings. OPTION ===> SecureZIP Create/Test LDAP Link Active LDAP Profile: 'PKWARE.MVS.JCL(LDAPPROF)' LDAP Number 1 Connect Information * Server Address/IP...: SCULPTOR1.PKWARE.COM * Server Port...: 389 Connect USERID...: Connect Password...: Search Timeout...: 0 LDAP Search Configuration Starting Node * > O=PKWARE > Default Filter Type.: *CN (* ,*CN) More: + The following commands may be copied to an LDAP Profile: -{LDAP=1;SCULPTOR1.PKWARE.COM;389;0;0;;;*CN;O=PKWARE} 124 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

133 Load Existing LDAP Profile With the Load option you read values from an existing LDAP profile. OPTION ===> LOAD SecureZIP Create/Test LDAP Link Active LDAP Profile: 'PKWARE.MVS.JCL(LDAPPROF)' LDAP Number 1 Connect Information * Server Address/IP...: SCULPTOR1.PKWARE.COM * Server Port...: 4389 Connect USERID...: Connect Password...: Search Timeout...: 0 LDAP Search Configuration Starting Node * > O=PKWARE > Default Filter Type.: *CN (* ,*CN) More: + The following commands may be copied to an LDAP Profile: -{LDAP=1;SCULPTOR1.PKWARE.COM;389;0;0;;;*CN;O=PKWARE} When an active LDAP profile is provided on the LDAP configuration setup screen, then a predefined LDAP command can be retrieved for testing or use as a model for a new setting. Specify the LDAP number, type LOAD into the command OPTION and press ENTER. If that LDAP number is in the active profile, the settings will be loaded into the screen. Testing the LDAP Connection Once the profile commands have been generated, you may verify that a connection to the intended LDAP Server can be established by using the PING and TEST options: When creating a configuration for an LDAP server at a new network address, it is recommended that a PING test be performed first. OPTION ===> PING The PING option will perform a "TSO PING" command to verify that the network address can be resolved and the associated IP address reached. Once completed, a BROWSE of the output will be automatically presented. Be aware that some network administrators may turn off PING response capabilities, so it is possible that the PING may time out even if the network name (e.g. can be resolved to an IP address. ************************************************ Attempting PING to SCULPTOR1.PKWARE.COM ************************************************ CS V1R4: Pinging host PKZ4 ( ) Ping #1 response took seconds. Possible errors can be: The network address cannot be resolved by the domain name server EZZ3111I Unknown host Network services may be down along the routes to reach the IP address. Chapter 4 Certificate Store Management 125

134 HOST unreachable The specified host may not be up, or is not accepting PING requests. Timed out OPTION ===> TEST [optional-filter] [LIST] The TEST option will call utility program PKZLDAPT to perform a bind request with the specified server, logon (if a userid/password combination is required), and then perform a search based on a filter. Once completed, a BROWSE of the output will be automatically presented. The default LDAP search filter used is (&(usercertificate=*)), which will give a summary count of the total number of LDAP entries containing a usercertificate. An optional filter may be specified with the test command. Note that the requested filter will automatically be surrounded by$(&...) to complete the LDAP syntax. See the samples below for typical syntax. Specifying LIST causes some detailed information for the LDAP entries to be listed. The default is to display a summary count of the number of LDAP entries located that match the search filter. Test Program Notes: Default Filter Type is not used with the test option. It is only used during live SecureZIP for z/os processing of RECIPIENTS. The filter is not retained in the LDAP configuration. It is only used for testing the connection during the administration process. A long delay (up to a few minutes) may occur if network timeout values are set high. You should contact your network technical support staff regarding network timeout settings. Sample TEST Syntax To count all entries with a common name: OPTION ===> test (cn=*) To list all entries with a common name: OPTION ===> test (cn=*) LIST To restrict the search to common names representing a person: OPTION ===> test (cn=joe S*)(objectclass=person) LIST 126 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

135 Output from the TEST Command PKLDAPTEST LDAP Test Starting 2006/02/05 21:14:26 PKLDAPTEST Parameters:Action<S> - Server<SECZIP.PKWARE.COM> Port<4389> - User<> Password<0> - Start Node<O=PKWARE> - Search Filter<(&(cn=*))> LDAP_intialTest - --LDAP init... elapsed time seconds LDAP_intialTest - --LDAP bind... elapsed time seconds LDAP_intialTest - --LDAP Search... elapsed time seconds LDAP_intialTest - --LDAP Attributes... elapsed time seconds LDAP_intialTest - Total Entries=15 PKLDAPTEST LDAP Testing Ending RC=0 Common Error Conditions for TEST The bind phase to the server may fail with Can't contact LDAP server for any of the following reasons: The network/ip address specified is invalid. Use PING to gather additional information. The network cannot resolve the route to reach the specified address. Use PING to gather additional information. The PORT for the LDAP server is not correct. Verify the PORT number with the target system's network administrator regarding the LDAP server PORT assignment. The LDAP server is down. Output from the TEST Command with Errors PKLDAPTEST LDAP Test Starting 2005/05/05 21:12:42 PKLDAPTEST Parameters:Action<s> - Server<seczip.pkware.com> Port<389> - User<> Password<0> - Start Node<o=pkware> - Search Filter<(&(userCertificate=*))> LDAP_intialTest - --LDAP init... elapsed time seconds LDAP_intialTest - could not bind sculptor1.pkware.com for rc=81 <Can't contact LDAP server> PKLDAPTEST LDAP Testing Ending RC=0 Save Settings to an LDAP Profile Press PF3 (END) to access the LDAP configuration setup screen. EDIT an LDAP profile member and paste the generated settings. Once you have completed the EDIT, you may return to this screen once again to generate and test additional connections. Note: The input values will be retained throughout your SecureZIP for z/os session for reference while working on new configurations. However, they will not be saved for future use once the SecureZIP for z/os dialog has ended. Chapter 4 Certificate Store Management 127

136 Please be aware that the LDAP profile may not contain any certificate validation policies for encryption. If the end user specifies only the LDAP profile without a local certificate store, then the SecureZIP default validation settings of TRUSTED and REVOKED will be enforced for the run. This will cause the job to fail during validation of the trusted certificate path because there are no CA and/or root certificates available for processing. If you wish to execute the SecureZIP job with the LDAP profile only, then you need to include the validation policy in the job stream (see sample below), or add the VALENCRYPT policy statement to the LDAP profile. -INCLUDE_CMD(PKWARE.MVS.PROFILES(LDAP)) -RECIPIENT(LDAP:CN=PKWARE TEST4,R) -{VALENCRYPT=NOTTRUSTED,EXPIRED,NOTREVOKED} Runtime Configuration This panel is used for entering configuration information to be used for the ISPF SECZIP interface. That information includes active load library, default options files, job card and other miscellaneous information. In SecureZIP for z/os, an additional panel must be configured. Notice at the bottom of the following panel a message appears informing you to Hit ENTER to view the SecureZIP Certificate Store Settings. Zip/Unzip Runtime Configuration Panel SecureZIP Runtime Configuration Command ===> More: + Execution load library: 'PKWARE.MVS.LOAD' Initial Execution Default Command Settings Defaults module...: ACZDFLT (ACZDFLT) ZIP processing...: NULLFILE UNZIP processing...: NULLFILE Foreground Processing Controls Unquoted file specification Prefix with : P (P/U/N) Profile Prefix/Userid/None Temporary working files Use Prefix : P (P/U/O) Profile Prefix/Userid/Other Value==> Lowest Acceptable RC: 4 (0,4,8) SYSPRINT Allocation Type : CYLS (BLKS,TRKS,CYLS) Primary : 3 Secondary : 1 UNIT type for temp files 128 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

137 SecureZIP Runtime Configuration Panel SecureZIP Runtime Configuration Option ===> Certificate Store Settings ( ENTER to validate, PF7/PF8 to scroll, END to save, / for field options) Private-Cert Recips > 'PKWARE.MVS.JCL(CERTPROF)' DB Profile > 'PKWARE.MVS.JCL(DBPROF)' LDAP Profile > 'PKWARE.MVS.JCL(LDAPPROF)' ZIP Recipient List > -RECIPIENT(DB:CN=PKWARE TEST02,R) UNZIP Recipient List> -RECIPIENT(DB:CN=PKWARE TEST02,R,PASSWORD=PKWARE) Archive Signing > UNDEFINED File Signing > UNDEFINED Authenticate Archive> UNDEFINED Authenticate Files > UNDEFINED ********************************* Top of Data ********************************* Private-key Certificate Recipient(s): =============================================================================== Profile: 'PKWARE.MVS.JCL(CERTPROF)' DATASET NOT FOUND Local Certificate Store DB Profile: =============================================================================== Profile: 'PKWARE.MVS.JCL(DBPROF)' DATASET NOT FOUND This panel is used for entering configuration information to be used for certificate profile information. That information includes the locations of the private certificate, the data base profile, and the LDAP profile. With the exception of the private certificate location the locations of the DB and LDAP profile will be completed for you by the certificate store administration and configuration option CS from the Main SecureZIP for z/os panel. SecureZIP Runtime Configuration Panel Undefined SecureZIP Runtime Configuration Option ===> Certificate Store Settings ( ENTER to validate PF7/PF8 to scroll) / to Edit the configuration file Private-Cert> undefined DB Profile > undefined LDAP Profile> undefined ***** Top of Data ************************************************************** Private-key Certificate Recipient(s): ===================================== Profile: MISSING DATASET NAME Local Certificate(DB) Profile: ============================== Profile: MISSING DATASET NAME Chapter 4 Certificate Store Management 129

138 LDAP Configuration Profile: =========================== Profile: MISSING DATASET NAME ***** Bottom of Data *********************************************************** Prior to completing certificate store administration and configuration option CS, the configuration panel is undefined. As you complete the CS functions the panel will be populated with your runtime settings. SecureZIP Runtime Configuration Panel with DB Profile Defined SecureZIP Runtime Configuration Option ===> Certificate Store Settings ( ENTER to validate PF7/PF8 to scroll) / to Edit the configuration file Private-Cert> undefined DB Profile > 'PKWARE.MVS.JCL(CCFGFPD1)' LDAP Profile> undefined ***** Top of Data ************************************************************** Private-key Certificate Recipient(s): ===================================== Profile: Undefined Local Certificate(DB) Profile: ============================== * DATABASE ACCESS CONTROL CARDS -{CSPUB=4;1;PKWARE.MVS.CERTSTOR.PUBLIC} -{CSPRVT=4;1;PKWARE.MVS.CERTSTOR.PRIVATE} -{CSPUB_DBX=PKWARE.MVS.CERTSTOR.DBX} -{CSPUB_DBX_PATH_CN=PKWARE.MVS.CERTSTOR.PATHCN} -{CSPUB_DBX_PATH_EM=PKWARE.MVS.CERTSTOR.PATHEM} -{CSPUB_DBX_PATH_PUBKEY=PKWARE.MVS.CERTSTOR.PATHPUBK} This is an example of how the runtime configuration panel would look after completing the local certificate store configuration SecureZIP Runtime Configuration Panel with Private Certificate Location SecureZIP Runtime Configuration Option ===> Certificate Store Settings ( ENTER to validate PF7/PF8 to scroll) / to Edit the configuration file Private-Cert> PKWARE.MVS.JCL(CERTPROF)' DB Profile > 'PKWARE.MVS.JCL(CCFGFPD1)' LDAP Profile> 'PKWARE.MVS.JCL(LDAPFPD1)' ***** Top of Data ************************************************************** Private-key Certificate Recipient(s): ===================================== * * * Profile PKWARE.MVS.JCL(CERTPROF) * * * -recipient(db:cn=pkware TEST,R,PASSWORD=PKWARE) 130 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

139 This is the runtime configuration panel with the private certificate identified that will be used to provide the private key to decrypt the archive. Notice that the RECIPIENT location, the requirement to always find the certificate (R), and the password for the private key are displayed as part of the panel information provided. x.509 Certificate Utilities This panel is used for working with CA, ROOT, and CRL files. If you receive a file claiming to contain CA or ROOT certificates you can use the List and View features to allow you to review the data within the file. If you are not sure what type of store the file contains, use BG as a best guess to simulate and add. The utility will display detail information about each process. You may view your certificates in a table format, list the data about each certificate in a print format, simulate adding to a store, extract certificates to a temporary store, initialize a store, extract end entity certificates for input to a store, and convert EBCDIC BASE64 to ASCII BASE64. Option ===> x.509 Utilities SecureZIP x.509 Certificate Information More: + 1 View Certificate(s) - Table Format 2 List Certificate(s) 3 Simulate Certificate Add 4 Work with CRL files 5 Select Certificates from a P7B or PKCS12 source 6 Initialize a P7B Store 7 Extract End Entity for input to a Public Certificate Store 8 Translate EBCDIC BASE64 Certificate to ASCII BASE64 Enter the Certificate Source file to be used: Data Set Name... 'SECZIP.FPD.SEC.PKTICAF.CRT' This panel can be used to identify information about certificate files you have obtained but are not sure of the content, initialize a P7B store, or extract certificates from an existing P7B source file. If you know the source is a Certificate Revocation List then select Option 4 to proceed to CRL processing The Options Option 1 - View Certificate(s) This option builds an ISPF table display from the Certificate source file Certificate Source : PKWARE.MVS.INSTLIB2(PKWARERT) Certificate Type : P7B with Best Guess Primary commands:%sort+. Scroll%RIGHT+or%LEFT+for more info. To EXIT Press%PF3 +For HELP Press%PF1 Type Friendly Name P7B PKTESTDB Root Chapter 4 Certificate Store Management 131

140 Multiple passes will be completed with the input source file. Each pass will be detailed in the Certificate Type area. If all of the non password file types cannot be processed, then a popup screen will be displayed to enter a password for processing a PKCS12 file type. Option 2 - List Certificate(s) This option displays details about each certificate in the source file in a BROWSE window. In the sample below, the store type used to produce the report is identified for each processing attempt. In this instance, P7B was used as the store type ZPCA960I SecureZIP Certificate Administration 4 Mar :50:58 ZPCA960I List Certificate Source File 4 Mar :50:58 ZPCA960I Certificate Input=PKWARE.MVS.INSTLIB2(PKWARERT) ZPCA960I *************************************************************** ZPCA960I P7B Attempt 4 Mar :50:58 ZPCA960I *************************************************************** ZPCA960I Store Detail using DSN=PKWARE.MVS.INSTLIB2(PKWARERT) --- Certificate PKTESTDB Root Subject: C=US S=Wisconsin L=Milwaukee O=PKWARE, Inc. OU=PKWARE, Inc. -- for test and evaluation purposes only CN=PKTESTDB Root Option 3 - Simulate Certificate Add This option displays details about certificates as they are processed by the simulated ADD environment. Multiple passes will be completed with the input source file. Each pass will be detailed in the certificate type area. You may disregard any error messages that do not relate to the type of certificate that is in the source file. This Simulation does not require you to know exactly what it is that is being processed and, based on that assumption, the process can flag data that is in error when it would not be considered an error if it was used correctly. For example, when you input a certificate P7B, this process will correctly simulate an install to the root store using P7B as the type but will fail using CER as the type. using P7B Certificate Source : SECZIP.FPD.SEC.FPDALL.P7B Certificate Type : P7B with Best Guess Primary commands:%sort+. Scroll%RIGHT+or%LEFT+for more info. To EXIT Press%PF3 +For HELP Press%PF1 Type Friendly Name CA VeriSign Class 1 CA Individual Subscriber-Persona Not Validate ROOT Class 1 Public Primary Certification Authority using CER 132 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

141 Command ===> SCROLL ===> CSR Certificate Source : SECZIP.FPD.SEC.PKTICAF.CRT Certificate Type : P7B with Best Guess Primary commands: SORT. Scroll RIGHT or LEFT for more info. To EXIT Press PF3 For HELP Press PF1 Type Friendly Name ZPCA990I Simulate Certificate processing 10 Mar :59:53 ZPCA990I Cert Input=SECZIP.FPD.SEC.PKTICAF.CRT ZPCA990I ******************************************************************** ZPCA990I CER Attempt 10 Mar :59:53 ZPCA990I ******************************************************************** ZPCA990I Store Detail using DSN=SECZIP.FPD.SEC.PKTICAF.CRT ZPCA810E ERROR: Failed to build certificate store '//'SECZIP.FPD.SEC.PKTICAF.CR ZPCA810E ERROR: Cannot continue. Unable to open certificate store. ZPCA810E ERROR: Cannot continue. Unable to process certificate file '//'SECZIP ZPCA991E ******************************************************************** ZPCA991E List Completed with errors 10 Mar :05:01 ZPCA991E ******************************************************************** Certain types of errors encountered will present a popup window similar to the one below. To get further information on the error press PF1. % %-Sim Error-PF1 for detail - % %************************************************************************** %*Sim Error-PF1 for detail - Certificate simulation encountered an error * %*during the add operation. Error text = ZPCA811E ERROR: Cert Wrap failed* %*to open '//'SECZIP.FPD.SEC.FPDALL.P7B''. CW Error = 0x0. Press Enter to * %*continue * %************************************************************************** Option 4 - Work with CRL files The CRL Utilities allow you to view details about installed certificates, simulate the addition of an update list to your CRL store, and update the CRL store. You may view the revocation lists in a table format, list the data about each revocation list in a print format, simulate adding to a store, and update the CRL store. 1+ View Installed CRLs from Store - Table Format 2+ List Installed CRLs from Store 3+ Update the CRL Store 4+ Simulate Update 5+ Synchronize Data Base For Options 3 and 4 you must specify the input CRL file. Input X.509 Certificate Revocation List File Data Set Name:_crlsrc+ File Type :_crltype+!(p7b, CRL or BG for Best Guess) Chapter 4 Certificate Store Management 133

142 Option 5 - Select Certificates from a P7B or a PKCS12 Source This option will take a P7B or a PKCS12 source file and attempt to separate and copy into the respective stores the certificates contained in the input. These separated certificates can then be used as input into the add processes for updating your local certificate stores. If a 2 is entered to process a PKCS12 source file, a popup screen is displayed in which to enter the password. x.509 Utilities Select Certificates from Package Type: 1=P7B, 2=PKCS12 Please note: -- Any existing data in the files will be deleted -- Enter the Sequential File Names to be used for output: These files should be used as temporary stores only CA = 'FPD.PKWARE.STORCSCA' ROOT = 'FPD.PKWARE.STORCSRT' CRL = 'FPD.PKWARE.STORCSRL' CERT Output = 'FPD.PKWARE.STORCSEE' Assume End Entity ==> / Non-blank accepts all non-certificate Authority certificates as End Entity certificates valid for encryption or signing operations, even if not so marked. This option displays details about Certificate as they are processed by the Select environment. If working with a P7B source file, multiple passes are completed with the input source file. Each pass is displayed with detail information, and a request box appears where you can stop the process if you are satisfied with the selected certificates to that point. If you allow the process to continue, each subsequent step reinitializes the output stores, and any certificates selected previously are deleted. Here is an unsuccessful example using P7B as the certificate type. using P7B ZPCA940I Select Certificate processing 10 Mar :42:56 ZPCA940I Certificate Input=SECZIP.FPD.SEC.PKTICAF.CRT ZPCA940I P7B Attempt 10 Mar :42:56 ZPCA940I ******************************************************************** ZPCA940I Store Detail using DSN=SECZIP.FPD.SEC.PKTICAF.CRT ZPCA811E ERROR: Cert Wrap failed to open '//'SECZIP.FPD.SEC.PKTICAF.CRT''. CW ZPCA850E ERROR: Cannot continue. Unable to open certificate file '//'SECZIP.FP ZPCA850E ERROR: Cannot continue. Unable to determine certificate file count. ZPCA850E ERROR: Cannot continue. Unable to process certificate file '//'SECZIP ZPCA941E ******************************************************************** ZPCA941E Select Completed with errors 10 Mar :42:56 The popup box will ask you if you wish to continue. If you press enter the output stores will be overwritten. %************************************************************** %*PKUT001 ===> * %* * %* Continue with next scenario - CER * %* * 134 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

143 %*Press ENTER to continue. * %*Press PF3 or enter CANCEL command to return. * %* * %* * %************************************************************** using CER ZPCA940I CER Attempt 10 Mar :44:20 ZPCA940I ******************************************************************** ZPCA940I Store Detail using DSN=SECZIP.FPD.SEC.PKTICAF.CRT ZPCA000I SUCCESS: Added certificate to store '//'FPD.PKWARE.STORCSCA''. DSN= ZPCA000I SUCCESS: Saved certificate store '//'FPD.PKWARE.STORCSCA'' to disk. ZPCA000I Added 1 of a possible 1 certificates to the CA store. ZPCA000I 0 certificates in the CA store before the Add command. ZPCA000I 1 certificates in the CA store after the Add command. ZPCA940I ******************************************************************** ZPCA940I Select Completed rc=0 10 Mar :44:23 ZPCA940I ******************************************************************** Notice above that the CER attempt was successful and if you hit enter the certificates that have been extracted will be overwritten. If you press enter the output stores will be overwritten. %************************************************************** %*PKUT001 ===> * %* * %* Continue with next scenario - CRL * %* * %*Press ENTER to continue. * %*Press PF3 or enter CANCEL command to return. * %* * %* * %************************************************************** Option 6 - Initialize a P7B Store This option conditions a dataset for use as a P7B store. Initialize a P7B Store Please note: -- Any data in the file will be deleted -- Enter the Sequential File Name of the Certificate Store: For example: 'HLQ.CERTSTOR.P7CRL' Chapter 4 Certificate Store Management 135

144 Option 7 - Extract End-Entity for Input to a Public Certificate Store This option takes a P7B or a PKCS12 source file and attempts to copy its end-entity certificates into the destination file. These can then be used as input to the Add Certificate processing to place the certificates in the public key stores. Please note: The member names generated will always be EE and the certificate number. If you use the same output PDS as a previous attempt the existing members will be replaced with any newly generated members. Enter the PDS File Name to be used for output: Note: This file will be used as input to the add certificate function %EE File = 'FPD.PKWARE.STORCSNE' Assume End Entity ==> /_Non-blank accepts all non-certificate Authority certificates as End Entity certificates valid for encryption or signing operations, even if not so marked. Use PKCS12 Package for input source (Default is P7B Package) Please note: -- The member names generated will be composed of the following: EE pos 1 and 2 Generated Cert ID pos 3 thru 8 For example: EE1 for the first extracted certificate EE2 for the second extracted certificate Press%'ENTER'+for next topic If a PKCS12 source file is selected, a popup screen is displayed in which to enter the password of the PKCS12 package. Also, when selecting a PKCS12 file, the member name generated will have a prefix of PV in place of the EE prefix. These private end-entity members will be created with the same password as the inputted PKCS12 source file. Option 8 - Translate EBCDIC BASE64 Certificate to ASCII BASE64 This option will take an EBCDIC encoded BASE64 certificate and translate to a BASE64 encoded ASCII certificate. x.509 Utilities Translate EBCDIC Certificate to ASCII Certificate Note: The translation is standard BASE64 conversion with the addition of the SPACE character converted also. Enter the File Name to be used for input: EBCDIC Cert = Enter the File Name to be used for output: ASCII Cert = ENTER To Process, To EXIT Press PF3 For HELP Press PF1 136 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

145 Certificate Revocation Lists Option ===> SecureZIP Certificate Revocation Lists Store Configuration: 'SECZIP.FPD.PROFILES(DB810X)' Active CRL Store: SECZIP.FPD900.CERTSTOR.P7CRL 1 View Installed CRLs from Store - Table Format 2 List Installed CRLs from Store 3 Update the CRL Store 4 Simulate Update 5 Synchronize Data Base Index Information requested below only applies to Option 3 and 4 Input X.509 Certificate Revocation List File Data Set Name: UNDEFINED File Type : CRL (P7B, CRL or BG for Best Guess) Option 1 - View Installed CRLs from Store This option builds an ISPF table display using the certificate revocation List and the current certificate store. The information is displayed on six screens. The first three screens represent the public or private certificate that is revoked, and the following three screens represent the certificate authority that issued the revocation list. Screen Certificate Store : SECZIP.FPD.CERTSTOR.P7CRL Certificate Type : CRL with Best Guess ASCII Based Certificate Primary commands:%sort+. Scroll%RIGHT+or%LEFT+for more info. To EXIT Press%PF3 +For HELP Press%PF1 #Revoked Certificate Information Type Serial Number IDHash #PVT 01 DA9F053EEF6684FC2BDF63962E24775EE81160ED Scroll%Left~or%Right~for additional information pertaining to the revoked certificates. Screen Certificate Store : SECZIP.FPD.CERTSTOR.P7CRL Certificate Type : CRL with Best Guess ASCII Based Certificate Primary commands:%sort+. Scroll%RIGHT+or%LEFT+for more info. To EXIT Press%PF3 +For HELP Press%PF1 #Revoked Certificate Information Type Common Name #PVT PKWARE TEST Chapter 4 Certificate Store Management 137

146 Screen Certificate Store : SECZIP.FPD.CERTSTOR.P7CRL Certificate Type : CRL with Best Guess ASCII Based Certificate Primary commands:%sort+. Scroll%RIGHT+or%LEFT+for more info. To EXIT Press%PF3 +For HELP Press%PF1 #Revoked Certificate Information Type Address #PVT [email protected] Screen Certificate Store : SECZIP.FPD.CERTSTOR.P7CRL Certificate Type : CRL Primary commands:%sort+. Scroll%RIGHT+or%LEFT+for more info. To EXIT Press%PF3 +For HELP Press%PF1 %CRL Issuer Information CertID CRL Friendly Name #1 %PKWARE Test Intermediate Cert A Screen Certificate Store : SECZIP.FPD.CERTSTOR.P7CRL Certificate Type : CRL Primary commands:%sort+. Scroll%RIGHT+or%LEFT+for more info. To EXIT Press%PF3 +For HELP Press%PF1 %CRL Issuer Information CertID Organizational Unit #1 %PKWARE, INC. -- FOR TEST AND EVALUATION PURPOSES ONLY Screen Certificate Store : SECZIP.FPD.CERTSTOR.P7CRL Certificate Type : CRL Primary commands:%sort+. Scroll%RIGHT+or%LEFT+for more info. To EXIT Press%PF3 +For HELP Press%PF1 %CRL Issuer Information CertID Total Revoked / Last Updated / Next Update #1 %1 UNKNOWN UNKNOWN Option 2 - List Installed CRLs from Store List details about each Certificate Revocation List in your store. In the sample below, each revocation list is identified by the heading CRL n, where n is the sequential number of the certificate in the store. Each certificate that is revoked has a SerialNumber= line followed by IDHash= of the CA that issued the certificate. This data is used to identify the public or private key certificate that has 138 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

147 been revoked. When you choose Option 1, the information on those certificates is displayed if it matches public or private key certificates in your store ZPCA920I SecureZIP Certificate Administration 11 Mar :47:19 ZPCA920I List Certificate Revocations 11 Mar :47:19 ZPCA920I ********************************************************************* ZPCA920I CRL Input=SECZIP.FPD.CERTSTOR.P7CRL ZPCA920I ********************************************************************* Store Detail using DSN=SECZIP.FPD.CERTSTOR.P7CRL CRL PKWARE Test Intermediate Cert A Issuer: C=US;S=Wisconsin;L=Milwaukee;O=PKWARE, Inc.;OU=PKWARE, Inc. -- for test and LastUpdate: Unknown NextUpdate: Unknown Revoked Serial Numbers (1): SerialNumber=01; IDHash=DA9F053EEF6684FC2BDF63962E24775EE81160ED; --- CRL PKWARE Test Intermediate Cert F Issuer: C=US;S=Wisconsin;L=Milwaukee;O=PKWARE, Inc.;OU=PKWARE, Inc. -- for test and LastUpdate: Tue Feb 8 16:01: NextUpdate: Tue Apr 9 16:01: Revoked Serial Numbers (1): SerialNumber=01; IDHash=7A0F9161C04890CAAEF123170CCB83227EEBEB30; Option 3 - Update the CRL Store Allows you to update the P7CRL store used for Certificate Revocation. Store Configuration:%'SECZIP.FPD.PROFILES(DBPROF)' #Active CRL Store: SECZIP.FPD.CERTSTOR.P7CRL 1 View Installed CRLs from Store - Table Format 2 List Installed CRLs from Store 3 Update the CRL Store 4 Simulate Update 5 Synchronize Data Base Index You must enter the file location of the CRL list you wish to use as the input to the process and the type of data contained within. Input X.509 Certificate Revocation List File #Data Set Name: 'SECZIP.FPD.SEC.CRL1.CRL' # File Type : CRL +(P7B, CRL or BG for Best Guess) Chapter 4 Certificate Store Management 139

148 You will receive a pop up panel that will ask you the following information. This panel asks if you want to update the certificate store data base to reflect the revocations in the CRL file. Enter Y or N, and press ENTER. Pressing PF3 or entering the CANCEL command results in the N being entered for you. Normally, if you are installing a single CRL, you should pick Y, and update the data base. If you are installing multiple CRLs, pick N, and the popup will not appear again until you exit and re-enter Certificate Store Administration. If you pick 'N', you should run the Synchronize Data Base Index after all CRLs are installed. Not updating the data base will allow certificates to be viewed and selected, but they will fail during the associated SECZIP run. After you have hit Enter, you will receive a notification of completion in the message field of the panel: Done PF1 for info Messages inform whether certificates were added and, if so, how many. %************************************************************************** %*No added certificates Total Before = 2 Total After = 2 * %************************************************************************** %************************************************************************** %* Added 1 of a possible 1 Total Before = 2 Total After = 3 * %************************************************************************** Option 4 Simulate Update - This option can be used to test installation of a CRL. Below is a sample output of this option. ZPCA910I SecureZIP Certificate Administration 11 Mar :28:55 ZPCA910I Input Processing of 'SECZIP.FPD.SEC.CRL3.CRL' ZPCA910I Validation Processing of SECZIP.FPD.CERTSTOR.P7CA ZPCA910I Output Processing of SECZIP.FPD.CERTSTOR.P7CRL ZPCA000I SUCCESS: Added certificate '//'SECZIP.FPD.SEC.CRL3.CRL'' to store '//' ZPCA846W WARNING: Simulation Requested. Nothing will be saved to the store. ZPCA000I SUCCESS: Saved certificate store '//'SECZIP.FPD.CERTSTOR.P7CRL'' to di ZPCA846W WARNING: Simulation Requested. Nothing will be saved to the store. ZPCA000I Added 0 out of 1 certificates to the CRL store. ZPCA000I 3 entries in the CRL store before the Add command. ZPCA000I 3 entries in the CRL store after the Add command PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

149 Option 5 - Synchronize Data Base Index This option displays details about each certificate in the source file. If you specify BG as the store type, two passes are completed on the source file and two sets of listings are displayed. The first is for type CER, and the next is for type P7B. After each listing is displayed, press PF3 to return. Filename Encryption How SecureZIP for z/os Encrypts File Names SecureZIP for z/os encrypts file names using your current settings for (strong) encryption method and algorithm. File names can be encrypted using either strong password encryption or a recipient list (or both). You must use one of the strong encryption methods: you cannot encrypt file names using traditional, password encryption. Note: Encrypting names of files and folders in an archive encrypts and hides a good deal of other internal information about the archive as well. To encrypt file names, SecureZIP for z/os encrypts the archive's central directory, where virtually all such metadata about the archive is stored. Note: Be aware that archive comments are not encrypted even when you encrypt file names. Do not put sensitive information in an archive comment. When SecureZIP for z/os Encrypts File Names With archives that do not already contain encrypted file names: SecureZIP for z/os encrypts file names only when you add files to an archive: SecureZIP for z/os does not encrypt file names when you encrypt files that are already in an archive even if the option to encrypt file names is turned on. SecureZIP for z/os encrypts file names only when you add and encrypt files: SecureZIP for z/os does not encrypt file names when you add files without encrypting them, even if the option to encrypt file names is turned on. Encrypting File Names When You Update an Archive If you turn on the setting to encrypt file names and then add files to an archive that already contains files with unencrypted file names, SecureZIP for z/os encrypts the names of all files in the archive. If the archive contains files whose contents are already encrypted, SecureZIP for z/os will reject an attempt to add filename encryption. If you update an archive that already contains files with encrypted file names, SecureZIP for z/os encrypts the newly added files and their names using the same password or recipient list originally used to encrypt file names in the archive. Note: Once file names in an archive are encrypted, you cannot currently remove the encryption or change the password or recipient list used. Chapter 4 Certificate Store Management 141

150 You cannot change the encryption on files that are already in an archive that contains encrypted file names. Opening and Viewing an Archive that Has Encrypted File Names Opening an archive that contains encrypted file names requires PKZIP for zseries Enterprise Edition version 8.2 or later, or SecureZIP for zseries 8.1 with the Advanced Encryption Module. Input required to View Recipients in a Filename Encrypted Archive To view the recipients of an FNE archive you must place VERBOSE in the input. //FPDTEST3 JOB '0',CLASS=A,REGION=64M, // MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID //UNZIP EXEC PGM=SECUNZIP //STEPLIB DD DISP=SHR,DSN=PKWARE.MVS.LOAD // DD DISP=SHR,DSN=PKWARE.MVS.LOAD //CERT DD DSN=FPD.FPDPVT08.PFX,DISP=SHR //SYSPRINT DD SYSOUT=* //SYSIN DD * -ARCHIVE_DSN(PKWARE.MVS.FNEREC.ZIP) -VERBOSE -ACTION(VIEW) -RECIPIENT(DD:CERT,R,PASSWORD=PKWARE) View of Recipients in a Filename Encrypted Archive ZPLI001I SecureZIP(R) for z/os, Version /13/ LVL(Q1) ZPLI001I Portions copyright (C) PKWARE, Inc. All rights reserved. ZPLI001I SecureZIP(R) is a trademark of PKWARE, Inc. ZPLI001I Registered, Processor Type=2096 Processor Group=00 Serial Number=01FECE Model=O04 ZPLI001I OS Level: HBB7730 SP INCLUDE_CMD=SECZIP.IVP.JCL(DEVCERT1) -ECHO=N -ARCHIVE_DSN(PKWARE.MVS.FNEREC.ZIP) -VERBOSE -LOGGING_LEVEL(VERBOSE) -ACTION(VIEW) -RECIPIENT(DD:CERT,R,PASSWORD=******) ZPCM011I Processing EXEC PARM parameters ZPEN110I Locating Digital Certificates... ZPCM023I Digital Certificate Store Configuration {CSPUB=4;1;PKWARE.MVS.CERTSTOR.PUBLIC} {CSPRVT=4;1;PKWARE.MVS.CERTSTOR.PRIVATE} {CSCA=1;1;PKWARE.MVS.CERTSTOR.PUBLIC(CAP7)} {CSROOT=1;1;PKWARE.MVS.CERTSTOR.PUBLIC(ROOTP7)} {CSPUB_DBX=PKWARE.MVS.CERTSTOR.PUBLIC.DBX} {CSPUB_DBX_PATH_CN=PKWARE.MVS.CERTSTOR.PATHCN} {CSPUB_DBX_PATH_EM=PKWARE.MVS.CERTSTOR.PATHEM} {CSPUB_DBX_PATH_PUBKEY=PKWARE.MVS.CERTSTOR.PATHPUBK} {LDAP=1; ;4389;1;0;CN=LDAP Administrator;secret;;O=PKWARE;} ZPCM023C ZPCM024I Digital Certificate Request List ZPCM024C Req'd Private Recipient dd:cert ZPCM024C FILE FOUND *REQUIRED* ZPCM024C ZPAP900I NO API REQUIRED 142 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

151 ZPCM100I Configuration Manager Shutdown. Posting Main Task: ZPAM030I INPUT Archive opened: PKWARE.MVS.FNEREC.ZIP ZPAM710I Archive Directory is Compressed 85% ZPAM711I Archive Directory is Encrypted: AES_256 Certificate Only ZPEX100I Extract Task { 5} TCB: 008D0A90 Started. ZPEX004I Archive Central Directory extracted for processing. ZPAM014I 234 file(s) are in the input Archive. ZPAM012I ZIP comment: SecureZIP for z/os by PKWARE ZPAM013I ********************************************************************************* ZPAM015I Length Method Size Ratio Date Time CRC-32 Name ZPAM016I ZPAM017I 4,183 Deflate-SFST 2,240 46% 08/30/ :24 419ABFDA! PKWARE/MVS/JCL/ACZDFLT ZPAM017I 4,183 Deflate-SFST 2,256 46% 08/30/ :24 18A324CE! PKWARE/MVS/JCL/ACZDFL ZPAM017I 1,067 Deflate-SFST 1,536 0% 08/30/ : D8! PKWARE/MVS/JCL/ZIPVIEW ZPAM017I 1,067 Deflate-SFST 1,536 0% 08/30/ :24 2F3E1C63! PKWARE/MVS/JCL/ZIP12 ZPAM017I 985 Deflate-SFST 1,520 0% 08/30/ :24 5A8D5879! PKWARE/MVS/JCL/ZIP123 ZPAM018I ZPAM019I 698, ,288 36% ZPAM013I ********************************************************************************* ZPAM140I FILES: VIEWED EXCLUDED BYPASSED IN ERROR ZPAM140I ZPAM712I Archive Directory Encryption Recipients: ZPAM320I 4 recipient(s) were designated: ZPAM321I Recipient: PKWARE Test01 ZPAM323I [email protected] ZPAM325I Valid: 07/23/ /23/2003 ZPAM326I Issuer: VeriSign, Inc. ZPAM321I Recipient: PKWARE Test02 ZPAM323I [email protected] ZPAM325I Valid: 11/05/ /04/2004 ZPAM326I Issuer: VeriSign, Inc. ZPAM321I Recipient: PKWARE Test03 ZPAM323I [email protected] ZPAM325I Valid: 07/22/ /21/2004 ZPAM326I Issuer: VeriSign, Inc. ZPAM321I Recipient: PKWARE Test04 ZPAM323I [email protected] ZPAM325I Valid: 07/22/ /21/2004 ZPAM326I Issuer: VeriSign, Inc. ZPAM101I Archive Manager Task { 3} TCB: 008D0E88 shutdown begun. ZPAM109I Archive Manager Task { 3} TCB: 008D0E88 shutdown complete. ZPEX101I Extract Task { 5} TCB: 008D0A90 shutdown begun. ZPEX109I Extract Task { 5} TCB: 008D0A90 shutdown complete. ZPMT002I PKZIP processing complete. RC= (Dec) View Detail of an Archive that Has Encrypted File Names ZPAM711I in the output below identifies the type of encryption used for filename encryption. ZPAM030I INPUT Archive opened: PKWARE.MVS.FNEREC.ZIP ZPAM710I Archive Directory is Compressed 85% ZPAM711I Archive Directory is Encrypted: AES_256 Certificate Only ZPAM014I 234 file(s) are in the input Archive. Chapter 4 Certificate Store Management 143

152 ZPAM012I ZIP comment: SecureZIP for z/os by PKWARE ZPAM013I ************************************************************* ZPAM001I Filename: PKWARE/MVS/JCL/ACZDFLT ZPAM002I File type: TEXT ZPAM003I Date/Time: 30-AUG :24:00 ZPAM004I Compression Method: Deflate- Super Fast ZPAM005I Compressed Size: 2,240 ZPAM006I Uncompressed Size: 4,183 ZPAM007I 32-bit CRC: 419ABFDA LHDR Offset: 0 ZPAM008I Created by: PK zseries 9.0 ZPAM009I Needed to extract: ZipSpec 6.1 ZPAM010I Encryption: AES_256 Certificate Key BSAFE(R) ZPAM301I File Type: NONVSAM PDS ZPAM302I File PDS Directory Blocks: 50 ZPAM303I File Record Format: FB ZPAM304I File Allocation Type: CYL ZPAM305I File Primary Space Allocated: 5 ZPAM306I File Secondary Space Allocated: 9 ZPAM307I File Record Size: 80 ZPAM308I File Block Size: ZPAM309I File Volume(s) Used: FPD002 ZPAM310I File Creation Date: 2005/07/22 ZPAM311I File Referenced Date: 2005/08/30 ZPAM319I SMS Storage Class: PRIVATE ZPAM312I File PDS Extended Directory Information: DIRECTORY INFORMATION FOLLOWS LENGTH=00001E F F ) _ C6D7C FPD.. ZPAM312C -SIZE -CREATED CHANGED ID-- -INIT VV.MM ZPAM312C /07/ /07/24 14:01:29 FPD ZPAM313I PDS member TTRKZC: F ZPAM320I 4 recipient(s) were designated: ZPAM321I Recipient: PKWARE Test03 ZPAM322I Public Key Hash: 07E091CE30862B61663CF9D356863BF84D3DC8D5 ZPAM323I [email protected] ZPAM324I Cert: //'PKWARE.MVS.CERTSTOR.PRIVATE(pkwt03)' ZPAM321I Recipient: PKWARE Test01 ZPAM322I Public Key Hash: AA344FBC35656BE68B5A46EE7E545F0 ZPAM323I [email protected] ZPAM324I Cert: //'PKWARE.MVS.CERTSTOR.PUBLIC(pkwt01)' ZPAM321I Recipient: PKWARE Test02 ZPAM322I Public Key Hash: 5D9E8B89B5948E9E853338A7250D64C5BED5E9E7 ZPAM323I [email protected] ZPAM324I Cert: //'PKWARE.MVS.CERTSTOR.PUBLIC(pkwt02)' ZPAM321I Recipient: PKWARE Test04 ZPAM322I Public Key Hash: 6E16CFEFFAA093242B89DEE623C7D F3E3 ZPAM323I [email protected] ZPAM324I Cert: //'PKWARE.MVS.CERTSTOR.PUBLIC(pkwt04)' ZPAM013I ************************************************************* Notice in the output above the following fields: Created by: The program and release level that placed the file in the archive. Needed To Extract: A program compatible with the listed ZIP file format specification. The number listed is not a version of the SecureZIP for z/os program but rather a version of the ZIP file format. For example, version 8.1 of the program uses features of the 6.20 ZIP file format that are not available in earlier versions. Preceding versions of the program used earlier versions of the ZIP file format. Decrypting a Filename Encrypted Archive When opening an archive, SecureZIP for z/os automatically decrypts file names for anyone on a recipient list for the encrypted file names. 144 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

153 If file names are encrypted using a password (with or without a recipient list), SecureZIP for z/os requests a password when anyone who is not on the recipient list tries to open the archive. If the correct password is not entered, SecureZIP does not open the archive. Chapter 4 Certificate Store Management 145

154 5 Security Questions and Solutions This chapter contains answers to questions a system administrator is likely to have about integrating SecureZIP z into the operating environment. Which encryption settings should be chosen? Various external factors such as legislative requirements or corporate policy may influence your decision to select an algorithm or mode of encryption. However, when operating within those requirements, the following SecureZip z information may be of value. NIST has instructional information regarding password vs. certificate-based (PKI) encryption. In general, Certificate-based encryption is accepted to be more secure than Password-based encryption. Support is provided for a 56-bit key length for the DES encryption algorithm and for the older 96-bit Standard PKZIP for z/os ENCRYPTION_METHOD, but key lengths for newer algorithms are supported at a minimum of 128 bits. PKWARE provides interoperability between z/os, OS400, iseries, UNIX and Windows for all algorithms provided with ENCRYPTION_METHOD with its product set at release 8.0 and above. This includes more advanced algorithms with minimum key lengths of 128 bits. Older releases of PKZIP for z/os products support Standard 96-bit encryption for wider cross-platform compatibility when required. When RECIPIENT PKI exchanges are required, then ENCRYPTION_METHOD must specify an algorithm other than STANDARD. Password-based AES encryption is supported by PKWARE products at release 5.5 or higher. BSAFE_AES and AES password-based encryption are 100% compatible, whether or not an IBM ICSF Hardware-based encryption facility is used. Archives created with PKZIP for zseries Release 5.5 can be bi-directionally exchanged with SecureZip z products using the BSAFE AES algorithms. The highest level of performance may be achieved by selecting an algorithm that can be serviced by a hardware-based ENCRYPTION_FACILITY. The use of VERBOSE and SHOW_SETTINGS in a sample PKZIP run will report which facilities are available for 146 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

155 each algorithm. In addition, the utility PKCRYUTL (with sample JCL in INSTLIB) can be used to assess the relative performance of each on a specific system. The IBM Cryptographic Facilities Integration feature of SecureZIP for z/os enables the use of a system s activated IBM Cryptographic Hardware feature through published ICSF APIs to achieve the best cryptographic service performance available for data encryption/decryption and digital signature processing. How is encryption activated? Encryption is activated through the use of the PASSWORD (and/or RECIPIENT for SecureZIP) commands. If a value is present for either setting, whether through explicit commands or default settings, then encryption will be attempted in accordance with other applicable settings (such as ENCRYPTION_METHOD). However, if ENCRYPTION_METHOD=NONE is specified, then encryption will be bypassed. Note that certificate-based encryption for recipients is supported only by SecureZIP for z/os, not by PKZIP for z/os. This mode of encryption requires that one of the strong ENCRYPTION_METHODs (minimum 128-bit) be selected. How is ICSF hardware acceleration activated? SecureZIP only ICSF hardware acceleration is discussed in chapter 7, on Cryptographic Facilities. The SecureZIP FACILITY_ENCRYPTDATA, FACILITY_HASH and FACILITY_RANDOM settings permit the use of actively enabled ICSF APIs for IBMHARDWARE and IBMSOFTWARE. What is the difference between an Encryption Method and an algorithm? An encryption algorithm is the fundamental component of a SecureZIP Encryption Method. The name of the algorithm (such as DES, 3DES, AES) is included in the Method name for ease of reference. However, the Method applies additional security mechanisms to the base algorithm processing. One such mechanism is Cipher Block Chaining with random data that is unique for each file encryption process. The use of Cipher Block Chaining ensures that the resulting cipher text for two different ZIP runs of the same data and password will be different. How many recipients can be specified? SecureZIP only Chapter 5 Security Questions and Solutions 147

156 The ZIP file format specification allows for a maximum recipient-list size of 3,275. This size can be restricted further by other file attributes associated with the data, and by run-time capacity limitations (such as virtual storage). (Note: Approximately 20 bytes is required for each recipient within the ZIP archive central directory record for each file. This area is limited to 64K in size). What virtual storage is required for certificate-based encryption? SecureZIP only When using recipient-based encryption, plan on an initial increase of 4MB of 31-bit storage for up to 15 recipients. LDAP will require an additional 1MB for every 27 recipients above 15. Filebased and local certificate store will require an additional 1MB for every 41 recipients above 15. How does ENCRYPTION_METHOD affect certificate-based encryption? SecureZIP only Public/private Key encryption using BSAFE(R) is used to digitally envelope the master session Key information. Once the master session Key is determined, an independent file session Key is derived (which is unique for each file) to encrypt the file data with a symmetric algorithm specified by ENCRYPTION_METHOD. Several encryption algorithms are supplied with SecureZip. Any algorithm may be specified for use with PASSWORD. However, an encryption method other than STANDARD must be specified for use with RECIPIENTs. How does SecureZIP activate MASTER_RECIPIENT contingency keys? SecureZIP only Note: Beginning with SecureZIP for z/os 11.0, contingency keys through the use of Security Server Key Rings is available as a replacement for MASTER_RECIPIENT to provide more advanced control of such keys. See the SecureZIP for z/os Security Administrator s Guide for more information. To meet corporate security policies, SecureZIP provides the ability to use the MASTER_RECIPIENT setting to include one or more master recipient contingency key certificate files in a SecureZIP job when an ENCRYPTION_METHOD specification other than STANDARD is activated. The setting causes the data to be encrypted for the master recipient(s) in addition to other recipient or password settings, thereby ensuring that the organization can always decrypt its encrypted data. The primary MASTER_RECIPIENT can be set directly in the defaults module, or indirectly by specifying MASTER_RECIPIENT in a command stream referenced by SECUREZIP_CONFIG. This default-module-only setting specifies a PDS[E] member that contains SecureZIP certificate 148 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

157 store configuration commands to be automatically included in the processing stream. The configuration command values from this member will be included at the start of command input processing prior to //SYSIN statements being read. The data set(member) will be converted into an "INCLUDE_CMD=(pds[e](member)" command internally and will be echoed to the message log in accordance with the ECHO setting. The primary MASTER_RECIPIENT will be reported in the SHOW_SETTINGS report. Supplemental -MASTER_RECIPIENT commands may be provided via the primary SYSIN input stream, or indirectly from either the SECUREZIP_CONFIG or INCLUDE_CMD specifications. They will be internally converted to RECIPIENT commands for processing. MASTER_RECIPIENT settings are cumulative. Therefore a setting in the defaults module cannot be overridden or eliminated from an execution. How does MASTER_RECIPIENT affect activation? When SecureZIP is being used to encrypt data, either with RECIPIENT or PASSWORD (unless ENCRYPTION_METHOD=STANDARD), a recipient specified by MASTER_RECIPIENT is automatically included. However, a MASTER_RECIPIENT setting does not cause encryption to take place. How do I copy a local certificate store? Copying a Local Certificate Store: 1. Generate a set of backup/restore jobs - CS Generate both a Backup and Restore job 2. Run the backup 3. Copy the Restore job to another file, and edit. - In the UNZIP step, insert an UNZIPPED_DSN command.. Example: -UNZIPPED_DSN(SECZIP.CWB.CS1,SECZIP.CWB.CS2) - Mass change all HLQ s in the IDCAMS step from the old HLQ to the new one in this example, SECZIP.CWB.CS1 -> SECZIP.CWB.CS2. Be sure you don t accidentally change the ARCHIVE command in the UNZIP step 4. Run the modified Restore job 5. Call up the ZIP panels 6. Option C (config); press ENTER to get the second screen - Certificate Store Settings 7. On the DB Profile line, enter a / to edit the member 8. Once in the member, change all references to the old Cert Store to the new one. 9. Create a new member -- Command create newmem c99999 on the first line 10. Exit without saving the changed member under the old member name (CANCEL command and confirm no save). 11. Select the new DB Profile member on the Config panel, and you re in business Chapter 5 Security Questions and Solutions 149

158 How do I remove a local certificate store? SecureZIP only When a local certificate store is no longer required, the associated unused components may be deleted. However, be aware that distributed profiles may still reference these data sets. It is highly recommended that a backup of these components be made before deleting them. An IDCAMS DELETE may be done for: hlq.certstor.dbx hlq.certstor.private hlq.certstor.public hlq.certstor.p7ca hlq.certstor.p7root hlq.certstor.p7crl Note: The delete for the DBX cluster will automatically delete the alternate index and path components. Scan PARMLIB and JCL libraries for configuration profile references to the deleted components. Perform cleanup as needed. How can the contents of an x.509 certificate file be determined? SecureZIP only The PKSCNPRT member located under the INSTLIB dataset is designed to read and report on an end-entity X.509 certificate files. This job works with public key files in CER format (either DER or Base64 encoded), and private key files in PFX or P12 format (either DER or Base64 encoded). See the following sample job: ********************************* Top of Data *********************** //SCANCERT JOB (8900),PKWARE,MSGCLASS=H, // CLASS=B,REGION=8M,NOTIFY=&SYSUID // JCLLIB ORDER=PKWARE.MVS.INSTLIB <== VERIFY //JOBLIB DD DSN=PKWARE.MVS.LOAD,DISP=SHR <== VERIFY //*** //* BEFORE RUNNING THIS JOB, EDIT THE FOLLOWING ITEMS: //* //* 1. TAILOR THE JOB CARD TO FIT YOUR INSTALLATION STANDARDS. //* 2. IF NECESSARY, CHANGE HIGH-LEVEL QUALIFIERS FOR THE LOAD //* LIBRARY AND FILES FROM "PKWARE.MVS" TO FIT THE PRODUCT //* INSTALLATION SUPPORT FILES ON YOUR SYSTEM. //* 3. CHANGE THE SECOND PARAMETER OF THE %RMCRTPRT STATEMENT TO //* MATCH YOUR INSTALLED SECUREZIP LOAD LIBRARY. //* 4. THE 3RD PARAMETER, IF PROVIDED IS THE PASSWORD OF THE P12/PFX //* PRIVATE-KEY CERTIFICATE FILE. "*" MAY BE USED TO //* INDICATE THAT THE FILE IS FOR A PUBLIC-KEY CERTIFICATE FILE. //* NOTE: THE PASSWORD IS CASE-SENSITIVE AND MUST BE BRACKETED BY //* DOUBLE QUOTES. I.E. "your password goes here" //*** //LISTCER EXEC PKISPF //SCANIN DD DISP=SHR,DSN=PKWARE.MVS.INSTLIB2(PVT3CERT) <= INPUT X PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

159 //PKSCNPRT DD SYSOUT=* <= OUTPUT LIST //ISPF.SYSTSIN DD * ISPSTART CMD(RMCRTPRT DD:SCANIN PKWARE.MVS.LOAD "PKWARE" //* ******************************** Bottom of Data ********************* The following is the resulting output of the job above, detailing the end-entity certificate information. ********************************* TOP OF DATA ************************** PKSCANCRT scan(0) file is: dd:scanin PKSCANCRT Private Cert will be processed (6) PKSCANCRT --file #1 found (2106) dd:scanin Type=1 --- Certificate PKWARE Test3 Subject: CN=PKWARE Test3 [email protected] Issuer: C=US S=Wisconsin L=Milwaukee O=PKWARE, Inc. OU=PKWARE, Inc. -- for test and evaluation purposes only CN=PKWARE Test Intermediate Cert [email protected] SerialNumber: 03 NotBefore: Mon Dec 20 09:06: NotAfter: Fri Dec 13 09:06: KeyUsage: E0 00 SHA-1 Hash of Certificate(Thumbprint): 7B B FF 0B B1 2E E 60 EE Public Key Hash: A7 C6 BB 45 BF B7 3A FA 74 7C E C 31 End Entity RMCRTPRT - RMCRTPRT - Certificate Details RMCRTPRT - =================== RMCRTPRT - CN= RMCRTPRT - = RMCRTPRT - FN= RMCRTPRT - Issuer= RMCRTPRT - Valid Dates= RMCRTPRT - SerialNumber= RMCRTPRT - Usage= RMCRTPRT - Trust= RMCRTPRT - Revoke= RMCRTPRT - ******************************** BOTTOM OF DATA ************************* You may also report on an intermediate CA, trust root CA, and/or a CRL by selecting option 3 ( x.509 Certificate Utilities ) from the SecureZIP Certificate Store Administration panel. Here you will enter the certificate source file in question and select option 2 ( List Certificates ). This option displays details about each certificate in the source file in a BROWSE window. From here you can determine the contents. Chapter 5 Security Questions and Solutions 151

160 6 PKWARE PartnerLink: SecureZIP Partner This chapter applies only to participants in the PKWARE PartnerLink program. Other readers may skip this section. PKWARE PartnerLink enables a sponsor organization to give partner organizations that may not have SecureZIP for z/os the SecureZIP Partner for z/os application so that sponsor and partner can use SecureZIP for z/os to securely exchange ZIP archives. This chapter addresses administration activities unique to the SecureZIP Partner for z/os application, used by PartnerLink partners. About SecureZIP Partner for z/os SecureZIP Partner for z/os is a special version of SecureZIP for z/os. It provides most of the functionality of the full program but works only with archives created by (or for) a sponsor. SecureZIP Partner has two modes of operation: Read mode: Read mode enables SecureZIP functionality to extract files from a ZIP archive signed by a sponsor. In this mode, the program can decrypt and decompress files and authenticate digital signatures. In Read mode, the program only extracts; it does not add files to a new or existing archive and does not compress, encrypt, or sign files. SecureZIP Partner extracts only archives digitally signed by a sponsor. Write mode: Write mode enables SecureZIP functionality for adding files to a ZIP archive, including commands to compress, encrypt, and digitally sign files. In Write mode, the program can create and update archives, but only for a designated PartnerLink sponsor and only if the sponsor provides certificates for SecureZIP Partner to use to encrypt. New or updated archives are automatically encrypted for sponsor recipients: only those recipients can decrypt and read the files. SecureZIP Partner only does certificate-based encryption. It does not do passphrasebased encryption. See the chapter relating to PartnerLink in the SecureZIP for z/os User s Guide for an operational description of the SecureZIP Partner product. 152 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

161 If You Are a Sponsor: Sign the Central Directory A sponsor organization uses SecureZIP as usual to work with archives for, or from, a partner. There is just one special requirement when creating an archive for a partner: In order for the partner to be able to extract the archive you must sign the central directory of the archive using a certificate included in the Sponsor Distribution Package. A Sponsor Distribution Package is a package that PKWARE assembles for a sponsor to configure for partners of that sponsor. Terms and Acronyms Used in This Chapter The PKWARE PartnerLink program introduces some new concepts and terminology: Sponsor An installation responsible for initiating and defining a PartnerLink sponsorpartner relationship with one or more other installations. A sponsor uses the fullfeatured SecureZIP product; a partner uses the special SecureZIP Partner for z/os version. Partner An installation configured using a particular sponsor s Sponsor Distribution Package (see below) to be a partner of that sponsor. A partner uses SecureZIP Partner for z/os to work with archives from, or for, the sponsor. Sponsor Distribution Package A configuration package distributed to a partner on behalf of a sponsor to define the authorization requirements and provide the certificates needed to process ZIP archives from, or for, the sponsor. The package is digitally signed using a PKWARE-assigned certificate. Sponsor File A component file in a Sponsor Distribution Package Sponsor Imprint A unique digital representation of a registered sponsor-partner relationship within the PKWARE PartnerLink program. This may represent the unique identification of Distribution Package components or of ZIP archives being read. Sponsor/Partner Registration ID A unique registration number that identifies a particular sponsor-partner relationship Read mode The mode of SecureZIP Partner UNZIP processing that extracts archives from (and only from) a PartnerLink sponsor configured on the partner s system Write mode The mode of SecureZIP Partner ZIP processing that creates an encrypted ZIP archive for a particular configured PartnerLink sponsor FF Acronym for full-featured SecureZIP operations, as distinct from those of SecureZIP Partner PKWARE PartnerLink Program: Overview The PKWARE PartnerLink program provides a straightforward, secure way for an organization to exchange sensitive information with outside partners. A PartnerLink sponsor organization establishes a PartnerLink partner relationship with another organization. As a PartnerLink partner, the external organization receives the SecureZIP Partner program to use to decrypt and extract archives created by the sponsor using the full Chapter 6 PKWARE PartnerLink: SecureZIP Partner 153

162 SecureZIP program. The partner can also use the program to create archives for the sponsor that only the sponsor can decrypt. The SecureZIP Partner program used by a PartnerLink partner extracts archives only from a sponsor and creates and encrypts archives only for a sponsor. Decrypting and Extracting Sponsor Data (Read Mode) When SecureZIP Partner is installed at a partner location, a sponsor can create, digitally sign, and encrypt SecureZIP secure containers (ZIP archives) for the partner. In Read mode, the SecureZIP Partner program verifies that the data file received has the appropriate signature from the sponsor and that the signature is valid. This confirms that the data is from the expected sender and that no tampering has occurred. The partner can then decrypt and extract the data. Creating an Archive for a Sponsor If a sponsor has provided an encryption key, a partner can also use SecureZIP Partner (Write mode) to create encrypted ZIP archives for the sponsor. SecureZIP Partner automatically encrypts any data placed in an archive. The archive can then be transferred to media or transmitted to the sponsor electronically. Getting Started SecureZIP customers join the PartnerLink program by contacting PKWARE and applying for a PartnerLink sponsorship. 154 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

163 A PartnerLink sponsor provides PKWARE with a copy of the public key matching the certificate that will be used to sign secure containers sent to partners. This key enables a partner to authenticate sponsor signatures. A sponsor may also provide a copy of a public key for the partner to use to encrypt data files for the sponsor, and also a copy of a designated (public) contingency key. These encryption keys are needed only if a sponsor wants to enable partners to create archives for delivery to the sponsor. SecureZIP Partner creates only archives encrypted for a designated sponsor, using sponsor-provided keys. If a sponsor does not provide keys for encryption, a partner cannot use SecureZIP Partner to create archives. SecureZIP Partner does not create unencrypted archives. PKWARE incorporates the sponsor keys into a PartnerLink Sponsor Distribution Package (SDP). The Sponsor Distribution Package is used to configure a SecureZIP Partner installation to extract SecureZIP secure containers signed by a sponsor and (if encryption keys are provided) to encrypt data files for a sponsor using the sponsor s public keys. SecureZIP Partner extracts archives only if they are signed by a sponsor. If keys for encryption are included in the SDP, SecureZIP Partner automatically encrypts archives created for the respective sponsor using the included keys. Only the sponsor recipients who own those keys can decrypt and read the files in an archive that SecureZIP Partner encrypts. Once the Sponsor Distribution Package has been created, a sponsor can invite outside partner, customer, or vendor organizations to participate as PartnerLink partners. The sponsor supplies instructions on how to contact PKWARE to request a copy of the SecureZIP Partner application. After SecureZIP Partner is installed and configured at the partner location, sponsor and partner can exchange data files with confidence that the data is protected. Co-existence with Other PKWARE Products The SecureZIP Partner for z/os product package can be installed alongside other SecureZIP z product releases. If a full-featured SecureZIP for z/os is also to be run at the same release/maintenance level, a single software installation may be performed, using independent license control data sets and configuration settings to govern the operating characteristics. Recommendations Installations using both SecureZIP Partner and full-featured SecureZIP for z/os in the same system should configure separate local certificate stores for each. Although certificate store components can co-exist in the same Store, care must be taken that full-featured component names assigned by the system administrator do not conflict with names automatically generated by SecureZIP Partner. Installations using both SecureZIP Partner and full-featured SecureZIP for z/os in the same system at the same release level may elect to install only one set of execution libraries for ease of maintenance. The license control data set used at runtime (as controlled by the defaults module LICENSE_HLQ parameter) can be used to select the appropriate mode of operation. When other releases of SecureZIP z are operating in the same system, only one set of libraries may be installed in the system LINKLST. The other release of software must be run with a JOBLIB/STEPLIB for the load library. Chapter 6 PKWARE PartnerLink: SecureZIP Partner 155

164 If separation of software operation is required, separate ISPF startup dialogs should be configured in the system (Ref: PKZSTART startup exec) with the associated LIBDEF information. PartnerLink Certificate Store Administration and Configuration Certificate administration and use in the SecureZIP Partner operating environment differ slightly from the case with full-featured SecureZIP for z/os. Whereas all digital key components are individually administered in a full-function installation, SecureZIP Partner components are pre-packaged for distribution and installation into a Sponsor Distribution Package. Many features of SecureZIP Partner work the same as in fullfeatured SecureZIP, but some features work differently and use special components of a Sponsor Distribution Package instead of standard SecureZIP components. The following table indicates which components of the SecureZIP for z/os local certificate store are used in relationship with the mode of operation. Certificate Use Full Feature SecureZIP SecureZIP Partner Archive Signature Authentication Full Certificate Store* Sponsor Distribution Package SPONSOR AUTH/auth.p7 File Signature Authentication Full Certificate Store Archive Signing Full Certificate Store File Signing Full Certificate Store Encryption Sponsor Distribution Package SPONSOR RECIPIENT/recip.p7 Decryption Full Certificate Store * A fully functional certificate store includes public-key and/or private-key X.509 certificate files along with their associated certificate authority trust chain and an optional certificate revocation list. To set up a certificate store, use the SecureZIP for z/os certificate store administration tool. You are responsible for obtaining the appropriate digital certificate resources. Choosing a Configuration Model Depending on your installation s business requirements for segregated process controls, you may choose to coordinate the operation of sponsor profiles from a centralized certificate store, or segregate the configurations entirely. Components supporting a sponsor profile are installed as members of partitioned data sets with the unique sponsor/partner registration control number used as a relational index. Shared Certificate Store for Multiple Sponsor Profiles The SecureZIP for z/os certificate store supports the ability to install and configure multiple sponsor profiles within a single store. This centralized approach may be the simplest to manage. 156 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

165 Segregated Certificate Store for Individual Sponsor Profiles If segregated access to sponsor information is desired, then multiple independent stores may be defined to provide data set level access control to the resources. Configured Sponsor Package Components When a Sponsor Distribution Package is installed, various components are configured within the certificate store. The following table describes the components and how they are used. Component Usage Location Sponsor Authentication Configuration Setting -{SPONSOR_AUTH=1;0;dsname} dsname: Used to access an input ZIP archive (via -AUTHCHK=ARCHIVE) by a SecureZIP Partner execution. Multiple Sponsor Authentication Configuration Settings commands are accepted, thereby permitting access to a ZIP archive that is from one of many possible sponsors. dsname references an installed Sponsor Authentication File The SPONSOR_AUTH parameter has the same format as the other Certificate Store files (e.g. CSCA= ) hlq.certstor.sponsor.info (Accccccc) Where hlq is the high level qualifier of the configured Local Certificate Store Where ccccccc is the Sponsor ID SecureZIP Partner Recipient Command Sponsor Authentication File -RECIPIENT(DSN: dsname ) Used to create a ZIP archive by a SecureZIP Partner execution. dsname references an installed SecureZIP Partner Authorized Recipient File. Only 1 SecureZIP Partner RECIPIENT configuration command will be accepted for processing per ZIP pass. PKCS#7 file identifying a list of authentication public-key/certificates to validate the source of an input ZIP archive Referred to by the Sponsor Authentication Configuration Setting supplied to the SecureZIP Partner run. dsname: hlq.certstor.sponsor.info (Rccccccc) Where hlq is the high level qualifier of the configured Local Certificate Store Where ccccccc is the Sponsor ID dsname: hlq.certstor.sponsor.auth (Accccccc) Where hlq is the high level qualifier of the configured Local Certificate Store Where ccccccc is the Sponsor ID Chapter 6 PKWARE PartnerLink: SecureZIP Partner 157

166 Component Usage Location SecureZIP Partner Authorized Recipient File PKCS#7 file identifying a list of Sponsor-provided public-key/certificates that can be used to encrypt new data being added to a ZIP archive. dsname: hlq.certstor.sponsor.recip Referred to by the SecureZIP Partner Recipient Command supplied to the SecureZIP Partner run. (Rccccccc) Where hlq is the high level qualifier of the configured Local Certificate Store Package Information File Local Certificate Store Index An XML file containing the Sponsor Package description. Used by package list and installation processes. Certificate Store index records are written to represent the Sponsor Authentication File and the SecureZIP Partner Authorized Recipient File. They are represented in the ISPF certificate table display as record types READ and SLNK respectively. Where ccccccc is the Sponsor ID hlq.certstor.sponsor.info (Xccccccc) Where hlq is the high level qualifier of the configured Local Certificate Store Where ccccccc is the Sponsor ID CSPUB_DBX Local Certificate Store Index During package installation, ISPF statistics will be set for component members to reflect the following: The Created Date will reflect the Sponsor Package create date (from inside the XML informational description). The Changed Date/Time will reflect the installation date/time on the local system. The ID will reflect the User ID associated with the installing job/session. Installing a Sponsor Distribution Package Although the SecureZIP Partner for z/os software license is provided with the product package, the ability to operate with ZIP archives is activated through the use of sponsor configuration components. Note: Before continuing with steps in this section, ensure that the Software Activation License has been applied. Sponsor Distribution Package Installation Steps A Sponsor Distribution Package is installed as a configuration to an existing local certificate store. The following steps define the process to configure SecureZIP Partner for operations with a related sponsor. Note: It is highly recommended that a copy of the original Sponsor Distribution Package be retained after the installation is complete in support of a subsequent installation to a certificate store of a different name or location. 158 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

167 1. Verify that the PartnerLink SecureZIP Partner software license has been applied. Refer to chapter 2, SecureZIP Partner License Activation. 2. Verify that the Certificate Store has been created. Reference chapter 4, Create a New Local Certificate Store DB. 3. If not already done, perform a binary transfer of the Sponsor Distribution Package to the system. 4. View the Sponsor Package using the SecureZIP Certificate Store Administration and Configuration ISPF dialog (option CS) for PartnerLink Administration. Note the Sponsor Name and ID information. 5. Install the package o o Foreground install: Use the SecureZIP Certificate Store Administration and Configuration ISPF dialog (option CS) for PartnerLink Administration (option 4.3). Batch install: Use the SecureZIP Certificate Store Administration and Configuration ISPF dialog (option CS) for PartnerLink Administration to generate a batch job and submit. Use the SecureZIP Certificate Store Administration and Configuration ISPF dialog (option CS) for PartnerLink Administration (option 5.1) to view the installed Sponsor configuration. Sample PKWARE Sponsor Distribution Package A sample Sponsor Distribution Package has been included in INSTLIB2(PLIVPPKG) to assist you in understanding the process for Sponsor Distribution Package installation and to verify the certificate store setup. 1. Verify that the PartnerLink SecureZIP Partner software license has been applied. Refer to chapter 2, SecureZIP Partner License Activation. 2. Verify that the Certificate Store has been created. Reference chapter 4, Create a New Local Certificate Store DB. 3. Use the SecureZIP Certificate Store Administration and Configuration ISPF dialog (option CS) for PartnerLink Administration (option 5.2) to list sponsor package in seczip.mvs.instlib2(plivppkg). 4. Install the test package o o Foreground install: Use the SecureZIP Certificate Store Administration and Configuration ISPF dialog (option CS) for PartnerLink Administration (option 5.3) to install the test Sponsor package from seczip.mvs.instlib2(plivppkg). Batch install: Use the SecureZIP Certificate Store Administration and Configuration ISPF dialog (option CS) for PartnerLink Administration to generate a batch job for seczip.mvs.instlib2(plivppkg) and submit. 5. Use the SecureZIP Certificate Store Administration and Configuration ISPF dialog (option CS) for PartnerLink Administration (option 5.1) to view the installed Sponsor configuration. The following entries should be displayed: Chapter 6 PKWARE PartnerLink: SecureZIP Partner 159

168 Type Common Name SLNK PKWARE, Inc. READ PKWARE, Inc. 6. Modify and run the test job in seczip.mvs.instlib(plivpzip) to verify the use of the test Sponsor configuration. Updating a Sponsor Distribution Package A currently configured Sponsor in the local certificate store can be updated with a newer version by following the normal steps for installing a Sponsor Distribution Package. The installation procedure will check the creation date (as contained in the XML data) of the input package against the previously installed package information. If the creation date of the input package is later than the previously installed package, then the old components will be removed, and the new package components installed (both foreground and batch processing). When running the installation process via the foreground dialog and the creation date of the input package is equal to or older than the currently installed package, the administering user will be prompted to confirm the installation. When running the installation process via a batch job and the creation date of the input package is equal to or older than the currently installed package, installation will be halted. The administering user may then choose to do one of the following: o o Leave the existing package in place Remove the existing package and then retry the install Removing a Sponsor Distribution Package 1. Use the SecureZIP Certificate Store Administration and Configuration ISPF dialog (option CS) for PartnerLink Administration (option 5.1) to view the list of installed Sponsors. 2. Use the D line command for either the SLNK or READ table row. All components for the associated Sponsor ID will be removed. Providing a Sponsor Configuration for Execution The certificate store where the Sponsor Distribution Package components were installed must be provided (for Read access) to the executing Read (UNZIP) or Write (ZIP) jobs. In addition, specific configuration components will be required for the associated processing request. Read-Mode Configuration In addition to the basic certificate store configuration settings, one or more -{SPONSOR_AUTH } command settings as generated in the SPONSOR.INFO must be provided for proper authentication of the input ZIP archive. The UNZIP run-time process may include these command settings in the standard command input streams (SYSIN, INCLUDE_CMD), or as part of the SECUREZIP_CONFIG setting in the defaults module. 160 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

169 See the following sample JCL, which displays the required SecureZIP Partner parameters that would allow a partner to authenticate the sponsor s digital signature, decrypt and extract the data to a valid output dataset: //EXTRACT EXEC PGM=SECUNZIP //STEPLIB DD DISP=SHR,DSN=SZPARTNR.PLINK.LOAD //SYSPRINT DD SYSOUT=* //SYSIN DD * -ARCHIVE_DSN(SPONSOR.SIGNED.ZIP) -ACTION(EXTRACT) -INCLUDE_CMD(PLINK.USER.PROFILES(PARTNER)) -{SPONSOR_AUTH=1;0;PLINK.PARTNER.CERTSTOR.SPONSOR.AUTH(A )} -RECIPIENT(DB:CN=PKWARE TEST4,PASSWORD=PKWARE) -UNZIPPED_DSN(SPONSOR.DATA.INPUT.FILE,PLINK.SPONSORS.OUTFILE) In the sample above, the partner s UNZIP includes the INCLUDE_CMD and SPONSOR_AUTH parameters. The INCLUDE_CMD parm (PLINK.USER.PROFILES(PARTNER)) points to the proper partner certificate store for processing, while the SPONSOR_AUTH statement (PLINK.PARTNER.CERTSTOR.SPONSOR.AUTH(A )) is related to the Sponsor Authorization details contained within the SDP that the partner must install prior to attempting to extract and decrypt an archive received from a sponsor. The sponsor s ID in the sample above is 1234, as the SPONSOR_AUTH command indicates by selecting the appropriate PDS member (A ). The UNZIPPED_DSN parameter, although not required, can be a very useful command as it allows a partner to specify the original input file (SPONSOR.DATA.INPUT.FILE) and a new outfile name (PLINK.SPONSORS.OUTFILE) during the extraction process, essentially renaming the outfile to a valid HLQ and node structure in accordance with their environment. If sponsor data is encrypted, then the partner must apply the appropriate decryption parameters during the UNZIP job. If the sponsor archive is encrypted with a digital certificate (using the partner s public key), as in the sample above, then the RECIPIENT parameter is required to specify the private key certificate to use to decrypt, along with the password protecting the private key. If passphrase-only encryption is used on the sponsor archive, then the partner must use the PASSWORD parameter instead of RECIPIENT and must enter the appropriate passphrase to decrypt. Write-Mode Configuration One SecureZIP Partner RECIPIENT command must be provided at ZIP run time to designate the sponsor the archive is being created for with data encryption. It may be specified by any of the following means: The SecureZIP Run Time Configuration DB Profile settings Included commands from the defaults SECUREZIP_CONFIG Indirect commands via INCLUDE_CMD Additional command line at the bottom of the screen for ZIP processing. Note: Only one RECIPIENT command is permitted per run. Care should be taken to ensure that only one RECIPIENT request is made when combining the RECIPIENT command with other configuration settings or using it with implicit includes. See the following sample JCL, which details the required SecureZIP Partner parameters that allow a partner to compress and encrypt data to send to the sponsoring organization: Chapter 6 PKWARE PartnerLink: SecureZIP Partner 161

170 -ARCHIVE_DSN(PARTNERS.SECURED.ZIP) -ACTION(ADD) -INCLUDE_CMD(PLINK.USER.PROFILES(PARTNER)) -RECIPIENT(DSN:'PLINK.PARTNER.CERTSTOR.SPONSOR.RECIP(R )') -ENCRYTION_METHOD(AES256) PARTNER.INPUT.DATAFILE A partner s ZIP job must include a RECIPIENT command that points to the appropriate SPONSOR.RECIP PDS(member) and an INCLUDE_CMD statement that identifies the proper certificate store. The RECIPIENT parameter is required during ZIP processing and encrypts the data for a designated sponsor (sponsor ID 1234 in the sample above). The PDS member (PLINK.PARTNER.CERTSTOR.SPONSOR.RECIP(R ) specifies which SDP to use for encryption and secures the data with the sponsor s public keys contained within the SDP. The INCLUDE_CMD parm (PLINK.USER.PROFILES(PARTNER) directs the SecureZIP Partner to the appropriate certificate store where the sponsor s SDP has been installed. The ENCRYPTION_METHOD will default to AES128 unless another value is specified in the job stream. The archive is encrypted with the sponsor s public key from the SDP. The partner will not be able to test or extract the data from the archive because only the sponsor has the private key needed to decrypt. 162 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

171 7 Cryptographic Facility Utility - PKCRYUTL SecureZIP only The SecureZIP for z/os IBM Cryptographic Facilities Integration feature enables the selection of locally activated IBM cryptographic facilities to complete cryptographic service requests for data encryption and digital signature processing. (See SecureZIP ICSF Operations in the System Requirements section of chapter 1.) Cryptographic Facility Categories SecureZIP for z/os automatically determines which facilities are available for use when a cryptographic service is required. It also selects which facility to use based on configurable preference lists specified through either the defaults module or a command. Facilities are organized into sets of similar cryptographic functionality. For example, all symmetric data encryption methods, such as DES and AES, fall into the ENCRYPTDATA facility category. Digital signature creation or authentication requires a cryptographic HASH facility. (See also the FACILITY_ENCRYPTDATA, FACILITY_HASH, and FACILITY_RANDOM commands in the SecureZIP for z/os User s Guide). Assessing a System s Cryptographic Capabilities with PKCRYUTL Available ICSF APIs and underlying facilities (hardware or software emulation) vary across system configurations (see the table ICSF feature/facility requirements in chapter 1). The PKCRYUTL utility program provided with the product can help the administrator or user select the most appropriate facility settings when planning to employ cryptographic features of SecureZIP for z/os. The simplest choice for facility settings is to allow SecureZIP to choose a facility based on the default settings distributed with product. As distributed, SecureZIP gives preference first to ICSF hardware services, then to ICSF software emulation, and finally to software cryptographic facilities native to the SecureZIP product. This order of precedence generally provides the best performance when used in conjunction with the default ENCRYPTION_METHOD and SIGN_HASHALG algorithm settings and ensures that at least one facility can be selected to complete the processing request. Chapter 7 Cryptographic Facility Utility - PKCRYUTL 163

172 PKCRYUTL can also be used to verify that alternative facility preference or algorithm settings will run on a target system. PKCRYUTL Execution The SecureZIP product provides sample batch JCL in INSTLIB(PKCRYUTL) that will execute a report step for each cryptographic category. The SecureZIP Administration Services ISPF dialog has a Cryptographic Services Utility selection that provides an options panel for foreground execution. Online help is also accessible in the dialog. PKCRYUTL Reporting The utility is intended to be run once for a facility category to be assessed. Multiple processing phases are performed by the utility during the run to: Report on the basic operating environment Report active ICSF facilities Report which API facilities are available for SecureZIP to use Run timing tests for available facilities Report throughput rates for various algorithm/facility combinations Indicate which facility would be selected for a properly licensed SecureZIP product PKCRYUTL Sample Report ZPEN350I PKCRYUTL 1.4 Cryptographic API Review Utility ZPEN350I Copyright (C) PKWARE, Inc. All rights reserved. ZPEN350I Program and Output used by permission only. PKWARE, Inc. ZPEN378I Testing with Bytes Active ZPEN336I CSRSI Query IBM Type(2066) Mod(0A2) #( A) ZPEN300I OSname<z/OS> OS Ver(01) Rel(06) Mod( ) HWclass<Z/X00 > ZPEN307I ICSF is Active/CCVTACT ZPEN308I ICSF is at a proper level for CSFIQF ZPEN309I z/architecture Hardware Available -Z/X00 ZPEN313I CSNBSYE (AES) System Capable with ICSF when available. ZPEN314I AES Software Only Available -Z/X00 ZPEN320I CryptoAPI Facilities HW SW SecureZIP ZPEN321I 96 Bit Encryption PKW ZPEN321I AES 128 Encryption --- SYE BSAFE ZPEN321I AES 192 Encryption --- SYE BSAFE ZPEN321I AES 256 Encryption --- SYE BSAFE ZPEN321I 3DES Encryption ENC --- BSAFE ZPEN321I DES Encryption ENC --- BSAFE ZPEN321I RC4 Encryption BSAFE ZPEN321I CRC32 Hashing PKW ZPEN321I SHA1 Hashing OWH --- BSAFE ZPEN321I MD5 Hashing --- OWH BSAFE ZPEN321I SHA256 Hashing ZPEN321I Random Data Gen RNG --- PKW ZPEN322I Facility Encryptdata Seq: IBMHW(1) IBMSW(2) PKW(3) ZPEN322I Facility Hash (Signature) Seq: IBMHW(1) IBMSW(2) PKW(3) ZPEN322I Facility Randomdata Seq: IBMHW(1) IBMSW(2) PKW(3) 164 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

173 ZPEN340I / Encryptdata Matrix (01) / ZPEN341I 0001(96 Bit Encryption ) Select (10/10) SecureZIP ZPEN342I Status-IBMHW(-NotCap-) IBMSW(-NotCap-) PKW( PKW ) ZPEN341I 6801(RC4 Encryption ) Select (10/10) SecureZIP ZPEN342I Status-IBMHW(-NotCap-) IBMSW(-NotCap-) PKW( BSAFE ) ZPEN341I 660E(AES 128 Encryption) Select (20/70) IBM Software ZPEN342I Status-IBMHW( -NoAPI-) IBMSW(SYE/SYD ) PKW( BSAFE ) ZPEN341I 660F(AES 192 Encryption) Select (20/70) IBM Software ZPEN342I Status-IBMHW( -NoAPI-) IBMSW(SYE/SYD ) PKW( BSAFE ) ZPEN341I 6610(AES 256 Encryption) Select (20/70) IBM Software ZPEN342I Status-IBMHW( -NoAPI-) IBMSW(SYE/SYD ) PKW( BSAFE ) ZPEN341I 6603(3DES Encryption ) Select (40/70) IBM Hardware ZPEN342I Status-IBMHW(ENC/DEC ) IBMSW( -NoAPI-) PKW( BSAFE ) ZPEN341I 6601(DES Encryption ) Select (40/70) IBM Hardware ZPEN342I Status-IBMHW(ENC/DEC ) IBMSW( -NoAPI-) PKW( BSAFE ) ZPEN370I ********************************************** *************Start of Testing***************** *************Nbr of Bytes= ************* *************Nbr of MEG= 1******************** Test Summary Results CPU Usage ZPEN383I Crypto Facilities HW SW BSAFE/PKW ZPEN384I 96 Bit Encryption N/A N/A N/A ZPEN384I AES 128 Encryption * ZPEN384I AES 192 Encryption * ZPEN384I AES 256 Encryption * ZPEN384I 3DES Encryption 0.058* ZPEN384I DES Encryption 0.042* ZPEN384I RC4 Encryption * Test Summary Results Megabytes/CP Second ZPEN383I Crypto Facilities HW SW BSAFE/PKW ZPEN384I 96 Bit Encryption N/A N/A N/A ZPEN384I AES 128 Encryption * 5.98 ZPEN384I AES 192 Encryption * 5.23 ZPEN384I AES 256 Encryption * 4.60 ZPEN384I 3DES Encryption 17.19* ZPEN384I DES Encryption 23.74* ZPEN384I RC4 Encryption * ZPEN385I-Testing Completed Total CPU Seconds(2.625) Total Elapsed Seconds(3) ZPEN374I-Completing with rc= PKCRYUTL Interpretation Report lines are generated in standard SecureZIP message format. This section includes basic explanatory information for the majority of the messages. Additional information for each message, including system and user response, can be found in the SecureZIP Messages Guide as well as in the online Message section of the SecureZIP ISPF Dialog. ZPEN300I OSname<oooo> OS Ver(vv) Rel(rr) Mod(mm) HWclass<cccccccc> A request was made to report on the available cryptographic facilities for the current operating Chapter 7 Cryptographic Facility Utility - PKCRYUTL 165

174 environment. The operating system level and hardware platform govern which cryptographic facilities may be available for use. Classification of hardware. S/390 Pre-zArchitecture, possibly with G5/G6 Z/X00 zarchitecture z800/z900, possibly with CCF Z/X90 zarchitecture z890/z990, with CPACF Z9 zarchitecture z9-109 or equivalent, with CPACF ZPEN301E-AMUTCQRY Error Occurred: A request was made to report on the available cryptographic facilities for the current operating environment. An attempt was made to determine what cryptographic facilities are available through ICSF, but required ICSF and/or hardware facilities are not operative. ZPEN320I The CCVT is not built by ICSF. The Cryptographic Communications Vector Table is the major control block used in the operating system to govern ICSF service requests. It appears that ICSF has not been started in the operating environment. ZPEN303I Either ICSF is not up, or it is up in PCF mode. It appears that ICSF is not currently running, or an older PCF service is running. ZPEN304I There are no valid cryptographic units ACTIVE. Although ICSF is operating, there are no active hardware cryptographic components in the system. Although one or more may show as ONLINE, they are not usable by ICSF due to configuration settings. ZPEN305E-Unknown ICSF Error Code: +2+H+ A request was made to report on the available cryptographic facilities for the current operating environment. An attempt was made to determine what cryptographic facilities are available through ICSF, but required ICSF and/or hardware facilities are not operative. ZPEN306I State Error Found <State=%02X/Error=%02X> The Cryptographic Communications Vector Table is the major control block used in the operating system to govern ICSF service requests. 166 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

175 When ICSF environmental conditions are determined to be inappropriate to ICSF operations through SecureZIP this message may be issued. State Flags: x'80' - An error has been detected (See Error Flags) x'40' - ICSF is active in the system x'20' - The ICSF level supports CSFIQF x'10' - z/architecture hardware is present x'08' - CPACF Crypto Assist Hardware is present x'04' - CSNBSYE/CSNBSYD API services are available Error Flags: x'80' - The CCVT has never been initialized by ICSF x'40' - ICSF is not up in an appropriate mode x'20' - There are no hardware crypto devices available Sample State/Error codes: State=80/Error=80 - ICSF was never started. No other info is available (no CCVT) State=B4/Error=40 - ICSF is in the process of starting but has not completed initialization. State=B4/Error=60 - ICSF has been shut down. ZPEN307I ICSF is [not] Active/CCVTACT A request was made to report on the available cryptographic facilities for the current operating environment. ICSF (which is required for IBMHARDWARE and IBMSOFTWARE cryptographic facility use) is active in the system. ZPEN308I ICSF is [not] at a proper level for CSFIQF A request was made to report on the available cryptographic facilities for the current operating environment. ICSF (which is required for IBMHARDWARE and IBMSOFTWARE cryptographic facility use) is at a release level that supports the ICSF Query Facility CSFIQF. This is necessary to determine whether more advanced cryptographic services (such as Hardware-based AES) are available for use. ZPEN309I z/architecture Hardware Available %s The Cryptographic Communications Vector Table is the major control block used in the operating system to govern ICSF service requests. The hardware classification is also shown. - CCF (Cryptographic Coprocessor Feature) may be available with Z/X00 or S/390 systems. - CPACF (CP Assist for Cryptographic Functions) may be active on Z/X90 or Z9 systems ZPEN310I CP Assist For Cryptographic Functions Available The Cryptographic Communications Vector Table is the major control block used in the operating system to govern ICSF service requests. Chapter 7 Cryptographic Facility Utility - PKCRYUTL 167

176 CPACF hardware acceleration is available for select service requests. ZPEN313I CSNBSYE (AES) System capable with ICSF when available. ICSF AES symmetric data encryption can be performed on this system if the IBM Hardware Cryptographic feature is enabled. The CSNBSYE API will be used to access the IBMSOFTWARE or IBMHARDWARE facility depending on the system hardware available. ZPEN314I AES Software Only Available [system_classification] Some systems (hardware) do not support hardware-based AES processing. ICSF will provide CSNBSYE API software emulation. Classification of hardware. S/390 Pre-zArchitecture, possibly with G5/G6 Z/X00 zarchitecture z800/z900, possibly with CCF Z/X90 zarchitecture z890/z990, with CPACF Z9 zarchitecture z9-109 or equivalent, with CPACF ZPEN320I Crypto Facilities HW SW SecureZIP A request was made to report on the available cryptographic facilities for the current operating environment. A list of supported cryptographic algorithms follows indicating which API facilities are available for use by SecureZIP. The cryptographic API facilities are categorized into one of the following groups: HW - IBM Cryptographic Hardware SW - IBM Cryptographic Software SecureZIP - Software algorithms ZPEN321I [crypto_algorithm] [hw_api] [sw_api] [SecureZIP_API] A request was made to report on the available cryptographic facilities for the current operating environment. A separate report line is listed for each algorithm to indicate which (if any) API is available for use by SecureZIP before dynamic evaluation. A subsequent check of each algorithm will be performed based on run-time options and environmental characteristics. [crypto_algorithm] The [crypto_algorithm] name will also identify the use type for the algorithm. Symmetric Data Encryption algorithms: 96 Bit Encryption AES 128 Encryption AES 192 Encryption AES 256 Encryption 3DES Encryption DES Encryption 168 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

177 RC4 Encryption Data Integrity and Digital Signature algorithms: CRC32 Hashing SHA1 Hashing MD5 Hashing SHA256 Hashing [hw_api] [sw_api] The IBM Cryptographic facilities are accessed through one if the following ICSF APIs (hardware and software). ENC- CSNBENC/CSNBDEC Encipher/Decipher SYE- CSNBSYE/CSNBSYD Symmetric Key Encrypt/Decrypt OWH- CSNBOWH One way hash RNG- CSNBRNG Random Number Generation [SecureZIP_API] SecureZIP provides software algorithms using one of the following services. BSAFE-RSA BSAFE CryptoC PKW -PKWARE internal routine "------" indicates that no service facility could be identified under the API service category for the algorithm. ZPEN322I [Facility Category] Seq: IBMHW(x) IBMSW(x) PKW(x) As part of the CryptoAPI report (see also ZPEN320I), the specified FACILITY sequence is displayed. [x] - The preferred facility order of choice. 0 - Not included in the FACILITY list 1 - First selection if available for use 2 - Second selection if available for use 3 - Third selection if available for use [Facility Category] Encryptdata Algorithms associated with symmetric data encryption. HASH (Signature) Algorithms associated with hashing. Uses include digital signature creation and authentication. RandomData Algorithms associated with creating random data for encryption extensions (such as Cipher Block Chaining) ZPEN340I / [Facility_Category] Matrix ([type_code]) / A request was made to report on the available cryptographic facilities for the current operating environment. A separate report is listed for each category of cryptographic service. All associated algorithms are included in the report along with resulting selection results. [Facility_Category] Chapter 7 Cryptographic Facility Utility - PKCRYUTL 169

178 Encryptdata Algorithms associated with symmetric data encryption. HASH (Signature) Algorithms associated with hashing. Uses include digital signature creation and authentication. ZPEN341I [alg_id]([algorithm_name]) Select ([code]) [Facility Category] A request was made to report on the available cryptographic facilities for the current operating environment. A separate report line is listed for each algorithm to indicate which (if any) API is selected for use by PKWARE after dynamic evaluation. Each algorithm is validated against requested FACILITY settings, licensing and facilities reported by ICSF. [Facility Category] The final facility chosen is shown. NONE FOUND No viable facility could be identified for use. This algorithm cannot be serviced with the current configuration. IBM Hardware The CryptoAPI identified in ZPEN321I (HW) will be used IBM Software The CryptoAPI identified in ZPEN321I (SW) will be used SecureZIP The CryptoAPI identified in ZPEN321I (PKW) will be used ZPEN342I Status-IBMHW([APIstate]) IBMSW([APIstate]) PKW([APIstate]) A request was made to report on the available cryptographic facilities for the current operating environment. A separate report line is listed for each algorithm to indicate which (if any) API is available for use by SecureZIP after dynamic evaluation. Each algorithm is validated against requested FACILITY settings, licensing and facilities reported by ICSF. [APIstate] The state of each facility type is reported for the algorithm reported in the preceding ZPEN341I message. State definitions are as follows: -NotCap- The facility category is not capable of servicing this algorithm, and is therefore not available for use. -NoAPI- No API could be identified as being available for use in the current run-time environment. 170 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

179 -NoFacil- This facility was not listed in the associated FACILITY setting, and is not available for use. -NoLic- The product does not have the appropriate SecureZIP feature license code enabled to make use of this facility category. -NotSup- This algorithm is not supported under the current release of SecureZIP. BSAFE BSAFE(r) CryptoC routines included with the SecureZIP product has been identified as being viable for use. ENC/DEC For the system platform being executed on, the ICSF CSNBENC(encipher) and CSNBDEC(decipher) API calls were identified as viable for use. SYE/SYD For the system platform being executed on, the ICSF CSNBSYE(symmetric key encipher) and CSNBSYD(symmetric key decipher) API calls were identified as viable for use. PKW A PKWARE proprietary routine was identified as viable for use. OWH For the system platform being executed on, the ICSF CSNBOWH(One Way Hash) API call was identified as viable for use. ZPEN383I Crypto Facilities HW SW SecureZIP A request was made to produce a timing report for supported cryptographic facilities in the current operating environment. A list of supported cryptographic algorithms follows indicating which API facilities are available for use by SecureZIP. A list of supported cryptographic algorithms follows showing timing test values for each. A preceding header line will indicate whether this report is for raw TCB CPU time, or a computed throughput rate in megabytes per CP Second. ZPEN384I [crypto_algorithm] [hw_api] [sw_api] [SecureZIP_API] A request was made to produce a timing report for supported cryptographic facilities in the current operating environment. A value will be listed for each facility category associated with the correlated facility API listed in ZPEN321I. An "*" following a timing value indicates that the corresponding API will be selected based on the facility preference list shown in ZPEN322I. A preceding header line will indicate whether this report Chapter 7 Cryptographic Facility Utility - PKCRYUTL 171

180 is for raw TCB CPU time, or a computed throughput rate in megabytes per CP Second. Note: The "96 bit encryption" algorithm will not have timings run. The SecureZIP(PKW) facility API will always be selected for use when ENCRYPTION_METHOD(STANDARD) is specified. 172 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

181 8 SMF Record Formats SecureZIP only The activation procedure for SMF recording is covered in chapter 2 in the section Enable SMF Recording. This chapter provides record format descriptions that can be used in auditing operational activities of SecureZIP. The standard SMF record header for records with subtypes is used (ref. z/os MVS System Management Facility, Standard SMF Record Header ). The SecureZIP product distribution library INSTLIB(PKSMFREC) contains assembler maps of each record type. Individual DSECT maps are referenced in the following formats; the following record subtypes may be written: Subtype * Description 1 (1) Session Start One per ZIP UNZIP invocation 2 (2) Session Settings One per ZIP UNZIP invocation (optional) 3 (3) File Activity One per file process completion (optional) 99 (63) Session Summary One per ZIP UNZIP invocation * Offsets and numerical references are shown in decimal and (hexadecimal) form. The following format definitions map the various possible record sections. Before each subtype record listing, commonly used record segments are shown. A Common Header is used for all Subtypes. Each unique subtype description follows with offsets continuing from the end of the Common Header. The general format is for each subtype to begin with a fixed length portion that includes control flags, to be followed by optional variable length data fields. Variable length portions may be provided with either unformatted or declared formats. Layouts for special data areas such as Certificate List elements are also provided. Chapter 8 SMF Record Formats 173

182 Table 2: SMF Record Format - Common Header Offset Name Len Format Description Mapped by PKSMFHDR DSECT 0 (0) PKSMFLEN 2 Binary Length, including data 2 (2) PKSMFSEG 2 Binary X 0000 Records are non-spanned 4 (4) PKSMFFLG 1 Binary Flags X'40' Subtypes valid X'1E' MVS Level 5 (5) PKSMFREC 1 Binary SMF Record Type value 6 (6) PKSMFTIM 4 Binary Time 10 (A) PKSMFDAT 4 Packed Date (0CYYDDDF) 14 (E) PKSMFSID 4 Char SYSTEM IDENTIFICATION 18 (12) PKSMFSS 4 Binary SUBSYS ID (not set) 22 (16) PKSMFSTY 2 Binary RECORD SUB-TYPE value X'0001' - ZIP session start X'0002' - Session parms X'0003' - FILE process X'0099' - ZIP session summary 24 (18) REC_VERSION 2 Binary VERSION-ID (FORMAT dependent) value X 0001 for initial release 26 (1A) JOBNAME 8 Char JOBNAME, STCNAME OR TSU ID (see Note 1) 34 (22) JOBID 8 Char JES JOBID/STCID/TSUID 42 (2A) SESSIONID 16 Binary UNIQUE ZIP SESSION ID 58 (3A) FLAG1 1 Binary bits Flag1 Common for all subtypes X 80 VARIABLE SECTION fields exist (Check RELCNT) X 40 Variable section is in SUBVAR_FIELD format X 01 Some records filtered (Subtype 99 only) 59 (3B) FLAG2 1 Binary bits FLAG # 2 (Subtype specific) -- Flags for subtype 1 - NONE Flags for subtype 2 - NONE Flags for subtype 3 File Process Control x'80' Add x'40' Freshen x'20' Copy -- Flags for subtype 99 - NONE PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

183 Offset Name Len Format Description 60 (3C) FLAG3 1 Binary bits 61 (3D) FLAG4 1 Binary RESERVED Mapped by PKSMFHDR DSECT -- Flags for subtype 1 - NONE Flags for subtype 2 - NONE Flags for subtype 3 File Process Indicators X'40' Variable data for encrypt exists X'01' Digital Signature indicated X'02' Authenticate succeeded X'04' AUTHCHK attempt failed -- Flags for subtype 99 - NONE (3E) RELOFF 2 Binary Offset to first relocate section from the beginning of the record header, represented as PKSMFxxxx_SXS. The total length of the relocate section is provided in the SXS field of the subtype map. 64 (40) RELCNT 2 Binary Count of the number of relocate sections. This field will be x 0000 if no variable data exists. 66 (42) Beginning of unique subtype fields Note 1: The combination of JOBNAME/JOBID/SESSIONID is used to correlate all SMF records from a particular session together. The Variable Section Elements are conditionally placed into the VARIABLE SECTION of a unique subtype. The precise location depends upon the length of information that precedes each variable entry. For that reason, offsets are provided relative to the current location in the record. The offset to the first entry of the relocate section is defined in the RELOFF field of the common header. Chapter 8 SMF Record Formats 175

184 Offset From current position Table 3: SMF Record Format Variable Relocate Section Element Map Name Len Format Description +0 (0) VAR_ID 2 Binary Unique field Identifier +2 (2) VAR_FIELDFMT 1 Binary value +3 (3) VAR_LEN 2 Binary Length of following data +5 (5) VAR_INFO (FIELDFMT) Var Mapped by PKSMF_VAR_ELEMENT DSECT When FLAG1 SMF1_SUB_FORMAT is ON, this is formatted data in accordance with the VAR_FIELDFMT definition. A unique value will be present: X 01 Binary Undeclared binary X 02 Binary value X 03 Character X 04 Char_ASCII X 05 Certificate List When VAR_FIELDFMT is in effect, this starts the beginning of the format-dependent data. It applies to Binary, Binary value, Character and Char_ASCII +5 (5) CERTLIST_ COUNT +7 (7) Certificate List Extension Fields 2 Binary Value Var When VAR_FIELDFMT x 05 Certificate List is indicated, a numeric count of Certificate List Extension fields that follow is provided. See Subtype 0002 Session Settings Certificate List Extension The Certificate List Extension maps special field data relating to digital certificates within a VAR_FIELDFMT section of a Variable Section Element. One or more entries may exist as reflected in the CERTLIST_COUNT field. 176 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

185 Offset From current position Table 4: SMF Record Format Certificate List Extension Name Len Format Description Mapped by PKSMF2VA DSECT +0 (0) Use_code 1 Binary Certificate Usage Indicator +1 (1) PrFlag1 1 Binary Processing Flag x'.1' Used for Encryption x'.2' Used for File Signing x'.4' Used for Archive Signing x.a Used for AUTHCHK (Files) x.c Used for AUTHCHK (Archive)x'1.' Certificate Required Flag (may be used with others) X 80 Found and processed By File X 40 Found and processed By LDAP X 20 Found and processed By SAF/RACF +2 (2) PrFlag2 1 Binary Processing Flag X'01' Not Found in File System. X'02' Not Found in LDAP System. X'04' Cert Was Required but failed X'08' Cert Found but failed to open X'10' Cert Requires Password. X'40' Not Found in SAF +3 (3) PrFlag3 1 Binary Processing Flag X 01 Private key found in request X 02 SAF Error was encountered +4 (4) LCERTSRC 2 Binary Length of the following field (non inclusive) +6 (6) CERTSRC Var Char Certificate Source Reference Chapter 8 SMF Record Formats 177

186 Table 5: SMF Record Format Subtype 0001 Session Start Offset Name Len Format Description FIXED SECTION Continues from the end of the Common Header 66 (42) STEPNAME 8 Char STEPNAME from SCTSNAME 74 (4A) PROCSTEP 8 Char PROC STEPNAME from SCTSCLPC 82 (52) USERID 8 Char UserID from ASXBUSER 90 (5A) PRODUCTID 2 Char PKWARE Product Identifier PK PKZIP SZ SecureZIP PL PartnerLink 92 (5C) VERSION 8 Char Product version info 100 (64) LEVEL 8 Char Refresh/Build Level 108 (6C) CALLMODE 8 Char CALLMODE setting BATCH ISPF API-B TSO 116 (74) ACTION 1 Char Representation of basic ACTION request (See User s Guide) VARIABLE SECTION See Variable Section Element Map for the layout of each field following the SXS 117 (7D) SXS 2 Binary Size of extended information segment (size of all sections that follow). Pointed to by RELOFF offset in the common header. Each variable segment is described as a 'triplet' with a field ID, a data type descriptor, a length, and variable information depending upon the section type. Field order is not implied. dependent Field ID 2 Binary X Input Archive Written when an input archive is used for processing. Datatype 1 Binary X 03 Field Length 2 Binary Total length of this field including length and Field ID Char Input Archive File Name (MVS DSN or UNIX 178 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

187 Offset Name Len Format Description PATH) dependent Field ID 2 Binary X Output Archive Datatype 1 Binary X 03 Written during ZIP processing when an output archive is used for processing. Field Length 2 Binary Total length of this field including length and Field ID Char Output Archive File Name (MVS DSN or UNIX PATH) Table 6: SMF Record Format Subtype 0002 Session Settings Offset Name Len Format Description FIXED SECTION Continues from the end of the Common Header VARIABLE SECTION See Variable Section Element Map for the layout of each field following the SXS 66 (42) SXS 2 Binary Size of extended information segment (size of all sections that follow). Pointed to by RELOFF offset in the common header. Each variable length portion is described as a 'quartet' with a section type code, a sub-field format descriptor, a format-dependent variable length descriptor and the associated variable information. Field order is not implied. Trailing blanks for character fields may be removed. dependent Field ID Binary X 00C9 - ENCRYPTION_METHOD Condition: ZIP with any encryption. Sub-Field Format 1 Binary X 03 Character Field Length 2 Binary Length of the following data Var Char ENCRYPTION_METHOD value dependent Field ID Binary X 00CA - FILENAME_ENCRYPTION Condition: ZIP with any encryption. Chapter 8 SMF Record Formats 179

188 Offset Name Len Format Description Sub-Field Format 1 Binary X 03 Character Field Length 2 Binary Length of the following data Value Var Char FILENAME_ENCRYPTION value dependent Field ID Binary X 00CB - KEY_PROTECT_LEVEL Sub-Field Format 1 Binary X 03 Character Condition: ZIP with ENCRYPTION_METHOD other than STANDARD. Field Length 2 Binary Length of the following data Value Var Char KEY_PROTECT_LEVEL value dependent Field ID Binary X 00CC - SECURE_OPT_MSK3DES Sub-Field Format 1 Binary X 03 Character Condition: ZIP with ENCRYPTION_METHOD other than STANDARD. Field Length 2 Binary Length of the following data Value Var Char SECURE_OPT_MSK3DES value dependent Field ID Binary X 00CD CKDS Passphrase Key Request Sub-Field Format 1 Binary X 03 Character Condition: ZIP or UNZIP with a CKDS based Key Label reference Field Length 2 Binary Length of the following data Value Var Char PASSWORD CKDS_xxx reference dependent Field ID Binary X 00CE Digital Signature Request list Condition: ZIP with SIGN_ARCHIVES or SIGN_FILES Sub-Field Format 1 Binary X 05 Certificate list; count; var-list Field Length 2 Binary Length of the following data CertCount 2 Binary Unsigned count of cert-list extension fields that follow List Extensions Var Cert-list A list of certificate request descriptors as mapped by the Certificate List Extension 180 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

189 Offset Name Len Format Description dependent Field ID Binary X 00CF Signature Authentication Request list Condition: ZIP or UNZIP with AUTHCHK for Files or Archive with specific AUTHCHK certificates. Sub-Field Format 1 Binary X 05 Certificate list; count; var-list Field Length 2 Binary Length of the following data CertCount 2 Binary Unsigned count of cert-list extension fields that follow List Extensions Var Cert-list A list of certificate request descriptors as mapped by the Certificate List Extension dependent Field ID Binary X 00D0 Recipient Certificate Request list Condition: ZIP or UNZIP with RECIPIENT certificate requests Sub-Field Format 1 Binary X 05 Certificate list; count; var-list Field Length 2 Binary Length of the following data CertCount 2 Binary Unsigned count of cert-list extension fields that follow List Extensions Var Cert-list A list of certificate request descriptors as mapped by the Certificate List Extension dependent Field ID Binary X 00D1 - FACILITY_ENCRYPTDATA Condition: ZIP or UNZIP (conditional use in run) Sub-Field Format 1 Binary X 03 Character Field Length 2 Binary Length of the following data Value Var Char FACILITY_ENCRYPTDATA value dependent Field ID Binary X 00D2 - FACILITY_HASH Condition: ZIP or UNZIP (conditional use in run) Sub-Field Format 1 Binary X 03 Character Field Length 2 Binary Length of the following data Value Var Char FACILITY_HASH value dependent Field ID Binary X 00D3 - FACILITY_RANDOM Condition: ZIP or UNZIP (conditional use in run) Sub-Field Format 1 Binary X 03 Character Field Length 2 Binary Length of the following data Value Var Char FACILITY_RANDOM value Chapter 8 SMF Record Formats 181

190 Offset Name Len Format Description dependent Field ID Binary X 00D4 - LDAP_ENCRYPT_CERT_SELECT Condition: ZIP with RECIPIENT LDAP: requests Sub-Field Format 1 Binary X 03 Character Field Length 2 Binary Length of the following data Value Var Char LDAP_ENCRYPT_CERT_SELECT value dependent Field ID Binary X 00D5 - FIPSMODE Condition: ZIP or UNZIP (conditional use in run) Sub-Field Format 1 Binary X 03 Character Field Length 2 Binary Length of the following data Value Var Char FIPSMODE value dependent Field ID Binary X 00D6 - HFS_SAF_CHECK Condition: ZIP or UNZIP (conditional use in run) Sub-Field Format 1 Binary X 03 Character Field Length 2 Binary Length of the following data Value Var Char HFS_SAF_CHECK value dependent Field ID Binary X 00D7 - ARCHIVE_PATHMODE Condition: ZIP using UNIX filesystem archive (conditional use in run) Sub-Field Format 1 Binary X 03 Character Field Length 2 Binary Length of the following data Value Var Char ARCHIVE_PATHMODE value dependent Field ID Binary X 00D8 - OUTFILE_PATHMODE Condition: UNZIP using UNIX filesystem output file (conditional use in run) Sub-Field Format 1 Binary X 03 Character Field Length 2 Binary Length of the following data Value Var Char OUTFILE_PATHMODE value dependent Field ID Binary X 00D9 - SVC Condition: ZIP & UNZIP 182 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

191 Offset Name Len Format Description Sub-Field Format 1 Binary X 03 Character Field Length 2 Binary Length of the following data Value Var Char SVC value dependent Field ID Binary X 00DA - SMF_SUBTYPES Condition: ZIP & UNZIP Sub-Field Format 1 Binary X 03 Character Field Length 2 Binary Length of the following data Value Var Char SMF_SUBTYPES value dependent Field ID Binary X 00DB Certificate Services Policy Buffer Condition: ZIP & UNZIP Sub-Field Format 1 Binary X 03 Character Field Length 2 Binary Length of the following data Value Var Char A buffer containing process settings such as: {VALENCRYPT...} {VALSIGN } {AUTHENTICATE } {CSPUB } {SAFSET } Table 7: SMF Record Format Subtype 0003 Files Offset Name Len Format Description FIXED SECTION Continues from the end of the Common Header 66 (42) FILEIDENT 8 Binary Unique File Identifier (within Archive) 74 (4A) GPBIT_FLAGS 2 Binary ZIP File format General Purpose Bit Flags (Note 2) 76 (4C) IFILE 2 Binary IFILE Attributes (Note 2) X'x1xx' - File marked as TEXT X'x2xx' - Records have ZDW prefix 78 (4E) PROCESS_RC 4 Binary Processing return code for this file Chapter 8 SMF Record Formats 183

192 Offset Name Len Format Description 82(52) File Type 4 Char General z/os File Type 'JES ' JES 'PO ' Partitioned Organization 'PO-E' PDSE 'PS ' Physical Sequential 'UNIX' UNIX (HFS, zfs...) 'VS ' VSAM 86 (56) Compress Method 2 Binary ZIP Compression Method used (Note 2) VARIABLE SECTION See Variable Section Element Map for the layout of each field following the SXS 88 (58) SXS 2 Binary Size of extended information segment (size of all sections that follow). Pointed to by RELOFF offset in the common header. Each variable segment is described as a 'triplet' with a field ID, a data type descriptor, a length, and variable information depending upon the section type. Field order is not implied. dependent Field ID Binary X 012D ZOSFILENAME Sub-Field Format 1 Binary X 03 Character Field Length 2 Binary Length of the following data var Char Local system file name (MVS DSN or UNIX PATH) dependent Field ID Binary X 012E ZIPFILENAME Sub-Field Format 1 Binary X 03 Character Field Length 2 Binary Length of the following data var Char Filename representation from ZIP Archive (translated to EBCDIC) dependent Field ID Binary X 012F Data Encryption Information Comprised of three 2-byte fields that follow Sub-Field Format 1 Binary X 03 Character Field Length 2 Binary Length of the data fields that follow (total) 184 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

193 Offset Name Len Format Description 2 Binary Encryption Algorithm Identifier '0166' DES '0168' RC4 '0366' 3DES '0966' 3DES(112) '0E66' AES128 '0F66' AES192 '1066' AES256 '1166' AES - GENERIC (Ref Key Length) 2 Binary Key Length (Little Endian - #bits) (Note 2) 2 Binary Encryption Control Flags Flags '.1..' Passphrase used '.2..' Digital Certificate(s) used '.3..' COMBO Passphrase/Certificate Note 2 - Annotated fields represent data in the format consistent with the ZIP File Format Specification "Appnote", which can be obtained by request from PKWARE, Inc. Table 8: SMF Record Format Subtype 0099 (0063) End Session Offset Name Len Format Description FIXED SECTION Continues from the end of the Common Header 66 (42) MAX_RC 4 Binary Final Session Return Code (Condition Code) 70 (46) #ADDED 4 Binary Count of files processed for the ACTION indicated in subtype 1. (Ref. message ZPAM140I) Applies to ADD and UPDATE 74 (4A) #FRESHENED 4 Binary File Count Applies to FRESHEN 78 (4E) RESERVED 4 Binary RESERVED 82 (52) #COPIED 4 Binary File Count Applies to ADD, FRESHEN, UPDATE, COPY, DELETE 86 (56) #DELETED 4 Binary File Count Applies to DELETE 90 (5A) #EXTRACTED 4 Binary File Count Applies to EXTRACT Chapter 8 SMF Record Formats 185

194 94 (5E) #TESTED 4 Binary File Count Applies to TEST 98 (62) #VIEWED 4 Binary File Count Applies to VIEW* 102 (66) #SKIPPED 4 Binary Count of files skipped (typically based on EXCLUDE processing) 106 (6A) #BYPASSED 4 Binary Count of files bypassed (Ref. message ZPAM140I) 110 (6E) #ERROR 4 Binary Count of files in error (Ref. message ZPAM140I) 114 (72) FLAG1 1 Binary X 80 - Input archive directory signature detected 115 (73) FLAG2 1 RESERVED 116 (74) FLAG3 1 RESERVED 117 (75) FLAG4 1 RESERVED 118 (76) RESERVED 4 RESERVED 122 (7A) RESERVED 4 RESERVED X 40 Input archive directory File Name Encryption was detected. X 08 - Output Archive directory signature was created. 126 (80) VARIABLE SECTION RESERVED 126 (80) SXS 2 Binary Size of extended information segment (size of all sections that follow). Pointed to by RELOFF offset in the common header. Each variable segment is described as a 'triplet' with a field ID, a data type descriptor, a length, and variable information depending upon the section type. Field order is not implied. 186 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

195 Glossary This glossary provides definitions for items that may have been referenced in the SecureZIP z documentation. It is not meant to be exhaustive. There are excellent sources of documentation for computing terms on the Internet. For example: IBM s Terminology Web Site Absolute Path Name A string of characters that is used to refer to an object, starting at the highest level (or root) of the directory hierarchy. The absolute path name must begin with a slash (/), which indicates that the path begins at the root. This is in contrast to a Relative Path Name. Access Method A technique that is used to read a record from, or to write a record into, a file. Usually either: SAM (Sequential Access Method - where records are processed one after another in the order in which they appear in the file), or random (the individual records can be processed in any order) such as VSAM ). AES The Advanced Encryption Standard is the official US Government encryption standard for customer data. Alternate Index An index of a file based on a key different from the base. It allows the file to be processed in a secondary key order. American Standard Code for Information Interchange (ASCII) The ASCII code (American Standard Code for Information Interchange) was developed by the American National Standards Institute for information exchange among data processing systems, data communications systems, and associated equipment, and is the standard character set used on Windows and many UNIX-based operating systems. In a ZIP archive, ASCII is used as the normal character set for compressed text files. The ASCII character set consists of 7-bit control characters and symbolic characters, plus a single parity bit. Since ASCII is used by most microcomputers and printers, Glossary 187

196 text-only files can be transferred easily between different kinds of computers and operating systems. While ASCII code does include characters to indicate backspace, carriage return, etc., it does not include accents and special letters that are not used in English. To accommodate those special characters, Extended ASCII has additional characters ( ). Only the first 128 characters in the ASCII character set are standard on all systems. Others may be different for a given language set. It may be necessary to create a different translation tables (see Translation Table) to create standard translation between ASCII and other character sets. American National Standards Institute (ANSI) An organization sponsored by the Computer and Business Equipment Manufacturers Association for establishing voluntary industry standards. Application Programming Interface (API) An interface between the operating system (or systems-related program) that allows an application program written in a high-level language to use specific data or services of the operating system or the program. The API also allows you to develop an application program written in a high-level language to access SECZIP data and/or functions of the SECZIP system. Application System/400 (iseries) A family of general purpose computing systems from IBM which run Operating System/400 (OS/400). Archive (1) The act of transferring files from the computer into a long-term storage medium. Archived files are often compressed to save space. (2) An individual file or group of files which must be extracted and decompressed in order to be used. (3) A file stored on a computer network, which can be retrieved by a file transfer program (FTP) or other means. (4) The SECZIP file that holds the compressed/zipped data file. Batch Job A unit of work defining one or more execution steps submitted to the Job Entry Subsystem (JES) with a JOB statement. Big ENDIAN A binary (hexadecimal) representation of numeric data in which the most significant byte is on the left. In the context of bit flags, the most significant bit is on the left. Binary File A file that is to be handled in its native form without text translation. 188 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

197 Block (1) A group of records that are recorded or processed as a unit. (2) A set of adjacent records stored as a unit on a disk, diskette, or magnetic tape. Cipher Block Chain (CBC) Cipher Block Chaining refers to a method of encryption of blocks of data that involves an initialization vector that is put together with the first block of data and the encryption key. This method of encryption makes sure that each block of data thereafter is uniquely modified, further protecting the data from fraudulent access. Code Page A specification of code points for each graphic character set or for a collection of graphic character sets. Within a given code page, a code point can have only one specific meaning. A code page is also sometimes known as a code set. Command Line Interface An operating environment interface where a textual command and its associated parameters may be entered. Configuration File (1) A file that specifies the way a program functions. (2) In SECZIP, the file that contains the default values needed for the system to run. These can usually be respecified to meet local user requirements. Contingency Key An ordinary cryptographic key from a digital certificate that is designated as a master recipient for use, in addition to any other recipients, whenever SecureZIP does strong encryption. Including a master recipient contingency key in a list of recipients ensures that the organization that owns the key can decrypt the encrypted files. CP Assist for Cryptographic Functions (CPACF) A set of cryptographic instructions available on all central processors. These are available in varying degrees on zseries z/890, z/990, and System z9 platforms. Cryptographic Coprocessor Feature (CCF) A method of protecting data. Cryptographic services include data encryption and message authentication. These are available on systems supporting the G5/G6 chipsets, including MP2000, MP3000, 9672, as well as z-architecture systems z800 and z900. Cryptography (1) A method of protecting data. Cryptographic services include data encryption and Glossary 189

198 message authentication. (2) In cryptographic software, the transformation of data to conceal its meaning; secret code. (3) The transformation of data to conceal its information content, to prevent its undetected modification, or to prevent its unauthorized use. Cyclic Redundancy Check (CRC) A Cyclic Redundancy Check is a number derived from a block of data, and stored or transmitted with the data in order to detect any errors in transmission. This can also be used to check the contents of a ZIP archive. It is similar in nature to a checksum. A CRC may be calculated by adding words or bytes of the data. Once the data arrives at the receiving computer, a calculation and comparison is made to the value originally transmitted. If the calculated values are different, a transmission error is indicated. The CRC information is called redundant because it adds no significant information to the transmission or archive itself. It is only used to check that the contents of a ZIP archive are correct. When a file is compressed, the CRC is calculated and a value is calculated based upon the contents and using a standard algorithm. The resulting value (32 bits in length) is the CRC that is stored with that compressed file. When the file is decompressed, the CRC is recalculated (again, based upon the extracted contents), and compared to the original CRC. Error results will be generated showing any file corruption that may have occurred. Data Compression The reduction in size (or space taken) of data volume on the media when performing a save or store operation. Data Integrity (1) The condition that exists as long as accidental or intentional destruction, alteration, or loss of data does not occur. (2) Within the scope of a unit of work, either all changes to the database management systems are completed or none of them are. The set of change operations are considered an integral set. Delimiter A character or sequence of characters that marks the beginning or end of a unit of data. This is commonly used in non-record data streams in workstation and UNIXbased systems. Double-byte Character Set (DBCS) A set of characters in which each character is represented by 2 bytes. Languages such as Japanese, Chinese, and Korean, which contain more symbols than can be represented by 256 code points, require double-byte character sets. Because each character requires 2 bytes, the typing, displaying, and printing of DBCS characters requires hardware and programs that support DBCS. Four double-byte character sets 190 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

199 are supported by the system: Japanese, Korean, Simplified Chinese, and Traditional Chinese. See also the Single-Byte Character Set (SBCS). Dump In problem analysis and resolution, to write, at a particular instant, all or part of the contents of main or auxiliary storage onto another data medium (such as tape, printer, or spool) for the purpose of protecting the data or collecting error information. Dynamic Allocation (DYNALLOC) Dynamic Allocation (DYNALLOC) is a facility utilizing the SVC99 function which allows a program to directly access a dataset without the need for corresponding JCL statements. Encryption The transformation of data into an unintelligible form so that the original data either cannot be obtained or can be obtained only by decryption. Enqueue The Enqueue macro (ENQ) is used to restrict access to a resource, so that only the appropriate number of users with the appropriate mode gain access to the resource at one time. It is commonly used to "lock" a resource to prevent modifications from multiple sources to cancel out each other. Extended Attribute Information attached to an object that provides a detailed description about the object to an application system or user. Extended Binary Coded Decimal Interchange Code (EBCDIC) The Extended Binary Coded Decimal Interchange Code a coded character set of bit characters. EBCDIC is similar in nature to ASCII code, which is used on many other computers. When ZIP programs compress a text file, they translate data from EBCDIC to ASCII characters within a ZIP archive using a translation table. FIPS Federal Information Processing Standards defining information processing standards for use within government agencies. Information regarding specific standards definitions are available online from the Computer Security Resource Center at csrc.nist.gov using keyword FIPS. Fixed-Length A dataset or data definition characteristic in which all of the records are the same length. See also Variable Length. Glossary 191

200 GDG Generation Data Groups. GNU A recursive acronym for the name of the Free Software Foundation's freely distributable replacement for UNIX. Greenwich Mean Time (GMT) A synonym for Universal Time Coordinated (UTC) which is the mean solar time of the meridian of Greenwich, England, and is the prime basis of standard time throughout the world. GZIP GZIP (also known as GNU zip) is a compression utility designed to use a different standard for handling compressed file data in an Archive. ICF Integrated Catalog Facility. IDCAMS The utility program used by IBM s Access Method Services to create and manage VSAM datasets. Installation Verification Procedure (IVP) A sample application, script, or jobstream provided to verify successful installation of a product (may be either software or hardware). iseries AS400 Operating environments. JCL Job Control Language is a command language for mainframes and minicomputers, used for launching applications. Job Entry Subsystem (JES) An IBM licensed program that receives jobs into the system and processes all output data produced by the jobs. Commonly known as JES2 or JES3 Julian Date A date format that contains the year in positions 1 and 2, and the day in positions 3 through 5. The day is represented as 1 through 366, right-adjusted, with zeros in the 192 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

201 unused high-order positions. For example, the Julian date for April 6, 1987 is Kanji Characters originating from the Chinese characters used in the Japanese written language. Keyed Sequence An order in which records are retrieved based on the contents of key fields in records. For example, a bank name and address file might be in order and keyed by the account number. Keyword (1) A mnemonic (abbreviation) that identifies a parameter in a command. (2) A user-defined word used as one of the search values to identify a document during a search operation. (3) In COBOL, a reserved word that is required by the syntax of a COBOL statement or entry. (4) In DDS, a name that identifies a function. (5) In REXX, a symbol reserved for use by the language processor in a certain context. Keywords include the names of the instructions and ELSE, END, OTHERWISE, THEN, and WHEN. (6) In query management, one of the predefined words associated with a query command. (7) A name that identifies a parameter used in an SQL statement. Also see parameter. LBI (Large Block Interface) The set of BSAM, BPAM, and QSAM interfaces that deal with block sizes in 4-byte fields instead of 2-byte fields. This mode of operation is device and system-dependent. Lempel-Ziv (LZ) A technique for compressing data. This technique replaces some character strings, which occur repeatedly within the data, with codes. The encoded character strings are then kept in a common dictionary, which is created as the data is being sent. Library Lookaside An operating system facility intended to improve the performance of module fetching through the LLA started task. Related terms include LNKLST, Link List. Linkage Editor A system-related program that resolves cross-references between separately compiled object modules and then assigns final storage addresses to create a single load Glossary 193

202 module. Little ENDIAN A binary (hexadecimal) representation of numeric data in which the least significant byte is on the left. In the context of bit flags, the least significant bit is on the left. MVS Multiple Virtual Storage is the generic name for the portion of the z/os operating systems which runs non Unix-System-Services workloads such as batch and TSO/E. It is in this environment that SecureZIP z executes. New ZIP Archive A New ZIP archive is the archive created by a compression program when either an old ZIP archive is updated or when files are compressed and no ZIP archive currently exists. It may be thought of as the receiving archive. Also see Old ZIP Archive. NIST National Institute of Standards and Technology is a part of the U.S. Department of Commerce, formerly called the National Bureau of Standards, that defines standards for voice, data, and video transmissions, encryption, and other kinds of technology. Null Value A parameter which has no value assigned. Old ZIP Archive An Old ZIP archive is an existing archive which is opened by a compression program to be updated or for its contents to be extracted. It may be thought of as the sending archive. Also see New ZIP Archive. Packed Decimal Format A decimal value in which each byte within a field represents two numeric digits except the far right byte, which contains one digit in bits 0 through 3 and the sign in bits 4 through 7. For all other bytes, bits 0 through 3 represent one digit; bits 4 through 7 represent one digit. For example, the decimal value +123 is represented as (or 123F in hexadecimal). Parameter (1) A value supplied to a command or program that is used either as input or to control the actions of the command or program. (2) In COBOL, a variable or a constant that is used to pass values between calling and called programs. (3) In the Integrated Language Environment (ILE), an identifier that defines the types 194 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

203 of arguments that are passed to a called procedure. (4) In REXX, information entered with a command name to define the data on which a command processor operates and to control the execution of the command. (5) In DB2 UDB for iseries SQL, the keywords and values that further define SQL precompiler commands and SQL statements. Also see keyword. Parameter List A list of values in a calling program that corresponds exactly to a list in a called program for the purposes of providing addressability and data exchange. It contains parameter names and the order in which they are to be associated in the calling and called program. Partitioned Dataset A Partitioned Dataset (PDS) is a dataset in direct access storage that is divided into partitions (which are called members), each of which can contain a program, part of a program, JCL, parameters, or other forms of data. When a compression program is compressing a PDS, each member is treated as a separate file within the resultant ZIP archive. When an archive is decompressed to a PDS, each file within the archive creates a separate member within the PDS. Path Name (1) A string of characters used to refer to an object. The string can consist of one or more elements, each separated by a slash (/), and may begin with a slash. Each element is typically a directory or equivalent, except for the last element, which can be a directory or another object (such as a file). (2) A sequence of directory names followed by a file name, each separated by a slash. Programming Language/I (PL/I) A programming language designed for use in a wide range of commercial and scientific computer applications. Program Temporary Fix (PTF) A temporary solution to (or a bypass of) a problem that is necessary to provide a complete solution to correct a defect in a current unaltered release of a program. May also be used to provide an enhancement to a product before a new release of the product is available. Generally, PTFs are incorporated in a future release of the product. RDW Record Descriptor Word. Record A group of related data, words, or fields treated as a single unit, such as a name, Glossary 195

204 address, and social security number. Record Format A document or display that names each part of a file and provides specific information for each field such as length and type of information contained within the field. Relative Path Name A string of characters that is used to refer to an object, starting at some point in the directory hierarchy other than the root. A relative path name does not begin with a slash (/). The starting point is frequently a user's current directory. This is in contrast to an absolute path name and path name. Return Code A value generated by operating system software to a program to indicate the results of an operation by that program. The value may also be generated by the program and passed back to the operator. Rijndael The combined name of the two researchers that developed the Advanced Encryption Standard (AES) for the US Government (Dr. Joan Daemen and Dr. Vincent Rijmen). Sequential Dataset A sequential dataset holds a single file of records which are organized on the basis of their successive physical positions, such as on magnetic tape. Single-Byte Character Set (SBCS) A coded character set in which each character is represented by a one-byte code point. A one-byte code point allows representation of up to 256 characters. Languages that are based on an alphabet, such as the Latin alphabet (as contrasted with languages that are based on ideographic characters) are usually represented by a single-byte coded character set. For example, the Spanish language can be represented by a single-byte coded character set. Also see the Double-Byte Character Set (DBCS). Spanned Record A logical record that is stored across more than one block. This is commonly used to get around system limitations that blocks cannot be larger than x number of bytes. With spanned records, one record spans two or more blocks. Translation Table Translation tables are used by the SECZIP and SECUNZIP programs for translating characters in compressed text files between the ASCII character sets used within a ZIP archive and the EBCDIC character set used on IBM-based systems. These tables may be created and modified by you as documented in the user's guide. 196 PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

205 Truncate To cut off or delete the data that will not fit within a specified line width or display. This may also be attributed to data that does not fit within the specified length of a field definition. Universal Time Coordinated (UTC) A synonym for Greenwich Mean Time (GMT) which is the mean solar time of the meridian of Greenwich, England, and is the prime basis of standard time throughout the world. Variable-Length A characteristic of a file in which the individual records (and/or the file itself) can be of varying length. Also see Fixed-Length. Virtual Storage Access Method The Virtual Sequential Access Method (VSAM) is an access method for the direct or sequential processing of fixed-length and variable-length records on direct access devices. The records in a VSAM dataset or file can be organized in logical sequence by a key field (key sequence dataset or KSDS), in the physical sequence in which they are written on the dataset or file (entry-sequence or PS), or by relative-record number (RR). The datasets are managed by the IDCAMS utility program and is used by commands and macros from within application programs. ZIP Archive A ZIP archive is used to refer to a single dataset that contains a number of files compressed into a much smaller physical space by SecureZIP z software. Glossary 197

206 Index $ $INSTLIC, DES, 29 A Activating the ISPF Interface, 60 ACZDFLT, 42 AES, 29 ARCHIVE_STORCLASS, 42 ARCHIVE_UNIT, 42 ARCHIVE_VOLUMES, 42 ASMDFLT, 42 ASMSAFE, 43 authentication, 22, 24 B BASIC, 49 C CAPACITY, 49 certificate authority, 24 certificate stores, 28 certificate validation policies, 82 certificates, 24, 25, 28 root, 26 Conditional Use, 56 cryptographic services, 163 Current Use License, 53 D Defaults Module, 42 DEMO, 49 DES, 29 DISASTER RECOVERY, 49 E EBCDIC, 44 encryption, 22, 31, 163 algorithms, 29 certificate-based, 32 password, 31 enhanced tape processing, 18 ENTERPRISE, 49 F facilities, 163 FACILITY_ENCRYPTDATA, 74, 75 FEATURES, 49 FIPS, 29 H HFS, 15 Hierarchical File System, 15 I IBM Cryptographic Facilities Integration, 163 IBM s Terminology Web Site, 187 ICSF, 10 Installation Overview, 34 Integrated Cryptographic Service Facility. See ICSF ISPF Main Menu, 61 ISR@PRIM, 61 K keys, 22, 24, 31 L Library Lookaside, 61 LICENSE_HLQ, 42 Licensed Types, 49 Licensing and Initializing the Demo, 45, 56 LICPRINT, 54 LICSHSYS, 56 LICxxxx, 42 M Media Distribution for Installation, 34 O OUTFILE_STORCLASS, 42 OUTFILE_UNIT, 42 OUTFILE_VOLUMES, 42 P PartnerLink, 21, 91, 152 passwords, 31 PEM, PKZIP/SecureZIP for z/os 11.1 System Administrator s Guide

207 PKCRYUTL, 163 PKCS#12, 28 PKCS#7, 28 PKI, 23, 24 PKZALLOC, 61 private key, 24, 25, 32 Protecting Files with the SAFETYEX Module, 43 public key, 24, 25 R RC4, 30 Reporting, 54 Running a Disaster Recovery Test, 59 S SAF, 82, 84 SAFETYEX, 43 SAFETYEX Module, 43 SecureZIP Partner, 21, 48, 91, 122, 152 Self-Extracting ZIP File, 35 Show System Information, 55 signing, 24, 25 Specific Changes, 41, 42 sponsor, 152 Sponsor Distribution Package, 153 SYSEXEC, 60 SYSPROC, 60 System Access Facility security server. See SAF T Tailoring Site Specific Changes, 41, 42 TEMP_STORCLASS, 42 TEMP_UNIT, 42 TEMP_VOLUMES, 42 TIME-DELIMITED, 49 translation controls, 44 Trial Period, 45 Triple DES, 29 Type of Media Distribution for Installation, 34 U UNIX, 15 V VSAM_STORCLASS, 42 VSAM_VOLUMES, 42 X X.509,