IBM i Security - Best Practices Jeffrey Uehling IBM i security development [email protected]

Transcription

1 IBM i Security - Best Practices Jeffrey Uehling IBM i security development [email protected]

2 Best Practices - Outline Security Policy Physical Security System security levels System value settings Security audit journal Resource security Network security 2

3 Security Policy and Physical Security 3

4 The Security PROCESS Initial Requirement: Create and Implement a Security Policy! Repeat Repeat Repeat 1. Assess Vulnerabilities 2. Plan Countermeasures 3. Deploy Countermeasures 4. Repeat 4

5 Determine your Security Policy Laws and Regulations: SOX, PCI DSS, HIPAA, GLBA, Basel II, FISMA, State and Federal Laws Organization-specific requirements Security Policy Security Implementation Details 5

6 Security Policy - Evaluating your Risk What is the scope of the risk? Depends on Type of data Who has access Cost to organization should the data be lost or stolen Seek out help in creating a security policy for your organization if necessary many qualified consultants for IBM i 6

7 Physical Security a Necessity Physical Security, Server Front panel Power, cabling Racks/Storage devices Physical Security, Networking Firewalls, routers, switches, cabling, power Prevent configuration changes and sniffing equipment Wireless poses a challenge, secure networks are necessary (WEP, WPA, etc) Physical Security, Peripherals Tape drives/cartridges, Printers/output, Fax, etc. SAN attached DASD 7

8 IBM i Server Security 8

9 System Value: QSECURITY System Security Levels 9

10 Security levels, why run at a high security level System security level Good reasons to run there. 1. Object Domain Checking 2. Hardware storage protection 3. Parameter validation NOTE: System security level controlled via QSECURITY system value 10

11 Security Level 30 Not a secure environment System interfaces perform appropriate authority checks but security exposures exist on this security level (examples will follow) *USE required by DSPDTAARA *CHANGE required by CHGDTAARA Security level 30 is NOT a secure security level! User written programs, running at security level 30, can gain write access to objects with minimal authority 11

12 Object Domain attributes - Object integrity Every object: *CMD, *FILE, *PGM, etc. has a domain Every program has a state (*SYSTEM or *USER) Program state is compared against object Domain Program run state: *SYSTEM or *USER (DSPPGM/DSPSRVPGM) Object Domain: *SYSTEM or *USER (DSPOBJD) Programs running *SYSTEM state can access both *USER and *SYSTEM domain. Programs running *USER state can only access *USER domain objects. Security level 30 ALLOWS access regardless of state/domain combination Security level 40 and 50 enforce domain checking 12

13 Object Domain, Program State Object Domain Program State 13

14 Hardware Storage Protection (HSP) - Object integrity Program state is compared against object HSP to determine allowable access. Every object has a HSP value. Object HSP attributes: Allow access from any state (no protection, *USRSPC, *USRQ, *USRIDX) Read only in any state (*PGM, *SRVPGM) No access in user state (Setting for most objects, 5.3 and prior) Enhanced storage protection (5.4 and beyond) Security level 30 ALLOWS access regardless of state/hsp combination NOTE: Some HSP violations can occur on all security levels Security level 40 and 50 enforce HSP checking 14

15 Object attributes Integrity Protection required MI object overview SYP SPP Encapsulated MI Object, available to LIC Object domain (Most objects are *SYSTEM domain) Object owner Public authority Hardware storage protection setting Encapsulated object data Associated space, byte addressable area for use by above MI (user and OS) programs. The associated space is used to store operating system and user data for objects, i.e. *CMD, *DTAARA, *JOBD, *USRSPC, *USRPRF, etc. The CHKOBJITG CL Command can be used to scan the system for suspect objects and programs 15

16 Authority checking and integrity support at level 40 & 50 User written programs, running at security level 40 or 50, MUST use system interfaces (commands and APIs) to gain access to the objects. Authority checking is enforced by the system interface Parameter Validation is performed Object Domain checking is performed Object Hardware storage protection is performed Direct access by user programs to system objects is not allowed at Security level 40 and 50 due to domain and hardware storage protection attributes. 16

17 Disclaimer This presentation contains programming examples ("Sample Code"). IBM grants you a nonexclusive copyright license to use the Sample Code to generate similar function tailored to your own specific needs. The Sample Code is provided by IBM for illustrative purposes only. The Sample Code has not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of the Sample Code. The Sample Code contained herein is provided to you "AS IS" without any warranties of any kind. THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGMENT ARE EXPRESSLY DISCLAIMED. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSIONS MAY NOT APPLY TO YOU. IN NO EVENT WILL IBM BE LIABLE TO ANY PARTY FOR ANY DIRECT, INDIRECT, SPECIAL OR OTHER CONSEQUENTIAL DAMAGES FOR ANY USE OF THE SAMPLE CODE INCLUDING, WITHOUT LIMITATION, ANY LOST PROFITS, BUSINESS INTERRUPTION, LOSS OF PROGRAMS OR OTHER DATA ON YOUR INFORMATION HANDLING SYSTEM OR OTHERWISE, EVEN IF WE ARE EXPRESSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 17

18 Example exposure at security level 30. Signon as a user with *ALLOBJ special authority Create a job description object CRTJOBD JOBD(QGPL\TEST) USER(QUSER) AUT(*USE) Display the job description object paying attention to the user. DSPJOBD JOBD(QGPL/TEST) Create and call the program using source on following slide. CRTBNDC PGM(TESTLIB/TESTPGM1) SRCFILE(QCSRC) JOBD User Signon as a user without *ALLOBJ special authority. Attempt to change the job description object. CHGJOBD JOBD(QGPL/TEST) USER(FRED) Not authorized to object error. Call the program Source next slide CALL PGM(TESTLIB/TESTPGM1) Display the job description object paying attention to the user. DSPJOBD JOBD(QGPL/TEST) 18

19 After running this program, display the job description object paying attention to the user in the JOBD. Note the *JOBD object was changed by a user with only *USE authority, to allow jobs to run as QSECOFR. #include <mih/rslvsp.h> #include <mih/setsppfp.h> #include <string.h> void main() { _SYSPTR jobd_sysptr; char * space_ptr; jobd_sysptr = rslvsp(wli_jobd, TEST, QGPL, _AUTH_NONE); space_ptr = setsppfp(jobd_sysptr); space_ptr=space_ptr +2; memcpy(space_ptr, QSECOFR, strlen( QSECOFR )); return; } Change the JOBD User No authority errors!!! 19

20 Example exposure at security level 30 Signon as a user with *ALLOBJ special authority Create a data area object CRTDTAARA DTAARA(QGPL/TEST) TYPE(*CHAR) VALUE('Test Data') AUT(*USE) Display the data area object paying attention to the data area value. DSPDTAARA DTAARA(QGPL/TEST) Create and call the program using source on following slide. CRTBNDC PGM(TESTLIB/TESTPGM2) SRCFILE(QCSRC) Change DTAARA value Signon as a user without *ALLOBJ special authority. Attempt to change the data area object. CHGDTAARA DTAARA(QGPL/TEST) VALUE( JUNK DATA ) Not authorized to object error. Call the program Source next slide CALL PGM(TESTLIB/TESTPGM2) Display the data area object paying attention to the data area value. DSPDTAARA DTAARA(QGPL/TEST) 20

21 After running this program, display the data area object paying attention to the data area value. Note the *DTAARA object was changed by a user with only *USE authority, to a new string for the VALUE parameter. #include <mih/rslvsp.h> #include <mih/setsppfp.h> #include <string.h> void main() { _SYSPTR dtaara_sysptr; char * space_ptr; dtaara_sysptr = rslvsp(wli_dtaara, TEST, QGPL, _AUTH_NONE); space_ptr = setsppfp(dtaara_sysptr); space_ptr=space_ptr + 3; memcpy(space_ptr, NEW DATA, strlen( NEW DATA )); return; } Change the DTAARA value No authority errors!!! 21

22 NOTE: The previous two programs, running on security level 40 or 50, will result in an MCH6801 exception being signaled during the running of the program. The object access, on 40 & 50, is denied due to Object Domain and Hardware Storage Protection attributes of the JOBD and DTAARA objects! 22

23 System Value Settings NOTE: Lock down system values via SST after setting 23

24 Integrity related system values QSECURITY - Run at level 50 QALWOBJRST - Consider value *ALWPTF QFRCCVNRST - Consider value 6 or 7 QVFYOBJRST - Consider value 5 24

25 Altered program description Altered programs are created by modifying a program object in an unsupported way. Program alterations include: Modifying the program to run in system state Modifying the program instruction stream Modifying the program validation value Several methods available to alter a program: Using the system service tools to alter program Save the program and modify it offline 25

26 System state "user" programs, why they are a threat A program altered to run system state can access system objects and change data on security level 40 and 50. They run with the same capabilities as OS programs. Altered programs can: Deliberately cause system crashes Modify objects so they cannot be recognized by the OS Bypass authority checking for objects Bypass system audit record creation Attack other aspects of system integrity 26

27 System values that control restore 1. QVFYOBJRST (Verify object restore) 2. QFRCCVNRST (Force conversion restore) 3. QALWOBJRST (Allow object restore) When an attempt is made to restore an object onto the system, three system values work together as filters to determine if the object is allowed to be restored, or if it is converted during the restore. 27

28 Raising the bar against altered programs Program validation value: A hash over security relevant parts of the program. The hash produces the same result on each system and is generated at program creation. Digital signing of program objects: Signing of program objects using a secure private key. The public key is distributed to systems that need to verify the signature. The entire SW stack from IBM, Firmware, LIC, OS, LPP s and PTF s are signed by an IBM private key and verifiable on your system.. NOTE: The validation value or signature can be created after an object is altered. 28

29 QVFYOBJRST system value The 5 QVFYOBJRST options (default is 3): 1. Do not verify signatures on restore. Restore all objects regardless of their signature. NOTE: Effectively trust everything 2. Verify signatures on restore. Restore unsigned user-state objects. Restore signed user-state objects, even if the signatures are not valid. 3. Verify signatures on restore. Restore unsigned user-state objects. Restore signed user-state objects only if the signatures are valid. 4. Verify signatures on restore. Do not restore unsigned user-state objects. Restore signed user-state objects, even if the signatures are not valid. 5. Verify signatures on restore. Do not restore unsigned user-state objects. Restore signed user-state objects only if the signatures are valid. NOTE: Effectively trust nothing 29

30 QFRCCVNRST system value The 8 QFRCCVNRST options (default is 0): 0. Do not convert anything. NOTE: Trust everything 1. Objects with validation errors will be converted. 2. Objects requiring conversion to be used on the current version of the operating system and objects with validation errors will be converted. 3. Objects suspected of having been tampered with, objects containing validation errors, and objects requiring conversion to be used by the current version of the operating system will be converted. 4. Objects that contain sufficient creation data to be converted and do not have valid digital signatures will be converted. 5. Objects that contain sufficient creation data will be converted or else not restored. 6. All objects that do not have valid digital signatures will be converted. 7. All objects will be converted or else not restored. NOTE: Trust nothing 30

31 QALWOBJRST system value The QALWOBJRST options (default is *ALL): *ALL - Allows all objects to be restored regardless of whether or not they have securitysensitive attributes or validation errors. NOTE: Effectively trust everything *NONE - Does not allow objects with security-sensitive attributes to be restored. NOTE: Effectively trust nothing *ALWSYSSTT - Allows programs, service programs, and modules with the system-state or inherit-state attribute to be restored. *ALWPGMADP - Allows programs and service programs with the adopt attribute to be restored. *ALWPTF - Allow system-state or inherit-state programs, service programs, modules, objects that adopt authority, objects that have the S_ISUID (set-user-id) attribute enabled, and objects that have the S_ISGID (set-group-id) attribute enabled to be restored to the system during a PTF install. *ALWSETUID - Allow restore of files that have the S_ISUID (set-user-id) attribute *ALWSETGID or the S_ISGID (set-group-id) enabled. *ALWVLDERR - Allow objects with validation errors or suspected of having been tampered with to be restored. When the setting of the QFRCCVNRST system value causes the object to be converted any validation errors it may have had will be corrected. 31

32 Controlling system interfaces The "RST" interfaces are shipped as PUBLIC(*EXCLUDE). Only trusted users should be authorized to use the restore interfaces. Note: BRMS interfaces are PUBLIC(*USE) but call the system "RST" interfaces which are PUBLIC(*EXCLUDE) Verify the list of users authorized to SAVE data Protect the use of the system service tools (SST/DST) and Service related commands (DMPxxx, TRCxxx, etc). 32

33 System Value Settings continued NOTE: Lock down system values via SST after setting 33

34 Auditing related system values QAUDCTL - Audit on/off switch QAUDLVL and QAUDLVL2 (new in 5.3) QAUDENDACN and QAUDFRCLVL - Use default values QCRTOBJAUD - Audit newly created objects 34

35 Auditing continued Create the QAUDJRN audit journal Set QAUDCTL to *OBJAUD, *AUDLVL and *NOQTEMP Set QAUDLVL to *AUDLVL2 (5.3) Set auditing values in QAUDLVL2 system value. Set audit values in QAUDLVL prior to 5.3. Turn on audit and save the audit journal receivers. You may need the audit data in the future! 35

36 Auditing continued Data Objects Security Audit provides who accesses what object A combination of security audit and data object journaling provides the complete audit trail IBM partners have great products for analyzing audit data Turn on journaling for *FILE and IFS *STMF sensitive objects to get the complete audit of changes, including data CRTJRNRCV JRNRCV(MYLIB/MYRCV0001) CRTJRN JRN(MYLIB/MYJRN) JRNRCV(MYLIB/MYRCV0001) STRJRNPF FILE(MYLIB/MYFILE) JRN(MYLIB/MYJRN) IMAGES(*BOTH) QSYS/STRJRN OBJ(('/mydir/dir1/stmf1' *INCLUDE)) JRN('/qsys.lib/mylib.lib/myjrn.jrn') 36

37 Password composition system values WRKSYSVAL SYSVAL(QPWD*) Set password composition rule system values Min/Max length, required characters, etc Consider using enhanced password support (QPWDLVL) Case sensitive long passwords (128 characters) Use the ANZDFTPWD command to check for default passwords 37

38 Additional security related system values QALWUSRDMN - Consider value QTEMP QINACTITV - Set to a reasonable number of minutes QINACTMSGQ - *ENDJOB/*DSCJOB QMAXSIGN - Consider setting to 3 QMAXSGNACN - Set to disable device and profile 38

39 Resource Security Resource Security - Protecting your objects 39

40 Resource Security Don't rely on menu security Exit programs, used to control system interfaces such as FTP, are very useful but must be used in combination with object authority. A combination of a network security product and resource security is required. Secure your sensitive objects with the appropriate level of authority at the object level! 40

41 Resource Security - protecting your objects EDTOBJAUT Interface to assign object level authorities Authority List Public AUT Owner Private AUT 41

42 Resource Security Restrict Powerful Users Keep the number of security officers and security administrators to a minimum *ALLOBJ, *SECADM, etc. special authority Service tool userids Audit the actions of the Powerful user CHGUSRAUD CL command *CMD action audit value, *SECURITY, etc. Make sure the security officer understands, procedurally, that audit cannot be turned OFF! 42

43 Resource Security - protecting your objects Protecting your objects with resource security is necessary to protect your data. Run at a security level 50 Secure your confidential data with *EXCLUDE public authority Objects that are not security sensitive (public objects) should be protected with *USE public authority. This gives good performance for read operations on the object. Additional authority can be given to users who must change the data but private auts should be used sparingly for best performance. 43

44 Encrypting sensitive data New set of APIs delivered in 5.3 that provide support for encrypting data in an application New set of APIs delivered in 5.4 that provide support to create, manage and protect encryption keys used to encrypt data in an application GUI and CL interfaces in 6.1 to manage encryption keys and keystore files DB2 Field Procedures in 7.1 to enable Column Level Encryption Protect encryption keys. Encrypting data, without protecting the encryption keys, does not protect the data Protect encryption keys with a master key 44

45 Encryption of data at Rest 6.1 enhancements SW Encrypted backup. Provides encryption support for tape/virtual tape via BRMS and tape management APIs (OS option 44) HW encrypted backup solutions via TS11x0 & LTO4 (HW available off release) Encrypted ASP. Provides disk level encryption support for all data written to disk (OS option 45) HW support for Disk level encryption (DS8000 and DS5000 series) Encryption key management is required (master keys and data encryption keys) 45

46 Securing Service Tools Controlling access to the Service Tools is necessary for a secure system. Create as few Service Tools User IDs as possible Create a Service Tool user with the same privileges as QSECOFR (QSECOFR can become disabled) Never use QSECOFR Service Tool USERID (save pwd in a secure location) Consider not allowing the OS/400 QSECOFR user to have a QSECOFR level Service Tools USERID 6.1 DSPSSTUSR (Display Service Tool User CL command) 46

47 Network Security Considerations 47

48 Firewall Building a Secure Network Install and maintain a firewall configuration A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria. 48

49 Network-Based Intrusion Detection Firewalls: Intrusion Monitors: Internet Firewall Intrusion Monitor Corporate Network H/R System Development system Domino WWW Mail Location: Outside your internal company network Makes sense to let firewall filter what it can. 49

50 Network-Based Intrusion Detection What Intrusion Monitors Do: Perform "Signature Analysis" or "Pattern Matching" ƒpatterns: Looking for known "bad patterns" in IP flow. ƒsignature Analysis: Watch for "Trend Deviations" in network usage. ƒi.e. When someone successfully connects to a machine, packet activity is quite different when somebody randomly searching for open ports. Reaction to suspected malicious behavior: ƒsend or message to pager ƒshutdown network or routers 50

51 Network-Based Security Appliance Internet Security Systems (ISS) IBM company that produces network security HW & SW ISS Proventia Multi-Function Security HW Firewall Intrusion Detection and Prevention Anti-Virus Web Content Filtering VPN Monitoring/Reporting Network Configuration 51

52 What is a Demilitarized Zone (DMZ)? External facing network containing interfaces meant to be available externally: Web servers (supporting external applications) Product information, Sales, etc. servers Limited access to the internal corporate intranet 52

53 DMZ - Protecting & Isolating your internal network DMZ firewall firewall Internet 53

54 Host Based Intrusion Detection/Prevention 5.4 & 6.1 Enable Intrusion detection support on your host system. Detect internal attacks on your systems Real time notification enablement , messages, etc. (i.e., pagers, ISV solutions) in addition to IM records Numerous intrusion events audited well-known attacks such as Smurf, Fraggle, ACK storms, Address Poisoning (both IPv4 ARP poisoning, and IPv6 neighbor discovery poisoning), Ping-Of-Death and many more. Extrusions detected attacks, scans, traffic regualtion anomalies emanating from your host IPv6 support GUI inav Management of IDS policies Display of intrusion events as an alternative to viewing the audit journal 54

55 IBM Partner Network Security Products IBM Security Partners Many listed on the IBM i Security site Products that enhance the native security features available in the operating system Many are network based Apply additional security rules Enforcement of the rules IBM i Security website:

56 SSL/VPN connection For remote connections to your IBM i: Use Virtual Private Network Use SSL enabled versions of the client connection applications (Telnet, FTP, inavigator, etc) 56

57 General TCP/IP Security Tips Only start TCP/IP servers that are needed Prevent applications from using well-known ports Turn IP Source Routing off Allow IP Datagram Forwarding only when needed Don't leave PPP or SLIP lines waiting in answer state 57

58 IBM i Packet Security IP Packet Filtering can be used to PERMIT or DENY based on the packet characteristics Source and Destination IP Address Source and Destination IP Port Protocol Packet Direction Packet Fragments IP Network Address Translation (NAT) Can be used to hide private network behind a single public IP Interface (address) 58

59 IP filtering and network address translation... How Do You Use It: inavigator: (system)->network->ip Policies->Packet Rules Select Rules Editor from context menu. Wizards pull down has three selections. Many other features... 59

60 Client Device (workstation) Security 60

61 Client Security Most common client workstations today are: Microsoft Windows Windows XP Windows 7 Apple Some flavor of LINUX SUSE, Redhat, and others Smart Phones 61

62 Client Security What s required Antivirus Software & Client personal Firewall Norton McAfee Panda Trendmicro Lot s of others Plus many versions of free-ware Spyware & Adware prevention 62

63 Client Security Antivirus and Client Firewall Antivirus Software & Client personal Firewall Antivirus Software Analyze data files or attachments looking for known attacks live update of Antivirus Software loads the latest known attack patterns Personal firewall Prevents both unwanted inbound and outbound activity (traffic) to/from the network Most firewalls provide warnings when detected 63

64 Client Security Virtual Private Network Connection Many companies require a Virtual Private Network (VPN) connection to access the internal corporate network from external VPN Client Software A VPN provides a secure connection over the internet Network traffic is encrypted (scrambled) to prevent the ability for someone to view, thus steal, the data Two factor authentication To access the internal corporate network, often times a company will setup and require another form, beyond password, of authentication Time based keyfob, smartcards, biometrics (finger print scan, etc) 64

65 Secure Socket Layer (SSL) connection For remote connections to/from your system: Use SSL enabled versions of the client connection applications (Telnet, FTP, etc) What is SSL? Similar to a VPN but implemented at the application layer. Only the SSL enabled application flow will be encrypted. A mixture of SSL enabled and non-ssl enabled applications can be run from the system 65

66 Additional Things to Know 66

67 IBM i Security tools Many security reporting tools exist for the IBM i Run "GO SECTOOLS" from command entry Run the report generation security tools Security tool commands produce reports that can be used to manage security and look for security holes 67

68 IBM i Partners Numerous IBM i partners provide additional tools Reporting & Monitoring Security Configuration Encryption Network Security Authentication/Biometrics IBM i Security website:

69 Summary Run at security level 50 Set the security related System Values and lock them down Use the Security Audit Journal Protect your sensitive objects with object security Use Firewalls and intrusion monitors 69

70 70

71 Special notices This document was developed for IBM offerings in the United States as of the date of publication. IBM may not make these offerings available in other countries, and the information is subject to change without notice. Consult your local IBM business contact for information on the IBM offerings available in your area. Information in this document concerning non-ibm products was obtained from the suppliers of these products or other public sources. Questions on the capabilities of non-ibm products should be addressed to the suppliers of those products. IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. Send license inquires, in writing, to IBM Director of Licensing, IBM Corporation, New Castle Drive, Armonk, NY USA. All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. The information contained in this document has not been submitted to any formal IBM test and is provided "AS IS" with no warranties or guarantees either expressed or implied. All examples cited or described in this document are presented as illustrations of the manner in which some IBM products can be used and the results that may be achieved. Actual environmental costs and performance characteristics will vary depending on individual client configurations and conditions. IBM Global Financing offerings are provided through IBM Credit Corporation in the United States and other IBM subsidiaries and divisions worldwide to qualified commercial and government clients. Rates are based on a client's credit rating, financing terms, offering type, equipment type and options, and may vary by country. Other restrictions may apply. Rates and offerings are subject to change, extension or withdrawal without notice. IBM is not responsible for printing errors in this document that result in pricing or information inaccuracies. All prices shown are IBM's United States suggested list prices and are subject to change without notice; reseller prices may vary. IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply. Any performance data contained in this document was determined in a controlled environment. Actual results may vary significantly and are dependent on many factors including system hardware configuration and software design and configuration. Some measurements quoted in this document may have been made on development-level systems. There is no guarantee these measurements will be the same on generallyavailable systems. Some measurements quoted in this document may have been estimated through extrapolation. Users of this document should verify the applicable data for their specific environment. Revised September 26,

72 Special notices (cont.) IBM, the IBM logo, ibm.com AIX, AIX (logo), AIX 5L, AIX 6 (logo), AS/400, BladeCenter, Blue Gene, ClusterProven, DB2, ESCON, i5/os, i5/os (logo), IBM Business Partner (logo), IntelliStation, LoadLeveler, Lotus, Lotus Notes, Notes, Operating System/400, OS/400, PartnerLink, PartnerWorld, PowerPC, pseries, Rational, RISC System/6000, RS/6000, THINK, Tivoli, Tivoli (logo), Tivoli Management Environment, WebSphere, xseries, z/os, zseries, Active Memory, Balanced Warehouse, CacheFlow, Cool Blue, IBM Systems Director VMControl, purescale, TurboCore, Chiphopper, Cloudscape, DB2 Universal Database, DS4000, DS6000, DS8000, EnergyScale, Enterprise Workload Manager, General Parallel File System,, GPFS, HACMP, HACMP/6000, HASM, IBM Systems Director Active Energy Manager, iseries, Micro-Partitioning, POWER, PowerExecutive, PowerVM, PowerVM (logo), PowerHA, Power Architecture, Power Everywhere, Power Family, POWER Hypervisor, Power Systems, Power Systems (logo), Power Systems Software, Power Systems Software (logo), POWER2, POWER3, POWER4, POWER4+, POWER5, POWER5+, POWER6, POWER6+, POWER7, System i, System p, System p5, System Storage, System z, TME 10, Workload Partitions Manager and X-Architecture are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol ( or ), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A full list of U.S. trademarks owned by IBM may be found at: Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries. AltiVec is a trademark of Freescale Semiconductor, Inc. AMD Opteron is a trademark of Advanced Micro Devices, Inc. InfiniBand, InfiniBand Trade Association and the InfiniBand design marks are trademarks and/or service marks of the InfiniBand Trade Association. Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates. Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries or both. Microsoft, Windows and the Windows logo are registered trademarks of Microsoft Corporation in the United States, other countries or both. NetBench is a registered trademark of Ziff Davis Media in the United States, other countries or both. SPECint, SPECfp, SPECjbb, SPECweb, SPECjAppServer, SPEC OMP, SPECviewperf, SPECapc, SPEChpc, SPECjvm, SPECmail, SPECimap and SPECsfs are trademarks of the Standard Performance Evaluation Corp (SPEC). The Power Architecture and Power.org wordmarks and the Power and Power.org logos and related marks are trademarks and service marks licensed by Power.org. TPC-C and TPC-H are trademarks of the Transaction Performance Processing Council (TPPC). UNIX is a registered trademark of The Open Group in the United States, other countries or both. Other company, product and service names may be trademarks or service marks of others. Revised December 2,