IBM United States Software Announcement 205-243
September 27, 2005

IBM Encryption Facility for z/OS, V1.1 helps to secure data stored to tape and other removable media

Overview

Businesses today are focused on the importance of securing customer and business data. Increasing regulatory requirements are driving the need for the security of data. Encryption is a powerful and widely used technology that helps protect data from loss and inadvertent or deliberate compromise. The IBM Encryption Facility for z/OS can help address these requirements.

The Encryption Facility consists of two priced optional features: the IBM Encryption Services feature and the IBM DFSMSdss Encryption feature.

The Encryption Services feature supports encrypting and decrypting certain file formats on z/OS. This can allow you to transfer them to remote sites within your enterprise, transfer them to partners and vendors, and archive them.

The DFSMSdss Encryption feature enables the encryption of DFSMSdss dump data sets.

Both features are designed to support hardware-accelerated compression before encryption. Both features are intended to use state-of-the-art encryption and centralized key management capabilities provided by functions of z/OS and features of IBM System z9 and zSeries servers to help secure data stored to tape and other removable media.

Also, a Java-based, Web-downloaded program, the IBM Encryption Facility for z/OS Client, is available. This separately licensed program can be used to decrypt data encrypted by the Encryption Services feature running on z/OS, and to encrypt data to be decrypted using the Encryption Services feature running on z/OS. This can allow you to exchange encrypted data between z/OS systems and other operating systems.

Key prerequisites

Refer to the Technical information section in the Supplemental information.

Planned availability dates

October 28, 2005: IBM Encryption Services feature
December 2, 2005: IBM DFSMSdss Encryption feature

At a glance

IBM Encryption Facility for z/OS can help you:
- Secure business and customer data
- Address regulatory requirements
- Protect data from loss and inadvertent or deliberate compromise
- Enable sharing of sensitive information across platforms with partners, vendors, and customers
- Enable decrypting and encrypting of data to be exchanged between z/OS and non-z/OS platforms

IBM's world-class software support service for IBM Encryption Facility for z/OS is available 24 hours a day, every day.

For ordering, contact your IBM representative, an IBM Business Partner, or the Americas Call Centers at 800-IBM-CALL. Reference: LE001

This announcement is provided for your information only. For additional information, contact your IBM representative, call 800-IBM-4YOU, or visit the IBM home page at http://www.ibm.com. IBM is a registered trademark of International Business Machines Corporation.
Description

The Encryption Facility for z/OS is designed to address the requirements of z/OS customers to encrypt files for archive or for transfer purposes. Encryption Facility for z/OS consists of two priced optional features:

- The Encryption Services feature supports encrypting and decrypting certain file formats on z/OS. This can allow you to transfer them to remote sites within your enterprise, transfer them to partners and vendors, and archive them. This feature supports hardware-accelerated compression before encryption.
- The DFSMSdss Encryption feature enables the encryption of DFSMSdss dump data sets. This feature supports hardware-accelerated compression before encryption to tape.

The Encryption Facility for z/OS is supported on z/OS and z/OS.e releases V1.4, V1.5, V1.6, and V1.7 running on System z9 and zSeries servers. Both features can use the state-of-the-art encryption and centralized key management capabilities provided by functions of z/OS and features of System z9 and zSeries servers to help secure data stored to tape and other removable media.

Encryption Services feature

The Encryption Services feature can allow you to encrypt data written to tape and other removable media. This can help you share sensitive information across platforms with partners, vendors, and customers. You can also use the feature to encrypt certain files for archival. This feature can use the z/OS key management and access authentication capabilities provided within the Integrated Cryptographic Service Facility (ICSF) and the hardware compression and hardware cryptographic capabilities of System z9 and zSeries servers. The hardware cryptographic functions may require the configuration of one or more optional priced features on most IBM System z9 and zSeries processors.

The feature supports data encryption using TDES triple-length keys or 128-bit AES keys. RSA public/private keys can be specified to wrap and unwrap the AES and TDES data keys used to encrypt the file. The wrapped key is stored in the file header. With this technique, each file can be encrypted under a different data key, and because the header carries that file's own wrapped key, each file is expected to remain readable even after years of archived storage as long as the corresponding RSA private key is retained. The feature also supports a password-based key derivation scheme in place of RSA key wrapping.

The feature supports input from physical sequential files, from members of partitioned data sets (PDS) and partitioned data set extended (PDSE) data sets, and from files stored in z/OS UNIX System Services file systems. It can optionally compress input files before encrypting them and writing the output files. It can also use the large block interface for output files written to tape, to help optimize performance and media space.

The feature consists of two major functions, one to encrypt files and the other to decrypt files. Both functions can leverage the centralized z/OS key management and access authentication capabilities provided within ICSF and the hardware cryptographic and hardware compression capabilities of System z9 and zSeries servers. Some hardware cryptographic functions require the configuration of one or more optional priced features on most IBM System z9 and zSeries servers. Sample JCL to invoke each program will be provided.

You can specify several options when using the Encryption Facility. The availability of some options depends on the hardware, hardware cryptographic features, and ICSF features installed. These options include:

Description of input file: Written to the output file directly, bypassing encryption, to be used later, if needed, to help identify the source of the encrypted data contained in the output file.
Key type: Information about the encrypting key to be generated, including 3-key TDES, clear 128-bit AES, and secure 3-key TDES.
Key protection: The method used to generate and protect the data-encrypting key, either RSA or password.
Iteration count: The number of iterations of the SHA-1 hash performed in the generation of the data key and the initial chaining vector (ICV) for encryption when using a password. Each additional iteration adds the same cost to every offline guess of the password, so a higher count is the control that slows password guessing.
Compression: Whether or not to perform compression prior to encryption. (Note: The Encryption Facility for z/OS Client will not process compressed tapes.)

DFSMSdss Encryption feature

The DFSMSdss Encryption feature can allow you to encrypt DFSMSdss dump data sets written to tape and DASD. This feature is designed to use the z/OS key management and access authentication capabilities provided within ICSF and the hardware cryptographic and compression capabilities of System z9 and zSeries servers. The hardware cryptographic functions require the configuration of one or more optional priced features on most IBM System z9 and zSeries processors.

DFSMSdss Encryption supports encryption of data using TDES triple-length keys or 128-bit AES keys. Like the Encryption Services feature, this feature supports the use of RSA public/private keys to wrap and unwrap the AES and TDES data keys used to encrypt files, as well as AES and TDES key generation from a specified password. You can also specify that DFSMSdss is to compress data before encrypting it.

The feature includes two functions, one to encrypt data while processing DUMP commands and the other to decrypt it while processing RESTORE commands. You can specify several options when using this feature. The availability of some options depends on the hardware, hardware cryptographic features, and ICSF features installed. These options include:

Key type: Information about the encrypting key to be generated, including 3-key TDES, clear 128-bit AES, and secure 3-key TDES.
Key protection: The method used to generate and protect the data-encrypting key, either RSA or password.
Compression: Whether or not to perform compression prior to encryption.

DFSMShsm will exploit the encryption support provided by DFSMSdss Encryption in the DFSMShsm full-volume dump function and the associated restore functions, including both full-volume and data set-level restore.

Encryption Facility for z/OS Client

The Encryption Facility for z/OS Client, a separately licensed program (offered as is, with no warranty), is written in Java and can be used on multiple platforms. It is designed to enable the exchange of encrypted data between z/OS systems that have the Encryption Facility installed and systems running on other platforms that provide the needed supported functions. The Encryption Facility for z/OS Client is designed to:
- Decrypt data that was created on a z/OS system using the Encryption Facility
- Encrypt data to be sent to a z/OS system, where the file will be decrypted using the Encryption Facility

Starting on October 28, 2005, you can download the Encryption Facility for z/OS Client from http://www.ibm.com/servers/eserver/zseries/zos/downloads/

Note: Data that is to be processed using the Encryption Facility Client cannot be created using compression.

Section 508 of the U.S. Rehabilitation Act

IBM Encryption Facility for z/OS, V1.1 is capable as of October 28, 2005, when used in accordance with IBM's associated documentation, of satisfying the applicable requirements of Section 508 of the Rehabilitation Act, provided that any assistive technology used with the product properly interoperates with it. A U.S. Section 508 Voluntary Product Accessibility Template (VPAT) can be requested via IBM's Web site at http://www-3.ibm.com/able/product_accessibility/index.html

Product positioning

Helping to protect data from loss and inadvertent or deliberate compromise is a critical concern for businesses. To help address this issue, IBM Encryption Facility for z/OS extends the scope of IBM's mainframe encryption capabilities to removable media. You can leverage the robust centralized capabilities of z/OS ICSF and mainframe cryptographic hardware to generate, maintain, and store key data. In addition, z/OS Security Server (RACF), or a comparable product, can provide highly secure access management and auditability for key management tasks.
Together these elements create a powerful centralized encryption solution.

Statement of direction

IBM plans to provide an enhancement to the IBM System z9 109 Crypto Express2 feature in 2006 that will be designed to enable remote loading of initial keys for Automatic Teller Machines (ATMs), Point of Sale terminals, and other similar devices, in which the distributed keys are protected using public-key cryptographic techniques. Remote loading of these keys may help provide a more secure and cost-effective alternative to local loading of keys by couriers. This enhancement is planned to support public-key based distribution of initial cryptographic keys, which is intended to be similar to that expected to be defined in the new ANSI X9.24-2 standard currently under development. In addition, the enhancement is planned to provide improved methods for exchanging Data Encryption Standard (DES) and Triple-DES keys with non-IBM cryptographic systems.

The following statement of direction was published in Hardware Announcement 105-241, dated July 27, 2005:

IBM TotalStorage encryption: To address customers' growing concern with data security, IBM is planning for the development, enhancement, and support of encryption capabilities within storage environments such that the capability does not require the use of host server resources (so-called outboard encryption capabilities). This includes the intent to offer, among other things, capabilities for products within the IBM TotalStorage portfolio to support outboard encryption and to leverage the key management functions provided by the Integrated Cryptographic Service Facility (ICSF).

All statements regarding IBM's plans, directions, and intent are subject to change or withdrawal without notice.

Hardware and software support services

SmoothStart/Installation Services: IBM offers a number of remote and on-site IBM SmoothStart, Operational Support, Migration, and Installation Services designed to accelerate productive use of the IBM Encryption Facility for z/OS solution. These services are provided by IBM or an IBM Business Partner at an additional charge. For additional information, contact an IBM representative and ask for IGS services for Encryption Facility for z/OS.

Reference information

Software Announcement 205-167, dated July 27, 2005 (IBM z/OS V1.7 delivers advances in business resiliency and security)
Software Announcement 205-169, dated July 27, 2005 (IBM z/OS.e V1.7 brings new levels of affordability to enterprise and Web-based applications)

Business Partner information

If you are a Direct Reseller - System Reseller acquiring products from IBM, you may link directly to Business Partner information for this announcement. A PartnerWorld ID and password are required (use IBM ID).

BP Attachment for Announcement Letter 205-243: https://www.ibm.com/partnerworld/mem/sla.jsp?num=205-243

Trademarks

DFSMSdss, System z9, DFSMShsm, and SmoothStart are trademarks of International Business Machines Corporation in the United States or other countries or both. z/OS, zSeries, RACF, and TotalStorage are registered trademarks of International Business Machines Corporation in the United States or other countries or both. Java is a trademark of Sun Microsystems, Inc. UNIX is a registered trademark of The Open Group in the United States and other countries. Other company, product, and service names may be trademarks or service marks of others.
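The two key-protection options described under Description above (an RSA-wrapped per-file data key carried in the file header, or a data key and ICV derived from a password with a stored iteration count), shown as an added example. This is illustration code written for this page, not IBM's code, and it does not reproduce the Encryption Facility's on-media format: the header layout, RSA-OAEP as the wrapping transform, AES-CTR as the data cipher (the letter's ICV implies a chaining mode; CTR with a random IV is a simplification here), and the exact iterated-SHA-1 construction are all assumptions.

```go
package main

// Added example, not IBM code: a per-file AES-128 data key, RSA-wrapped or
// password-derived, travels in a header ahead of the ciphertext. The header
// layout, RSA-OAEP, AES-CTR and the iterated-SHA-1 derivation are assumptions.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"errors"
	"fmt"
)

const MethodRSA, MethodPassword byte = 1, 2 // key protection: RSA-wrapped or password-derived

// Header holds everything a reader needs except the long-term secret (RSA private key or password).
type Header struct {
	Method     byte
	Iterations uint32 // SHA-1 iteration count (password method only)
	Salt       []byte // per-file salt (password method only)
	WrappedKey []byte // RSA-wrapped data key (RSA method only)
	IV         []byte // initial chaining vector (RSA method; derived for password)
}

// crypt runs AES-CTR keyed by the data key and seeded by the IV; it is its own
// inverse. Nothing here authenticates the data: a wrong key or password yields garbage.
func crypt(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

// deriveKeyIV hashes salt||password with SHA-1 and re-hashes the result until
// iterations hashes have run (always at least one); the count is what slows guessing.
func deriveKeyIV(password string, salt []byte, iterations uint32) (key, iv []byte) {
	h := sha1.Sum(append(append([]byte{}, salt...), password...))
	for i := uint32(1); i < iterations; i++ {
		h = sha1.Sum(h[:])
	}
	ivh := sha1.Sum(h[:]) // one hash further, so the ICV is not a prefix of the key
	return h[:16], ivh[:16]
}

// Encrypt uses a fresh random data key per file. With pub set the key is
// RSA-wrapped (many files, many keys, one private key to keep); otherwise key
// and ICV come from the password, and a random salt keeps two files distinct.
func Encrypt(pub *rsa.PublicKey, password string, iterations uint32, plaintext []byte) (Header, []byte, error) {
	buf := make([]byte, 32) // data key || IV for RSA; the first half is the salt for password
	if _, err := rand.Read(buf); err != nil {
		return Header{}, nil, err
	}
	key, iv := buf[:16], buf[16:]
	h := Header{Method: MethodPassword, Iterations: iterations, Salt: buf[:16]}
	if pub != nil {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
		if err != nil {
			return Header{}, nil, err
		}
		h = Header{Method: MethodRSA, WrappedKey: wrapped, IV: iv}
	} else {
		key, iv = deriveKeyIV(password, h.Salt, iterations)
	}
	ct, err := crypt(key, iv, plaintext)
	return h, ct, err
}

// Decrypt recovers the data key with whichever long-term secret the header names.
func Decrypt(h Header, ct []byte, priv *rsa.PrivateKey, password string) ([]byte, error) {
	switch h.Method {
	case MethodPassword:
		key, iv := deriveKeyIV(password, h.Salt, h.Iterations)
		return crypt(key, iv, ct)
	case MethodRSA:
		if priv == nil {
			return nil, errors.New("RSA private key required to unwrap the data key")
		}
		key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, h.WrappedKey, nil)
		if err != nil {
			return nil, err
		}
		return crypt(key, h.IV, ct)
	}
	return nil, errors.New("unknown key protection method")
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	h, ct, _ := Encrypt(&priv.PublicKey, "", 0, []byte("constructed sample record")) // constructed input
	pt, err := Decrypt(h, ct, priv, "")
	fmt.Printf("%s %v\n", pt, err)
}
```

Run it with go run. Two points the code makes that the prose only implies: the RSA private key is the single long-term secret, so the header of a file archived under any of many data keys is enough to recover it years later; and the iteration count must be stored with the data, since the reader has to repeat exactly that many hashes. Neither this example nor the options listed in the announcement include an integrity check, so a wrong password or a corrupted wrapped key surfaces as garbage output rather than an error; pair the scheme with a MAC or a hash of the plaintext in practice.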
IBM United States Announcement Supplemental Information
September 27, 2005

Technical information

Specified operating environment

Hardware requirements: The Encryption Services and the DFSMSdss Encryption features of the Encryption Facility for z/OS run on the following IBM servers:
- System z9 109 (z9-109), or equivalent
- zSeries z900 or z990, or equivalent
- zSeries z800 or z890, or equivalent

The cryptographic options have the following requirements:
- For the PASSWORD option, use one of the following: CPACF only; CCF.
- For Clear-TDES and Clear-AES128 (no ENCTDES), use one of the following: CPACF only, or CPACF with PCIXCC/CEX2C; CCF, or CCF with PCICC.
- For 2048-bit keys, use one of the following: CEX2C with Licensed Internal Code (LIC) at or above the January 2005 level; PCIXCC with LIC at or above the January 2005 level.
- For RSA keys generated through RACF using ICSF, or directly through ICSF, use one of the following: CEX2C; PCIXCC; PCICC.
- For 1024-bit ME keys generated through RACF BSAFE and imported into ICSF, a CCF is required.

Note: Performance for secure key (ENCTDES option) is much slower than for clear key (CLEAR-TDES or CLEAR-AES128). This can be mitigated by overriding the ENCTDES option to use the CLEAR-* options. The trade-off is that a secure key leaves the cryptographic coprocessor only in encrypted form, whereas a clear key is present in host storage while CPACF uses it; choose the clear-key options only where that exposure is acceptable.

Software requirements: The Encryption Services and the DFSMSdss Encryption features of the Encryption Facility for z/OS require the following:
- z/OS (5694-A01) or z/OS.e (5655-G52) V1.4 or higher
- PTF for z/OS DFSMS APAR OA09868
- z/OS Cryptographic Services Integrated Cryptographic Service Facility with the z990 Cryptographic Support Web deliverable (FMID HCR770A) or later. Some hardware features require the z990 and z890 Enhancements to Cryptographic Support Web deliverable (FMID HCR770B).
- The optional PTF for APAR OA13030 is required to: use the RACF RACDCERT command to allow the storage of RSA public keys in the ICSF PKDS; specify the PKDS labels to be used when storing public or private keys in the PKDS; list the PKDS labels of existing certificates.

The DFSMSdss Encryption feature requires one of the following:
1. The DFSMShsm/DFSMSdss combination priced feature of z/OS V1.4 or z/OS.e V1.4 or higher, with the PTF for z/OS DFSMSdss APAR OA13300 and the PTF for z/OS DFSMShsm APAR OA13453
2. The DFSMSdss priced feature of z/OS V1.4 or z/OS.e V1.4 or higher, with the PTF for z/OS DFSMSdss APAR OA13300

Check the preventive service planning (PSP) bucket, ZOSEFV1R1, for additional planning information.

The Encryption Facility Client requires the following:

To run on z/OS, one of the following is required:
- IBM SDK for z/OS, Java 2 Technology Edition, 5655-I56, at PTF UQ90449 or higher (SDK 1.4.2)
- IBM Developer Kit for OS/390, Java 2 Technology Edition, 5655-D35, at PTF UQ88094 or higher (SDK 1.3.1)

To run on other platforms, one of the following is required:
- Sun SDK 5.0
- An IBM JVM at SDK 1.4.2
- A JVM with a JCE cryptographic provider installed that supports all the required algorithms. Refer to the Encryption Facility Client documentation for details on the algorithms, modes, and padding schemes needed.

For information about Java on z/OS, visit http://www.ibm.com/servers/eserver/zseries/software/java/

User group requirements: This announcement satisfies or partially satisfies the following requirements:
MR0517052438 Provide for encryption of data sets at rest
MR0609055721 Provide for encryption of data sets at rest
MR0517054128 Provide for encryption of data sets at rest
MR0824045419 Provide for encryption of data sets at rest
MR0815032146 New function request for encryption and decryption of IMS LOG and so forth
MR0928042144 Requirement for IDCAMS to support encryption

Planning information

Direct customer support: Direct customer support is provided by IBM Operational Support Services SoftwareXcel Enterprise Edition or SoftwareXcel Basic Edition. These fee services can enhance your productivity by providing voice and electronic access into the IBM support organization. IBM Operational Support Services SoftwareXcel Enterprise Edition or SoftwareXcel Basic Edition will help answer questions pertaining to usage, how-to, and suspected software defects for eligible products. Installation and technical support is provided by IBM Global Services. For more information on services, call 888-426-4343. To obtain information on customer eligibility and registration procedures, contact the appropriate support center.

Security, auditability, and control

The customer is responsible for evaluation, selection, and implementation of security features, administrative procedures, and appropriate controls in application systems and communication facilities.

Ordering information

Ordering z/OS through the Internet: ShopzSeries provides an easy way to plan and order your z/OS ServerPac or CBPDO. It will analyze your current installation, determine the correct product migration, and present your new configuration based on z/OS. Additional products can also be added to your order (including determination of whether all product requisites are satisfied). ShopzSeries is available in the U.S., Canada, and several countries in Europe. In countries where ShopzSeries is not available yet, contact your IBM representative (or IBM Business Partner) to handle your order via the traditional IBM ordering process. For more details and availability, visit the ShopzSeries Web site at http://www14.software.ibm.com/webapp/ShopzSeries/ShopzSeries.jsp

New licensees: Orders for new licenses can be placed now.
Registered customers can access IBMLink for ordering information and charges.

The IBM Encryption Facility for z/OS, V1.1 (5655-P97) consists of the following orderable features:
- IBM Encryption Facility for z/OS, V1.1 Encryption Services, which will become generally available October 28, 2005
- IBM Encryption Facility for z/OS, V1.1 DFSMSdss Encryption, which will become generally available December 2, 2005

Shipment will not occur before the availability date. The IBM Encryption Facility for z/OS, V1.1 product is shipped only via Customized Offerings (CBPDO, ServerPac, SystemPac, and ProductPac).

Basic license: To order a basic license, specify the IBM Encryption Facility for z/OS program number (5655-P97).

Parallel Sysplex License Charge (PSLC) basic license: To order a basic license, specify the program number and quantity of Service Units in Millions (MSUs). If there is more than one program copy in a Parallel Sysplex, the charge for all copies is associated to one license by specifying the applicable PSLC license options and quantity represented by the sum of the MSUs in your Parallel Sysplex. For all other program copies, specify the System Usage Registration No-Charge (SYSUSGREG NC) Identifier on the licenses.

S01243R  Basic MLC, PSLC below 3 MSU; Basic MLC, PSLC AD; SYSUSGREG NC, PSLC AD
         Note: Facil Encrypt Ser is the short name
S01256T  Basic MLC, PSLC below 3 MSU; Basic MLC, PSLC AD; SYSUSGREG NC, PSLC AD
         Note: Facil dss Encrypt is the short name

Workload License Charge (WLC) basic license: If there is more than one program copy in a Parallel Sysplex, the charge for all copies is associated to one license by specifying the applicable WLC license options and quantity represented by the sum of the Service Units in Millions (MSUs) in your Parallel Sysplex. For all other program copies, specify the Workload Registration Variable WLC Identifier on the licenses.

S01243R  Basic MLC, Variable WLC; Workload Registration, Variable WLC
         Note: Facil Encrypt Ser is the short name
S01256T  Basic MLC, Variable WLC; Workload Registration, Variable WLC
         Note: Facil dss Encrypt is the short name

Entry Workload License Charge (EWLC) basic license: To order a basic license, specify the program number and the quantity of MSUs.

S01243R  Basic MLC, Entry WLC
         Note: Facil Encrypt Ser is the short name
S01256T  Basic MLC, Entry WLC
         Note: Facil dss Encrypt is the short name

Growth Opportunity License Charge (GOLC): To order a basic license, specify the program number and the correct level. Specify the GOLC monthly license option.

S01243R  Basic MLC, GOLC
         Note: Facil Encrypt Ser is the short name
S01256T  Basic MLC, GOLC
         Note: Facil dss Encrypt is the short name

zSeries Entry License Charge (zELC): To order zELC software, specify the program number and z800 model. Specify the zELC monthly license option.

S01243R  Basic MLC, zELC
         Note: Facil Encrypt Ser is the short name
S01256T  Basic MLC, zELC
         Note: Facil dss Encrypt is the short name

Basic machine-readable material

Orderable supply ID   Language       Distribution medium        Description
S0123M5               U.S. English   Refer to media type note   Encryption Facility for z/OS
                      Note: Facil Encrypt Ser is the short name
                      Note: The media type is chosen during customized offering ordering.
S01256V               U.S. English   Refer to media type note   Encryption Facility for z/OS
                      Note: Facil dss Encrypt is the short name
                      Note: The media type is chosen during customized offering ordering.

Customization options: Select the appropriate feature numbers to customize your order to specify the delivery options desired. These features can be specified on the initial or MES orders. Example: If publications are not desired for the initial order, specify feature number 3470 to ship media only. For future updates, specify feature number 3480 to ship media updates only. If, in the future, publication updates are required, order an MES to remove feature number 3480; then, the publications will ship with the next release of the program.

Initial shipments
Description                                                            Feature number
Serial Number Only (suppresses shipment of media and documentation)    3444
Ship Media Only (suppresses initial shipment of documentation)         3470
Ship Documentation Only (suppresses initial shipment of media)         3471

Update shipments
Description                                                            Feature number
Ship Media Updates Only (suppresses update shipment of documentation)  3480
Ship Documentation Only (suppresses update shipment of media)          3481
Suppress Updates (suppresses update shipment of media and documentation)  3482

Expedite shipments
Description                                                            Feature number
Local IBM Office Expedite (for IBM use only)                           3445
Customer Expedite Process Charge ($30 charge for each product)         3446

Unlicensed documentation: A program directory and one copy of the following publications are supplied automatically with the basic machine-readable material:

Title                                                             Publication number
IBM Encryption Facility for z/OS Program Directory                GI10-0771
IBM Encryption Facility for z/OS Licensed Program Specification   GA76-0405

The following publications are available in softcopy at http://www.ibm.com/shop/publications/order

Title                                                             Publication number
IBM Encryption Facility for z/OS User's Guide                     SA23-1349
IBM Encryption Facility for z/OS Licensed Program Specification   GA76-0405

Refer to the IBM Publications Center Web site for more information about publication ordering: http://www.ibm.com/shop/publications/order

Customized offerings: Most product media is shipped only via customized offerings (that is, CBPDO, ServerPac, SystemPac).

Terms and conditions

Agreement: IBM Customer Agreement
Variable charges apply: No
Indexed monthly license charge (IMLC) applies: No
Location license applies: No
Use limitation applies: No
Educational allowance available: Yes, a 15% education allowance applies to qualified education institution customers.
Volume orders: Not applicable
Warranty applies: Yes

Licensed program materials availability
Restricted Materials of IBM: Some
Non-Restricted Source Materials: Some
Object Code Only (OCO): Some

Program services
Support Center applies: Yes
Available until discontinued: 12 months written notice
IBM Operational Support Services SupportLine: Yes

IBM Electronic Services

IBM Global Services has transformed its delivery of hardware and software support services to put you on the road to higher systems availability.
IBM Electronic Services is a Web-enabled solution that provides you with an exclusive, no-additional-charge enhancement to the service and support on the IBM eServer. You should benefit from greater system availability due to faster problem resolution and preemptive monitoring. IBM Electronic Services is comprised of two separate, but complementary, elements: the IBM Electronic Services news page and the IBM Electronic Service Agent.

The IBM Electronic Services news page provides you with a single Internet entry point that replaces the multiple entry points traditionally used by customers to access IBM Internet services and support. The news page enables you to gain easier access to IBM resources for assistance in resolving technical problems.

The IBM Electronic Service Agent is no-additional-charge software that resides on your IBM system. It is designed to proactively monitor events and transmit system inventory information to IBM on a periodic, customer-defined timetable. The IBM Electronic Service Agent tracks system inventory, hardware error logs, and performance information. If the server is under a current IBM maintenance service agreement or within the IBM warranty period, the Service Agent automatically reports hardware problems to IBM. Early knowledge about potential problems enables IBM to provide proactive service that maintains higher system availability and performance. In addition, information collected through the Service Agent will be made available to IBM service support representatives when they are helping answer your questions or diagnosing problems.

To learn how IBM Electronic Services can work for you, visit http://www.ibm.com/support/electronic

Prices

Growth Opportunity License Charge (GOLC)
S01243R  Basic MLC, GOLC
         Note: Facil Encrypt Ser is the short name
S01256T  Basic MLC, GOLC
         Note: Facil dss Encrypt is the short name

zSeries Entry License Charge (zELC)
S01243R  Basic MLC, zELC
         Note: Facil Encrypt Ser is the short name
         z800 models: 110, 001, 0E1, 0A2, 0X2, 002, 0A1, 003, 0B1, 004, 0C1
S01256T  Basic MLC, zELC
         Note: Facil dss Encrypt is the short name
         z800 models: 110, 001, 0E1, 0A2, 0X2, 002, 0A1, 003, 0B1, 004, 0C1

Parallel Sysplex License Charge (PSLC)
S01243R  Basic MLC, PSLC below 3 MSU; Basic MLC, PSLC AD; SYSUSGREG NC, PSLC AD
         Note: Facil Encrypt Ser is the short name
S01256T  Basic MLC, PSLC below 3 MSU; Basic MLC, PSLC AD; SYSUSGREG NC, PSLC AD
         Note: Facil dss Encrypt is the short name

Variable Workload License Charges
S01243R  Basic MLC, Variable WLC; Workload Registration, Variable WLC
         Note: Facil Encrypt Ser is the short name
S01256T  Basic MLC, Variable WLC; Workload Registration, Variable WLC
         Note: Facil dss Encrypt is the short name

Sub-capacity charges for VWLC products: IBM Encryption Facility for z/OS, V1.1 is eligible for sub-capacity WLC and EWLC pricing according to the terms in the Attachment for IBM System z9 and zSeries Workload License Charges (Z125-6516) and the Attachment for IBM zSeries 890 and 800 Software License Charges (Z125-6587).

Entry Workload License Charge (EWLC)
S01243R  Basic MLC, Entry WLC
         Note: Facil Encrypt Ser is the short name
S01256T  Basic MLC, Entry WLC
         Note: Facil dss Encrypt is the short name

Order now

To order, contact the Americas Call Centers, your local IBM representative, or your IBM Business Partner. To identify your local IBM representative or IBM Business Partner, call 800-IBM-4YOU (426-4968).

Phone: 800-IBM-CALL (426-2255)
Fax: 800-2IBM-FAX (242-6329)
Internet: ibm_direct@vnet.ibm.com
Mail: IBM Americas Call Centers, Dept: IBM CALL, 11th Floor, 105 Moatfield Drive, North York, Ontario, Canada M3B 3R1
Reference: LE001

The Americas Call Centers, our national direct marketing organization, can add your name to the mailing list for catalogs of IBM products.

Note: Shipments will begin after the planned availability date.

Trademarks

DFSMSdss, System z9, DFSMShsm, IMS, IBMLink, and Electronic Service Agent are trademarks of International Business Machines Corporation in the United States or other countries or both. z/OS, zSeries, RACF, OS/390, eServer, ProductPac, SystemPac, and Parallel Sysplex are registered trademarks of International Business Machines Corporation in the United States or other countries or both. Java is a trademark of Sun Microsystems, Inc. Other company, product, and service names may be trademarks or service marks of others.