Page 1: PKZIP SecureZIP for z/OS - CacheFly · SecureZIP for z/OS uses the widely-adopted ZIP format and creates files that can be accessed on all major platforms throughout the enterprise.

PKZIP®/SecureZIP® for z/OS®

System Administrator’s Guide

SZZSA- V111R0002

PKWARE Inc.


PKWARE, Inc.
648 N Plankinton Avenue, Suite 220
Milwaukee, WI 53203

Main office: 888-4PKWARE (888-475-9273)
Sales: 937-847-2374 (888-4PKWARE / 888-475-9273)
Sales - E-Mail: [email protected]
Support: 937-847-2687
Support - http://www.pkware.com/support/mainframe
Web Site: http://www.pkware.com

11.1 Edition (2009)

SecureZIP for z/OS, PKZIP for z/OS, SecureZIP for i5/OS®, PKZIP for i5/OS, SecureZIP for UNIX, and SecureZIP for Windows are just a few of the members of the PKWARE product family. PKWARE Inc. would like to thank all the individuals and companies—including our customers, resellers, distributors, and technology partners—who have helped make PKZIP the industry standard for trusted ZIP solutions. SecureZIP enables our customers to efficiently and securely transmit and store information across systems of all sizes, ranging from desktops to mainframes.

This edition applies to the following PKWARE Inc. licensed programs:

PKZIP for z/OS (Version 11, Release 1, 2009)
SecureZIP for z/OS (Version 11, Release 1, 2009)
SecureZIP Partner for z/OS (Version 11, Release 1, 2009)

PKWARE, PKZIP, and SecureZIP are registered trademarks of PKWARE, Inc. z/OS, i5/OS, zSeries, and iSeries are registered trademarks of IBM Corporation. Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.

Any reference to licensed programs or other material, belonging to any company, is not intended to state or imply that such programs or material are available or may be used. The copyright in this work is owned by PKWARE Inc., and the document is issued in confidence for the purpose only for which it is supplied. It must not be reproduced in whole or in part or used for tendering purposes except under an agreement or with the consent in writing of PKWARE Inc., and then only on condition that this notice is included in any such reproduction.

No information as to the contents or subject matter of this document or any part thereof either directly or indirectly arising therefrom shall be given or communicated in any manner whatsoever to a third party being an individual firm or company or any employee thereof without the prior consent in writing of PKWARE Inc.

Copyright © 1989 - 2010 PKWARE Inc. All rights reserved.
MVS/QuickRef Copyright © 1989-2010, Chicago-Soft, Ltd.


Contents

PREFACE............................................................................................................. 1

Notices.........................................................................................................................1

About This Manual......................................................................................................1

Conventions Used in This Manual ............................................................................1

Related Publications ..................................................................................................2

Related Information on the Internet..........................................................................4

User Help and Contact Information ..........................................................................4

1 SYSTEM PLANNING AND ADMINISTRATION............................................. 5

Planning for Administration Activities .....................................................................5

System Requirements................................................................................................7
    Operating System .....................................................................................................7
    Region Size and Storage ..........................................................................................8
    Static Disk Space......................................................................................................9
    Tape Device Considerations.....................................................................................9
    UserID OMVS Segment..........................................................................................10
    SecureZIP ICSF Operations ...................................................................................10
    z/OS UNIX File System (HFS) ................................................................................15

Migration Considerations ........................................................................................17
    Release History and Setting Changes....................................................................19

Distinctive Features of PKZIP and SecureZIP for z/OS ........................................20

Distinctive Features of SecureZIP for z/OS............................................................21

PKWARE PartnerLink: SecureZIP Partner for z/OS ..............................................21

Encryption .................................................................................................................22

Authentication...........................................................................................................22
    Data Integrity...........................................................................................................22
    Digital Signature Validation.....................................................................................23
    Digital Signature Source Validation ........................................................................23

Public-Key Infrastructure and Digital Certificates ................................................24


iv PKZIP/SecureZIP for z/OS 11.1 System Administrator’s Guide

    Public-Key Infrastructure (PKI) ...............................................................................24
    x.509 .......................................................................................................................24
    Digital Certificates ...................................................................................................25
    Certificate Authority (CA) ........................................................................................25
    Private Key..............................................................................................................25
    Public Key ...............................................................................................................25
    Certificate Authority and Root Certificates..............................................................26

Setting Up Stores for Digital Certificates on z/OS ................................................26
    Setting Up the Certificate Stores.............................................................................26
    Updating the Certificate Stores ...............................................................................28

Types of Encryption Algorithms .............................................................................28
    Standard..................................................................................................................28
    FIPS 46-3, Data Encryption Standard (DES)..........................................................29
    Triple DES Algorithm (3DES)..................................................................................29
    Advanced Encryption Standard (AES)....................................................................29
    Comparison of the 3DES and AES Algorithms.......................................................29
    RC4 .........................................................................................................................30

Key Management ......................................................................................................31

Passwords and PINS................................................................................................31

Recipient Based Encryption....................................................................................31

Random Number Generation...................................................................................32

Integrity of Public and Private Keys .......................................................................32

Data Encryption ........................................................................................................32

2 INSTALLATION, LICENSING, AND CONFIGURATION............................. 34

Installation Overview................................................................................................34

Type of Media Distribution for Installation.............................................................34

Installation from Downloaded File or CD ...............................................................35
    Non-SMP/E Installation...........................................................................................35
    SMP/E Installation...................................................................................................37

Installing from Tape..................................................................................................41

Tailoring Site-Specific Changes to the Defaults Module......................................42

Tailoring Site-Locking Commands .........................................................................43

Protecting Files with the SAFETYEX Module ........................................................43

Tailoring for Filename and Data Character Set Conversions ..............................44

SMS Dataclass Considerations...............................................................................44
    Note for users of PKZIP for MVS and PKZIP for zSeries 5.6 .................................45
    Considerations when Exporting Private Keys using RACDCERT..........................45

Evaluation Activity Log............................................................................................45
    Activity Log Setup and Configuration......................................................................46

Licensing Requirements..........................................................................................48
    Licensed Types .......................................................................................................49
    Product Features.....................................................................................................50


    Evaluation Period....................................................................................................53
    Release-Dependent Licensing................................................................................53
    Current Use License ...............................................................................................53
    Show System Information .......................................................................................55
    Conditional Use.......................................................................................................56

Initializing the License .............................................................................................56
    PKZIP and Full-Featured SecureZIP License Activation........................................57
    SecureZIP Partner License Activation ....................................................................57
    Reporting the PKZIP/SecureZIP for z/OS License .................................................58
    PKZIP/SecureZIP for z/OS Grace Period ...............................................................59
    Running a Disaster Recovery Test .........................................................................59

Activating the ISPF Interface...................................................................................60

ISPF Main Menu ........................................................................................................61

Running PKZIP/SecureZIP with Library Lookaside (LLA and LNKLST) .............61

Verifying the Installation..........................................................................................62

Run-time Performance Considerations..................................................................62
    Main Tuning Ingredients .........................................................................................63
    Initialization – JOBLIB/STEPLIB Elimination, LLA, VLF and/or LPA......................64
    Initialization – SYSIN Command Records via Partitioned Members ......................66
    Initialization – PARMLIB Commands via Partitioned Members..............................67

Enable SMF Recording.............................................................................................67
    SMF Activation ........................................................................................................68
    Install and Activate the PKWSVC Module ..............................................................68
    Select a Unique SMF Record Type ........................................................................71
    Activate SVC and SMF Settings in the SecureZIP Defaults Module ......................72
    Default Module Settings Affecting SMF Recording.................................................74

3 SECURITY ADMINISTRATION OVERVIEW ............................................... 77

Accessing Certificates ............................................................................................77
    Public Key Certificate..............................................................................................77
    Private Key Certificates...........................................................................................78
    Certificate Authority and Root Certificates..............................................................78

Configuration Profile ................................................................................................78
    Contents of the Configuration Profile ......................................................................78
    Data Base (DB) Profile (Local Certificate Store).....................................................79
    LDAP Profile (Networked Certificate Store)............................................................79
    Recipient Searches.................................................................................................80

Local Certificate Stores............................................................................................81
    Access x.509 Public and Private Key Certificates ..................................................81
    Authentication and Certificate Validation Policies...................................................82
    Other Profile Commands ........................................................................................86

Passphrase Registration..........................................................................................87
    Accessing the Passphrase Registration Dialogs ....................................................87

4 CERTIFICATE STORE MANAGEMENT...................................................... 89
    SecureZIP Main Panel—Access to the Certificate Stores......................................89


    SecureZIP Certificate Store Administration and Configuration...............................89

Local Certificate Store Administration...................................................................90
    SecureZIP Local Certificate Store...........................................................................91
    Create a New Local Certificate Store DB ...............................................................92
    Certificate Validation Options..................................................................................93
    Generated JCL to Build the Initial Certificate Store ................................................94
    View Data Base Certificate Entries .........................................................................95
    List Certificate Entries ...........................................................................................100
    Add a Certificate to the Local Store ......................................................................102
    Add a New Certificate to the CA Store..................................................................104
    Add a New Trusted Root Certificate to the Root Store .........................................104
    Add a New Certificate via Batch Processing ........................................................106
    Register Security Server Certificates in the Key Store Index ...............................106
    Delete a Certificate from the Local Store..............................................................109
    Synchronize the Index for the Local Certificate Store...........................................111
    Generated JCL for Synchronization......................................................................113
    CA, Root, and CRL Verification ............................................................................113
    Report DB Statistics ..............................................................................................114
    Edit Active DB Profile ............................................................................................116
    Backup and Restore Process ...............................................................................120

Directory Certificate Store Configuration - LDAP ...............................................122
    Create/Test LDAP Profile Statements ..................................................................123
    Edit existing LDAP profile .....................................................................................123
    Create/Test LDAP Link .........................................................................................123
    Create New LDAP Profile Settings .......................................................................124
    Load Existing LDAP Profile...................................................................................125
    Testing the LDAP Connection...............................................................................125

Runtime Configuration...........................................................................................128
    Zip/Unzip Runtime Configuration Panel................................................................128
    SecureZIP Runtime Configuration Panel ..............................................................129
    SecureZIP Runtime Configuration Panel Undefined ............................................129
    SecureZIP Runtime Configuration Panel with DB Profile Defined........................130
    SecureZIP Runtime Configuration Panel with Private Certificate Location ..........130

x.509 Certificate Utilities ........................................................................................131
    The Options...........................................................................................................131
    Certificate Revocation Lists ..................................................................................137

Filename Encryption ..............................................................................................141
    How SecureZIP for z/OS Encrypts File Names ....................................................141
    When SecureZIP for z/OS Encrypts File Names ..................................................141
    Encrypting File Names When You Update an Archive .........................................141
    Opening and Viewing an Archive that Has Encrypted File Names.......................142
    Input required to View Recipients in a Filename Encrypted Archive ....................142
    View of Recipients in a Filename Encrypted Archive ...........................................142
    View Detail of an Archive that Has Encrypted File Names...................................143
    Decrypting a Filename Encrypted Archive............................................................144

5 SECURITY QUESTIONS AND SOLUTIONS............................................. 146

Which encryption settings should be chosen?...................................................146

How is encryption activated?................................................................................147


How is ICSF hardware acceleration activated?...................................................147

What is the difference between an Encryption Method and an algorithm? .....147

How many recipients can be specified? ..............................................................147

What virtual storage is required for certificate-based encryption? ..................148

How does ENCRYPTION_METHOD affect certificate-based encryption? ........148

How does SecureZIP activate MASTER_RECIPIENT contingency keys? ........148

How does MASTER_RECIPIENT affect activation? ............................................149

How do I copy a local certificate store?...............................................................149

How do I remove a local certificate store?...........................................................150

How can the contents of an x.509 certificate file be determined? ....................150

6 PKWARE PARTNERLINK: SECUREZIP PARTNER ................................ 152

About SecureZIP Partner for z/OS ........................................................................152
    If You Are a Sponsor: Sign the Central Directory .................................................153

Terms and Acronyms Used in This Chapter........................................................153

PKWARE PartnerLink Program: Overview...........................................................153
    Decrypting and Extracting Sponsor Data (Read Mode)........................................154
    Creating an Archive for a Sponsor........................................................................154
    Getting Started ......................................................................................................154

Co-existence with Other PKWARE Products.......................................................155
    Recommendations ................................................................................................155

PartnerLink Certificate Store Administration and Configuration ......................156
    Choosing a Configuration Model...........................................................................156
    Installing a Sponsor Distribution Package ............................................................158
    Updating a Sponsor Distribution Package ............................................................160
    Removing a Sponsor Distribution Package ..........................................................160
    Providing a Sponsor Configuration for Execution .................................................160

7 CRYPTOGRAPHIC FACILITY UTILITY - PKCRYUTL.............................. 163
    Cryptographic Facility Categories .........................................................................163

Assessing a System’s Cryptographic Capabilities with PKCRYUTL................163
    PKCRYUTL Execution ..........................................................................................164
    PKCRYUTL Reporting ..........................................................................................164
    PKCRYUTL Sample Report..................................................................................164
    PKCRYUTL Interpretation.....................................................................................165

8 SMF RECORD FORMATS ......................................................................... 173

GLOSSARY...................................................................................................... 187

INDEX............................................................................................................... 198


Preface

SecureZIP for z/OS, like PKZIP for z/OS, is a member of the PKWARE family of products providing high-performance data compression and data protection across multiple operating systems and platforms.

PKZIP for z/OS provides powerful, easy-to-use data compression on the mainframe. PKZIP for z/OS Enterprise Edition additionally includes support for password-based decryption of encrypted files, powered by trusted RSA® BSAFE. Files created by PKZIP for z/OS use the widely-adopted ZIP format and can be accessed on all major platforms throughout the enterprise—from mainframe to PC.

SecureZIP for z/OS provides powerful, easy-to-use data compression and data protection on the mainframe. SecureZIP for z/OS protects data with digital signatures and several encryption choices. Both trusted RSA BSAFE encryption and IBM ICSF are offered, either password- or certificate-based, and with key lengths of up to 256 bits. Like PKZIP for z/OS, SecureZIP for z/OS uses the widely-adopted ZIP format and creates files that can be accessed on all major platforms throughout the enterprise.

Notices

Licensing requirements have changed for this release. See chapter 2 for current information.

About This Manual

This manual provides information to help a system administrator install and use PKZIP for z/OS or SecureZIP for z/OS in an operational environment on supported IBM releases of z/OS. It is assumed that anyone using this manual has a good understanding of JCL and dataset processing.

Conventions Used in This Manual

Throughout this manual, the following conventions are used:

SecureZIPz (bold-italicized) is used as a shorthand to refer to both SecureZIP for z/OS and PKZIP for z/OS. Statements made about SecureZIPz apply to both products. Information given specifically for SecureZIP for z/OS or PKZIP for z/OS applies specifically to that product.


The terms ZIP and UNZIP are used to refer to the respective overall processes of operating on an archive.

The term PKZIP is often used generically to refer to any of the underlying executable programs that process archives in PKZIP for z/OS and SecureZIP for z/OS. These include programs PKZIP and SECZIP, to ZIP archives, and programs PKUNZIP and SECUNZIP, to UNZIP them. PKZIP is also more narrowly used to refer to either the PKZIP or SECZIP program, and PKUNZIP is often used to refer to either the PKUNZIP or SECUNZIP program.

The use of the Courier font indicates text that may be found in job control language (JCL), parameter controls, or printed output.

The use of italics in a command line indicates a value that must be substituted by the user, for example, a data set name. Italics are also used in body text to quote command names and so forth or to indicate the title of a manual or other publication.

The use of <angle brackets> in a command definition indicates a mandatory parameter.

The use of [square brackets] in a command definition indicates an optional parameter.

A vertical bar (|) in a command definition is used to separate mutually exclusive parameter options or modifiers.

When sample JCL is shown, or references to the SecureZIPz libraries are made, the high-level qualifier PKWARE.MVS may be used generically. The high-level qualifier specifically for the packaged product SecureZIP for z/OS is SECZIP.MVS. The high-level qualifier specifically for the packaged product PKZIP for z/OS is PKZIP.MVS. Note that the actual high-level qualifiers installed on your system may be different.

Program examples may show either SecureZIP for z/OS or PKZIP for z/OS constructs, for backward compatibility. In general, examples apply to both programs unless the examples appear in sections of the manual that relate exclusively to SecureZIP features. Such sections are marked like this:

SecureZIP only

Related Publications

IBM Manuals relating to the SecureZIPz products include:

System Codes - Documents the completion codes issued by the operating system when it terminates a task or an address space. Describes the wait state codes placed in the program status word (PSW) when the system begins a wait state. Describes the causes of loops.

System Messages - Documents the messages issued by the z/OS operating system. The descriptions explain why the component issued the message, give the actions of the operating system, and suggest responses by the applications programmer, system programmer, and/or operator.

JES2 Messages - Documents the messages issued by the JES2 subsystem. The descriptions explain why the component issued the message, give the actions of the operating system, and suggest responses by the applications programmer, system programmer, and/or operator.

JCL User's Guide - Describes the job control tasks needed to enter jobs into the operating system, control the system's processing of jobs, and request the resources needed to run jobs. To perform the tasks, programmers code job control statements. The user's guide assists in deciding how to perform job control tasks.

JCL Reference - Describes the job control tasks needed to enter jobs into the operating system, control the system's processing of jobs, and request the resources needed to run jobs. To perform the tasks, programmers code job control statements. The reference guide is designed to be used while coding the statements.

Access Methods Services - Documents the functions that are available with Virtual Storage Access Method (VSAM) and describes the IDCAMS commands that can be issued to control VSAM datasets.

DFSMS Using Data Sets – Reference materials regarding z/OS file systems and their usage.

DFSMS Macro Instructions for Data Sets – Reference material regarding I/O handling and diagnostics.

ICSF Application Programmers Guide – Describes how to use the callable services provided by the Integrated Cryptographic Service facility.

ICSF Administrators Guide – Describes how to manage cryptographic keys by using the z/OS Integrated Cryptographic Service facility.

ICSF Overview – Contains overview and planning information for the z/OS Integrated Cryptographic Service facility.

ISPF bookshelf – Reference materials regarding the run-time environments that support, and are used by, SecureZIPz.

Language Environment bookshelf – Reference materials regarding the run-time environments that support, and are used by, SecureZIPz.

TSO/E Command Reference - Documents the functions of the TRANSMIT and RECEIVE Command Facility used for the distribution and allocation of SecureZIPz installation libraries.

TSO/E Rexx Reference – Reference materials regarding the run-time environments that support, and are used by, SecureZIPz.

z/OS XL C/C++ bookshelf – Reference materials regarding the run-time environments that support, and are used by, SecureZIPz.

z/OS Unix System Services User’s Guide – Provides information that is fundamental to working with UNIX File Systems (also known as the hierarchical file system).

MVS/QuickRef 6.3 (Chicago-Soft, Ltd.) - Includes both messages and command reference material for SecureZIPz.


Related Information on the Internet

PKWARE, Inc.

www.pkware.com

FTP site

Product manuals - ftp://bigiron.pkware.com/pub/manuals/zOS

Product downloads - ftp://bigiron.pkware.com/pub/products

o PKZIP for z/OS - ftp://bigiron.pkware.com/pub/products/pkzip/zOS

o SecureZIP for z/OS - ftp://bigiron.pkware.com/pub/products/securezip/zOS

o SecureZIP Partner for z/OS - ftp://bigiron.pkware.com/pub/products/partnerlink/zOS

National Institute of Standards and Technology (NIST)

Computer Security Resource Center - http://csrc.ncsl.nist.gov

Information on the AES development - http://csrc.nist.gov/encryption/aes

Information on Key Management - http://csrc.nist.gov/CryptoToolkit/tkkeymgmt.html

RSA BSAFE® Content Library – http://www.rsasecurity.com/content_library.asp

User Help and Contact Information

For licensing, please contact Sales at 937-847-2374 (888-4PKWARE / 888-475-9273) or email [email protected].

For technical assistance, contact Technical Support at 937-847-2687 or visit the support web site: http://www.pkware.com/support/mainframe


1 System Planning and Administration

SecureZIPz contains two main programs: PKZIP (or SECZIP in SecureZIP) and PKUNZIP (or SECUNZIP in SecureZIP). The ZIP program is used to compress or store files into a ZIP format archive, while the UNZIP program is used to extract data compressed into ZIP-compatible archives. Processing control is available through the use of customized option modules, shared command lists, and individual job inputs. In addition to file selection, features such as compression levels and performance selections can be specified.

A 32-bit cyclic redundancy check (CRC) is computed for every file when it is zipped and verified when it is unzipped, so accidental corruption in storage or transfer is detected. The CRC is an integrity check, not a security control: anyone who can modify the archive can recompute it, so it detects neither deliberate tampering nor establishes who created the archive. Those assurances require the SecureZIP digital signature features (SIGN_FILES, SIGN_ARCHIVE, AUTHCHK). A ZIP archive is platform-independent; therefore, data compressed (zipped) on one platform, such as UNIX or Windows, can be decompressed (unzipped) on another platform, such as z/OS, by using a compatible version of the UNZIP program.
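The CRC check described above, shown as an added example that is not part of the PKWARE manual or of the product's code: the script below parses the local file headers of a small STORED archive built in memory with Python's zipfile module, verifies each entry's CRC-32 against its data, and then runs the two cases that matter operationally. A single flipped byte is caught both by this check and by a stock unzip-style test; a deliberate edit followed by recomputing the CRC in the local header and the central directory passes both. The entry name, payload and the "fix the CRC" steps are constructed for illustration; the header offsets are those of the ZIP format itself. It assumes STORED (method 0) entries without data descriptors, which is all the parser handles.

```python
"""Added example (not PKWARE code): verify ZIP CRC-32 values and show that a
matching CRC proves only accidental integrity, not authenticity.

Assumptions (not from the manual): entries are STORED (method 0), carry no
data descriptor, and the whole archive fits in memory.
"""
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"     # local file header signature
CENTRAL_SIG = b"PK\x01\x02"   # central directory header signature
ENTRY_NAME = "PROD.PAYROLL.TXT"   # constructed sample name, not from the manual


def build_sample_archive() -> bytes:
    """Constructed sample input: a one-entry STORED archive built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr(ENTRY_NAME, b"EMP0001,SMITH,50000\nEMP0002,JONES,62000\n")
    return buf.getvalue()


def parse_local_entries(archive: bytes) -> list:
    """Walk the local file headers and return one dict per entry.

    Local file header (little-endian): sig(4) ver(2) flags(2) method(2) time(2)
    date(2) crc32(4) csize(4) usize(4) namelen(2) extralen(2) = 30 bytes,
    followed by the name, the extra field and the entry data.
    """
    entries, pos = [], 0
    while archive.startswith(LOCAL_SIG, pos):
        (_ver, flags, method, _time, _date, crc, csize, _usize,
         nlen, xlen) = struct.unpack_from("<HHHHHIIIHH", archive, pos + 4)
        if flags & 0x0008 or method != 0:
            raise ValueError("example handles STORED entries without data descriptors")
        name = archive[pos + 30:pos + 30 + nlen].decode("cp437")
        data_off = pos + 30 + nlen + xlen
        entries.append({"name": name, "crc_off": pos + 14, "crc": crc,
                        "data_off": data_off,
                        "data": archive[data_off:data_off + csize]})
        pos = data_off + csize
    return entries


def verify_crcs(archive: bytes) -> dict:
    """{entry name: True if CRC-32 of the data matches the stored CRC}."""
    return {e["name"]: zlib.crc32(e["data"]) == e["crc"]
            for e in parse_local_entries(archive)}


def stock_zip_check(archive: bytes):
    """What a standard unzip-style test reports: first bad entry name, or None."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.testzip()


def corrupt_byte(archive: bytes) -> bytes:
    """Simulate accidental damage: flip one data byte and leave the CRC alone."""
    e = parse_local_entries(archive)[0]
    b = bytearray(archive)
    b[e["data_off"]] ^= 0xFF
    return bytes(b)


def _patch_crc(b: bytearray, name: str, new_crc: int) -> None:
    """Rewrite the CRC in the entry's local header and central directory record."""
    for e in parse_local_entries(bytes(b)):
        if e["name"] == name:
            struct.pack_into("<I", b, e["crc_off"], new_crc)
    pos = b.find(CENTRAL_SIG)
    while pos != -1:
        # Central directory header: crc at +16, namelen at +28, name at +46.
        nlen = struct.unpack_from("<H", b, pos + 28)[0]
        if b[pos + 46:pos + 46 + nlen].decode("cp437") == name:
            struct.pack_into("<I", b, pos + 16, new_crc)
        pos = b.find(CENTRAL_SIG, pos + 46)


def tamper_and_fix_crc(archive: bytes) -> bytes:
    """Simulate deliberate tampering: change the data AND recompute the CRC."""
    e = parse_local_entries(archive)[0]
    new_data = e["data"].replace(b"50000", b"90000")  # same length, offsets hold
    b = bytearray(archive)
    b[e["data_off"]:e["data_off"] + len(new_data)] = new_data
    _patch_crc(b, e["name"], zlib.crc32(new_data))
    return bytes(b)


if __name__ == "__main__":
    original = build_sample_archive()
    corrupted = corrupt_byte(original)
    tampered = tamper_and_fix_crc(original)
    print("original :", verify_crcs(original), stock_zip_check(original))
    print("corrupted:", verify_crcs(corrupted), stock_zip_check(corrupted))
    print("tampered :", verify_crcs(tampered), stock_zip_check(tampered))
```

Run it as a script to see all three results. Read against the manual: a CRC mismatch on extraction is corruption worth investigating, but a clean CRC says nothing about who produced the archive or whether it was altered in transit; for that the archive needs a digital signature (SIGN_FILES or SIGN_ARCHIVE) that is verified on extraction.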

With its advanced password and certificate-based security features, SecureZIP for z/OS offers multiple methods of encryption and is an excellent choice for securing data and data transfers. However, it is important that system administrators carefully plan in advance the design, development, and testing tasks required to successfully integrate SecureZIP for z/OS as a secure solution into a production environment.

The following sections chart the production and pre-production planning activities for administration and discuss SecureZIPz model environments and important concepts for the systems administrator. They also describe encryption, types of algorithms in use, information about specific mandates requiring the use of secure data, and how SecureZIPz will secure that data.

Planning for Administration Activities

The SecureZIPz software is often installed and maintained by a single party within an installation’s system programming staff. However, there are several system interface components that may require attention from other departments relating to the administration of SecureZIP operation.

Use the following installation and feature configuration checklist to help plan out the installation and operational use of SecureZIPz.


Feature or Activity: Base software installation; includes:
  o Licensing
  o Tailoring of the installation defaults module
  o Translate table selection
  o SAFETYEX module tailoring
  o Migration Considerations
  o Activating the TSO ISPF Interface
  o Initial Tuning
  o Optional LLA, VLF and LPA
  Ref. chapter 2
Resources:
  Required: System Programmer
  Optional: Data transfer architect for Translate Tables
  Optional: Storage administrator for related defaults module settings
  Optional: Security policy manager for related defaults module settings
  Required: Security Administrator to define data set protection for supporting software libraries

Feature or Activity: Configure Cryptographic Services for data Encryption, Digital Signing and Authentication with SecureZIP for z/OS
  o Use of ICSF Cryptographic Facilities
  o CLASS(CSFSERV) service profiles
  Ref. chapter 1, “SecureZIP ICSF Operations”
  Ref. SecureZIP Security Administrator’s Guide, “ICSF Service Controls”
Resources:
  Required: ICSF Administrator, Security Server Administrator

Feature or Activity: Define the SecureZIP for z/OS Key Store Index and Certificate Store
  Ref. chapter 1, “Setting Up Stores for Digital Certificates on z/OS”

Feature or Activity: Administer Digital Certificates to the SecureZIP for z/OS Key Store for use in RECIPIENT, SIGN_FILES, SIGN_ARCHIVE or AUTHCHK processing
  o DATASET update access to SecureZIP Key Store components
  Ref. chapter 1, “Public-Key Infrastructure and Digital Certificates”
  Ref. chapter 4

Feature or Activity: Administer Digital Certificates to the Security Server for use in RECIPIENT, SIGN_FILES, SIGN_ARCHIVE or AUTHCHK processing with SecureZIP for z/OS
  o Certificate and Key Ring controls
  Ref. SecureZIP Security Administrator’s Guide
  Ref. IBM z/OS Security Server RACF Administration
  Ref. IBM z/OS Security Server RACF Command Reference (RACDCERT)
  Ref. IBM z/OS Security Server Callable Services (R_datalib)
Resources:
  Required: Security Server Administrator, SecureZIP Key Administrator

Feature or Activity: Administer Passphrase Registration to the ICSF CKDS for use with SecureZIP for z/OS
  o CLASS(CSFSERV,CSFKEYS) service profiles
  Ref. SecureZIP for z/OS Security Administrator’s Guide, chapter 5 (“SAF-protected Passphrase Feature”)
Resources:
  Required: Security Server Administrator, SecureZIP Key Administrator, ICSF CKDS Administrator

Feature or Activity: Enable and Administer SecureZIP for z/OS Policy Lockdown features
  Ref. SecureZIP for z/OS Security Administrator’s Guide, “Policy Lockdown” chapter
Resources:
  Required: Security Server Administrator

Feature or Activity: Enable and Administer Contingency Keys for use with SecureZIP for z/OS
  o Generate and install certificates
  o Define Contingency Key Ring(s)
  o Administer Key Rings and PROFILEs (by JOB)
  Ref. SecureZIP for z/OS Security Administrator’s Guide, chapter 2, section “Contingency Key Enforcement”
Resources:
  Required: Security Server Administrator, Operations JOB Planner

Feature or Activity: Enable and tailor the SMF recording feature used with SecureZIP for z/OS
Resources:
  Required: z/OS System Programmer

Feature or Activity: Use SMF data for audit controls
  Ref. SecureZIP for z/OS Security Administrator’s Guide, “Security Auditor’s Guide” chapter
Resources:
  Required: SMF Administrator, SMF Data Reduction Programmer, Security Auditor

Feature or Activity: Configuring jobs for operational use of the z/OS UNIX File Systems
  o Archives and/or files in the UNIX File System
  o Application Integration with FIFO Special File (named pipes)
  Ref. chapter 1, “HFS Operational Knowledge”

Feature or Activity: Configuring for operations as a PartnerLink Sponsor or Partner
  o Sponsor Distribution Packages
  Ref. PKWARE PartnerLink

System Requirements

This section describes the system requirements for SecureZIPz.

Operating System

The minimum operating system levels supported are:

A release of z/OS supported by IBM

For installations intending to use digital certificates residing in the RACF Security Server, maintenance associated with APAR OA26639 is recommended to avoid spurious ICH408I messages.

To extract files greater than 2 gigabytes or to create archives greater than 2 gigabytes in a PDSE, operating system maintenance associated with APAR BW57702 is required.

z/OS installations intending to use ICSF cryptographic services should ensure that RACF maintenance associated with APAR OA11874 is installed.

System requirements for ICSF apply to facility settings of IBMHARDWARE and IBMSOFTWARE associated with ENCRYPTDATA, HASH, and RANDOM.

Installations intending to use AES 128-bit ICSF hardware-based encryption/decryption on a System-z9 (2094 or 2096) with ICSF FMID HCR7730 should ensure that PTF UA22474 is applied. (Reference PKWARE HIPER TT3686 and IBM APAR OA13766).


Installations intending to use SHA-256 ICSF hardware-based hashing in support of digital signature creation will require a minimum ICSF level of HCR7730 while operating on a System z9-109, z9, or z10.

Language Environment release-dependent runtime options modules are supplied with the product and are dynamically selected for use at the release levels shown in the following table. If higher levels of Language Environment are encountered, informational system messages may be issued (CEE3611I, CEE3615I, CEE3627I). These have no functional impact on product operations.

Operating System Release   Language Environment FMID   Language Environment Options Release
OS/390 2.10                HLE7703                     1.3
z/OS 1.1                   HLE7703                     1.3
z/OS 1.2                   HLE7704                     1.5
z/OS 1.3                   HLE7705                     1.5
z/OS 1.4                   HLE7706                     1.5
z/OS 1.5                   HLE7708                     1.5
z/OS 1.6                   HLE7709                     1.6
z/OS 1.7                   HLE7720                     1.6
z/OS 1.8                   HLE7730                     1.7
z/OS 1.9                   HLE7740                     1.8
z/OS 1.10                  HLE7750                     1.9

For installations using Security Server RACF and requiring RSA public or private keys to be stored in the ICSF PKDS, the PTF associated with APAR OA13030 must be installed.

Region Size and Storage

See the section “Region Size and Storage” in chapter 3 of the PKZIP/SecureZIP for z/OS User’s Guide for information relating to minimum virtual storage requirements.


Static Disk Space

Product data set allocations are approximately as follows:

Data set    Tracks   %Used   XT   Device
CEXEC          90      87     1   3390
HELP           60      93     2   3390
INSTLIB        75      81     1   3390
INSTLIB2       30      70     1   3390
LICENSE         1     100     1   3390
LOAD          555      99     1   3390
MACLIB         15      80     1   3390
SPKZCLIB       90      96     1   3390
SPKZMLIB       15      13     1   3390
SPKZPLIB       45     100     1   3390
SPKZSLIB       15      20     1   3390
SPKZTLIB       15      50     6   3390

SecureZIP certificate store data set allocations are approximately as follows (a ? in %Used means usage depends on the installation's contents):

Data set                  Tracks   %Used   XT   Device
CERTSTOR.DBX.DATA            150       ?    1   3390
CERTSTOR.DBX.INDEX             1       ?    1   3390
CERTSTOR.DBXCN.DATA           15       ?    1   3390
CERTSTOR.DBXCN.INDEX           1       ?    1   3390
CERTSTOR.DBXEM.DATA           15       ?    1   3390
CERTSTOR.DBXEM.INDEX           1       ?    1   3390
CERTSTOR.DBXPUBK.DATA         15       ?    1   3390
CERTSTOR.DBXPUBK.INDEX         1       ?    1   3390
CERTSTOR.PRIVATE             150       6    1   3390
CERTSTOR.PUBLIC              150       6    1   3390
CERTSTOR.P7CA                150       1    1   3390
CERTSTOR.P7CRL               150       1    1   3390
CERTSTOR.P7ROOT              150       1    1   3390
CERTSTOR.SPONSOR.AUTH         15       6    1   3390
CERTSTOR.SPONSOR.INFO         15       6    1   3390
CERTSTOR.SPONSOR.RECIP        15       6    1   3390

Tape Device Considerations

The following notes apply when ZIP archives may be directed to a tape or cartridge device.

Do not use DCB option TRTCH=COMP when specifying a non-STORE form of ZIP compression.

If Large Block Interface (LBI) tape processing is to be used (ARCHIVE_ZIPFORMAT=FULL_LBI or XTAPE_LBI) and there is any restriction on maximum block size for tape cartridges, review the setting for SMS Dataclass “Block Size Limit”, or PARMLIB(DEVSUPxx) TAPEBLKSZLIM, and set the ZIP defaults (or pre-defined command sets) for ARCHIVE_BLKSIZE accordingly.

IECIOSxx parmlib parameter MIH:

If your site does not specify an IOS= member in the IEASYSxx member, then a default value of 3:00 minutes for 3490 missing tape device interrupts is used. This value is too low for PKZIP tape processing. The IBM 3490 Planning and Migration Guide recommends a value of 20 minutes for missing interrupts associated with 3490E tape drives. Set a temporary increase to the MIH values for tape by using the following MVS console command:

SETIOS MIH,TAPE=20:00

To make the change permanent in parmlib, place the following in member IECIOSxx:

MIH TIME=20:00,DEV=nnnn

where nnnn is the device address.

For devices configured as 3590s, the control unit controls both the primary and secondary MIH values. The primary MIH governs most commands, and the second MIH governs a small group of long-running commands, such as LOCATE and FORWARD SPACE FILE.

UserID OMVS Segment

The following features of SecureZIP require the executing UserID to have a valid OMVS segment:

SecureZIP for z/OS Certificate Store administration and digital certificate usage

Unix File System operations

SecureZIP ICSF Operations

This section pertains to system-supplied cryptographic facilities that are supplemental to inherent SecureZIP cryptographic services. An appropriate SecureZIP license is required to access these facilities.

The system-supplied cryptographic facilities available for SecureZIP for z/OS to use depend on the hardware configuration and controlling system software. ICSF callable services are utilized by SecureZIP to facilitate access to system-supplied cryptographic facilities for selected system configurations. For planning purposes, the following checklist may be used to ensure that the operating environment is activated appropriately to support the desired cryptographic feature through SecureZIP:

Refer to the “ICSF Feature/Facility Requirements Table” later in this section to identify the desired cryptographic feature and associated facility requirements

Ensure that the correct hardware feature codes are installed for the target platform

Ensure that the ICSF Program Product is installed at the proper release level

Use the TSO/ISPF ICSF dialog to determine if ICSF is active and the necessary components are operative. Select option 1 and press Enter. If ICSF is not available, you will receive the message shown in the upper right portion of the screen below.

 HCR7730 -------------- Integrated Cryptographic Serv   ICSF IS NOT ACTIVE
 OPTION ===>

 Enter the number of the desired option.

   1  COPROCESSOR MGMT  -  Management of Cryptographic Coprocessors
   2  MASTER KEY        -  Master key set or change, CKDS/PKDS Processing
   3  OPSTAT            -  Installation options
   4  ADMINCNTL         -  Administrative Control Functions
   5  UTILITY           -  ICSF Utilities
   6  PPINIT            -  Pass Phrase Master Key/CKDS Initialization
   7  TKE               -  TKE Master and Operational Key processing
   8  KGUP              -  Key Generator Utility processes
   9  UDX MGMT          -  Management of User Defined Extensions

      Licensed Materials - Property of IBM
      5694-A01 (C) Copyright IBM Corp. 1989, 2004. All rights reserved.
      US Government Users Restricted Rights - Use, duplication or
      disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

 Press ENTER to go to the selected option.
 Press END   to exit to the previous menu.

If ICSF is active, you will see screens like the following. Whether any coprocessors are listed depends on the hardware configuration of your environment; SecureZIP for z/OS can use ICSF services in either case, subject to the requirements in the ICSF Feature/Facility Requirements Table later in this section.

System with no coprocessors available

 ------------------------- ICSF Coprocessor Management -------------------------
 COMMAND ===>                                                  SCROLL ===> PAGE

 Select the coprocessors to be processed and press ENTER.
 Action characters are: A, D, E, K, R and S. See the help panel for details.

   COPROCESSOR   SERIAL NUMBER   STATUS
   -----------   -------------   ------
 ******************************* Bottom of data ********************************

System with coprocessors available

 ------------------------- ICSF Coprocessor Management ------------- Row 1 of 4
 COMMAND ===>                                                  SCROLL ===> PAGE

 Select the coprocessors to be processed and press ENTER.
 Action characters are: A, D, E, R, and S. See the help panel for details.

   COPROCESSOR   MODULE ID/SERIAL NUMBER             STATUS
   -----------   ---------------------------------   ------
 . C0            04100000000043FD 04100000000043FD   ACTIVE
 . C1            04100000000041A2 04100000000041A2   ACTIVE
 . P00           94E04777                            ACTIVE
 . P01           94E04781                            ACTIVE

System with coprocessors online but not initialized for use

 ------------------------- ICSF Coprocessor Management -------- Row 1 to 1 of 1
 COMMAND ===>                                                  SCROLL ===> PAGE

 Select the coprocessors to be processed and press ENTER.
 Action characters are: A, D, E, K, R and S. See the help panel for details.

   COPROCESSOR   SERIAL NUMBER   STATUS
   -----------   -------------   ------
 . E01           95000276        ONLINE
 ******************************* Bottom of data *******************************


If necessary, perform some or all of the following system configuration activities in accordance with the z/OS ICSF Administrators Guide and the z/OS Cryptographic Services System Programmer’s Guide:

o Ensure that the system (or LPAR) is configured for the hardware cryptographic facility

o Perform Hardware Management Console (HMC) activities to enable cryptographic usage through ICSF

o Perform Power On Reset to activate HMC settings

o Prepare ICSF run-time environment (e.g. allocation of control data sets)

o Start ICSF in update mode to establish passphrases

Ensure that ICSF is started with production run-time parameters

Conditionally update RACF (or equivalent security product) to permit READ access to the following resources in the CSFSERV class (if CSFSERV is, or is to be, an active class):

o CSFCKM

o CSFIQF

o CSFOWH

o CSFRNG

o CSFRNGL

Consult the SecureZIP Security Administrator’s Guide to identify additional Security Server rules that may require definition or adjustments.

The following tables show the levels of system hardware and operating software required by various cryptographic features.

ICSF Feature/Facility Requirements Table

SecureZIP only

This table provides an overview of system facilities required to access a specific cryptographic feature. For each supported Service within a platform configuration, three pieces of information are shown.

The minimum Hardware facility required

The Software callable service used

A minimum ICSF release level (referenced by FMID)


Table 1: ICSF feature/facility requirements

Each cell lists, on three lines, the minimum hardware facility, the ICSF callable service used, and the minimum ICSF FMID. "n/a" means the service is not available on that platform.

Cryptographic Service             z/800 & z/900     z/890 & z/990     z9-109            System z9         System z10
--------------------------------  ----------------  ----------------  ----------------  ----------------  ----------------
DES/3DES Hardware Acceleration    CCF               CPACF             CPACF             CPACF             CPACF
                                  CSNBENC           CSNBSYE           CSNBSYE           CSNBSYE           CSNBSYE
                                  HCR7704           HCR7720           HCR7720           HCR7720           HCR7720

DES/3DES Secure Key Operations    CCF               CEX2C             CEX2C             CEX2C             CEX2C
(FIPS 140 Compliant)              CSNBENC           CSNBENC           CSNBENC           CSNBENC           CSNBENC
                                  HCR7704           HCR7720           HCR7720           HCR7720           HCR7720

AES (ICSF Software)               CCF               CPACF             CPACF             CPACF             CPACF
                                  CSNBSYE           CSNBSYE           CSNBSYE           CSNBSYE           CSNBSYE
                                  HCR7706           HCR7720           HCR7720           HCR7720           HCR7720

AES128 Hardware Acceleration      n/a               n/a               CPACF             CPACF             CPACF
                                                                      CSNBSYE           CSNBSYE           CSNBSYE
                                                                      HCR7730           HCR7730           HCR7730

AES192, AES256 Hardware           n/a               n/a               n/a               n/a               CPACF
Acceleration                                                                                              CSNBSYE
                                                                                                          HCR7750

AES Secure Key Operations         n/a               n/a               n/a               CEX2C             CEX2C
(all AES key lengths)                                                                   CSNBSAE           CSNBSAE
(FIPS 140 Compliant)                                                                    HCR7751 *         HCR7751 *

SHA-1 Hardware Acceleration       CCF               CPACF             CPACF             CPACF             CPACF
                                  CSNBOWH           CSNBOWH           CSNBOWH           CSNBOWH           CSNBOWH
                                  HCR7704           HCR7720           HCR7720           HCR7720           HCR7720

MD5 (ICSF Software)               CCF               CPACF             CPACF             CPACF             CPACF
                                  CSNBOWH           CSNBOWH           CSNBOWH           CSNBOWH           CSNBOWH
                                  HCR7704           HCR7720           HCR7720           HCR7720           HCR7720

SHA-256 Hardware Acceleration     n/a               CPACF             CPACF             CPACF             CPACF
                                                    CSNBOWH           CSNBOWH           CSNBOWH           CSNBOWH
                                                    HCR7750           HCR7750           HCR7750           HCR7750

SHA-384/512 Hardware              n/a               n/a               n/a               n/a               CPACF
Acceleration                                                                                              CSNBOWH
                                                                                                          HCR7751

Pseudo Random Data Generation     CCF               CPACF             CPACF             CPACF             CPACF
                                  CSNBRNG           CSNBRNG           CSNBRNG           CSNBRNG           CSNBRNG
                                  HCR7704           HCR7720           HCR7720           HCR7720           HCR7720

Pseudo Random Data                CCF               PCIXCC/CEX2C      CEX2C             CEX2C             CEX2C
Generation-Long                   CSNBRNGL          CSNBRNGL          CSNBRNGL          CSNBRNGL          CSNBRNGL
                                  HCR7750           HCR7750           HCR7750           HCR7750           HCR7750

* requires MCL update

Notes:

ICSF is assumed to be running in non-PCF mode, and FMIDs are listed at the minimum supported level. SMP/E and ICSF settings should be checked to verify the ICSF operating level and configuration. (Note that HCRP220 and prior FMIDs were for PCF.)

Some ICSF levels may be required to be at a higher level than those shown due to IBM system configuration requirements.

Through the callable service, ICSF directs which hardware/software facility to use based on the call request and the available configuration.

IBM technical support documents and maintenance buckets should be reviewed to determine a complete set of system feature enablement requirements to activate the necessary level of ICSF and associated system-provided services.

Distributed Operating System ICSF Levels

The following table is provided as a convenience for planning purposes to show ICSF levels typically provided with a given level of the operating system. System-specific planning and requirements review should be performed for an installation.


Operating System   Distributed ICSF Level   Enabled Feature as Used by SecureZIP
OS/390 2.10        HCR7703                  Base ICSF for CSNBENC
z/OS 1.2           HCR7704
z/OS 1.3           HCR7706                  CSNBSYE CPACF (z/x90, z9)
z/OS 1.4           HCR7706 or HCR7708
z/OS 1.5           HCR7708
z/OS 1.6           HCR770A
z/OS 1.7           HCR7720 or HCR7730       CSNBSYE CPACF for DES/3DES; CSNBSYE AES128 hardware (z9)
z/OS 1.7           HCR7730                  SHA-256 hashing (software only)
z/OS 1.8           HCR7731
z/OS 1.9           HCR7740
z/OS 1.10          HCR7750                  HCR7751 may be installed as an upgrade to access advanced AES capabilities available through hardware.

Note that many of the ICSF release levels can be installed on earlier releases of the operating system.

For z/OS 1.7, z/OS 1.8 and z/OS 1.9, HCR7750 is available for upgrades, providing for CSNBSYE AES192, AES256 hardware (z9 model dependent) and SHA-256 hashing hardware (z9).

z/OS UNIX File System (HFS)

In the context of this section, “Hierarchical File System” (HFS) refers to the entire z/OS UNIX file system architecture unless otherwise noted.

SecureZIPz does not require any special configuration to operate with the HFS (Hierarchical File System). However, working with archives and data files located in the HFS in the z/OS environment requires some setup. In particular:

The run-time user’s OMVS segment information must be associated with a HOME directory for that user

Permissions need to be set to correspond with the run-time user’s ownership of directories and files to be accessed (see PATHMODE for directory and file objects within the HFS)

Group permissions for directories and files in the HFS need to support the GROUPs that the run-time user will connect to

If the SAFETYEX module has been modified from releases prior to release 10.0, a fresh source copy (from INSTLIB) should be used and updated. HFS PATH entries can be added in a new section provided for this purpose in the release 10.0 version of the module.


HFS Operational Knowledge

To operate SecureZIPz with the HFS, you need a basic understanding of how the HFS works. For information specific to using SecureZIPz, see section “z/OS UNIX File System (Hierarchical File System)” in chapter 9 (“File Processing”) of the PKZIP/SecureZIP for z/OS User’s Guide. For more general information, you will find the IBM documentation listed in the following table helpful.

Resource: IBM z/OS UNIX System Services Guide
  Chapter 14: An Introduction to the hierarchical file system
    Mountable File Systems
    Directories
    Files
    Path and Pathname
    Using commands to work with directories and files
    Using the Network File System
  Chapter 16: Working with directories
    The working directory
    Creating and removing a directory
  Chapter 17: Working with files
    Naming files
    Deleting a file
    Identifying a file by its inode number
    Creating and deleting links
    Renaming a file or directory
    Simultaneous access to a file
  Chapter 18: Handling security for your file
    Default permissions set by the system
    Changing permissions
    Displaying file and directory permissions
    Setting the file mode creation mask
    Displaying extended attributes
  Chapter 21: Copying data between the HFS and MVS
    Examples and requirements for various data types
  Chapter 22: Transferring files between systems
    File Transfer Protocol (FTP)

Resource: IBM z/OS JCL Reference
  FILEDATA parameter: describes the organization of a hierarchical file so that the system can determine how to process the file
  PATH parameter: specifies the name of the HFS file
  PATHMODE parameter: specifies the file access attributes when the system is creating the HFS file named on the PATH parameter
  PATHOPTS parameter: specifies the access and status for the HFS file named in the PATH parameter

Resource: IBM z/OS SecureWay Security Server RACF Security Administrator’s Guide
  The OMVS segment in User Profiles
    The z/OS UNIX Identifier (UID)
    The initial directory path name (HOME)
    The maximum number of active or open files the user can have (FILEPROCMAX)
    The maximum number of processes the user can have (PROCUSERMAX)

Migration Considerations

Release 11.1 provides enhanced volume count control with MULTIVOL command specifications (e.g. ARCHIVE_SPACE_MULTIVOL). With the added capability for specifying a numeric volume count value, the default volume count associated with xxxx_SPACE_MULTIVOL=Y is changed from 59 to 5. If default volume count values greater than 5 are required, modifications to the defaults module may be performed.

Release 11.1 provides segregated control of temporary data compression work space from other temporary work files. See the new TEMPDATA_xxx settings for additional information. If enabled, adjustments to existing TEMP_xxx settings should be considered to reduce overall work file allocation requirements.

SecureZIP for z/OS Release 11 provides the ability for an installation to logically move digital certificates from the SecureZIP Certificate Store to the installation’s Security Server (for example, RACF). The SecureZIP Key Store Index component of the SecureZIP Certificate Store provides a redirection capability that permits existing jobs accessing digital certificates through the “DB:” syntax to reference certificates installed to the Security Server so that run-time JCL and parameters do not require modification. The administrative process of reindexing Security Server certificates for existing DB: entries is accomplished through the “Add Certificates (or Register KeyRing Certificates)” option under the “Local Certificate Store Administration” dialog.

SecureZIP for z/OS Release 11 includes a change to the Certificate Store references. If a Certificate Store configuration is not specified, DUMMY will be used as the default. To maintain upgrade continuity, Certificate Store configurations may be included with the INCLUDE_CMD or added to INSTLIB(ACZDFLT).

Release 10 renamed the DATA_DELIMITER setting to ZIPFILE_RECORD_DELIMITER for the purpose of distinguishing it from new HFS ZOSFILE_RECORD_DELIMITER setting. Processing message references will now be made to ZIPFILE_RECORD_DELIMITER instead of DATA_DELIMITER. To maintain upgrade continuity for existing job streams, the DATA_DELIMITER command and the MCZDFLTS DATA_DELIMITER= keyword designator for the defaults module will continue to be supported as mapping entries to ZIPFILE_RECORD_DELIMITER.

Release 10 renamed the PATH setting to USE_SOURCE_PATH to eliminate ambiguity with respect to HFS PATH names and PATH catalog entries. To maintain upgrade continuity for existing job streams, the PATH command and the MCZDFLTS PATH= keyword designator for the defaults module will continue to be supported as mapping entries to USE_SOURCE_PATH.

Release 10 introduced newer forms of the self-extractor programs (see INCLUDE_SFX for details) that support ZIP64 processing and strong decryption. The older versions of the self-extractors are still available, but they are now specified under different names; jobs coded with the previous names will include the newer form of the self-extraction program in the archive.

Release 10 introduced the command OUTFILE_LONGREC to support optional wrapping of long extracted records (rather than truncating them). This command replaces the maintenance option PROC_OPT3=W setting (with alias command LONGREC_WRAP) introduced with TT3392. Although PROC_OPT3=W is still supported in this release, it is recommended that commands and default module settings be changed to use OUTFILE_LONGREC=WRAP instead. The LONGREC_WRAP alias command is now assigned to OUTFILE_LONGREC and continues to be supported.

Note: When changing the defaults module to use OUTFILE_LONGREC=W, PROC_OPT3= should be removed from the ACZDFLT source to avoid possible conflicts. When either setting is found to be “W/WRAP”, the record will be wrapped.

Release 10 and higher permit the use of CRLF=’Y,NOEOFDELIM’ and FILE_TERMINATOR= in the defaults module to prevent unwanted delimiter and terminator characters from being placed at the end of a file as it is added to an archive. This approach replaces the older technique of adding the commands –CRLF(C) –FILE_TERMINATOR() to the command stream.

Release 10.0 introduced a new format for the SAFETYEX module in INSTLIB. Transfer any installation entries you have made in the SAFETYEX module you have been using to a copy of the new module. The new version of the module has a separate section for HFS PATH entries.

Installations using GZIP=Y in customized default modules should convert to ARCHIVE_ZIPFORMAT=GZIP. The GZIP setting is no longer honored when defined in the defaults module.

Installations activating ARCHIVE_ZIPFORMAT Enhanced Tape Processing (XTAPE, XTAPE_LBI or FULL_LBI) should be aware that there are back-level release sharing considerations. ARCHIVE_ZIPFORMAT=FULL is recommended if a tape archive created by the current release is to be accessed by an older release of SecureZIP for z/OS. However, toleration maintenance change TT2741 is available for PKZIP for zSeries (releases 5.6 & 8.2) and SecureZIP for zSeries (releases 8.1 & 8.2) to provide restricted UNZIP processing capabilities. For information, refer to the ARCHIVE_ZIPFORMAT and ARCHIVE_BLKSIZE commands in the PKZIP/SecureZIP for z/OS User’s Guide.

Installations suppressing the //SYSIN PDS member verification for performance reasons with PROC_OPT1=N (available with PKZIP for MVS 5.0.10 maintenance) in ACZDFLT should change to CHECK_SYSIN_MEMBER=N in the assembly of ACZDFLT. PROC_OPT1 is no longer used for this purpose in PKZIP for MVS Release 5.5 or SecureZIP for z/OS.

Installations controlling the //SYSPRINT DCB attributes with PROC_OPT2 (available with PKZIP for MVS 5.0.10 maintenance) in ACZDFLT should change to SYSPRINT_DCB in the assembly of ACZDFLT. PROC_OPT2 is no longer used for this purpose in PKZIP for MVS Release 5.5 or SecureZIP for z/OS.


Installations utilizing the filename case-insensitivity feature with PROC_OPT3=U (available with PKZIP for MVS 5.5.0 maintenance) in ACZDFLT should change to FILENAME_SELECT_CASE=U in the assembly of ACZDFLT. PROC_OPT3 is no longer used for this purpose in SecureZIP for z/OS.

Upgrade note: Installations previously using text translation tables other than EBC#8859 for TRANSLATE_TABLE_DATA or TRANSLATE_TABLE_FILEINFO should review the data translation characters used. The newer default tables in EBC#8859 use the IBM ICONV standard character sets for IBM-1047 EBCDIC and ISO-8859-1 ASCII. In general, the newer default table is better for general-purpose text translation than the older ASCIIUS, ASCIIUSE, ASCIIUK, and ASCIIUKE tables. However, the older tables are still provided for compatibility in case installation-dependent processing requires translation of specialized character sets.

The command ZIP_UNMOVABLE_CHKPT replaces functional fix TT1825 using PROC_OPT5 in earlier releases of the product. Installations previously using PROC_OPT5 are encouraged to use ZIP_UNMOVABLE_CHKPT. PROC_OPT5 is still active in this release, with differences in message notification (see command Usage Notes in the User’s Guide for more information).

The command GZIPCRC_IGNORE replaces functional fix TT2367 using PROC_OPT6 in earlier releases of the product. Installations previously using PROC_OPT6 are encouraged to use the new command. PROC_OPT6 is still active in this release, but may be removed in the future.

Encryption features associated with the Advanced Encryption Module of PKZIP for zSeries releases 5.5 and 5.6 are now only available with SecureZIP for z/OS. However, PKZIP for z/OS Enterprise Edition does include decryption capabilities allowing access to ZIP files created by earlier releases.

SecureZIP installations previously using MASTER_RECIPIENT commands for contingency key processing will find a difference in processing if multiple MASTER_RECIPIENT command settings are provided in an execution. Whereas release 8.1 used the last command value, now all MASTER_RECIPIENT settings are cumulatively added to the run to provide support for multiple contingency keys.

Installations using password-based encryption with passphrases greater than 95 characters should reference information from PKWARE HIPER fix TT3057. Contact the PKWARE Support team at 937-847-2687 with any questions related to this HIPER.

Release History and Setting Changes

A historical list of release changes is documented in the User Guide, Chapter 3, in the sections “Release Summary” and “New Commands and Defaults”. It is highly recommended that this section be reviewed to identify changes that may require attention for your installation’s current operating environment.


Distinctive Features of PKZIP and SecureZIP for z/OS

Distinctive features available for both PKZIP and SecureZIP include:

Ability to execute from ISPF panels, as a TSO/E command, within TSO/E REXX EXECs or CLISTs, from an application program, or as a stand-alone batch utility

A robust ISPF panel interface that displays the ZIP archive directory in a table format and enables selection of individual archived (zipped) files for browsing, viewing, extracting, or deleting

Compression and extraction of datasets of the following types on DASD:

o Sequential files

o PDS and PDSE members

o VSAM files (KSDS, ESDS, RRDS)

o JES2 subsystem input files (for example, //ddname DD *)

Command extensions allowing greater flexibility in file selection

Unique filename translation to and from MVS DSNAME conventions and the UNIX-style names typically found in zip archives

Compressing and extracting of datasets of the following types on tape:

o Sequential files

o Compressing and extracting of files to z/OS Load Libraries

o Compressing and extracting of files to Generation Data Groups (GDGs)

o GDG files can be used as a ZIP archive

Retention of dataset allocation information, such as dataset organization, device type, and DCB/Cluster attributes. Preservation of this information allows for duplication of the file with the same characteristics during the UNZIP process.

Support of ZIP archives within the following dataset organizations:

o Sequential files (DASD, Tape, or Cartridge)

o PDS and PDSE members

o VSAM ESDS

o HFS (Hierarchical File System) UNIX files residing in mounted FILESYSTYPEs of HFS, NFS, TFS and ZFS.

Selection of datasets for processing based upon user-specified control statements, DD JCL specifications, or user-defined filtering lists

Execution in AMODE 31, using storage primarily above the 16-Mb line. However, certain operating system control blocks and system services require virtual storage below the 16-Mb line. The amount of virtual storage available within each of these areas of an address space will limit the use of some performance options (for example, multi-tasking and temporary files in storage) and capabilities.

Defaults are customizable during installation. Multiple defaults modules may be created for use for a variety of application needs. Commands can be locked in the default modules, precluding their use in a ZIP or UNZIP run with values or settings other than the locked ones.

Use of pre-defined command files saved in a place selected by the user or system administrator. These can be referenced by multiple jobs or users, thus eliminating the need for individual JCL command streams. They can also be used in combination with individual job inputs to provide a consistent set of processing controls.

Certain features of PKZIP for z/OS are separately licensed.

Distinctive Features of SecureZIP for z/OS

Distinctive features of SecureZIP for z/OS include:

Incorporation of the IBM Integrated Cryptographic Service Facility (ICSF) APIs, enabling the use of hardware acceleration on a variety of hardware platforms for data encryption/decryption and digital signature creation/authentication.

Dynamic run-time selection of a cryptographic facility appropriate to the current operating environment. This allows the same SecureZIP configuration to perform data encryption and signature hash operations under different system cryptographic profiles and also to take advantage of newly activated cryptographic hardware.

Ability to access certificates in directory servers through an LDAP-compliant interface. SecureZIP can look for certificates in LDAP certificate stores and automatically search these stores for recipients to whom you are sending an email message so that you can use their keys when encrypting an attachment. (Requires the optional Directory Integration module.)

Use of digital certificates located in the z/OS security server

Registration of passphrases to eliminate exposed run-time passphrase values

Policy control through security server general resource rules

Encryption Contingency Key adherence

SMF recording in support of audit trails

Certain features of SecureZIP for z/OS are separately licensed.

PKWARE PartnerLink: SecureZIP Partner for z/OS

SecureZIP for z/OS is also available in a special version—SecureZIP Partner for z/OS—through the PKWARE PartnerLink program. The PKWARE PartnerLink program provides a straightforward, secure way for an organization to exchange sensitive information with outside partners who perhaps do not have SecureZIP.

SecureZIP Partner for z/OS differs from the full SecureZIP for z/OS in that it only extracts archives from, and only creates and encrypts archives for, a PartnerLink sponsor.

See chapter 6 for information about SecureZIP Partner for z/OS. Contact PKWARE for more information about the PKWARE PartnerLink program.


Note: SecureZIP Partner for z/OS was called SecureZIP for z/OS Reader/SecureLink prior to release 9.0 of SecureZIP for z/OS.

Encryption

Encryption provides confidentiality for data. Unencrypted data is called plaintext. Encryption transforms the plaintext data into an unreadable form, called ciphertext, using an encryption key. Decryption transforms the ciphertext back into plaintext using a decryption key.

PKZIP for z/OS provides limited support for passphrase encryption and decryption using a traditional 96-bit key (ENCRYPTION_METHOD=STANDARD). In addition, a licensable feature is available to decrypt passphrase-encrypted files that had been encrypted with SecureZIP with more advanced encryption methods.

SecureZIP only

Several algorithms have been approved in FIPS for the encryption of general purpose data. Each of these algorithms is a symmetric key algorithm, where the encryption key is the same as the decryption key. SecureZIP for z/OS uses symmetric key algorithms when encrypting user data.

In order to maintain the confidentiality of the data encrypted by a key, the key must be known only by the entities that are authorized to access the data. These symmetric key algorithms are commonly known as block cipher algorithms because the encryption and decryption processes each operate on blocks (chunks) of data of a fixed size.

FIPS 46-3 and FIPS 197 have been approved for the encryption of general-purpose data. The protection of keys is discussed below under “Key Management.”

Authentication

SecureZIP only

Authentication is the process of validating digital signatures that may be attached to files in an archive or to an archive’s central directory.

Authentication is a separate operation from data encryption. Whereas encryption is concerned with preventing parties from accessing sensitive data (such as private medical or financial information), authentication confirms that information actually comes unchanged from the purported source.

Authenticating digitally signed data both verifies the signature and validates the signed data.

Data Integrity

SecureZIP for z/OS uses a Cyclic Redundancy Check (CRC) to ensure that data is successfully transferred into and out of a ZIP archive. The CRC process creates a unique hash value “thumbprint” from the original data stream. The thumbprint is regenerated at the receiving end and compared with the hash of the source for equality. The thumbprint value is stored independently of the data stream and is used during UNZIP processing to complete validation of the data.

SecureZIP for z/OS extends the concept of the CRC in two ways for the purpose of providing a tamper-resistant container within the ZIP archive. First, more rigorous hash algorithms (MD5 and SHA-1) are used (as specified by the SIGN_HASHALG command) in addition to the 32-bit CRC to accurately reflect the uniqueness of the data stream. Second, the hash value is encrypted within a digital signature using a private-key certificate for the purpose of tamper detection at the completion of file extraction.

For more information regarding SHA-1 (Secure Hash Algorithm), see FIPS PUB 180-1, describing the Secure Hash Standard, at http://www.itl.nist.gov/fipspubs/fip180-1.htm.

SecureZIP for z/OS provides two commands, SIGN_ARCHIVE and SIGN_FILES, to initiate the creation of digital signatures within the ZIP archive. The AUTHCHK command is used to perform a tamper check operation using the digital signature and hash.

Digital Signature Validation

SecureZIP only

SecureZIP for z/OS makes use of certificate-based encryption within the public key infrastructure (PKI) to generate and validate digital signatures. PKI provides an authentication chain for certificates to guarantee that the signature was created by the purported source. SecureZIP supports the certificate chain authentication process by including necessary identification information within the ZIP archive. Subsequently, the certificate(s) used for signing can be authenticated through a complete chain of trust.

To complete the chain of trust, a root (or self-signed) certificate representing the certificate’s issuing organization is installed on the authenticating system. This provides the receiving organization with the authority to declare how the final trust sequence should be treated. Signatures based on certificates from certificate authorities (CAs) that are not authorized or trusted are declared as untrusted by SecureZIP.

Additional facets of validating a certificate’s viability for use include a defined range of dates within which a certificate may be used and whether the certificate has been declared to have been revoked. Configurable SecureZIP policies (EXPIRED and REVOKED attributes) provide support to ensure that the certificates involved in authentication also adhere to these restrictions.

SecureZIP for z/OS provides a means to install and access the certificates necessary for signing and authentication. The AUTHCHK command, along with the configured policy settings, governs the type (archive directory or data files) and level of authentication that is to be performed.

Digital Signature Source Validation

SecureZIP only

A final step in the authentication process is to ensure that the archive and/or file data was sent from a particular source. The previous steps verified that the archive directory and/or files were signed with a private-key certificate that came from a trusted source (CA) and that the data stream has not been tampered with since it was placed into the ZIP archive. However, these steps alone do not guarantee that a different party under the same root/CA chain did not perform the signing operation.

SecureZIP for z/OS provides an optional parameter in the AUTHCHK command to declare the specific party from whom the data is expected.
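The checks described in the Data Integrity, Digital Signature Validation and Digital Signature Source Validation sections above, modelled in Python as an added example (this is not PKWARE code and not the SecureZIP implementation). The RSA keys are tiny demonstration values built from small primes, the certificate structure, the day-number validity windows, the `authchk` function and the payroll record are all constructed for illustration; the real AUTHCHK works on X.509 certificates held in the stores described later in this chapter.

```python
import hashlib
import zlib
from dataclasses import dataclass

E = 65537  # public exponent shared by every toy key


def make_key(p: int, q: int) -> dict:
    """Toy RSA key pair from two small primes (demonstration values, never real keys)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E, "d": pow(E, -1, phi)}


def public(key: dict) -> dict:
    return {"n": key["n"], "e": key["e"]}


def thumbprint(data: bytes, n: int) -> int:
    """SHA-1 thumbprint of the data stream, reduced into the toy key's range."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") % n


def sign(data: bytes, key: dict) -> int:
    """The thumbprint 'encrypted' with the private key, as the text describes."""
    return pow(thumbprint(data, key["n"]), key["d"], key["n"])


def verify(data: bytes, sig: int, pub: dict) -> bool:
    """Recover the thumbprint with the public key and compare it with a fresh hash."""
    return pow(sig, pub["e"], pub["n"]) == thumbprint(data, pub["n"])


def crc_ok(data: bytes, stored_crc: int) -> bool:
    """The CRC-32 check every extraction performs; it detects accidents, not tampering."""
    return zlib.crc32(data) == stored_crc


@dataclass
class Cert:
    subject: str
    issuer: str
    pub: dict
    not_before: int   # validity window as day numbers (constructed)
    not_after: int
    sig: int = 0      # issuer's signature over tbs()

    def tbs(self) -> bytes:
        """To-be-signed portion: identity, key and validity window."""
        return f"{self.subject}|{self.issuer}|{self.pub['n']}|{self.not_before}|{self.not_after}".encode()


def issue(subject, pub, issuer, issuer_key, not_before, not_after) -> Cert:
    """Issue a certificate; issuer=None produces a self-signed root."""
    cert = Cert(subject, issuer.subject if issuer else subject, pub, not_before, not_after)
    cert.sig = sign(cert.tbs(), issuer_key)
    return cert


def authchk(data, sig, signer, chain, trusted_roots, today, revoked=(), expected=None):
    """Model of AUTHCHK: integrity, chain of trust, EXPIRED/REVOKED policy, expected source."""
    if not verify(data, sig, signer.pub):
        return False, "thumbprint mismatch: data altered or wrong signing key"
    intermediates = {c.subject: c for c in chain}
    roots = {c.subject: c for c in trusted_roots}
    cert = signer
    for _ in range(8):  # bounded walk so a malformed chain cannot loop forever
        if not cert.not_before <= today <= cert.not_after:
            return False, f"{cert.subject}: outside validity period"
        if cert.subject in revoked:
            return False, f"{cert.subject}: revoked"
        if cert.issuer == cert.subject:   # self-signed: trusted only if installed as a root
            installed = roots.get(cert.subject)
            if installed and installed.pub == cert.pub and verify(cert.tbs(), cert.sig, cert.pub):
                break
            return False, f"{cert.subject}: self-signed but not an installed trusted root"
        issuer = intermediates.get(cert.issuer) or roots.get(cert.issuer)
        if issuer is None:
            return False, f"{cert.subject}: issuer {cert.issuer} not available"
        if not verify(cert.tbs(), cert.sig, issuer.pub):
            return False, f"{cert.subject}: certificate signature invalid"
        cert = issuer
    else:
        return False, "chain too long"
    if expected is not None and signer.subject != expected:
        return False, f"signed by {signer.subject}, expected {expected}"
    return True, "authenticated"


def demo() -> dict:
    """Constructed PKI (root, intermediate CA, two end entities) and the checks on one file."""
    root_key, ca_key = make_key(1009, 1013), make_key(1019, 1021)
    alice_key, bob_key = make_key(1031, 1033), make_key(1039, 1049)
    root = issue("DemoRoot", public(root_key), None, root_key, 0, 10000)
    ca = issue("DemoCA", public(ca_key), root, root_key, 0, 5000)
    alice = issue("alice", public(alice_key), ca, ca_key, 100, 800)
    bob = issue("bob", public(bob_key), ca, ca_key, 100, 800)
    payload = b"PAYROLL,2009-05,ACCT 1234,AMOUNT 100.00\n"   # constructed file content
    sig = sign(payload, alice_key)
    altered = payload.replace(b"100.00", b"999.00")
    return {
        "original": authchk(payload, sig, alice, [ca], [root], 500, expected="alice"),
        # anyone can recompute a CRC over altered data, so the CRC alone still passes
        "crc_recomputed": crc_ok(altered, zlib.crc32(altered)),
        "altered": authchk(altered, sig, alice, [ca], [root], 500, expected="alice"),
        "wrong_party": authchk(payload, sign(payload, bob_key), bob, [ca], [root], 500, expected="alice"),
        "expired": authchk(payload, sig, alice, [ca], [root], 900, expected="alice"),
        "revoked": authchk(payload, sig, alice, [ca], [root], 500, revoked={"alice"}),
        "no_root": authchk(payload, sig, alice, [ca, root], [], 500),
    }
```

The `demo` results show the layering the text describes: the altered record still passes a recomputed CRC but fails the signature check; a signature by another party under the same CA chain passes every trust check and is rejected only by the expected-signer test, which is the role of the optional AUTHCHK parameter; and a chain whose root is not installed as a trusted root is rejected even though every certificate signature in it is valid.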

Public-Key Infrastructure and Digital Certificates

SecureZIP only

Public-Key Infrastructure (PKI)

Use of digital certificates for encryption and digital signing relies on a combination of supporting elements known as a public-key infrastructure (PKI). These elements include software applications such as SecureZIP that work with certificates and keys as well as underlying technologies and services.

The heart of PKI is a mechanism by which two cryptographic keys associated with a piece of data called a certificate are used for encryption/decryption and for digital signing and authentication. The keys look like long character strings but represent very large numbers. One of the keys is private and must be kept secure so that only its owner can use it. The other is a public key that may be freely distributed for anyone to use to encrypt data intended for the owner of the certificate or to authenticate signatures.

How the Keys Are Used

With encryption/decryption, a copy of the public key is used to encrypt data such that only the possessor of the private key can decrypt it. Thus anyone with the public key can encrypt for a recipient, and only the targeted recipient has the key with which to decrypt.

With digital signing and authentication, the owner of the certificate uses the private key to sign data, and anyone with access to a copy of the certificate containing the public key can authenticate the signature and be assured that the signed data really comes unchanged from the signer.

Authentication has one additional step. As an assurance that the signer is who he says he is—that the certificate with Bob’s name on it is not fraudulent—the signer’s certificate itself is signed by an issuing certificate authority (CA). The CA in effect vouches that Bob is who he says he is. The CA signature is authenticated using the public key of the CA certificate used. This CA certificate too may be signed, but at some point the trust chain stops with a self-signed root CA certificate that is simply trusted. The PKI provides for these several layers of end-user public key certificates, intermediate CA certificates, and root certificates, as well as for users’ private keys.

X.509

X.509 is an International Telecommunication Union (ITU-T) standard for PKI. X.509 specifies, among other things, standard formats for public-key certificates. A public-key certificate consists of the public portion of an asymmetric cryptographic key (the public key), together with identity information, such as a person’s name, all signed by a certificate authority. The CA essentially guarantees that the public key belongs to the named entity.

Digital Certificates

A digital certificate is a special message that contains a public key and identity information about the owner, usually including name and perhaps email address. An ordinary, end-user digital certificate is digitally signed by the CA that issued it to warrant that the CA issued the certificate and has received satisfactory documentation that the owner of the certificate is who he says he is. This warrant, from a trusted CA, enables the certificate to be used to support digital signing and authentication, and encryption of data uniquely for the owner of a certificate.

For example, Web servers frequently use digital certificates to authenticate the server to a user and create an encrypted communications session to protect transmitted secret information such as Personal Identification Numbers (PINs) and passwords.

Similarly, an email message may be digitally signed, enabling the recipient of the message to authenticate its authorship and that it was not altered during transmission.

To use PKI technology in SecureZIP for z/OS for encryption and to attach digital signatures, you must have a digital certificate.

Certificate Authority (CA)

A certificate authority (CA) is a company (usually) that, for a fee, will issue a public-key certificate. The CA signs the certificate to warrant that the CA issued the certificate and has received satisfactory documentation that the owner of the new certificate is who he says he is.

Private Key

A digital certificate contains both private and public portions of an asymmetric cryptographic key together with identity information, such as a person's name and (possibly) email address. The private portion of the key is called the private key and is used to decrypt data encrypted with the associated public key and to attach digital signatures.

A private key must be accessible solely by the owner of the certificate because it represents that person and provides access to encrypted data intended only for the owner.

SecureZIP for z/OS may use a private key maintained in X.509 PKCS#12 format. To access such keys, a password must be entered for each SecureZIP request. When the private key is held in the z/OS Security Server (such as RACF) or the ICSF PKDS, access permission to the private key is governed by the security server, and a password is not required.

Public Key

A public key consists of the public portion of an asymmetric cryptographic key in a certificate that also contains identity information, such as the certificate owner’s name.

The public key is used to authenticate digital signatures created with the private key and to encrypt files for the owner of the key’s certificate.


Certificate Authority and Root Certificates

End-entity certificates and their related keys are used for signing and authentication. They are created at the end of the trust hierarchy of certificate authorities. Each certificate is signed by its CA issuer, which is identified in the “Issued By” field of the end certificate. In turn, a CA certificate can also be issued by a higher-level CA. Such certificates are known as intermediate CA certificates. At the top of the issuing chain is a self-signed certificate known as the root.

SecureZIP for z/OS uses public-key certificates in PKCS#7 format. The intermediate CA certificates are maintained independently from the ROOT certificates.

Setting Up Stores for Digital Certificates on z/OS

SecureZIP only

To use certificates for encryption/decryption or digital signing/authentication, SecureZIP needs to access the keys in the certificates.

An installation may choose any combination of the following options for storing digital certificates in a repository:

Security Server (for example, RACF) key rings with public and private keys suitable for signing, authentication, encryption, and decryption. If the system is appropriately equipped with a cryptographic coprocessor supporting asymmetric keys, private keys may optionally be stored in the ICSF PKDS.

SecureZIP Certificate Store with public and private keys suitable for signing, authentication, encryption, and decryption.

LDAP server with public key certificates suitable for encryption.

Regardless of the certificate repositories chosen, it is recommended that you create and configure a SecureZIP certificate store. The key store index component of the SecureZIP certificate store can be used for other features, such as providing a cross-reference lookup of decryption recipients in a ZIP archive, or registering passphrases in the ICSF CKDS.

Setting Up the Certificate Stores

The PKWARE utility used to administer the local certificate store is accessed through an ISPF dialog. The CREATE option assists you in setting up the store and imports certificates you want SecureZIP to use. For detailed instructions on creating certificate stores on z/OS, refer to chapter 4.

The utility procedure maintains the stores listed in the following table.


Store: Public
Description: A store for end-entity certificates used to identify encryption recipients or for authentication of digital signatures. Certificate files in this store contain only public keys; they do not contain private keys. SecureZIP for z/OS represents these certificates held in the local certificate store through the ISPF interface as “CER” entries. Other system types may refer to this store as “Other People” or “Address Book”.

Store: Private
Description: A store for end-entity certificate files with their respective private keys. Private keys are used to decrypt files or perform digital signing. SecureZIP for z/OS represents these certificates held in the local certificate store through the ISPF interface as “PFX” entries. (Private keys in this store are encrypted using PKCS#8 format and PKCS#5 version 2.) Other system types may refer to this store as “Personal” or “MY Store”.

Store: Intermediate Certificate Authority
Description: A store of issuing certificate files associated with the end-entity certificates. These certificates are used to authenticate the validity of an end-entity digital signature on a receiving system. They are also included in a SecureZIP archive when a signing operation is performed. Other system types may refer to this store as “CA”.

Store: Trusted Root Certificate Authority
Description: A store of issuing certificates that are classified as “self-signed,” meaning that each one is at the top of a hierarchy of issuing CAs. These certificates are used to authenticate the validity of an end-entity digital signature on a receiving system. They are deemed to be “trusted” by virtue of their installation on an authenticating system. They are also included in a SecureZIP archive when a signing operation is performed. Other system types may refer to this store as “ROOT”.

The local certificate store administrative utility sets up the certificate stores as physical files containing X.509 certificates, with a VSAM index structure providing search and selection capabilities.

A SecureZIP for z/OS “create” dialog is provided to lead a systems administrator through the steps needed to allocate and prime a new local certificate store. Sample test certificates are installed to each store type, making it ready for use. In addition, a configuration file is generated that should be made accessible for SecureZIP users for use in encryption, decryption, signing, and authentication requests. The configuration file may be included explicitly through an INCLUDE_CMD command, or implicitly by activating it through the PARMLIB configuration of the SecureZIP defaults module.

A set of high-level qualifiers is used to control the allocation of the physical store data sets and index components. This permits multiple distinct local certificate stores to be created, administered and accessed independently within a system. This is useful for segregating test from production, or other departmental separation. Data set protection may then be applied to various components to control update or read access as needed.

RACF ALTER authority (or equivalent) must be granted to the systems administrator responsible for creating a new certificate store. This authority is also required for creating backups, performing recovery operations, or performing some synchronization tasks which re-allocate components.

Updating the Certificate Stores

X.509 certificates may be added to the local certificate store through the SecureZIP local certificate store administration tool. These certificates are frequently obtained through another platform and transferred (binary) to the operational z/OS system for installation.

Important: All X.509 certificates should be transferred to the local z/OS environment in binary mode with no translation.

When certificates are added, the certificate administration tool determines the appropriate store location based on the certificate type specified and dynamically builds an index entry for future search and selection.

SecureZIP can import certificates and keys in the following file formats:

Format: PEM
Description: Contains a single end-entity public-key certificate. It may be in Base-64 encoded (ASCII text with ASCII headers) or DER-encoded binary format. Common file extensions: .pem, .cer, .key

Format: PKCS#12
Description: Contains a single end-entity private-key certificate (which also contains its public key). By definition, it is in binary format. Common file extensions: .pfx, .p12

Format: PKCS#7
Description: Contains one or more CA (and/or root) certificates. Common file extension: .p7b

You must tell the certificate store administrative dialog what certificate file-type and key-type to import. The utility copies the existing certificates and keys from their specified location and adds them to the appropriate store locations. When transferring certificates to the z/OS environment in preparation for an import to the local certificate store, be sure to allocate the file they are stored in as sequential, with a DCB RECFM of F, FB, V or VB.
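An added example (not part of the product or its administration dialog) of the kind of pre-import check an administrator could run on a certificate file after transferring it to z/OS: it distinguishes PEM armour from raw DER, reads the outer ASN.1 SEQUENCE length to detect a truncated file, recognises PEM text that was translated to EBCDIC during the transfer (the case the Important note above warns about), and maps the recognised content to the store it belongs in. The cp037 codec stands in for the installation's EBCDIC translation tables, the content-type heuristic based on the first inner tag is an assumption of this example, and the DER objects are constructed stand-ins, not real certificates.

```python
import base64
import re

# Assumption: cp037 stands in for the IBM EBCDIC tables a z/OS text-mode transfer would apply.
EBCDIC_CODEC = "cp037"
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
SEQUENCE = 0x30

# Which SecureZIP local store each recognised content type belongs in (from the table above).
STORE_FOR = {"X.509 certificate": "Public (CER)", "PKCS#12": "Private (PFX)", "PKCS#7": "CA / Root"}


def der_header(blob: bytes):
    """Parse the outer DER tag and length; return (tag, header_len, content_len) or None."""
    if len(blob) < 2:
        return None
    tag, first = blob[0], blob[1]
    if first < 0x80:                      # short form: the byte is the content length
        return tag, 2, first
    num = first & 0x7F                    # long form: count of following length bytes
    if num == 0 or len(blob) < 2 + num:   # 0x80 (indefinite length) is not permitted in DER
        return None
    return tag, 2 + num, int.from_bytes(blob[2:2 + num], "big")


def content_type(der: bytes) -> str:
    """Heuristic (assumption of this example) from the first element inside the outer
    SEQUENCE: an X.509 certificate opens with the tbsCertificate SEQUENCE, a PKCS#12
    file with a version INTEGER, and a PKCS#7 bundle with a contentType OID."""
    _, hdr_len, content_len = der_header(der)
    if content_len == 0:
        return "empty SEQUENCE"
    return {SEQUENCE: "X.509 certificate", 0x02: "PKCS#12", 0x06: "PKCS#7"}.get(der[hdr_len], "unrecognised")


def classify(blob: bytes) -> dict:
    """Decide whether a transferred certificate file is fit to import and where it goes."""
    m = PEM_RE.search(blob)
    if m:
        der = base64.b64decode(m.group(2))
        hdr = der_header(der)
        if hdr is None or hdr[0] != SEQUENCE or hdr[1] + hdr[2] != len(der):
            return {"kind": "PEM", "ok": False, "reason": "Base-64 body is not one complete DER SEQUENCE"}
        kind = content_type(der)
        return {"kind": "PEM", "ok": True, "label": m.group(1).decode(), "content": kind, "store": STORE_FOR.get(kind)}
    if "-----BEGIN" in blob.decode(EBCDIC_CODEC, errors="replace"):
        return {"kind": "PEM", "ok": False, "reason": "PEM text was translated to EBCDIC in transfer; resend in binary mode"}
    hdr = der_header(blob)
    if hdr is None or hdr[0] != SEQUENCE:
        return {"kind": "unknown", "ok": False, "reason": "no PEM armour and no leading DER SEQUENCE"}
    if hdr[1] + hdr[2] != len(blob):
        return {"kind": "DER", "ok": False,
                "reason": f"SEQUENCE claims {hdr[1] + hdr[2]} bytes but file has {len(blob)} (truncated or translated)"}
    kind = content_type(blob)
    return {"kind": "DER", "ok": True, "content": kind, "store": STORE_FOR.get(kind)}


# Constructed minimal DER objects shaped like each file type (not real certificates).
CERT_DER = bytes.fromhex("30053003020105")              # SEQUENCE { SEQUENCE { INTEGER 5 } }
PFX_DER = bytes.fromhex("3003020103")                   # SEQUENCE { INTEGER 3 }
P7B_DER = bytes.fromhex("300b06092a864886f70d010702")   # SEQUENCE { OID 1.2.840.113549.1.7.2 }
PEM_TEXT = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(CERT_DER) + b"-----END CERTIFICATE-----\n"
EBCDIC_PEM = PEM_TEXT.decode("ascii").encode(EBCDIC_CODEC)   # what a text-mode transfer would produce
```

The length check is the useful part for the transfer problem: any ASCII-to-EBCDIC translation of a binary DER file changes bytes inside the length fields, so the outer SEQUENCE almost never accounts for exactly the file size afterwards, and a PEM file that was translated shows up as EBCDIC text rather than as armour the importer can find.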

RACF UPDATE authority (or equivalent) must be granted to the systems administrator responsible for altering the certificate store. This authority is also required when performing the on-line Synchronize function.

Types of Encryption Algorithms

Standard PKZIP for z/OS provides support for password-based encryption and decryption using a 96-bit “Standard” encryption algorithm that is supported by older ZIP-compatible utilities. In addition, PKZIP for z/OS Enterprise Edition supports the decryption of all password-based algorithms provided in SecureZIP for z/OS.

SecureZIP only

FIPS 46-3, Data Encryption Standard (DES)

The FIPS (Federal Information Processing Standards) specification 46-3 formerly specified the DES algorithm for use in Federal government applications. In 2004, the specification was changed such that DES is no longer approved for Federal government applications.

Triple DES Algorithm (3DES)

Triple DES is a more recent algorithm related to DES. Triple DES is a method for encrypting data in 64-bit blocks using three 56-bit keys by combining three successive invocations of the DES algorithm.

ANSI X9.52 specifies seven modes of operation for 3DES and three keying options: 1) the three keys may be identical (one key 3DES), 2) the first and third key may be the same but different from the second key (two key 3DES), or 3) all three keys may be different (three key 3DES). One key 3DES is equivalent to DES under the same key; therefore, one key 3DES, like DES, will not be approved after 2004. Two key 3DES provides more security than one key 3DES (or DES), and three key 3DES achieves the highest level of security for 3DES. NIST recommends the use of three different 56-bit keys in Triple DES for Federal Government sensitive/unclassified applications.

SecureZIP for z/OS uses three-key 3DES when Triple DES is selected as the data encryption algorithm.

Advanced Encryption Standard (AES)

The Advanced Encryption Standard (AES) encryption algorithm specified in FIPS 197 is the result of a multiyear, worldwide competition to develop a replacement algorithm for DES. The winning algorithm (originally known as Rijndael) was announced in 2000 and adopted in FIPS 197 in 2001.

The AES algorithm encrypts and decrypts data in 128-bit blocks, with three possible key sizes: 128, 192, or 256 bits. The nomenclature for the AES algorithm for the different key sizes is AES-x, where x is the size of the AES key. NIST considers all three AES key sizes adequate for Federal Government sensitive/unclassified applications.

Please see http://www.nist.gov/public_affairs/releases/g00-176.htm for a press release recapping NIST’s position.

SecureZIP for z/OS uses AES as the default encryption algorithm.

Comparison of the 3DES and AES Algorithms

Both the 3DES and AES algorithms are considered to be secure for the foreseeable future. Below are some points of comparison:

3DES builds on DES implementations and is readily available in many cryptographic products and protocols. The AES algorithm is new; although many implementers are quickly adding the algorithm to their products, and protocols are being modified to incorporate the algorithm, it may be several years before the AES algorithm is as pervasive as 3DES.

The AES algorithm was designed to provide better performance (e.g., faster speed) than 3DES.

Although the security of block cipher algorithms is difficult to quantify, the AES algorithm, at any of the key sizes, appears to provide greater security than 3DES. In particular, the best attack known against AES-128 is to try every possible 128-bit key (i.e., perform an exhaustive key search, also known as a brute force attack). By contrast, although three key 3DES has a 168-bit key, there is a “shortcut” attack on 3DES that is comparable, in the number of required operations, to performing an exhaustive key search on 112-bit keys. However, unlike exhaustive key search, this shortcut attack requires a lot of memory. Assuming that such shortcut attacks are not discovered for the AES algorithm, the use of the AES algorithm may be more appropriate for the protection of high-risk or long-term data.

The smallest AES key size is 128 bits; the recommended key size for 3DES is 168 bits. The smaller key size means that fewer resources are needed for the generation, exchange, and storage of key bits.

The AES block size is 128 bits; the 3DES block size is 64 bits. For some constrained environments, the smaller block size may be preferred; however, the larger AES block size is more suitable for cryptographic applications, especially those requiring data authentication on large amounts of data.

See http://www.nist.gov/public_affairs/releases/g00-176.htm for a press release describing NIST’s position on the two algorithms.

With a block cipher algorithm, the same plaintext block will always encrypt to the same ciphertext block whenever the same key is used. If the multiple blocks in a typical message were to be encrypted separately, an adversary could easily substitute individual blocks, possibly without detection. Furthermore, data patterns in the plaintext would be apparent in the ciphertext. Cryptographic modes of operation have been defined to alleviate these problems by combining the basic cryptographic algorithm with a feedback of the information derived from the cryptographic operation.

FIPS 81, DES Modes of Operation, defines four confidentiality (encryption) modes for the DES algorithm specified in FIPS 46-3: the Electronic Codebook (ECB) mode, the Cipher Block Chaining (CBC) mode, the Cipher Feedback (CFB) mode, and the Output Feedback (OFB) mode.

SecureZIP for z/OS uses Cipher Block Chaining for data encryption.
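The ECB weakness and the CBC remedy described above, as an added example that is not from this guide or from PKWARE: a toy 4-round Feistel block cipher (an assumption standing in for AES or 3DES, built on an HMAC-SHA256 round function so the script runs with the Python standard library alone) encrypts the same repetitive record under ECB and under CBC. Counting distinct ciphertext blocks shows the pattern leak in ECB (one block repeated) and its absence in CBC, and the CBC decryption path shows that chaining costs nothing in recoverability.

```python
"""
ECB versus CBC over a repetitive plaintext.

Added example, not PKWARE code.  The block cipher here is a deliberately
small 4-round Feistel network with an HMAC-SHA256 round function, used
only so the example runs without third-party libraries; it stands in for
AES or 3DES (assumption), and the behaviour shown comes from the mode,
not from the cipher.
"""
import hashlib
import hmac
import os

BLOCK = 16            # 128-bit block, as in AES
HALF = BLOCK // 2
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    """Keyed round function: HMAC-SHA256 over (round number, half block), truncated."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return right + left          # final half swap, so decryption mirrors encryption


def block_decrypt(key: bytes, block: bytes) -> bytes:
    right, left = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        right, left = left, _xor(right, _round_fn(key, rnd, left))
    return left + right


def _blocks(data: bytes):
    if len(data) % BLOCK:
        raise ValueError("input must be a whole number of blocks (pad first)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Every block is encrypted on its own: equal plaintext blocks give equal ciphertext blocks.
    return b"".join(block_encrypt(key, b) for b in _blocks(plaintext))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Each block is XORed with the previous ciphertext block (the IV for the first) before encryption.
    out, prev = [], iv
    for b in _blocks(plaintext):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(ciphertext):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def distinct_blocks(data: bytes) -> int:
    """Number of different ciphertext blocks; 1 means every block leaked as identical."""
    return len(set(_blocks(data)))


def compare_modes(key: bytes, iv: bytes, plaintext: bytes) -> tuple:
    """(distinct ECB blocks, distinct CBC blocks, CBC round-trip ok)."""
    ct = cbc_encrypt(key, iv, plaintext)
    return (distinct_blocks(ecb_encrypt(key, plaintext)),
            distinct_blocks(ct),
            cbc_decrypt(key, iv, ct) == plaintext)


if __name__ == "__main__":
    key, iv = os.urandom(16), os.urandom(16)
    record = b"ACCT=0001;BAL=00"            # one 16-byte record, constructed sample data
    print(compare_modes(key, iv, record * 8))   # (1, 8, True)
```

The IV must be fresh per archive entry and is not secret; it travels with the ciphertext. What CBC does not give you is integrity: a changed ciphertext block still decrypts, it just decrypts to garbage, so a separate authentication check is still needed, which is why the text above ties the larger AES block size to data authentication.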

RC4

The RC4 algorithm is a stream cipher designed by Rivest for RSA Security. It is a variable key-size stream cipher with byte-oriented operations. The algorithm is based on the use of a random permutation. Analysis shows that the period of the cipher is overwhelmingly likely to be greater than 10^100. Eight to sixteen machine operations are required per output byte, and the cipher can be expected to run very quickly in software. Independent analysts have scrutinized the algorithm and it is considered secure.

RC4 is used for secure communications, as in the encryption of traffic to and from secure web sites using the SSL protocol.

Key Management

The proper management of cryptographic keys is essential to the effective use of cryptography for security. Keys are like the combination of a safe. If the combination becomes known to an adversary, the strongest safe provides no security against penetration. Similarly, poor key management can easily compromise strong algorithms. Ultimately, the security of information protected by cryptography directly depends on the strength of the keys, the effectiveness of mechanisms and protocols associated with keys, and the protection afforded the keys.

Cryptography can be rendered ineffective by the use of weak products, inappropriate algorithm pairing, poor physical security, and the use of weak protocols. All keys need to be protected against modification, and secret and private keys need to be protected against unauthorized disclosure. Key management provides the foundation for the secure generation, storage, distribution, and destruction of keys.

Further information is available on key management at the NIST Computer Security Resource Center web site, http://csrc.nist.gov/CryptoToolkit/tkkeymgmt.html

Passwords and PINS

FIPS 112, Password Usage, provides guidance on the generation and management of passwords used to authenticate the identity of a system user and, in some instances, to grant or deny access to private or shared data. This standard recognizes that passwords are widely used in computer systems and networks for these purposes, although passwords are not the only method of personal authentication, and the standard does not endorse the use of passwords as the best method.

The password used to encrypt a file with SecureZIPz may be from 1 to 250 characters in length. Different passwords may be used for various files within a ZIP archive, although only one password may be specified per run.

The password is not stored in the ZIP archive and, as a result, care must be taken to keep passwords secure and accessible by some other source.

Recipient Based Encryption

SecureZIP only

Password-based encryption depends on both the sender and the receiver knowing the password and supplying it in clear text. The password is used to derive a binary master session key for each decryption run. No key information is kept within the ZIP archive; therefore both parties must retain the password in an external location.

Recipient-based encryption provides a means by which the master session key (MSK) information can be hidden, protected, and carried within the ZIP archive. This is done by using a technique known as digital enveloping with public key encryption. The technique requires that the creating process have a copy of the recipient's public key digital certificate, which is used to protect and store the MSK. In addition, the receiving side must have a copy of the recipient's private key digital certificate. With these two pieces of information in place, there is no need for users to retain or recall a password for decryption.

Random Number Generation

SecureZIP only

Random numbers are used within many cryptographic applications, such as the generation of keys and other cryptographic values, the generation of digital signatures, and challenge response protocols. Some approved algorithms to produce random numbers have been specified in FIPS 186-2, Digital Signature Standard. An effort is in progress by the Financial Services Committee of ANSI to develop a random number generation standard.

Integrity of Public and Private Keys

SecureZIP only

Public and private keys must be managed properly to ensure their integrity. The key owner is responsible for protecting private keys. The private signature key must be kept under the sole control of the owner to prevent its misuse. The integrity of the public key, by contrast, is established through a digital certificate issued by a certification authority (CA) that cryptographically binds the individual’s identity to his or her public key. Binding the individual’s identity to the public key enables the key to be reliably used, for example, to authenticate signatures created with the corresponding private key.

A PKI includes the ability to recover from situations where an individual’s private signature key is lost, stolen, compromised, or destroyed. This is done by revoking the digital certificate that contains the private signature key’s corresponding public key (discussed further below). The user then creates or is issued a new public/private signature key pair and receives a new digital certificate for the new public key.

Data Encryption

SecureZIP only

SecureZIP for z/OS security functions include strong encryption tools using RSA BSAFE and IBM ICSF. SecureZIP for z/OS provides symmetric data encryption through these facilities using the RC4, DES, 3DES or AES algorithms.


RSA High-Quality Security - RSA Security submits its Crypto-C products for FIPS 140 testing and validation. FIPS 140-1 and FIPS 140-2 are U.S. Government standards which specify the security requirements to be satisfied by a cryptographic module. RSA Security supports this testing and certification with over 20 years of experience in the security industry.

IBM z/OS Integrated Cryptographic Service Facility (ICSF) provides several callable services to access both hardware and software implementations of the DES, 3DES and AES algorithms. With access to FIPS-validated hardware (such as the CEX2C), SecureZIP for z/OS provides FIPS 140-2 compliant encryption and decryption services.

SecureZIP for z/OS uses a multi-layer key generation process based on a user-specified password of up to 250 characters, and/or a user’s digital certificate, that creates a unique internal key for each file being processed. The same password will result in a different system-generated key for each file.
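The password rules under "Passwords and PINS" (1 to 250 characters, never stored in the archive) and the per-file key statement above, as an added example that is not PKWARE's own key-generation procedure (the guide does not specify it): PBKDF2-HMAC-SHA256 over the password and a fresh random per-file salt, with a short key-check value stored beside the salt so that a wrong password is rejected before any decryption is attempted. The iteration count, key length, salt length and check-value construction are assumptions for the example.

```python
"""
One password, a different data key for every file.

Added example, not PKWARE's key-generation procedure (this guide does not
spell it out).  It shows the property the text describes using a standard
construction: PBKDF2-HMAC-SHA256 over the password and a fresh random
per-file salt.  The archive entry keeps the salt and a short key-check
value, never the password and never the key.  ITERATIONS, KEY_LEN,
SALT_LEN and the check-value derivation are assumptions.
"""
import hashlib
import hmac
import os

MAX_PASSWORD = 250        # length limit stated on this page
ITERATIONS = 100_000      # assumption; tune to the platform
KEY_LEN = 32              # 256-bit data key (assumption)
SALT_LEN = 16             # assumption


def password_length_ok(password: str) -> bool:
    return 1 <= len(password) <= MAX_PASSWORD


def derive_file_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Per-file data key: same password + different salt -> different key."""
    if not password_length_ok(password):
        raise ValueError(f"password must be 1 to {MAX_PASSWORD} characters")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, KEY_LEN)


def key_check_value(key: bytes) -> bytes:
    """Short tag stored with the entry so a wrong password is detected up front."""
    return hmac.new(key, b"key-check", hashlib.sha256).digest()[:4]


def protect_entry(password: str, name: str, salt: bytes = None) -> dict:
    """Metadata an archive entry would carry; the password and key are not stored."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    key = derive_file_key(password, salt)
    return {"name": name, "salt": salt, "kcv": key_check_value(key)}


def unlock_entry(password: str, entry: dict):
    """Re-derive the key from the stored salt; None if the password does not match."""
    key = derive_file_key(password, entry["salt"])
    return key if hmac.compare_digest(key_check_value(key), entry["kcv"]) else None


def keys_are_distinct(password: str, names) -> bool:
    """True when every entry protected under one password gets its own key."""
    entries = [protect_entry(password, n) for n in names]
    return len({unlock_entry(password, e) for e in entries}) == len(entries)


if __name__ == "__main__":
    pw = "correct horse battery staple"       # constructed sample password
    a, b = protect_entry(pw, "PAYROLL.TXT"), protect_entry(pw, "LEDGER.TXT")
    print("salts differ:", a["salt"] != b["salt"])
    print("keys differ: ", unlock_entry(pw, a) != unlock_entry(pw, b))
    print("wrong pw rejected:", unlock_entry("wrong", a) is None)
```

Because only the salt and the 4-byte check value are stored, loss of the password is unrecoverable, which is exactly the operational point made under "Passwords and PINS": keep it available from some other source.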

SecureZIP for z/OS also implements the use of cipher block chaining (CBC) to further enhance industry standard encryption algorithms. This feature ensures that each block of data is uniquely modified, further protecting the data from fraudulent access.

SecureZIP for z/OS encryption is activated through the use of the PASSWORD and/or RECIPIENT commands. If a value is present for either setting, whether through commands or default settings, then encryption will be attempted in accordance with other settings (for example, ENCRYPTION_METHOD). However, if ENCRYPTION_METHOD=NONE is specified, then encryption will be bypassed.


2 Installation, Licensing, and Configuration

Installation Overview

The installation of SecureZIPz is accomplished by following the steps summarized below:

Select the media to be used in installing SecureZIPz.

Install from downloaded file, CD or tape.

Review the README.TXT file for recent information updates.

Evaluate system requirements.

Edit the supplied job control (JCL) with appropriate parameter changes for your data center.

Review the present chapter on installation, license, and configuration in this manual and proceed accordingly.

Run the installation verification jobs and test product features by modifying the sample JCL supplied in PKWARE.MVS.INSTLIB.

Begin using the product.

Details of these summarized instructions may be found below.

Type of Media Distribution for Installation

The SecureZIPz program may be received and installed from a variety of media types:

Downloaded from the PKWARE web site http://www.pkware.com/download-software

Received from PKWARE on compact disc (CD).

Received from PKWARE on magnetic cartridge.


Installation from Downloaded File or CD

Non-SMP/E Installation

If you have downloaded SecureZIPz from PKWARE’s Web site, ftp site, or have received the product on CD, then the file you need to start with is the self-extracting zip file called PKZIPzOS.exe (PKZIP), SecureZIPzOS.exe (SecureZIP) or PartnerLinkzOS.exe (SecureZIP Partner). The self-extracting file contains the binary XMIT files needed for installation along with various other supporting text and documentation.

The files extracted include:

Text Files

GLOBAL CONTACTS.TXT How to contact domestic and international resellers

LICENSE.TXT PKWARE's license agreement

README.TXT Installation and Configuration Instructions

ALLOC.JCL Allocation JCL (IEFBR14)

RECEIVE.JCL Receive the transmitted files

WHATSNEW.TXT A text file documenting product changes

Product Binaries

PKZIP Data Set          SecureZIP Data Set      PartnerLink Data Set    Distribution Library
PKZIP.XMIT.CEXEC        SECZIP.XMIT.CEXEC       PLINK.XMIT.CEXEC        Compiled REXX Library
PKZIP.XMIT.HELP         SECZIP.XMIT.HELP        PLINK.XMIT.HELP         Help Library
PKZIP.XMIT.INSTLIB      SECZIP.XMIT.INSTLIB     PLINK.XMIT.INSTLIB      Install Library
PKZIP.XMIT.INSTLIB2     SECZIP.XMIT.INSTLIB2    PLINK.XMIT.INSTLIB2     Install Library 2
PKZIP.XMIT.LOAD         SECZIP.XMIT.LOAD        PLINK.XMIT.LOAD         Common Load Module
PKZIP.XMIT.MACLIB       SECZIP.XMIT.MACLIB      PLINK.XMIT.MACLIB       Macro Library
PKZIP.XMIT.SPKZCLIB     SECZIP.XMIT.SPKZCLIB    PLINK.XMIT.SPKZCLIB     REXX Exec Library
PKZIP.XMIT.SPKZMLIB     SECZIP.XMIT.SPKZMLIB    PLINK.XMIT.SPKZMLIB     Message Library
PKZIP.XMIT.SPKZPLIB     SECZIP.XMIT.SPKZPLIB    PLINK.XMIT.SPKZPLIB     Panel Library
PKZIP.XMIT.SPKZSLIB     SECZIP.XMIT.SPKZSLIB    PLINK.XMIT.SPKZSLIB     Skeleton Library
PKZIP.XMIT.SPKZTLIB     SECZIP.XMIT.SPKZTLIB    PLINK.XMIT.SPKZTLIB     Table Library


Available Documentation (distributed in Adobe® Acrobat® .PDF format)

PKZIP and SecureZIP for zOS V11.0 SYSTEM ADMINISTRATORS GUIDE.PDF

PKZIP and SecureZIP for zOS V11.0 MESSAGES GUIDE.PDF

PKZIP and SecureZIP for zOS V11.0 SECURITY ADMINISTRATORS GUIDE.PDF

PKZIP and SecureZIP for zOS V11.0 USERS GUIDE.PDF

PKZIP and SecureZIP for zOS V11.0 APPLICATION INTEGRATION GUIDE.PDF

PKZIP and SecureZIP for zOS V11.0 SEARCHABLE INDEX.PDX

Review the installation instructions found below if you are installing from download or CD. If the software was received on magnetic cartridge, please see “Installing from Tape”, below, for the installation JCL, or download the JCL from our Web site. In either case, follow the instructions applicable to your installation method before continuing through this document.

Below are the step-by-step non-SMP/E installation instructions.

I. TRANSFERRING THE TEXT FILES TO THE HOST

1. Transfer the text file "ALLOC.JCL" to the host. You may transfer the file into an existing PDS, or you may use the allocation in step 2 below:

o Convert the data from ASCII to EBCDIC

o Insert CR/LF's

2. A suitable allocation for "ALLOC.JCL" is as follows:

   SPACE UNITS: TRKS
   BLKS:        1 (PRI)  1 (SEC)
   DIRBLKS:     0
   RECFM:       FB
   LRECL:       80
   BLKSIZE:     6160
   DSORG:       PS (or BASIC; release dependent)

3. Follow the same procedure for the "RECEIVE.JCL" provided file.

II. RUNNING THE ALLOC JCL

The “ALLOC” job contains JCL that will perform an IEFBR14 for the eleven (11) binary dataset allocations. You will need to edit the ALLOC JCL with the appropriate variables in order to achieve a RC=00.

1. Before you submit the ALLOC JCL (ALLOC.JCL), you will need to supply a job card. You will also need to modify the job variables. As an example:

//CEXEC    DD DSN={pkware}.XMIT.CEXEC,DISP=(NEW,CATLG),
//            UNIT={sysda},VOL=SER={volume1},SPACE=(CYL,(2,2)),
//            DCB=(RECFM=FB,LRECL=80,BLKSIZE=3120)

2. {pkware} is the name of the pre-allocated dataset that is being created by this job. These are the target datasets that you transfer the binary files into.

3. {sysda} is the unit where SecureZIPz files will reside.


4. {volume1} is the volume where the SecureZIPz files reside

5. Submit the job, and review and correct any non-zero return codes.

6. Your eleven (11) target datasets have successfully been allocated.

III. TRANSFERRING THE BINARY FILES TO THE HOST

Before you transfer the files to the host, it is imperative that you do not perform any kind of translation of the data from ASCII to EBCDIC or append CR/LF's. If you do, your uploaded datasets will be corrupted.

1. Transfer the binary files (PKWARE.XMIT.*) from your PC into the target datasets that you created in Step II:

o Do not translate the data

o Do not insert CR/LF's

2. Be sure to transfer all eleven binaries, and then move onto the next step.

IV. RUNNING THE RECEIVE JCL

The “RECEIVE” job contains JCL that will perform an IKJEFT01 for the eleven binary datasets. You will need to edit the RECEIVE JCL with the appropriate variables in order to achieve a RC=00.

1. Before you submit the RECEIVE JCL, you will need to supply a job card. You will also need to modify the job variables. As an example:

RECEIVE INDSN('{xmitdsn}.XMIT.CEXEC') DSNAME('{dsnhlq}.CEXEC')

2. INDSN {xmitdsn} is the high-level qualifier of the XMIT'd dataset you transferred from the PC to the host.

3. DSNAME {dsnhlq} is the DSN that gets created by this job. It’s what you want to call the installed SecureZIPz product libraries.

4. Submit the job, and review and correct any non-zero return codes.

5. Your eleven binary datasets have successfully been converted to a trial-ready version of SecureZIPz.

V. Licensing PKZIP/SecureZIP for z/OS

Please refer to “Initializing the License,” later in this chapter, for information and instructions on how to license your copy of SecureZIPz.

This ends the installation of SecureZIPz if you are installing from PKZIPzOS.exe or SecureZIPzOS.exe. If you are performing an SMP/E installation or installing from a tape cartridge, then continue on to the next section.

SMP/E Installation

The installation and software management of SecureZIPz can also be accomplished with SMP/E. Although the product requires no operating system modifications or authorized routines, the ability to manage the software is enhanced using IBM’s SMP/E facilities.

The PKZIPzOSSMP.exe (PKZIP), SecureZIPzOSSMP.exe (SecureZIP) or PartnerLinkzOSSMP.exe (PartnerLink) file contains the binary XMIT files needed for installation, along with text files, a README.TXT, and other files that have sample JCL to process the files for implementation. The files are listed in the following tables.

Text Files

GLOBAL CONTACTS.TXT How to contact domestic and international resellers

LICENSE.TXT PKWARE's license agreement

README.TXT Installation and Configuration Instructions

RECEIVE.JCL Receive the transmitted files

ALLOC.JCL Allocation JCL (IEFBR14)

SMPALCSI.TXT This job allocates the VSAM files needed to build a new SMP/E environment. If SecureZIPz is being installed in an existing SMP/E CSI, this job will not be needed.

SMPALPDS.TXT This job allocates the Partitioned Data Set files needed to build an SMP/E environment.

SMPAPPLY.TXT This job applies the elements of the FUNCTION PKZIP82. A return code of four (RC=4) is expected in the listings from IEBCOPY for z/OS load modules.

SMPRECV.TXT This job receives the FUNCTION PKZIP82. All of the ++ MCS elements are in the input file PKWARE.MVS.SMP.MCS.

SMPUCLIN.TXT This job updates the SMP/E CSI environment to prepare for the install of SecureZIPz.

WHATSNEW.TXT A text file documenting product changes

Product Binaries

PKZIP Data Set          SecureZIP Data Set      PartnerLink Data Set    Distribution Library
PKZIP.XMIT.SMP.DCEXE    SECZIP.XMIT.SMP.DCEXE   PLINK.XMIT.SMP.DCEXE    Compiled REXX Library
PKZIP.XMIT.SMP.DHELP    SECZIP.XMIT.SMP.DHELP   PLINK.XMIT.SMP.DHELP    Help Library
PKZIP.XMIT.SMP.DINST    SECZIP.XMIT.SMP.DINST   PLINK.XMIT.SMP.DINST    Install Library
PKZIP.XMIT.SMP.DINST2   SECZIP.XMIT.SMP.DINST2  PLINK.XMIT.SMP.DINST2   Install Library 2
PKZIP.XMIT.SMP.DLOAD    SECZIP.XMIT.SMP.DLOAD   PLINK.XMIT.SMP.DLOAD    Common Load Module
PKZIP.XMIT.SMP.DMACL    SECZIP.XMIT.SMP.DMACL   PLINK.XMIT.SMP.DMACL    Macro Library
PKZIP.XMIT.SMP.DCLIB    SECZIP.XMIT.SMP.DCLIB   PLINK.XMIT.SMP.DCLIB    REXX Exec Library
PKZIP.XMIT.SMP.DMLIB    SECZIP.XMIT.SMP.DMLIB   PLINK.XMIT.SMP.DMLIB    Message Library
PKZIP.XMIT.SMP.DPLIB    SECZIP.XMIT.SMP.DPLIB   PLINK.XMIT.SMP.DPLIB    Panel Library
PKZIP.XMIT.SMP.DSLIB    SECZIP.XMIT.SMP.DSLIB   PLINK.XMIT.SMP.DSLIB    Skeleton Library
PKZIP.XMIT.SMP.DTLIB    SECZIP.XMIT.SMP.DTLIB   PLINK.XMIT.SMP.DTLIB    Table Library
PKZIP.XMIT.SMP.MCS      SECZIP.XMIT.SMP.MCS     PLINK.XMIT.SMP.MCS      SMP MCS Control Cards


Documentation (distributed in Adobe® Acrobat® .PDF format)

PKZIP and SecureZIP for z/OS SYSTEM ADMINISTRATOR’S GUIDE.PDF

PKZIP and SecureZIP for z/OS MESSAGES AND CODES.PDF

PKZIP and SecureZIP for z/OS SECURITY ADMINISTRATOR’S GUIDE.PDF

PKZIP and SecureZIP for z/OS USER’S GUIDE.PDF

PKZIP and SecureZIP for z/OS APPLICATION INTEGRATION GUIDE.PDF

INDEX.PDX

You should have downloaded or copied a file on your PC called PKZIPzOSSMP.exe (PKZIP), SecureZIPzOSSMP.exe (SecureZIP) or PartnerLinkzOSSMP.exe (PartnerLink). These are self-extracting ZIP files. Double-click on the file to extract the files inside to a pre-defined folder on your PC.

Below are step-by-step SMP/E installation instructions.

I. TRANSFERRING THE TEXT FILES TO THE HOST

1. Transfer the text file "ALLOC.JCL" to the host. You may transfer the file into an existing PDS or you may use the allocation in step "2" below:

o Convert the data from ASCII to EBCDIC

o Insert CR/LF's

2. A suitable allocation for "ALLOC.JCL" is as follows:

   SPACE UNITS: BLKS
   BLKS:        5 (PRI)  1 (SEC)
   DIRBLKS:     0
   RECFM:       FB
   LRECL:       80
   BLKSIZE:     3120
   DSORG:       PS

3. Follow the same procedure for the "RECEIVE.JCL" provided file.

II. RUNNING THE ALLOC JCL

The “ALLOC” job contains JCL that will perform an IEFBR14 for the twelve binary dataset allocations. You will need to edit the ALLOC JCL with the appropriate variables in order to achieve a RC=00.

1. Before you submit the ALLOC JCL (ALLOC.JCL), you will need to supply a job card. You will also need to modify the job variables. As an example:

//CEXEC    DD DSN={pkware}.XMIT.SMP.DCEXE,DISP=(NEW,CATLG),
//            UNIT={sysda},VOL=SER={volume1},SPACE=(CYL,(2,2)),
//            DCB=(RECFM=FB,LRECL=80,BLKSIZE=3120)

2. {pkware} is the name of the preallocated dataset that is being created by this job. These are the target datasets that you transfer the binary files into.

3. {sysda} is the unit where SecureZIPz files will reside.

4. {volume1} is the volume where the SecureZIPz files reside

5. Submit the job, and review and correct any non-zero return codes.

6. Your twelve target datasets have successfully been allocated.

III. TRANSFERRING THE BINARY FILES TO THE HOST

Before you transfer the files to the host, it is imperative that you do not perform any kind of translation of the data from ASCII to EBCDIC or append CR/LF's. If you do, your uploaded datasets will be corrupted.

1. Transfer the binary files (PKWARE.XMIT.*) from your PC into the target datasets that you created in Step II.

o Do not translate the data

o Do not insert CR/LF's

2. Be sure to transfer all twelve binaries, and then move onto the next step.

IV. RUNNING THE RECEIVE JCL

The "RECEIVE" job contains JCL that will perform an IKJEFT01 for the twelve binary datasets.

You need to edit the RECEIVE JCL with the appropriate variables in order to achieve a RC=00.

1. Before you submit the RECEIVE JCL, you will need to supply a job card. You will also need to modify the job variables. As an example:

RECEIVE INDSN('{xmitdsn}.XMIT.SMP.DCEXE') DSNAME('{dsnhlq}.SMP.DCEXE')

2. INDSN {xmitdsn} is the high level qualifier of the XMIT'd dataset you transferred from the PC to the host.

3. DSNAME {dsnhlq} is the DSN that gets created by this job.

4. Submit the job, and review and correct any non-zero return codes.

5. Your twelve binary datasets have successfully been converted to a distribution package for the SMP installation.

V. SMP/E INSTALLATION

The installation and software management of SecureZIPz can be accomplished with SMP/E. Although the product requires no operating system modifications or authorized routines, the ability to manage the software is enhanced using IBM’s SMP/E facilities.

The file PKWARE.MVS.SMP.MCS is the SMPPTFIN DD file for the RECEIVE processing. This file contains all of the control information to build the SecureZIPz environment. After running the RECEIVE JCL, all of the necessary files that you need to start the SMP process have been allocated on your system. The five included jobs (the SMP*.JCL files) allocate, define, and build SecureZIPz and must be run in the following sequence:

1. SMPALPDS.JCL
2. SMPALCSI.JCL
3. SMPUCLIN.JCL
4. SMPRECV.JCL
5. SMPAPPLY.JCL

Please note that user-specific customization may be required if you choose to install SecureZIPz in an existing SMP/E CSI. Consideration has been given to this possibility, but it is up to each individual site to verify that there are no problems with duplicate DDDEF, library structures, or utility definitions that may prevent these job streams from completing successfully.

VI. Licensing PKZIP for z/OS and SecureZIP for z/OS

Please refer to the section “Tailoring Site-Specific Changes to the Defaults Module,” below, for required information and procedures to properly license your copy of SecureZIPz.

This ends the SMP/E installation of SecureZIPz. If you are installing from a tape cartridge, then continue on to the next section.

Installing from Tape

If you have received SecureZIPz on a magnetic cartridge, the installation is as simple as an IEBCOPY of the SecureZIPz libraries from tape to DASD.

The screen below shows the first step of the IEBCOPY, one of the steps needed to complete the installation of SecureZIPz from tape.

//JS010    EXEC PGM=IEBCOPY
//*
//SYSUT1   DD DSN=PKWARE.MVS.CEXEC,
//            UNIT=tape,LABEL=(,SL),                    <===
//            DISP=OLD,VOL=(,RETAIN,,,SER=seczip1)      <===
//*
//SYSUT2   DD DSN=pkware.mvs.CEXEC,                     <===
//            DISP=(NEW,CATLG,DELETE),
//            SPACE=(CYL,(2,1,52)),
//            UNIT=disk,                                <===
//            VOL=SER=volume                            <===
//*
//SYSUT3   DD UNIT=sysda,SPACE=(CYL,(5,5))              <===
//SYSUT4   DD UNIT=sysda,SPACE=(CYL,(5,5))              <===
//*
//SYSPRINT DD SYSOUT=*
//*
//SYSIN    DD *
  COPY INDD=SYSUT1,OUTDD=SYSUT2
/*

If you prefer not to type this entire job stream, you may download the COPYCART.TXT JCL from our website and upload it to a data set or member. Remember to perform an ASCII or TEXT transfer to convert the data from ASCII to EBCDIC, modify the JCL, and submit.


Tailoring Site-Specific Changes to the Defaults Module

The configuration defaults module, *.MVS.LOAD(ACZDFLT), is provided with the product. It is coded to allow for execution in a generic MVS environment. However, to make changes to the defaults, you will need to modify the *.MVS.INSTLIB(ACZDFLT) module. YOU MUST MODIFY THIS MODULE BEFORE YOU PROCEED TO USE SecureZIPz. It is recommended that the values defined in the module be reviewed before running in a production setting.

Upgrade note: Installations suppressing the //SYSIN PDS member verification for performance reasons with PROC_OPT1=N (available with 5.0.10 maintenance and above) in ACZDFLT should change to CHECK_SYSIN_MEMBER=N in the assembly of ACZDFLT. PROC_OPT1 will no longer be used for this purpose in Release 5.5 and above.

         MCZDFLTS TYPE=CSECT,                                          *
               LICENSE_HLQ=PKWARE.MVS,                                 *   == Change this to reflect your installation
               ACTIVITY_LOG=PKWARE.ACTIVITY.LOG,                       *   == Change this to reflect your installation
               PARMLIB_DSNAME_ZIP=NULLFILE,                            *
               PARMLIB_DSNAME_UNZIP=NULLFILE,                          *

Once you have, at minimum, modified the LICENSE_HLQ statement to reflect your installation, assemble these changes by submitting the ASMDFLT member in *.MVS.INSTLIB, which creates a customized defaults module.

You may modify the other values in this module, or you may add to it. At minimum, the above four lines need to be modified or validated.

The table below represents the contents of the SecureZIPz defaults module. It explains, in brief, the default parameters of the ACZDFLT member and their relevance.

LICENSE_HLQ
    The high-level qualifiers of the xxx.LICENSE data set. LICENSE_HLQ= is generally set to the same qualifier used during installation of SecureZIPz. The default qualifier is PKWARE.MVS.
    See also: $INSTLIC and LICxxxx members.

ARCHIVE_UNIT
OUTFILE_UNIT
TEMP_UNIT
    Device types to use during dynamic allocation requests for non-VSAM files.

ARCHIVE_STORCLASS
OUTFILE_STORCLASS
TEMP_STORCLASS
VSAM_STORCLASS
    In a DF/SMS environment, dynamic allocation information used in lieu of volume allocation specifications.

ARCHIVE_VOLUMES
OUTFILE_VOLUMES
TEMP_VOLUMES
VSAM_VOLUMES
    Dynamic allocation target volumes for non-DF/SMS data sets. These are optional for non-VSAM data sets but are required for VSAM DEFINE CLUSTER control cards.


Tailoring Site-Locking Commands

Commands may be locked in the defaults module by adding a MCZLOCKS macro preceding the MCZDFLTS macro. This forces the use of the MCZDFLTS value in all executions regardless of the commands entered for the run.

MCZLOCKS accepts the same list of commands as MCZDFLTS and expects ZIP and/or UNZIP as the value of each. ZIP locks the command during ZIP runs; UNZIP locks the command during UNZIP runs. If both are specified, the command is locked in both modes.

Usage notes:

Only one MCZLOCKS macro should be coded with all keyword options requiring a lock specification.

Specifying a setting to be locked with MCZLOCKS will lock the keyword even if a default value is taken for the MCZDFLTS macro.

If a locked command is encountered in a ZIP or UNZIP run, message ZPCM101W is issued, the command is ignored, and the return code is set to 4. The return code may be overridden by using the command -PKSUPPRC(ZPCM101W), but the message will always be issued and the command ignored.

Commands for locked settings are blocked from usage regardless of the command source (SYSIN, INCLUDE_CMD, PARMLIB, EXEC parm).

The following example forces the License HLQ to PKWARE.MVS, and COMPRESSION_LEVEL to FAST.

         MCZLOCKS LICENSE_HLQ=(ZIP,UNZIP),                             *   == Forces use of the MCZDFLTS value on all runs
               COMPRESSION_LEVEL=ZIP                                       == Forces use of the MCZDFLTS value on all runs
         MCZDFLTS TYPE=CSECT,                                          *
               LICENSE_HLQ=PKWARE.MVS,                                 *   == Change this to reflect your installation
               ACTIVITY_LOG=PKWARE.ACTIVITY.LOG,                       *   == Change this to reflect your installation
               COMPRESSION_LEVEL=FAST,                                 *   == Change this to reflect your installation
               PARMLIB_DSNAME_ZIP=NULLFILE,                            *
               PARMLIB_DSNAME_UNZIP=NULLFILE,                          *
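The lock rules above, modelled in Python as an added example so a site can reason about a planned defaults module before assembling it. This is not PKWARE code: the message id ZPCM101W, the return code 4, the PKSUPPRC override and the sample lock/default values are taken from the text, the data structures and function names are assumed.

```python
"""Model of how MCZLOCKS constrains run-time commands (added example, not PKWARE code)."""
from dataclasses import dataclass, field

LOCK_MSG = "ZPCM101W"
MODES = ("ZIP", "UNZIP")

# Constructed from the macro example above: COMPRESSION_LEVEL is locked for
# ZIP runs only, LICENSE_HLQ for both modes.
SAMPLE_DEFAULTS = {"LICENSE_HLQ": "PKWARE.MVS", "COMPRESSION_LEVEL": "FAST"}
SAMPLE_LOCKS = {"LICENSE_HLQ": {"ZIP", "UNZIP"}, "COMPRESSION_LEVEL": {"ZIP"}}


@dataclass
class RunResult:
    settings: dict
    messages: list = field(default_factory=list)
    return_code: int = 0


def resolve_run(mode, commands, defaults=SAMPLE_DEFAULTS, locks=SAMPLE_LOCKS, suppress=()):
    """Apply the run-time commands of one ZIP or UNZIP run on top of the defaults module.

    commands -- (source, keyword, value) triples; the source (SYSIN, INCLUDE_CMD,
                PARMLIB, EXEC parm) makes no difference to locking.
    suppress -- message ids named via -PKSUPPRC; they clear the return code but
                never the message or the rejection of the command.
    """
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}")
    for keyword, lock_modes in locks.items():
        # MCZLOCKS expects ZIP and/or UNZIP for every keyword it names
        if not lock_modes or not lock_modes <= set(MODES):
            raise ValueError(f"MCZLOCKS {keyword}: expects ZIP and/or UNZIP")
    result = RunResult(settings=dict(defaults))
    for source, keyword, value in commands:
        if mode in locks.get(keyword, ()):
            # Locked keyword: message always issued, command always ignored.
            # The MCZDFLTS value stays, even when the defaults module took the
            # product default (keyword absent from `defaults`).
            result.messages.append(f"{LOCK_MSG} {keyword} from {source} ignored ({mode} lock)")
            if LOCK_MSG not in suppress:
                result.return_code = max(result.return_code, 4)
            continue
        result.settings[keyword] = value
    return result
```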

Protecting Files with the SAFETYEX Module

As delivered, the SAFETYEX module will protect SECUNZIP from overwriting SYS1. dataset names. If you would like to remove this restriction or add additional restrictions, you will need to edit the SAFETYEX source member in *.MVS.INSTLIB, make and save your changes, and run the ASMSAFE member of the *.MVS.INSTLIB to protect any files you specify from UNZIP overwrite processing.

There are two sections to the table. The first is for MVS Data Set names, and the second is for Hierarchical File System PATH names. Entries are case-sensitive; HFS entries can be up to 255 characters in length.

If you do not want to make any changes to this module, then there is nothing that you need to do.
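A pre-flight check modelled on the SAFETYEX table described above, as an added example (not the PKWARE SAFETYEX source): it validates site entries for the two sections and reports which UNZIP output targets would be refused. Treating each entry as a prefix of the target name, and recognising HFS targets by a leading slash, are assumptions; the case-sensitive match, the delivered SYS1. entry and the 255-character HFS limit come from the text.

```python
"""SAFETYEX-style overwrite protection table (added example, not PKWARE code)."""
import re

HFS_MAX_LEN = 255                                      # limit stated in the text
_QUALIFIER = re.compile(r"^[A-Z@#$][A-Z0-9@#$-]{0,7}$")  # standard MVS qualifier rules


def validate_dsn_entry(entry):
    """MVS section entry: qualifiers of 1-8 valid characters, whole name at most 44.
    A trailing '.' (as in the delivered SYS1. entry) ends a complete qualifier."""
    name = entry[:-1] if entry.endswith(".") else entry
    if len(name) > 44 or not all(_QUALIFIER.match(q) for q in name.split(".")):
        raise ValueError(f"bad MVS data set prefix: {entry!r}")
    return entry


def validate_hfs_entry(entry):
    """HFS section entry: an absolute path prefix of at most HFS_MAX_LEN characters."""
    if not entry.startswith("/") or len(entry) > HFS_MAX_LEN:
        raise ValueError(f"bad HFS path prefix: {entry[:40]!r}")
    return entry


class SafetyTable:
    def __init__(self, dsn_entries=("SYS1.",), hfs_entries=()):
        self.dsn_entries = [validate_dsn_entry(e) for e in dsn_entries]
        self.hfs_entries = [validate_hfs_entry(e) for e in hfs_entries]

    def protected_by(self, target):
        """Return the table entry that blocks overwriting `target`, or None."""
        entries = self.hfs_entries if target.startswith("/") else self.dsn_entries
        for entry in entries:
            if target.startswith(entry):        # case-sensitive, as the text states
                return entry
        return None

    def blocked_targets(self, targets):
        """(target, entry) pairs an UNZIP run would refuse to overwrite."""
        blocked = []
        for target in targets:
            entry = self.protected_by(target)
            if entry is not None:
                blocked.append((target, entry))
        return blocked
```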


Tailoring for Filename and Data Character Set Conversions

SecureZIPz provides cross-platform character set conversion capabilities. This affects both the data stream (such as converting EBCDIC to ASCII to represent text data on a work station) and the file names shown in the ZIP archive.

The character translation controls use assembled control tables. These are referenced by the settings for TRANSLATE_TABLE_DATA and TRANSLATE_TABLE_FILEINFO, as described in the User’s Guide. You should confirm that the default translation tables are appropriate for the intended cross-platform processing environment(s).

When a different default translation table for either aspect of processing is required (the settings may also be specified with commands), the respective setting can be modified in the defaults module and re-assembled, or additional defaults modules can be assembled for selection by the user.

When code page translation requirements exist that are not covered by those tables provided with SecureZIPz, additional tables can be created. INSTLIB contains sample JCL members MAKETRT and ASMTRTS to complete this process. See the appendix “Making Code Page Translate Tables” in the User’s Guide for more information.

SMS Dataclass Considerations

SecureZIPz parameters overlap with several SMS Data Class parameters. In general, SMS Data Class specifications will provide default values in place of SecureZIPz default settings. Explicit SecureZIPz commands (SYSIN, PARMLIB, included command streams and EXEC PARM values) will be presented to Dynamic Allocation as overrides for any default setting.

Due to the way DFSMS handles override requests, sub-groups of parameters are defined in SecureZIP to assist with control of where default values should come from. These subgroups are:

Allocation SPACE

Directory Blocks

Volume Count

DCB Attributes

Output archive block size extensions

DFSMS Data Classes may or may not contain values for all of the attribute sets above. SecureZIPz provides a means of identifying which sets of attributes should be expected to be handled by SMS Data Classes so that SecureZIPz does not specify its own default values. (DFSMS receives control after SecureZIPz has built its list and does not provide a means by which SecureZIPz can systematically pre-determine which values will be provided by SMS).

DFSMS groups allocation type (Cylinders, Tracks, etc.), primary space, and secondary space into a category. If even one of these values is provided in an allocation request, then SMS will not provide its default values for the remaining entries. For example, if ARCHIVE_SPACE_PRIMARY is provided as a command, then SecureZIPz needs to supply the TYPE and SECONDARY default values even if a DATACLASS is specified.


DFSMS treats the Directory Block allocation value separately from other space parameters. In the previous example, SecureZIP will not provide its default ARCHIVE_DIRBLKS value even though it provides the other allocation attributes. This is consistent with SMS Data Class operations.

SecureZIPz makes use of temporary files during various phases of processing that have very specific DCB attribute requirements. For this reason, SecureZIPz will specify the necessary overrides regardless of TEMPFILE_DATACLASS usage.

Output archive block size control extensions are provided with SecureZIPz to work in conjunction with existing system controls, for both LBI (Large Block Interface) and non-LBI processing. Configurable default settings for ARCHIVE_BLKSIZE and ARCHIVE_ZIPFORMAT should be reviewed for applicability. Details regarding block size selection are documented in the User’s Guide under the ARCHIVE_BLKSIZE command. LBI processing has a specific tie to the DFSMS Dataclass Block Size Limit (BLKSZLIM).

Note for users of PKZIP for MVS and PKZIP for zSeries 5.6

Previous levels of maintenance for release 5.6 specified a volume count even if it was 1. The maintenance level associated with fix TT1777 eliminated VOLCNT=1 from the allocation request. In addition, the maximum number specified for any of the MULTIVOL=Y commands is now 59 to be consistent with system limitations for DASD devices. If a unit type other than DASD is assigned (either explicitly or indirectly through SMS), and a volume count greater than 59 is desired, then MULTIVOL=N should be specified in PKZIP, and an SMS Data Class should be designated which can assign the desired volume count.
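The sub-group rules of this section, modelled in Python as an added example (not PKWARE code) of which attributes are passed to dynamic allocation and which are left to an SMS Data Class. ARCHIVE_SPACE_PRIMARY and ARCHIVE_DIRBLKS are the manual's keywords; the other keyword names, the group membership of the DCB attributes and the default values are illustrative assumptions.

```python
"""Default-versus-SMS decision for dynamic allocation attributes (added example, not PKWARE code)."""

# Attribute sub-groups, as DFSMS evaluates them (see the text above)
GROUPS = {
    "SPACE":   ("ARCHIVE_SPACE_TYPE", "ARCHIVE_SPACE_PRIMARY", "ARCHIVE_SPACE_SECONDARY"),
    "DIRBLKS": ("ARCHIVE_DIRBLKS",),
    "VOLCNT":  ("ARCHIVE_VOLCNT",),
    "DCB":     ("ARCHIVE_RECFM", "ARCHIVE_LRECL", "ARCHIVE_BLKSIZE"),
}

# Constructed site defaults standing in for an assembled defaults module
DEFAULTS = {
    "ARCHIVE_SPACE_TYPE": "CYL", "ARCHIVE_SPACE_PRIMARY": 5, "ARCHIVE_SPACE_SECONDARY": 2,
    "ARCHIVE_DIRBLKS": 0,
    "ARCHIVE_VOLCNT": 1,
    "ARCHIVE_RECFM": "VB", "ARCHIVE_LRECL": 27994, "ARCHIVE_BLKSIZE": 27998,
}

MAX_DASD_VOLCNT = 59  # MULTIVOL=Y limit stated in the note above


def build_allocation(explicit, dataclass_given, temp_file=False, defaults=DEFAULTS):
    """Return the attributes that would be handed to dynamic allocation.

    explicit        -- values given as commands (SYSIN, PARMLIB, included command
                       streams, EXEC PARM); these are always passed, as overrides.
    dataclass_given -- True when a DATACLASS is named for this file.
    temp_file       -- temporary work files always carry the product's DCB
                       overrides, whatever TEMPFILE_DATACLASS says.
    """
    request = dict(explicit)
    for group, keys in GROUPS.items():
        touched = any(k in explicit for k in keys)
        dcb_forced = temp_file and group == "DCB"
        if dataclass_given and not touched and not dcb_forced:
            continue  # untouched group: let the SMS Data Class supply it
        # No Data Class, or a partly specified group: DFSMS will not fill the
        # remaining members of the group, so the product's defaults must.
        for k in keys:
            request.setdefault(k, defaults[k])
    # A volume count of 1 is not sent at all (fix TT1777 behaviour); more than
    # 59 cannot be honoured for DASD and must come from an SMS Data Class.
    volcnt = request.get("ARCHIVE_VOLCNT")
    if volcnt == 1:
        del request["ARCHIVE_VOLCNT"]
    elif volcnt is not None and volcnt > MAX_DASD_VOLCNT:
        raise ValueError("volume count above 59: use MULTIVOL=N and an SMS Data Class")
    return request
```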

Considerations when Exporting Private Keys using RACDCERT

SecureZIP only

If X.509 certificate information is to be obtained through RACDCERT for subsequent import processing to the SecureZIP Local Certificate Store, then PTF UW94302 associated with APAR OW56418 must be installed prior to the RACDCERT EXPORT action. (OW56418: RACDCERT EXPORT CREATING PKCS#12 PACKAGES THAT DO NOT CONFORM TO ASN.1 STANDARD THEREFORE CANNOT BE IMPORTED.)

Evaluation Activity Log

During your evaluation period of SecureZIPz, a PKWARE sales support associate will contact you and request that the PKACTLOG “Analyze” command be executed, at which point we ask that you relay the information to us so that we may fully understand your usage of the SecureZIPz product. When a demonstration license key is active for the product, certain activities are written to a pre-allocated sequential data set named by the ACTIVITY_LOG setting.

The following is the sequence of events necessary to initiate the Evaluation Activity Log.

1. First, before applying your demo license key for SecureZIPz, an ACTIVITY_LOG data set must be pre-allocated using the PKACTLOG dialog command (shown in screen samples below).


2. Next, modify the ACZDFLT member, specifying the ACTIVITY_LOG= target data set name. Once the ACZDFLT member has been modified, you must re-assemble the defaults by submitting the ASMDFLT member under the INSTLIB. The ACTIVITY_LOG command is specified in the defaults module only.

3. Finally, after the defaults are modified, apply the demo license key you have received from PKWARE to the license data set before attempting to use other PKACTLOG options.

Note: Users of SecureZIPz must be given update authority to the log data set within the installation security software. A failure to write to the log data set will cause SecureZIPz to terminate without completing the requested operation. Messages will be issued to indicate the reason for the termination.

Concurrent SecureZIPz operations are permitted while the ACTIVITY_LOG feature is active. However, the log data set will be serialized through normal operating system ENQ/DEQ actions associated with Data Set Allocation. The data set is only allocated by SecureZIPz when brief write operations are required. It is released during long-running processes such as compression and encryption.

When a permanent license key is applied, SecureZIPz will cease to allocate and write to the ACTIVITY_LOG Data Set. At this time, the ACTIVITY_LOG data set may be migrated/deleted from the system, and the ACTIVITY_LOG= setting in ACZDFLT may be removed. These actions are discretionary to the installation and are not required for SecureZIPz operation.

The PKACTLOG ISPF dialog command is accessible from the main SecureZIPz User Interface panel although the command is not listed on the menu.

Activity Log Setup and Configuration

If you do not use the high-level qualifier PKWARE.MVS, you must change module ACZDFLT supplied in INSTLIB to define the License high-level qualifier and the ACTIVITY LOG data set name.

Once ACZDFLT is set up, enter the command PKACTLOG on the product's main panel.

SecureZIP Version 10.0
Option ===>

  C   Config           Modify Run-time Configuration Settings
  ZD  Zip Defaults     Modify Default ZIP Command Settings
  UD  Unzip Defaults   Modify Default UNZIP Command Settings
  U   Unzip            Decompress, Decrypt, Authenticate File(s) in an Archive
  V   View             Display the Contents of a Zip Archive
  Z   Zip              Compress, Encrypt, Sign File(s) into a Zip Archive
  S   Sysprint         Browse Log of Last Foreground Execution
  M   Messages         Message ID lookup
  A   Administration   Administration Services and Reference Information
  W   Wizard           List

For HELP Press PF1                        Release Date: 09/13/2007 11.47 LVL(Q1)


SecureZIP Version 10.0
Option ===>

Evaluation Activity Log Options
Log Dataset: PKWARE.ACTIVITY.LOG

  C   Config    Modify Evaluation Activity Log Settings
  A   Analyze   Analyze Evaluation Activity Log
  B   Browse    Browse Evaluation Activity Log file
  X   EXIT

********************************************************************************
*                                                                              *
*  This panel will be disabled when a permanent license is applied.            *
*                                                                              *
********************************************************************************

For HELP Press PF1

Configuration Option

Select option 'C' to execute the Activity Log Configuration and allocate the data set whose name you placed in ACZDFLT.

-----------------------ALLOCATE EVALUATION ACTIVITY LOG-----------------------
Command ===>

Data Set Name . . . : 'PKWARE.ACTIVITY.LOG'

Management class . . .  SUPPORT    (Blank for default management class)
Storage class  . . . .  SUPPORT    (Blank for default storage class)
 Volume serial . . . .  SUP004     (Blank for system default volume) **
 Device type . . . . .             (Generic unit or device address) **
Data class . . . . . .  **NONE**   (Blank for default data class)
 Space units . . . . .  CYLS       (BLKS, TRKS, CYLS, KB, MB)
 Primary quantity  . .  50         (In above units)
 Secondary quantity  .  20         (In above units)
 Directory blocks  . .             (Zero for sequential data set) *
 Record format . . . .  VB
 Record length . . . .  27994
 Block size  . . . . .  27998      (Zero for SMS default)

Analysis Option

Select option ‘A’ to initiate the “Analyze” routine, which reads the Activity Log and presents a summation of all activities.

PKZIP Version 10.0
Command ===>

                            Activity Log Summary
Log Dataset: PKWARE.ACTIVITY.LOG

Invocation Summary              File Compression Summary
ZIP Calls    : 2037             Total Number of Files . . : 27843
  Add . . . . :  374            Total Input Size  . . . . : 21.036GB
  Update . . . : 1644           Total Compressed Size . . : 6.108GB
  Freshen. . . :   19           Compression Ratio . . . . : 70.9
  Copy . . . . :    4           Number Files > 4 Gig. . . : 3
  Delete . . . :    6
                                Number of Files by Type
UNZIP Calls  : 3370             Sequential . . . . . . . : 4767
  View . . . . : 1627           Partitioned members . . . : 23046
  Test . . . . :  171           VSAM . . . . . . . . . . : 30
  Extract. . . : 1562
                                Number of Files by Data Type
Mode of Operation               Binary . . . . . . . . . : 11081
  Batch. . . . : 4167           Text . . . . . . . . . . : 16762
  ISPF . . . . :   14
  Applic. Call : 1152           Archive Type Summary
                                PKZIP Format . . . . . . : 2006
                                GZIP Format  . . . . . . : 31

Browse Option

Selecting option ‘B’ uses ISPF Browse to look at the raw Activity Log data. Character fields will be visible in normal browse mode. Some fields are stored in binary and will only be visible in HEX mode.

CAUTION: During Browse, the Activity Log file is allocated DISP=SHR and will cause batch jobs to wait for DISP=MOD access to the file.

   Menu  Utilities  Compilers  Help
-------------------------------------------------------------------------------
BROWSE    PKWARE.ACTIVITY.LOG                         Line 00000000 Col 001 132
Command ===>                                                  Scroll ===> CSR
********************************* Top of Data **********************************
OPENDVPGNL010105201F09582107BAZSZIP.IVP.ASM.FIRST .....................
FILEDVPGNL010105201F09584188BAZSZIP.IVP.ASM.FIRST SZIP.IVP.IN.ASM($LCGL
FILEDVPGNL010105201F09584188BAZSZIP.IVP.ASM.FIRST SZIP.IVP.IN.ASM($COPY
FILEDVPGNL010105201F09584188BAZSZIP.IVP.ASM.FIRST SZIP.IVP.IN.ASM($QZGL
FILEDVPGNL010105201F09584188BAZSZIP.IVP.ASM.FIRST SZIP.IVP.IN.ASM(ACAMN
FILEDVPGNL010105201F09584188BAZSZIP.IVP.ASM.FIRST SZIP.IVP.IN.ASM(ACAMH

Licensing Requirements

PKZIP for z/OS, SecureZIP for z/OS and the PartnerLink SecureZIP Partner are licensed products. Without proper licensing the products can only be used to view archives. Product features can be licensed separately as the user needs dictate. The license key will contain all of the elements necessary to validate a customer’s use of SecureZIPz.

SecureZIPz provides a set of processes that update the current use license data set, allow reporting of the license information, allow conditional use of the product during a disaster recovery, and allow conditional use during a modification of the customer’s physical environment.

The licensing process is comprised of several key elements that are described in the following sections.


Licensed Types

The following table contains the license types, with a brief description of each and how it is used, that determine licensing:

BASIC
    Description: The BASIC license type is the baseline. It represents a license for which there are no restrictions other than time. In contrast, all the other license types define restrictions within which the application is licensed and by which the customer is to abide.
    Use: Customer will receive a predetermined set of product features.

CAPACITY
    Description: The CAPACITY license type compares the capacity of the operating environment (as defined by the machine serial number) against a predefined table; for instance, to assure the application is running on a machine whose computing capacity is not larger than that for which the product is licensed.
    Use: Customer will designate the serial number of the processor(s).

DEMO
    Description: A DEMO license is typically restricted to a certain time period, number of executions, or limited set of functions. These licenses may allow any of the other types of use. This license is also known as “Try and Buy” or “Supply before Buy.” These terms and conditions can be an added restriction to any of the license types.
    Use: Trial period.

DISASTER RECOVERY
    Description: A DISASTER RECOVERY license is granted by the vendor to allow a specified product to execute under conditions defined as “disaster recovery” for a specified period of time or for a specified number of occurrences. These terms and conditions can be an added restriction to any of the license types.
    Use: Implemented with a 5-day grace period to allow the customer to contact PKWARE to update the license. The grace period will never expire on a weekend.

ENTERPRISE
    Description: An ENTERPRISE license is assigned to an enterprise, which may be comprised of multiple sites, complexes, nodes, and/or serial numbers. It is an all-encompassing license to a single entity. These terms and conditions are derived from any of the license types.
    Use: Allows a customer full access to all features of SecureZIPz on all systems.

FEATURES
    Description: A packaging and enablement option. An optional feature of a product can be packaged, licensed, and enabled at the discretion of the software publisher. Features can be licensed in the same manner as software products and can, therefore, be of any license type.
    Use: See product options below.

TIME-DELIMITED
    Description: Each license type is modifiable by time. Each license will have a finite time period.


Product Features

The license key contains codes to reflect the product features available with the Edition selected by the customer.

PKZIP for z/OS

PKZIP for z/OS contains the following features:

Compression

Decompression

Traditional Decryption

Cross Platform Interoperability

32-bit CRC Error Checking

Automatically Converts from EBCDIC to ASCII/ASCII to EBCDIC

Multiple Compression Formats

Includes International Translation Tables

Integrated Help Feature

Multi-Volume Archive Support

Enhanced File Handling that supports up to 17 different RECFMs

Supports GDGs and GDG Base Groups

Simulate Mode

Automatic Device Detection

Cataloged Tape Datasets

Customizable configuration and Installation

SEQ File Handlers

PDS File Handlers

VSAM File Handlers

UNIX File System handlers

Magnetic Tape Handlers

User Exits

Application Callable

PDS/E File Handlers

Command Line Interface

Decrypts password-based strongly encrypted ZIP files from SecureZIP

Decrypts password-based filename encryption from SecureZIP

Provides GZIP-compatibility support


Provides foreground ZIP/UNZIP processing using an ISPF dialog

Enhanced tape processing

Provides the ability to create self-extracting archives for selected platforms

Provides ZIP64 large file support, which includes processing for:

o Archives with more than 65,535 files

o File sizes of 4 gigabytes or greater

o Archives with a total size of 4 gigabytes or greater

SecureZIP for z/OS

SecureZIP for z/OS includes all features found in PKZIP for z/OS. In addition to the PKZIP compression features, SecureZIP for z/OS provides access to the following security-related features:

Advanced encryption/decryption (AES, DES, 3DES and RC4 algorithms) with passphrase and/or PKI Certificate-based key control.

Certificate-based digital signing and signature authentication.

Filename encryption

IBM Cryptographic Facilities Integration. Provides support to use ICSF cryptographic service APIs for supported data encryption and digital signature hash algorithms. Both hardware acceleration and ICSF software emulation are supported.

FIPS 140-1 and 140-2 Compliance

Passphrase key registration with the ICSF CKDS

Integrated use of digital certificates located in the z/OS Security Server (RACF, CA-ACF2 or CA-Top Secret Security)

Secure key operations

Cryptographic policy lockdown control through Security Server resource rules

SecureZIP for z/OS Standard Edition contains the following features:

Compression

Decompression

Traditional Decryption

Cross Platform Interoperability

32-bit CRC Error Checking

EBCDIC to ASCII/ASCII to EBCDIC Conversion

Multiple Compression Formats

Includes International Translation Tables

Integrated Help Feature

Multi-Volume Archive Support


Enhanced File Handling that supports up to 17 different RECFMs

Supports GDGs and GDG Base Groups

Simulate Mode

Automatic Device Detection

Cataloged Tape Datasets

Customizable configuration and Installation

SEQ File Handlers

PDS File Handlers

VSAM File Handlers

UNIX File System Handlers

Magnetic Tape Handlers

User Exits

Application Callable

PDS/E File Handlers

Command Line Interface

Provides GZIP-compatibility support

Provides foreground ZIP/UNZIP processing using an ISPF dialog

Enhanced tape processing

File name encryption

Provides the ability to create self-extracting archives for selected platforms

Provides ZIP64 large file support, which includes processing for:

o Archives with more than 65,535 files

o File sizes of 4 gigabytes or greater

o Archives with a total size of 4 gigabytes or greater

FIPSMODE FIPS 140-1 and 140-2 Compliance

IBM Cryptographic Facilities Integration

RSA BSAFE strong passphrase encryption

Certificate Based Decryption

Signing

Authentication


SecureZIP for z/OS Enterprise Edition includes the following features. These may also optionally be licensed to Standard Edition:

Advanced Encryption - Provides public/private key PKI certificate-based encryption and digital signing (Integrated with SecureZIP Partner)

Directory Integration - Enables access to certificates residing on an LDAP server (Not available with SecureZIP Partner)

Contingency key

Application Integration

Hierarchical File Support

The following features are also available to be licensed with SecureZIP for z/OS:

SAF Certificates

Policy Lockdown

Secured Passphrase Management

SecureZIP Partner

PartnerLink SecureZIP Partner is a software activation license provided with the product package. This license activates a predefined set of features when operating in this mode. Operational capabilities are defined by the PartnerLink program with distributed sponsor-exchange authorizations.

Evaluation Period

You can obtain a trial license that allows full use of the product for a specified evaluation period. Contact Sales for a key to generate a trial license.

For Technical Support, please contact the Product Services Division or visit the Support Web site.

Release-Dependent Licensing

Each release of SecureZIPz requires that a new license key be obtained from Customer Service and that a new license record be generated. The new release fails with the message ZPLI901E Product License is Invalid if the license data set is used from a previous release.

Current Use License

When you receive the license control card information from PKWARE, you build the license data set using the Build License program (there is a sample job stream in member LICUPDAT in the Installation Data set (INSTLIB)). Executing this job stream deletes any existing LICENSE data set, builds a new LICENSE data set and produces a report that reflects the state of SecureZIPz at your location.

Following is a sample of the output:


ZPLI230I CONTROL CARD INPUT TO THE LICENSE RECORD
57 HRM3QB2K 000012805 PKWARE, INC
66 MD688PXB 24000228 00FECE2096O04
 1 AD6FCPXR 24000228 00FECE2096O04
 2 CD6C0PX1 24000228 00FECE2096O04
11 LD689PX3 24000228 00FECE2096O04
ZPLI235I The license record will be updated for SecureZIP (R) for z/OS in
**********************************************************************************

To report on the status of the license at your location, run the sample job stream in member LICPRINT in the Installation Data set (seczip.mvs.INSTLIB).

Sample Full-feature product license report

ZPLI200I A license report has been requested on 09/15/08 AT 2:28pm VER: 11.0
ZPLI200I For Technical Support assistance, please contact Product Services Division
ZPLI200I at 937-847-2687 or go on-line at http://www.pkware.com/support/mainframe
ZPLI001I Portions copyright (C) 1989-2009 PKWARE, Inc. All rights reserved.
ZPLI200I Reg. U.S. Pat. and Tm. Off. Patent No. 5,051,745
ZPLI200I Other U.S. and international patent applications pending.
ZPLI200I Portions of this software include RSA BSAFE(R) cryptographic
ZPLI200I or security protocol software from RSA Security Inc.
*********************************************************************************
ZPLI200I SecureZIP (R) IS LICENSED TO CUSTOMER # 000012805
ZPLI200I - CUSTOMER NAME - PKWARE, INC
*********************************************************************************
ZPLI200I The CPU type is 2096.
ZPLI200I The CPU model number is O04.
ZPLI200I The number of online CPUs is 4. The maximum number of CPUs is 4.
ZPLI200I The LPAR Name is SYS3
ZPLI200I The LPAR Number is 03
ZPLI200I The Serial # for Licensing is FECE
ZPLI200I The service units per second per online CPU is 6015.04.
ZPLI200I The approximate total MIPS (SUs/SEC / 48.5 * # general CPUs) is 496.09.
*********************************************************************************
ZPLI200I The OS version is z/OS 01.09.00 - FMID HBB7740 (SP7.0.9).
ZPLI200I The SMF system id (SID) is PKW1.
ZPLI200I Model from CPC SI
*********************************************************************************
*********************************************************************************
ZPLI200I SAF Certificates are licensed on the following processors
ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration
ZPLI200I Policy Lockdown is licensed on the following processors
ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration
ZPLI200I Hardware CRYPTO is licensed on the following processors
ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration
ZPLI200I Application Integration is licensed on the following processors
ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration
ZPLI200I HFS file handler is licensed on the following processors
ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration
ZPLI200I Compression / Decompression is licensed on the following processors
ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration
ZPLI200I Enhanced tape processing is licensed on the following processors
ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration
ZPLI200I Decryption is licensed on the following processors
ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration
ZPLI200I GZIP supported files licensed on the following processors
ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration
ZPLI200I ISPF is licensed on the following processors
ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration
ZPLI200I Secured Passphrase Management is licensed on the following processors
ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration
ZPLI200I Advanced Encryption is licensed on the following processors
ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration
ZPLI200I Directory Integration is licensed on the following processors
ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration
ZPLI200I ZIP64 large file support is licensed on the following processors
ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration
ZPLI200I Self extraction creator is licensed on the following processors
ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration
ZPLI200I FIPS Mode is licensed on the following processors
ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration
**********************************************************************************

Sample Evaluation (Demo) product license report

ZPLI220I A demo license has been requested on 03/18/04 AT 9:12am
ZPLI220I Please contact PKWARE Sales at 937-847-2374 to receive an evaluation license.
*********************************************************************************
CPU model 2066 with 1 online CPU
serial number for CPU 0 is 04263B2066 (4263B), version code 00.
Service units per second per online CPU is 5612.07
Approximate total MIPS (SUs/SEC / 48.5 * #CPUs) is 115.71
Central Processing Complex (CPC) Node Descriptor:
CPC ND = 002066.0B1.IBM.02.00000001263B
CPC ID = 00
Type(002066) Model(0B1) Manufacturer(IBM) Plant(02) Seq Num(00000001263B)
*********************************************************************************

Sample SecureZIP Partner Product License Report

ZPLI200I A license report has been requested on 09/15/08 AT 2:31pm VER: 11.0
ZPLI200I For Technical Support assistance, please contact Product Services Division
ZPLI200I at 937-847-2687 or go on-line at http://www.pkware.com/support/mainframe
ZPLI001I Portions copyright (C) 1989-2009 PKWARE, Inc. All rights reserved.
ZPLI200I Reg. U.S. Pat. and Tm. Off. Patent No. 5,051,745
ZPLI200I Other U.S. and international patent applications pending.
ZPLI200I Portions of this software include RSA BSAFE(R) cryptographic
ZPLI200I or security protocol software from RSA Security Inc.
*********************************************************************************
ZPLI200I PKWARE PartnerLink SecureZIP(R) IS LICENSED TO CUSTOMER # 575304644
ZPLI200I - CUSTOMER NAME - PKWARE PartnerLink SecureZip
*********************************************************************************
ZPLI200I The CPU type is 2096.
ZPLI200I The CPU model number is O04.
ZPLI200I The number of online CPUs is 4. The maximum number of CPUs is 4.
ZPLI200I The LPAR Name is SYS3
ZPLI200I The LPAR Number is 03
ZPLI200I The Serial # for Licensing is FECE
ZPLI200I The service units per second per online CPU is 6015.04.
ZPLI200I The approximate total MIPS (SUs/SEC / 48.5 * # general CPUs) is 496.09.
*********************************************************************************
ZPLI200I The OS version is z/OS 01.09.00 - FMID HBB7740 (SP7.0.9).
ZPLI200I The SMF system id (SID) is PKW1.
ZPLI200I Model from CPC SI
*********************************************************************************
*********************************************************************************
ZPLI200I This is a SecureZIP (R) Partner for z/OS License
**********************************************************************************

Show System Information

When establishing a valid license with PKWARE for your system, specific operating information is required. To display hardware and software information at your location, run the sample job stream in member LICSHSYS in the Installation Data set (seczip.mvs.INSTLIB). Executing this job stream displays a Show System Information report.

Following is a sample of the report:

ZPLI210I PKZIP - Display System Information - Version 11.0
*********************************************************************************
SecureZIP (R) is a registered trademark of PKWARE (R), Inc.
PKZIP (R) is a registered trademark of PKWARE (R), INC.
Portions copyright (C) 1989-2009 PKWARE, Inc. All rights reserved.
Reg. U.S. Pat. and Tm. Off. Patent No. 5,051,745
Other U.S. and international patent applications pending.
Portions of this software include RSA BSAFE(R) cryptographic
or security protocol software from RSA Security Inc.
***************************************************************************************
For Licensing, please contact the Sales Division at 937-847-2374
or email [email protected]
For Technical Support assistance, please contact the Product Services Division
at 937-847-2687 or go online at http://www.pkware.com/support/mainframe
Wednesday 08/01/2007 (2007.213) 09:27:14
***************************************************************************************
ZPLI210I The CPU type is 2096.
ZPLI210I The CPU model number is O04.
ZPLI210I The number of online CPUs is 4. The maximum number of CPUs is 4.
ZPLI210I The LPAR Name is SYS1
ZPLI210I The LPAR Number is 01
ZPLI210I The Serial # for Licensing is FECE
***************************************************************************************
Service units per second per online CPU is SUSEC.
Approximate total MIPS (SUs/SEC / 48.5 * #CPUs) is MIPS.
CEC MSU per hour capacity is 67 - LPAR MSU per hour capacity is 67
***************************************************************************************
The OS version is z/OS 01.08.00 - FMID HBB7730 (SP7.0.8).
JES2 z/OS 1.8
DFSMS z/OS 1.8.0
Model from CPC SI
READY

Conditional Use

PKWARE recognizes that there may be periods where the licensing environment established by the customer is no longer valid. Circumstances such as disaster recovery processing or the installation or upgrade of new processors will affect the environment.

See “SecureZIP for z/OS Grace Period” later in this chapter for more information.

Initializing the License

The SecureZIP Partner for z/OS product comes with a predefined software activation license for use on any z/OS system. For more information, see “SecureZIP Partner License Activation,” later in this chapter.

For all other products, each release of SecureZIPz requires that a new license key be obtained from Customer Service and that a new license record be generated. The new release will fail with a ZPLI901E Product License is Invalid message if the License dataset from a previous release is used.

PKZIP and Full-Featured SecureZIP License Activation

Transfer the license file provided by PKWARE from the PC to the host. Be sure to convert the data from ASCII to EBCDIC and insert CR/LF’s. Copying the authorization code from the text file and pasting it into the LICENSE member of the INSTLIB is an acceptable alternative.

After the file has been transferred or copied to the host, edit the INSTLIB(LICUPDAT) member, supply a job card, and modify the following line of JCL:

000400 //LICENSE PROC HLVL=SECZIP.MVS,URUNIT=SYSDA,URVOL=WORK01

“SECZIP.MVS” is the high-level qualifier for your installation. URUNIT and URVOL are the target unit and volume for the installed SecureZIPz product.

SecureZIP Partner License Activation

A software license is provided with the SecureZIP Partner for z/OS package for the purpose of activating, configuring and verifying the installation of the software. A Sponsor Distribution Package must also be obtained independently through the PKWARE PartnerLink program to activate data interchange capabilities with a PartnerLink sponsor.

The SecureZIP Partner software license enables a pre-defined set of features to be run on any system. Because of this, you are not required to identify your specific processor to be used to run the products.

The PKWARE PartnerLink SecureZIP Partner license is created by member LICRPLKB in INSTLIB.

Executing this job stream creates the LICENSE dataset and produces a report that reflects the state of PKWARE PartnerLink SecureZIP at your location.

The JCL in INSTLIB for the sample jobs contains the symbolic parameter HLVL. HLVL is used as the high level qualifier for the REXX EXEC libraries and as the high level qualifier for the LICENSE dataset. By default, they both point to the same high level qualifier. If you use more than one high level qualifier, you must use override JCL.

Edit the INSTLIB(LICRPLKB) member, supply a job card, and modify the following line of JCL:

000400 //LICENSE PROC HLVL=SECZIP.RPLK,URUNIT=SYSDA,URVOL=WORK01

“SECZIP.MVS” is the high-level qualifier for your installation. URUNIT and URVOL are the target unit and volume for the installed SecureZIPz product.

In addition, you must change the value "license hlq" in the UPDATE SYSIN control cards to reflect the high level qualifier of the license dataset.

//UPDATE.SYSTSIN DD *
RECEIVE INDDN(LICIN) DSNAME('license hlq.LICENSE')

Reporting the PKZIP/SecureZIP for z/OS License

The procedures below describe how to obtain the license report.

Edit the *.INSTLIB(LICPRINT) member, supply a job card, and substitute the following default line:

000400 //LICENSE PROC HLVL=SECZIP.MVS

“SECZIP.MVS” represents the high-level qualifier for your installation.

When you submit this job, the output should give you a return code of zero (RC=00) and the following additional lines.

ZPLI200I A license report has been requested on 09/15/08 AT 2:28pm VER: 11.0
ZPLI200I For Technical Support assistance, please contact Product Services Division
ZPLI200I at 937-847-2687 or go on-line at http://www.pkware.com/support/mainframe
ZPLI001I Portions copyright (C) 1989-2009 PKWARE, Inc. All rights reserved.
ZPLI200I Reg. U.S. Pat. and Tm. Off. Patent No. 5,051,745
ZPLI200I Other U.S. and international patent applications pending.
ZPLI200I Portions of this software include RSA BSAFE(R) cryptographic
ZPLI200I or security protocol software from RSA Security Inc.
*********************************************************************************
ZPLI200I SecureZIP (R) IS LICENSED TO CUSTOMER # 000012805
ZPLI200I - CUSTOMER NAME - PKWARE, INC
*********************************************************************************
ZPLI200I The CPU type is 2096.
ZPLI200I The CPU model number is O04.
ZPLI200I The number of online CPUs is 4. The maximum number of CPUs is 4.
ZPLI200I The LPAR Name is SYS3
ZPLI200I The LPAR Number is 03
ZPLI200I The Serial # for Licensing is FECE
ZPLI200I The service units per second per online CPU is 6015.04.
ZPLI200I The approximate total MIPS (SUs/SEC / 48.5 * # general CPUs) is 496.09.
*********************************************************************************
ZPLI200I The OS version is z/OS 01.09.00 - FMID HBB7740 (SP7.0.9).
ZPLI200I The SMF system id (SID) is PKW1.
ZPLI200I Model from CPC SI
*********************************************************************************
*********************************************************************************
ZPLI200I SAF Certificates are licensed on the following processors
ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration
ZPLI200I Policy Lockdown is licensed on the following processors
ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration
ZPLI200I Hardware CRYPTO is licensed on the following processors
ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration
ZPLI200I Application Integration is licensed on the following processors
ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration
ZPLI200I HFS file handler is licensed on the following processors
ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration
ZPLI200I Compression / Decompression is licensed on the following processors
ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration
ZPLI200I Enhanced tape processing is licensed on the following processors
ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration
ZPLI200I Decryption is licensed on the following processors
ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration
ZPLI200I GZIP supported files licensed on the following processors
ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration
ZPLI200I ISPF is licensed on the following processors
ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration
ZPLI200I Secured Passphrase Management is licensed on the following processors
ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration
ZPLI200I Advanced Encryption is licensed on the following processors
ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration

ZPLI200I Directory Integration is licensed on the following processors
ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration
ZPLI200I ZIP64 large file support is licensed on the following processors
ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration
ZPLI200I Self extraction creator is licensed on the following processors
ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration
ZPLI200I FIPS Mode is licensed on the following processors
ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration
**********************************************************************************
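As an added example (not PKWARE's code), the following Python parses a report in the ZPLI200I format shown above and checks each licensed feature against the CPU type, model and serial the report was run on, so an administrator can spot a feature that the LICENSE dataset does not cover for this processor. The sample report text is constructed and abbreviated, with one feature deliberately tied to a made-up serial so the check has something to flag; treating the leading zeros in "00FECE" versus "FECE" as padding is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed, abbreviated version of the ZPLI200I license report shown in the
# text. The last feature is deliberately tied to a made-up serial (00ABCD) so
# that the check below has something to report.
SAMPLE_REPORT = """\
ZPLI200I A license report has been requested on 09/15/08 AT 2:28pm VER: 11.0
ZPLI200I SecureZIP (R) IS LICENSED TO CUSTOMER # 000012805
ZPLI200I - CUSTOMER NAME - PKWARE, INC
*********************************************************************************
ZPLI200I The CPU type is 2096.
ZPLI200I The CPU model number is O04.
ZPLI200I The Serial # for Licensing is FECE
ZPLI200I SAF Certificates are licensed on the following processors
ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration
ZPLI200I GZIP supported files licensed on the following processors
ZPLI200I Serial# 00FECE processor type 2096 version/model O04 - expiration
ZPLI200I FIPS Mode is licensed on the following processors
ZPLI200I Serial# 00ABCD processor type 2096 version/model O04 - expiration
"""


@dataclass
class Processor:
    serial: str
    cpu_type: str
    model: str
    expiration: str  # empty when the report prints nothing after "expiration"


@dataclass
class LicenseReport:
    customer: str = ""
    cpu_type: str = ""
    model: str = ""
    serial: str = ""
    features: dict = field(default_factory=dict)  # feature name -> [Processor]


# "X is licensed on ..." / "X are licensed on ..." / "X licensed on ..." all occur.
_FEATURE = re.compile(
    r"^ZPLI200I (.+?) (?:(?:is|are) )?licensed on the following processors$")
_PROC = re.compile(
    r"^ZPLI200I Serial# (\S+) processor type (\S+) version/model (\S+)"
    r" - expiration\s*(.*)$")
_FIELDS = {
    "customer": re.compile(r"IS LICENSED TO CUSTOMER # (\S+)"),
    "cpu_type": re.compile(r"The CPU type is (\S+)\."),
    "model": re.compile(r"The CPU model number is (\S+)\."),
    "serial": re.compile(r"The Serial # for Licensing is (\S+)"),
}


def norm_serial(s):
    """The system line prints FECE while feature lines print 00FECE; the
    leading zeros are assumed to be padding and are dropped before comparing."""
    return s.upper().lstrip("0")


def parse_report(text):
    """Build a LicenseReport from the ZPLI200I message lines of a report."""
    rpt = LicenseReport()
    current = None  # feature whose processor lines are being read
    for line in text.splitlines():
        line = line.rstrip()
        m = _FEATURE.match(line)
        if m:
            current = m.group(1)
            rpt.features.setdefault(current, [])
            continue
        m = _PROC.match(line)
        if m and current:
            rpt.features[current].append(Processor(*m.groups()))
            continue
        for name, rx in _FIELDS.items():
            m = rx.search(line)
            if m:
                setattr(rpt, name, m.group(1))
    return rpt


def unlicensed_features(rpt):
    """Names of features with no processor entry matching this system's
    serial, CPU type and model (the report's own identification lines)."""
    missing = []
    for name, procs in rpt.features.items():
        covered = any(norm_serial(p.serial) == norm_serial(rpt.serial)
                      and p.cpu_type == rpt.cpu_type and p.model == rpt.model
                      for p in procs)
        if not covered:
            missing.append(name)
    return missing


if __name__ == "__main__":
    r = parse_report(SAMPLE_REPORT)
    print(f"customer {r.customer} on type {r.cpu_type} model {r.model} serial {r.serial}")
    print("features not licensed for this processor:", unlicensed_features(r))
```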

PKZIP/SecureZIP for z/OS Grace Period

PKWARE recognizes that there may be periods where the licensing environment established by the customer is no longer valid. Circumstances such as disaster recovery processing or the installation or upgrade of new processors will affect the environment.

To accommodate the installation, SecureZIPz has a process that will allow you to continue to use the product for a grace period of five days when the established licensing environment is no longer valid. Note that the user must have write authority on the license dataset to invoke the grace period. This authority is only required the first time PKZIP/PKUNZIP is run after a CPU change has occurred; it is not required after the grace period has been successfully invoked (this is one time per CPU, not one time per IPL).

During the grace period, error messages will be displayed on the console (and the printout) for each execution of SecureZIPz. At the end of the period, if the license is not updated, the product will no longer function for the new CPUs except to VIEW an archive. The five-day grace period is designed so that the program will not cease to function on a weekend or the Monday following the five-day grace period. You must contact PKWARE at [email protected] during the grace period to obtain licensing to allow extended use.

Note: The SecureZIP Partner for z/OS software activation license does not require or support grace period processing.

Running a Disaster Recovery Test

There are no special procedures necessary in order for you to use SecureZIPz during a disaster recovery test. Because SecureZIPz licensing allows for such contingencies, the user can perform the following process to have SecureZIPz run at the DR site with a RC=00.

1. First, copy the production image of SecureZIPz from the production system over to the Disaster Recovery system.

2. Once the image is on the system, simply run SecureZIPz from the CPU you want, and SecureZIPz will run conditionally for five days with a RC=0. (This time limit does not apply to SecureZIP Partner for z/OS.) If operation beyond this time frame is required, contact PKWARE at [email protected].

If operating SecureZIP Partner for z/OS, you can rerun the predefined license job from INSTLIB (LICRPLKB) if necessary.

Activating the ISPF Interface

The ISPF interface requires a PKZIP Enterprise Edition or SecureZIP license. Activation of the SecureZIPz ISPF interface is accomplished as follows:

During product installation, the SecureZIPz ISPF libraries are loaded to disk. The high level qualifiers (dsnhlq) are selected by the user during the installation process.

To configure the SecureZIP Certificate Store Processing and ISPF Panels, the user will need to make a few modifications to the PKWARE.MVS.INSTLIB(PKISPF) and PKWARE.MVS.INSTLIB(PKZSTART) members. Optionally, a shortcut EXEC to run the ZIP archive VIEW dialog from an ISPF 3.4 data set list may be installed from PKWARE.MVS.INSTLIB(PKV).

For certificate store processing you must edit the PKISPF member and make the following changes to reflect your installation:

Change the value of 'HLVL' to reflect the high level qualifier for your installation.

Change the value of 'ISP' to reflect the high level qualifier for your system ISPF files. This defaults to 'ISP'.

ISP=ISP

Change the value of 'SYSDA' to indicate the unit type for temporary files. The default is 'SYSDA'.

SYSDA=SYSDA

To prepare the SecureZIPz ISPF panels you must edit the PKZSTART member and make the following changes to reflect your installation:

If the user environment cannot support compiled REXX, change the value of 'env' to 'EXEC'. If your environment does support compiled REXX, you do not have to change anything on this line. The default is 'CEXEC'.

env = 'CEXEC'

Change the value of 'ispfhlq' to reflect the high level qualifier for your installation.

Change the value of 'llib' to indicate the name of the installed load library.

Now save your changes to the PKZSTART member.

To quickly test whether the user configuration has worked, simply type "EXEC" next to the PKZSTART member. If everything has gone accordingly during the installation, after typing in “EXEC”, the user should be prompted to enter the configuration screen for SecureZIPz.

You may choose to add the PKZSTART member to a REXX exec in your SYSEXEC or SYSPROC concatenation that will initialize the ISPF interface. If the user prefers to activate the SecureZIPz ISPF from your ISPF main menu, add an entry that will activate SecureZIPz. Both methods are explained in the following paragraphs. Significant performance improvements can be achieved by using the compiled REXX exec.

To install the optional PKV line command EXEC (for use with ISPF 3.4 Data Set List Utility):

Copy PKWARE.MVS.INSTLIB(PKV) to an active SYSPROC or SYSEXEC library and modify it to execute the PKZSTART member installed in the previous step.

ISPF Main Menu

To execute SecureZIPz from an ISPF menu panel you must add an entry to the main menu for ISPF. This is normally a panel named (ISR@PRIM). Add the following line (or whatever the user deems appropriate) to the BODY section of the panel definition:

P SecureZIP for z/OS 11.0 ISPF

Add the following line to the PROC section:

P,'CMD(%PKZSTART)'

Replace the ‘P’ with whatever main menu option you added in the BODY section of the panel definition. The user will notice that the PKZSTART exec has an argument passed to it. The argument ‘CEXEC’ causes the libraries containing the compiled REXX routines to be allocated. The user will gain significant increases in performance by using these libraries. If your operating system release or any other reason might prevent you from using the compiled REXX, then call PKZSTART with the argument of ‘EXEC’ and the normal interpreted REXX libraries will be used.

PKZSTART is the initial exec that starts the interface and it also allocates the necessary ISPF application libraries. Consequently, it must be modified to reflect the installed library names (as it was documented in the previous section).

Running PKZIP/SecureZIP with Library Lookaside (LLA and LNKLST)

This section applies only if SecureZIPz is to be executed from Library Lookaside.

To install SecureZIPz into Library Lookaside for the purpose of eliminating JOBLIB and STEPLIB DD statements for execution, follow your installation’s standards for implementing LNKLST for the SecureZIPz LOAD library. See the IBM z/OS Initialization and Tuning publications for more information.

To access SecureZIPz from the system LNKLST while running ISPF, enter the Configuration panel (option C from the menu panel). In the field labeled “Execution load library,” enter the string *LNKLST (no quotes). In this mode of operation, the ISPF EXEC procedures call SecureZIPz programs from the system link list instead of from a particular library. In addition, ISPF-generated background jobs will not include a STEPLIB.

Be sure to perform a MODIFY LLA REFRESH or UPDATE operation for the SecureZIPz data set when adding or maintaining tailored SecureZIPz modules. Doing this causes Library Lookaside to rebuild its directory indexes and enables future executions to access new copies of the modules. (For more information regarding LLA commands, see the IBM z/OS MVS Commands manual.)

Tailored SecureZIPz modules include:

Defaults modules

Translation tables for TRANSLATE_TABLE_DATA and TRANSLATE_TABLE_FILEINFO

The SAFETYEX load module

Verifying the Installation

To ensure proper design and implementation has taken place, it is crucial for the system administrator to run the installation verification procedures that ship with SecureZIPz. Once the product has completed installation and is properly licensed, you can run the pre-defined IVP streams. Instructions for customizing these jobs to the standards of your facility are included in comments at the beginning of each job’s JCL stream.

The pre-packaged IVP streams located under the *.INSTLIB dataset are as follows:

IVPBASIC – Demonstrates the compression, viewing, testing, and decompression of a catalog listing to an archive contained in a PDS member.

IVPLMOD – Compresses LOAD module members and then views, tests, and rebuilds the LOAD library from the archive.

IVPSECUR – Sample strong encryption jobs to compress 1MB, 10MB, 100MB, and 1GB data files and to test and decompress the files from the archives. SecureZIP for z/OS users only.

IVPVSAM – Demonstrates the compression, viewing, testing, and decompression of a VSAM KSDS to a VSAM archive. (Non-VSAM files and archives can be mixed with VSAM. This job simply shows that VSAM can be used for either.)

IVPVSPAN – Sample job to IEBCOPY-Unload a PDS, ZIP it, and reload it to verify the operation of variable spanned files.

Recipient-based encryption, signing and authentication can also be tested from the Local Certificate Store main menu. Option 8, Option 2 (Run Installation Verification Job) prompts the user with the IVP JCL stream that has been customized for the signing and authentication standards of your facility. This job demonstrates the compression, encryption, signing, and authentication of an archive using SecureZIP for z/OS. The expected return code is zero for each of the IVP job runs.

To report any unexpected job results when running the various IVP streams, contact PKWARE Technical Support.

Users of SecureZIP Partner for z/OS should not run the IVP jobs detailed above, as they are intended only for the full-featured PKZIP and SecureZIP for z/OS products. The pre-packaged PartnerLink IVP job is located under the *.INSTLIB dataset:

PLIVPZIP – Demonstrates the successful configuration of the PKWARE, Inc., test Sponsor Distribution Package. A pre-signed archive is provided in INSTLIB2(PLIVPZIP) for SecureZIP Partner access.

Run-time Performance Considerations

The product is configured with default settings to enable full functionality and operate effectively for many environments. However, there are some installation, configuration, and run-time controls that may improve installation-defined performance objectives, depending on the local operating profile.

Improving performance may involve taking steps to identify the best configuration and settings profile for a specific workload. When SecureZIPz is used for different applications, each should be examined to determine the mix of settings that will achieve the desired performance objective for that workload. In addition, it is recommended that benchmark information be retained between performance tests so that a basis of comparison exists when changes are introduced, either for the product or the operating environment.

Variations in the operating environment may also affect SecureZIPz performance. For example, when data sets being accessed for ZIP or UNZIP processing are dynamically allocated in a SYSPLEX, the GRS serialization for the data sets (or Partitioned members) may introduce delays in processing.

Main Tuning Ingredients

Meeting an acceptable level of performance involves balancing the consumption of system resources with the functional objectives for the workload. Because of the number of variables to consider in tuning, it is helpful to organize them into categories to quickly identify which aspects of processing to focus on. Inasmuch as system resources are rarely unconstrained, it is also important to rank the importance for each category, as in the order suggested below, so that a reasonable trade-off may be decided upon when two or more items appear to conflict.

1. Qualify the performance objectives

As settings are being considered for evaluation, it is important to understand which performance measurements are important, and in what rank if not all can be easily met. Typical measurements include:

o Elapsed Time

o CPU Time

o Archive size

2. Resource Constraints

The following resources are involved in various phases of ZIP processing. Making adjustments to either reduce the processing requirement of constrained resources or to provide additional resources to achieve the functional processing requirement may significantly affect the measurement objectives.

o Processor Time

o I/O

o File Allocation (serialization)

o Virtual Storage

o Temporary DISK work space

3. Feature Processing Requirements

The SecureZIPz products provide multiple processing features, many of which provide flexibility for setting levels within a category of functionality. For example, there are multiple levels of compression available to meet constraints associated with an archive’s size. Some of the major processing phases associated with SecureZIPz features include:

o Run-time initialization

o File Selection

o File data handling

o Compression/Inflation

o Encryption/Decryption

o Digital Signature/Authentication

o Archive access (Read and Write)

The following table assists in relating the above categories to actions that can lead to performance improvement.

Processing Phase | Configuration/Setting | Resources | Metrics
---------------- | --------------------- | --------- | -------
Initialization (use case: quick ZIP/UNZIP runs or calls) | JOBLIB/STEPLIB elimination with LLA and/or LPA | I/O for program fetch | Elapsed Time; I/O (EXCP)
Initialization (use case: quick ZIP/UNZIP runs or calls) | SYSIN records via partitioned library: CHECK_SYSIN_MEMBER=N setting | I/O for PDS directory search | Elapsed Time; I/O (EXCP)
Initialization (use case: quick ZIP/UNZIP runs or calls) | PARMLIB commands via partitioned library: PARMLIB_DSNAME_UNZIP, PARMLIB_DSNAME_ZIP, INCLUDE_CMD | I/O for PDS directory search | Elapsed Time; I/O (EXCP); DYNALLOC

Initialization – JOBLIB/STEPLIB Elimination, LLA, VLF and/or LPA

Several programs are loaded through Program Fetch during initialization. (Different load modules are obtained based on the processing options that are requested, as well as the run-time operating environment.) Two levels of I/O are required to complete the program fetch for each module: 1) Directory Search and 2) Load module read.

z/OS defines a selection order for locating modules. Each LOAD request done by SecureZIPz initialization results in a search in the following order:

1. JOBLIB or STEPLIB

o If only a JOBLIB is used, all libraries in the JOBLIB concatenation are searched. If the SecureZIPz load library containing the modules is not first in the concatenation, then other library directories will have I/O (and directory processing analysis) performed for each LOAD request.

o If present, STEPLIB supersedes a JOBLIB. By introducing STEPLIB for the SecureZIPz programs, extraneous library directory search processing will be eliminated.

o JOBLIB or STEPLIB will be searched before LPA or Library Lookaside (LLA).

o Recommendation: If multiple libraries are used in a JOBLIB concatenation to locate SecureZIPz modules, use a STEPLIB override for the SecureZIPz step to eliminate unnecessary searching of other libraries. Alternatively, place the SecureZIPz load library at the beginning of the concatenation.

o Recommendation: If more significant reductions are necessary, eliminate both the directory search for SecureZIPz modules and the LOAD module fetch for reentrant modules: substitute STEPLIB for JOBLIB for the other program steps in the job, remove the STEPLIB for SecureZIPz, and activate the SecureZIPz load library in LLA and VLF with the “FREEZE” option.

2. Link Pack Area (LPA) – JOBLIB and STEPLIB elimination

A sample job in the SecureZIPz INSTLIB(LPACOPY) member is provided to copy eligible LPA modules from the SecureZIPz load library to a valid LPA-loadable data set.

o Assuming that JOBLIB search was completed (or eliminated completely), LPA will be searched for qualifying modules. Only reentrant/refreshable modules may be placed into LPA. These modules are loaded into system storage and retained for jobs to access directly.

o No directory search I/O is required for LPA modules.

o No read time is required for LPA modules.

o Note: If a JOBLIB is active (for other job libraries), and there is no STEPLIB for SecureZIPz, then the JOBLIB concatenation will be searched before LPA, thereby introducing I/O and elapsed time delays. For this search technique to be effective in eliminating directory search, there should be no active JOBLIB.

o Activation note: Not all SecureZIPz modules qualify for LPA. It is recommended that a separate library be created that contains SecureZIPz modules marked with RENT/REFR. You may also leave them in the original library. Be sure to include ALIAS entries associated with LOAD module members (for example, PKZIP is an ALIAS for ACZMAIN).

o Activation note: LPA is intended to be used in conjunction with LLA. LPA is not required for LLA, but LLA usage is required for the LPA technique to be effective.

o Maintenance note: Modules loaded into LPA must be manually synchronized with SecureZIPz maintenance through the appropriate systems programming facility used in the operating environment.

o LPA Modules may be administered in accordance with IBM z/OS management facilities. LPA modules may be activated in the system by any of the following means (Ref. IBM z/OS MVS Initialization and Tuning Guide, and z/OS MVS Commands):

Dynamic LPA via system PARMLIB PROGxx or SETPROG LPA command

Fixed LPA (FLPA) via system PARMLIB IEAFIXxx

Modified LPA (MLPA) via system PARMLIB IEALPAxx

Pageable LPA (PLPA) via system PARMLIB LPALSTxx or PROGxx


SETPROG LPA,ADD,DSNAME=USER.PKZIP.LPALIB,MASK=*
IEF196I IEF237I 2820 ALLOCATED TO SYS00194
IEF196I IEF285I   USER.PKZIP.LPALIB
IEF196I IEF285I   VOL SER NOS= Z8SYS1.
CSV551I 15.32.28 LPA ADD 040
SUCCESSFUL: 20 UNSUCCESSFUL: 0 NOT PROCESSED: 0
MODULE    RESULT
ACAMHLQ   SUCCESSFUL
ACCOMAIN  SUCCESSFUL
ACCOZIPC  SUCCESSFUL
ACFMBSAM  SUCCESSFUL
ACFMGR    SUCCESSFUL
ACZMAIN   SUCCESSFUL
CCCOZIP   SUCCESSFUL
CL16UT01  SUCCESSFUL
CL16UT02  SUCCESSFUL
CL16UT03  SUCCESSFUL
CL17UT01  SUCCESSFUL
CL17UT02  SUCCESSFUL
CL17UT03  SUCCESSFUL
CSBSHASH  SUCCESSFUL
CSBSPRNG  SUCCESSFUL
PKCRYMTX  SUCCESSFUL
PKUNZIP   SUCCESSFUL
PKZIP     SUCCESSFUL
SECUNZIP  SUCCESSFUL
SECZIP    SUCCESSFUL

3. Library Lookaside (LLA) – JOBLIB and STEPLIB elimination

o LLA may be used independently from, or in conjunction with LPA to speed the directory search process for module LOAD.

o To have full effect, other libraries must be eliminated from the JOBLIB/STEPLIB search sequence.

o VLF, along with “FREEZE” (see CSVLLAxx and COFVLFxx z/OS PARMLIB member specifications in the IBM z/OS Initialization & Tuning Guide/Reference manuals for more information) is recommended to eliminate additional module fetch I/O.

o LLA has no effect on the actual program read time associated with program fetch, only on the directory search portion.

o LLA members may be administered in accordance with IBM z/OS management facilities. LLA libraries may be activated in the system by any of the following means (Ref. IBM z/OS MVS Initialization and Tuning Guide and z/OS MVS Commands):

SETPROG LNKLST

PARMLIB PROGxx (with SET PROG=xx command, or IPL)

Initialization – SYSIN Command Records via Partitioned Members

A common means for specifying utility control cards is to store them in a partitioned data set and reference the member through JCL.

SecureZIPz initialization processing includes a default setting of CHECK_SYSIN_MEMBER=Y. This setting is intended to act as a protection mechanism to avoid S013 abends when a member name is referenced but does not exist in the partitioned data set. SecureZIPz performs a preliminary search of the partitioned data set directory to verify that the member exists before attempting to OPEN the SYSIN DD.

The validation process involves an independent DYNALLOC of the partitioned data set (without the member name) to access its directory, followed by an OPEN/CLOSE and read operations against the directory. When the directory of the partitioned data set is large, as when a common application parameter library is used, the directory search can require several input operations to determine whether the member exists.

Recommendation: Assuming that the member is correctly specified, and an analysis for an abend S013-18 is acceptable in the event that the corresponding member is deleted or renamed, the ACZDFLT setting of CHECK_SYSIN_MEMBER=N may be specified to bypass this procedure.

Initialization – PARMLIB Commands via Partitioned Members

SecureZIPz initialization processing includes the capability of including commands through dynamically allocated PDS members (other than for SYSIN). The settings for PARMLIB_DSNAME_UNZIP and PARMLIB_DSN_ZIP in the defaults module (ACZDFLT), as well as the use of –INCLUDE_CMD, activate this functionality.

Each specification induces an independent DYNALLOC for the partitioned dataset to access the member, an OPEN/CLOSE and read operations for the statements. DYNALLOC causes system GRS serialization activities, while access method time for each additional data set introduces elapsed time delay.

Recommendations: Determine whether common commands can be grouped by a different means that eliminates excessive PDS allocation processing.

Consolidate commands into SYSIN and eliminate PARMLIB_DSNAME_UNZIP/ZIP and INCLUDE_CMD where practical (specifying NULLFILE for the associated defaults module settings).

Use ACZDFLT module settings in lieu of external data sets that house commands. (See also –DM to select one of many tailored defaults modules).

Place override commands into the EXEC PARM to eliminate control card I/O handling if operational limits permit. (The EXEC PARM in z/OS is restricted to 100 characters).

Use //PARMLIB DD in lieu of the defaults module settings to eliminate the DYNALLOC overhead. This is the DD statement name that is used internally to dynamically allocate the PARMLIB_DSNAME_UNZIP/ZIP data sets.

Enable SMF Recording

The SecureZIP for z/OS Policy Lockdown feature is required for this feature to operate.

SecureZIP for z/OS provides a configurable option to record operational events in SMF for use by third-party reporting tools. The SMF record number and recording level are configurable through settings in the default module. The types of information that can be recorded include:


ZIP/UNZIP session startup and shutdown records, with correlation fields to existing SMF type 30 records.

Operational setting values that can be useful in auditing security-related facilities.

File correlation information describing the flow of files in and out of SecureZIP archives and the corresponding z/OS files used in the process.

When activated for SMF recording, SecureZIP for z/OS requests the writing of subtype records for various phases of processing. (See chapter 8, on SMF record formats; also reference IBM z/OS MVS System Management Facility, “Standard SMF Record Header with Subtypes.”)

Record Filtering

SecureZIP provides the SMF_SUBTYPES setting to manage the levels of subtype records generated. To prevent the creation of ‘noise’ records, SMF recording is automatically disabled when early initialization failures such as command syntax errors are encountered, or when SIMULATE=Y processing is requested.

If additional record filtering is required, z/OS SMF processing controls may be employed with facilities such as:

PARMLIB(SMFPRMxx) parameters

IEFU84 SMF installation exit

IFASMFDP utility during the SMF offload process

Post-offload processes defined by the installation.

SMF Activation

The following steps must be performed for SecureZIP to actively perform SMF recording. Each step is described in the sections that follow.

1. Install and activate the PKWSVC module under z/OS

2. Select a unique SMF record type and activate it within the System Management Facility

3. Activate SVC and SMF settings in the SecureZIP defaults module.

The following IBM reference publications may be consulted for details regarding the installation steps.

z/OS MVS System Management Facilities (SMF)

z/OS Initialization and Tuning Reference

Install and Activate the PKWSVC Module

The installation of an SVC should be performed by a qualified and authorized z/OS system programmer. Appropriate backup and recovery procedures should be followed for all components critical to system IPL and operations.


The SMF recording facility requires that a program using the SMFEWTM macro service either be APF-authorized or run in supervisor state. Because SecureZIP for z/OS executes in a non-APF authorized state, an SVC module is provided to invoke the service.

SecureZIP for z/OS provides the SVC routine in load module IGC00PKW (with ALIAS PKWSVC) for installation as a type(3) SVC. The following operating characteristics may be noted:

No record-tailoring work is performed in the PKWSVC module. The record is passed to the SVC for invocation of the SMFEWTM macro service.

The SVC routine is intended for use only with the SecureZIP for z/OS product.

The SecureZIP for z/OS defaults module setting SVC= governs which SVC # SecureZIP for z/OS should attempt to use.

SecureZIP for z/OS covers the use of the SVC with an ESTAEX recovery routine. A partial or incorrect installation of the SVC should not interfere with SecureZIP for z/OS functionality.

The following procedure provides guidance for activation of the PKWSVC through an IPL. SVC number 201 will be used in all illustrations. Alternative SVC activation procedures adopted by an installation may also be used.

1. Choose an available SVC number for the system(s) on which SecureZIP for z/OS will operate.

2. In the installation’s system PARMLIB(IEASVCxx) member, add a line that defines the desired SVC number and relates it to the PKWSVC module to be identified at the next IPL.

In the sample below, SVC 201 has been chosen, along with the ALIAS name PKWSVC that will be assigned to the corresponding SVC load module (to be defined in a subsequent step).

SVCPARM 201,REPLACE,TYPE(3),EPNAME(PKWSVC) /* PKWARE SVC */

Ref. IBM z/OS Initialization and Tuning Reference – “Statements/Parameters for IEASVCxx”

3. Identify a target LPALIB for the PKWARE SVC to be installed to. This may either be an existing library used by the installation for LPA/MLPA modules, or a newly defined one. If a new library is to be used, be sure to configure the system LPALSTxx or IEALPAxx PARMLIB members to use the new library during the next IPL.

Ref. IBM z/OS Initialization and Tuning Reference – “LPALSTxx (LPA Library List)”

Ref. IBM z/OS Initialization and Tuning Reference – “IEALPAxx (modified LPA List)”

4. Position the SVC load module and ALIAS PKWSVC into the target LPA library that will be used during an IPL to load the Link Pack Area, either with CLPA or MLPA. This process requires that the module IGC00PKW be renamed to support the SVC number selected while retaining the ALIAS PKWSVC (Ref. z/OS MVS Authorized Assembler Services Guide, user-written SVC routines).


Per IBM naming conventions for type 3 SVCs, “… must be named IGC00nnn; nnn is the signed decimal number of the SVC routine. For example, SVC 251 would be IGC0025A and SVC 245 would be IGC0024E”

Using our example of SVC 201, the SVC Load module name is IGC0020A. A two-step process is described below.

o First, using ISPF option 3.3 (Move/Copy), copy members IGC00PKW and PKWSVC from the SecureZIP LOAD library to the target LPA library to be used. Be sure to copy both members with a single selection so that member PKWSVC is retained as an ALIAS of IGC00PKW.

o Using ISPF option 3.1 (Library) with Member List display, verify that PKWSVC shows as an Alias-of IGC00PKW.

   Menu  Functions  Confirm  Utilities  Help
 ------------------------------------------------------------------------------
 LIBRARY  MAS.TESTLPA                                        Row 00001 of 00002
 Command ===>                                                  Scroll ===> CSR
            Name     Prompt       Alias-of     Size     TTR    AC  AM  RM
 _________ IGC00PKW                            00000230 000109 00  31  ANY
 _________ PKWSVC                 IGC00PKW     00000230 000109 00  31  ANY
           **End**

o Next, use ISPF option 3.1 (Library) against the target LPA library and RENAME IGC00PKW to IGC0020A.

   Menu  Functions  Confirm  Utilities  Help
 ------------------------------------------------------------------------------
 LIBRARY  MAS.TESTLPA                                        Row 00001 of 00002
 Command ===>                                                  Scroll ===> CSR
            Name     Prompt       Alias-of     Size     TTR    AC  AM  RM
 R________ IGC00PKW IGC0020A                   00000230 000109 00  31  ANY
 _________ PKWSVC                 IGC00PKW     00000230 000109 00  31  ANY
           **End**

<ENTER>

   Menu  Functions  Confirm  Utilities  Help
 ------------------------------------------------------------------------------
 LIBRARY  MAS.TESTLPA                                        Row 00001 of 00002
 Command ===>                                                  Scroll ===> CSR
            Name     Prompt       Alias-of     Size     TTR    AC  AM  RM
 _________ IGC00PKW *Renamed
 _________ PKWSVC                 IGC00PKW     00000230 000109 00  31  ANY
           **End**


o Finally, verify that the rename is complete with PKWSVC as an Alias-of the target SVC load module name by ending the prior display and re-entering the Display Member List as shown below.

   Menu  Functions  Confirm  Utilities  Help
 ------------------------------------------------------------------------------
 LIBRARY  MAS.TESTLPA                                        Row 00001 of 00002
 Command ===>                                                  Scroll ===> CSR
            Name     Prompt       Alias-of     Size     TTR    AC  AM  RM
 _________ IGC0020A                            00000230 000109 00  31  ANY
 _________ PKWSVC                 IGC0020A     00000230 000109 00  31  ANY
           **End**

5. Review system PARMLIB members LPALSTxx or IEALPAxx to ensure that the module will be correctly loaded to LPA.

6. IPL using CLPA, MLPA or other means appropriate to the operating environment to activate the SVCPARM and load the PKWSVC module. This task may be deferred until preparations are complete for SMF recording with the selected SMF record type identified in the next section.
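As an added example (not code from PKWARE or this guide), the following Python functions compute the IGC00nnn name for a chosen SVC number using the signed (zoned) decimal convention quoted in step 4, convert such a name back to its SVC number, and check a member list such as the ISPF 3.1 display in step 4 to confirm that the rename is complete and that PKWSVC is an alias of the renamed module. The mapping of a trailing 0 to '{' follows the EBCDIC positive zone X'C0' and is not illustrated in the guide; the row tuples are constructed from the displays above.

```python
# Names of the form IGC00nnn for a type 3 SVC: the SVC number is written as a
# signed (zoned) decimal, so the last digit carries the positive sign nibble
# X'C' and prints as A..I for 1..9 and as '{' (X'C0' in EBCDIC) for 0.
ZONED_LAST_DIGIT = "{ABCDEFGHI"


def svc_module_name(svc: int) -> str:
    """IGC00nnn load module name for SVC number svc (IBM reserves 0..199;
    installation-defined SVCs are 200..255)."""
    if not 0 <= svc <= 255:
        raise ValueError("SVC number must be 0..255")
    hundreds, tens, units = f"{svc:03d}"
    return f"IGC00{hundreds}{tens}{ZONED_LAST_DIGIT[int(units)]}"


def svc_from_module_name(name: str) -> int:
    """Inverse of svc_module_name, for checking an LPALIB member list."""
    if len(name) != 8 or not name.startswith("IGC00"):
        raise ValueError(f"{name!r} is not an IGC00nnn name")
    hundreds, tens, last = name[5], name[6], name[7]
    if last not in ZONED_LAST_DIGIT or not (hundreds + tens).isdigit():
        raise ValueError(f"{name!r} is not an IGC00nnn name")
    return int(hundreds) * 100 + int(tens) * 10 + ZONED_LAST_DIGIT.index(last)


def check_lpalib_rename(rows, svc: int, alias="PKWSVC", shipped="IGC00PKW"):
    """rows: (name, alias_of) pairs as read off the ISPF 3.1 member list.
    Returns a list of problems; an empty list means the rename is complete."""
    target = svc_module_name(svc)
    members = {name: alias_of for name, alias_of in rows}
    problems = []
    if target not in members:
        problems.append(f"{target} is not in the library")
    if shipped in members:
        problems.append(f"{shipped} still present; rename it to {target}")
    if members.get(alias) != target:
        problems.append(f"{alias} must be an alias of {target}, "
                        f"found {members.get(alias)!r}")
    return problems


if __name__ == "__main__":
    print(svc_module_name(201))                      # IGC0020A
    # Constructed from the before/after member list displays in step 4.
    before = [("IGC00PKW", ""), ("PKWSVC", "IGC00PKW")]
    after = [("IGC0020A", ""), ("PKWSVC", "IGC0020A")]
    print(check_lpalib_rename(before, 201))
    print(check_lpalib_rename(after, 201))           # []
```

The check mirrors the verification in the last sub-step of step 4: the shipped member name must be gone, the renamed module must be present, and the alias must point at the renamed module rather than at IGC00PKW.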

Select a Unique SMF Record Type

The activation of SMF recording should be performed by a qualified and authorized z/OS system programmer. Appropriate backup and recovery procedures should be followed for all components critical to system IPL and operations.

The SMFEWTM system macro is used within the PKWARE SVC with BRANCH=YES and is not in cross memory mode.

Installation exit IEFU84 will be given control before the record is written to SMF.

SecureZIP setting SMF_RECORD#= designates which SMF record type will be issued.

For error conditions encountered other than IEFU84 record filtering, SMF recording is suspended for the remainder of the ZIP/UNZIP run.

The following procedure provides guidance for activating the use of a designated SecureZIP SMF record through an IPL. SMF record number 250 will be used in all illustrations. Alternative SMF record activation procedures adopted by an installation may also be used.

1. Choose an available SMF record number for the system(s) on which SecureZIP for z/OS will operate. This SMF record number must be unique and should be coordinated with other SMF record types used in the environment.

2. Conditionally modify (or create a new) system PARMLIB(SMFPRMxx) member with appropriate SYS and SUBSYS statements that permit the correct level of SMF records to be written for the operating environments where SecureZIP will be executing.

When SecureZIP builds the SMF record header for subtypes, it does not fill in the SMFxSSI Subsystem Identifier field.

Ref. z/OS MVS System Management Facility:

o “Chapter 4. Customizing SMF”


o “Entering SMFPRMxx in SYS1.PARMLIB”

o “Preserving SMF Data”

3. Conditionally review the logic of any active SMF installation exits (IEFU84) that may affect the recording of the designated SMF record. Optional filtering logic may be employed by the installation to further restrict the volume of records that are written.

4. Activate related SMFPRMxx changes through an IPL or other means available to the installation.

Activate SVC and SMF Settings in the SecureZIP Defaults Module

The administrative tasks of activating the supporting SVC and SMF system parameters are covered in the separate sections above. Although the defaults module settings may be put in place before the SVC is activated, some overhead will be incurred by ESTAEX recovery management whenever an incomplete SVC activation is encountered. Therefore, it is recommended that the system administrative tasks be completed first.

The SecureZIP defaults module (ref. ACZDFLT) provides three settings that govern an attempt to engage SMF recording.

SVC=sss Corresponds with the PKWSVC installation used to write the SMF records. See “Install and Activate the PKWSVC Module,” above.

SMF_RECORD#=rrr Corresponds with the SMF record number to be written by SecureZIP. See “Select a Unique SMF Record Type,” above.

SMF_SUBTYPES= Controls which subtype records should be attempted to be written by SecureZIP. Possible values include:

'START,SUMMARY' (This is the default)

'START,SETTINGS,SUMMARY'

'START,FILES,SUMMARY'

'START,SETTINGS,FILES,SUMMARY'

Both SVC= and SMF_RECORD#= must be declared to trigger SecureZIP SMF processing. For testing purposes, these settings may be placed into a SecureZIP command stream to verify that the SVC is correctly installed and activated.

The levels of recording should be selected in accordance with the enterprise requirements for auditing. See chapter 8 for information regarding the frequency and type of information recorded for each subtype, to assist in selecting the correct levels.

In order to keep the volume of recording down, an installation exit such as IEFU84 may also be considered to filter out unnecessary SecureZIP SMF recording events.

1. Before changing the run-time defaults module, execute a test SecureZIP run on the target system(s) to ensure that the SVC and SMF system parameters are correctly activated.


For example:

-SVC=201 -SMF_RECORD#=250 -TRACE_CSERV=1

ZPCM082I SMF recording is ACTIVE to record type 250 {START,SUMMARY }
. . .
SMF RECORD ADDRESS=20301FFC,LENGTH=000083
20301FFC 000000 00830000 5EFA0000 00000000 0000D7D2 |.c..;.........PK|
2030200C 000010 E6F10000 00000001 D4C1E2F4 F5F9F8C8 |W1......MAS4598H|
2030201C 000020 00C347FA B39E0AFB 40000000 01040001 |.C...... .......|
2030202C 000030 00008000 0000E9C9 D7C9E340 40404040 |......ZIPIT |
2030203C 000040 40404040 4040D1D6 C2F3F5F9 F4F4D4C1 | JOB35944MA|
2030204C 000050 E2404040 4040E2E9 F1F14BF0 C485A540 |S SZ11.0Dev |
2030205C 000060 D3E5D34D F05D4040 C2C1E3C3 C8404040 |LVL(0) BATCH |
2030206C 000070 C1001200 100002D4 C1E24BE3 C5D4D74B |A......MAS.TEMP.|
2030207C 000080 E9C9D700 00000000 00000000 00000000 |ZIP.............|
TRCM002T <ACCMGR> PKWSVC RC R14-R1: 0000030F 00000000

o The trace setting TRACE_CSERV=1 will cause selected internal processing messages to be issued so that SMF recording events may be reviewed without dumping the live SMF data sets.

o R15 in the TRCM002T message shows RC = 00000000 indicating that the SMF record was successfully written.

During SecureZIP startup, if LOGGING_LEVEL=VERBOSE is active, one of the following messages will be issued to indicate whether SMF recording will be attempted:

ZPCM081I SMF recording is INACTIVE
- OR -
ZPCM082I SMF recording is ACTIVE to record type +3+C+ {+30+C+}

When ZPCM082I is issued, the SMF_RECORD# being used is shown along with the SMF_SUBTYPE information levels requested.

The levels START and SUMMARY are the minimal levels of recording that may be specified once an SMF_RECORD# is activated for use.

o When an error condition is raised in writing the SMF record, message ZPCS001I will be issued to the SYSPRINT with an indication as to why the record could not be written.


ZPCS001I SMF rc= +8+H+ +80+C+

Explanation: SMF recording was configured for operation. The requested record(s) may not have been written. The rc= value generally corresponds to the SMFEWTM macro return codes as documented in the z/OS MVS System Management Facilities manual. An rc= value of the form 00000Fxx indicates that an error associated with the supporting SVC for SMF recording has been detected; "xx" is the hexadecimal representation of the SVC number. For example, 00000FF0 corresponds to SVC 240 (x'F0'). The most common cause of this type of failure is an incomplete or incorrect activation of the PKWSVC module for SVC processing.
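The record dump and the ZPCS001I return code above can be checked without dumping the live SMF data sets. The following Python program is an added example, not part of the PKWARE product or this guide: it rebuilds the record from the TRACE_CSERV=1 dump lines shown earlier in this section, decodes the IBM standard SMF record header with subtype (length, record type 250, system id, the unset SMFxSSI field and subtype 1 = START), and interprets a ZPCS001I rc= value, including the 00000Fxx form that names the failing SVC. The subtype names follow the SMF_SUBTYPES values documented in this chapter; the record body beyond the 24-byte header is product-specific (chapter 8) and is not decoded here.

```python
import struct

# Hex dump of the subtype 1 (START) record shown in the TRACE_CSERV=1 output
# earlier in this section; columns are address, record offset, four words of
# hex, and the EBCDIC character pane (ignored by the parser).
SAMPLE_DUMP = """\
20301FFC 000000 00830000 5EFA0000 00000000 0000D7D2 |.c..;.........PK|
2030200C 000010 E6F10000 00000001 D4C1E2F4 F5F9F8C8 |W1......MAS4598H|
2030201C 000020 00C347FA B39E0AFB 40000000 01040001 |.C...... .......|
2030202C 000030 00008000 0000E9C9 D7C9E340 40404040 |......ZIPIT |
2030203C 000040 40404040 4040D1D6 C2F3F5F9 F4F4D4C1 | JOB35944MA|
2030204C 000050 E2404040 4040E2E9 F1F14BF0 C485A540 |S SZ11.0Dev |
2030205C 000060 D3E5D34D F05D4040 C2C1E3C3 C8404040 |LVL(0) BATCH |
2030206C 000070 C1001200 100002D4 C1E24BE3 C5D4D74B |A......MAS.TEMP.|
2030207C 000080 E9C9D700 00000000 00000000 00000000 |ZIP.............|
"""

# Subtype numbers as documented for the SMF_SUBTYPES setting in this chapter.
SUBTYPE_NAMES = {1: "START", 2: "SETTINGS", 3: "FILES", 99: "SUMMARY"}

# Layout of the IBM standard SMF record header with subtype (24 bytes):
#   LEN(2) SEG(2) FLG(1) RTY(1) TME(4) DTE(4) SID(4) SSI(4) STY(2)
HEADER = struct.Struct(">HHBBII4sIH")


def dump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw record from the trace dump; the LEN field in the
    header decides how many of the dumped bytes belong to the record."""
    raw = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        words = line.split("|", 1)[0].split()[2:6]   # the four hex words
        raw.extend(bytes.fromhex("".join(words)))
    if len(raw) < HEADER.size:
        raise ValueError("dump shorter than an SMF header")
    length = struct.unpack(">H", raw[:2])[0]
    if length > len(raw):
        raise ValueError(f"header says {length} bytes, dump has {len(raw)}")
    return bytes(raw[:length])


def parse_smf_header(rec: bytes) -> dict:
    """Decode the standard header; SID is EBCDIC (code page 037)."""
    length, seg, flg, rty, tme, dte, sid, ssi, sty = HEADER.unpack(rec[:HEADER.size])
    return {
        "length": length,
        "segment": seg,
        "flags": flg,
        "record_type": rty,
        "time_hundredths": tme,          # zero in the dumped record
        "date_packed": f"{dte:08X}",     # packed 0cyydddF, zero in the dump
        "system_id": sid.decode("cp037").rstrip(),
        "subsystem_id": ssi,             # SecureZIP leaves SMFxSSI unset (zero)
        "subtype": sty,
        "subtype_name": SUBTYPE_NAMES.get(sty, "unknown"),
    }


def svc_from_smf_rc(rc: int):
    """ZPCS001I rc values of the form 00000Fxx report an SVC problem; xx is the
    SVC number in hex. Returns that number, or None for any other rc."""
    if rc >> 8 == 0x0F:
        return rc & 0xFF
    return None


def explain_smf_rc(rc_hex: str) -> str:
    """Interpret the rc= value printed in ZPCS001I."""
    rc = int(rc_hex, 16)
    if rc == 0:
        return "record written"
    svc = svc_from_smf_rc(rc)
    if svc is not None:
        return f"SVC error: check that PKWSVC is installed and active as SVC {svc}"
    return f"SMFEWTM return code {rc:08X}; see the SMFEWTM return code list"


if __name__ == "__main__":
    record = dump_to_bytes(SAMPLE_DUMP)
    for key, value in parse_smf_header(record).items():
        print(f"{key:16} {value}")
    print(explain_smf_rc("00000FF0"))
```

Reading the decoded header against the trace: LEN is X'0083' (131 bytes, matching LENGTH=000083), RTY is X'FA' (record type 250, matching ZPCM082I), SSI is zero as stated under "Select a Unique SMF Record Type", and STY is 1, the START record that SMF_SUBTYPES='START,SUMMARY' requests first.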

2. Using the instructions in the SecureZIP System Administrator’s Guide, in the section entitled “Tailoring Site-specific Changes to the Defaults Module,” make a backup copy of the ACZDFLT source module used in the installation process, add the lines SVC=, SMF_RECORD#= and SMF_SUBTYPES= to match the desired parameters, and re-assemble the defaults module.

o Optionally, these parameters may be specified on the MCZLOCKS macro in the defaults module to ensure that users do not attempt to override the specifications.

o Ensure that all copies of the defaults modules are distributed to all live run-time libraries, including those included in LNKLST, if any.

4. Execute a test job without the –SVC or -SMF_RECORD# commands to verify operation. (Ref. ZPCM082I above)

Default Module Settings Affecting SMF Recording

SMF_RECORD#

Synonyms Include: none

SecureZIP only

SMF_RECORD#=nnn

This defaults module setting specifies the SMF record type value that SecureZIP should use when SMF recording is activated. The value specified should be coordinated with the use of other SMF records in an installation to prevent record type overlap between products or systems.

The value corresponds to the SMFxRTY field as described in the SMF Standard Header in the IBM z/OS MVS System Management Facility manual.

The use of this setting, along with SVC=, activates SMF recording in SecureZIP for z/OS.


SMF_SUBTYPES

Synonyms Include: none

SecureZIP only

SMF_SUBTYPES= 'START,SETTINGS,FILES,SUMMARY'

This defaults module setting indicates the level of recording that should be attempted by SecureZIP when SMF recording is activated.

START – Create a subtype 1 record for the beginning of the SecureZIP session.

SETTINGS – Create a subtype 2 record following the START record to describe critical process settings to be used for the session.

FILES – Create a subtype 3 record for each file that is processed for ADD, FRESHEN, UPDATE, or EXTRACT processing.

SUMMARY – Create a subtype 99 record for the end of the SecureZIP session to track final status information (e.g. final return code).

The values START and SUMMARY are the distributed default values. The use of this combination will result in two records for each session of SecureZIP.

Detail record information may be found in the SMF Record Formats chapter.

Usage notes

The use of FILES may result in a high volume of SMF records being written unless it is controlled through filtering techniques.

See “Record Filtering” in the section “Enable SMF Recording,” above, for information on record volumes.

SVC

Synonyms Include: none

SecureZIP only

SVC=nnn

This defaults module setting specifies the SVC number that was used to install PKWSVC. (See Install and Activate the PKWSVC module topic for more information). This SVC is used to perform the SMF record write requests.

The use of this setting, along with SMF_RECORD#, activates SMF recording in SecureZIP for z/OS.


Usage notes

In order to avoid unnecessary processing overhead in SecureZIP operations, it is preferable that this setting not be used until the PKWSVC module has been properly activated in the system.


3 Security Administration Overview

SecureZIP only

This chapter discusses how to utilize SecureZIP for z/OS to secure your data. Elements that are required to make a SecureZIP for z/OS archive are discussed in detail. These elements, when selectively used, combine to create a SecureZIP for z/OS archive or allow the extraction of a file or files from a SecureZIP for z/OS archive.

A series of ISPF panels assists you in building and maintaining the SecureZIP for z/OS Certificate Store, where digital certificates used by SecureZIP for z/OS are kept. These panels are not part of the separately licensed feature “ISPF”. They are standard with SecureZIP for z/OS. The ISPF screens and SecureZIP for z/OS commands used to work with them are shown in this chapter, along with notes and comments.

Beginning with SecureZIP for z/OS 11.0, digital certificates can be used from the system Security Server (for example, RACF). The present chapter applies for the initialization of the SecureZIP key store index components and for defining policy controls for the use of all certificates. Administration of Security Server certificates is covered in the SecureZIP for z/OS Security Administrator’s Guide.

Accessing Certificates

SecureZIP for z/OS provides access to certificates held within the z/OS Security Server, local data sets, and VSAM index paths when control card requests are present.

In addition, RECIPIENT(LDAP:...) requests are resolved through configured network definitions.

Public Key Certificate

Certificate-based encryption allows the exchange of encrypted data without the exposure of also exchanging or retaining a password. This form of encryption uses a public-key digital certificate when creating the encrypted data; the recipient then uses the corresponding private-key certificate to decrypt it. Digital certificates may be identified and selected by naming information, such as “Common Name,” or email address.

When encrypting data for specified public-key recipients, SecureZIP for z/OS uses digital certificates in a process called digital enveloping. See the Secure .ZIP Envelopes whitepaper at the PKWARE Web site.

A public-key certificate consists of the public portion of an asymmetric cryptographic key (the "public key"), together with identity information, such as a person's name, all signed by a certificate authority (CA). The CA essentially guarantees that the public key belongs to the named entity.

Private Key Certificates

To UNZIP a file that has been encrypted with a public-key certificate, the receiver must supply a matching private-key certificate. This is done by including RECIPIENT commands that specify the location of the private-key certificate along with its associated access password. Note this password is not a password used to encrypt a file, but rather a password that is used to access the private-key certificate.

RECIPIENT commands may be included in the command input stream directly or be included through the INCLUDE CMD command. A Private-Cert profile designates a saved repository of the private-key certificates. The RECIPIENT commands are automatically included when SecureZIP for z/OS dialogs prepare batch JCL or UNZIP call streams and File Decryption is requested.

Certificate Authority and Root Certificates

End entity certificates and their related keys are used for signing and authentication. They are created at the end of the hierarchy of certificate authorities. Each certificate is signed by its CA issuer and is identified in the “Issued By” field in the end certificate. In turn, a CA certificate can also be issued by a higher level CA. Such certificates are known as intermediate CA certificates. At the top of the issuing chain is a self-signed certificate known as the root.

SecureZIP uses the certificates for signing and authentication operations. SecureZIP for z/OS makes use of these certificates in PKCS#7 format. The intermediate CA certificates are maintained independently from the ROOT certificates.

Configuration Profile

A configuration profile is a collection of SecureZIP for z/OS commands that describe the necessary environment. At execution time this profile is read to locate the appropriate stores and index. SecureZIP for z/OS provides various means by which the configuration information can be supplied. Contact your technical support staff for instructions regarding access to the configuration.

Contents of the Configuration Profile

Execution configuration values may be supplied in any of the following ways. It is highly recommended that the command sources be coordinated in logical groups (Local Cert Store settings, or LDAP settings) so that overrides are not overly complex.


Direct commands in the SYSIN stream

When accepted, these commands take precedence over other sources.

INCLUDE_CMD indirect reading of profile commands

This is the method employed when you specify a file location through the SecureZIP Active DB Profile: field. When accepted, these commands take precedence over profiles read by the Defaults module, but may be overridden by SYSIN commands.

Defaults module indirect reading of profile commands

This is the method employed when you specify UNDEFINED in the SecureZIP Active DB Profile: field.

Data Base (DB) Profile (Local Certificate Store)

During SecureZIP for z/OS processing that requires encryption intended for a RECIPIENT, associated public-key certificate(s) must be located. One way of designating which public-key recipients to include is through the DB: form of the RECIPIENT command. This allows for recipient selection based on name or email address through a configured database of certificates on the system that is executing SecureZIP for z/OS.

Your technical support staff is responsible for configuring the local certificate store and should provide you with information on which profile dataset, typically a member of a partitioned data set, to use. Below is a sample of the contents of the data base profile.

* ------------------------------------------------- *
* Local zSeries development certificate store       *
* ------------------------------------------------- *
-{CSPUB=4;1;SECZIP.CERTSTOR.PUBLIC}
-{CSPRVT=4;1;SECZIP.CERTSTOR.PRIVATE}
-{CSCA=1;1;SECZIP.CERTSTOR.PUBLIC(CAP7)}
-{CSROOT=1;1;SECZIP.CERTSTOR.PUBLIC(ROOTP7)}
-{CSPUB_DBX=SECZIP.CERTSTOR.PUBLIC.DBX}
-{CSPUB_DBX_PATH_CN=SECZIP.CERTSTOR.PATHCN}
-{CSPUB_DBX_PATH_EM=SECZIP.CERTSTOR.PATHEM}
-{CSPUB_DBX_PATH_PUBKEY=SECZIP.CERTSTOR.PATHPUBK}

LDAP Profile (Networked Certificate Store)

During SecureZIP for z/OS processing that requires encryption intended for a RECIPIENT, the associated public-key certificate(s) must be located.

One way of designating which public-key recipients to include is through the LDAP interface to a directory server: form of the RECIPIENT command. This allows for recipient selection based on name, email address or other installation-configured LDAP fields. One or more LDAP compliant servers may be configured for searching.

The technical support staff responsible for configuring the LDAP compliant directory that stores certificates will provide you with information of which profile dataset, which is typically a member of a Partitioned Data Set, to use. Below is a sample of the contents of the file.

* ------------------------------------------------- *
* zSeries LDAP access                               *
* ------------------------------------------------- *
* ---
* Primary LDAP
* ---
-{LDAP=1;192.168.9.12;389;0;0;;;*EMAIL;| o=pkware,c=US,cn=user,dc=cosmos,dc=securezip,dc=com}
* ---

Recipient Searches

When RECIPIENT requests are made for either the local certificate store (DB:), an LDAP store (LDAP:), or both, (SYSTEM:), a set of search criteria are provided. The search criteria of Email address (EM= or mail=) and Common Name (CN=) are accepted by both the DB: and LDAP: service providers.

When multiple RECIPIENT requests are made, it is possible that two or more search criteria may resolve to the same recipient certificate. For example, if both EM= and CN= are used in different RECIPIENT (or MASTER_RECIPIENT) requests, then the same public key certificate may be found. The first entry found will be used, and any duplicate copies of the same certificate will be ignored, resulting in only one representation of that certificate.

A search for an individual by name or e-mail address may result in multiple digital certificates being located, whether from the same certificate store source or not. This means that more than one representation of an individual can be included in the run.

LDAP searching can be accomplished with direct RECIPIENT requests via RECIPIENT(LDAP:search_criteria) or implicitly with RECIPIENT(*system:search_criteria). In both cases, the Certificate Store Configuration settings define the order in which the LDAP servers are to be searched. However, in the case of using "*system", local certificate stores are searched prior to any of the configured LDAPs.

When multiple stores are to be searched (*system: or LDAP:), all RECIPIENT requests are searched in one store before the next store is referenced. If a RECIPIENT request has one or more entries found in one Store, then subsequent stores are not searched for that request. This means that it is possible for generic LDAP search criteria to bypass entries defined in subsequent LDAP servers. RECIPIENT requests that were not satisfied at all by the higher-level Store search will continue to be searched for.

Example: Search LDAPs for RECIPIENT matches

    LDAP #1    0 entries    0 matches
    LDAP #2    3 entries    3 matches

  Add entry: LDAP #1 has an entry added matching the RECIPIENT

    LDAP #1    1 entry      1 match
    LDAP #2    3 entries    0 matches


Local Certificate Stores

Access x.509 Public and Private Key Certificates

SecureZIP for z/OS introduces a new subtask, CSERV, that utilizes RSA’s BSAFE Cert-C Toolkit to access X.509 Public and Private key certificates. The access to the various certificate stores by this task is governed by various forms of the RECIPIENT, SIGN_ARCHIVE, SIGN_FILES and AUTHCHK commands, as well as by a suite of configuration commands.

The configuration commands are read either through SYSIN, INCLUDE_CMD(parmlib) or SECUREZIP_CONFIG specifications.

The syntax of the commands is -{ ... }. The semi-colon (;) is used as a parameter delimiter.

-{CSPUB=type;Seq;string PUB}
-{CSPRVT=type;Seq;string Prvt}
-{CSCA=type;Seq;string CA}
-{CSROOT=type;Seq;string Root}
-{CSPUB_DBX=vsam_cluster_base_index}
-{CSPUB_DBX_PATH_CN=vsam_path_through_AIX_for_Common_Name}
-{CSPUB_DBX_PATH_EM=vsam_path_through_AIX_for_Email_address}
-{CSPUB_DBX_PATH_PUBKEY=vsam_path_through_AIX_for_PublicKey}
-{AUTHENTICATE=TRUSTED,EXPIRED,REVOKED,TAMPERCHECK}
-{VALSIGN=TRUSTED,EXPIRED,NOTREVOKED}
-{VALENCRYPT=TRUSTED,EXPIRED,NOTREVOKED}
-{RESET}

Where:

  type   0 = *PATH, 1 = FILE, 2 = *DB, 3 = *LDAP, 4 = *PDS
  Seq    0 through 9 (Cert Store search order)
  LDAP   a timeout of 0 results in system settings;
         a user of NULL or ";;" will use "anonymous" login

Certificate Store References -{CSxxx}

If not supplied through configuration changes, the defaults are:

{CSPUB=1;9;DUMMY}
{CSPRVT=1;9;DUMMY}
{CSCA=1;9;DUMMY}
{CSROOT=1;9;DUMMY}
{CSPUB_DBX=DUMMY}
{CSPUB_DBX_PATH_CN=DUMMY}
{CSPUB_DBX_PATH_EM=DUMMY}
{CSPUB_DBX_PATH_PUBKEY=DUMMY}
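The -{...} profile syntax and the store search order described under Recipient Searches, as an added Python example (not PKWARE code): it parses the commands of a constructed profile, orders the stores by type and Seq, and replays the LDAP #1/LDAP #2 search example. The host names, store contents and CN/EM values are constructed, and only the Seq, host and port fields of the LDAP command are modelled.

```python
"""Added example, not PKWARE code: parses the -{...} profile commands described
above and replays the store search order from "Recipient Searches". The profile
text, host names, store contents and the CN/EM values are all constructed."""
import re
from dataclasses import dataclass, field

CMD_RE = re.compile(r"-\{([A-Z_]+)=([^}]*)\}")   # -{NAME=field;field;...}

def parse_profile(text):
    """Return [(name, [fields])] for each -{NAME=a;b;c} command in the text.
    Lines beginning with '*' are comments, as in the sample profiles above."""
    cmds = []
    for line in text.splitlines():
        if line.lstrip().startswith("*"):
            continue
        for name, value in CMD_RE.findall(line):
            cmds.append((name, [f.strip() for f in value.split(";")]))
    return cmds

@dataclass
class Store:
    name: str
    local: bool                 # True: local DB store (CSPUB); False: LDAP server
    seq: int                    # Seq field: certificate store search order
    certs: list = field(default_factory=list)   # {"id", "CN", "EM"} records

def stores_from_profile(cmds):
    """Build stores from CSPUB (type;Seq;dsn) and LDAP (Seq;host;port;...) commands."""
    stores = []
    for name, f in cmds:
        if name == "CSPUB":
            stores.append(Store("DB " + f[2], True, int(f[1])))
        elif name == "LDAP":    # only Seq, host and port are modelled here
            stores.append(Store("LDAP " + f[1] + ":" + f[2], False, int(f[0])))
    return stores

def search_order(stores, scope):
    """LDAP: searches the LDAP servers by Seq; *SYSTEM: searches the local
    stores first, then the LDAP servers; DB: searches local stores only."""
    local = sorted((s for s in stores if s.local), key=lambda s: s.seq)
    ldap = sorted((s for s in stores if not s.local), key=lambda s: s.seq)
    return {"DB:": local, "LDAP:": ldap, "*SYSTEM:": local + ldap}[scope.upper()]

def matches(cert, criteria):
    """EM= (or mail=) and CN= are the criteria both DB: and LDAP: accept."""
    key, _, value = criteria.partition("=")
    key, value = key.strip().upper(), value.strip()
    if key in ("EM", "MAIL"):
        return cert["EM"].lower() == value.lower()
    if key == "CN":
        return cert["CN"] == value
    raise ValueError("unsupported search criterion: " + criteria)

def resolve_recipients(stores, scope, requests):
    """All requests are searched in one store before the next store is used; a
    request that found entries in a store is not searched in later stores.
    Duplicate copies of a certificate are ignored: the first one found is used.
    Returns (selected certs, hits per store, requests satisfied nowhere)."""
    pending, selected, seen, hits = list(requests), [], set(), {}
    for store in search_order(stores, scope):
        hits[store.name] = 0
        still_pending = []
        for req in pending:
            found = [c for c in store.certs if matches(c, req)]
            if not found:
                still_pending.append(req)
                continue
            hits[store.name] += len(found)
            for c in found:
                if c["id"] not in seen:
                    seen.add(c["id"])
                    selected.append(c)
        pending = still_pending
    return selected, hits, pending

PROFILE = """\
* --- constructed profile for this example ---
-{CSPUB=4;1;SECZIP.CERTSTOR.PUBLIC}
-{LDAP=1;ldap1.example;389;0;0;;;*EMAIL;| o=example,c=US}
-{LDAP=2;ldap2.example;389;0;0;;;*EMAIL;| o=example,c=US}
"""

def ldap_example():
    """Replays the 'Search LDAPs for RECIPIENT matches' example above: LDAP #2
    holds three entries for the CN; then an entry is added to LDAP #1."""
    stores = stores_from_profile(parse_profile(PROFILE))
    ldap1, ldap2 = search_order(stores, "LDAP:")
    joe = lambda n: {"id": f"joe-{n}", "CN": "Joe Smith", "EM": "[email protected]"}
    ldap2.certs = [joe(1), joe(2), joe(3)]
    before = resolve_recipients(stores, "LDAP:", ["CN=Joe Smith"])[1]
    ldap1.certs.append(joe(4))       # LDAP #1 now has a matching entry
    after = resolve_recipients(stores, "LDAP:", ["CN=Joe Smith"])[1]
    return before, after

if __name__ == "__main__":
    print(ldap_example())
```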

The local zSeries certificate store for public key certificates (configuration settings for {CSPUB_...}) can be built as a PDS[E] indexing scheme for common name and email address searches. This is accomplished through a VSAM base cluster and a set of alternate index paths to access the appropriate field types.

The PDS[E] and the VSAM suite are managed as a unit and should not be manipulated independently from the supplied SecureZIP utilities. When no Public Key Store (CSPUB=) PDS[E] is specified, then the indexing (CSPUB_DBX...) files are not accessed.

The CSCA (Certificate Authority) and CSROOT (Trusted Root Certificate Authority) certificates are maintained in respective sequential files in X.509 PKCS#7 format.

Overrides to {CSxxx…} or {LDAP…} configuration commands can be done through input command streams or included members. However, care must be taken to coordinate overrides so that intermixed PATHS do not result in different databases or indexes being used when resolving the various search criteria.

Authentication and Certificate Validation Policies

Certificate validation may be done when activities in the following functional areas are performed:

Recipient based encryption

Archive or file signing

Authentication of digital signatures for files and/or archive directory

Validation policies are passed to SECZIP and SECUNZIP to govern various aspects of certificate validation at execution time. The policies are defined in configuration profile settings, and may also be included as override commands for individual executions of SECZIP and SECUNZIP.

The policy command settings are coded in the same format as other certificate store profile commands, with the syntax -{...}.

Each functional area supports a single policy statement with its associated settings. The CERTSTORE Policy Setup panel generates a policy statement for each functional area for use in the certificate store profile.

-{AUTHENTICATE=...}

-{VALENCRYPT=...}

-{VALSIGN=...}

When SAF (System Access Facility security server) based certificates are used with the certificate store type specification of SAF: in the recipient, signing, and authentication commands, an additional policy setting is used:

-{SAFSET=…}

{AUTHENTICATE} Policy

The {AUTHENTICATE} setting can be used within an include member that contains configuration commands, or within the standard command stream. It defines the level of processing that AUTHCHK commands will perform. The last AUTHENTICATE command found in the input stream will be used for processing and fully defines the signature authentication elements to be verified. The default settings may be changed by the SecureZIP administrator at any time. However, if this command is not supplied, all supported elements default to being checked. Elements include:

[NO]TAMPERCHECK – The signature associated with the archive or file(s) involved will be used to verify that the content has not been altered since the archive was built.

[NOT]EXPIRED – The digital certificates used to originally perform the signing operation contain internal date ranges of validity. The AUTHCHK operation will fail if any of the certificates in the trust chain are not found to be within their stated date range. Note that an end-certificate may have expired at the time that the archive is being accessed, and NOTEXPIRED may be used to continue processing.

[NOT]REVOKED – A certificate owner may request that the issuing certificate authority declare a certificate to be revoked and thereby no longer consider that certificate to be valid. The AUTHCHK operation will fail if any of the certificates in the trust chain are found to have been revoked or if the revocation status could not be determined.

[NOT]TRUSTED – Each end-certificate used in the signature must be traced back to a trusted root certificate. The CSCA and CSROOT stores on the local system performing the authentication check will be accessed to determine if the entire certificate chain can be trusted. Although the Root (“self-signed”) certificate may be included within the archive, it MUST also exist in the CSROOT store to complete the TRUSTED state.

{VALSIGN} Policy

The {VALSIGN} setting can be used within an include member that contains configuration commands, or within the standard command stream. It defines the level of processing that SIGN_FILES and SIGN_ARCHIVE commands will perform during SECZIP execution. The last VALSIGN command found in the input stream will be used for processing and fully defines the signing certificate elements to be verified. The default settings may be changed by the SecureZIP administrator at any time. However, if this command is not supplied, all supported elements default to being checked. Elements include:

[NOT]EXPIRED – The digital certificates used to originally perform the signing operation contain internal date ranges of validity. The AUTHCHK operation will fail if any of the certificates in the trust chain are not found to be within their stated date range. Note that an end-certificate may have expired at the time that the archive is being accessed, and NOTEXPIRED may be used to continue processing.

[NOT]REVOKED – A certificate owner may request that the issuing certificate authority declare a certificate to be revoked and thereby no longer consider that certificate to be valid. The AUTHCHK operation will fail if any of the certificates in the trust chain are found to have been revoked or if the revocation status could not be determined.

[NOT]TRUSTED – Each end-certificate used in the signature must be traced back to a trusted root certificate. The CSCA and CSROOT stores on the local system performing the authentication check will be accessed to determine if the entire certificate chain can be trusted. Although the Root (“self-signed”) certificate may be included within the archive, it MUST also exist in the CSROOT store to complete the TRUSTED state.

{VALENCRYPT} Policy

The {VALENCRYPT} setting can be used within an include member that contains configuration commands, or within the standard command stream. It defines the level of processing that RECIPIENT-based encryption requests will perform during SECZIP execution. The last VALENCRYPT command found in the input stream will be used for processing and fully defines the signing certificate elements to be verified. The default settings may be changed by the SecureZIP administrator at any time. However, if this command is not supplied, all supported elements default to being checked. Elements include:

[NOT]EXPIRED – The digital certificates used to originally perform the signing operation contain internal date ranges of validity. The AUTHCHK operation will fail if any of the certificates in the trust chain are not found to be within their stated date range. Note that an end-certificate may have expired at the time that the archive is being accessed, and NOTEXPIRED may be used to continue processing.

[NOT]REVOKED – A certificate owner may request that the issuing certificate authority declare a certificate to be revoked and thereby no longer consider that certificate to be valid. The AUTHCHK operation will fail if any of the certificates in the trust chain are found to have been revoked or if the revocation status could not be determined.

[NOT]TRUSTED – Each end-certificate used in the signature must be traced back to a trusted root certificate. The CSCA and CSROOT stores on the local system performing the authentication check will be accessed to determine if the entire certificate chain can be trusted. Although the Root (“self-signed”) certificate may be included within the archive, it MUST also exist in the CSROOT store to complete the TRUSTED state.

Be aware there are some conditions under which a certificate validation will fail because superfluous certificates are selected during a DB: search request. By marking a certificate entry in the local certificate store as "Suspended", DB: search requests will filter out the suspended entry from the request.

For example, assume the following:

A recipient command has been used with "DB:CN=Joe Smith,R", thereby requiring the certificate to be available for use for ZIP encryption.

VALENCRYPT=EXPIRED is active

The original certificate for Joe Smith is about to expire, and a new certificate for the same common name is acquired and installed to the certificate store

The older certificate may remain in the certificate store to resolve references to that recipient when viewing older archives. However, the sample DB: search request will return both certificates in the search for new encryption requests. Since the request is marked as “Required,” the older certificate will fail the validation and the ZIP encryption will fail.

By marking the older certificate as “Suspended” when the newer certificate is installed, subsequent DB: requests will only return the currently active certificate. The older one will still be available for VIEW processing of older archives that used it as a recipient.
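The Joe Smith scenario above, as an added Python example (not PKWARE code): a {VALENCRYPT} policy parser, the validation check it drives, and a DB: search that honours the "Suspended" marker, run once with the older certificate active and once with it suspended. The certificates, their dates and the store contents are constructed; policy elements not named in a command are assumed to keep their checked default.

```python
"""Added example, not PKWARE code: models the {VALENCRYPT} policy check and the
"Suspended" store entry behaviour from the Joe Smith scenario above. The
certificates, their dates and the store contents are constructed; elements not
named in a policy command are assumed to keep their checked default."""
from datetime import date

VALIDATION = ("TRUSTED", "EXPIRED", "REVOKED")        # VALSIGN / VALENCRYPT elements
AUTHENTICATION = VALIDATION + ("TAMPERCHECK",)        # AUTHENTICATE adds TAMPERCHECK

def parse_policy(value, elements=VALIDATION):
    """Return the set of elements to check from the value of a policy command,
    e.g. 'TRUSTED,EXPIRED,NOTREVOKED'. All elements are checked by default;
    NOTxxx (or NOTAMPERCHECK) switches an element off."""
    enabled = set(elements)
    for tok in value.upper().split(","):
        tok = tok.strip()
        if not tok:
            continue
        negate = False
        for prefix in ("NOT", "NO"):
            if tok.startswith(prefix) and tok[len(prefix):] in elements:
                negate, tok = True, tok[len(prefix):]
                break
        if tok not in elements:
            raise ValueError("unknown policy element: " + tok)
        if negate:
            enabled.discard(tok)
        else:
            enabled.add(tok)
    return enabled

def validate(cert, policy, today):
    """Return the policy elements a certificate fails (empty list = valid)."""
    failures = []
    if "EXPIRED" in policy and not (cert["not_before"] <= today <= cert["not_after"]):
        failures.append("EXPIRED")
    # revoked, or revocation status not determinable (None), both fail the check
    if "REVOKED" in policy and cert["revoked"] is not False:
        failures.append("REVOKED")
    if "TRUSTED" in policy and not cert["trusted"]:
        failures.append("TRUSTED")
    return failures

def db_search(store, cn):
    """DB: search by common name; entries marked Suspended are filtered out."""
    return [c for c in store if c["CN"] == cn and not c.get("suspended")]

def recipient_for_encryption(store, request, policy, today):
    """request is 'DB:CN=name' or 'DB:CN=name,R' (R = Required).
    Returns (ok, usable ids, {failed id: failures}). With R, any failing
    candidate fails the request; otherwise one usable certificate suffices."""
    if not request.upper().startswith("DB:CN="):
        raise ValueError("only DB:CN= requests are modelled: " + request)
    cn, _, flag = request[len("DB:CN="):].partition(",")
    required = flag.strip().upper() == "R"
    usable, failed = [], {}
    for cert in db_search(store, cn.strip()):
        problems = validate(cert, policy, today)
        if problems:
            failed[cert["id"]] = problems
        else:
            usable.append(cert["id"])
    ok = bool(usable) and not (required and failed)
    return ok, usable, failed

def joe_smith_example(suspend_old):
    """Two certificates for CN=Joe Smith are in the store; the older one has
    passed its validity end date by the (constructed) run date."""
    today = date(2009, 6, 15)
    old = {"id": "joe-2007", "CN": "Joe Smith", "not_before": date(2007, 6, 1),
           "not_after": date(2009, 5, 31), "revoked": False, "trusted": True,
           "suspended": suspend_old}
    new = {"id": "joe-2009", "CN": "Joe Smith", "not_before": date(2009, 5, 1),
           "not_after": date(2011, 4, 30), "revoked": False, "trusted": True}
    policy = parse_policy("EXPIRED")        # -{VALENCRYPT=EXPIRED} is active
    return recipient_for_encryption([old, new], "DB:CN=Joe Smith,R", policy, today)

if __name__ == "__main__":
    print(joe_smith_example(suspend_old=False))   # encryption request fails
    print(joe_smith_example(suspend_old=True))    # only the current cert is returned
```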

{SAFSET} Policy

The {SAFSET} settings govern how certificates obtained from the System Access Facility Security Server should be treated.

First, the Security Server may introduce its own designation of TRUST. So an installation may choose to adopt that indication without performing the trust chain processing normally performed for non-SAF certificates.


Secondly, the Security Server provides its own repository support for holding Certificate Authority (and Trusted Root CA) certificates. -{SAFSET=NO*AUTH*|*AUTH*} specifies whether SecureZIP should perform SAF requests to load TRUSTED CA certificates from that store location in addition to those loaded from the configured SecureZIP Certificate Store. An installation may administer the certificates into whichever store suits its certificate processing needs.

Table: -{SAFSET} Controls

SAFSET= Setting: NO*AUTH*,TRUSTSAF
  Description: Do not access the Security Server Certificate Authority pool. Adopt the TRUST status returned by the Security Server without processing the CA chain.
  Notes: Default value used when a -RECIPIENT(SAF:…) command is encountered. When SAF trust is adopted for recipients, there is no need to search the CERTAUTH trust chain.

SAFSET= Setting: *AUTH*,TRUSTSAF
  Description: Access the Security Server Certificate Authority pool when required for CA chain processing. Adopt the TRUST status returned by the Security Server without processing the CA chain.
  Notes: Default value used when a -SIGN_ARCHIVE, -SIGN_FILES or AUTHCHK “SAF…” command is encountered. The Security Server CERTAUTH certificate pool will be used to resolve and include the CA chain. Note: During signing operations, the CA chain is included in the ZIP archive for ease of trust chain analysis on the receiving system.

SAFSET= Setting: *AUTH*,NOTTRUSTED
  Description: Access the Security Server Certificate Authority pool when required for CA chain processing. Do not adopt the TRUST status returned by the Security Server. Rather, perform the TRUST chain analysis in accordance with the affiliated policy setting.
  Notes: This combination may be of use when signature/authentication operations are to be performed and SecureZIP TRUST chain policy is desired, including CA certificates from the Security Server CERTAUTH pool.

SAFSET= Setting: NO*AUTH*,NOTTRUSTED
  Description: Do not access the Security Server Certificate Authority pool. Do not adopt the TRUST status returned by the Security Server. Rather, perform the TRUST chain analysis in accordance with the affiliated policy setting.
  Notes: This combination may be of use when SecureZIP TRUST chain policy is desired, and the CA certificates are held in the configured SecureZIP Certificate Store instead of in the Security Server.

SAFSET Processing Notes

The use of a -{SAFSET=…} command overrides any default SAFSET settings.

The placement of -{SAFSET=…} within the command stream is independent of the functional commands (for example, -RECIPIENT).

The final -{SAFSET=…} command encountered in the command processing stream takes effect.

Any specification of the -{SAFSET=…} command resets both the *AUTH* and TRUST sub-parameters. That is, previous sub-parameter values are not retained.

If the -{SAFSET=…} command is provided without a sub-parameter, the default values are NO*AUTH* and NOTTRUSTED.

If no -{SAFSET=…} command is provided, and combinations of functions (for example, RECIPIENT and SIGN_FILES) are used, the default SAFSET for SIGN_ARCHIVE, SIGN_FILES, and AUTHCHK all override the default for RECIPIENT. That is, *AUTH*,TRUSTSAF is used as the default for all processing.

For signing and authentication processes, -{SAFSET=*AUTH*…} may be used to resolve certificate authority certificates from the Security Server CERTAUTH pool even if SAF: designations are not used in the signing and AUTHCHK commands.
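The SAFSET processing notes above applied to a command stream, as an added Python example (not PKWARE code). The command lines are constructed; it assumes that a functional command referencing Security Server certificates is written -NAME(SAF:...) or -NAME=SAF:..., and that when a SAFSET names only one sub-parameter the other takes the no-sub-parameter default.

```python
"""Added example, not PKWARE code: derives the effective SAFSET sub-parameters
from a command stream by applying the SAFSET processing notes above. The
command lines are constructed. Assumptions: a functional command referencing
Security Server certificates is written -NAME(SAF:...) or -NAME=SAF:..., and
when a SAFSET names only one sub-parameter the other takes the
no-sub-parameter default (NO*AUTH* / NOTTRUSTED)."""
import re

SAFSET_RE = re.compile(r"-\{SAFSET(?:=([^}]*))?\}", re.IGNORECASE)
SAF_FUNC_RE = re.compile(
    r"-?(RECIPIENT|SIGN_ARCHIVE|SIGN_FILES|AUTHCHK)\s*[(=]\s*SAF:", re.IGNORECASE)
AUTH_VALUES = ("*AUTH*", "NO*AUTH*")
TRUST_VALUES = ("TRUSTSAF", "NOTTRUSTED")

def parse_safset(value):
    """A coded SAFSET resets both sub-parameters; values not named default to
    NO*AUTH* and NOTTRUSTED (the documented bare -{SAFSET} defaults)."""
    auth, trust = "NO*AUTH*", "NOTTRUSTED"
    for tok in (value or "").upper().split(","):
        tok = tok.strip()
        if tok in AUTH_VALUES:
            auth = tok
        elif tok in TRUST_VALUES:
            trust = tok
        elif tok:
            raise ValueError("unknown SAFSET sub-parameter: " + tok)
    return auth, trust

def default_safset(commands):
    """Defaults when no SAFSET is coded: RECIPIENT(SAF:) alone gives
    NO*AUTH*,TRUSTSAF; any SIGN_ARCHIVE, SIGN_FILES or AUTHCHK use of SAF:
    gives *AUTH*,TRUSTSAF and overrides the RECIPIENT default. Returns None
    when no command references SAF: certificates (SAFSET is not consulted)."""
    funcs = set()
    for cmd in commands:
        m = SAF_FUNC_RE.search(cmd)
        if m:
            funcs.add(m.group(1).upper())
    if not funcs:
        return None
    if funcs - {"RECIPIENT"}:
        return ("*AUTH*", "TRUSTSAF")
    return ("NO*AUTH*", "TRUSTSAF")

def effective_safset(commands):
    """The final -{SAFSET=...} in the stream takes effect wherever it appears
    relative to the functional commands; without one, the defaults apply."""
    found, value = False, None
    for cmd in commands:
        m = SAFSET_RE.search(cmd)
        if m:
            found, value = True, m.group(1)   # group is None for a bare -{SAFSET}
    return parse_safset(value) if found else default_safset(commands)

if __name__ == "__main__":
    stream = ["-{SAFSET=*AUTH*,NOTTRUSTED}", "-SIGN_FILES(SAF:CN=Signer)", "-{SAFSET}"]
    print(effective_safset(stream))          # ('NO*AUTH*', 'NOTTRUSTED')
```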

Other Profile Commands

{RESET} Clearing the Active Configuration

The {RESET} command can be used at the beginning of an include member that contains configuration commands, or within the standard command stream to “clear” all existing {CSxxx…} and {LDAP…} configuration commands that may have been previously loaded. This will help avoid mixed entries if an incomplete set of overrides is present. Remember that the defaults module may include settings for the configuration commands even if commands are not explicitly coded at run-time. The default settings may be changed by the SecureZIP administrator at any time.

Execution Time

SecureZIP for z/OS is commonly run as a batch job step utility to place one or more files into a SecureZIP container (archive) prior to subsequent processing (such as transporting to an off-board system). Processing considerations when utilizing Recipient-based Encryption include:

Using INCLUDE_CMD to reference the Local Certificate Store configuration control records (created by the initial setup in Certificate Store Administration) in the SYSIN command stream

Using the RECIPIENT command to trigger certificate-based encryption. (Optionally, the RECIPIENT command used for extraction (decryption) may be referenced via INCLUDE_CMD to protect the password information contained within it).

Having dataset-level READ authority (via RACF or equivalent product) to the private-key certificate and referenced command files necessary to access the certificate

Performing JCL return code checking within the job stream after the SECZIP program has completed to test the success of Encryption/Decryption processing

Security Considerations

To ensure the continued integrity of private-key certificates within an organization, special attention should be paid to protecting access to them.

The X.509 PKCS#12 certificate format supported by SecureZIP has an inherent security mechanism designed to protect the private keys within the transportable certificate by way of an access password. This means that without the appropriate password, the private keys cannot be accessed from the private-key PKCS#12 digital certificate (on any system or location).

RACF READ authority (or equivalent) must be granted to the job accessing the certificate store, the X.509 certificate file and the referenced input stream containing the command having the certificate request (and password for a private-key certificate).

To perform a decryption operation, SecureZIP for z/OS requires read access to the PKCS#12 private-key certificate (file or PDS member), as well as a command (RECIPIENT) containing the corresponding password. Similarly, the signing and authentication commands (SIGN_ARCHIVE, SIGN_FILES and AUTHCHK) may reference private keys. The following should be considered when using SecureZIP to access private keys:

Password information will be masked out in SecureZIP SYSPRINT output.

If jobstream inputs can be viewed by operational staff members, then an indirect reference to the command(s) containing the password should be considered.

Read protection of command files containing passwords

Read protection of PKCS#12 certificate files

Optionally use ECHO=N within the command sequence to eliminate the command from showing in the SYSPRINT output.

SecureZIP administrative certificate files are located within the INSTLIB2 dataset and must be available for some administrative functions. Read access should be provided to the SecureZIP administrator for this library as the create and verification processes will fail if the library is not accessible.

Passphrase Registration

SecureZIP for z/OS provides a feature that allows an installation to register encryption and decryption passphrase values in ICSF for controlled use in SecureZIP jobs, thereby eliminating the use of exposed passphrase values in the operational environment. Through the use of ICSF APIs, the registration process generates keys from the passphrase provided by the administrator and stores them in the ICSF CKDS (Cryptographic Key Data Set). Each key has a unique CKDS reference label defined for subsequent access by SecureZIP invocations.

As documented in the SecureZIP User’s Guide, new CKDS reference forms of the PASSWORD command are made available so that a SecureZIP job may reference the required keys through a LABEL or TITLE reference assigned during registration, rather than by providing the passphrase value in the clear.

Accessing the Passphrase Registration Dialogs

To administer passphrase registrations, access the SecureZIP Administration panel and select option CKDS as shown below.

PKZADM01                  SecureZIP Administration
Option ===>

  CS    Cert Store      Certificate Store Administration and Configuration
  CU    Crypto Utility  Cryptographic Services Utility
  ICSF  IBM ICSF        Integrated Cryptographic Service Facility Dialog
  CKDS  ICSF CKDS       Passphrase Registration Service
  L     License         Display License Information
  M     Messages        Message ID lookup

Once selected, the passphrase registration dialog will be presented.

PKCS14            SecureZIP ICSF CKDS Passphrase Registration
Option ===>                                                       More: +
----------------------------------------------------------------------------
ICSF Facilities supporting the CKDS must be operationally active
----------------------------------------------------------------------------
Select One of the Following
  1  Register a Passphrase Key in the active CKDS
  2  List Registered Entries
  3  Delete a Key set from the active CKDS
  4  CKDS and SecureZIP Key Store Index Reporting
  Q  Query the ICSF CKDS operational status

Active Store Configuration: 'SECZIP.MVS.PROFILES(member)'
-{CSPUB=4;1;prefix.CERTSTOR.PUBLIC}
-{CSPRVT=4;1;prefix.CERTSTOR.PRIVATE}
-{CSPUB_DBX=prefix.CERTSTOR.DBX}

Detailed information regarding the use of this set of dialogs is covered in the SecureZIP for z/OS Security Administrator’s Guide. See the chapter titled “SAF-protected Passphrase Feature,” section “Registering Passphrases.”


4 Certificate Store Management

SecureZIP only

The ISPF panels in this chapter are used to build and maintain the SecureZIP for z/OS certificate store. These panels are not part of the separately licensed feature “ISPF”. They are standard with SecureZIP for z/OS.

SecureZIP Main Panel—Access to the Certificate Stores

SecureZIP Version 10.0
Option ===>

  C   Config          Modify Run-time Configuration Settings
  ZD  Zip Defaults    Modify Default ZIP Command Settings
  UD  Unzip Defaults  Modify Default UNZIP Command Settings
  U   Unzip           Decompress, Decrypt, Authenticate File(s) in an Archive
  V   View            Display the Contents of a Zip Archive
  Z   Zip             Compress, Encrypt, Sign File(s) into a Zip Archive
  S   Sysprint        Browse Log of Last Foreground Execution
  M   Messages        Message ID lookup
  A   Administration  Administration Services and Reference Information
  W   Wizard List

For HELP Press PF1               Release Date: 09/13/2007  11.47 LVL(Q1)

To access the certificate store administration and configuration, enter “A” in the Option field from the main SecureZIP panel; then enter “CS” from the main SecureZIP Administration panel.

SecureZIP Certificate Store Administration and Configuration

Local certificate store

SecureZIP for z/OS provides access to both public and private key certificates through a set of local files, either PDS or PDSE, and VSAM index paths. The composite of these elements is known as recipient database access.

LDAP certificate store

SecureZIP for z/OS also provides access to public key certificates located in an external LDAP (Lightweight Directory Access Protocol) server via a TCPIP network connection.

x.509 certificate information

SecureZIP for z/OS also provides identification of and simulation with certificates prior to including them in your local certificate store.

Each certificate store is described in detail below.

Local Certificate Store Administration

This section assists with allocating the components necessary to support the local DB, as well as administer the certificates within it.

SecureZIP for z/OS provides access to both public and private key certificates through a set of local files, PDS or PDSE, and index paths. The files and VSAM indexing components (Cluster, Alternate Indexes and Paths) must be allocated and synchronized.

The following administration phases should be planned for:

Initial Setup: A one-time initialization of the local certificate store datasets. This is initiated through the SecureZIP ISPF Dialogs and is performed by a generated batch job stream. Certificate store datasets are allocated and initialized for future use. In addition, a set of run-time configuration control records is generated for run-time access by SecureZIP.

Certificate Administration: The addition of new certificates to be used for encryption must be periodically performed as new exchange partners are identified. Installation of the certificates may be performed either through ISPF dialog foreground (manual) processing, or via a batch job stream. The following certificate administration actions must be accounted for:

One or more public-key certificates must be available for use when a RECIPIENT encryption operation is performed (when updating an archive). These digital certificates may be placed into MVS datasets (or PDS members) on the system that will be used to perform the encryption.

A private-key certificate must be available for use when a decryption operation is performed (either during extract processing, or when accessing an archive that has been protected with Filename Encryption). Corresponding RECIPIENT command instructions with the associated private-key certificate password must also be prepared for run-time access.

In order to complete the above tasks, digital certificate data must be made available to the activating system in the form of sequential files:

o Private-key certificates in PKCS#12 format (.PFX DSN suffix)

o Certificate Authority and Root Certificates in DER or B64 format (.CER DSN suffix)


PartnerLink SecureZIP Partner: Supplemental administration activities unique to SecureZIP Partner for z/OS are covered in the section “PartnerLink Certificate Store Administration and Configuration” in chapter 6.

A configuration profile is a collection of SecureZIP for z/OS commands that describe the collection of components. At execution time this profile is read to locate the appropriate stores and index.

SecureZIP Certificate Store Administration
Option ===>

Select one of the following options and press Enter:
  1  Local Certificate Store Administration
  2  LDAP Certificate Store Configuration
  3  x.509 Certificate Utilities
  4  ICSF CKDS Passphrase Registration Service

To access the local certificate store administration and configuration, enter “1” in the Option field.

SecureZIP Local Certificate Store

SecureZIP Local Certificate Store
Option ===>

Local Certificate Store Administration
  1       View Certificate Entries (ISPF Table)
  2       List Certificate Entries
  3       Add new Certificates
  4       Delete a Certificate
  5       Synchronize/Verify Local Store Certificates
  6       Report Statistics
  7       Edit Active Profile
  8       Supplemental Administration Utilities
  Create  Define and Initialize a New Local Certificate Store
  CRL     Work with Certificate Revocation Lists

Active Store Configuration: 'PKWARE.MVS.JCL(DBPROF)'
-{CSPUB=4;1;SECZIP.CERTSTOR.PUBLIC}
-{CSPRVT=4;1;SECZIP.CERTSTOR.PRIVATE}
-{CSPUB_DBX=SECZIP.CERTSTOR.DBX}
-{CSPUB_DBX_PATH_CN=SECZIP.CERTSTOR.PATHCN}
-{CSPUB_DBX_PATH_EM=SECZIP.CERTSTOR.PATHEM}
-{CSPUB_DBX_PATH_PUBKEY=SECZIP.CERTSTOR.PATHPUBK}

This is the main local certificate store panel. It will guide you in establishing your local cert-store environment. To create a new local certificate store database, enter “CREATE” in the Option field.


Create a New Local Certificate Store DB

SecureZIP Local Certificate Store
Option ===>

Create and Prime New Local Certificate Store

Fill in the required information below using the DOWN PFK to complete all fields, including storage management options if necessary. Then Press ENTER to generate the create JCL.

Batch Job Card information:
//SECZIP81 JOB 'SEZIP82',CLASS=A,REGION=8M,
//         MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID
//*

High-Level Qualifier(s): PKWARE.MVS          (up to 20 characters)
A set of PDS/PDSE datasets, VSAM Clusters, Alternate Indexes and PATHs will be allocated by the JOB. All components of the store must be allocated in the form: hlqs...CERTSTOR.type

New Store Configuration Profile: 'PKWARE.MVS.JCL(DBPROF)'
For example: 'PKWARE.MVS.PARMLIB(CERTCFG1)'
Specify the PDS and member where the run-time configuration commands are to be placed for SecureZIP. The PDS dataset and/or member will be allocated if they do not already exist. If the PDS member already exists, it will be overwritten. This member is to be referenced in SecureZIP runs requiring requests from the Local Certificate Store via -RECIPIENT=DB. This may be achieved in one of the following ways:
  1. Use -INCLUDE_CMD=dsname(member) in the command stream for an individual run.
  2. Specify this dataset in the DB Profile field of each user's SecureZIP Runtime Configuration panel.
  3. Specify this dataset in the SECUREZIP_CONFIG= parameter of the SecureZIP defaults module (ACZDFLT) to make it effective as a default for all users.

Specify SMS/non-SMS allocation parameters
  Management class . . .        (Blank for default management class)
  Storage class . . . .         (Blank for default storage class)
  Data class . . . . . .        (Blank for default data class)
  Volume serial . . . .         (Specify for NON sms volume)
  Device type . . . . .         (Specify for NON sms volume)

This panel will set up the job stream to create the public, private, CA and root certificate stores, the data base, all corresponding paths, and the data base profile.

The public, private, CA and root certificate stores, and the DB profile are PDS files. The data base is a VSAM cluster with alternate index paths. The certificate stores are initialized with 1 CA, 1 root, four public and four private certificates in their respective stores. The password for those private certificates is PKWARE.

New Data Base Profile
The profile is used to read the configuration commands that allow access to the certificates during execution of SecureZIP for z/OS in either ZIP or UNZIP operations. If the data base profile does not exist, one will be dynamically allocated. If it exists, you will see the message "Profile Exists" in the upper right corner of the screen.


Chapter 4 Certificate Store Management 93

The data base profile follows the standard PDS dataset name format: datasetname(membername).

High-Level Qualifier
The high-level qualifier (hlq) is used to prefix the certificate stores as well as all components of the database. Multiple nodes are acceptable.

For the certificates, the PDS names are:

hlq.CERTSTOR.PUBLIC
hlq.CERTSTOR.PRIVATE

For the Data Base, the names are:

hlq.CERTSTOR.DBX
hlq.CERTSTOR.DBXCN
hlq.CERTSTOR.DBXEM
hlq.CERTSTOR.DBXPUBK
hlq.CERTSTOR.PATHCN
hlq.CERTSTOR.PATHEM
hlq.CERTSTOR.PATHPUBK
hlq.CERTSTOR.P7CA
hlq.CERTSTOR.P7ROOT
hlq.CERTSTOR.P7CRL

Batch Job Card information
This is the JOB Card to be used for the batch run.

Certificate Validation Options
When you are satisfied with the parameters you have entered, press ENTER and enter Y or N into the associated certificate validation fields.

SECUREZIP CERTSTORE Policy Setup
Command ===>
Specify whether certificate validation should be performed for each phase of processing ( Y or N ). Press PF1 for detailed information.
   Encryption:      Y Trusted   Y Expired   Y Revoked
   Signing:         Y Trusted   Y Expired   Y Revoked
   Authentication:  Y Trusted   Y Expired   Y Revoked   Y Tampercheck

The configuration profile for certificate store access also defines default policy settings to be used for certificate validation. Certificates may be validated for use during RECIPIENT selection for Encryption, Signing Certificate selection (SIGN FILES/SIGN ARCHIVE), and Authentication (AUTHCHK) processing.



Generated JCL to Build the Initial Certificate Store
When you are satisfied with the parameters you have entered, press ENTER. An Edit session is opened so that you can review the generated JCL and submit it to build the certificate store.

File  Edit  Edit_Settings  Menu  Utilities  Compilers  Test  Help
--------------------------------------------------------------------------------
****** ********************************* Top of Data ****************
//FPDCS1 JOB 'ACCOUNTING INFO',CLASS=A,REGION=8M,
// MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID
//*
//******************************************************************
//* PLEASE BE SURE PROCEDURE PKISPF IN INSTLIB HAS BEEN TAILORED  *
//* TO MEET YOUR SITES SPECIFICATIONS.                            *
//******************************************************************
// JCLLIB ORDER=PKWARE.MVS.INSTLIB
//JOBLIB DD DISP=SHR,DSN='PKWARE.MVS.LOAD'
//*
//* GENERATED JCL TO BUILD INITIAL CERTIFICATE STORE
//* DELETE OLD CERTIFICATE STORE
//DELCERT EXEC PGM=IEFBR14
//DPUB DD DISP=(MOD,DELETE,DELETE),SPACE=(TRK,(0)),
// DSN=PKWARE.MVS.CERTSTOR.PUBLIC
//DPRV DD DISP=(MOD,DELETE,DELETE),SPACE=(TRK,(0)),
// DSN=PKWARE.MVS.CERTSTOR.PRIVATE
//* CREATE PUBLIC CERTIFICATE STORE
//COPYIN EXEC PGM=IEBCOPY
.......
.......

After you have SUBmitted the JOB and then pressed PF3 to end the Edit session, the following screen appears.

****************************** Top of Data *******************************
***
* LOCAL CERTIFICATE STORE CONFIGURATION CONTROL
*
* Include this member in SecureZIP runs requiring Local Certificate
* Store RECIPIENTS, SIGN_ARCHIVE, SIGN_FILES and AUTHCHK signatories.
***
-{CSPUB=4;1;PKWARE.MVS.CERTSTOR.PUBLIC}
-{CSPRVT=4;1;PKWARE.MVS.CERTSTOR.PRIVATE}
-{CSPUB_DBX=PKWARE.MVS.CERTSTOR.DBX}
-{CSPUB_DBX_PATH_CN=PKWARE.MVS.CERTSTOR.PATHCN}
-{CSPUB_DBX_PATH_EM=PKWARE.MVS.CERTSTOR.PATHEM}
-{CSPUB_DBX_PATH_PUBKEY=PKWARE.MVS.CERTSTOR.PATHPUBK}
-{CSCA=1;0;PKWARE.MVS.CERTSTOR.P7CA}
-{CSROOT=1;0;PKWARE.MVS.CERTSTOR.P7ROOT}
-{CSCRL=1;0;PKWARE.MVS.CERTSTOR.P7CRL}
-{AUTHENTICATE=TRUSTED,EXPIRED,REVOKED,TAMPERCHECK}
-{VALSIGN=TRUSTED,EXPIRED,REVOKED}
-{VALENCRYPT=TRUSTED,EXPIRED,REVOKED}
****************************** Bottom of Data ****************************

This is the data base profile that will be saved in the dataset and member you specified. It is used to read the configuration commands to allow access to the certificates during execution of SecureZIP for z/OS in either ZIP or UNZIP operations.
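Because the profile is plain text, it can be audited before it is referenced from a SecureZIP run. The following added example (not PKWARE code) parses the -{KEYWORD=value} directives of a profile member like the one above and reports any validation phase (VALENCRYPT, VALSIGN, AUTHENTICATE) that is absent or incomplete, or any CA, root or CRL store that is not configured; parse_profile and audit_policy are hypothetical helper names and the sample profiles are constructed.

```python
"""Audit a SecureZIP local certificate store configuration profile.

Added example, not PKWARE code. It assumes only the '-{KEYWORD=value}'
directive syntax shown in the generated profile above, with '*' comment
lines; parse_profile and audit_policy are hypothetical helper names.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

DIRECTIVE = re.compile(r"^-\{([A-Z_]+)=(.*)\}\s*$")

# Validation phases the profile can switch on, and the checks each is
# expected to carry. AUTHENTICATE additionally supports TAMPERCHECK.
POLICY_KEYWORDS = {
    "VALENCRYPT": {"TRUSTED", "EXPIRED", "REVOKED"},
    "VALSIGN": {"TRUSTED", "EXPIRED", "REVOKED"},
    "AUTHENTICATE": {"TRUSTED", "EXPIRED", "REVOKED", "TAMPERCHECK"},
}

# Store directives whose value has the form 'n;n;dataset.name'.
STORE_KEYWORDS = {"CSPUB", "CSPRVT", "CSCA", "CSROOT", "CSCRL"}


@dataclass
class Profile:
    stores: dict[str, str] = field(default_factory=dict)         # keyword -> DSN
    policies: dict[str, set[str]] = field(default_factory=dict)  # keyword -> checks
    other: dict[str, str] = field(default_factory=dict)          # e.g. CSPUB_DBX


def parse_profile(text: str) -> Profile:
    """Parse profile member text; raise ValueError on an unrecognised line."""
    prof = Profile()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue  # comment banner
        m = DIRECTIVE.match(line)
        if not m:
            raise ValueError(f"unrecognised profile line: {raw!r}")
        key, value = m.group(1), m.group(2).strip()
        if key in STORE_KEYWORDS:
            parts = value.split(";")
            if len(parts) != 3:
                raise ValueError(f"{key}: expected 'n;n;dsn', got {value!r}")
            prof.stores[key] = parts[2].strip()
        elif key in POLICY_KEYWORDS:
            prof.policies[key] = {c.strip().upper() for c in value.split(",") if c.strip()}
        else:
            prof.other[key] = value
    return prof


def audit_policy(prof: Profile) -> list[str]:
    """Return findings; an empty list means every phase validates fully."""
    findings: list[str] = []
    for key, expected in POLICY_KEYWORDS.items():
        if key not in prof.policies:
            # An absent phase performs no validation at all.
            findings.append(f"{key} not set: that phase performs no certificate validation")
            continue
        missing = sorted(expected - prof.policies[key])
        if missing:
            findings.append(f"{key} omits {','.join(missing)}")
    for key in ("CSCA", "CSROOT", "CSCRL"):
        if key not in prof.stores:
            findings.append(f"{key} missing: trust chain and revocation checks have no store to consult")
    return findings


# Constructed sample: the directives of the profile generated above.
COMPLETE_PROFILE = """\
***
* LOCAL CERTIFICATE STORE CONFIGURATION CONTROL
***
-{CSPUB=4;1;PKWARE.MVS.CERTSTOR.PUBLIC}
-{CSPRVT=4;1;PKWARE.MVS.CERTSTOR.PRIVATE}
-{CSPUB_DBX=PKWARE.MVS.CERTSTOR.DBX}
-{CSPUB_DBX_PATH_CN=PKWARE.MVS.CERTSTOR.PATHCN}
-{CSPUB_DBX_PATH_EM=PKWARE.MVS.CERTSTOR.PATHEM}
-{CSPUB_DBX_PATH_PUBKEY=PKWARE.MVS.CERTSTOR.PATHPUBK}
-{CSCA=1;0;PKWARE.MVS.CERTSTOR.P7CA}
-{CSROOT=1;0;PKWARE.MVS.CERTSTOR.P7ROOT}
-{CSCRL=1;0;PKWARE.MVS.CERTSTOR.P7CRL}
-{AUTHENTICATE=TRUSTED,EXPIRED,REVOKED,TAMPERCHECK}
-{VALSIGN=TRUSTED,EXPIRED,REVOKED}
-{VALENCRYPT=TRUSTED,EXPIRED,REVOKED}
"""

# Constructed weakened variant: VALENCRYPT dropped and TAMPERCHECK removed
# from AUTHENTICATE, the kind of edit an audit should catch.
WEAKENED_PROFILE = COMPLETE_PROFILE.replace(
    "-{VALENCRYPT=TRUSTED,EXPIRED,REVOKED}\n", ""
).replace("REVOKED,TAMPERCHECK", "REVOKED")

if __name__ == "__main__":
    for name, text in (("complete", COMPLETE_PROFILE), ("weakened", WEAKENED_PROFILE)):
        print(name, audit_policy(parse_profile(text)) or ["no findings"])
```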



View Data Base Certificate Entries
You can view details about a certificate.

SecureZIP Local Certificate Store
Option ===>
View Data Base Certificate Entries
Active Store Configuration: 'PKWARE.MVS.JCL(DBPROF)'

Select one or more types for viewing: (Default is all)
   Public
   Private
   Certificate-Authority
   Root

Optional Search Criteria:
   Search String:
   Search Fields:  ALL  (CN/EM/ALL)
   Case Sensitive: N    (Y/N)

Filters:
   Exclusion - Do not show certificates with the following characteristics.
      Revoked
      Suspended
      Expired
      Not Trusted
   Inclusion - Show certificates only having the specific indicators.
      Encryption
      Signing

This panel will create a data base table display using the criteria entered in the fields. The table view will provide an opportunity to select individual entries for various actions.

Active Store Configuration
The data base to be operated upon.

Select Types
This is a report filter that you can use to select the types of certificates to report on. You may report on all certificates in the store by pressing Enter (Default) or selecting a specific type(s).

Public key (CER) end-entity certificates will be included from the certificate store index.

Private key (PFX) end-entity certificates will be included from the certificate store index.

Certificate-authority (P7B) intermediate issuing certificates will be displayed from the active x.509 CA store data set.

Root (P7B) self-signed issuing certificates will be displayed from the active x.509 root store data set.

Search String
Enter a string of characters to be used as a filter, listing only those certificates containing a match for the string. Leave this field blank if no filtering is desired.

Search Fields
Enter ALL, CN (common name) or EM (Email address).

Case Sensitive
Specify whether the search string should be case sensitive.



Filters
Filters can be useful in viewing qualified certificates in the local certificate store. The filters may be used in combination with other type and search criteria to further restrict the number of entries returned.

The Exclusion filters will eliminate entries known to have failed the specified characteristic (based on the information held in the index). For example, index entries marked as “Revoked” by the System Administration Validate function will fail the “Revoked” policy test when an attempt is made to use them for signing or encryption. This filter will assist in locating certificate entries that are known to have never failed the Validation test. However, it does not guarantee that the trust chain is currently intact within the certificate store configuration. (The system administrator may not have run the Validate service request against the certificate).

The Inclusion filters will assist in identifying certificates issued for a specific purpose. However, certificates issued without the designated use flag will be eliminated from the display. Your enterprise must obtain certificates specific to the qualifications from a certificate authority for this filter to be of use.

Be aware that when a certificate validation policy is set for a given SecureZIP action such as Encryption, Signing or Authentication, a dynamic check against the live certificate store is performed in lieu of the database index record settings. This means that multiple certificates identified by a CN= or EMAIL= search may still be identified at run-time and be flagged as unusable based on the policy in force. When records are no longer desired to be referenced at run-time because they are Expired, Revoked, or Not Trusted, the system administrator should mark the entries as Suspended.

PKCSV001             SecureZIP View Certificate Store          Row 1 to 10
Command ===>                                                SCROLL ===> CSR
Certificate Database: 'SECZIP.NEWDB.CERTSTOR.DBX'
Primary commands: LOCATE , SORT and SAVE.
Scroll RIGHT or LEFT for more information.
Enter line command or '/' for list of valid line commands.
Cmd Type Common Name
-------------------------------------------------------------------
/_  CER  Al Smith
__  CER  Bill Jones
__  CER  Kevin Johnson
__  CER  Mark Arrow
__  CER  Matt Brewster
__  CER  Michael Stanley
__  CER  PKWARE Test1
__  PFX  PKWARE Test1
__  CER  PKWARE Test2
__  PFX  PKWARE Test2



Valid Line Commands

SecureZIP Certstore Line Commands
Command ==>
Action: I
   D    Delete Certificate
   I    Detailed Certificate Information
   EX   Edit Certificate Index information
   VAL  Validate Certificate
   RC   Generate -RECIPIENT command based on Common Name
   RE   Generate -RECIPIENT command based on Email Address
   SAC  Generate -SIGN_ARCHIVE command based on Common Name
   SAE  Generate -SIGN_ARCHIVE command based on Email Address
   SFC  Generate -SIGN_FILES command based on Common Name
   SFE  Generate -SIGN_FILES command based on Email Address
   AAC  Generate -AUTHCHK archive command based on Common Name
   AAE  Generate -AUTHCHK archive command based on Email Address
   AFC  Generate -AUTHCHK files command based on Common Name
   AFE  Generate -AUTHCHK files command based on Email Address
   SUS  Suspend a certificate from use
The Generate option(s) will place the commands to a memory clipboard for a subsequent SAVE command.

Specifying “D” to delete the certificate will remove the specified certificate from your local store. Please be aware that deleting certificate authority and/or root certificates will prevent authentication processing from completing a TRUST check operation.

Before permanently removing the certificate from the local store, SecureZIP will prompt the user with the following screen:

Confirm Certificate Delete
Active DB Profile: 'PKWARE.MVS.PROFILE(CERTCFG1)'
Certificate to be deleted:
   Location= 1
   Name    = Class 3 Public Primary Certification Authority
   Serial #= 02CDBA356FFDWE4BC54FE22ACBA72A325
Note: Certificates that are issued by the certification authorities or any lower level certification authorities will no longer be trusted.
Press ENTER to continue or PF3 to exit without deleting the certificate.

By requesting “I” for additional information about the certificate, a report will be generated and displayed.

PKSCANCRT 005I scan(0) file is: //'PKWARE.MVS.CERTSTOR.PUBLIC(PUB1CERT)'
PKSCANCRT 008I Certificate #1 found (924) //'PKWARE.MVS.CERTSTOR.PUBLIC(PUB1CERT)'
--- Certificate 1 --- PKWARE Test1
Subject:
   C=US
   OU=Certification Services
   CN=PKWARE Test1
   [email protected]
Issuer:
   C=US
   OU=Certification Services
   CN=PKWARE Test1
   [email protected]
SerialNumber: 00
NotBefore: Wed Apr 14 13:20:41 2004
NotAfter:  Sat Apr 13 13:20:41 2024
SHA-1 Hash of Certificate(Thumbprint): DF 31 1E 8D DF 02 BD 0C 7C 4A 75 72 00 CA 03 6D 68 95 49 C9
Public Key Hash: 83 0A 0A E9 DB F0 49 69 54 76 38 62 12 6E CE 7A 34 BB 7A 56
Self Signed Certificate Authority

The following table explains fields of certificate details in the display.

Heading                     Description
Subject                     Information about the entity to whom the certificate was issued.
Issuer                      Information about the entity that issued the certificate.
Serial Number               Serial number of the certificate.
NotBefore/NotAfter          Date range for which the certificate is valid.
SHA-1 Hash of Certificate   The SHA-1 algorithm hash, or "thumbprint," of the certificate.
Public Key Hash             The hash, or "thumbprint," of the public key.
Key Usage                   Key usage flags that determine how the certificate was intended to be used.

The public key hash value is the primary key used in the local certificate store index.

The Issuer fields are composed of several x.509 subfields. The exact set varies; the following table describes some of the most commonly used.

Code   Description
O      Organization
OU     Organizational Unit
CN     Common Name
E      Email address
C      Country
ST     State or Province
L      Locality or City

The Common Name (CN) and Email (E) fields can be searched to identify Recipients.



By entering “EX” from the SecureZIP Line Commands panel, you may edit the certificate index information such as the certificate member name. See resulting screen below:

Edit Certificate Index Information
Active DB Profile: 'PKWARE.MVS.PROFILE(CERTCFG1)'
Certificate Path: //'PKWARE.MVS.CERTSTOR.PUBLIC(PUB4CERT)'
Common Name:   PKWARE Test4
Email Address: [email protected]
Certificate PDS member name: PUB4CERT
   The member name may be changed here. The Certificate Store index will be updated to reflect the new location.
Press ENTER to process, or END to return.

If you request “VAL” SecureZIP will look to validate the certificate by using the current -{VALENCRYPT=...} setting in the profile. It validates the certificate by generating a -RECIPIENT(...,R,PASSWORD=pppppp) command, and running SecureZIP for both ZIP and TEST. Please be aware that, if -{VALENCRYPT=} is not active, the certificate will always pass the validation check.

You may also generate and save commands for the RECIPIENT, SIGN_ARCHIVE, SIGN_FILES and AUTHCHK (archive and/or file) parameters. For example, by selecting RC, you will see -RC appear on the far right of the screen (see below):

Command ===>                                               SCROLL ===> PAGE
Certificate Database: 'PKWARE.MVS.CERTSTOR.DBX'
Selection Mode: Administration
Primary commands: LOCATE , SORT and SAVE.
Scroll RIGHT or LEFT for more info.
Enter line command or '/' for list of valid line commands.
Cmd Type Common Name
-------------------------------------------------------------------------
    CER  PKWARE Test4                                                 -RC

Enter SAVE on the command line to save the command string to a PDS member where you will decide if the saved command is to be used for ZIP or UNZIP processing (see below):

Command ===>
Select (/) the recipient list type you wish to use:
   ZIP
   UNZIP/View

Press ENTER to process - Enter END or press PF3 to exit

Upon selecting the appropriate data set and member name, insert a forward slash “/” next to the desired options (see below):



Save a Recipient List
Command ===>
Save Recipient List in:
   Data set name ==> 'SECZIP.PKWARE.PROFILE'
   Member Name   ==> $ZRECIPS
Enter / for Edit/Member List/Data Set List/New Data Set
Enter / to make this list your active list.
Press ENTER to process - Enter END or press PF3 to exit

Once you’ve made your selection(s), press ENTER, and you will have successfully saved the RECIPIENT command to a PDS member:

BROWSE    SECZIP.PKWARE.PROFILE($RECIPS) - 01.01
Command ===>
****** ******************************* Top of Data ************************************
-RECIPIENT(DB:CN=PKWARE Test4)
****** ****************************** Bottom of Data **********************************

By requesting SUS, you effectively suspend a certificate from use. As discussed above, if certificates are no longer desired to be referenced at run-time because they are expired, revoked, or not trusted, the system administrator should mark the entries as “Suspended.”

To re-enable or “unsuspend” the certificate, enter “UNS” next to the appropriate certificate.

Please note that a suspended certificate is still available for VIEW processing of older archives that used it as a recipient.

List Certificate Entries

SecureZIP Local Certificate Store
Command ===>
List Certificate Entries
Active DB Profile: 'PKWARE.MVS.STORE.PROFILES(SAG)'
   PKWARE.MVS.CERTSTOR.DBX
   PKWARE.MVS.CERTSTOR.PUBLIC
   PKWARE.MVS.CERTSTOR.PRIVATE
   PKWARE.MVS.CERTSTOR.P7CA
   PKWARE.MVS.CERTSTOR.P7ROOT
Select the following types for listing: (Default is all)
   Public
   Private
   Certificate-Authority
   Root
Sort Options for Public and Private Certificates
   CN   (CN-common name, EM-email, PA-path)

This panel will run the data base report of the selected data base using the criteria entered in the fields. The report will be run in foreground and an ISPF browse session will be invoked to allow you to review the report.

Active Data Base Profile
The data base to be reported upon.



List Public, Private or Both
This is a report filter that you can use to select the type of report. You may report on all certificates in the store by simply pressing Enter, only the private certificates by selecting "PRIVATE", only the public certificates by selecting "PUBLIC", only the certificate authority certificates by selecting "Certificate-Authority", or only the root certificates by specifying "Root".

Sort Report
The report can be sorted by common name, email, path, or be allowed to default to public hash, in which case no actual sort takes place. The commands can be abbreviated as follows: Common Name - CN, Email - EM, Path - PA.

Example of a report in physical order (no sort)

IDC0005I NUMBER OF RECORDS PROCESSED WAS 4
Certificate Data Base Report for 'PKWARE.MVS.CERTSTOR.DBX'
---------------------------------------------------------------------
Public Certificate
Public Key Hash    39A01D5F31B3455B69195AE3A1AF81BED3B28C51
Common Name        PKWARE Test2
Common Name Hash   6DE947807CDCFF6B2996BEA359BF39FEB009958B
Email              [email protected]
Email Hash         1C6D2FBA039AE4B91E4199E0F9A71B4F46D30AF1
Path               //'PKWARE.MVS.CERTSTOR.PUBLIC(PUB2CERT)'
---------------------------------------------------------------------
Public Certificate
Public Key Hash    830A0AE9DBF0496954763862126ECE7A34BB7A56
Common Name        PKWARE Test1
Common Name Hash   F8D28D6D8291BBB2BC69561188EADAC9DCE01858
Email              [email protected]
Email Hash         A236B17D27B439CAB2EBB8FCE98500D10332E157
Path               //'PKWARE.MVS.CERTSTOR.PUBLIC(PUB1CERT)'
---------------------------------------------------------------------
Private Certificate
Public Key Hash    39A01D5F31B3455B69195AE3A1AF81BED3B28C51
Common Name        PKWARE Test2
Common Name Hash   6DE947807CDCFF6B2996BEA359BF39FEB009958B
Email              [email protected]
Email Hash         1C6D2FBA039AE4B91E4199E0F9A71B4F46D30AF1
Path               //'PKWARE.MVS.CERTSTOR.PRIVATE(PVT2CERT)'
---------------------------------------------------------------------
Private Certificate
Public Key Hash    830A0AE9DBF0496954763862126ECE7A34BB7A56
Common Name        PKWARE Test1
Common Name Hash   F8D28D6D8291BBB2BC69561188EADAC9DCE01858
Email              [email protected]
Email Hash         A236B17D27B439CAB2EBB8FCE98500D10332E157
Path               //'PKWARE.MVS.CERTSTOR.PRIVATE(PVT1CERT)'
---------------------------------------------------------------------



Example of a report in order by Email address

****** ******************************************************* Top of Da
IDC0005I NUMBER OF RECORDS PROCESSED WAS 4
Certificate Data Base Report for 'PKWARE.MVS.CERTSTOR.DBX'
-----------------------------------------------------------------
Public Certificate
Public Key Hash    830A0AE9DBF0496954763862126ECE7A34BB7A56
Common Name        PKWARE Test1
Common Name Hash   F8D28D6D8291BBB2BC69561188EADAC9DCE01858
Email              [email protected]
Email Hash         A236B17D27B439CAB2EBB8FCE98500D10332E157
Path               //'PKWARE.MVS.CERTSTOR.PUBLIC(PUB1CERT)'
-----------------------------------------------------------------
Private Certificate
Public Key Hash    830A0AE9DBF0496954763862126ECE7A34BB7A56
Common Name        PKWARE Test1
Common Name Hash   F8D28D6D8291BBB2BC69561188EADAC9DCE01858
Email              [email protected]
Email Hash         A236B17D27B439CAB2EBB8FCE98500D10332E157
Path               //'PKWARE.MVS.CERTSTOR.PRIVATE(PVT1CERT)'
-----------------------------------------------------------------
Private Certificate
Public Key Hash    39A01D5F31B3455B69195AE3A1AF81BED3B28C51
Common Name        PKWARE Test2
Common Name Hash   6DE947807CDCFF6B2996BEA359BF39FEB009958B
Email              [email protected]
Email Hash         1C6D2FBA039AE4B91E4199E0F9A71B4F46D30AF1
Path               //'PKWARE.MVS.CERTSTOR.PRIVATE(PVT2CERT)'
---------------------------------------------------------------------
Public Certificate
Public Key Hash    39A01D5F31B3455B69195AE3A1AF81BED3B28C51
Common Name        PKWARE Test2
Common Name Hash   6DE947807CDCFF6B2996BEA359BF39FEB009958B
Email              [email protected]
Email Hash         1C6D2FBA039AE4B91E4199E0F9A71B4F46D30AF1
Path               //'PKWARE.MVS.CERTSTOR.PUBLIC(PUB2CERT)'
---------------------------------------------------------------------

Add a Certificate to the Local Store
The following instructions detail how to add new public and private keys to the local certificate store. Please note that when performing certificate administration add or delete activities, SecureZIP will write change activity messages to the ISPF LOG if it is active. If an historical record of certificate store changes is desired, be sure to set the ISPF log data set defaults in the Log/List Settings panel to allocate and retain the LOG data set.

Add New Certificate to the Local Store

SecureZIP Local Certificate Store
Option ===>
Add new Certificate to the Local Store
Active Store Configuration: 'SECZIP.FPD.PROFILES(DBPROF)'
Specify Certificate sub-store to be updated:
   1 - Public Certificate Store - "CER"
   2 - Private Certificate Store - "PFX"
   3 - Intermediate Certificate Authorities - "CER" or "P7B"
   4 - Trusted Root Certificate Authorities - "CER" or "P7B"
   5 - Register SAF certs in the SecureZIP Key Index
Press ENTER to identify the certificate source file.
The Local Certificate Store is organized into 4 sub-stores. When importing new certificates, you must indicate which section is to be updated based on the type of x.509 certificate file being used as input. The annotated suffixes are provided as a guide to help identify the type of source file being imported. The suffix of the data set name is not required, nor is it analyzed during the import process.

SAF Certificates may be registered in the Local Certificate Store to make them available using the DB: keyword on SecureZIP commands.

Use option 5 to manage SAF Certificate registration.

This panel is used to select the type of certificate to be added to the local certificate store.

Specify Certificate sub-store to be updated
Enter the number representing the certificate to be added.

SecureZIP Local Certificate Store
Option ===>
Add new Public Key Certificate to the Local Store
Active Store Configuration: 'SECZIP.FPD.PROFILES(DBPROF)'
Input Certificate PDS/File:
   Enter the full PDS/Sequential file name of the source certificate.
Certificate PDS member name:
   Enter an optional member name for ease of reference, such as 3 initials plus the year that the certificate was issued in. If left blank, a name will be generated of the form GENnnnnn.
Press ENTER to continue.

This panel is for adding public key certificates to the local cert store and Data Base.

Input Certificate PDS or File
A sequential file or member of a PDS can be used as input. All members of a PDS can be copied by entering (*) for the member name.

For private Certificate(s), enter password
Password is required for the private certificate store.

Output Certificate PDS member name
For a sequential file or a single PDS member addition, the certificate store member name can be chosen; otherwise the store member name will be generated. If an entire PDS is used as input, then the input PDS member names will be used.



Add a New Certificate to the CA Store
This panel is for adding certificate authority certificates to the store.

SecureZIP Local Certificate Store
Option ===>
Add new Certificate Authority to the Local Store
Active Store Configuration: 'PKWARE.MVS.STORE.PROFILES(SAG)'
Input Certificate File: 'SECZIP.CERT.CMS.ENCRYPT.P7B'
   Enter the full file name of the source certificate(s).
   For example: your.instlib2.library(castore)
Input Certificate Type :
   Enter the file type to be imported. Either CER or P7B
Backup Copy . . . : N   ( Y - Copy Store Before Update, N - No Copy)
Backup DSN. . . : 'SEG.PKWARE.BACKUP.CERTSTOR'
Press ENTER to continue or PF3 to exit without adding the certificate

Add a New Trusted Root Certificate to the Root Store
This panel is for adding trusted root certificates to the store.

Add new Trusted Root to the Local Store                        More: +
Warning: The certificates are from a certification authority (CA) claiming to represent the organizations that will be displayed on the next screen. Once you install the certificate, SecureZIP will use it to complete future certificate Trust Chain validation processing associated with the certification authority.
Note: Before you install the certificate you must verify that the certificate is actually from the certification authority and can be trusted. You should install the certificate only once you have confirmed its authenticity. To do this, you should contact the CA listed to verify the certificate authenticity. To help you in your verification please use the Thumbprint HASH. If you install this certificate without confirming the authenticity you may be creating a security risk.
Input Certificate File: 'SECZIP.FPD.SEC.PKTICAF.CRT'
   Enter the full Sequential file name of the source certificate(s).
   For example: your.instlib2.library(rtstore)
Input Certificate Type :
   Enter the file type to be imported. Either CER or P7B
Backup Copy . . . : N   ( Y - Copy Store Before Update, N - No Copy)
Backup DSN. . . : 'FPD.PKWARE.BACKUP.CERTSTOR'
Press ENTER to continue or PF3 to exit without adding the certificate

The following message will appear prior to adding any root certificate:

Warning: The certificates are from a certification authority (CA) claiming to represent the organizations that will be displayed on the next screen. Once you install the certificate, SecureZIP will use it to complete future certificate Trust Chain validation processing associated with the certification authority.

Review the warning and enter the source file of the root certificate along with the type of certificate.



If you would like to back up your existing root store, place a Y in the Backup Copy field and enter a dataset to be used to hold the copy of the root store.

After reviewing the data presented on the next screen, you will then enter SAVE to process the root certificate.

A table of certificates to be added will be displayed. You will use this information to verify the authenticity of the certificates. Once that has been completed, enter SAVE on the command line, or press PF3 to stop the add.

Certificate Source:
CA Store   :
ROOT Store :
If you install the certificate(s) without confirming the authenticity you may be creating a security risk.
Enter SAVE to continue adding the ROOT Certificate, Else PF3 to end
Scroll RIGHT or LEFT for more info.
Type Friendly Name
-------------------------------------------------------------------------

Please note that once all certificate chain components for a private-key certificate are installed to the local certificate store, a verification of the trust chain should be performed to ensure that future signing operations will carry the necessary certificate store information for authentication processing. This can be accomplished by performing the following steps:

1. Perform a ZIP SIGN_ARCHIVE run with the private-key certificate

2. Perform an UNZIP VIEWDETAIL run against the archive from the previous step with the following command settings:

-AUTHCHK(ARCHIVE) -VERBOSE -{AUTHENTICATE=ALL}

3. Perform a manual check on the reported signature certificates saved in the archive to ensure that the root certificate is in the list.

4. Review the messages to ensure that the authentication check passed with message ZPEN035I

ZPEN035I Archive Directory Authentication Succeeded
ZPAM700I Archive was digitally signed by PKWARE Test3
ZPAM329I 3 Signature Certificates were saved in the archive:
ZPAM321I   Cert Name: PKWARE Test3
ZPAM323I   Email: [email protected]
ZPAM325I   Valid: 12/20/2004-12/13/2024
ZPAM326I   Issuer: PKWARE, Inc.
ZPAM321I   Cert Name: PKTESTDB Root
ZPAM323I   Email: [email protected]
ZPAM325I   Valid: 12/20/2004-12/19/2024
ZPAM326I   Issuer: PKWARE, Inc.
ZPAM321I   Cert Name: PKWARE Test Intermediate Cert
ZPAM323I   Email: [email protected]
ZPAM325I   Valid: 12/20/2004-12/14/2024
ZPAM326I   Issuer: PKWARE, Inc.

To assist in performing this process, the "View Certificate Entries" table display in Local Certificate Administration provides a VAL line command. Selecting this line command runs the ZIP/UNZIP sequence in the foreground and analyzes the results for display.
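The manual check in steps 3 and 4 above can be scripted against the UNZIP VIEWDETAIL output. The following is an added example, not PKWARE code: it reads the message lines, treats ZPEN035I as the authentication result, collects the saved signature certificates reported under ZPAM329I/ZPAM321I, and reports whether the expected chain members (the root in particular) are present. The message ids are those shown on this page; the assumption that each message occupies one line with its id first is the example's own, and the sample lines are the manual's sample output, not a live store.

```python
"""Check UNZIP VIEWDETAIL output for a complete, authenticated signature
chain (added example, not PKWARE code)."""
import re
from dataclasses import dataclass, field

# Message ids as they appear in the sample output above.
AUTH_OK = "ZPEN035I"      # Archive Directory Authentication Succeeded
SIGNED_BY = "ZPAM700I"    # Archive was digitally signed by <name>
CERT_COUNT = "ZPAM329I"   # <n> Signature Certificates were saved in the archive:
CERT_NAME = "ZPAM321I"    # Cert Name: <name>
CERT_EMAIL = "ZPAM323I"
CERT_VALID = "ZPAM325I"
CERT_ISSUER = "ZPAM326I"

# Assumption: one message per line, message id first, then its text.
MSG = re.compile(r"^(ZP[A-Z]{2}\d{3}[A-Z])\s+(.*)$")


@dataclass
class SigCert:
    name: str
    email: str = ""
    valid: str = ""
    issuer: str = ""


@dataclass
class ChainReport:
    authenticated: bool = False
    signer: str = ""
    declared_count: int = -1
    certs: list = field(default_factory=list)
    missing: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        # Pass only if the directory authenticated, the number of listed
        # certificates matches the declared count, and nothing expected is absent.
        return (self.authenticated
                and self.declared_count == len(self.certs)
                and not self.missing)


def parse_viewdetail(lines):
    """Extract signer and saved signature certificates from VIEWDETAIL output."""
    report = ChainReport()
    current = None
    attr_for = {CERT_EMAIL: "email", CERT_VALID: "valid", CERT_ISSUER: "issuer"}
    for raw in lines:
        m = MSG.match(raw.strip())
        if not m:
            continue  # banners, separators and other non-message lines
        msg_id, text = m.groups()
        if msg_id == AUTH_OK:
            report.authenticated = True
        elif msg_id == SIGNED_BY:
            report.signer = text.split("signed by", 1)[1].strip()
        elif msg_id == CERT_COUNT:
            report.declared_count = int(text.split()[0])
        elif msg_id == CERT_NAME:
            current = SigCert(name=text.split(":", 1)[1].strip())
            report.certs.append(current)
        elif current is not None and msg_id in attr_for:
            setattr(current, attr_for[msg_id], text.split(":", 1)[1].strip())
    return report


def check_chain(lines, expected_names):
    """Parse the output and record which expected certificate names are absent."""
    report = parse_viewdetail(lines)
    present = {c.name for c in report.certs}
    report.missing = [n for n in expected_names if n not in present]
    return report


# The manual's own sample output from step 4 (not a live certificate store).
SAMPLE_OUTPUT = """\
ZPEN035I Archive Directory Authentication Succeeded
ZPAM700I Archive was digitally signed by PKWARE Test3
ZPAM329I 3 Signature Certificates were saved in the archive:
ZPAM321I Cert Name: PKWARE Test3
ZPAM323I Email: [email protected]
ZPAM325I Valid: 12/20/2004-12/13/2024
ZPAM326I Issuer: PKWARE, Inc.
ZPAM321I Cert Name: PKTESTDB Root
ZPAM323I Email: [email protected]
ZPAM325I Valid: 12/20/2004-12/19/2024
ZPAM326I Issuer: PKWARE, Inc.
ZPAM321I Cert Name: PKWARE Test Intermediate Cert
ZPAM323I Email: [email protected]
ZPAM325I Valid: 12/20/2004-12/14/2024
ZPAM326I Issuer: PKWARE, Inc.
""".splitlines()

if __name__ == "__main__":
    r = check_chain(SAMPLE_OUTPUT, ["PKTESTDB Root", "PKWARE Test Intermediate Cert"])
    print("signer:", r.signer, "| authenticated:", r.authenticated,
          "| certs:", len(r.certs), "| missing:", r.missing, "| ok:", r.ok)
```

Feed it the SYSPRINT of the VIEWDETAIL step and the list of chain members you installed; a missing root or a missing ZPEN035I both fail the check, which is exactly what the manual tells you to look for by hand.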

Add a New Certificate via Batch Processing

The ISPF panel interface provides a fast and easy method of adding new certificates to the local store. Although the panel interface is fine for adding a few certificates, navigating through the various panels can be repetitive and cumbersome if the user needs to add certificates for every employee in his or her company, for example. Therefore, SecureZIP for z/OS provides functionality to add certificates to the local stores through a JCL job submitted in batch processing mode.

The JCL member PKCSADD in the PKWARE.MVS.INSTLIB library provides the user with a sample program to add a certificate to the local store. The JCL calls program PKCS023 which adds the certificate to the local store. There are five parameters that allow the user to specify the certificate store location, the dataset containing the certificate to be added to the store and the other data necessary to add the certificate. The comments in the PKCSADD member fully explain the purpose of each parameter to the PKCS023 program.

After the PKCSADD member is customized for the user’s system, the job can be submitted to add a new certificate to the local store. By using the PKCSADD job as a model, the user can automate the process of adding certificates to the local store. In this way, any number of certificates can be added to a certificate store without repeatedly navigating through the ISPF panels.

Register Security Server Certificates in the Key Store Index

Security Server certificates that are to be used by SecureZIP can be registered in the SecureZIP Certificate Index. This allows access to SAF certificates through historic SecureZIP DB: references, as well as providing VIEWDETAIL query capabilities to display encryption recipient common name and email address information.

SAF certificates are generally referenced by Key Ring and/or LABEL name under a UserID or SITE repository identifier.

Three types of rings are used to house encryption, decryption and signing certificates:

User REAL Rings are named key rings defined under a UserID, to which certificates (not necessarily installed under that UserID) are connected

User VIRTUAL Ring is an unnamed key ring representing all trusted certificates installed under a UserID

SITE VIRTUAL Ring is an unnamed key ring representing all trusted certificates installed under SITE

The registration process provides a "bridge" between the traditional SecureZIP commands and SAF Rings by placing entries in the SecureZIP Key Store Index that cross-reference the traditional index fields to a SAF Certificate Label.


The panels that register certificates work on a "table" basis, where a list of SAF certificates to be registered is generated, then applied by:

1. Registering the certificates online: Requires Write access to the SecureZIP Certificate Index

2. Generating a batch job to register the certificates in the background

3. Saving the certificate list in a data set, and processing it later

Options 2 and 3 would normally be used when a user needs to register SAF certificates, but does not have write access to the SecureZIP Certificate index. The list data set can be created, and the SecureZIP administrator can load and process it. The Batch job can be saved in a data set, and the administrator can submit it under the proper userid.

SAF Certificate Candidate List

The first panel displays a list of candidate SAF certificates available to be registered in the Local Store. When it is initially displayed, it is shown with an empty list.

You can load a saved list using the Load command, or locate SAF ring entries using the Search command. Each time you issue a Load or Save command the results are added to the current list.

No updates to the Certificate Store are made unless the Update command is issued. Attempts to exit after modifying a candidate list result in a confirmation prompt.

PKCS026B              SecureZIP Local Certificate Store              Empty list
Command ===>
            Register SAF Ring Certificates in the SecureZIP Key Index
Active Store Configuration : 'PKWARE.MVS.STORE.PROFILES(DEVCERT1)'

Commands: Search for certificates      Load a saved list.
          Submit a batch job           Update the SecureZIP Index
          Reset the list.              Save the list in a file.
Line commands: I Display info   X Exclude the certificate from the list.
Press PF3 to exit without further processing.

Certificates in list: 2
ACTION/Common Name                    SAF Label/Email
ADD     1 SAF:DEV1/MyRing,LABEL='Eng_TMPContKey_01_2008'
          Eng TMPContKey 01 PK        [email protected]
CONVERT 3 SAF:CWB1/MyRing,LABEL='JOHNADAMS'
          John Adams                  [email protected]

Note that, when a certificate is marked as CONVERT, as in the sample just above, a SAF certificate was found that matches a certificate already residing in the Cert Store data base. If the certificate is “converted” to SAF, the source for the original certificate in the Cert Store will be deleted. If you need to retain the certificate store copy, make a backup copy before issuing the Update or Submit commands.


Commands

Search Search SAF rings for certificates. See “Searching for SAF Certificates,” below.

Submit Submit a batch job to perform the Certificate Store update

Update Online update of the Certificate Store

Load Load a saved list from a file

Save Save the list in a file

Reset Clear the list

Use the X (exclude) line command to remove any entries that you do not wish to update in the Cert Store.

Use the I (info) line command to display details about that certificate.

Searching for SAF Certificates

You can search:

All SITE certificates

A user “virtual” ring

All rings associated with a User ID

A specific ring associated with a User ID

When the Search command is entered on panel PKCS026B, the following panel is displayed. Fill in the appropriate fields, and press Enter. Any SAF certificates that are located are added to the list, and panel PKCS026B is redisplayed with the result of the search added to the original list. Certificates that are already registered as SAF in the Cert Store are excluded from the search results.

The Search command displays a panel requesting filter parameters.

SITE Virtual Ring

Accesses the Site ring, which is generally available to all users. If this field is non-blank, all other fields are ignored.

USERID

The User whose rings will be searched. This field is required if SITE is not selected. It defaults to the active TSO userid.

ALL USERID REAL RINGS

If this field is non-blank, RACDCERT LISTRING is used to list all rings defined by SAF USERID. Then, each ring is searched for eligible certificates. When selected, SAF RING is ignored.

KEY RING NAME

The SAF User ring to be searched. “*” is valid to search the user “virtual” ring. Required if not using SITE and SAF USERID REAL RINGS is not selected.


PKCS026A              SecureZIP Local Certificate Store
Command ===>
            Register SAF ring certificates in the Cert Store.
Active Store Configuration: 'PKWARE.MVS.STORE.PROFILES(DEVCERT1)'
Certificates in list :

SITE Virtual Ring   ==>          All other parms ignored if non-blank
UserID              ==> DEV1
All User Real Rings ==>          Key Ring below ignored if non-blank
Key Ring Name       ==> MyRing
  (You may enter * for the Key Ring Name to access the UserID Virtual Ring)

All trusted certificates found under the requested Key Ring will be added
to the candidate list, and you will be given the choice of installing all
of them, or selecting individual certificates.

Press ENTER to continue or PF3 to exit.

Delete a Certificate from the Local Store

SecureZIP Local Certificate Store
OPTION ===>
            Delete a Certificate from the Local Store
Active Store Configuration: 'PKWARE.MVS.STORE.PROFILES(DBPSTD)'

Specify Certificate sub-store to be updated:
  1 - Public Certificate Store             - "CER"
  2 - Private Certificate Store            - "PFX"
    - Intermediate Certificate Authorities - "CER" or "P7B"
    - Trusted Root Certificate Authorities - "CER" or "P7B"

The Local Certificate Store is sub-divided into 4 sub-stores. When
deleting certificates, you must indicate which section is to be updated
based on the type of x.509 certificate file being used.

The Intermediate Certificate Authorities and the Trusted Root Certificate
Authorities must be deleted from the View Certificate Entries (ISPF Table)
Panel - Option 1

Press ENTER to process.

This panel is used to select the type of certificate to be deleted from the local certificate store.


Specify Certificate sub-store to be updated

Enter the number representing the certificate to be deleted.

SecureZIP Local Certificate Store
OPTION ===>
            Delete a Public Certificate from the Local Store
Active Store Configuration: 'PKWARE.MVS.STORE.PROFILES(DBPROF)'

Certificate PDS member to Delete:
   PDS member in the certificate store to delete. This delete process
   will also delete the Database entry and all corresponding paths.
   Only the member name should be entered, which can be found by
   performing option 2 List DB Certificate Entries

Press ENTER to continue.

This panel is for deleting a public certificate from the local certificate store and data base. Certificates are deleted individually.

Certificate PDS member to Delete

Enter the PDS member name to be deleted from the certificate store. Contents of a particular certificate can be derived from the data base report.

SecureZIP Local Certificate Store
OPTION ===>
            Delete a Private Certificate from the Local Store          More:
Active Store Configuration: 'PKWARE.MVS.STORE.PROFILES(SAG)'

Certificate PDS member to Delete: TESTME
   PDS member in the certificate store to delete. This delete process
   will also delete the Database entry and all corresponding paths.
   Only the member name should be entered, which can be found by
   performing option 2 List DB Certificate Entries

Display password text: N  ( Y - To View )  Hit enter and then type the password
Enter the password for the Private Certificate:
Password (up to 200 characters):
....5...10....5...20....5...30....5...40....5...50....5...60....5...70....5..
160..5....0....5....0....5....0....5..200

Password entry indicates that a private-key certificate is to be deleted.
WARNING: Files in archives that have been encrypted with only this
private-key certificate cannot be opened if the private-key certificate

This panel is for deleting a private certificate from the local certificate store and data base. Certificates are deleted individually.

Enter password

A password is required to delete a private certificate.


WARNING: Once a private certificate is deleted, any files that are in archives encrypted with only that certificate cannot be opened. The private-key certificate would need to be reinstalled from an external source.

Synchronize the Index for the Local Certificate Store

SecureZIP Local Certificate Store
Command ===>
            Synchronize / Verify Certificates
Active Store Configuration: 'PKWARE.MVS.STORE.PROFILES(SAG)'

Specify Certificate store type:
  1 - Public / Private Store
  2 - CA / Root / Revocation List Store

Press ENTER to continue.

This panel directs you to the type of store to be processed. Select 1 or 2 and press “Enter”.

SecureZIP Local Certificate Store
Command ===>
            Synchronize the Index of the Local Store
Active Store Configuration: 'PKWARE.MVS.STORE.PROFILES(SAG)'

Batch processing options
  Enter / here if you want to reorganize the VSAM index components.
  This will take you to the Backup/Restore panel.

Foreground processing options
  Enter / below to select certificate analysis processes
    Remove Unmatched Index Entries
    Index Unresolved Certificate Information
      Process Private-key Certificates (password prompting as required)
      Delete Duplicate-key Certificate members
    Refresh existing fields from certificate data

This panel (Option 1) serves two functions:

Rebuilds the Database index in batch from an existing public-key store.

Performs specific foreground index synchronization tasks.

Batch rebuild

When selecting to rebuild the database in batch, all of the index components are deleted and redefined. The index entries are rebuilt by opening each certificate in the store and parsing the appropriate information.

A separate job step is required (see job step 'BUILD SEQ DATABASE FROM PRIVATE STORE') for each separate password represented in the private store.


Warning: Without the correct password for each private-key certificate, the index entries cannot be rebuilt and will be lost. The index entries may be restored by providing the correct password through a Foreground synchronization.

Foreground Operations

In the event that individual certificates or index entries require synchronization, the following cleanup tools are available:

Remove unmatched index entries

Select this option to remove index entries for which there is no matching certificate (as, for example, when a certificate member is manually removed from the PDS). This feature removes the index entry if the associated PDS or member does not exist.

Index Unresolved Certificates

Select this option when certificates for which there is currently no index entry have been added manually to the PDS store. The certificate(s) will be identified from a member list and scanned as if a certificate Add function had been requested.

Process Private-key Certificates (password prompt when required)

A sub-option of "Index Unresolved Certificates": Select this option in conjunction with the previous option to index unresolved certificates. A password prompt will be presented for each private-key certificate that has not yet been indexed so that the certificate may be opened. An opportunity is given to bypass each certificate for which the password is not known.

Delete Duplicate-key Certificates

A sub-option of "Index Unresolved Certificates": Select this option to physically delete certificates for which there is already a matching index. (It is recommended that any potential orphan index entries first be deleted by using the option "Remove unmatched index entries" to avoid deleting certificates which do not have a true duplicate).

Refresh existing fields from certificate data

This option invokes a re-read of the certificate to parse field data and update the index record information. Updated field information includes:

o Valid Date Range

o Serial number

o Use Flags

o Trust Status (conditionally updated)

o Revocation Status (conditionally updated)
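To make the relationship between these foreground options concrete, here is an added example (not PKWARE code) that models the certificate PDS and its index as two dictionaries keyed by member name and implements each option as a function over them. The field set, member names and key hashes are constructed for the example. It demonstrates in particular why the manual recommends "Remove unmatched index entries" before "Delete Duplicate-key Certificates": an orphan index entry left behind by a manually deleted member can make a live, unindexed replacement certificate look like a duplicate.

```python
"""Model of the foreground index-synchronization options (added example,
not PKWARE code). Store and index are dicts: member name -> CertFields."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CertFields:
    """Subset of the fields the index keeps per certificate."""
    subject: str
    pubkey_hash: str   # two members with the same hash hold the same key
    serial: str
    valid: str


def remove_unmatched_index_entries(index, store):
    """Drop index entries whose PDS member no longer exists."""
    orphans = [m for m in index if m not in store]
    for m in orphans:
        del index[m]
    return orphans


def delete_duplicate_key_certificates(index, store):
    """Delete unindexed members whose public key is already indexed.
    The index is trusted as-is, so an orphan entry still counts as the owner."""
    owner_by_key = {}
    for member, fields in index.items():
        owner_by_key.setdefault(fields.pubkey_hash, member)
    deleted = []
    for member in list(store):
        if member in index:
            continue
        owner = owner_by_key.get(store[member].pubkey_hash)
        if owner is not None and owner != member:
            del store[member]
            deleted.append(member)
    return deleted


def index_unresolved_certificates(index, store):
    """Index members that have no entry yet, as if Add had been run for them."""
    added = [m for m in store if m not in index]
    for m in added:
        index[m] = store[m]
    return added


def refresh_existing_fields(index, store):
    """Re-read each indexed certificate and replace stale index fields."""
    refreshed = [m for m in index if m in store and index[m] != store[m]]
    for m in refreshed:
        index[m] = store[m]
    return refreshed


def synchronize(index, store):
    """Run the options in the recommended order; return what each one did."""
    return {
        "removed_index_entries": remove_unmatched_index_entries(index, store),
        "deleted_members": delete_duplicate_key_certificates(index, store),
        "indexed_members": index_unresolved_certificates(index, store),
        "refreshed_members": refresh_existing_fields(index, store),
    }


def sample_state():
    """Constructed sample: OLDCERT was removed from the PDS by hand and
    replaced by NEWCERT carrying the same key; CERT1B is a re-added copy
    of CERT1; the index's validity field for CERT1 is stale."""
    k_bob, k_alice = "sha1:0b0b...", "sha1:a11ce..."
    store = {
        "CERT1":   CertFields("CN=Alice", k_alice, "01", "2024/01/01-2026/01/01"),
        "CERT1B":  CertFields("CN=Alice", k_alice, "01", "2024/01/01-2026/01/01"),
        "NEWCERT": CertFields("CN=Bob",   k_bob,   "07", "2025/01/01-2027/01/01"),
    }
    index = {
        "OLDCERT": CertFields("CN=Bob",   k_bob,   "03", "2022/01/01-2024/01/01"),
        "CERT1":   CertFields("CN=Alice", k_alice, "01", "2023/01/01-2025/01/01"),
    }
    return index, store


def duplicates_deleted_without_cleanup():
    """The hazard: deleting duplicates while OLDCERT's orphan entry remains
    also deletes NEWCERT, Bob's only remaining certificate."""
    index, store = sample_state()
    return delete_duplicate_key_certificates(index, store)


if __name__ == "__main__":
    print("without cleanup, deleted:", duplicates_deleted_without_cleanup())
    index, store = sample_state()
    print("recommended order:", synchronize(index, store))
    print("index:", sorted(index), "store:", sorted(store))
```

Running the duplicate deletion first removes both CERT1B (a true duplicate) and NEWCERT (not a duplicate of anything that still exists); the recommended order removes only CERT1B, indexes NEWCERT, and refreshes CERT1's stale fields.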


Generated JCL for Synchronization

****** ********************************* Top of Data ****************************
//FPDCS1 JOB 'ACCOUNTING INFO',CLASS=A,REGION=8M,
// MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID
//*
//******************************************************************
//* PLEASE BE SURE PROCEDURE PKISPF IN INSTLIB HAS BEEN TAILORED *
//* TO MEET YOUR SITES SPECIFICATIONS.                           *
//******************************************************************
// JCLLIB ORDER=PKWARE.MVS.INSTLIB
//JOBLIB DD DISP=SHR,DSN='PKWARE.MVS.LOAD'
//*
//* GENERATED JCL TO BUILD DATA BASE FROM CERTIFICATE STORE
//* BUILD SEQ DATABASE FROM PUBLIC STORE
//PDS2DBPB EXEC PKISPF
//STDOUT DD SYSOUT=*
//STDERR DD SYSOUT=*
//ISPF.SYSTSIN DD *
ISPSTART CMD(%RMPDS2DB PKWARE.MVS.CERTSTOR.PUBLIC +
FPD.CERT.SEQDBPUB.TEMP )
//* BUILD SEQ DATABASE FROM PRIVATE STORE
//PDS2DBPV EXEC PKISPF
//STDOUT DD SYSOUT=*
...

Review and SUBmit the JOB.

CA, Root, and CRL Verification

SecureZIP Local Certificate Store
Command ===>
            Verify CA / Root / Revocation List Store
Active Store Configuration: 'SECZIP.FPD.PROFILES(DBPSTD)'

Select Store for viewing: (Default is all)
  Certificate-Authority
  Root
  Revocation List

Press ENTER to continue.

This panel (Option 2) is used to select the type of store.

Place a “Y” for CA, Root, or CRL or simply press “Enter” to verify the stores.

*********************************************************** Top of Data
PKCSDEL - Verify CA / Root / CRL Store  2 Feb 2006 12:07:18
PKCSDEL - CA=SECZIP.FPDSTD.CERTSTOR.P7CA
SUCCESS: CA Store '//'SECZIP.FPDSTD.CERTSTOR.P7CA'' verified successfully. 1 certificates found.
PKCSDEL - ROOT=SECZIP.FPDSTD.CERTSTOR.P7ROOT
SUCCESS: Root Store '//'SECZIP.FPDSTD.CERTSTOR.P7ROOT'' verified successfully. 1 certificates found.

The panel above is the output from the verify process.


Report DB Statistics

SecureZIP Local Certificate Store
Option ===>
            Local Certificate Store Administration
  1  View Certificate Entries (ISPF Table)
  2  List DB Certificate Entries
  3  Add new Certificates to the Local Store
  4  Delete a Certificate from the Local Store
  5  Re-synchronize the Index for the Local Store
  6  Report DB Statistics
  7  Edit Active DB Profile
  8  Supplemental Administration Utilities

Option 6 – Report DB Statistics

Generates a view of the local certificate store information. This view will contain details on the certificate datasets, the local store data base, and the path/alternate indexes to the local store data base.

Public Certificate Dataset Information
  Data Set Name          = PKWARE.MVS.CERTSTOR.PUBLIC
  Number of certificates = 2

  Dataset Organization   = PDS
  Record Format          = VB
  Logical Record Length  = 27994
  Block Size             = 27998
  Space Type             = CYLINDER
  Primary Allocation     = 10
  Secondary Allocation   = 1
  Total Allocated        = 10
  Allocated extents      = 1
  Used Extents           = 1
  Directory Blocks
    Allocated            = 400
    Used                 = 1

Private Certificate Dataset Information
  Data Set Name          = PKWARE.MVS.CERTSTOR.PRIVATE
  Number of certificates = 2

  Dataset Organization   = PDS
  Record Format          = VB
  Logical Record Length  = 27994
  Block Size             = 27998
  Space Type             = CYLINDER
  Primary Allocation     = 10
  Secondary Allocation   = 1
  Total Allocated        = 10
  Allocated extents      = 1
  Used Extents           = 1
  Directory Blocks
    Allocated            = 400
    Used                 = 1

Public Certificate Store DataBase Information
  Data Set Name        = PKWARE.MVS.CERTSTOR.DBX
  Cluster Name         = PKWARE.MVS.CERTSTOR.DBX

  Data Name            = PKWARE.MVS.CERTSTOR.DBX.DATA
  Space Type           = CYLINDER
  Primary Allocation   = 1
  Secondary Allocation = 2
  Percent Free Space   = 98
  Total Records        = 4
  High Allocated RBA   = 829440
  High Used RBA        = 829440

  Index Name           = PKWARE.MVS.CERTSTOR.DBX.INDEX
  Space Type           = TRACK
  Primary Allocation   = 1
  Secondary Allocation = 1
  Total Records        = 1
  High Allocated RBA   = 33792
  High Used RBA        = 1024

Public Certificate Store DataBase Alternate Indexes with Path
  Alternate Index Name = PKWARE.MVS.CERTSTOR.DBXCN
  Cluster Name         = PKWARE.MVS.CERTSTOR.DBX

  Data Name            = PKWARE.MVS.CERTSTOR.DBXCN.DATA
  Space Type           = CYLINDER
  Primary Allocation   = 1
  Secondary Allocation = 1
  Percent Free Space   = 98
  Total Records        = 2
  High Allocated RBA   = 829440
  High Used RBA        = 829440

  Index Name           = PKWARE.MVS.CERTSTOR.DBXCN.INDEX
  Space Type           = TRACK
  Primary Allocation   = 1
  Secondary Allocation = 1
  Total Records        = 1
  High Allocated RBA   = 25088
  High Used RBA        = 512

  Path Name            = PKWARE.MVS.CERTSTOR.PATHCN

Public Certificate Store DataBase Alternate Indexes with Path
  Alternate Index Name = PKWARE.MVS.CERTSTOR.DBXEM
  Cluster Name         = PKWARE.MVS.CERTSTOR.DBX

  Data Name            = PKWARE.MVS.CERTSTOR.DBXEM.DATA
  Space Type           = CYLINDER
  Primary Allocation   = 1
  Secondary Allocation = 1
  Percent Free Space   = 98
  Total Records        = 2
  High Allocated RBA   = 829440
  High Used RBA        = 829440

  Index Name           = PKWARE.MVS.CERTSTOR.DBXEM.INDEX
  Space Type           = TRACK
  Primary Allocation   = 1
  Secondary Allocation = 1
  Total Records        = 1
  High Allocated RBA   = 25088
  High Used RBA        = 512

  Path Name            = PKWARE.MVS.CERTSTOR.PATHEM

Public Certificate Store DataBase Alternate Indexes with Path
  Alternate Index Name = PKWARE.MVS.CERTSTOR.DBXPUBK
  Cluster Name         = PKWARE.MVS.CERTSTOR.DBX

  Data Name            = PKWARE.MVS.CERTSTOR.DBXPUBK.DATA
  Space Type           = CYLINDER
  Primary Allocation   = 1
  Secondary Allocation = 1
  Percent Free Space   = 98
  Total Records        = 2
  High Allocated RBA   = 829440
  High Used RBA        = 829440

  Index Name           = PKWARE.MVS.CERTSTOR.DBXPUBK.INDEX
  Space Type           = TRACK
  Primary Allocation   = 1
  Secondary Allocation = 1
  Total Records        = 1
  High Allocated RBA   = 25088
  High Used RBA        = 512

  Path Name            = PKWARE.MVS.CERTSTOR.PATHPUBK

Edit Active DB Profile

Option 7 – Edit Active DB Profile

SecureZIP for z/OS uses a set of configuration commands to determine the location of Public and Private Certificates via an index. The commands can be grouped together within a PDS or PDSE member as a Data Base profile.

Specify the dataset (and member) of a saved DB profile.

File  Edit  Edit_Settings  Menu  Utilities  Compilers  Test  Help
---------------------------------------------------------------------------------------
EDIT       SECZIP.FPD.PROFILES(DBPROF) - 01.00                    Columns 00001 00080
Command ===>                                                          Scroll ===> CSR
****** ********************************* Top of Data **********************************
***
* LOCAL CERTIFICATE STORE CONFIGURATION CONTROL
*
* Include this member in SecureZIP runs requiring Local Certificate
* Store RECIPIENTS, SIGN_ARCHIVE, SIGN_FILES and AUTHCHK signatories.
***
-{CSPUB=4;1;SECZIP.FPD.CERTSTOR.PUBLIC}
-{CSPRVT=4;1;SECZIP.FPD.CERTSTOR.PRIVATE}
-{CSPUB_DBX=SECZIP.FPD.CERTSTOR.DBX}
-{CSPUB_DBX_PATH_CN=SECZIP.FPD.CERTSTOR.PATHCN}
-{CSPUB_DBX_PATH_EM=SECZIP.FPD.CERTSTOR.PATHEM}
-{CSPUB_DBX_PATH_PUBKEY=SECZIP.FPD.CERTSTOR.PATHPUBK}
-{CSCA=1;0;SECZIP.FPD.CERTSTOR.P7CA}
-{CSROOT=1;0;SECZIP.FPD.CERTSTOR.P7ROOT}
-{AUTHENTICATE=TRUSTED,EXPIRED,NOTREVOKED,TAMPERCHECK}
****** ******************************** Bottom of Data ********************************
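Because a DB profile is a plain member of `*` comment lines and `-{NAME=value}` commands, it is easy to check one before it is included in a production job. The following is an added example, not PKWARE code: it parses the profile format shown in the listing above, splits the `;`-separated store values and the `,`-separated AUTHENTICATE list into fields without assigning them a meaning, and reports which of the keys set in that listing are absent. Treating exactly that key set as required is the example's own assumption, as are the helper names; the sample profile is the one from the listing.

```python
"""Parser and completeness check for a SecureZIP DB profile member
(added example, not PKWARE code)."""
import re

COMMAND = re.compile(r"^-\{([A-Z0-9_]+)=(.*)\}$")

# Assumption: a complete profile sets every key the sample profile above sets.
EXPECTED_KEYS = (
    "CSPUB", "CSPRVT", "CSPUB_DBX", "CSPUB_DBX_PATH_CN", "CSPUB_DBX_PATH_EM",
    "CSPUB_DBX_PATH_PUBKEY", "CSCA", "CSROOT", "AUTHENTICATE",
)


def parse_profile(text):
    """Return {NAME: value}; value is a list when it carries ';' or ',' fields."""
    profile = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("*"):
            continue                      # comment or blank line
        m = COMMAND.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a comment or -{{NAME=value}} command: {line!r}")
        name, value = m.groups()
        if name in profile:
            raise ValueError(f"line {lineno}: {name} is set more than once")
        if ";" in value:
            profile[name] = value.split(";")
        elif "," in value:
            profile[name] = value.split(",")
        else:
            profile[name] = value
    return profile


def missing_keys(profile, expected=EXPECTED_KEYS):
    """Keys from the expected set that the profile does not set."""
    return [k for k in expected if k not in profile]


def data_set_names(profile):
    """Data set names the CS* commands reference: the last ';' field of the
    store commands, or the whole value of the DBX and PATH commands."""
    names = {}
    for name, value in profile.items():
        if name.startswith("CS"):
            names[name] = value[-1] if isinstance(value, list) else value
    return names


# The DBPROF member shown in the listing above.
SAMPLE_PROFILE = """\
***
* LOCAL CERTIFICATE STORE CONFIGURATION CONTROL
*
* Include this member in SecureZIP runs requiring Local Certificate
* Store RECIPIENTS, SIGN_ARCHIVE, SIGN_FILES and AUTHCHK signatories.
***
-{CSPUB=4;1;SECZIP.FPD.CERTSTOR.PUBLIC}
-{CSPRVT=4;1;SECZIP.FPD.CERTSTOR.PRIVATE}
-{CSPUB_DBX=SECZIP.FPD.CERTSTOR.DBX}
-{CSPUB_DBX_PATH_CN=SECZIP.FPD.CERTSTOR.PATHCN}
-{CSPUB_DBX_PATH_EM=SECZIP.FPD.CERTSTOR.PATHEM}
-{CSPUB_DBX_PATH_PUBKEY=SECZIP.FPD.CERTSTOR.PATHPUBK}
-{CSCA=1;0;SECZIP.FPD.CERTSTOR.P7CA}
-{CSROOT=1;0;SECZIP.FPD.CERTSTOR.P7ROOT}
-{AUTHENTICATE=TRUSTED,EXPIRED,NOTREVOKED,TAMPERCHECK}
"""

if __name__ == "__main__":
    p = parse_profile(SAMPLE_PROFILE)
    print("missing:", missing_keys(p))
    for name, dsn in data_set_names(p).items():
        print(f"{name:22} -> {dsn}")
```

A profile that sets only the six CSPUB/CSPRVT/DBX/PATH commands (like the one echoed in the IVP output further down) parses fine but is reported as lacking CSCA, CSROOT and AUTHENTICATE, which is worth knowing before relying on it for AUTHCHK runs.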

Option 8 – Supplemental Administration Utilities

Included within the Supplemental Administration Utilities option you will see the ability to run report statistics (1), run the installation verification job (2) and the backup and restore process (3).

Report Statistics

See Option 6, “Report DB Statistics,” above.


Run Installation Verification Job

By selecting this option SecureZIP for z/OS will validate your configuration. Submit the job and review the output.

File  Edit  Edit_Settings  Menu  Utilities  Compilers  Test  Help
--------------------------------------------------------------------------------
EDIT       FPD.SPFTEMP4.CNTL                                    Columns 00001
Command ===>                                                          Scroll
****** ********************************* Top of Data
//FPDCS1 JOB 'ACCOUNTING INFO',CLASS=A,REGION=8M,
// MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID
//*
//******************************************************************
//* PLEASE BE SURE PROCEDURE PKISPF IN INSTLIB HAS BEEN TAILORED *
//* TO MEET YOUR SITE'S SPECIFICATIONS.                          *
//******************************************************************
// JCLLIB ORDER=PKWARE.MVS.INSTLIB
//JOBLIB DD DISP=SHR,DSN='PKWARE.MVS.LOAD'
//*
//***
//* CLEANUP RESIDUAL WORK ARCHIVE
//* STORE.
//***
//CLEAN1 EXEC PGM=IEFBR14
//DEL DD DISP=(MOD,DELETE),DSN=FPD.IVPDB.ZIP,SPACE=(TRK,(0))
//***
//* ZIP A TEST FILE USING A -RECIPIENT FROM THE LOCAL CERTIFICATE
//* STORE.
//***
//SECZIP EXEC PGM=SECZIP

CS IVP Sample Output

Portions of the output from the SecureZIP for z/OS CS IVP steps.

ZPLI001I SecureZIP(R) for z/OS, Version 10.0 - 09/13/07 11.47 LVL(Q1) ZPLI001I Portions copyright (C) 1989-2007 PKWARE, Inc. All rights reserved. ZPLI001I SecureZIP(R) is a trademark of PKWARE, Inc. ZPLI001I Registered, Processor Type=2096 Processor Group=00 Serial Number=01FECE Model=O04 ZPLI001I OS Level: HBB7730 SP7.0.8 -INCLUDE_CMD=SECZIP.IVP.JCL(DEVCERT1) -ECHO=N -INFILE_DD(INFILE) -ARCHOUTDD(ARCHOUT) -RECIPIENT(DB:CN=PKWARE TEST1,R) -ENCRYPTION_METHOD(AES128) -VERBOSE -LOGGING_LEVEL(VERBOSE) -INCLUDE_CMD=PKWARE.MVS.JCL(DBPROF) ZPCM027I Including commands from PKWARE.MVS.JCL(DBPROF) *---------------------------------------------------------------------* * PROFILE PKWARE.MVS.JCL(DBPROF) * *---------------------------------------------------------------------* * DATABASE ACCESS CONTROL CARDS -{CSPUB=4;1;PKWARE.MVS.CERTSTOR.PUBLIC} -{CSPRVT=4;1;PKWARE.MVS.CERTSTOR.PRIVATE} -{CSPUB_DBX=PKWARE.MVS.CERTSTOR.DBX} -{CSPUB_DBX_PATH_CN=PKWARE.MVS.CERTSTOR.PATHCN} -{CSPUB_DBX_PATH_EM=PKWARE.MVS.CERTSTOR.PATHEM} -{CSPUB_DBX_PATH_PUBKEY=PKWARE.MVS.CERTSTOR.PATHPUBK} ZPCM011I Processing EXEC PARM parameters ZPCS200I Opening Common Name DB Index (//'PKWARE.MVS.CERTSTOR.PATHCN')

Page 126: PKZIP SecureZIP for z/OS - CacheFly · SecureZIP for z/OS uses the widely-adopted ZIP format and creates files that can be accessed on all major platforms throughout the enterprise.

118 PKZIP/SecureZIP for z/OS 11.1 System Administrator’s Guide

ZPEN110I Locating Digital Certificates ... ZPCM023I Digital Certificate Store Configuration {CSCA=1;1;PKWARE.MVS.CERTSTOR.PUBLIC(CAP7)} {CSROOT=1;1;PKWARE.MVS.CERTSTOR.PUBLIC(ROOTP7)} {LDAP=1;192.168.1.54;4389;1;0;CN=LDAP Administrator;secret;;O=PKWARE;} {CSPUB=4;1;PKWARE.MVS.CERTSTOR.PUBLIC} {CSPRVT=4;1;PKWARE.MVS.CERTSTOR.PRIVATE} {CSPUB_DBX=PKWARE.MVS.CERTSTOR.DBX} {CSPUB_DBX_PATH_CN=PKWARE.MVS.CERTSTOR.PATHCN} {CSPUB_DBX_PATH_EM=PKWARE.MVS.CERTSTOR.PATHEM} {CSPUB_DBX_PATH_PUBKEY=PKWARE.MVS.CERTSTOR.PATHPUBK} ZPCM023C --------------------------------------- ZPCM024I Digital Certificate Request List ZPCM024C Req'd Public Recipient //'PKWARE.MVS.CERTSTOR.PUBLIC(PUB1CERT)' ZPCM024C FILE FOUND *REQUIRED* ZPCM024C -------------------------------- ZPCM025I Digital Certificates Found: 1 ZPCM025C PKWARE Test1;[email protected]; ZPCM025C -------------------------------- ZPAP900I NO API REQUIRED ZPAM030I OUTPUT Archive opened: FPD.IVPDB.ZIP ZPCM017I A total of 1 ADD/UPDATE candidate file(s) were identified. ZPCO100I Compression Task { 5} TCB: 008D4698 Started. ZPCM100I Configuration Manager Shutdown. Posting Main Task: 00000000 ZPAM253I ADDED File PKWARE.MVS.INSTLIB($COPYRIT) ZPAM254I as PKWARE/MVS/INSTLIB/$COPYRIT ZPAM255I (DEFLATED 31%/30%) SecureZIP(R): AES128 ORIG. SIZE 1,280; ZIP ZPAM140I FILES: ADDED EXCLUDED BYPASSED IN ERROR ZPAM140I 1 0 0 0 ZPAM101I Archive Manager Task { 3} TCB: 008D4A98 shutdown begun. ZPAM109I Archive Manager Task { 3} TCB: 008D4A98 shutdown complete. ZPCO101I Compression Task { 5} TCB: 008D4698 shutdown begun. ZPCO109I Compression Task { 5} TCB: 008D4698 shutdown complete. ZPMT002I PKZIP processing complete. RC=00000000 0(Dec) ZPLI001I SecureZIP(R) for z/OS, Version 10.0 - 09/13/07 11.47 LVL(Q1) ZPLI001I Portions copyright (C) 1989-2007 PKWARE, Inc. All rights reserved. ZPLI001I SecureZIP(R) is a trademark of PKWARE, Inc. 
ZPLI001I Registered, Processor Type=2096 Processor Group=00 Serial Number=01FECE Model=O04 ZPLI001I OS Level: HBB7730 SP7.0.8 -INCLUDE_CMD=SECZIP.IVP.JCL(DEVCERT1) -ECHO=N -ARCHINDD(ARCHIN) -VIEWDETAIL -ACTION(VIEWDETAIL) -VERBOSE -LOGGING_LEVEL(VERBOSE) -INCLUDE_CMD=PKWARE.MVS.JCL(DBPROF) ZPCM027I Including commands from PKWARE.MVS.JCL(DBPROF) *---------------------------------------------------------------------* * PROFILE PKWARE.MVS.JCL(DBPROF) * *---------------------------------------------------------------------* * DATABASE ACCESS CONTROL CARDS -{CSPUB=4;1;PKWARE.MVS.CERTSTOR.PUBLIC} -{CSPRVT=4;1;PKWARE.MVS.CERTSTOR.PRIVATE} -{CSPUB_DBX=PKWARE.MVS.CERTSTOR.DBX} -{CSPUB_DBX_PATH_CN=PKWARE.MVS.CERTSTOR.PATHCN} -{CSPUB_DBX_PATH_EM=PKWARE.MVS.CERTSTOR.PATHEM} -{CSPUB_DBX_PATH_PUBKEY=PKWARE.MVS.CERTSTOR.PATHPUBK} ZPCM011I Processing EXEC PARM parameters ZPAP900I NO API REQUIRED ZPCM100I Configuration Manager Shutdown. Posting Main Task: 00000000 ZPAM030I INPUT Archive opened: FPD.IVPDB.ZIP ZPAM014I 1 file(s) are in the input Archive. ZPAM012I ZIP comment: SecureZIP for z/OS by PKWARE ZPAM013I ********************************************************************************* ZPAM001I Filename: PKWARE/MVS/INSTLIB/$COPYRIT ZPAM002I File type: TEXT

Page 127: PKZIP SecureZIP for z/OS - CacheFly · SecureZIP for z/OS uses the widely-adopted ZIP format and creates files that can be accessed on all major platforms throughout the enterprise.

Chapter 4 Certificate Store Management 119

ZPAM003I Date/Time: 11-JUN-2005 05:24:00
ZPAM004I Compression Method: Deflate- Super Fast
ZPAM005I Compressed Size: 900
ZPAM006I Uncompressed Size: 1,313
ZPAM007I 32-bit CRC: A6B5182A LHDR Offset: 0
ZPAM008I Created by: PK zSeries 8.1
ZPAM009I Needed to extract: PKUNZIP 6.1
ZPAM010I Encryption: AES_128 Certificate Key BSAFE(R)
ZPAM301I File Type: NONVSAM PDS
ZPAM302I File PDS Directory Blocks: 25
ZPAM303I File Record Format: FB
ZPAM304I File Allocation Type: BLK
ZPAM305I File Primary Space Allocated: 78
ZPAM306I File Secondary Space Allocated: 20
ZPAM307I File Record Size: 80
ZPAM308I File Block Size: 27920
ZPAM309I File Volume(s) Used: DEV002
ZPAM310I File Creation Date: 2004/07/23
ZPAM311I File Referenced Date: 2005/06/11
ZPAM319I SMS Storage Class: DEV
ZPAM312I File PDS Extended Directory Information:
DIRECTORY INFORMATION FOLLOWS LENGTH=00001E
000000 01010006 0104161F 0104161F 11480010 |................|
000010 00100000 D4C1E240 40404040 40400000 |....
ZPAM313I PDS member TTRKZC: 00210300000F
ZPAM320I 1 recipient(s) were designated:
ZPCS200I Opening Public Key DB Index (//'PKWARE.MVS.CERTSTOR.PATHPUBK')
ZPAM321I Recipient: PKWARE Test1
ZPAM322I Public Key Hash: 830A0AE9DBF0496954763862126ECE7A34BB7A56
ZPAM323I Email: [email protected]
ZPAM324I Cert: //'PKWARE.MVS.CERTSTOR.PUBLIC(PUB1CERT)'
ZPAM013I *********************************************************************************
ZPAM140I FILES: VIEWED EXCLUDED BYPASSED IN ERROR
ZPAM140I            1        0        0        0
ZPAM101I Archive Manager Task { 3} TCB: 008D4A98 shutdown begun.
ZPAM109I Archive Manager Task { 3} TCB: 008D4A98 shutdown complete.
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)
ZPGE001T UNZIP STARTUP STORAGE QUERY: 24BIT= 8208K 31BIT= 32768K CACHE=
ZPLI001I SecureZIP(R) for z/OS, Version 10.0 - 09/13/07 11.47 LVL(Q1)
ZPLI001I Portions copyright (C) 1989-2007 PKWARE, Inc. All rights reserved.
ZPLI001I SecureZIP(R) is a trademark of PKWARE, Inc.
ZPLI001I Registered, Processor Type=2096 Processor Group=00 Serial Number=01FECE Model=O04
ZPLI001I OS Level: HBB7730 SP7.0.8
-INCLUDE_CMD=SECZIP.IVP.JCL(DEVCERT1)
-ECHO=N
-ARCHINDD(ARCHIN)
-RECIPIENT(DB:CN=PKWARE TEST1,R,PASSWORD=******)
-TEST
-ACTION(TEST)
-VERBOSE
-LOGGING_LEVEL(VERBOSE)
-INCLUDE_CMD=PKWARE.MVS.JCL(DBPROF)
ZPCM027I Including commands from PKWARE.MVS.JCL(DBPROF)
*---------------------------------------------------------------------*
* PROFILE PKWARE.MVS.JCL(DBPROF)                                      *
*---------------------------------------------------------------------*
* DATABASE ACCESS CONTROL CARDS
-{CSPUB=4;1;PKWARE.MVS.CERTSTOR.PUBLIC}
-{CSPRVT=4;1;PKWARE.MVS.CERTSTOR.PRIVATE}
-{CSPUB_DBX=PKWARE.MVS.CERTSTOR.DBX}
-{CSPUB_DBX_PATH_CN=PKWARE.MVS.CERTSTOR.PATHCN}
-{CSPUB_DBX_PATH_EM=PKWARE.MVS.CERTSTOR.PATHEM}
-{CSPUB_DBX_PATH_PUBKEY=PKWARE.MVS.CERTSTOR.PATHPUBK}
ZPCM011I Processing EXEC PARM parameters
ZPCS200I Opening Common Name DB Index (//'PKWARE.MVS.CERTSTOR.PATHCN')
ZPEN110I Locating Digital Certificates ...
ZPCM023I Digital Certificate Store Configuration

{CSCA=1;1;PKWARE.MVS.CERTSTOR.PUBLIC(CAP7)}
{CSROOT=1;1;PKWARE.MVS.CERTSTOR.PUBLIC(ROOTP7)}
{LDAP=1;192.166.54;4389;1;0;CN=LDAP Administrator;secret;;O=PKWARE;}
{CSPUB=4;1;PKWARE.MVS.CERTSTOR.PUBLIC}
{CSPRVT=4;1;PKWARE.MVS.CERTSTOR.PRIVATE}
{CSPUB_DBX=PKWARE.MVS.CERTSTOR.DBX}
{CSPUB_DBX_PATH_CN=PKWARE.MVS.CERTSTOR.PATHCN}
{CSPUB_DBX_PATH_EM=PKWARE.MVS.CERTSTOR.PATHEM}
{CSPUB_DBX_PATH_PUBKEY=PKWARE.MVS.CERTSTOR.PATHPUBK}
ZPCM023C ---------------------------------------
ZPCM024I Digital Certificate Request List
ZPCM024C Req'd Private Recipient //'PKWARE.MVS.CERTSTOR.PRIVATE(PVT1CERT)'
ZPCM024C FILE FOUND *REQUIRED*
ZPCM024C --------------------------------
ZPAP900I NO API REQUIRED
ZPAM030I INPUT Archive opened: FPD.IVPDB.ZIP
ZPCM100I Configuration Manager Shutdown. Posting Main Task: 00000000
ZPEX100I Extract Task { 5} TCB: 008D4678 Started.
ZPEN109T BSAFE(R) CryptoC request code= 3594 kPKErr_BSISetKeyInf
ZPEX001I tested okay PKWARE/MVS/INSTLIB/$COPYRIT
ZPAM140I FILES: TESTED EXCLUDED BYPASSED IN ERROR
ZPAM140I            1        0        0        0
ZPAM101I Archive Manager Task { 3} TCB: 008D4A98 shutdown begun.
ZPAM109I Archive Manager Task { 3} TCB: 008D4A98 shutdown complete.
ZPEX101I Extract Task { 5} TCB: 008D4678 shutdown begun.
ZPEX109I Extract Task { 5} TCB: 008D4678 shutdown complete.
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)

Backup and Restore Process

SecureZIP for z/OS allows you to back up your existing local certificate store. Selecting Option 8 and then option 3 starts the backup process.

Initial setup screen

Initially you are required to enter the dataset and member information in which to store the generated backup and restore JCL, along with a dataset name for the SecureZIP archive that will contain your local certificate store.

SECUREZIP OPTION ===>
Backup & Restore Profile

Profile Information
  Certstore Profile Dataset.: 'PKWARE.MVS.PROFILES(DBFPD1)'
  Last Backup Submit Date...:
  Archive Dataset - Enter V to View: 'FPD.CSBKUP.ZIP'

Process Options
  You can Create, Submit, Edit or View the backup and restore job stream
  Note: To track the last backup submit date you must use the submit option
        rather than issue the "SUB" command from an edit or view session
  Function C - Create, S - Submit, E - Edit, V -View
  Backup JCL ...............: 'FPD.JCLZ.CNTL(BK1)'
  Restore JCL ..............: 'FPD.JCLZ.CNTL(RS1)'

Archive Allocation Options for Backup
  Management class . . . PRIVATE    (Blank for default management class)
  Storage class . . . .  PRIVATE    (Blank for default storage class)
  Volume serial . . . .  FPD003     (Blank for system default volume)
  Device type . . . . .  3390       (Generic unit or device address)
  Data class . . . . . .            (Blank for default data class)
  Space units . . . . .  CYLINDER   (BLKS, TRKS, CYLS)
  Primary quantity . .   1          (In above units)
  Secondary quantity .   50         (In above units)

Main Backup and Restore Panel

This screen controls the types of processes that you can perform against the local certificate store. If you have done a previous backup, the ZIP archive name is displayed along with the date of the last backup. The datasets to be backed up are those pointed to by the certstore profile dataset.

Profile Information

This is the certificate store profile dataset that will be used to back up the local certificate store.

Archive Dataset

Name of the archive that you wish to create or use in a restore process.

If you select V, a VIEWDETAIL of the designated archive dataset is displayed.

Process Options

The options selected determine the functions performed:

Backup JCL

Enter C to Create the backup job stream
Enter S to Submit the backup job stream
Enter E to Edit the backup job stream
Enter V to View the backup job stream

Restore JCL

Enter C to Create the restore job stream
Enter S to Submit the restore job stream
Enter E to Edit the restore job stream
Enter V to View the restore job stream

You may also choose to save the JCL using a different member name or dataset name/member name combination.

SecureZIP Option ===>
Certstore Restore Options

Fill in any change information desired. Press ENTER to complete.
If no changes are made then the original values will be used

High Level Qualifier...: PKWARE.MVS
  Specify a different HLQ if desired.
  Note: Must contain the same number of nodes as the original.
  For example: Orig ==> QZIP.FPD.TEST    New ==> FPD.NEW.TEST

SMS Classes
  Management..........: TECHUSER
  Storage ...........: SUPPORT
  Data .. ...........:

Restore Volume........: SUP004
Restore Unit .........: 3390

Submit of a Restore JOB

When you submit the restore JCL, this screen appears and gives you the ability to restore the datasets in the archive using a different high level qualifier and/or different allocation options. If you press ENTER without making changes, the restore uses the default options.

Option ===>
Additional Input Control Cards for View Archive

Enter any control card(s) desired for the selected View option.
You may wish to view an archive using a Private Key Cert.
If the certificate is not in your profile you can place an -INCLUDE_CMD in the input stream.

Additional Control Card:
  1:
  2:
  3:
  4:

Archive Dataset View - V

Selecting V to view an existing archive displays a VIEWDETAIL of the designated archive dataset and generates a panel that allows you to place additional SecureZIP for z/OS control cards into the command stream. You can then add private key certificate information if the archive to be viewed has been encrypted.

Backing Up SecureZIP Partner for z/OS

An external utility such as DFDSS should be used to perform backup/restore operations for all local certificate store components. All components should be backed up and restored collectively to maintain store integrity.

Sample jobs are provided in INSTLIB(CSDSSBKP) and INSTLIB(CSDSSRST) to perform backup and restore operations respectively.

Important: When performing a RESTORE operation, do not rename the data sets. Renaming them will invalidate index references in the certificate store.

Directory Certificate Store Configuration - LDAP

This section assists with defining the network connectivity associated with LDAP compliant directory access. Please note that prior to using LDAP services to locate public key digital certificates for RECIPIENT processing, network connections must be defined.

Command settings will be kept in an LDAP profile member for SecureZIP for z/OS to access during ZIP processing.

The LDAP connection commands can be coded manually; however, a series of panels and tools is provided to assist in properly formatting the command parameters and to test connectivity to the desired LDAP server.

SecureZIP Certificate Store Administration
Option ===>

Select one of the following options and press Enter:
  1 Local Certificate Store Administration
  2 LDAP Certificate Store Configuration
  3 x.509 Certificate Utilities
  4 ICSF CKDS Passphrase Registration Service

To access the LDAP certificate store configuration, enter “2” in the Option field from this panel.

Create/Test LDAP Profile Statements

This panel allows you to create configuration information, validate existing configuration information, and read information from an existing profile, if one is established.

SecureZIP LDAP Configuration Setup
Option ===>

LDAP Certificate Store Administration
  1 Edit Active LDAP Profile
  2 Create/Test LDAP Profile Statements

Active LDAP Profile: 'PKWARE.MVS.JCL(LDAPPROF)'
  -{LDAP=1;SCULPTOR1.PKWARE.COM;389;0;0;;;*CN;O=PKWARE}

To edit an existing LDAP profile, use the dataset and member name on the panel or enter a different dataset and/or member name and select “1” from this panel.

To create, test, and save LDAP profile information, select “2” from this panel.

Edit existing LDAP profile

File  Edit  Edit_Settings  Menu  Utilities  Compilers  Test  Help
EDIT       PKWARE.MVS.JCL(LDAPPROF) - 01.15
****** ***************************** Top of Data ******************************
000001 -{LDAP=1;SCULPTOR1.PKWARE.COM;389;0;0;;;*CN;O=PKWARE}
****** **************************** Bottom of Data ****************************

The results from selecting “1” are shown in this panel. You can change any information necessary and PF3 out of edit to save the changes.

Create/Test LDAP Link

This panel assists the SecureZIP for z/OS administrator in configuring and testing LDAP connections. The following functions are covered:

Create new LDAP Profile Settings

Read values from an existing LDAP Profile with the LOAD command

Test an LDAP connection with PING and TEST commands

Save settings to an LDAP Profile

SecureZIP Create/Test LDAP Link
OPTION ===>

Active LDAP Profile: 'PKWARE.MVS.JCL(LDAPPROF)'
LDAP Number 1

Connect Information
  * Server Address/IP...:
  * Server Port.........: 389
    Connect USERID......:
    Connect Password....:
    Search Timeout......: 0

LDAP Search Configuration
  Starting Node *
    >
    >
  Default Filter Type.: *CN   (*EMAIL,*CN)

The following commands may be copied to an LDAP Profile:
  { ... undefined ...}

Create New LDAP Profile Settings

Fill in the required parameters and press ENTER to generate LDAP profile settings. These can then be copied and pasted into an LDAP profile member using the copy and paste functions of your terminal emulator.

You may change fields and press ENTER to generate new settings.

SecureZIP Create/Test LDAP Link
OPTION ===>                                                        More: +

Active LDAP Profile: 'PKWARE.MVS.JCL(LDAPPROF)'
LDAP Number 1

Connect Information
  * Server Address/IP...: SCULPTOR1.PKWARE.COM
  * Server Port.........: 389
    Connect USERID......:
    Connect Password....:
    Search Timeout......: 0

LDAP Search Configuration
  Starting Node *
    > O=PKWARE
    >
  Default Filter Type.: *CN   (*EMAIL,*CN)

The following commands may be copied to an LDAP Profile:
  -{LDAP=1;SCULPTOR1.PKWARE.COM;389;0;0;;;*CN;O=PKWARE}

Load Existing LDAP Profile

With the Load option you read values from an existing LDAP profile.

SecureZIP Create/Test LDAP Link
OPTION ===> LOAD                                                   More: +

Active LDAP Profile: 'PKWARE.MVS.JCL(LDAPPROF)'
LDAP Number 1

Connect Information
  * Server Address/IP...: SCULPTOR1.PKWARE.COM
  * Server Port.........: 4389
    Connect USERID......:
    Connect Password....:
    Search Timeout......: 0

LDAP Search Configuration
  Starting Node *
    > O=PKWARE
    >
  Default Filter Type.: *CN   (*EMAIL,*CN)

The following commands may be copied to an LDAP Profile:
  -{LDAP=1;SCULPTOR1.PKWARE.COM;389;0;0;;;*CN;O=PKWARE}

When an active LDAP profile is provided on the LDAP configuration setup screen, then a predefined LDAP command can be retrieved for testing or use as a model for a new setting. Specify the LDAP number, type LOAD into the command OPTION and press ENTER. If that LDAP number is in the active profile, the settings will be loaded into the screen.

Testing the LDAP Connection

Once the profile commands have been generated, you may verify that a connection to the intended LDAP server can be established by using the PING and TEST options:

When creating a configuration for an LDAP server at a new network address, it is recommended that a PING test be performed first.

OPTION ===> PING

The PING option will perform a "TSO PING" command to verify that the network address can be resolved and the associated IP address reached. Once completed, a BROWSE of the output will be automatically presented. Be aware that some network administrators may turn off PING response capabilities, so it is possible that the PING may time out even if the network name (e.g. www.pkware.com) can be resolved to an IP address.

************************************************
Attempting PING to SCULPTOR1.PKWARE.COM
************************************************
CS V1R4: Pinging host PKZ4 (193.178.1.64)
Ping #1 response took 0.000 seconds.

Possible errors can be:

The network address cannot be resolved by the domain name server

EZZ3111I Unknown host www.unknown-name.com

Network services may be down along the routes to reach the IP address.

HOST unreachable

The specified host may not be up, or is not accepting PING requests.

Timed out

OPTION ===> TEST [optional-filter] [LIST]

The TEST option will call utility program PKZLDAPT to perform a bind request with the specified server, logon (if a userid/password combination is required), and then perform a search based on a filter. Once completed, a BROWSE of the output will be automatically presented.

The default LDAP search filter used is (&(userCertificate=*)), which gives a summary count of the total number of LDAP entries containing a userCertificate. An optional filter may be specified with the test command. Note that the requested filter will automatically be surrounded by (&...) to complete the LDAP syntax. See the samples below for typical syntax.

Specifying LIST causes some detailed information for the LDAP entries to be listed. The default is to display a summary count of the number of LDAP entries located that match the search filter.

Test Program Notes:

Default Filter Type is not used with the test option. It is only used during live SecureZIP for z/OS processing of RECIPIENTS.

The filter is not retained in the LDAP configuration. It is only used for testing the connection during the administration process.

A long delay (up to a few minutes) may occur if network timeout values are set high. You should contact your network technical support staff regarding network timeout settings.

Sample TEST Syntax

To count all entries with a common name:

OPTION ===> test (cn=*)

To list all entries with a common name:

OPTION ===> test (cn=*) LIST

To restrict the search to common names representing a person:

OPTION ===> test (cn=Joe S*)(objectclass=person) LIST
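As an added example (not PKWARE's code), the following Python routine interprets a TEST option line the way this section describes PKZLDAPT's behaviour: an optional trailing LIST keyword, the default filter (&(userCertificate=*)) when no filter is typed, and the (&...) wrapping otherwise. The local syntax check before the filter is sent, and its restriction to simple (attribute=value) items like the samples above, are this example's own assumptions.

```python
import re

# Filter the page names as the default when the TEST option carries none.
DEFAULT_FILTER = "(&(userCertificate=*))"

# One simple filter item such as (cn=Joe S*) or (objectclass=person).
# Nested (|...) / (!...) groups are not handled: this check covers only the
# conjunction-of-items form shown in the samples (an assumption of this example).
_ITEM = re.compile(r"\(([A-Za-z][A-Za-z0-9.;-]*)(>=|<=|~=|=)([^()]*)\)")


def check_filter_items(user_filter):
    """Raise ValueError if user_filter is not a run of well-formed (attr=value)
    items; otherwise return the list of (attribute, operator, value) triples.
    Catching an unbalanced or malformed item here avoids a server-side error
    that would only show up in the BROWSE output of the test."""
    items = []
    rest = user_filter.strip()
    while rest:
        m = _ITEM.match(rest)
        if m is None:
            raise ValueError("malformed filter item near: %r" % rest)
        items.append(m.groups())
        rest = rest[m.end():].lstrip()
    if not items:
        raise ValueError("empty filter")
    return items


def parse_test_option(option_line):
    """Interpret 'test [filter] [LIST]' as the TEST option described above.
    Returns (ldap_filter, list_details): the filter that would be sent, i.e.
    the default when none was typed, otherwise the typed items wrapped in
    (&...), and whether LIST (detailed listing instead of a count) was asked."""
    tokens = option_line.strip().split()
    if not tokens or tokens[0].upper() != "TEST":
        raise ValueError("not a TEST option line: %r" % option_line)
    args = tokens[1:]
    list_details = bool(args) and args[-1].upper() == "LIST"
    if list_details:
        args = args[:-1]
    if not args:
        return DEFAULT_FILTER, list_details
    # Re-join with blanks because a value such as 'Joe S*' contains one.
    user_filter = " ".join(args)
    check_filter_items(user_filter)
    return "(&" + user_filter + ")", list_details


if __name__ == "__main__":
    for line in ("test", "test (cn=*) LIST",
                 "test (cn=Joe S*)(objectclass=person) LIST"):
        print(line, "->", parse_test_option(line))
```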

Output from the TEST Command

PKLDAPTEST LDAP Test Starting 2006/02/05 21:14:26
PKLDAPTEST Parameters:Action<S> - Server<SECZIP.PKWARE.COM> Port<4389> - User<> Password<0> - Start Node<O=PKWARE> - Search Filter<(&(cn=*))>
LDAP_intialTest - --LDAP init ..... elapsed time 0.000000 seconds
LDAP_intialTest - --LDAP bind ..... elapsed time 0.000000 seconds
LDAP_intialTest - --LDAP Search ..... elapsed time 0.000000 seconds
LDAP_intialTest - --LDAP Attributes ..... elapsed time 0.000000 seconds
LDAP_intialTest - Total Entries=15
PKLDAPTEST LDAP Testing Ending RC=0

Common Error Conditions for TEST

The bind phase to the server may fail with "Can't contact LDAP server" for any of the following reasons:

The network/IP address specified is invalid.

Use PING to gather additional information.

The network cannot resolve the route to reach the specified address.

Use PING to gather additional information.

The PORT for the LDAP server is not correct.

Verify the PORT number with the target system's network administrator regarding the LDAP server PORT assignment.

The LDAP server is down.

Output from the TEST Command with Errors

PKLDAPTEST LDAP Test Starting 2005/05/05 21:12:42
PKLDAPTEST Parameters:Action<s> - Server<seczip.pkware.com> Port<389> - User<> Password<0> - Start Node<o=pkware> - Search Filter<(&(userCertificate=*))>
LDAP_intialTest - --LDAP init ..... elapsed time 0.000000 seconds
LDAP_intialTest - could not bind sculptor1.pkware.com for rc=81 <Can't contact LDAP server>
PKLDAPTEST LDAP Testing Ending RC=0

Save Settings to an LDAP Profile

Press PF3 (END) to access the LDAP configuration setup screen. EDIT an LDAP profile member and paste the generated settings. Once you have completed the EDIT, you may return to this screen once again to generate and test additional connections.

Note: The input values will be retained throughout your SecureZIP for z/OS session for reference while working on new configurations. However, they will not be saved for future use once the SecureZIP for z/OS dialog has ended.

Please be aware that the LDAP profile may not contain any certificate validation policies for encryption. If the end user specifies only the LDAP profile without a local certificate store, then the SecureZIP default validation settings of TRUSTED and REVOKED will be enforced for the run. This will cause the job to fail during validation of the trusted certificate path because there are no CA and/or root certificates available for processing. If you wish to execute the SecureZIP job with the LDAP profile only, then you need to include the validation policy in the job stream (see sample below), or add the VALENCRYPT policy statement to the LDAP profile.

-INCLUDE_CMD(PKWARE.MVS.PROFILES(LDAP))
-RECIPIENT(LDAP:CN=PKWARE TEST4,R)
-{VALENCRYPT=NOTTRUSTED,EXPIRED,NOTREVOKED}
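An added example, not PKWARE's code, that reads profile statements and job-stream control cards in the forms shown in this chapter and reports what a reviewer of such a member would want to see: LDAP statements carrying a bind password, -RECIPIENT cards carrying a private-key password in clear text (the echoed log earlier in this chapter masks it as PASSWORD=******), and VALENCRYPT options that replace the TRUSTED and REVOKED defaults described above. The LDAP field positions are inferred from the two LDAP statements on the page, the names given to the two fields the page does not label are assumptions, and the sample input is constructed from the page's own statements.

```python
import re

# One -{KEY=value} statement. The leading '-' is present in job streams and
# profile members on the page and absent in the echoed configuration listing.
_STMT = re.compile(r"-?\{([A-Z_]+)=([^}]*)\}")
# One -RECIPIENT(...) control card, in either case as the page shows it.
_RECIP = re.compile(r"-RECIPIENT\(([^)]*)\)", re.IGNORECASE)

# Field positions of an LDAP statement, inferred from the two on the page:
#   -{LDAP=1;SCULPTOR1.PKWARE.COM;389;0;0;;;*CN;O=PKWARE}
#   {LDAP=1;192.166.54;4389;1;0;CN=LDAP Administrator;secret;;O=PKWARE;}
# Fields 4 and 5 are not named on the page (the panel's Search Timeout is one
# of them); "field4"/"field5" are placeholder names assumed for this example.
LDAP_FIELDS = ("number", "server", "port", "field4", "field5",
               "userid", "password", "filter_type", "start_node")

# Policies the page names as the defaults enforced when no VALENCRYPT is given.
DEFAULT_POLICY_FOR = {"NOTTRUSTED": "TRUSTED", "NOTREVOKED": "REVOKED"}


def parse_ldap_statement(value):
    """Split 'n;server;port;...' into a dict; missing trailing fields are ''."""
    parts = value.split(";")
    parts += [""] * (len(LDAP_FIELDS) - len(parts))
    return dict(zip(LDAP_FIELDS, parts))


def audit_control_cards(text):
    """Scan a profile member or job stream and return (kind, detail) findings:
    clear-text LDAP bind passwords, non-numeric LDAP ports, clear-text
    private-key passwords on -RECIPIENT cards, and VALENCRYPT options that
    replace the TRUSTED / REVOKED defaults."""
    findings = []
    for line in text.splitlines():
        if line.lstrip().startswith("*"):      # profile comment line
            continue
        for key, value in _STMT.findall(line):
            if key == "LDAP":
                ldap = parse_ldap_statement(value)
                if ldap["password"]:
                    findings.append(("ldap-password",
                                     "LDAP %s to %s stores a bind password"
                                     % (ldap["number"], ldap["server"])))
                if not ldap["port"].isdigit():
                    findings.append(("ldap-port",
                                     "LDAP %s has non-numeric port %r"
                                     % (ldap["number"], ldap["port"])))
            elif key == "VALENCRYPT":
                for opt in (o.strip().upper() for o in value.split(",")):
                    if opt in DEFAULT_POLICY_FOR:
                        findings.append(("valencrypt",
                                         "%s replaces the default %s policy"
                                         % (opt, DEFAULT_POLICY_FOR[opt])))
        for card in _RECIP.findall(line):
            m = re.search(r"PASSWORD=([^,]*)", card, re.IGNORECASE)
            if m and m.group(1).strip("*"):    # '******' is the masked echo
                findings.append(("recipient-password",
                                 "recipient %s carries its private-key password"
                                 % card.split(",")[0]))
    return findings


# Constructed sample, assembled from statements shown in this chapter.
SAMPLE = """\
* DATABASE ACCESS CONTROL CARDS
-{CSPUB=4;1;PKWARE.MVS.CERTSTOR.PUBLIC}
-{LDAP=1;SCULPTOR1.PKWARE.COM;389;0;0;;;*CN;O=PKWARE}
-{LDAP=2;192.166.54;4389;1;0;CN=LDAP Administrator;secret;;O=PKWARE;}
-INCLUDE_CMD(PKWARE.MVS.PROFILES(LDAP))
-RECIPIENT(LDAP:CN=PKWARE TEST4,R)
-RECIPIENT(DB:CN=PKWARE TEST02,R,PASSWORD=PKWARE)
-{VALENCRYPT=NOTTRUSTED,EXPIRED,NOTREVOKED}
"""

if __name__ == "__main__":
    for kind, detail in audit_control_cards(SAMPLE):
        print(kind, "-", detail)
```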

Runtime Configuration

This panel is used for entering configuration information to be used for the ISPF SECZIP interface. That information includes active load library, default options files, job card and other miscellaneous information.

In SecureZIP for z/OS, an additional panel must be configured. Notice at the bottom of the following panel a message appears informing you to Hit ENTER to view the SecureZIP Certificate Store Settings.

Zip/Unzip Runtime Configuration Panel

SecureZIP Runtime Configuration
Command ===>                                                       More: +

Execution load library: 'PKWARE.MVS.LOAD'

Initial Execution Default Command Settings
  Defaults module.....: ACZDFLT   (ACZDFLT)
  ZIP processing......: NULLFILE
  UNZIP processing....: NULLFILE

Foreground Processing Controls
  Unquoted file specification  Prefix with : P  (P/U/N) Profile Prefix/Userid/None
  Temporary working files      Use Prefix  : P  (P/U/O) Profile Prefix/Userid/Other  Value==>
  Lowest Acceptable RC: 4  (0,4,8)
  SYSPRINT Allocation  Type : CYLS  (BLKS,TRKS,CYLS)  Primary : 3  Secondary : 1
  UNIT type for temp files

SecureZIP Runtime Configuration Panel

SecureZIP Runtime Configuration
Option ===>

Certificate Store Settings
( ENTER to validate, PF7/PF8 to scroll, END to save, / for field options)
  Private-Cert Recips > 'PKWARE.MVS.JCL(CERTPROF)'
  DB Profile          > 'PKWARE.MVS.JCL(DBPROF)'
  LDAP Profile        > 'PKWARE.MVS.JCL(LDAPPROF)'
  ZIP Recipient List  > -RECIPIENT(DB:CN=PKWARE TEST02,R)
  UNZIP Recipient List> -RECIPIENT(DB:CN=PKWARE TEST02,R,PASSWORD=PKWARE)
  Archive Signing     > UNDEFINED
  File Signing        > UNDEFINED
  Authenticate Archive> UNDEFINED
  Authenticate Files  > UNDEFINED
------------------------------------------------------------------------------
********************************* Top of Data *********************************
Private-key Certificate Recipient(s):
===============================================================================
Profile: 'PKWARE.MVS.JCL(CERTPROF)'
DATASET NOT FOUND
Local Certificate Store DB Profile:
===============================================================================
Profile: 'PKWARE.MVS.JCL(DBPROF)'
DATASET NOT FOUND

This panel is used to enter the certificate profile configuration.

That information includes the locations of the private certificate profile, the database profile, and the LDAP profile. With the exception of the private certificate location, the DB and LDAP profile locations are filled in for you by the certificate store administration and configuration option "CS" on the main SecureZIP for z/OS panel.

SecureZIP Runtime Configuration Panel Undefined

SecureZIP Runtime Configuration
Option ===>

Certificate Store Settings
( ENTER to validate PF7/PF8 to scroll)  / to Edit the configuration file
  Private-Cert> undefined
  DB Profile  > undefined
  LDAP Profile> undefined
-------------------------------------------------------------------------------
***** Top of Data **************************************************************
Private-key Certificate Recipient(s):
=====================================
Profile: MISSING DATASET NAME
Local Certificate(DB) Profile:
==============================
Profile: MISSING DATASET NAME
LDAP Configuration Profile:
===========================
Profile: MISSING DATASET NAME
***** Bottom of Data ***********************************************************

Prior to completing certificate store administration and configuration option “CS”, the configuration panel is undefined. As you complete the “CS” functions the panel will be populated with your runtime settings.

SecureZIP Runtime Configuration Panel with DB Profile Defined

SecureZIP Runtime Configuration
Option ===>

Certificate Store Settings
( ENTER to validate PF7/PF8 to scroll)  / to Edit the configuration file
  Private-Cert> undefined
  DB Profile  > 'PKWARE.MVS.JCL(CCFGFPD1)'
  LDAP Profile> undefined
-------------------------------------------------------------------------------
***** Top of Data **************************************************************
Private-key Certificate Recipient(s):
=====================================
Profile: Undefined
Local Certificate(DB) Profile:
==============================
* DATABASE ACCESS CONTROL CARDS
-{CSPUB=4;1;PKWARE.MVS.CERTSTOR.PUBLIC}
-{CSPRVT=4;1;PKWARE.MVS.CERTSTOR.PRIVATE}
-{CSPUB_DBX=PKWARE.MVS.CERTSTOR.DBX}
-{CSPUB_DBX_PATH_CN=PKWARE.MVS.CERTSTOR.PATHCN}
-{CSPUB_DBX_PATH_EM=PKWARE.MVS.CERTSTOR.PATHEM}
-{CSPUB_DBX_PATH_PUBKEY=PKWARE.MVS.CERTSTOR.PATHPUBK}

This is an example of how the runtime configuration panel looks after completing the local certificate store configuration.

SecureZIP Runtime Configuration Panel with Private Certificate Location

SecureZIP Runtime Configuration
Option ===>

Certificate Store Settings
( ENTER to validate PF7/PF8 to scroll)  / to Edit the configuration file
  Private-Cert> 'PKWARE.MVS.JCL(CERTPROF)'
  DB Profile  > 'PKWARE.MVS.JCL(CCFGFPD1)'
  LDAP Profile> 'PKWARE.MVS.JCL(LDAPFPD1)'
-------------------------------------------------------------------------------
***** Top of Data **************************************************************
Private-key Certificate Recipient(s):
=====================================
*---------------------------------------------------------------------*
* Profile PKWARE.MVS.JCL(CERTPROF)                                    *
*---------------------------------------------------------------------*
-recipient(db:cn=PKWARE TEST,R,PASSWORD=PKWARE)

This is the runtime configuration panel with the private certificate identified that will be used to provide the private key to decrypt the archive. Notice that the RECIPIENT location, the requirement to always find the certificate (R), and the password for the private key are displayed as part of the panel information provided.

x.509 Certificate Utilities

This panel is used for working with CA, ROOT, and CRL files. If you receive a file claiming to contain CA or ROOT certificates you can use the List and View features to allow you to review the data within the file. If you are not sure what type of store the file contains, use “BG” as a best guess to simulate and add. The utility will display detail information about each process.

You may view your certificates in a table format, list the data about each certificate in a print format, simulate adding to a store, extract certificates to a temporary store, initialize a store, extract end entity certificates for input to a store, and convert EBCDIC BASE64 to ASCII BASE64.

SecureZIP x.509 Certificate Information
Option ===>                                                        More: +

x.509 Utilities
  1 View Certificate(s) - Table Format
  2 List Certificate(s)
  3 Simulate Certificate Add
  4 Work with CRL files
  5 Select Certificates from a P7B or PKCS12 source
  6 Initialize a P7B Store
  7 Extract End Entity for input to a Public Certificate Store
  8 Translate EBCDIC BASE64 Certificate to ASCII BASE64

Enter the Certificate Source file to be used:
  Data Set Name . . . 'SECZIP.FPD.SEC.PKTICAF.CRT'

This panel can be used to identify information about certificate files you have
obtained but are not sure of the content, initialize a P7B store, or extract
certificates from an existing P7B source file. If you know the source is a
Certificate Revocation List then select Option 4 to proceed to CRL processing

The Options

Option 1 - View Certificate(s)

This option builds an ISPF table display from the certificate source file.

-----------------------------------------------------------------------------+
Certificate Source : PKWARE.MVS.INSTLIB2(PKWARERT)
Certificate Type   : P7B with Best Guess
Primary commands: SORT . Scroll RIGHT or LEFT for more info.
To EXIT Press PF3   For HELP Press PF1
Type  Friendly Name
----------------------------------------------------------------
P7B   PKTESTDB Root

Multiple passes will be completed with the input source file. Each pass will be detailed in the Certificate Type area. If none of the non-password file types can be processed, a popup screen is displayed in which to enter a password for processing a PKCS12 file type.

Option 2 - List Certificate(s)

This option displays details about each certificate in the source file in a BROWSE window.

In the sample below, the store type used to produce the report is identified for each processing attempt. In this instance, P7B was used as the store type.

-----------------------------------------------------------------------------+
ZPCA960I SecureZIP Certificate Administration   4 Mar 2006 09:50:58
ZPCA960I List Certificate Source File           4 Mar 2006 09:50:58
ZPCA960I Certificate Input=PKWARE.MVS.INSTLIB2(PKWARERT)
ZPCA960I ***************************************************************
ZPCA960I P7B Attempt                            4 Mar 2006 09:50:58
ZPCA960I ***************************************************************
ZPCA960I Store Detail using DSN=PKWARE.MVS.INSTLIB2(PKWARERT)
--- Certificate 1 --- PKTESTDB Root
Subject:
  C=US
  S=Wisconsin
  L=Milwaukee
  O=PKWARE, Inc.
  OU=PKWARE, Inc. -- for test and evaluation purposes only
  CN=PKTESTDB Root
-----------------------------------------------------------------------------+

Option 3 - Simulate Certificate Add

This option displays details about certificates as they are processed by the simulated ADD environment.

Multiple passes will be completed with the input source file. Each pass will be detailed in the certificate type area.

You may disregard any error messages that do not relate to the type of certificate that is in the source file. This simulation does not require you to know exactly what is being processed and, because of that, the process can flag data as in error when it would not be considered an error if it were used with the correct type. For example, when you input a P7B certificate file, this process will correctly simulate an install to the root store using P7B as the type but will fail using CER as the type.

using P7B
-----------------------------------------------------------------------------+
Certificate Source : SECZIP.FPD.SEC.FPDALL.P7B
Certificate Type   : P7B with Best Guess
Primary commands: SORT . Scroll RIGHT or LEFT for more info.
To EXIT Press PF3   For HELP Press PF1
Type  Friendly Name
----------------------------------------------------------------
CA    VeriSign Class 1 CA Individual Subscriber-Persona Not Validate
ROOT  Class 1 Public Primary Certification Authority
-----------------------------------------------------------------------------+

using CER
-----------------------------------------------------------------------------+
Command ===>                                                   SCROLL ===> CSR
Certificate Source : SECZIP.FPD.SEC.PKTICAF.CRT
Certificate Type   : P7B with Best Guess
Primary commands: SORT . Scroll RIGHT or LEFT for more info.
To EXIT Press PF3   For HELP Press PF1
Type  Friendly Name
-----------------------------------------------------------------------
ZPCA990I Simulate Certificate processing 10 Mar 2006 12:59:53
ZPCA990I Cert Input=SECZIP.FPD.SEC.PKTICAF.CRT
ZPCA990I ********************************************************************
ZPCA990I CER Attempt 10 Mar 2006 12:59:53
ZPCA990I ********************************************************************
ZPCA990I Store Detail using DSN=SECZIP.FPD.SEC.PKTICAF.CRT
ZPCA810E ERROR: Failed to build certificate store '//'SECZIP.FPD.SEC.PKTICAF.CR
ZPCA810E ERROR: Cannot continue. Unable to open certificate store.
ZPCA810E ERROR: Cannot continue. Unable to process certificate file '//'SECZIP
ZPCA991E ********************************************************************
ZPCA991E List Completed with errors 10 Mar 2006 13:05:01
ZPCA991E ********************************************************************

Certain types of errors encountered will present a popup window similar to the one below. To get further information on the error press PF1.

 ---------------------------
  Sim Error-PF1 for detail -
 ---------------------------
 **************************************************************************
 *Sim Error-PF1 for detail - Certificate simulation encountered an error  *
 *during the add operation. Error text = ZPCA811E ERROR: Cert Wrap failed *
 *to open '//'SECZIP.FPD.SEC.FPDALL.P7B''. CW Error = 0x0. Press Enter to *
 *continue                                                                *
 **************************************************************************

Option 4 - Work with CRL files

The CRL Utilities allow you to view details about installed certificates, simulate the addition of an update list to your CRL store, and update the CRL store.

You may view the revocation lists in a table format, list the data about each revocation list in a print format, simulate adding to a store, and update the CRL store.

1  View Installed CRLs from Store - Table Format
2  List Installed CRLs from Store
3  Update the CRL Store
4  Simulate Update
5  Synchronize Data Base
For Options 3 and 4 you must specify the input CRL file.
Input X.509 Certificate Revocation List File
  Data Set Name: _crlsrc
  File Type    : _crltype  (P7B, CRL or BG for Best Guess)


Option 5 - Select Certificates from a P7B or a PKCS12 Source

This option takes a P7B or a PKCS12 source file and attempts to separate the certificates contained in the input and copy them into their respective stores. These separated certificates can then be used as input to the add processes for updating your local certificate stores. If 2 is entered to process a PKCS12 source file, a popup screen is displayed in which to enter the password.

x.509 Utilities
Select Certificates from Package
Type: ___   1=P7B, 2=PKCS12
Please note: -- Any existing data in the files will be deleted --
Enter the Sequential File Names to be used for output:
These files should be used as temporary stores only
  CA          = 'FPD.PKWARE.STORCSCA'
  ROOT        = 'FPD.PKWARE.STORCSRT'
  CRL         = 'FPD.PKWARE.STORCSRL'
  CERT Output = 'FPD.PKWARE.STORCSEE'
Assume End Entity ==> /
  Non-blank accepts all non-Certificate Authority certificates as End Entity
  certificates valid for encryption or signing operations, even if not so marked.

This option displays details about each certificate as it is processed by the Select environment.

If working with a P7B source file, multiple passes are completed with the input source file. Each pass is displayed with detail information, and a request box appears where you can stop the process if you are satisfied with the selected certificates to that point. If you allow the process to continue, each subsequent step reinitializes the output stores, and any certificates selected previously are deleted.

Here is an unsuccessful example using P7B as the certificate type.

using P7B
ZPCA940I Select Certificate processing 10 Mar 2005 14:42:56
ZPCA940I Certificate Input=SECZIP.FPD.SEC.PKTICAF.CRT
ZPCA940I P7B Attempt 10 Mar 2006 14:42:56
ZPCA940I ********************************************************************
ZPCA940I Store Detail using DSN=SECZIP.FPD.SEC.PKTICAF.CRT
ZPCA811E ERROR: Cert Wrap failed to open '//'SECZIP.FPD.SEC.PKTICAF.CRT''. CW
ZPCA850E ERROR: Cannot continue. Unable to open certificate file '//'SECZIP.FP
ZPCA850E ERROR: Cannot continue. Unable to determine certificate file count.
ZPCA850E ERROR: Cannot continue. Unable to process certificate file '//'SECZIP
ZPCA941E ********************************************************************
ZPCA941E Select Completed with errors 10 Mar 2006 14:42:56

The popup box will ask you if you wish to continue. If you press enter the output stores will be overwritten.

 **************************************************************
 *PKUT001 ===>                                                *
 *                                                            *
 * Continue with next scenario - CER                          *
 *                                                            *
 *Press ENTER to continue.                                    *
 *Press PF3 or enter CANCEL command to return.                *
 *                                                            *
 *                                                            *
 **************************************************************

using CER
ZPCA940I CER Attempt 10 Mar 2006 14:44:20
ZPCA940I ********************************************************************
ZPCA940I Store Detail using DSN=SECZIP.FPD.SEC.PKTICAF.CRT
ZPCA000I SUCCESS: Added certificate to store '//'FPD.PKWARE.STORCSCA''. DSN=
ZPCA000I SUCCESS: Saved certificate store '//'FPD.PKWARE.STORCSCA'' to disk.
ZPCA000I Added 1 of a possible 1 certificates to the CA store.
ZPCA000I 0 certificates in the CA store before the Add command.
ZPCA000I 1 certificates in the CA store after the Add command.
ZPCA940I ********************************************************************
ZPCA940I Select Completed rc=0 10 Mar 2006 14:44:23
ZPCA940I ********************************************************************

Notice above that the CER attempt was successful. If you press Enter to continue with the next scenario, the output stores, including the certificates just extracted, will be overwritten.

 **************************************************************
 *PKUT001 ===>                                                *
 *                                                            *
 * Continue with next scenario - CRL                          *
 *                                                            *
 *Press ENTER to continue.                                    *
 *Press PF3 or enter CANCEL command to return.                *
 *                                                            *
 *                                                            *
 **************************************************************
-----------------------------------------------------------------------------+

Option 6 - Initialize a P7B Store

This option conditions a dataset for use as a P7B store.

Initialize a P7B Store
Please note: -- Any data in the file will be deleted --
Enter the Sequential File Name of the Certificate Store:
  For example: 'HLQ.CERTSTOR.P7CRL'


Option 7 - Extract End-Entity for Input to a Public Certificate Store

This option takes a P7B or a PKCS12 source file and attempts to copy its end-entity certificates into the destination file. These can then be used as input to the Add Certificate processing to place the certificates in the public key stores.

Please note: The member names generated will always be EE and the certificate
number. If you use the same output PDS as a previous attempt the existing
members will be replaced with any newly generated members.
Enter the PDS File Name to be used for output:
Note: This file will be used as input to the add certificate function
  EE File = 'FPD.PKWARE.STORCSNE'
Assume End Entity ==> /
  Non-blank accepts all non-Certificate Authority certificates as End Entity
  certificates valid for encryption or signing operations, even if not so marked.
_ Use PKCS12 Package for input source (Default is P7B Package)
Please note: -- The member names generated will be composed of the following:
  EE                 pos 1 and 2
  Generated Cert ID  pos 3 thru 8
  For example: EE1 for the first extracted certificate
               EE2 for the second extracted certificate
Press 'ENTER' for next topic

If a PKCS12 source file is selected, a popup screen is displayed in which to enter the password of the PKCS12 package.

Also, when selecting a PKCS12 file, the member names generated will have a prefix of PV in place of the EE prefix. These private end-entity members will be created with the same password as the input PKCS12 source file.

Option 8 - Translate EBCDIC BASE64 Certificate to ASCII BASE64

This option takes an EBCDIC-encoded BASE64 certificate and translates it to an ASCII-encoded BASE64 certificate.

x.509 Utilities
Translate EBCDIC Certificate to ASCII Certificate
Note: The translation is standard BASE64 conversion with the addition of the
SPACE character converted also.
Enter the File Name to be used for input:
  EBCDIC Cert =
Enter the File Name to be used for output:
  ASCII Cert  =
ENTER To Process, To EXIT Press PF3   For HELP Press PF1


Certificate Revocation Lists

SecureZIP Certificate Revocation Lists
Option ===>
Store Configuration: 'SECZIP.FPD.PROFILES(DB810X)'
Active CRL Store: SECZIP.FPD900.CERTSTOR.P7CRL
1  View Installed CRLs from Store - Table Format
2  List Installed CRLs from Store
3  Update the CRL Store
4  Simulate Update
5  Synchronize Data Base Index
Information requested below only applies to Option 3 and 4
Input X.509 Certificate Revocation List File
  Data Set Name: UNDEFINED
  File Type    : CRL  (P7B, CRL or BG for Best Guess)

Option 1 - View Installed CRLs from Store

This option builds an ISPF table display using the certificate revocation list and the current certificate store.

The information is displayed on six screens. The first three screens represent the public or private certificate that is revoked, and the following three screens represent the certificate authority that issued the revocation list.

Screen 1
-----------------------------------------------------------------------------+
Certificate Store : SECZIP.FPD.CERTSTOR.P7CRL
Certificate Type  : CRL with Best Guess ASCII Based Certificate
Primary commands: SORT. Scroll RIGHT or LEFT for more info.
To EXIT Press PF3   For HELP Press PF1
Revoked Certificate Information
Type  Serial Number  IDHash
-------------------------------------------------------------------------
PVT   01             DA9F053EEF6684FC2BDF63962E24775EE81160ED
Scroll Left or Right for additional information pertaining to the revoked
certificates.

Screen 2
-----------------------------------------------------------------------------+
Certificate Store : SECZIP.FPD.CERTSTOR.P7CRL
Certificate Type  : CRL with Best Guess ASCII Based Certificate
Primary commands: SORT. Scroll RIGHT or LEFT for more info.
To EXIT Press PF3   For HELP Press PF1
Revoked Certificate Information
Type  Common Name
-------------------------------------------------------------------------
PVT   PKWARE TEST9
-----------------------------------------------------------------------------+

Screen 3
-----------------------------------------------------------------------------+
Certificate Store : SECZIP.FPD.CERTSTOR.P7CRL
Certificate Type  : CRL with Best Guess ASCII Based Certificate
Primary commands: SORT. Scroll RIGHT or LEFT for more info.
To EXIT Press PF3   For HELP Press PF1
Revoked Certificate Information
Type  Email Address
-------------------------------------------------------------------------
PVT   [email protected]
-----------------------------------------------------------------------------+

Screen 4
-----------------------------------------------------------------------------+
Certificate Store : SECZIP.FPD.CERTSTOR.P7CRL
Certificate Type  : CRL
Primary commands: SORT. Scroll RIGHT or LEFT for more info.
To EXIT Press PF3   For HELP Press PF1
CRL Issuer Information
CertID  CRL Friendly Name
-------------------------------------------------------------------------
1       PKWARE Test Intermediate Cert A
-----------------------------------------------------------------------------+

Screen 5
-----------------------------------------------------------------------------+
Certificate Store : SECZIP.FPD.CERTSTOR.P7CRL
Certificate Type  : CRL
Primary commands: SORT. Scroll RIGHT or LEFT for more info.
To EXIT Press PF3   For HELP Press PF1
CRL Issuer Information
CertID  Organizational Unit
-------------------------------------------------------------------------
1       PKWARE, INC. -- FOR TEST AND EVALUATION PURPOSES ONLY
-----------------------------------------------------------------------------+

Screen 6
-----------------------------------------------------------------------------+
Certificate Store : SECZIP.FPD.CERTSTOR.P7CRL
Certificate Type  : CRL
Primary commands: SORT. Scroll RIGHT or LEFT for more info.
To EXIT Press PF3   For HELP Press PF1
CRL Issuer Information
CertID  Total Revoked / Last Updated / Next Update
-------------------------------------------------------------------------
1       1               UNKNOWN        UNKNOWN
-----------------------------------------------------------------------------+

Option 2 - List Installed CRLs from Store

List details about each Certificate Revocation List in your store.

In the sample below, each revocation list is identified by the heading CRL n, where n is the sequential number of the certificate in the store.

Each certificate that is revoked has a SerialNumber= line followed by the IDHash= of the CA that issued the certificate. This data is used to identify the public or private key certificate that has been revoked. When you choose Option 1, the information on those certificates is displayed if it matches public or private key certificates in your store.

-----------------------------------------------------------------------------+
ZPCA920I SecureZIP Certificate Administration 11 Mar 2006 15:47:19
ZPCA920I List Certificate Revocations 11 Mar 2006 15:47:19
ZPCA920I *********************************************************************
ZPCA920I CRL Input=SECZIP.FPD.CERTSTOR.P7CRL
ZPCA920I *********************************************************************
Store Detail using DSN=SECZIP.FPD.CERTSTOR.P7CRL
---------
--- CRL 1 ---
PKWARE Test Intermediate Cert A
Issuer: C=US;S=Wisconsin;L=Milwaukee;O=PKWARE, Inc.;OU=PKWARE, Inc. -- for test and
LastUpdate: Unknown
NextUpdate: Unknown
Revoked Serial Numbers (1):
SerialNumber=01; IDHash=DA9F053EEF6684FC2BDF63962E24775EE81160ED;
--- CRL 2 ---
PKWARE Test Intermediate Cert F
Issuer: C=US;S=Wisconsin;L=Milwaukee;O=PKWARE, Inc.;OU=PKWARE, Inc. -- for test and
LastUpdate: Tue Feb 8 16:01:09 2005
NextUpdate: Tue Apr 9 16:01:09 2024
Revoked Serial Numbers (1):
SerialNumber=01; IDHash=7A0F9161C04890CAAEF123170CCB83227EEBEB30;
-----------------------------------------------------------------------------+
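The listing format above is what Option 1 matches against the store: a certificate is revoked when its serial number and its issuer's IDHash both appear under a CRL. As an added example (not PKWARE's code), the Python below parses a listing constructed in that format, flags CRLs whose NextUpdate is Unknown or already past (such as CRL 1 above, whose revocation data cannot be shown to be current), and checks a made-up certificate inventory for revoked entries.

```python
"""Parse the ZPCA920I 'List Certificate Revocations' output and cross-check it
against a certificate inventory by (serial number, issuer IDHash).

Added example, not PKWARE code. SAMPLE_LISTING is constructed from the format
shown in the manual (message prefixes stripped); SAMPLE_INVENTORY is made up.
"""
import re
from datetime import datetime

# Constructed listing in the manual's format.
SAMPLE_LISTING = """\
--- CRL 1 ---
PKWARE Test Intermediate Cert A
Issuer: C=US;S=Wisconsin;L=Milwaukee;O=PKWARE, Inc.
LastUpdate: Unknown
NextUpdate: Unknown
Revoked Serial Numbers (1):
SerialNumber=01; IDHash=DA9F053EEF6684FC2BDF63962E24775EE81160ED;
--- CRL 2 ---
PKWARE Test Intermediate Cert F
Issuer: C=US;S=Wisconsin;L=Milwaukee;O=PKWARE, Inc.
LastUpdate: Tue Feb 8 16:01:09 2005
NextUpdate: Tue Apr 9 16:01:09 2024
Revoked Serial Numbers (1):
SerialNumber=01; IDHash=7A0F9161C04890CAAEF123170CCB83227EEBEB30;
"""

# Constructed inventory: (label, serial, issuer IDHash) as a store export might give.
SAMPLE_INVENTORY = [
    ("PKWARE TEST9", "01", "DA9F053EEF6684FC2BDF63962E24775EE81160ED"),
    ("PKWARE TEST1", "02", "DA9F053EEF6684FC2BDF63962E24775EE81160ED"),
    ("OTHER CA CERT", "01", "0000000000000000000000000000000000000000"),
]

CRL_HEADER = re.compile(r"^--- CRL (\d+) ---$")
REVOKED = re.compile(r"^SerialNumber=([0-9A-Fa-f]+);\s*IDHash=([0-9A-Fa-f]{40});")
DATE_FMT = "%a %b %d %H:%M:%S %Y"  # ctime-style, as in the listing


def parse_date(value: str):
    """'Unknown' (as printed for CRL 1 in the manual) becomes None."""
    value = value.strip()
    if value.lower() == "unknown":
        return None
    return datetime.strptime(value, DATE_FMT)


def parse_crl_listing(text: str) -> list:
    """Return one dict per CRL: index, name, issuer, dates and revoked pairs."""
    crls, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = CRL_HEADER.match(line)
        if header:
            current = {"index": int(header.group(1)), "name": None, "issuer": None,
                       "last_update": None, "next_update": None, "revoked": []}
            crls.append(current)
            continue
        if current is None or not line:
            continue
        if current["name"] is None:          # first line after the header is the friendly name
            current["name"] = line
        elif line.startswith("Issuer:"):
            current["issuer"] = line[len("Issuer:"):].strip()
        elif line.startswith("LastUpdate:"):
            current["last_update"] = parse_date(line[len("LastUpdate:"):])
        elif line.startswith("NextUpdate:"):
            current["next_update"] = parse_date(line[len("NextUpdate:"):])
        else:
            entry = REVOKED.match(line)       # "Revoked Serial Numbers (n):" does not match
            if entry:
                current["revoked"].append((entry.group(1).upper(), entry.group(2).upper()))
    return crls


def stale_crls(crls: list, now: datetime) -> list:
    """Indexes of CRLs whose NextUpdate is unknown or already past."""
    return [c["index"] for c in crls
            if c["next_update"] is None or c["next_update"] < now]


def revoked_in_inventory(crls: list, inventory: list) -> list:
    """Labels whose (serial, issuer IDHash) pair appears in any CRL."""
    revoked = {pair for c in crls for pair in c["revoked"]}
    return [label for label, serial, idhash in inventory
            if (serial.upper(), idhash.upper()) in revoked]


if __name__ == "__main__":
    parsed = parse_crl_listing(SAMPLE_LISTING)
    print("stale CRLs:", stale_crls(parsed, datetime.now()))
    print("revoked in inventory:", revoked_in_inventory(parsed, SAMPLE_INVENTORY))
```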

Option 3 - Update the CRL Store

Allows you to update the P7CRL store used for Certificate Revocation.

Store Configuration: 'SECZIP.FPD.PROFILES(DBPROF)'
Active CRL Store: SECZIP.FPD.CERTSTOR.P7CRL
1  View Installed CRLs from Store - Table Format
2  List Installed CRLs from Store
3  Update the CRL Store
4  Simulate Update
5  Synchronize Data Base Index
You must enter the file location of the CRL list you wish to use as the input
to the process and the type of data contained within.
Input X.509 Certificate Revocation List File ---------------+
  Data Set Name: 'SECZIP.FPD.SEC.CRL1.CRL'
  File Type    : CRL  (P7B, CRL or BG for Best Guess)


You will receive a pop-up panel that asks you for the following information.

This panel asks if you want to update the certificate store data base to reflect the revocations in the CRL file. Enter Y or N, and press ENTER. Pressing PF3 or entering the CANCEL command results in N being entered for you. Normally, if you are installing a single CRL, you should pick Y and update the data base. If you are installing multiple CRLs, pick N, and the popup will not appear again until you exit and re-enter Certificate Store Administration. If you pick N, you should run Synchronize Data Base Index after all CRLs are installed. Not updating the data base still allows certificates to be viewed and selected, but they will fail during the associated SECZIP run.

After you have hit Enter, you will receive a notification of completion in the message field of the panel: “Done PF1 for info”

Messages inform whether certificates were added and, if so, how many.

 **************************************************************************
 *No added certificates Total Before = 2 Total After = 2                  *
 **************************************************************************

 **************************************************************************
 * Added 1 of a possible 1 Total Before = 2 Total After = 3               *
 **************************************************************************

Option 4 - Simulate Update

This option can be used to test installation of a CRL. Below is a sample output of this option.

ZPCA910I SecureZIP Certificate Administration 11 Mar 2006 16:28:55
ZPCA910I Input Processing of 'SECZIP.FPD.SEC.CRL3.CRL'
ZPCA910I Validation Processing of SECZIP.FPD.CERTSTOR.P7CA
ZPCA910I Output Processing of SECZIP.FPD.CERTSTOR.P7CRL
ZPCA000I SUCCESS: Added certificate '//'SECZIP.FPD.SEC.CRL3.CRL'' to store '//'
ZPCA846W WARNING: Simulation Requested. Nothing will be saved to the store.
ZPCA000I SUCCESS: Saved certificate store '//'SECZIP.FPD.CERTSTOR.P7CRL'' to di
ZPCA846W WARNING: Simulation Requested. Nothing will be saved to the store.
ZPCA000I Added 0 out of 1 certificates to the CRL store.
ZPCA000I 3 entries in the CRL store before the Add command.
ZPCA000I 3 entries in the CRL store after the Add command.
-----------------------------------------------------------------------------+


Option 5 - Synchronize Data Base Index

This option displays details about each certificate in the source file. If you specify BG as the store type, two passes are completed on the source file and two sets of listings are displayed. The first is for type CER, and the next is for type P7B. After each listing is displayed, press PF3 to return.

Filename Encryption

How SecureZIP for z/OS Encrypts File Names

SecureZIP for z/OS encrypts file names using your current settings for (strong) encryption method and algorithm. File names can be encrypted using either strong password encryption or a recipient list (or both). You must use one of the strong encryption methods: you cannot encrypt file names using traditional password encryption.

Note: Encrypting names of files and folders in an archive encrypts and hides a good deal of other internal information about the archive as well. To encrypt file names, SecureZIP for z/OS encrypts the archive's central directory, where virtually all such metadata about the archive is stored.

Note: Be aware that archive comments are not encrypted even when you encrypt file names. Do not put sensitive information in an archive comment.
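The two notes above are worth checking mechanically before an archive leaves the enterprise: the central directory is what gets encrypted, and the archive comment never is. As an added example (not PKWARE's code), the Python below reads the End of Central Directory record of a ZIP, reports the comment, and classifies the central directory as clear or encrypted. It assumes the ZIP APPNOTE layout, where a clear central directory begins with a central file header (signature 0x02014b50) and an encrypted one is preceded by an Archive Extra Data Record (signature 0x08064b50); the sample archives are constructed inline, and the "encrypted" one is a structural stand-in with filler, not real ciphertext.

```python
"""Report the archive comment and whether the central directory of a ZIP is
in the clear. Added example, not PKWARE code; ZIP layout per the APPNOTE.
"""
import io
import struct
import zipfile

EOCD_SIG = 0x06054B50                 # End of central directory record
CENTRAL_FILE_HEADER_SIG = 0x02014B50  # first record of a clear central directory
ARCHIVE_EXTRA_DATA_SIG = 0x08064B50   # record preceding an encrypted central directory
EOCD_FIXED_LEN = 22                   # fixed part of the EOCD; the comment follows it
ZIP_COMMENT_FROM_PAGE = b"SecureZIP for z/OS by PKWARE"


def find_eocd(data: bytes) -> int:
    """Locate the EOCD record: it is last, followed only by a comment of up to 65535 bytes."""
    start = max(0, len(data) - EOCD_FIXED_LEN - 0xFFFF)
    pos = data.rfind(struct.pack("<I", EOCD_SIG), start)
    if pos < 0:
        raise ValueError("EOCD record not found: not a ZIP archive")
    return pos


def inspect_zip(data: bytes) -> dict:
    """Return entry count, the (never encrypted) comment and the central directory state."""
    pos = find_eocd(data)
    (_sig, _disk, _cd_disk, _entries_here, entries_total,
     _cd_size, cd_offset, comment_len) = struct.unpack_from("<IHHHHIIH", data, pos)
    comment = data[pos + EOCD_FIXED_LEN: pos + EOCD_FIXED_LEN + comment_len]
    state = "unknown"  # also the answer for ZIP64 archives, where cd_offset is 0xFFFFFFFF
    if cd_offset != 0xFFFFFFFF and cd_offset + 4 <= len(data):
        first_sig = struct.unpack_from("<I", data, cd_offset)[0]
        if first_sig == CENTRAL_FILE_HEADER_SIG:
            state = "clear"
        elif first_sig == ARCHIVE_EXTRA_DATA_SIG:
            state = "encrypted"
    return {"entries": entries_total,
            "comment": comment.decode("ascii", "replace"),
            "central_directory": state}


def audit(data: bytes) -> list:
    """Findings a reviewer would raise: a readable comment, or names not encrypted at all."""
    info = inspect_zip(data)
    findings = []
    if info["comment"]:
        findings.append(f"archive comment is stored in the clear: {info['comment']!r}")
    if info["central_directory"] == "clear":
        findings.append("central directory (file names) is not encrypted")
    return findings


def build_clear_archive(comment: bytes) -> bytes:
    """Constructed ordinary archive (names in the clear) carrying an archive comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("PKWARE/MVS/JCL/ACZDFLT", "//FPDTEST3 JOB '0',CLASS=A\n")
        zf.comment = comment
    return buf.getvalue()


def build_constructed_fne_archive(comment: bytes) -> bytes:
    """Constructed stand-in for a file-name-encrypted archive: the EOCD offset
    points at an Archive Extra Data Record, not a central file header.
    The record body is zero filler, not real ciphertext."""
    record = struct.pack("<II", ARCHIVE_EXTRA_DATA_SIG, 16) + b"\x00" * 16
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, 0, 0, len(record), 0, len(comment))
    return record + eocd + comment


if __name__ == "__main__":
    for name, blob in (("clear", build_clear_archive(b"see member ACZDFLT")),
                       ("fne", build_constructed_fne_archive(ZIP_COMMENT_FROM_PAGE))):
        print(name, inspect_zip(blob), audit(blob))
```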

When SecureZIP for z/OS Encrypts File Names

With archives that do not already contain encrypted file names:

SecureZIP for z/OS encrypts file names only when you add files to an archive: SecureZIP for z/OS does not encrypt file names when you encrypt files that are already in an archive even if the option to encrypt file names is turned on.

SecureZIP for z/OS encrypts file names only when you add and encrypt files: SecureZIP for z/OS does not encrypt file names when you add files without encrypting them, even if the option to encrypt file names is turned on.

Encrypting File Names When You Update an Archive

If you turn on the setting to encrypt file names and then add files to an archive that already contains files with unencrypted file names, SecureZIP for z/OS encrypts the names of all files in the archive.

If the archive contains files whose contents are already encrypted, SecureZIP for z/OS will reject an attempt to add filename encryption.

If you update an archive that already contains files with encrypted file names, SecureZIP for z/OS encrypts the newly added files and their names using the same password or recipient list originally used to encrypt file names in the archive.

Note: Once file names in an archive are encrypted, you cannot currently remove the encryption or change the password or recipient list used. You cannot change the encryption on files that are already in an archive that contains encrypted file names.

Opening and Viewing an Archive that Has Encrypted File Names

Opening an archive that contains encrypted file names requires PKZIP for zSeries Enterprise Edition version 8.2 or later, or SecureZIP for zSeries 8.1 with the Advanced Encryption Module.

Input required to View Recipients in a Filename Encrypted Archive

To view the recipients of an FNE archive you must place VERBOSE in the input.

//FPDTEST3 JOB '0',CLASS=A,REGION=64M,
//         MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID
//UNZIP    EXEC PGM=SECUNZIP
//STEPLIB  DD DISP=SHR,DSN=PKWARE.MVS.LOAD
//         DD DISP=SHR,DSN=PKWARE.MVS.LOAD
//CERT     DD DSN=FPD.FPDPVT08.PFX,DISP=SHR
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
-ARCHIVE_DSN(PKWARE.MVS.FNEREC.ZIP)
-VERBOSE
-ACTION(VIEW)
-RECIPIENT(DD:CERT,R,PASSWORD=PKWARE)

View of Recipients in a Filename Encrypted Archive

ZPLI001I SecureZIP(R) for z/OS, Version 10.0 - 09/13/07 11.47 LVL(Q1)
ZPLI001I Portions copyright (C) 1989-2007 PKWARE, Inc. All rights reserved.
ZPLI001I SecureZIP(R) is a trademark of PKWARE, Inc.
ZPLI001I Registered, Processor Type=2096 Processor Group=00 Serial Number=01FECE Model=O04
ZPLI001I OS Level: HBB7730 SP7.0.8
-INCLUDE_CMD=SECZIP.IVP.JCL(DEVCERT1)
-ECHO=N
-ARCHIVE_DSN(PKWARE.MVS.FNEREC.ZIP)
-VERBOSE
-LOGGING_LEVEL(VERBOSE)
-ACTION(VIEW)
-RECIPIENT(DD:CERT,R,PASSWORD=******)
ZPCM011I Processing EXEC PARM parameters
ZPEN110I Locating Digital Certificates ...
ZPCM023I Digital Certificate Store Configuration
{CSPUB=4;1;PKWARE.MVS.CERTSTOR.PUBLIC}
{CSPRVT=4;1;PKWARE.MVS.CERTSTOR.PRIVATE}
{CSCA=1;1;PKWARE.MVS.CERTSTOR.PUBLIC(CAP7)}
{CSROOT=1;1;PKWARE.MVS.CERTSTOR.PUBLIC(ROOTP7)}
{CSPUB_DBX=PKWARE.MVS.CERTSTOR.PUBLIC.DBX}
{CSPUB_DBX_PATH_CN=PKWARE.MVS.CERTSTOR.PATHCN}
{CSPUB_DBX_PATH_EM=PKWARE.MVS.CERTSTOR.PATHEM}
{CSPUB_DBX_PATH_PUBKEY=PKWARE.MVS.CERTSTOR.PATHPUBK}
{LDAP=1;192.168.1.54;4389;1;0;CN=LDAP Administrator;secret;;O=PKWARE;}
ZPCM023C ---------------------------------------
ZPCM024I Digital Certificate Request List
ZPCM024C Req'd Private Recipient dd:CERT
ZPCM024C FILE FOUND *REQUIRED*
ZPCM024C --------------------------------
ZPAP900I NO API REQUIRED
ZPCM100I Configuration Manager Shutdown. Posting Main Task: 00000000
ZPAM030I INPUT Archive opened: PKWARE.MVS.FNEREC.ZIP
ZPAM710I Archive Directory is Compressed 85%
ZPAM711I Archive Directory is Encrypted: AES_256 Certificate Only
ZPEX100I Extract Task { 5} TCB: 008D0A90 Started.
ZPEX004I Archive Central Directory extracted for processing.
ZPAM014I 234 file(s) are in the input Archive.
ZPAM012I ZIP comment: SecureZIP for z/OS by PKWARE
ZPAM013I *********************************************************************************
ZPAM015I        Length Method            Size Ratio Date       Time  CRC-32   Name
ZPAM016I ------------- ------------ ------------- ----- ---------- ----- -------- -----------------------------------
ZPAM017I         4,183 Deflate-SFST         2,240   46% 08/30/2005 16:24 419ABFDA ! PKWARE/MVS/JCL/ACZDFLT
ZPAM017I         4,183 Deflate-SFST         2,256   46% 08/30/2005 16:24 18A324CE ! PKWARE/MVS/JCL/ACZDFL
ZPAM017I         1,067 Deflate-SFST         1,536    0% 08/30/2005 16:24 183003D8 ! PKWARE/MVS/JCL/ZIPVIEW
         …………………                    …………………                              ……………
ZPAM017I         1,067 Deflate-SFST         1,536    0% 08/30/2005 16:24 2F3E1C63 ! PKWARE/MVS/JCL/ZIP12
ZPAM017I           985 Deflate-SFST         1,520    0% 08/30/2005 16:24 5A8D5879 ! PKWARE/MVS/JCL/ZIP123
ZPAM018I ------------- ------------- -----
ZPAM019I       698,546       450,288   36%
ZPAM013I *********************************************************************************
ZPAM140I FILES: VIEWED EXCLUDED BYPASSED IN ERROR
ZPAM140I           234        0        0        0
ZPAM712I Archive Directory Encryption Recipients:
ZPAM320I 4 recipient(s) were designated:
ZPAM321I Recipient: PKWARE Test01
ZPAM323I Email: [email protected]
ZPAM325I Valid: 07/23/2002-07/23/2003
ZPAM326I Issuer: VeriSign, Inc.
ZPAM321I Recipient: PKWARE Test02
ZPAM323I Email: [email protected]
ZPAM325I Valid: 11/05/2003-11/04/2004
ZPAM326I Issuer: VeriSign, Inc.
ZPAM321I Recipient: PKWARE Test03
ZPAM323I Email: [email protected]
ZPAM325I Valid: 07/22/2003-07/21/2004
ZPAM326I Issuer: VeriSign, Inc.
ZPAM321I Recipient: PKWARE Test04
ZPAM323I Email: [email protected]
ZPAM325I Valid: 07/22/2003-07/21/2004
ZPAM326I Issuer: VeriSign, Inc.
ZPAM101I Archive Manager Task { 3} TCB: 008D0E88 shutdown begun.
ZPAM109I Archive Manager Task { 3} TCB: 008D0E88 shutdown complete.
ZPEX101I Extract Task { 5} TCB: 008D0A90 shutdown begun.
ZPEX109I Extract Task { 5} TCB: 008D0A90 shutdown complete.
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)

View Detail of an Archive that Has Encrypted File Names

ZPAM711I in the output below identifies the type of encryption used for filename encryption.

ZPAM030I INPUT Archive opened: PKWARE.MVS.FNEREC.ZIP
ZPAM710I Archive Directory is Compressed 85%
ZPAM711I Archive Directory is Encrypted: AES_256 Certificate Only
ZPAM014I 234 file(s) are in the input Archive.
ZPAM012I ZIP comment: SecureZIP for z/OS by PKWARE
ZPAM013I *************************************************************
ZPAM001I Filename: PKWARE/MVS/JCL/ACZDFLT
ZPAM002I File type: TEXT
ZPAM003I Date/Time: 30-AUG-2005 16:24:00
ZPAM004I Compression Method: Deflate- Super Fast
ZPAM005I Compressed Size: 2,240
ZPAM006I Uncompressed Size: 4,183
ZPAM007I 32-bit CRC: 419ABFDA LHDR Offset: 0
ZPAM008I Created by: PK zSeries 9.0
ZPAM009I Needed to extract: ZipSpec 6.1
ZPAM010I Encryption: AES_256 Certificate Key BSAFE(R)
ZPAM301I File Type: NONVSAM PDS
ZPAM302I File PDS Directory Blocks: 50
ZPAM303I File Record Format: FB
ZPAM304I File Allocation Type: CYL
ZPAM305I File Primary Space Allocated: 5
ZPAM306I File Secondary Space Allocated: 9
ZPAM307I File Record Size: 80
ZPAM308I File Block Size: 27920
ZPAM309I File Volume(s) Used: FPD002
ZPAM310I File Creation Date: 2005/07/22
ZPAM311I File Referenced Date: 2005/08/30
ZPAM319I SMS Storage Class: PRIVATE
ZPAM312I File PDS Extended Directory Information:
DIRECTORY INFORMATION FOLLOWS LENGTH=00001E
000000 01040029 0102198F 0102205F 14010033 |................|
000010 00330000 C6D7C440 40404040 40400000 |....FPD         |
ZPAM312C -SIZE -CREATED-- ------CHANGED------ ---ID-- -INIT VV.MM
ZPAM312C    51 2004/07/17 2004/07/24 14:01:29 FPD       51 01.04
ZPAM313I PDS member TTRKZC: 00010700000F
ZPAM320I 4 recipient(s) were designated:
ZPAM321I Recipient: PKWARE Test03
ZPAM322I Public Key Hash: 07E091CE30862B61663CF9D356863BF84D3DC8D5
ZPAM323I Email: [email protected]
ZPAM324I Cert: //'PKWARE.MVS.CERTSTOR.PRIVATE(pkwt03)'
ZPAM321I Recipient: PKWARE Test01
ZPAM322I Public Key Hash: 271842663AA344FBC35656BE68B5A46EE7E545F0
ZPAM323I Email: [email protected]
ZPAM324I Cert: //'PKWARE.MVS.CERTSTOR.PUBLIC(pkwt01)'
ZPAM321I Recipient: PKWARE Test02
ZPAM322I Public Key Hash: 5D9E8B89B5948E9E853338A7250D64C5BED5E9E7
ZPAM323I Email: [email protected]
ZPAM324I Cert: //'PKWARE.MVS.CERTSTOR.PUBLIC(pkwt02)'
ZPAM321I Recipient: PKWARE Test04
ZPAM322I Public Key Hash: 6E16CFEFFAA093242B89DEE623C7D7428082F3E3
ZPAM323I Email: [email protected]
ZPAM324I Cert: //'PKWARE.MVS.CERTSTOR.PUBLIC(pkwt04)'
ZPAM013I *************************************************************

Notice in the output above the following fields:

Created by: The program and release level that placed the file in the archive.

Needed To Extract: A program compatible with the listed ZIP file format specification. The number listed is not a version of the SecureZIP for z/OS program but rather a version of the ZIP file format. For example, version 8.1 of the program uses features of the 6.20 ZIP file format that are not available in earlier versions. Preceding versions of the program used earlier versions of the ZIP file format.

Decrypting a Filename Encrypted Archive

When opening an archive, SecureZIP for z/OS automatically decrypts file names for anyone on a recipient list for the encrypted file names.


If file names are encrypted using a password (with or without a recipient list), SecureZIP for z/OS requests a password when anyone who is not on the recipient list tries to open the archive. If the correct password is not entered, SecureZIP does not open the archive.


5 Security Questions and Solutions

This chapter contains answers to questions a system administrator is likely to have about integrating SecureZIP into the operating environment.

Which encryption settings should be chosen?

Various external factors such as legislative requirements or corporate policy may influence your decision to select an algorithm or mode of encryption. However, when operating within those requirements, the following SecureZIP information may be of value.

NIST has instructional information regarding password vs. certificate-based (PKI) encryption. In general, Certificate-based encryption is accepted to be more secure than Password-based encryption.

Support is provided for a 56-bit key length for the DES encryption algorithm and for the older 96-bit “Standard” PKZIP for z/OS ENCRYPTION_METHOD, but key lengths for newer algorithms are supported at a minimum of 128 bits.

PKWARE provides interoperability between z/OS, OS400, iSeries, UNIX and Windows for all algorithms provided with ENCRYPTION_METHOD with its product set at release 8.0 and above. This includes more advanced algorithms with minimum key lengths of 128 bits.

Older releases of PKZIP for z/OS products support “Standard” 96-bit encryption for wider cross-platform compatibility when required.

When RECIPIENT PKI exchanges are required, then ENCRYPTION_METHOD must specify an algorithm other than STANDARD.

Password-based AES encryption is supported by PKWARE products at release 5.5 or higher.

BSAFE_AES and AES password-based encryption are 100% compatible, whether or not an IBM ICSF Hardware-based encryption facility is used. Archives created with PKZIP for zSeries Release 5.5 can be bi-directionally exchanged with SecureZIP products using the BSAFE AES algorithms.

The highest level of performance may be achieved by selecting an algorithm that can be serviced by a hardware-based ENCRYPTION_FACILITY. The use of VERBOSE and SHOW_SETTINGS in a sample PKZIP run will report which facilities are available for each algorithm. In addition, the utility PKCRYUTL (with sample JCL in INSTLIB) can be used to assess the relative performance of each on a specific system.

The IBM Cryptographic Facilities Integration feature of SecureZIP for z/OS enables the use of a system’s activated IBM Cryptographic Hardware feature through published ICSF APIs to achieve the best cryptographic service performance available for data encryption/decryption and digital signature processing.

How is encryption activated?

Encryption is activated through the use of the PASSWORD (and/or RECIPIENT for SecureZIP) commands. If a value is present for either setting, whether through explicit commands or default settings, then encryption will be attempted in accordance with other applicable settings (such as ENCRYPTION_METHOD).

However, if ENCRYPTION_METHOD=NONE is specified, then encryption will be bypassed.

Note that certificate-based encryption for recipients is supported only by SecureZIP for z/OS, not by PKZIP for z/OS. This mode of encryption requires that one of the strong ENCRYPTION_METHODs (minimum 128-bit) be selected.

How is ICSF hardware acceleration activated?

SecureZIP only

ICSF hardware acceleration is discussed in chapter 7, on Cryptographic Facilities. The SecureZIP FACILITY_ENCRYPTDATA, FACILITY_HASH and FACILITY_RANDOM settings permit the use of actively enabled ICSF APIs for IBMHARDWARE and IBMSOFTWARE.

What is the difference between an Encryption Method and an algorithm?

An encryption algorithm is the fundamental component of a SecureZIP Encryption Method. The name of the algorithm (such as DES, 3DES, AES) is included in the Method name for ease of reference. However, the Method applies additional security mechanisms to the base algorithm processing. One such mechanism is Cipher Block Chaining (CBC) seeded with random data that is unique to each file encryption process. The use of Cipher Block Chaining ensures that the resulting cipher text for two different ZIP runs of the same data and password will be different.

How many recipients can be specified?

SecureZIP only

The ZIP file format specification allows for a maximum recipient-list size of 3,275. This size can be restricted further by other file attributes associated with the data, and by run-time capacity limitations (such as virtual storage). (Note: Approximately 20 bytes are required for each recipient within the ZIP archive central directory record for each file. This area is limited to 64K in size.)

What virtual storage is required for certificate-based encryption?

SecureZIP only

When using recipient-based encryption, plan on an initial increase of 4MB of 31-bit storage for up to 15 recipients. LDAP will require an additional 1MB for every 27 recipients above 15. File-based and local certificate store will require an additional 1MB for every 41 recipients above 15.

How does ENCRYPTION_METHOD affect certificate-based encryption?

SecureZIP only

Public/private key encryption using BSAFE® is used to digitally envelope the master session key. Once the master session key is determined, an independent file session key is derived (unique for each file) to encrypt the file data with the symmetric algorithm specified by ENCRYPTION_METHOD. Several encryption algorithms are supplied with SecureZIP. Any algorithm may be specified for use with PASSWORD. However, an encryption method other than “STANDARD” must be specified for use with RECIPIENTs.

How does SecureZIP activate MASTER_RECIPIENT contingency keys?

SecureZIP only

Note: Beginning with SecureZIP for z/OS 11.0, contingency keys through the use of Security Server Key Rings are available as a replacement for MASTER_RECIPIENT, providing more advanced control of such keys. See the SecureZIP for z/OS Security Administrator’s Guide for more information.

To meet corporate security policies, SecureZIP provides the ability to use the MASTER_RECIPIENT setting to include one or more master recipient contingency key certificate files in a SecureZIP job when an ENCRYPTION_METHOD specification other than “STANDARD” is activated. The setting causes the data to be encrypted for the master recipient(s) in addition to other recipient or password settings, thereby ensuring that the organization can always decrypt its encrypted data.

The primary MASTER_RECIPIENT can be set directly in the defaults module, or indirectly by specifying MASTER_RECIPIENT in a command stream referenced by SECUREZIP_CONFIG. This default-module-only setting specifies a PDS[E] member that contains SecureZIP certificate store configuration commands to be automatically included in the processing stream. The configuration command values from this member will be included at the start of command input processing, prior to //SYSIN statements being read. The data set(member) will be converted into an "INCLUDE_CMD=(pds[e](member))" command internally and will be echoed to the message log in accordance with the ECHO setting. The primary MASTER_RECIPIENT will be reported in the SHOW_SETTINGS report.

Supplemental -MASTER_RECIPIENT commands may be provided via the primary SYSIN input stream, or indirectly from either the SECUREZIP_CONFIG or INCLUDE_CMD specifications. They will be internally converted to RECIPIENT commands for processing.

MASTER_RECIPIENT settings are cumulative. Therefore a setting in the defaults module cannot be overridden or eliminated from an execution.

How does MASTER_RECIPIENT affect activation?

When SecureZIP is being used to encrypt data, either with RECIPIENT or PASSWORD (unless ENCRYPTION_METHOD=STANDARD), a recipient specified by MASTER_RECIPIENT is automatically included. However, a MASTER_RECIPIENT setting does not cause encryption to take place.
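The mechanics described in the answers above, a per-file random IV for Cipher Block Chaining, a master session key enveloped to each recipient with an independent file session key derived from it, and a MASTER_RECIPIENT contingency key that can always recover the data, are shown working together in this added Go example. It is not PKWARE's code or the SecureZIP archive format: RSA-OAEP for the envelope, HMAC-SHA256 as the file-key derivation, AES-256-CBC for the data, and the names Archive, Seal, Open, fileKey and newKey are all this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Archive models one sealed ZIP entry: the master session key wrapped once per
// recipient label, plus the file data under its own derived key and a fresh IV.
type Archive struct {
	WrappedKeys map[string][]byte // label -> RSA-OAEP wrapped master session key
	Name        string
	Salt        []byte // random per file, mixed into the file session key
	IV          []byte // random per file, CBC initialization vector
	Data        []byte // AES-256-CBC cipher text, PKCS#7 padded
}

// newKey makes a recipient key pair (constructed for the example; real
// recipients' keys come from their X.509 certificates).
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// fileKey derives the independent per-file session key from the master session
// key (HMAC-SHA256 over salt and name: a constructed KDF, not PKWARE's).
func fileKey(master []byte, name string, salt []byte) []byte {
	m := hmac.New(sha256.New, master)
	m.Write(salt)
	m.Write([]byte(name))
	return m.Sum(nil) // 32 bytes: an AES-256 key
}

// Seal envelopes a random master session key with RSA-OAEP for every recipient
// (a MASTER_RECIPIENT contingency key is simply one more label), then encrypts
// the file under its own derived key and random IV.
func Seal(recipients map[string]*rsa.PublicKey, name string, plain []byte) (*Archive, error) {
	rnd := make([]byte, 64) // master key (32) | salt (16) | IV (16)
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	master := rnd[:32]
	a := &Archive{WrappedKeys: map[string][]byte{}, Name: name, Salt: rnd[32:48], IV: rnd[48:]}
	for label, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, master, nil)
		if err != nil {
			return nil, err
		}
		a.WrappedKeys[label] = w
	}
	block, err := aes.NewCipher(fileKey(master, name, a.Salt))
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plain)%aes.BlockSize // PKCS#7: always 1..16 bytes
	a.Data = append(append([]byte(nil), plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(block, a.IV).CryptBlocks(a.Data, a.Data)
	return a, nil
}

// Open recovers the file for one recipient label: any holder of a wrapped key,
// the contingency key owner included, gets the master key back; nobody else can.
func Open(a *Archive, label string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := a.WrappedKeys[label]
	if !ok {
		return nil, errors.New("label is not a recipient of this archive")
	}
	master, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, nil)
	if err != nil {
		return nil, err // wrong private key: OAEP decoding fails
	}
	if len(a.Data) == 0 || len(a.Data)%aes.BlockSize != 0 {
		return nil, errors.New("truncated cipher text")
	}
	block, err := aes.NewCipher(fileKey(master, a.Name, a.Salt))
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(a.Data))
	cipher.NewCBCDecrypter(block, a.IV).CryptBlocks(out, a.Data)
	n := len(out)
	p := int(out[n-1])
	if p == 0 || p > aes.BlockSize || !bytes.Equal(out[n-p:], bytes.Repeat([]byte{out[n-1]}, p)) {
		return nil, errors.New("bad padding")
	}
	return out[:n-p], nil
}
```

Sealing the same file twice yields different IVs and cipher text, and either the RECIPIENT or the MASTER_RECIPIENT private key opens the archive while any other key fails at the OAEP step.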

How do I copy a local certificate store?

Copying a Local Certificate Store:

1. Generate a set of backup/restore jobs (CS.1.8.3 - Generate both a Backup and Restore job).

2. Run the backup.

3. Copy the Restore job to another file, and edit it.

- In the UNZIP step, insert an UNZIPPED_DSN command. Example: -UNZIPPED_DSN(SECZIP.CWB.CS1,SECZIP.CWB.CS2)

- Mass change all HLQs in the IDCAMS step from the old HLQ to the new one; in this example, SECZIP.CWB.CS1 -> SECZIP.CWB.CS2. Be sure you don’t accidentally change the -ARCHIVE command in the UNZIP step.

4. Run the modified Restore job.

5. Call up the ZIP panels.

6. Option C (config); press ENTER to get the second screen, Certificate Store Settings.

7. On the DB Profile line, enter a / to edit the member.

8. Once in the member, change all references to the old Cert Store to the new one.

9. Create a new member: enter the command create newmem, with c99999 on the first line.

10. Exit without saving the changed member under the old member name (CANCEL command and confirm no save).

11. Select the new DB Profile member on the Config panel, and you’re in business.

How do I remove a local certificate store?

SecureZIP only

When a local certificate store is no longer required, the associated unused components may be deleted. However, be aware that distributed profiles may still reference these data sets. It is highly recommended that a backup of these components be made before deleting them.

An IDCAMS DELETE may be done for:

hlq.CERTSTOR.DBX
hlq.CERTSTOR.PRIVATE
hlq.CERTSTOR.PUBLIC
hlq.CERTSTOR.P7CA
hlq.CERTSTOR.P7ROOT
hlq.CERTSTOR.P7CRL

Note: The delete for the DBX cluster will automatically delete the alternate index and path components.

Scan PARMLIB and JCL libraries for configuration profile references to the deleted components. Perform cleanup as needed.

How can the contents of an X.509 certificate file be determined?

SecureZIP only

The PKSCNPRT member located in the INSTLIB data set is designed to read and report on end-entity X.509 certificate files. This job works with public key files in CER format (either DER or Base64 encoded), and private key files in PFX or P12 format (either DER or Base64 encoded). See the following sample job:

********************************* Top of Data ***********************
//SCANCERT JOB (8900),PKWARE,MSGCLASS=H,
//         CLASS=B,REGION=8M,NOTIFY=&SYSUID
//         JCLLIB ORDER=PKWARE.MVS.INSTLIB                 <== VERIFY
//JOBLIB   DD DSN=PKWARE.MVS.LOAD,DISP=SHR                 <== VERIFY
//***
//*  BEFORE RUNNING THIS JOB, EDIT THE FOLLOWING ITEMS:
//*
//*  1. TAILOR THE JOB CARD TO FIT YOUR INSTALLATION STANDARDS.
//*  2. IF NECESSARY, CHANGE HIGH-LEVEL QUALIFIERS FOR THE LOAD
//*     LIBRARY AND FILES FROM "PKWARE.MVS" TO FIT THE PRODUCT
//*     INSTALLATION SUPPORT FILES ON YOUR SYSTEM.
//*  3. CHANGE THE SECOND PARAMETER OF THE %RMCRTPRT STATEMENT TO
//*     MATCH YOUR INSTALLED SECUREZIP LOAD LIBRARY.
//*  4. THE 3RD PARAMETER, IF PROVIDED, IS THE PASSWORD OF THE P12/PFX
//*     PRIVATE-KEY CERTIFICATE FILE.  "*" MAY BE USED TO
//*     INDICATE THAT THE FILE IS FOR A PUBLIC-KEY CERTIFICATE FILE.
//*     NOTE: THE PASSWORD IS CASE-SENSITIVE AND MUST BE BRACKETED BY
//*     DOUBLE QUOTES.  I.E. "your password goes here"
//***
//LISTCER  EXEC PKISPF
//SCANIN   DD DISP=SHR,DSN=PKWARE.MVS.INSTLIB2(PVT3CERT)   <= INPUT X.509
//PKSCNPRT DD SYSOUT=*                                     <= OUTPUT LIST
//ISPF.SYSTSIN DD *
 ISPSTART CMD(RMCRTPRT DD:SCANIN PKWARE.MVS.LOAD "PKWARE")
//*
******************************** Bottom of Data *********************

The following is the resulting output of the job above, detailing the end-entity certificate information.

********************************* TOP OF DATA **************************
PKSCANCRT scan(0) file is: dd:SCANIN
PKSCANCRT Private Cert will be processed (6)
PKSCANCRT --file #1 found (2106) dd:SCANIN Type=1
--- Certificate 1 --- PKWARE Test3
Subject:
  CN=PKWARE Test3
  [email protected]
Issuer:
  C=US
  S=Wisconsin
  L=Milwaukee
  O=PKWARE, Inc.
  OU=PKWARE, Inc. -- for test and evaluation purposes only
  CN=PKWARE Test Intermediate Cert
  [email protected]
SerialNumber: 03
NotBefore: Mon Dec 20 09:06:09 2004
NotAfter: Fri Dec 13 09:06:09 2024
KeyUsage: E0 00
SHA-1 Hash of Certificate(Thumbprint):
  7B 88 01 52 1B FF 0B B1 2E 42 32 40 03 75 05 0E 60 EE 52 97
Public Key Hash:
  A7 C6 BB 45 BF 22 98 47 B7 3A FA 74 7C 00 37 8E 91 20 2C 31
End Entity
RMCRTPRT -
RMCRTPRT - Certificate Details
RMCRTPRT - ===================
RMCRTPRT - CN=
RMCRTPRT - Email=
RMCRTPRT - FN=
RMCRTPRT - Issuer=
RMCRTPRT - Valid Dates=
RMCRTPRT - SerialNumber=
RMCRTPRT - Usage=
RMCRTPRT - Trust=
RMCRTPRT - Revoke=
RMCRTPRT -
******************************** BOTTOM OF DATA *************************

You may also report on an intermediate CA, trust root CA, and/or a CRL by selecting option 3 (“x.509 Certificate Utilities”) from the SecureZIP Certificate Store Administration panel.

Here you will enter the certificate source file in question and select option 2 (“List Certificates”). This option displays details about each certificate in the source file in a BROWSE window. From here you can determine the contents.
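As an added example (not PKWARE's PKSCNPRT or RMCRTPRT code), the Go program below produces the same fields for a CER-format certificate, accepting DER, PEM or bare Base64 input as the job does. It assumes SHA-1 over the SubjectPublicKeyInfo for the Public Key Hash line, which the page does not specify, and the names CertReport, Report, loadCertificate, keyUsageByte and makeTestCert are its own; the certificate it reports on is constructed in code as a stand-in for INSTLIB2(PVT3CERT).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"math/bits"
	"strings"
	"time"
)

// CertReport carries the fields the PKSCNPRT listing shows for an end-entity certificate.
type CertReport struct {
	Subject, Issuer, Serial string
	NotBefore, NotAfter     time.Time
	KeyUsage                []string
	KeyUsageByte            byte   // first byte of the DER KeyUsage bit string ("E0" in the listing)
	Thumbprint              string // SHA-1 over the DER certificate, printed as "7B 88 01 ..."
	PublicKeyHash           string // SHA-1 over SubjectPublicKeyInfo (assumed; the page does not say what PKSCNPRT hashes)
	EndEntity               bool
}

// keyUsageNames lists the RFC 5280 KeyUsage bits that are set, in bit order.
func keyUsageNames(ku x509.KeyUsage) []string {
	all := []string{"digitalSignature", "nonRepudiation", "keyEncipherment",
		"dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
		"encipherOnly", "decipherOnly"}
	var set []string
	for i, name := range all {
		if ku&(1<<uint(i)) != 0 {
			set = append(set, name)
		}
	}
	return set
}

// keyUsageByte gives the first byte of the DER bit string. DER numbers bit 0
// (digitalSignature) as the most significant bit, the reverse of Go's flags, so
// digitalSignature|nonRepudiation|keyEncipherment (0x07) prints as E0.
func keyUsageByte(ku x509.KeyUsage) byte {
	return bits.Reverse8(byte(ku & 0xFF))
}

// loadCertificate accepts what PKSCNPRT accepts for a CER file: DER, PEM or bare Base64.
func loadCertificate(data []byte) (*x509.Certificate, error) {
	if block, _ := pem.Decode(data); block != nil {
		data = block.Bytes
	} else if raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(string(data))); err == nil {
		data = raw // Base64 text without PEM armor
	}
	return x509.ParseCertificate(data) // DER, possibly unwrapped above
}

// Report reads one certificate and returns the details an administrator checks.
func Report(data []byte) (*CertReport, error) {
	cert, err := loadCertificate(data)
	if err != nil {
		return nil, err
	}
	thumb, pk := sha1.Sum(cert.Raw), sha1.Sum(cert.RawSubjectPublicKeyInfo)
	return &CertReport{
		Subject: cert.Subject.String(), Issuer: cert.Issuer.String(),
		Serial:  fmt.Sprintf("%X", cert.SerialNumber.Bytes()),
		NotBefore: cert.NotBefore, NotAfter: cert.NotAfter,
		KeyUsage: keyUsageNames(cert.KeyUsage), KeyUsageByte: keyUsageByte(cert.KeyUsage),
		Thumbprint: fmt.Sprintf("% X", thumb[:]), PublicKeyHash: fmt.Sprintf("% X", pk[:]),
		EndEntity: !cert.IsCA,
	}, nil
}

// makeTestCert builds a constructed self-signed end-entity certificate carrying
// the listing's KeyUsage bits and validity dates; it stands in for INSTLIB2(PVT3CERT).
func makeTestCert() ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "PKWARE Test3"},
		NotBefore:    time.Date(2004, 12, 20, 9, 6, 9, 0, time.UTC),
		NotAfter:     time.Date(2024, 12, 13, 9, 6, 9, 0, time.UTC),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | x509.KeyUsageKeyEncipherment,
		BasicConstraintsValid: true, // IsCA stays false: an end-entity certificate
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
```

The KeyUsage line is the one worth decoding: DER numbers bit 0 as the most significant bit, so the listing's E0 00 means digitalSignature, nonRepudiation and keyEncipherment, the last being the bit RSA key transport to a recipient relies on.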

6 PKWARE PartnerLink: SecureZIP Partner

This chapter applies only to participants in the PKWARE PartnerLink program. Other readers may skip this section.

PKWARE PartnerLink enables a sponsor organization to give partner organizations that may not have SecureZIP for z/OS the SecureZIP Partner for z/OS application so that sponsor and partner can use SecureZIP for z/OS to securely exchange ZIP archives.

This chapter addresses administration activities unique to the SecureZIP Partner for z/OS application, used by PartnerLink partners.

About SecureZIP Partner for z/OS

SecureZIP Partner for z/OS is a special version of SecureZIP for z/OS. It provides most of the functionality of the full program but works only with archives created by (or for) a sponsor.

SecureZIP Partner has two modes of operation:

Read mode: Read mode enables SecureZIP functionality to extract files from a ZIP archive signed by a sponsor. In this mode, the program can decrypt and decompress files and authenticate digital signatures.

In Read mode, the program only extracts; it does not add files to a new or existing archive and does not compress, encrypt, or sign files. SecureZIP Partner extracts only archives digitally signed by a sponsor.

Write mode: Write mode enables SecureZIP functionality for adding files to a ZIP archive, including commands to compress, encrypt, and digitally sign files.

In Write mode, the program can create and update archives, but only for a designated PartnerLink sponsor and only if the sponsor provides certificates for SecureZIP Partner to use to encrypt. New or updated archives are automatically encrypted for sponsor recipients: only those recipients can decrypt and read the files.

SecureZIP Partner only does certificate-based encryption. It does not do passphrase-based encryption.

See the chapter relating to PartnerLink in the SecureZIP for z/OS User’s Guide for an operational description of the SecureZIP Partner product.

If You Are a Sponsor: Sign the Central Directory

A sponsor organization uses SecureZIP as usual to work with archives for, or from, a partner. There is just one special requirement when creating an archive for a partner: in order for the partner to be able to extract the archive, you must sign the central directory of the archive using a certificate included in the Sponsor Distribution Package. A Sponsor Distribution Package is a package that PKWARE assembles for a sponsor to configure for partners of that sponsor.

Terms and Acronyms Used in This Chapter

The PKWARE PartnerLink program introduces some new concepts and terminology:

Sponsor – An installation responsible for initiating and defining a PartnerLink sponsor-partner relationship with one or more other installations. A sponsor uses the full-featured SecureZIP product; a partner uses the special SecureZIP Partner for z/OS version.

Partner – An installation configured using a particular sponsor’s Sponsor Distribution Package (see below) to be a partner of that sponsor. A partner uses SecureZIP Partner for z/OS to work with archives from, or for, the sponsor.

Sponsor Distribution Package – A configuration package distributed to a partner on behalf of a sponsor to define the authorization requirements and provide the certificates needed to process ZIP archives from, or for, the sponsor. The package is digitally signed using a PKWARE-assigned certificate.

Sponsor File – A component file in a Sponsor Distribution Package

Sponsor Imprint – A unique digital representation of a registered sponsor-partner relationship within the PKWARE PartnerLink program. This may represent the unique identification of Distribution Package components or of ZIP archives being read.

Sponsor/Partner Registration ID – A unique registration number that identifies a particular sponsor-partner relationship

Read mode – The mode of SecureZIP Partner UNZIP processing that extracts archives from (and only from) a PartnerLink sponsor configured on the partner’s system

Write mode – The mode of SecureZIP Partner ZIP processing that creates an encrypted ZIP archive for a particular configured PartnerLink sponsor

FF – Acronym for full-featured SecureZIP operations, as distinct from those of SecureZIP Partner

PKWARE PartnerLink Program: Overview

The PKWARE PartnerLink program provides a straightforward, secure way for an organization to exchange sensitive information with outside partners.

A PartnerLink sponsor organization establishes a PartnerLink partner relationship with another organization. As a PartnerLink partner, the external organization receives the SecureZIP Partner program to use to decrypt and extract archives created by the sponsor using the full SecureZIP program. The partner can also use the program to create archives for the sponsor that only the sponsor can decrypt.

The SecureZIP Partner program used by a PartnerLink partner extracts archives only from a sponsor and creates and encrypts archives only for a sponsor.

Decrypting and Extracting Sponsor Data (Read Mode)

When SecureZIP Partner is installed at a partner location, a sponsor can create, digitally sign, and encrypt SecureZIP secure containers (ZIP archives) for the partner. In Read mode, the SecureZIP Partner program verifies that the data file received has the appropriate signature from the sponsor and that the signature is valid. This confirms that the data is from the expected sender and that no tampering has occurred. The partner can then decrypt and extract the data.

Creating an Archive for a Sponsor

If a sponsor has provided an encryption key, a partner can also use SecureZIP Partner (Write mode) to create encrypted ZIP archives for the sponsor. SecureZIP Partner automatically encrypts any data placed in an archive. The archive can then be transferred to media or transmitted to the sponsor electronically.

Getting Started

SecureZIP customers join the PartnerLink program by contacting PKWARE and applying for a PartnerLink sponsorship.

A PartnerLink sponsor provides PKWARE with a copy of the public key matching the certificate that will be used to sign secure containers sent to partners. This key enables a partner to authenticate sponsor signatures.

A sponsor may also provide a copy of a public key for the partner to use to encrypt data files for the sponsor, and also a copy of a designated (public) contingency key. These encryption keys are needed only if a sponsor wants to enable partners to create archives for delivery to the sponsor. SecureZIP Partner creates only archives encrypted for a designated sponsor, using sponsor-provided keys. If a sponsor does not provide keys for encryption, a partner cannot use SecureZIP Partner to create archives. SecureZIP Partner does not create unencrypted archives.

PKWARE incorporates the sponsor keys into a PartnerLink Sponsor Distribution Package (SDP). The Sponsor Distribution Package is used to configure a SecureZIP Partner installation to extract SecureZIP secure containers signed by a sponsor and (if encryption keys are provided) to encrypt data files for a sponsor using the sponsor’s public keys. SecureZIP Partner extracts archives only if they are signed by a sponsor. If keys for encryption are included in the SDP, SecureZIP Partner automatically encrypts archives created for the respective sponsor using the included keys. Only the sponsor recipients who own those keys can decrypt and read the files in an archive that SecureZIP Partner encrypts.

Once the Sponsor Distribution Package has been created, a sponsor can invite outside partner, customer, or vendor organizations to participate as PartnerLink partners. The sponsor supplies instructions on how to contact PKWARE to request a copy of the SecureZIP Partner application. After SecureZIP Partner is installed and configured at the partner location, sponsor and partner can exchange data files with confidence that the data is protected.

Co-existence with Other PKWARE Products

The SecureZIP Partner for z/OS product package can be installed alongside other SecureZIP product releases. If a full-featured SecureZIP for z/OS is also to be run at the same release/maintenance level, a single software installation may be performed, using independent license control data sets and configuration settings to govern the operating characteristics.

Recommendations

Installations using both SecureZIP Partner and full-featured SecureZIP for z/OS in the same system should configure separate local certificate stores for each. Although certificate store components can co-exist in the same Store, care must be taken that full-featured component names assigned by the system administrator do not conflict with names automatically generated by SecureZIP Partner.

Installations using both SecureZIP Partner and full-featured SecureZIP for z/OS in the same system at the same release level may elect to install only one set of execution libraries for ease of maintenance. The license control data set used at run-time (as controlled by the defaults module LICENSE_HLQ parameter) can be used to select the appropriate mode of operation.

When other releases of SecureZIP are operating in the same system, only one set of libraries may be installed in the system LINKLST. The other release of software must be run with a JOBLIB/STEPLIB for the load library.

If separation of software operation is required, separate ISPF startup dialogs should be configured in the system (Ref: PKZSTART startup exec) with the associated LIBDEF information.

PartnerLink Certificate Store Administration and Configuration

Certificate administration and use in the SecureZIP Partner operating environment differ slightly from the case with full-featured SecureZIP for z/OS.

Whereas all digital key components are individually administered in a full-function installation, SecureZIP Partner components are pre-packaged for distribution and installation into a Sponsor Distribution Package. Many features of SecureZIP Partner work the same as in full-featured SecureZIP, but some features work differently and use special components of a Sponsor Distribution Package instead of standard SecureZIP components.

The following table indicates which components of the SecureZIP for z/OS local certificate store are used for each certificate use, in relation to the mode of operation.

Certificate Use                   Full Feature SecureZIP    SecureZIP Partner
Archive Signature Authentication  Full Certificate Store*   Sponsor Distribution Package SPONSOR AUTH/auth.p7
File Signature Authentication     Full Certificate Store*   Full Certificate Store
Archive Signing                   Full Certificate Store*   Full Certificate Store
File Signing                      Full Certificate Store*   Full Certificate Store
Encryption                        Full Certificate Store*   Sponsor Distribution Package SPONSOR RECIPIENT/recip.p7
Decryption                        Full Certificate Store*   Full Certificate Store

* A fully functional certificate store includes public-key and/or private-key X.509 certificate files along with their associated certificate authority trust chain and an optional certificate revocation list. To set up a certificate store, use the SecureZIP for z/OS certificate store administration tool. You are responsible for obtaining the appropriate digital certificate resources.

Choosing a Configuration Model

Depending on your installation’s business requirements for segregated process controls, you may choose to coordinate the operation of sponsor profiles from a centralized certificate store, or segregate the configurations entirely.

Components supporting a sponsor profile are installed as members of partitioned data sets with the unique sponsor/partner registration control number used as a relational index.

Shared Certificate Store for Multiple Sponsor Profiles

The SecureZIP for z/OS certificate store supports the ability to install and configure multiple sponsor profiles within a single store. This centralized approach may be the simplest to manage.

Segregated Certificate Store for Individual Sponsor Profiles

If segregated access to sponsor information is desired, then multiple independent stores may be defined to provide data set level access control to the resources.

Configured Sponsor Package Components

When a Sponsor Distribution Package is installed, various components are configured within the certificate store. The following table describes the components and how they are used.

Component: Sponsor Authentication Configuration Setting
  -{SPONSOR_AUTH=1;0;dsname}

Usage: Used to access an input ZIP archive (via -AUTHCHK=ARCHIVE) by a SecureZIP Partner execution. Multiple Sponsor Authentication Configuration Setting commands are accepted, thereby permitting access to a ZIP archive that is from one of many possible sponsors. dsname references an installed Sponsor Authentication File. The SPONSOR_AUTH parameter has the same format as the other Certificate Store files (e.g. CSCA=…).

Location: dsname is hlq.CERTSTOR.SPONSOR.INFO(Accccccc), where hlq is the high level qualifier of the configured Local Certificate Store and ccccccc is the Sponsor ID.

Component: SecureZIP Partner Recipient Command
  -RECIPIENT(DSN:’dsname’)…

Usage: Used to create a ZIP archive by a SecureZIP Partner execution. dsname references an installed SecureZIP Partner Authorized Recipient File. Only one SecureZIP Partner RECIPIENT configuration command will be accepted for processing per ZIP pass.

Location: dsname is hlq.CERTSTOR.SPONSOR.INFO(Rccccccc), where hlq is the high level qualifier of the configured Local Certificate Store and ccccccc is the Sponsor ID.

Component: Sponsor Authentication File

Usage: PKCS#7 file identifying a list of authentication public-key certificates used to validate the source of an input ZIP archive. Referred to by the Sponsor Authentication Configuration Setting supplied to the SecureZIP Partner run.

Location: dsname is hlq.CERTSTOR.SPONSOR.AUTH(Accccccc), where hlq is the high level qualifier of the configured Local Certificate Store and ccccccc is the Sponsor ID.

Component: SecureZIP Partner Authorized Recipient File

Usage: PKCS#7 file identifying a list of sponsor-provided public-key certificates that can be used to encrypt new data being added to a ZIP archive. Referred to by the SecureZIP Partner Recipient Command supplied to the SecureZIP Partner run.

Location: dsname is hlq.CERTSTOR.SPONSOR.RECIP(Rccccccc), where hlq is the high level qualifier of the configured Local Certificate Store and ccccccc is the Sponsor ID.

Component: Package Information File

Usage: An XML file containing the Sponsor Package description. Used by the package list and installation processes.

Location: hlq.CERTSTOR.SPONSOR.INFO(Xccccccc), where hlq is the high level qualifier of the configured Local Certificate Store and ccccccc is the Sponsor ID.

Component: Local Certificate Store Index

Usage: Certificate Store index records are written to represent the Sponsor Authentication File and the SecureZIP Partner Authorized Recipient File. They are represented in the ISPF certificate table display as record types READ and SLNK respectively.

Location: CSPUB_DBX Local Certificate Store Index

During package installation, ISPF statistics will be set for component members to reflect the following:

The Created Date will reflect the Sponsor Package create date (from inside the XML informational description).

The Changed Date/Time will reflect the installation date/time on the local system.

The ID will reflect the User ID associated with the installing job/session.

Installing a Sponsor Distribution Package

Although the SecureZIP Partner for z/OS software license is provided with the product package, the ability to operate with ZIP archives is activated through the use of sponsor configuration components.

Note: Before continuing with steps in this section, ensure that the Software Activation License has been applied.

Sponsor Distribution Package Installation Steps

A Sponsor Distribution Package is installed as a configuration to an existing local certificate store. The following steps define the process to configure SecureZIP Partner for operations with a related sponsor.

Note: It is highly recommended that a copy of the original Sponsor Distribution Package be retained after the installation is complete in support of a subsequent installation to a certificate store of a different name or location.

1. Verify that the PartnerLink SecureZIP Partner software license has been applied.

Refer to chapter 2, “SecureZIP Partner License Activation.”

2. Verify that the Certificate Store has been created.

Reference chapter 4, “Create a New Local Certificate Store DB.”

3. If not already done, perform a binary transfer of the Sponsor Distribution Package to the system.

4. View the Sponsor Package using the SecureZIP Certificate Store Administration and Configuration ISPF dialog (option CS) for PartnerLink Administration.

Note the Sponsor Name and ID information.

5. Install the package

o Foreground install: Use the SecureZIP Certificate Store Administration and Configuration ISPF dialog (option CS) for PartnerLink Administration (option 4.3).

o Batch install: Use the SecureZIP Certificate Store Administration and Configuration ISPF dialog (option CS) for PartnerLink Administration to generate a batch job and submit.

Use the SecureZIP Certificate Store Administration and Configuration ISPF dialog (option CS) for PartnerLink Administration (option 5.1) to view the installed Sponsor configuration.

Sample PKWARE Sponsor Distribution Package

A sample Sponsor Distribution Package has been included in INSTLIB2(PLIVPPKG) to assist you in understanding the process for Sponsor Distribution Package installation and to verify the certificate store setup.

1. Verify that the PartnerLink SecureZIP Partner software license has been applied.

Refer to chapter 2, “SecureZIP Partner License Activation.”

2. Verify that the Certificate Store has been created.

Reference chapter 4, “Create a New Local Certificate Store DB.”

3. Use the SecureZIP Certificate Store Administration and Configuration ISPF dialog (option CS) for PartnerLink Administration (option 5.2) to list the sponsor package in seczip.mvs.INSTLIB2(PLIVPPKG).

4. Install the test package

o Foreground install: Use the SecureZIP Certificate Store Administration and Configuration ISPF dialog (option CS) for PartnerLink Administration (option 5.3) to install the test Sponsor package from seczip.mvs.INSTLIB2(PLIVPPKG).

o Batch install: Use the SecureZIP Certificate Store Administration and Configuration ISPF dialog (option CS) for PartnerLink Administration to generate a batch job for seczip.mvs.INSTLIB2(PLIVPPKG) and submit.

5. Use the SecureZIP Certificate Store Administration and Configuration ISPF dialog (option CS) for PartnerLink Administration (option 5.1) to view the installed Sponsor configuration. The following entries should be displayed:

Type  Common Name
SLNK  PKWARE, Inc.
READ  PKWARE, Inc.

6. Modify and run the test job in seczip.mvs.INSTLIB(PLIVPZIP) to verify the use of the test Sponsor configuration.

Updating a Sponsor Distribution Package

A currently configured Sponsor in the local certificate store can be updated with a newer version by following the normal steps for installing a Sponsor Distribution Package.

The installation procedure will check the creation date (as contained in the XML data) of the input package against the previously installed package information.

If the creation date of the input package is later than the previously installed package, then the old components will be removed, and the new package components installed (both foreground and batch processing).

When running the installation process via the foreground dialog and the creation date of the input package is equal to or older than the currently installed package, the administering user will be prompted to confirm the installation.

When running the installation process via a batch job and the creation date of the input package is equal to or older than the currently installed package, installation will be halted. The administering user may then choose to do one of the following:

o Leave the existing package in place

o Remove the existing package and then retry the install

Removing a Sponsor Distribution Package

1. Use the SecureZIP Certificate Store Administration and Configuration ISPF dialog (option CS) for PartnerLink Administration (option 5.1) to view the list of installed Sponsors.

2. Use the “D” line command for either the “SLNK” or “READ” table row. All components for the associated Sponsor ID will be removed.

Providing a Sponsor Configuration for Execution

The certificate store where the Sponsor Distribution Package components were installed must be provided (for Read access) to the executing Read (UNZIP) or Write (ZIP) jobs. In addition, specific configuration components will be required for the associated processing request.

Read-Mode Configuration

In addition to the basic certificate store configuration settings, one or more -{SPONSOR_AUTH…} command settings as generated in the SPONSOR.INFO must be provided for proper authentication of the input ZIP archive. The UNZIP run-time process may include these command settings in the standard command input streams (SYSIN, INCLUDE_CMD), or as part of the SECUREZIP_CONFIG setting in the defaults module.


See the following sample JCL, which displays the required SecureZIP Partner parameters that would allow a partner to authenticate the sponsor’s digital signature, decrypt and extract the data to a valid output dataset:

//EXTRACT  EXEC PGM=SECUNZIP
//STEPLIB  DD DISP=SHR,DSN=SZPARTNR.PLINK.LOAD
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
-ARCHIVE_DSN(SPONSOR.SIGNED.ZIP)
-ACTION(EXTRACT)
-INCLUDE_CMD(PLINK.USER.PROFILES(PARTNER))
-{SPONSOR_AUTH=1;0;PLINK.PARTNER.CERTSTOR.SPONSOR.AUTH(A0001234)}
-RECIPIENT(DB:CN=PKWARE TEST4,PASSWORD=PKWARE)
-UNZIPPED_DSN(SPONSOR.DATA.INPUT.FILE,PLINK.SPONSORS.OUTFILE)

In the sample above, the partner's UNZIP includes the INCLUDE_CMD and SPONSOR_AUTH parameters. The INCLUDE_CMD parameter (PLINK.USER.PROFILES(PARTNER)) points to the partner certificate store to use for processing, while the SPONSOR_AUTH statement (PLINK.PARTNER.CERTSTOR.SPONSOR.AUTH(A0001234)) refers to the Sponsor Authorization details contained in the SDP, which the partner must install before attempting to authenticate, decrypt and extract an archive received from that sponsor. The sponsor's ID in the sample is 1234; the SPONSOR_AUTH command selects it through the corresponding PDS member (A0001234). The UNZIPPED_DSN parameter, although not required, is useful because it lets the partner name the original input file (SPONSOR.DATA.INPUT.FILE) and a new output file (PLINK.SPONSORS.OUTFILE) during extraction, in effect renaming the output to an HLQ and node structure that is valid in the partner's environment.

If sponsor data is encrypted, then the partner must apply the appropriate decryption parameters during the UNZIP job. If the sponsor archive is encrypted with a digital certificate (using the partner’s public key), as in the sample above, then the RECIPIENT parameter is required to specify the private key certificate to use to decrypt, along with the password protecting the private key. If passphrase-only encryption is used on the sponsor archive, then the partner must use the PASSWORD parameter instead of RECIPIENT and must enter the appropriate passphrase to decrypt.

Write-Mode Configuration

One SecureZIP Partner RECIPIENT command must be provided at ZIP run time to designate the sponsor the archive is being created for with data encryption. It may be specified by any of the following means:

The SecureZIP Run Time Configuration DB Profile settings

Included commands from the defaults SECUREZIP_CONFIG

Indirect commands via INCLUDE_CMD

Additional command line at the bottom of the screen for ZIP processing.

Note: Only one RECIPIENT command is permitted per run. Care should be taken to ensure that only one RECIPIENT request is made when combining the RECIPIENT command with other configuration settings or using it with implicit includes.

See the following sample JCL, which details the required SecureZIP Partner parameters that allow a partner to compress and encrypt data to send to the sponsoring organization:

-ARCHIVE_DSN(PARTNERS.SECURED.ZIP)
-ACTION(ADD)
-INCLUDE_CMD(PLINK.USER.PROFILES(PARTNER))
-RECIPIENT(DSN:'PLINK.PARTNER.CERTSTOR.SPONSOR.RECIP(R0001234)')
-ENCRYPTION_METHOD(AES256)
PARTNER.INPUT.DATAFILE

A partner’s ZIP job must include a RECIPIENT command that points to the appropriate SPONSOR.RECIP PDS(member) and an INCLUDE_CMD statement that identifies the proper certificate store.

The RECIPIENT parameter is required during ZIP processing and encrypts the data for a designated sponsor (sponsor ID 1234 in the sample above). The PDS member PLINK.PARTNER.CERTSTOR.SPONSOR.RECIP(R0001234) specifies which SDP to use for encryption and secures the data with the sponsor's public keys contained within that SDP. The INCLUDE_CMD parameter (PLINK.USER.PROFILES(PARTNER)) directs SecureZIP Partner to the certificate store where the sponsor's SDP has been installed.

ENCRYPTION_METHOD defaults to AES128 unless another value is specified in the job stream. The archive is encrypted with the sponsor's public key from the SDP, so the partner will not be able to test or extract the data from the archive: only the sponsor holds the private key needed to decrypt it.


7 Cryptographic Facility Utility - PKCRYUTL

SecureZIP only

The SecureZIP for z/OS IBM Cryptographic Facilities Integration feature enables the selection of locally activated IBM cryptographic facilities to complete cryptographic service requests for data encryption and digital signature processing. (See “SecureZIP ICSF Operations” in the “System Requirements” section of chapter 1.)

Cryptographic Facility Categories

SecureZIP for z/OS automatically determines which facilities are available for use when a cryptographic service is required. It also selects which facility to use based on configurable preference lists specified through either the defaults module or a command.

Facilities are organized into sets of similar cryptographic functionality. For example, all symmetric data encryption methods, such as DES and AES, fall into the ENCRYPTDATA facility category. Digital signature creation or authentication requires a cryptographic HASH facility.

(See also the FACILITY_ENCRYPTDATA, FACILITY_HASH, and FACILITY_RANDOM commands in the SecureZIP for z/OS User’s Guide).

Assessing a System’s Cryptographic Capabilities with PKCRYUTL

Available ICSF APIs and underlying facilities (hardware or software emulation) vary across system configurations (see the table “ICSF feature/facility requirements” in chapter 1). The PKCRYUTL utility program provided with the product can help the administrator or user select the most appropriate facility settings when planning to employ cryptographic features of SecureZIP for z/OS.

The simplest choice for facility settings is to allow SecureZIP to choose a facility based on the default settings distributed with the product. As distributed, SecureZIP gives preference first to ICSF hardware services, then to ICSF software emulation, and finally to the software cryptographic facilities native to the SecureZIP product. This order of precedence generally provides the best performance when used in conjunction with the default ENCRYPTION_METHOD and SIGN_HASHALG algorithm settings, and it ensures that at least one facility can be selected to complete the processing request.


PKCRYUTL can also be used to verify that alternative facility preference or algorithm settings will run on a target system.

PKCRYUTL Execution

The SecureZIP product provides sample batch JCL in INSTLIB(PKCRYUTL) that will execute a report step for each cryptographic category.

The SecureZIP Administration Services ISPF dialog has a “Cryptographic Services Utility” selection that provides an options panel for foreground execution. Online help is also accessible in the dialog.

PKCRYUTL Reporting

The utility is intended to be run once for each facility category to be assessed. Multiple processing phases are performed by the utility during the run to:

Report on the basic operating environment

Report active ICSF facilities

Report which API facilities are available for SecureZIP to use

Run timing tests for available facilities

Report throughput rates for various algorithm/facility combinations

Indicate which facility would be selected for a properly licensed SecureZIP product

PKCRYUTL Sample Report

ZPEN350I PKCRYUTL 1.4 Cryptographic API Review Utility
ZPEN350I Copyright (C) 1989-2006 PKWARE, Inc. All rights reserved.
ZPEN350I Program and Output used by permission only. PKWARE, Inc.
ZPEN378I Testing with 1048571 Bytes Active
ZPEN336I CSRSI Query IBM Type(2066) Mod(0A2) #(000000000001824A)
ZPEN300I OSname<z/OS> OS Ver(01) Rel(06) Mod( ) HWclass<Z/X00 >
ZPEN307I ICSF is Active/CCVTACT
ZPEN308I ICSF is at a proper level for CSFIQF
ZPEN309I z/Architecture Hardware Available -Z/X00
ZPEN313I CSNBSYE (AES) System Capable with ICSF when available.
ZPEN314I AES Software Only Available -Z/X00
ZPEN320I CryptoAPI Facilities    HW   SW   SecureZIP
ZPEN321I 96 Bit Encryption       ---  ---  PKW
ZPEN321I AES 128 Encryption      ---  SYE  BSAFE
ZPEN321I AES 192 Encryption      ---  SYE  BSAFE
ZPEN321I AES 256 Encryption      ---  SYE  BSAFE
ZPEN321I 3DES Encryption         ENC  ---  BSAFE
ZPEN321I DES Encryption          ENC  ---  BSAFE
ZPEN321I RC4 Encryption          ---  ---  BSAFE
ZPEN321I CRC32 Hashing           ---  ---  PKW
ZPEN321I SHA1 Hashing            OWH  ---  BSAFE
ZPEN321I MD5 Hashing             ---  OWH  BSAFE
ZPEN321I SHA256 Hashing          ---  ---  ---
ZPEN321I Random Data Gen         RNG  ---  PKW
ZPEN322I Facility Encryptdata Seq: IBMHW(1) IBMSW(2) PKW(3)
ZPEN322I Facility Hash (Signature) Seq: IBMHW(1) IBMSW(2) PKW(3)
ZPEN322I Facility Randomdata Seq: IBMHW(1) IBMSW(2) PKW(3)


ZPEN340I /--------Encryptdata Matrix (01) --------/
ZPEN341I 0001(96 Bit Encryption ) Select (10/10) SecureZIP
ZPEN342I Status-IBMHW(-NotCap-) IBMSW(-NotCap-) PKW( PKW )
ZPEN341I 6801(RC4 Encryption ) Select (10/10) SecureZIP
ZPEN342I Status-IBMHW(-NotCap-) IBMSW(-NotCap-) PKW( BSAFE )
ZPEN341I 660E(AES 128 Encryption) Select (20/70) IBM Software
ZPEN342I Status-IBMHW( -NoAPI-) IBMSW(SYE/SYD ) PKW( BSAFE )
ZPEN341I 660F(AES 192 Encryption) Select (20/70) IBM Software
ZPEN342I Status-IBMHW( -NoAPI-) IBMSW(SYE/SYD ) PKW( BSAFE )
ZPEN341I 6610(AES 256 Encryption) Select (20/70) IBM Software
ZPEN342I Status-IBMHW( -NoAPI-) IBMSW(SYE/SYD ) PKW( BSAFE )
ZPEN341I 6603(3DES Encryption ) Select (40/70) IBM Hardware
ZPEN342I Status-IBMHW(ENC/DEC ) IBMSW( -NoAPI-) PKW( BSAFE )
ZPEN341I 6601(DES Encryption ) Select (40/70) IBM Hardware
ZPEN342I Status-IBMHW(ENC/DEC ) IBMSW( -NoAPI-) PKW( BSAFE )
**********************************************
ZPEN370I *************Start of Testing*****************
*************Nbr of Bytes=1048571*************
*************Nbr of MEG= 1********************
Test Summary Results CPU Usage
ZPEN383I Crypto Facilities     HW      SW      BSAFE/PKW
ZPEN384I 96 Bit Encryption     N/A     N/A     N/A
ZPEN384I AES 128 Encryption    ------  0.113*  0.167
ZPEN384I AES 192 Encryption    ------  0.132*  0.191
ZPEN384I AES 256 Encryption    ------  0.150*  0.218
ZPEN384I 3DES Encryption       0.058*  ------  1.102
ZPEN384I DES Encryption        0.042*  ------  0.378
ZPEN384I RC4 Encryption        ------  ------  0.072*
Test Summary Results Megabytes/CP Second
ZPEN383I Crypto Facilities     HW      SW      BSAFE/PKW
ZPEN384I 96 Bit Encryption     N/A     N/A     N/A
ZPEN384I AES 128 Encryption    ------  8.83*   5.98
ZPEN384I AES 192 Encryption    ------  7.58*   5.23
ZPEN384I AES 256 Encryption    ------  6.68*   4.60
ZPEN384I 3DES Encryption       17.19*  ------  0.91
ZPEN384I DES Encryption        23.74*  ------  2.65
ZPEN384I RC4 Encryption        ------  ------  13.85*
ZPEN385I-Testing Completed Total CPU Seconds(2.625) Total Elapsed Seconds(3)
ZPEN374I-Completing with rc=0
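The facility chosen in each ZPEN341I line can be reproduced from the ZPEN321I and ZPEN322I lines alone. The following Python is an added example (not PKWARE's code) that parses those lines from the sample report above and applies the rule the report documents: walk the category's preference sequence and take the first facility that reports an API; a sequence rank of 0 excludes that facility, and no match yields NONE FOUND. The licensing check PKCRYUTL also applies is not modelled; everything else comes from the report text.

```python
"""Reproduce PKCRYUTL facility selection from ZPEN321I/ZPEN322I lines.

Added example, not PKWARE code. The input below is copied from the sample
report on this page; the selection rule is the one the report documents.
"""
import re

# ZPEN321I/ZPEN322I lines taken from the sample PKCRYUTL report above.
SAMPLE_REPORT = """\
ZPEN321I 96 Bit Encryption --- --- PKW
ZPEN321I AES 128 Encryption --- SYE BSAFE
ZPEN321I AES 192 Encryption --- SYE BSAFE
ZPEN321I AES 256 Encryption --- SYE BSAFE
ZPEN321I 3DES Encryption ENC --- BSAFE
ZPEN321I DES Encryption ENC --- BSAFE
ZPEN321I RC4 Encryption --- --- BSAFE
ZPEN321I CRC32 Hashing --- --- PKW
ZPEN321I SHA1 Hashing OWH --- BSAFE
ZPEN321I MD5 Hashing --- OWH BSAFE
ZPEN321I SHA256 Hashing --- --- ---
ZPEN321I Random Data Gen RNG --- PKW
ZPEN322I Facility Encryptdata Seq: IBMHW(1) IBMSW(2) PKW(3)
ZPEN322I Facility Hash (Signature) Seq: IBMHW(1) IBMSW(2) PKW(3)
ZPEN322I Facility Randomdata Seq: IBMHW(1) IBMSW(2) PKW(3)
"""

# Names PKCRYUTL prints in the ZPEN341I "Select" column.
FACILITY_NAMES = {"IBMHW": "IBM Hardware", "IBMSW": "IBM Software", "PKW": "SecureZIP"}

ZPEN321 = re.compile(r"^ZPEN321I\s+(.+?)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
ZPEN322 = re.compile(
    r"^ZPEN322I\s+Facility\s+(.+?)\s+Seq:\s+IBMHW\((\d)\)\s+IBMSW\((\d)\)\s+PKW\((\d)\)")


def category_of(algorithm):
    """Map an algorithm name to the facility category used in ZPEN322I."""
    if algorithm.endswith("Encryption"):
        return "Encryptdata"
    if algorithm.endswith("Hashing"):
        return "Hash (Signature)"
    return "Randomdata"


def parse_report(text):
    """Return ({algorithm: {facility: api}}, {category: [facilities in order]})."""
    apis, prefs = {}, {}
    for line in text.splitlines():
        m = ZPEN321.match(line)
        if m:
            alg, hw, sw, pkw = m.groups()
            apis[alg] = {"IBMHW": hw, "IBMSW": sw, "PKW": pkw}
            continue
        m = ZPEN322.match(line)
        if m:
            cat, *ranks = m.groups()
            ranked = sorted(zip(map(int, ranks), ("IBMHW", "IBMSW", "PKW")))
            # Rank 0 means the facility is not in the FACILITY list at all.
            prefs[cat] = [fac for rank, fac in ranked if rank > 0]
    return apis, prefs


def select_facility(algorithm, apis, prefs):
    """First facility in the category's preference order that reports an API."""
    available = apis[algorithm]
    for fac in prefs[category_of(algorithm)]:
        if available[fac] != "---":
            return FACILITY_NAMES[fac]
    return "NONE FOUND"


def selection_matrix(text):
    """Algorithm -> facility, i.e. the ZPEN341I column, for a whole report."""
    apis, prefs = parse_report(text)
    return {alg: select_facility(alg, apis, prefs) for alg in apis}


if __name__ == "__main__":
    for alg, fac in selection_matrix(SAMPLE_REPORT).items():
        print(f"{alg:22} -> {fac}")
```

Run against the sample, AES lands on IBM Software (no hardware API on this Z/X00 box), 3DES and DES on IBM Hardware, RC4 and the 96-bit method on SecureZIP, and SHA256 on NONE FOUND, which matches the Encryptdata matrix above and is the check to make before changing a FACILITY_* preference list on a target system.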

PKCRYUTL Interpretation

Report lines are generated in standard SecureZIP message format. This section includes basic explanatory information for the majority of the messages. Additional information for each message, including system and user response, can be found in the SecureZIP Messages Guide as well as in the online Message section of the SecureZIP ISPF Dialog.

ZPEN300I OSname<oooo> OS Ver(vv) Rel(rr) Mod(mm) HWclass<cccccccc>
A request was made to report on the available cryptographic facilities for the current operating environment. The operating system level and hardware platform govern which cryptographic facilities may be available for use.

Classification of hardware:
S/390   Pre-z/Architecture, possibly with G5/G6
Z/X00   z/Architecture z800/z900, possibly with CCF
Z/X90   z/Architecture z890/z990, with CPACF
Z9      z/Architecture z9-109 or equivalent, with CPACF

ZPEN301E-AMUTCQRY Error Occurred:
A request was made to report on the available cryptographic facilities for the current operating environment. An attempt was made to determine what cryptographic facilities are available through ICSF, but the required ICSF and/or hardware facilities are not operative.

ZPEN320I The CCVT is not built by ICSF.
The Cryptographic Communications Vector Table (CCVT) is the major control block used in the operating system to govern ICSF service requests. It appears that ICSF has not been started in the operating environment.

ZPEN303I Either ICSF is not up, or it is up in PCF mode.
It appears that ICSF is not currently running, or an older PCF service is running.

ZPEN304I There are no valid cryptographic units ACTIVE.
Although ICSF is operating, there are no active hardware cryptographic components in the system. Although one or more may show as ONLINE, they are not usable by ICSF due to configuration settings.

ZPEN305E-Unknown ICSF Error Code: +2+H+
A request was made to report on the available cryptographic facilities for the current operating environment. An attempt was made to determine what cryptographic facilities are available through ICSF, but the required ICSF and/or hardware facilities are not operative.

ZPEN306I State Error Found <State=%02X/Error=%02X>
The CCVT is the major control block used in the operating system to govern ICSF service requests. This message may be issued when ICSF environmental conditions are determined to be inappropriate for ICSF operations through SecureZIP.

State Flags:
x'80' - An error has been detected (see Error Flags)
x'40' - ICSF is active in the system
x'20' - The ICSF level supports CSFIQF
x'10' - z/Architecture hardware is present
x'08' - CPACF Crypto Assist hardware is present
x'04' - CSNBSYE/CSNBSYD API services are available

Error Flags:
x'80' - The CCVT has never been initialized by ICSF
x'40' - ICSF is not up in an appropriate mode
x'20' - There are no hardware crypto devices available

Sample State/Error codes:
State=80/Error=80 - ICSF was never started. No other information is available (no CCVT).
State=B4/Error=40 - ICSF is in the process of starting but has not completed initialization.
State=B4/Error=60 - ICSF has been shut down.

ZPEN307I ICSF is [not] Active/CCVTACT
A request was made to report on the available cryptographic facilities for the current operating environment. ICSF (which is required for IBMHARDWARE and IBMSOFTWARE cryptographic facility use) is active in the system.

ZPEN308I ICSF is [not] at a proper level for CSFIQF
A request was made to report on the available cryptographic facilities for the current operating environment. ICSF (which is required for IBMHARDWARE and IBMSOFTWARE cryptographic facility use) is at a release level that supports the ICSF Query Facility CSFIQF. This is necessary to determine whether more advanced cryptographic services (such as hardware-based AES) are available for use.

ZPEN309I z/Architecture Hardware Available %s
The CCVT is the major control block used in the operating system to govern ICSF service requests. The hardware classification is also shown.
- CCF (Cryptographic Coprocessor Feature) may be available with Z/X00 or S/390 systems.
- CPACF (CP Assist for Cryptographic Functions) may be active on Z/X90 or Z9 systems.

ZPEN310I CP Assist For Cryptographic Functions Available
The CCVT is the major control block used in the operating system to govern ICSF service requests. CPACF hardware acceleration is available for select service requests.

ZPEN313I CSNBSYE (AES) System capable with ICSF when available.
ICSF AES symmetric data encryption can be performed on this system if the IBM Hardware Cryptographic feature is enabled. The CSNBSYE API will be used to access the IBMSOFTWARE or IBMHARDWARE facility depending on the system hardware available.

ZPEN314I AES Software Only Available [system_classification]
Some systems (hardware) do not support hardware-based AES processing. ICSF will provide CSNBSYE API software emulation.

Classification of hardware:
S/390   Pre-z/Architecture, possibly with G5/G6
Z/X00   z/Architecture z800/z900, possibly with CCF
Z/X90   z/Architecture z890/z990, with CPACF
Z9      z/Architecture z9-109 or equivalent, with CPACF

ZPEN320I Crypto Facilities HW SW SecureZIP
A request was made to report on the available cryptographic facilities for the current operating environment. A list of supported cryptographic algorithms follows, indicating which API facilities are available for use by SecureZIP. The cryptographic API facilities are categorized into one of the following groups:
HW        - IBM Cryptographic Hardware
SW        - IBM Cryptographic Software
SecureZIP - Software algorithms

ZPEN321I [crypto_algorithm] [hw_API] [sw_API] [SecureZIP_API]
A request was made to report on the available cryptographic facilities for the current operating environment. A separate report line is listed for each algorithm to indicate which (if any) API is available for use by SecureZIP before dynamic evaluation. A subsequent check of each algorithm will be performed based on run-time options and environmental characteristics.

[crypto_algorithm] The algorithm name also identifies the use type for the algorithm.

Symmetric Data Encryption algorithms:
96 Bit Encryption
AES 128 Encryption
AES 192 Encryption
AES 256 Encryption
3DES Encryption
DES Encryption

RC4 Encryption

Data Integrity and Digital Signature algorithms:
CRC32 Hashing
SHA1 Hashing
MD5 Hashing
SHA256 Hashing

[hw_API] [sw_API] The IBM Cryptographic facilities are accessed through one of the following ICSF APIs (hardware and software):
ENC - CSNBENC/CSNBDEC Encipher/Decipher
SYE - CSNBSYE/CSNBSYD Symmetric Key Encrypt/Decrypt
OWH - CSNBOWH One Way Hash
RNG - CSNBRNG Random Number Generation

[SecureZIP_API] SecureZIP provides software algorithms using one of the following services:
BSAFE - RSA BSAFE CryptoC
PKW   - PKWARE internal routine

"------" indicates that no service facility could be identified under the API service category for the algorithm.

ZPEN322I [Facility Category] Seq: IBMHW(x) IBMSW(x) PKW(x)
As part of the CryptoAPI report (see also ZPEN320I), the specified FACILITY sequence is displayed.

[x] The preferred facility order of choice:
0 - Not included in the FACILITY list
1 - First selection if available for use
2 - Second selection if available for use
3 - Third selection if available for use

[Facility Category]
Encryptdata      - Algorithms associated with symmetric data encryption.
HASH (Signature) - Algorithms associated with hashing. Uses include digital signature creation and authentication.
RandomData       - Algorithms associated with creating random data for encryption extensions (such as Cipher Block Chaining).

ZPEN340I /--------[Facility_Category] Matrix ([type_code]) --------/
A request was made to report on the available cryptographic facilities for the current operating environment. A separate report is listed for each category of cryptographic service. All associated algorithms are included in the report along with the resulting selection results.

[Facility_Category]

Encryptdata      - Algorithms associated with symmetric data encryption.
HASH (Signature) - Algorithms associated with hashing. Uses include digital signature creation and authentication.

ZPEN341I [alg_id]([algorithm_name]) Select ([code]) [Facility Category]
A request was made to report on the available cryptographic facilities for the current operating environment. A separate report line is listed for each algorithm to indicate which (if any) API is selected for use by PKWARE after dynamic evaluation. Each algorithm is validated against the requested FACILITY settings, licensing, and the facilities reported by ICSF.

[Facility Category] The final facility chosen is shown:
NONE FOUND   - No viable facility could be identified for use. This algorithm cannot be serviced with the current configuration.
IBM Hardware - The CryptoAPI identified in ZPEN321I (HW) will be used.
IBM Software - The CryptoAPI identified in ZPEN321I (SW) will be used.
SecureZIP    - The CryptoAPI identified in ZPEN321I (PKW) will be used.

ZPEN342I Status-IBMHW([APIstate]) IBMSW([APIstate]) PKW([APIstate])
A request was made to report on the available cryptographic facilities for the current operating environment. A separate report line is listed for each algorithm to indicate which (if any) API is available for use by SecureZIP after dynamic evaluation. Each algorithm is validated against the requested FACILITY settings, licensing, and the facilities reported by ICSF.

[APIstate] The state of each facility type is reported for the algorithm named in the preceding ZPEN341I message. State definitions are as follows:
-NotCap- The facility category is not capable of servicing this algorithm, and is therefore not available for use.
-NoAPI-  No API could be identified as being available for use in the current run-time environment.

-NoFacil- This facility was not listed in the associated FACILITY setting, and is not available for use.
-NoLic-   The product does not have the appropriate SecureZIP feature license code enabled to make use of this facility category.
-NotSup-  This algorithm is not supported under the current release of SecureZIP.
BSAFE     The BSAFE(r) CryptoC routines included with the SecureZIP product have been identified as viable for use.
ENC/DEC   For the system platform being executed on, the ICSF CSNBENC (encipher) and CSNBDEC (decipher) API calls were identified as viable for use.
SYE/SYD   For the system platform being executed on, the ICSF CSNBSYE (symmetric key encipher) and CSNBSYD (symmetric key decipher) API calls were identified as viable for use.
PKW       A PKWARE proprietary routine was identified as viable for use.
OWH       For the system platform being executed on, the ICSF CSNBOWH (One Way Hash) API call was identified as viable for use.

ZPEN383I Crypto Facilities HW SW SecureZIP
A request was made to produce a timing report for the supported cryptographic facilities in the current operating environment. A list of supported cryptographic algorithms follows, showing the timing test value for each API facility available to SecureZIP. A preceding header line indicates whether the report is for raw TCB CPU time or for a computed throughput rate in megabytes per CP second.

ZPEN384I [crypto_algorithm] [hw_API] [sw_API] [SecureZIP_API]
A request was made to produce a timing report for the supported cryptographic facilities in the current operating environment. A value is listed for each facility category, correlated with the facility API listed in ZPEN321I. An "*" following a timing value indicates that the corresponding API will be selected based on the facility preference list shown in ZPEN322I. A preceding header line indicates whether the report is for raw TCB CPU time or for a computed throughput rate in megabytes per CP second.

Note: The "96 Bit Encryption" algorithm will not have timings run. The SecureZIP (PKW) facility API is always selected for use when ENCRYPTION_METHOD(STANDARD) is specified. STANDARD is the legacy ZIP encryption method, not a modern cipher; where the data needs real protection, choose one of the AES methods, which are also the ones ICSF can accelerate.
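Reading a ZPEN306I State/Error pair by hand is error-prone, so here is an added Python helper (not part of PKWARE's product) that decodes such a line into the flag names listed above and reports whether ICSF is usable (active, with no error flag raised). The three sample lines are constructed from the State/Error examples in the text; bits outside the documented tables are reported rather than silently dropped.

```python
"""Decode the State/Error bytes reported by ZPEN306I.

Added example, not PKWARE code. The bit meanings are exactly the State Flags
and Error Flags listed in the ZPEN306I description on this page.
"""
import re

STATE_FLAGS = {
    0x80: "error detected (see Error Flags)",
    0x40: "ICSF is active",
    0x20: "ICSF level supports CSFIQF",
    0x10: "z/Architecture hardware present",
    0x08: "CPACF crypto assist present",
    0x04: "CSNBSYE/CSNBSYD API services available",
}
ERROR_FLAGS = {
    0x80: "CCVT never initialized by ICSF",
    0x40: "ICSF not up in an appropriate mode",
    0x20: "no hardware crypto devices available",
}

ZPEN306 = re.compile(
    r"ZPEN306I\s+State Error Found\s+<State=([0-9A-Fa-f]{2})/Error=([0-9A-Fa-f]{2})>")


def decode_flags(value, table):
    """Names of every documented bit set in value, plus any undocumented bits."""
    names = [desc for bit, desc in table.items() if value & bit]
    unknown = value & ~sum(table)          # bits not covered by the table
    if unknown:
        names.append(f"unknown bits x'{unknown:02X}'")
    return names


def decode_zpen306(line):
    """Parse one ZPEN306I message into state flags, error flags and a verdict."""
    m = ZPEN306.search(line)
    if not m:
        raise ValueError("not a ZPEN306I message: " + line)
    state, error = int(m.group(1), 16), int(m.group(2), 16)
    return {
        "state": decode_flags(state, STATE_FLAGS),
        "error": decode_flags(error, ERROR_FLAGS),
        # Usable only when ICSF reports active and no error bit is raised.
        "icsf_usable": bool(state & 0x40) and not (state & 0x80),
    }


# Constructed sample lines matching the three State/Error examples in the text.
SAMPLES = [
    "ZPEN306I State Error Found <State=80/Error=80>",
    "ZPEN306I State Error Found <State=B4/Error=40>",
    "ZPEN306I State Error Found <State=B4/Error=60>",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample)
        for key, value in decode_zpen306(sample).items():
            print(f"  {key}: {value}")
```

State=B4 decodes to error-detected, CSFIQF-capable, z/Architecture present and CSNBSYE available but not "ICSF is active", which is exactly why the text reads it as ICSF still starting (Error=40) or already shut down (Error=60, which adds "no hardware crypto devices").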


8 SMF Record Formats

SecureZIP only

The activation procedure for SMF recording is covered in chapter 2 in the section “Enable SMF Recording.” This chapter provides record format descriptions that can be used in auditing operational activities of SecureZIP.

The standard SMF record header for records with subtypes is used (ref. z/OS MVS System Management Facility, “Standard SMF Record Header”).

The SecureZIP product distribution library INSTLIB(PKSMFREC) contains assembler maps of each record type. Individual DSECT maps are referenced in the following formats; the following record subtypes may be written:

Subtype *  Description
1 (1)      Session Start     One per ZIP|UNZIP invocation
2 (2)      Session Settings  One per ZIP|UNZIP invocation (optional)
3 (3)      File Activity     One per file process completion (optional)
99 (63)    Session Summary   One per ZIP|UNZIP invocation

* Offsets and numerical references are shown in decimal and (hexadecimal) form.

The following format definitions map the various possible record sections.

Before each subtype record listing, commonly used record segments are shown.

A Common Header is used for all Subtypes. Each unique subtype description follows with offsets continuing from the end of the Common Header.

The general format is for each subtype to begin with a fixed length portion that includes control flags, to be followed by optional variable length data fields.

Variable length portions may be provided with either unformatted or declared formats. Layouts for special data areas such as Certificate List elements are also provided.


Table 2: SMF Record Format - Common Header

Offset Name Len Format Description

Mapped by PKSMFHDR DSECT

0 (0) PKSMFLEN 2 Binary Length, including data

2 (2) PKSMFSEG 2 Binary X'0000' - Records are non-spanned

4 (4) PKSMFFLG 1 Binary Flags
    X'40' Subtypes valid
    X'1E' MVS Level

5 (5) PKSMFREC 1 Binary SMF Record Type value

6 (6) PKSMFTIM 4 Binary Time

10 (A) PKSMFDAT 4 Packed Date (0CYYDDDF)

14 (E) PKSMFSID 4 Char SYSTEM IDENTIFICATION

18 (12) PKSMFSS 4 Binary SUBSYS ID (not set)

22 (16) PKSMFSTY 2 Binary RECORD SUB-TYPE value
    X'0001' - ZIP session start
    X'0002' - Session parms
    X'0003' - FILE process
    X'0099' - ZIP session summary

24 (18) REC_VERSION 2 Binary VERSION-ID (FORMAT dependent) value
    X'0001' for initial release

26 (1A) JOBNAME 8 Char JOBNAME, STCNAME OR TSU ID (see Note 1)

34 (22) JOBID 8 Char JES JOBID/STCID/TSUID

42 (2A) SESSIONID 16 Binary UNIQUE ZIP SESSION ID

58 (3A) FLAG1 1 Binary bits Flag1 - Common for all subtypes
    X'80' VARIABLE SECTION fields exist (Check RELCNT)
    X'40' Variable section is in SUBVAR_FIELD format
    X'01' Some records filtered (Subtype 99 only)

59 (3B) FLAG2 1 Binary bits FLAG # 2 (Subtype specific)
    -- Flags for subtype 1 - NONE --
    -- Flags for subtype 2 - NONE --
    -- Flags for subtype 3 File Process Control
        x'80' Add
        x'40' Freshen
        x'20' Copy
    -- Flags for subtype 99 - NONE --


60 (3C) FLAG3 1 Binary bits
    -- Flags for subtype 1 - NONE --
    -- Flags for subtype 2 - NONE --
    -- Flags for subtype 3 File Process Indicators
        X'40' Variable data for encrypt exists
        X'01' Digital Signature indicated
        X'02' Authenticate succeeded
        X'04' AUTHCHK attempt failed
    -- Flags for subtype 99 - NONE --

61 (3D) FLAG4 1 Binary RESERVED

62 (3E) RELOFF 2 Binary Offset to first relocate section from the beginning of the record header, represented as PKSMFxxxx_SXS. The total length of the relocate section is provided in the SXS field of the subtype map.

64 (40) RELCNT 2 Binary Count of the number of relocate sections. This field will be x'0000' if no variable data exists.

66 (42) Beginning of unique subtype fields

Note 1: The combination of JOBNAME/JOBID/SESSIONID is used to correlate all SMF records from a particular session together.

The Variable Section Elements are conditionally placed into the VARIABLE SECTION of a unique subtype. The precise location depends upon the length of information that precedes each variable entry. For that reason, offsets are provided relative to the current location in the record. The offset to the first entry of the relocate section is defined in the RELOFF field of the common header.


Table 3: SMF Record Format - Variable Relocate Section Element Map

Offset (from current position) Name Len Format Description

Mapped by PKSMF_VAR_ELEMENT DSECT

+0 (0) VAR_ID 2 Binary Unique field Identifier

+2 (2) VAR_FIELDFMT 1 Binary value. When FLAG1 SMF1_SUB_FORMAT is ON, this is formatted data in accordance with the VAR_FIELDFMT definition. A unique value will be present:
    X'01' Binary Undeclared binary
    X'02' Binary value
    X'03' Character
    X'04' Char_ASCII
    X'05' Certificate List

+3 (3) VAR_LEN 2 Binary Length of following data

+5 (5) VAR_INFO (FIELDFMT) Var When VAR_FIELDFMT is in effect, this is the beginning of the format-dependent data. It applies to Binary, Binary value, Character and Char_ASCII.

+5 (5) CERTLIST_COUNT 2 Binary Value. When VAR_FIELDFMT X'05' Certificate List is indicated, a numeric count of Certificate List Extension fields that follow is provided.

+7 (7) Certificate List Extension Fields Var See "Subtype 0002 Session Settings - Certificate List Extension"

The Certificate List Extension maps special field data relating to digital certificates within a VAR_FIELDFMT section of a Variable Section Element. One or more entries may exist as reflected in the CERTLIST_COUNT field.


Table 4: SMF Record Format - Certificate List Extension

Offset (from current position) Name Len Format Description

Mapped by PKSMF2VA DSECT

+0 (0) Use_code 1 Binary Certificate Usage Indicator
    x'.1' Used for Encryption
    x'.2' Used for File Signing
    x'.4' Used for Archive Signing
    x'.A' Used for AUTHCHK (Files)
    x'.C' Used for AUTHCHK (Archive)
    x'1.' Certificate Required Flag (may be used with others)

+1 (1) PrFlag1 1 Binary Processing Flag
    X'80' Found and processed By File
    X'40' Found and processed By LDAP
    X'20' Found and processed By SAF/RACF

+2 (2) PrFlag2 1 Binary Processing Flag
    X'01' Not Found in File System
    X'02' Not Found in LDAP System
    X'04' Cert Was Required but failed
    X'08' Cert Found but failed to open
    X'10' Cert Requires Password
    X'40' Not Found in SAF

+3 (3) PrFlag3 1 Binary Processing Flag
    X'01' Private key found in request
    X'02' SAF Error was encountered

+4 (4) LCERTSRC 2 Binary Length of the following field (non inclusive)

+6 (6) CERTSRC Var Char Certificate Source Reference


Table 5: SMF Record Format - Subtype 0001 Session Start

Offset Name Len Format Description

FIXED SECTION Continues from the end of the Common Header

66 (42) STEPNAME 8 Char STEPNAME from SCTSNAME

74 (4A) PROCSTEP 8 Char PROC STEPNAME from SCTSCLPC

82 (52) USERID 8 Char UserID from ASXBUSER

90 (5A) PRODUCTID 2 Char PKWARE Product Identifier
    "PK" PKZIP
    "SZ" SecureZIP
    "PL" PartnerLink

92 (5C) VERSION 8 Char Product version info

100 (64) LEVEL 8 Char Refresh/Build Level

108 (6C) CALLMODE 8 Char CALLMODE setting
    "BATCH"
    "ISPF"
    "API-B"
    "TSO"

116 (74) ACTION 1 Char Representation of basic ACTION request (See User's Guide)

VARIABLE SECTION See Variable Section Element Map for the layout of each field following the SXS

117 (7D) SXS 2 Binary Size of extended information segment (size of all sections that follow). Pointed to by RELOFF offset in the common header. Each variable segment is described as a 'triplet' with a field ID, a data type descriptor, a length, and variable information depending upon the section type. Field order is not implied.

dependent Field ID 2 Binary X'0001' - Input Archive. Written when an input archive is used for processing.
    Datatype 1 Binary X'03'
    Field Length 2 Binary Total length of this field including length and Field ID
    Char Input Archive File Name (MVS DSN or UNIX PATH)

dependent Field ID 2 Binary X'0002' - Output Archive. Written during ZIP processing when an output archive is used for processing.
    Datatype 1 Binary X'03'
    Field Length 2 Binary Total length of this field including length and Field ID
    Char Output Archive File Name (MVS DSN or UNIX PATH)

Table 6: SMF Record Format - Subtype 0002 Session Settings

Offset Name Len Format Description

FIXED SECTION Continues from the end of the Common Header

VARIABLE SECTION See Variable Section Element Map for the layout of each field following the SXS

66 (42) SXS 2 Binary Size of extended information segment (size of all sections that follow). Pointed to by RELOFF offset in the common header. Each variable length portion is described as a 'quartet' with a section type code, a sub-field format descriptor, a format-dependent variable length descriptor and the associated variable information. Field order is not implied. Trailing blanks for character fields may be removed.

dependent Field ID 201 2 Binary 201 - X'00C9' - ENCRYPTION_METHOD. Condition: ZIP with any encryption.
    Sub-Field Format 1 Binary X'03' Character
    Field Length 2 Binary Length of the following data
    Value Var Char ENCRYPTION_METHOD value

dependent Field ID 202 2 Binary 202 - X'00CA' - FILENAME_ENCRYPTION. Condition: ZIP with any encryption.


    Sub-Field Format 1 Binary X'03' Character
    Field Length 2 Binary Length of the following data
    Value Var Char FILENAME_ENCRYPTION value

dependent Field ID 203 2 Binary 203 - X'00CB' - KEY_PROTECT_LEVEL. Condition: ZIP with ENCRYPTION_METHOD other than "STANDARD".
    Sub-Field Format 1 Binary X'03' Character
    Field Length 2 Binary Length of the following data
    Value Var Char KEY_PROTECT_LEVEL value

dependent Field ID 204 2 Binary 204 - X'00CC' - SECURE_OPT_MSK3DES. Condition: ZIP with ENCRYPTION_METHOD other than "STANDARD".
    Sub-Field Format 1 Binary X'03' Character
    Field Length 2 Binary Length of the following data
    Value Var Char SECURE_OPT_MSK3DES value

dependent Field ID 205 2 Binary 205 - X'00CD' - CKDS Passphrase Key Request. Condition: ZIP or UNZIP with a CKDS based Key Label reference.
    Sub-Field Format 1 Binary X'03' Character
    Field Length 2 Binary Length of the following data
    Value Var Char PASSWORD CKDS_xxx reference

dependent Field ID 206 2 Binary 206 - X'00CE' - Digital Signature Request list. Condition: ZIP with SIGN_ARCHIVES or SIGN_FILES.
    Sub-Field Format 1 Binary X'05' Certificate list; count; var-list
    Field Length 2 Binary Length of the following data
    CertCount 2 Binary Unsigned count of cert-list extension fields that follow
    List Extensions Var Cert-list A list of certificate request descriptors as mapped by the Certificate List Extension


dependent Field ID 207 2 Binary 207 - X'00CF' - Signature Authentication Request list. Condition: ZIP or UNZIP with AUTHCHK for Files or Archive with specific AUTHCHK certificates.
    Sub-Field Format 1 Binary X'05' Certificate list; count; var-list
    Field Length 2 Binary Length of the following data
    CertCount 2 Binary Unsigned count of cert-list extension fields that follow
    List Extensions Var Cert-list A list of certificate request descriptors as mapped by the Certificate List Extension

dependent Field ID 208 2 Binary 208 - X'00D0' - Recipient Certificate Request list. Condition: ZIP or UNZIP with RECIPIENT certificate requests.
    Sub-Field Format 1 Binary X'05' Certificate list; count; var-list
    Field Length 2 Binary Length of the following data
    CertCount 2 Binary Unsigned count of cert-list extension fields that follow
    List Extensions Var Cert-list A list of certificate request descriptors as mapped by the Certificate List Extension

dependent Field ID 209 2 Binary 209 - X'00D1' - FACILITY_ENCRYPTDATA. Condition: ZIP or UNZIP (conditional use in run).
    Sub-Field Format 1 Binary X'03' Character
    Field Length 2 Binary Length of the following data
    Value Var Char FACILITY_ENCRYPTDATA value

dependent Field ID 210 2 Binary 210 - X'00D2' - FACILITY_HASH. Condition: ZIP or UNZIP (conditional use in run).
    Sub-Field Format 1 Binary X'03' Character
    Field Length 2 Binary Length of the following data
    Value Var Char FACILITY_HASH value

dependent Field ID 211 2 Binary 211 - X'00D3' - FACILITY_RANDOM. Condition: ZIP or UNZIP (conditional use in run).
    Sub-Field Format 1 Binary X'03' Character
    Field Length 2 Binary Length of the following data
    Value Var Char FACILITY_RANDOM value


dependent Field ID 212 2 Binary 212 - X'00D4' - LDAP_ENCRYPT_CERT_SELECT. Condition: ZIP with RECIPIENT LDAP: requests.
    Sub-Field Format 1 Binary X'03' Character
    Field Length 2 Binary Length of the following data
    Value Var Char LDAP_ENCRYPT_CERT_SELECT value

dependent Field ID 213 2 Binary 213 - X'00D5' - FIPSMODE. Condition: ZIP or UNZIP (conditional use in run).
    Sub-Field Format 1 Binary X'03' Character
    Field Length 2 Binary Length of the following data
    Value Var Char FIPSMODE value

dependent Field ID 214 2 Binary 214 - X'00D6' - HFS_SAF_CHECK. Condition: ZIP or UNZIP (conditional use in run).
    Sub-Field Format 1 Binary X'03' Character
    Field Length 2 Binary Length of the following data
    Value Var Char HFS_SAF_CHECK value

dependent Field ID 215 2 Binary 215 - X'00D7' - ARCHIVE_PATHMODE. Condition: ZIP using UNIX filesystem archive (conditional use in run).
    Sub-Field Format 1 Binary X'03' Character
    Field Length 2 Binary Length of the following data
    Value Var Char ARCHIVE_PATHMODE value

dependent Field ID 216 2 Binary 216 - X'00D8' - OUTFILE_PATHMODE. Condition: UNZIP using UNIX filesystem output file (conditional use in run).
    Sub-Field Format 1 Binary X'03' Character
    Field Length 2 Binary Length of the following data
    Value Var Char OUTFILE_PATHMODE value

dependent Field ID 217 2 Binary 217 - X'00D9' - SVC. Condition: ZIP & UNZIP.


    Sub-Field Format 1 Binary X'03' Character
    Field Length 2 Binary Length of the following data
    Value Var Char SVC value

dependent Field ID 218 2 Binary 218 - X'00DA' - SMF_SUBTYPES. Condition: ZIP & UNZIP.
    Sub-Field Format 1 Binary X'03' Character
    Field Length 2 Binary Length of the following data
    Value Var Char SMF_SUBTYPES value

dependent Field ID 219 2 Binary 219 - X'00DB' - Certificate Services Policy Buffer. Condition: ZIP & UNZIP.
    Sub-Field Format 1 Binary X'03' Character
    Field Length 2 Binary Length of the following data
    Value Var Char A buffer containing process settings such as:
        {VALENCRYPT...}
        {VALSIGN...}
        {AUTHENTICATE...}
        {CSPUB...}
        {SAFSET...}

Table 7: SMF Record Format – Subtype 0003 Files

Offset Name Len Format Description

FIXED SECTION Continues from the end of the Common Header

66 (42) FILEIDENT 8 Binary Unique File Identifier (within Archive)

74 (4A) GPBIT_FLAGS 2 Binary ZIP File format General Purpose Bit Flags (Note 2)

76 (4C) IFILE 2 Binary IFILE Attributes (Note 2)
    X'x1xx' - File marked as TEXT
    X'x2xx' - Records have ZDW prefix

78 (4E) PROCESS_RC 4 Binary Processing return code for this file


82 (52) File Type 4 Char General z/OS File Type
    'JES ' JES
    'PO ' Partitioned Organization
    'PO-E' PDSE
    'PS ' Physical Sequential
    'UNIX' UNIX (HFS, zFS...)
    'VS ' VSAM

86 (56) Compress Method 2 Binary ZIP Compression Method used (Note 2)

VARIABLE SECTION See Variable Section Element Map for the layout of each field following the SXS

88 (58) SXS 2 Binary Size of extended information segment (size of all sections that follow). Pointed to by RELOFF offset in the common header. Each variable segment is described as a 'triplet' with a field ID, a data type descriptor, a length, and variable information depending upon the section type. Field order is not implied.

dependent Field ID 301 2 Binary 301 - X'012D' - ZOSFILENAME
    Sub-Field Format 1 Binary X'03' Character
    Field Length 2 Binary Length of the following data
    Var Char Local system file name (MVS DSN or UNIX PATH)

dependent Field ID 302 2 Binary 302 - X'012E' - ZIPFILENAME
    Sub-Field Format 1 Binary X'03' Character
    Field Length 2 Binary Length of the following data
    Var Char Filename representation from ZIP Archive (translated to EBCDIC)

dependent Field ID 303 2 Binary 303 - X'012F' - Data Encryption Information. Comprised of three 2-byte fields that follow.
    Sub-Field Format 1 Binary X'03' Character
    Field Length 2 Binary Length of the data fields that follow (total)


    2 Binary Encryption Algorithm Identifier
        '0166' DES
        '0168' RC4
        '0366' 3DES
        '0966' 3DES(112)
        '0E66' AES128
        '0F66' AES192
        '1066' AES256
        '1166' AES - GENERIC (Ref Key Length)
    2 Binary Key Length (Little Endian - #bits) (Note 2)
    2 Binary Encryption Control Flags
        '.1..' Passphrase used
        '.2..' Digital Certificate(s) used
        '.3..' COMBO Passphrase/Certificate

Note 2 - Annotated fields represent data in the format consistent with the ZIP File Format Specification "Appnote", which can be obtained by request from PKWARE, Inc.

Table 8: SMF Record Format – Subtype 0099 (0063) End Session

Offset Name Len Format Description

FIXED SECTION Continues from the end of the Common Header

66 (42) MAX_RC 4 Binary Final Session Return Code (Condition Code)

70 (46) #ADDED 4 Binary Count of files processed for the ACTION indicated in subtype 1. (Ref. message ZPAM140I)
    Applies to ADD and UPDATE

74 (4A) #FRESHENED 4 Binary File Count
    Applies to FRESHEN

78 (4E) RESERVED 4 Binary RESERVED

82 (52) #COPIED 4 Binary File Count
    Applies to ADD, FRESHEN, UPDATE, COPY, DELETE

86 (56) #DELETED 4 Binary File Count
    Applies to DELETE

90 (5A) #EXTRACTED 4 Binary File Count
    Applies to EXTRACT


94 (5E) #TESTED 4 Binary File Count
    Applies to TEST

98 (62) #VIEWED 4 Binary File Count
    Applies to VIEW*

102 (66) #SKIPPED 4 Binary Count of files skipped (typically based on -EXCLUDE processing)

106 (6A) #BYPASSED 4 Binary Count of files bypassed (Ref. message ZPAM140I)

110 (6E) #ERROR 4 Binary Count of files in error (Ref. message ZPAM140I)

114 (72) FLAG1 1 Binary
    X'80' - Input archive directory signature detected
    X'40' - Input archive directory File Name Encryption was detected
    X'08' - Output Archive directory signature was created

115 (73) FLAG2 1 RESERVED

116 (74) FLAG3 1 RESERVED

117 (75) FLAG4 1 RESERVED

118 (76) RESERVED 4 RESERVED

122 (7A) RESERVED 4 RESERVED

126 (80) VARIABLE SECTION RESERVED

126 (80) SXS 2 Binary Size of extended information segment (size of all sections that follow). Pointed to by RELOFF offset in the common header. Each variable segment is described as a 'triplet' with a field ID, a data type descriptor, a length, and variable information depending upon the section type. Field order is not implied.
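The record layouts above, worked through as a decoder. This is an added example, not PKWARE's code: it parses the Common Header, walks the Variable Section Element Map (including a Certificate List Extension carried in field 206) and decodes the Subtype 0003 fixed section together with field 303, over two constructed records. It assumes big-endian binary fields apart from the little-endian key length, EBCDIC code page 037 for Char data, VAR_LEN covering only the data that follows it, and a placeholder SMF record type of 200.

```python
"""Decode PKZIP/SecureZIP for z/OS SMF records as mapped above (Common Header, Variable
Section Element Map, Certificate List Extension, Subtype 0003).  Added example, not
PKWARE code.  Assumptions: multi-byte binary fields are big-endian (z/OS) except the
field-303 key length, which the guide marks little-endian; Char is EBCDIC code page 037
and Char_ASCII is ASCII; VAR_LEN counts only the data that follows it."""
import struct

FMT_BINVAL, FMT_CHAR, FMT_ASCII, FMT_CERTLIST = 2, 3, 4, 5
ENC_ALG = {"0166": "DES", "0168": "RC4", "0366": "3DES", "0966": "3DES(112)",   # field 303 ids
           "0E66": "AES128", "0F66": "AES192", "1066": "AES256", "1166": "AES-GENERIC"}
ENC_KEYSRC = {1: "passphrase", 2: "certificate", 3: "combo"}       # field 303 control flags
CERT_USE = {1: "encryption", 2: "file signing", 4: "archive signing",
            0xA: "AUTHCHK files", 0xC: "AUTHCHK archive"}          # Use_code low nibble
FILE_ACTION = {0x80: "Add", 0x40: "Freshen", 0x20: "Copy"}        # subtype 3 FLAG2


def ebcdic(b):
    return b.decode("cp037").rstrip()


def parse_common_header(rec):
    """Common Header, offsets 0..65 (Table 2)."""
    if len(rec) < 66 or struct.unpack(">H", rec[:2])[0] != len(rec):
        raise ValueError("PKSMFLEN does not match the record length")
    d = rec[10:14].hex()                                   # packed 0CYYDDDF
    reloff, relcnt = struct.unpack(">HH", rec[62:66])
    return {"subtype": struct.unpack(">H", rec[22:24])[0],
            "date": (1900 + 100 * int(d[1]) + int(d[2:4]), int(d[4:7])),  # (year, day)
            "sysid": ebcdic(rec[14:18]),
            "session": (ebcdic(rec[26:34]), ebcdic(rec[34:42]), rec[42:58].hex()),  # Note 1
            "flag1": rec[58], "flag2": rec[59], "flag3": rec[60], "reloff": reloff, "relcnt": relcnt}


def parse_cert_list(data):
    """CERTLIST_COUNT followed by Certificate List Extension entries (Table 4)."""
    count, pos, entries = struct.unpack(">H", data[:2])[0], 2, []
    for _ in range(count):
        use, pf1, pf2, pf3, lsrc = struct.unpack(">BBBBH", data[pos:pos + 6])
        entries.append({"use": CERT_USE.get(use & 0x0F, "unknown"), "required": bool(use & 0x10),
                        "found_by": [n for b, n in ((0x80, "file"), (0x40, "LDAP"),
                                                    (0x20, "SAF")) if pf1 & b],
                        "failed": bool(pf2 & 0x0C), "saf_error": bool(pf3 & 0x02),  # PrFlag2/3
                        "source": ebcdic(data[pos + 6:pos + 6 + lsrc])})
        pos += 6 + lsrc
    return entries


def decode_encryption_info(data):
    """Field 303: algorithm id (as stored), key bits (little-endian), key-source flags."""
    alg = data[0:2].hex().upper()
    return {"algorithm": ENC_ALG.get(alg, alg), "key_bits": struct.unpack("<H", data[2:4])[0],
            "key_source": ENC_KEYSRC.get(data[4] & 0x0F, "unknown")}


DECODERS = {FMT_CHAR: ebcdic, FMT_ASCII: lambda d: d.decode("ascii").rstrip(),
            FMT_BINVAL: lambda d: int.from_bytes(d, "big"), FMT_CERTLIST: parse_cert_list}


def parse_variable_section(rec, hdr):
    """Walk the RELCNT triplets that follow SXS; FLAG1 X'80' says whether any exist."""
    if not hdr["flag1"] & 0x80:
        return {}
    fields, pos = {}, hdr["reloff"] + 2
    end = pos + struct.unpack(">H", rec[pos - 2:pos])[0]    # SXS bounds the section
    for _ in range(hdr["relcnt"]):
        vid, fmt, vlen = struct.unpack(">HBH", rec[pos:pos + 5])
        data, pos = rec[pos + 5:pos + 5 + vlen], pos + 5 + vlen
        if pos > end:
            raise ValueError("field %d overruns SXS" % vid)
        if vid == 303:          # declared Character, but carries three binary fields
            fields[vid] = decode_encryption_info(data)
        else:                   # X'01' undeclared binary falls through to hex
            fields[vid] = DECODERS.get(fmt, bytes.hex)(data)
    return fields


def parse_subtype3(rec):
    """Subtype 0003 fixed section (offsets 66..87) plus its variable fields."""
    hdr = parse_common_header(rec)
    if hdr["subtype"] != 3:
        raise ValueError("not a file-activity record")
    fixed = {"file_ident": rec[66:74].hex(), "process_rc": struct.unpack(">i", rec[78:82])[0],
             "file_type": ebcdic(rec[82:86]), "compress_method": struct.unpack(">H", rec[86:88])[0],
             "action": FILE_ACTION.get(hdr["flag2"] & 0xE0, "unknown"),
             "signed": bool(hdr["flag3"] & 0x01), "auth_ok": bool(hdr["flag3"] & 0x02),
             "auth_failed": bool(hdr["flag3"] & 0x04)}
    return hdr, fixed, parse_variable_section(rec, hdr)


def build_record(subtype, fixed, elements, flag2=0, flag3=0):
    """Test fixture builder; SMF type 200, SYS1 and the job names are placeholders."""
    var = b"".join(struct.pack(">HBH", v, f, len(d)) + d for v, f, d in elements)
    hdr = struct.pack(">HHBBI", 0, 0, 0x40, 200, 4320000) + bytes.fromhex("0109123F")
    hdr += "SYS1".encode("cp037") + bytes(4) + struct.pack(">HH", subtype, 1)
    hdr += "ZIPJOB  JOB01234".encode("cp037") + bytes(range(16))
    hdr += bytes([0xC0 if elements else 0, flag2, flag3, 0])
    hdr += struct.pack(">HH", 66 + len(fixed), len(elements))
    rec = hdr + fixed + struct.pack(">H", len(var)) + var
    return struct.pack(">H", len(rec)) + rec[2:]


def sample_records():
    """Constructed records: subtype 2 with a cert list, subtype 3 with fields 301 and 303."""
    src = "SAF:USER01,MYCERT".encode("cp037")
    certs = struct.pack(">H", 1) + bytes([0x12, 0x20, 0, 0x01]) + struct.pack(">H", len(src)) + src
    fixed3 = bytes(8) + struct.pack(">HHi", 1, 0x0100, 0) + "PS  ".encode("cp037") + b"\x00\x08"
    enc = bytes.fromhex("0E66") + struct.pack("<H", 128) + bytes.fromhex("0200")
    return {"settings": build_record(2, b"", [(206, FMT_CERTLIST, certs)]),
            "file": build_record(3, fixed3, [(301, FMT_CHAR, "PROD.PAYROLL.DATA".encode("cp037")),
                                             (303, FMT_CHAR, enc)], flag2=0x80, flag3=0x41)}
```

Real records are read from the SMF dump dataset as raw bytes; the (JOBNAME, JOBID, SESSIONID) tuple is the key that joins a session's start, settings, file and summary records.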


Glossary

This glossary provides definitions for items that may have been referenced in the SecureZIP documentation. It is not meant to be exhaustive. There are excellent sources of documentation for computing terms on the Internet. For example:

IBM’s Terminology Web Site

http://www.networking.ibm.com/nsg/nsgmain.htm

Absolute Path Name

A string of characters that is used to refer to an object, starting at the highest level (or root) of the directory hierarchy. The absolute path name must begin with a slash (/), which indicates that the path begins at the root. This is in contrast to a Relative Path Name.

Access Method

A technique that is used to read a record from, or to write a record into, a file. Usually either sequential (SAM, Sequential Access Method, where records are processed one after another in the order in which they appear in the file) or random (the individual records can be processed in any order), such as VSAM.

AES

The Advanced Encryption Standard is the official US Government encryption standard for customer data.

Alternate Index

An index of a file based on a key different from the base. It allows the file to be processed in a secondary key order.

American Standard Code for Information Interchange (ASCII)

The ASCII code (American Standard Code for Information Interchange) was developed by the American National Standards Institute for information exchange among data processing systems, data communications systems, and associated equipment, and is the standard character set used on Windows and many UNIX-based operating systems. In a ZIP archive, ASCII is used as the normal character set for compressed text files. The ASCII character set consists of 7-bit control characters and symbolic characters, plus a single parity bit. Since ASCII is used by most microcomputers and printers, text-only files can be transferred easily between different kinds of computers and operating systems. While ASCII code does include characters to indicate backspace, carriage return, etc., it does not include accents and special letters that are not used in English. To accommodate those special characters, Extended ASCII has additional characters (128-255). Only the first 128 characters in the ASCII character set are standard on all systems. Others may be different for a given language set. It may be necessary to create different translation tables (see Translation Table) to provide standard translation between ASCII and other character sets.

American National Standards Institute (ANSI)

An organization sponsored by the Computer and Business Equipment Manufacturers Association for establishing voluntary industry standards.

Application Programming Interface (API)

An interface to the operating system (or a system-related program) that allows an application program written in a high-level language to use specific data or services of the operating system or the program. The API also allows you to develop an application program written in a high-level language to access SECZIP data and/or functions of the SECZIP system.

Application System/400 (iSeries)

A family of general purpose computing systems from IBM which run Operating System/400 (OS/400).

Archive

(1) The act of transferring files from the computer into a long-term storage medium. Archived files are often compressed to save space.

(2) An individual file or group of files which must be extracted and decompressed in order to be used.

(3) A file stored on a computer network, which can be retrieved by a file transfer program (FTP) or other means.

(4) The SECZIP file that holds the compressed/zipped data file.

Batch Job

A unit of work defining one or more execution steps submitted to the Job Entry Subsystem (JES) with a JOB statement.

Big ENDIAN

A binary (hexadecimal) representation of numeric data in which the most significant byte is on the left. In the context of bit flags, the most significant bit is on the left.

Binary File

A file that is to be handled in its native form without text translation.


Block

(1) A group of records that are recorded or processed as a unit.

(2) A set of adjacent records stored as a unit on a disk, diskette, or magnetic tape.

Cipher Block Chain (CBC)

Cipher Block Chaining refers to a method of encryption of blocks of data that involves an initialization vector that is put together with the first block of data and the encryption key. This method of encryption makes sure that each block of data thereafter is uniquely modified, further protecting the data from fraudulent access.

Code Page

A specification of code points for each graphic character set or for a collection of graphic character sets. Within a given code page, a code point can have only one specific meaning. A code page is also sometimes known as a code set.

Command Line Interface

An operating environment interface where a textual command and its associated parameters may be entered.

Configuration File

(1) A file that specifies the way a program functions.

(2) In SECZIP, the file that contains the default values needed for the system to run. These can usually be respecified to meet local user requirements.

Contingency Key

An ordinary cryptographic key from a digital certificate that is designated as a master recipient for use, in addition to any other recipients, whenever SecureZIP does strong encryption. Including a master recipient contingency key in a list of recipients ensures that the organization that owns the key can decrypt the encrypted files.

CP Assist for Cryptographic Functions (CPACF)

A set of cryptographic instructions available on all central processors. These are available in varying degrees on zSeries z/890, z/990, and System z9 platforms.

Cryptographic Coprocessor Feature (CCF)

A method of protecting data. Cryptographic services include data encryption and message authentication. These are available on systems supporting the G5/G6 chipsets, including MP2000, MP3000, 9672, as well as z-architecture systems z800 and z900.

Cryptography

(1) A method of protecting data. Cryptographic services include data encryption and message authentication.

(2) In cryptographic software, the transformation of data to conceal its meaning; secret code.

(3) The transformation of data to conceal its information content, to prevent its undetected modification, or to prevent its unauthorized use.

Cyclic Redundancy Check (CRC)

A Cyclic Redundancy Check is a number derived from a block of data, and stored or transmitted with the data in order to detect any errors in transmission. This can also be used to check the contents of a ZIP archive. It is similar in nature to a checksum. A CRC may be calculated by adding words or bytes of the data. Once the data arrives at the receiving computer, a calculation and comparison is made to the value originally transmitted. If the calculated values are different, a transmission error is indicated. The CRC information is called redundant because it adds no significant information to the transmission or archive itself. It is only used to check that the contents of a ZIP archive are correct. When a file is compressed, the CRC is calculated from the contents using a standard algorithm. The resulting value (32 bits in length) is the CRC that is stored with that compressed file. When the file is decompressed, the CRC is recalculated (again, based upon the extracted contents) and compared to the original CRC. Error results will be generated showing any file corruption that may have occurred.

Data Compression

The reduction in size (or space taken) of data volume on the media when performing a save or store operation.

Data Integrity

(1) The condition that exists as long as accidental or intentional destruction, alteration, or loss of data does not occur.

(2) Within the scope of a unit of work, either all changes to the database management systems are completed or none of them are. The set of change operations are considered an integral set.

Delimiter

A character or sequence of characters that marks the beginning or end of a unit of data. This is commonly used in non-record data streams in workstation and UNIX-based systems.

Double-byte Character Set (DBCS)

A set of characters in which each character is represented by 2 bytes. Languages such as Japanese, Chinese, and Korean, which contain more symbols than can be represented by 256 code points, require double-byte character sets. Because each character requires 2 bytes, the typing, displaying, and printing of DBCS characters requires hardware and programs that support DBCS. Four double-byte character sets are supported by the system: Japanese, Korean, Simplified Chinese, and Traditional Chinese. See also the Single-Byte Character Set (SBCS).

Dump

In problem analysis and resolution, to write, at a particular instant, all or part of the contents of main or auxiliary storage onto another data medium (such as tape, printer, or spool) for the purpose of protecting the data or collecting error information.

Dynamic Allocation (DYNALLOC)

Dynamic Allocation (DYNALLOC) is a facility utilizing the SVC99 function which allows a program to directly access a dataset without the need for corresponding JCL statements.

Encryption

The transformation of data into an unintelligible form so that the original data either cannot be obtained or can be obtained only by decryption.

Enqueue

The Enqueue macro (ENQ) is used to restrict access to a resource, so that only the appropriate number of users with the appropriate mode gain access to the resource at one time. It is commonly used to "lock" a resource so that modifications from multiple sources do not cancel each other out.

Extended Attribute

Information attached to an object that provides a detailed description about the object to an application system or user.

Extended Binary Coded Decimal Interchange Code (EBCDIC)

The Extended Binary Coded Decimal Interchange Code is a coded character set of 256 8-bit characters. EBCDIC is similar in nature to ASCII code, which is used on many other computers. When ZIP programs compress a text file, they translate data from EBCDIC to ASCII characters within a ZIP archive using a translation table.

FIPS

Federal Information Processing Standards define information processing standards for use within government agencies. Information regarding specific standards definitions is available online from the Computer Security Resource Center at csrc.nist.gov using the keyword "FIPS".

Fixed-Length

A dataset or data definition characteristic in which all of the records are the same length. See also Variable Length.


GDG

Generation Data Groups.

GNU

A recursive acronym for the name of the Free Software Foundation's freely distributable replacement for UNIX.

Greenwich Mean Time (GMT)

A synonym for Universal Time Coordinated (UTC) which is the mean solar time of the meridian of Greenwich, England, and is the prime basis of standard time throughout the world.

GZIP

GZIP (also known as GNU zip) is a compression utility designed to use a different standard for handling compressed file data in an Archive.

ICF

Integrated Catalog Facility.

IDCAMS

The utility program used by IBM’s Access Method Services to create and manage VSAM datasets.

Installation Verification Procedure (IVP)

A sample application, script, or jobstream provided to verify successful installation of a product (may be either software or hardware).

iSeries

AS400 Operating environments.

JCL

Job Control Language is a command language for mainframes and minicomputers, used for launching applications.

Job Entry Subsystem (JES)

An IBM licensed program that receives jobs into the system and processes all output data produced by the jobs. Commonly known as JES2 or JES3.

Julian Date

A date format that contains the year in positions 1 and 2, and the day in positions 3 through 5. The day is represented as 1 through 366, right-adjusted, with zeros in the unused high-order positions. For example, the Julian date for April 6, 1987 is 87096.

Kanji

Characters originating from the Chinese characters used in the Japanese written language.

Keyed Sequence

An order in which records are retrieved based on the contents of key fields in records. For example, a bank name and address file might be in order and keyed by the account number.

Keyword

(1) A mnemonic (abbreviation) that identifies a parameter in a command.

(2) A user-defined word used as one of the search values to identify a document during a search operation.

(3) In COBOL, a reserved word that is required by the syntax of a COBOL statement or entry.

(4) In DDS, a name that identifies a function.

(5) In REXX, a symbol reserved for use by the language processor in a certain context. Keywords include the names of the instructions and ELSE, END, OTHERWISE, THEN, and WHEN.

(6) In query management, one of the predefined words associated with a query command.

(7) A name that identifies a parameter used in an SQL statement. Also see parameter.

LBI (Large Block Interface)

The set of BSAM, BPAM, and QSAM interfaces that deal with block sizes in 4-byte fields instead of 2-byte fields. This mode of operation is device and system-dependent.

Lempel-Ziv (LZ)

A technique for compressing data. This technique replaces some character strings, which occur repeatedly within the data, with codes. The encoded character strings are then kept in a common dictionary, which is created as the data is being sent.

Library Lookaside

An operating system facility intended to improve the performance of module fetching through the LLA started task. Related terms include LNKLST, Link List.

Linkage Editor

A system-related program that resolves cross-references between separately compiled object modules and then assigns final storage addresses to create a single load module.

Little ENDIAN

A binary (hexadecimal) representation of numeric data in which the least significant byte is on the left. In the context of bit flags, the least significant bit is on the left.

MVS

Multiple Virtual Storage is the generic name for the portion of the z/OS operating system that runs non-UNIX System Services workloads such as batch and TSO/E. It is in this environment that SecureZIP executes.

New ZIP Archive

A New ZIP archive is the archive created by a compression program when either an old ZIP archive is updated or when files are compressed and no ZIP archive currently exists. It may be thought of as the “receiving” archive. Also see Old ZIP Archive.

NIST

National Institute of Standards and Technology is a part of the U.S. Department of Commerce, formerly called the National Bureau of Standards, that defines standards for voice, data, and video transmissions, encryption, and other kinds of technology.

Null Value

A parameter which has no value assigned.

Old ZIP Archive

An Old ZIP archive is an existing archive which is opened by a compression program to be updated or for its contents to be extracted. It may be thought of as the “sending” archive. Also see New ZIP Archive.

Packed Decimal Format

A decimal value in which each byte within a field represents two numeric digits, except the rightmost byte, which contains one digit in bits 0 through 3 and the sign in bits 4 through 7. For all other bytes, bits 0 through 3 represent one digit and bits 4 through 7 represent one digit. For example, the decimal value +123 is represented as 0001 0010 0011 1111 (or 123F in hexadecimal).
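The layout above as a working encoder and decoder, added here as an example and not taken from the PKZIP/SecureZIP product. The sign-nibble conventions it assumes are the IBM hardware rules (0xC preferred positive, 0xD negative, 0xF unsigned/positive as in the 123F example, 0xA/0xE and 0xB as accepted alternates); the field width and the sample values are constructed for the example.

```python
# Packed decimal (BCD, COBOL COMP-3) encoder and decoder.
# Added example; not code from the PKZIP/SecureZIP product.
# Sign nibble conventions assumed here follow the IBM hardware rules:
# 0xC positive (preferred), 0xD negative, 0xF unsigned/positive
# (the form used in the glossary's "123F" example), 0xA/0xE positive
# and 0xB negative as accepted alternates.

POSITIVE_SIGNS = {0xA, 0xC, 0xE, 0xF}
NEGATIVE_SIGNS = {0xB, 0xD}


def pack_decimal(value: int, nbytes: int, positive_sign: int = 0xF) -> bytes:
    """Encode an integer into a packed decimal field of exactly nbytes bytes.

    Every byte holds two digits (high nibble, low nibble) except the
    rightmost, whose high nibble is the last digit and whose low nibble is
    the sign. A field of nbytes bytes therefore holds 2*nbytes-1 digits.
    """
    if nbytes < 1:
        raise ValueError("field must be at least one byte")
    if positive_sign not in POSITIVE_SIGNS:
        raise ValueError("invalid positive sign nibble")
    max_digits = 2 * nbytes - 1
    digits = str(abs(value))
    if len(digits) > max_digits:
        raise OverflowError(f"{value} does not fit in {max_digits} digits")
    digits = digits.rjust(max_digits, "0")          # zero-fill high-order positions
    sign = 0xD if value < 0 else positive_sign
    nibbles = [int(d) for d in digits] + [sign]
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, len(nibbles), 2))


def unpack_decimal(field: bytes) -> int:
    """Decode a packed decimal field, validating every nibble first.

    On z/OS, arithmetic on a field with a non-digit nibble or an invalid
    sign raises a data exception (abend S0C7); a record from an untrusted
    source should be validated like this before it is used, not after it abends.
    """
    if not field:
        raise ValueError("empty packed decimal field")
    nibbles = []
    for b in field:
        nibbles.append(b >> 4)
        nibbles.append(b & 0x0F)
    *digits, sign = nibbles
    if any(d > 9 for d in digits):
        raise ValueError("non-digit nibble in packed decimal field")
    if sign in NEGATIVE_SIGNS:
        negative = True
    elif sign in POSITIVE_SIGNS:
        negative = False
    else:
        raise ValueError(f"invalid sign nibble 0x{sign:X}")
    magnitude = int("".join(str(d) for d in digits))
    return -magnitude if negative else magnitude


if __name__ == "__main__":
    # The glossary's example: +123 in a two-byte field is X'123F'.
    print(pack_decimal(123, 2).hex().upper())     # 123F
    print(unpack_decimal(bytes.fromhex("123F")))  # 123
    print(pack_decimal(-45, 3).hex().upper())     # 00045D
```

The decoder rejects a bad digit or sign nibble rather than passing it on; on the mainframe the same bytes would abend the program (S0C7) at the first arithmetic instruction, which is the usual symptom of a binary field that was run through a character translation table.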

Parameter

(1) A value supplied to a command or program that is used either as input or to control the actions of the command or program.

(2) In COBOL, a variable or a constant that is used to pass values between calling and called programs.

(3) In the Integrated Language Environment (ILE), an identifier that defines the types of arguments that are passed to a called procedure.

(4) In REXX, information entered with a command name to define the data on which a command processor operates and to control the execution of the command.

(5) In DB2 UDB for iSeries SQL, the keywords and values that further define SQL precompiler commands and SQL statements. Also see keyword.

Parameter List

A list of values in a calling program that corresponds exactly to a list in a called program for the purposes of providing addressability and data exchange. It contains parameter names and the order in which they are to be associated in the calling and called program.

Partitioned Dataset

A Partitioned Dataset (PDS) is a dataset in direct access storage that is divided into partitions (which are called members), each of which can contain a program, part of a program, JCL, parameters, or other forms of data. When a compression program is compressing a PDS, each member is treated as a separate file within the resultant ZIP archive. When an archive is decompressed to a PDS, each file within the archive creates a separate member within the PDS.

Path Name

(1) A string of characters used to refer to an object. The string can consist of one or more elements, each separated by a slash (/), and may begin with a slash. Each element is typically a directory or equivalent, except for the last element, which can be a directory or another object (such as a file).

(2) A sequence of directory names followed by a file name, each separated by a slash.

Programming Language/I (PL/I)

A programming language designed for use in a wide range of commercial and scientific computer applications.

Program Temporary Fix (PTF)

A temporary solution to (or a bypass of) a problem that is necessary to provide a complete solution to correct a defect in a current unaltered release of a program. May also be used to provide an enhancement to a product before a new release of the product is available. Generally, PTFs are incorporated in a future release of the product.

RDW

Record Descriptor Word.

Record

A group of related data, words, or fields treated as a single unit, such as a name, address, and social security number.

Record Format

A document or display that names each part of a file and provides specific information for each field such as length and type of information contained within the field.

Relative Path Name

A string of characters that is used to refer to an object, starting at some point in the directory hierarchy other than the root. A relative path name does not begin with a slash (/). The starting point is frequently a user's current directory. This is in contrast to an absolute path name and path name.

Return Code

A value returned by operating system software to a program to indicate the result of an operation performed by that program. The value may also be generated by the program and passed back to the operator.

Rijndael

The combined name of the two researchers who developed the Advanced Encryption Standard (AES) for the US Government (Dr. Joan Daemen and Dr. Vincent Rijmen).

Sequential Dataset

A sequential dataset holds a single file of records which are organized on the basis of their successive physical positions, such as on magnetic tape.

Single-Byte Character Set (SBCS)

A coded character set in which each character is represented by a one-byte code point. A one-byte code point allows representation of up to 256 characters. Languages that are based on an alphabet, such as the Latin alphabet (as contrasted with languages that are based on ideographic characters) are usually represented by a single-byte coded character set. For example, the Spanish language can be represented by a single-byte coded character set. Also see the Double-Byte Character Set (DBCS).

Spanned Record

A logical record that is stored across more than one block. This is commonly used to get around the system limit on the maximum size of a block. With spanned records, one record spans two or more blocks.

Translation Table

Translation tables are used by the SECZIP and SECUNZIP programs for translating characters in compressed text files between the ASCII character sets used within a ZIP archive and the EBCDIC character set used on IBM-based systems. These tables may be created and modified by you as documented in the user's guide.
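A worked illustration of the EBCDIC-to-ASCII translation described under EBCDIC and here, added as an example that is not the product's own table. It assumes Python's cp037 codec (US/Canada EBCDIC) as the EBCDIC code page; the "HELLO WORLD" bytes and the packed decimal field are constructed samples, the second one there to show what applying a text translation table to binary data does.

```python
# EBCDIC <-> ASCII translation tables of the kind a ZIP program applies to
# text members. Added example, not the product's own tables; it assumes
# Python's cp037 codec (US/Canada EBCDIC) as the EBCDIC code page.

EBCDIC_QUESTION_MARK = 0x6F  # "?" in cp037; used for bytes with no ASCII equivalent


def build_ebcdic_to_ascii_table(ebcdic_codec: str = "cp037") -> bytes:
    """256-byte table indexed by EBCDIC code point, giving the ASCII byte.

    EBCDIC points with no 7-bit ASCII equivalent (accented letters, C1
    controls) are mapped to "?", so the translation is lossy.
    """
    table = bytearray(256)
    for cp in range(256):
        ch = bytes([cp]).decode(ebcdic_codec)      # cp037 decodes every byte value
        try:
            table[cp] = ch.encode("ascii")[0]
        except UnicodeEncodeError:
            table[cp] = ord("?")
    return bytes(table)


def build_ascii_to_ebcdic_table(ebcdic_codec: str = "cp037") -> bytes:
    """256-byte table indexed by ASCII byte, giving the EBCDIC code point."""
    table = bytearray([EBCDIC_QUESTION_MARK] * 256)
    for cp in range(128):                           # every ASCII char exists in cp037
        table[cp] = chr(cp).encode(ebcdic_codec)[0]
    return bytes(table)


def translate(data: bytes, table: bytes) -> bytes:
    """Apply a 256-byte translation table byte for byte, as the ZIP program does."""
    return data.translate(table)


E2A = build_ebcdic_to_ascii_table()
A2E = build_ascii_to_ebcdic_table()

# Constructed sample: the EBCDIC (cp037) bytes of the text "HELLO WORLD".
EBCDIC_TEXT = bytes.fromhex("C8C5D3D3D640E6D6D9D3C4")
# Constructed sample: a packed decimal field (+123), i.e. binary, not text.
PACKED_FIELD = bytes.fromhex("123F")


def demo():
    ascii_text = translate(EBCDIC_TEXT, E2A)          # b"HELLO WORLD"
    round_trip = translate(ascii_text, A2E)           # == EBCDIC_TEXT
    damaged = translate(PACKED_FIELD, E2A)            # != PACKED_FIELD
    return ascii_text, round_trip, damaged


if __name__ == "__main__":
    text, back, damaged = demo()
    print(text, back == EBCDIC_TEXT, damaged.hex())
```

Text survives the round trip; the packed field does not, because the table rewrites its sign and digit nibbles as if they were character codes. Whether a member is zipped as text or binary is therefore a correctness decision, and the practical check before relying on a customised table is exactly this kind of round trip on a known sample.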


Truncate

To cut off or delete the data that will not fit within a specified line width or display. This may also be attributed to data that does not fit within the specified length of a field definition.

Universal Time Coordinated (UTC)

A synonym for Greenwich Mean Time (GMT) which is the mean solar time of the meridian of Greenwich, England, and is the prime basis of standard time throughout the world.

Variable-Length

A characteristic of a file in which the individual records (and/or the file itself) can be of varying length. Also see Fixed-Length.

Virtual Storage Access Method

The Virtual Storage Access Method (VSAM) is an access method for the direct or sequential processing of fixed-length and variable-length records on direct access devices. The records in a VSAM dataset or file can be organized in logical sequence by a key field (key sequence dataset or KSDS), in the physical sequence in which they are written on the dataset or file (entry-sequence or PS), or by relative-record number (RR). The datasets are managed by the IDCAMS utility program and are used by commands and macros from within application programs.

ZIP Archive

The term ZIP archive refers to a single dataset that contains a number of files compressed into a much smaller physical space by SecureZIP software.


Index

$

$INSTLIC, 42

3

3DES, 29

A

Activating the ISPF Interface, 60
ACZDFLT, 42
AES, 29
ARCHIVE_STORCLASS, 42
ARCHIVE_UNIT, 42
ARCHIVE_VOLUMES, 42
ASMDFLT, 42
ASMSAFE, 43
authentication, 22, 24

B

BASIC, 49

C

CAPACITY, 49
certificate authority, 24
certificate stores, 28
certificate validation policies, 82
certificates, 24, 25, 28
    root, 26
Conditional Use, 56
cryptographic services, 163
Current Use License, 53

D

Defaults Module, 42
DEMO, 49
DES, 29
DISASTER RECOVERY, 49

E

EBCDIC, 44
encryption, 22, 31, 163
    algorithms, 29
    certificate-based, 32
    password, 31
enhanced tape processing, 18
ENTERPRISE, 49

F

facilities, 163
–FACILITY_ENCRYPTDATA, 74, 75
FEATURES, 49
FIPS, 29

H

HFS, 15
Hierarchical File System, 15

I

IBM Cryptographic Facilities Integration, 163
IBM’s Terminology Web Site, 187
ICSF, 10
Installation Overview, 34
Integrated Cryptographic Service Facility. See ICSF
ISPF Main Menu, 61
ISR@PRIM, 61

K

keys, 22, 24, 31

L

Library Lookaside, 61
LICENSE_HLQ, 42
Licensed Types, 49
Licensing and Initializing the Demo, 45, 56
LICPRINT, 54
LICSHSYS, 56
LICxxxx, 42

M

Media Distribution for Installation, 34

O

OUTFILE_STORCLASS, 42
OUTFILE_UNIT, 42
OUTFILE_VOLUMES, 42

P

PartnerLink, 21, 91, 152
passwords, 31
PEM, 28
PKCRYUTL, 163
PKCS#12, 28
PKCS#7, 28
PKI, 23, 24
PKZALLOC, 61
private key, 24, 25, 32
Protecting Files with the SAFETYEX Module, 43
public key, 24, 25

R

RC4, 30
Reporting, 54
Running a Disaster Recovery Test, 59

S

SAF, 82, 84
SAFETYEX, 43
SAFETYEX Module, 43
SecureZIP Partner, 21, 48, 91, 122, 152
Self-Extracting ZIP File, 35
Show System Information, 55
signing, 24, 25
Specific Changes, 41, 42
sponsor, 152
Sponsor Distribution Package, 153
SYSEXEC, 60
SYSPROC, 60
System Access Facility security server. See SAF

T

Tailoring Site Specific Changes, 41, 42
TEMP_STORCLASS, 42
TEMP_UNIT, 42
TEMP_VOLUMES, 42
TIME-DELIMITED, 49
translation controls, 44
Trial Period, 45
Triple DES, 29
Type of Media Distribution for Installation, 34

U

UNIX, 15

V

VSAM_STORCLASS, 42
VSAM_VOLUMES, 42

X

X.509, 24
