PKZIP®/SecureZIP® for z/OS®

System Administrator’s Guide

SZZSA-V9R0022

PKWARE Inc.


PKWARE, Inc.
648 N Plankinton Avenue, Suite 220
Milwaukee, WI 53203

Main office: 888-4PKWARE (888-475-9273)
Sales: 937-847-2374 (888-4PKWARE / 888-475-9273)
Sales - E-Mail: [email protected]
Support: 937-847-2687
Support - http://www.pkware.com/business_and_developers/support
Fax: 414-289-9789
Web Site: http://www.pkware.com

9.0 Edition (2006)

SecureZIP for z/OS, PKZIP for z/OS, SecureZIP for i5/OS®, PKZIP for i5/OS, SecureZIP for UNIX, and SecureZIP for Windows are just a few of the members of the PKZIP family.

PKWARE Inc. would like to thank all the individuals and companies—including our customers, resellers, distributors, and technology partners—who have helped make PKZIP the industry standard for trusted ZIP solutions. PKZIP enables our customers to efficiently and securely transmit and store information across systems of all sizes, ranging from desktops to mainframes.

This edition applies to the following PKWARE Inc. licensed programs:

PKZIP for z/OS (Version 9, Release 0, 2006)
SecureZIP for z/OS (Version 9, Release 0, 2006)
SecureZIP Partner for z/OS (Version 9, Release 0, 2006)

PKWARE, PKZIP, and SecureZIP are registered trademarks of PKWARE, Inc. z/OS, i5/OS, zSeries, and iSeries are registered trademarks of IBM Corporation. Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.

Any reference to licensed programs or other material, belonging to any company, is not intended to state or imply that such programs or material are available or may be used.

The copyright in this work is owned by PKWARE Inc., and the document is issued in confidence for the purpose only for which it is supplied. It must not be reproduced in whole or in part or used for tendering purposes except under an agreement or with the consent in writing of PKWARE Inc., and then only on condition that this notice is included in any such reproduction. No information as to the contents or subject matter of this document or any part thereof either directly or indirectly arising there from shall be given or communicated in any manner whatsoever to a third party being an individual firm or company or any employee thereof without the prior consent in writing of PKWARE Inc.

Copyright © 1989 - 2010 PKWARE Inc. All rights reserved.

Contents

PREFACE
  Notices
  About This Manual
  Conventions Used in This Manual
  Related Publications
  Related Information on the Internet
  User Help and Contact Information

1 SYSTEM PLANNING AND ADMINISTRATION
  Planning for Administration Activities
  System Requirements
    Operating System
    Region Size and Storage
    Static Disk Space
    Tape Device Considerations
    SecureZIP ICSF Operations
  Migration Considerations
  Distinctive Features of PKZIP and SecureZIP for z/OS
  Distinctive Features of SecureZIP for z/OS
  PKWARE PartnerLink: SecureZIP Partner for z/OS
  Encryption
  Authentication
    Data Integrity
    Digital Signature Validation
    Digital Signature Source Validation
  Public-Key Infrastructure and Digital Certificates
    Public-Key Infrastructure (PKI)
    x.509
    Digital Certificates
    Certificate Authority (CA)
    Private Key
    Public Key
    Certificate Authority and Root Certificates
  Setting Up Stores for Digital Certificates on zOS
    Setting Up the Certificate Stores
    Updating the Certificate Stores
  Types of Encryption Algorithms
    FIPS 46-3, Data Encryption Standard (DES)
    Triple DES Algorithm (3DES)
    Advanced Encryption Standard (AES)
    Comparison of the 3DES and AES Algorithms
    RC4
    Standard
  Key Management
  Passwords and PINS
  Recipient Based Encryption
  Random Number Generation
  Integrity of Public and Private Keys
  Data Encryption

2 INSTALLATION, LICENSING, AND CONFIGURATION
  Installation Overview
  Type of Media Distribution for Installation
  Installation from Downloaded File or CD
    Non-SMP/E Installation
    SMP/E Installation
  Installing from Tape
  Tailoring Site-Specific Changes to the Defaults Module
  Protecting Files with the SAFETYEX Module
  Tailoring for Filename and Data Character Set Conversions
  SMS Dataclass Considerations
    Note for users of PKZIP for MVS and PKZIP for zSeries 5.6
    Considerations when Exporting Private Keys using RACDCERT
  Evaluation Activity Log
    Activity Log Setup and Configuration
  Licensing Requirements
    Licensed Types
    Product Features
    Evaluation Period
    Release-Dependent Licensing
    Current Use License
    Reporting
    Show System Information
    Conditional Use
  Initializing the License
    PKZIP and Full-Featured SecureZIP License Activation
    SecureZIP Partner License Activation
    Reporting the PKZIP/SecureZIP for z/OS License
    PKZIP/SecureZIP for z/OS Grace Period
    Running a Disaster Recovery Test
  Activating the ISPF Interface
  ISPF Main Menu
  Running PKZIPz with Library Lookaside (LLA and LNKLST)
  Verifying the Installation

3 SECURITY ADMINISTRATION OVERVIEW
  Keywords, Phrases, and Acronyms Used
  Accessing Certificates
    Public Key Certificate
    Private Key Certificates
    Certificate Authority and Root Certificates
  Configuration Profile
    Contents of the Configuration Profile
    Data Base (DB) Profile (Local Certificate Store)
    LDAP Profile (Networked Certificate Store)
    Recipient Searches
  Local Certificate Stores
    Access x.509 Public and Private Key Certificates
    Authentication and Certificate Validation Policies
    Other Profile Commands

4 CERTIFICATE STORE MANAGEMENT
    SecureZIP Main Panel—Access to the Certificate Stores
    SecureZIP Certificate Store Administration and Configuration
  Local Certificate Store Administration
    SecureZIP Local Certificate Store
    Create a New Local Certificate Store DB
    Certificate Validation Options
    Generated JCL to Build the Initial Certificate Store
    View Data Base Certificate Entries
    List Data Base Certificate Entries
    Add a Certificate to the Local Store
    Add a New Certificate to the CA Store
    Add a New Trusted Root Certificate to the Root Store
    Delete a Certificate from the Local Store
    Synchronize the Index for the Local Certificate Store
    Generated JCL for Synchronization
    CA, Root, and CRL Verification
    Report DB Statistics
    Edit Active DB Profile
    Backup and Restore Process
  Directory Certificate Store Configuration - LDAP
    Create/Test LDAP Profile Statements
    Edit existing LDAP profile
    Create/Test LDAP Link
    Create New LDAP Profile Settings
    Load Existing LDAP Profile
    Testing the LDAP Connection
  Runtime Configuration
    Zip/Unzip Runtime Configuration Panel
    SecureZIP Runtime Configuration Panel
    SecureZIP Runtime Configuration Panel Undefined
    SecureZIP Runtime Configuration Panel with DB Profile Defined
    SecureZIP Runtime Configuration Panel with Private Certificate Location
  x.509 Certificate Utilities
    The Options
    Certificate Revocation Lists
  Filename Encryption

5 SECURITY QUESTIONS AND SOLUTIONS
  Which encryption settings should be chosen?
  How is encryption activated?
  How is ICSF hardware acceleration activated?
  What is the difference between a SecureZIP Encryption Method and an Algorithm?
  How many recipients can be specified?
  What virtual storage is required for certificate-based encryption?
  How does ENCRYPTION_METHOD affect certificate-based encryption?
  How does SecureZIP activate MASTER_RECIPIENT contingency keys?
  How does MASTER_RECIPIENT affect activation?
  How do I copy a local certificate store?
  How do I remove a local certificate store?
  How can the contents of an x.509 certificate file be determined?

6 PKWARE PARTNERLINK: SECUREZIP PARTNER
  About SecureZIP Partner for z/OS
    If You Are a Sponsor: Sign the Central Directory
  Terms and Acronyms Used in This Chapter
  PKWARE PartnerLink Program: Overview
    Decrypting and Extracting Sponsor Data (Read Mode)
    Creating an Archive for a Sponsor
    Getting Started
  Co-existence with Other PKWARE Products
    Recommendations
  PartnerLink Certificate Store Administration and Configuration
    Choosing a Configuration Model
    Installing a Sponsor Distribution Package
    Updating a Sponsor Distribution Package
    Removing a Sponsor Distribution Package
    Providing a Sponsor Configuration for Execution

7 CRYPTOGRAPHIC FACILITY UTILITY - PKCRYUTL
    Cryptographic Facility Categories
  Assessing a System’s Cryptographic Capabilities with PKCRYUTL
    PKCRYUTL Execution
    PKCRYUTL Reporting
    PKCRYUTL Sample Report
    PKCRYUTL Interpretation

GLOSSARY

INDEX

Preface

PKZIP for z/OS and SecureZIP for z/OS are members of the PKWARE family of products providing high-performance data compression and data protection across multiple operating systems and platforms.

PKZIP for z/OS provides powerful, easy-to-use data compression on the mainframe. PKZIP for z/OS Enterprise Edition additionally includes support for password-based decryption of encrypted files, powered by trusted RSA® BSAFE. Files created by PKZIP for z/OS use the widely-adopted ZIP format and can be accessed on all major platforms throughout the enterprise—from mainframe to PC.

SecureZIP for z/OS provides powerful, easy-to-use data compression and data protection on the mainframe. SecureZIP for z/OS delivers high-performance data compression and protects data with digital signatures and trusted RSA BSAFE encryption, either password- or certificate-based, with key lengths of up to 256 bits. Like PKZIP for z/OS, SecureZIP for z/OS uses the widely-adopted ZIP format and creates files that can be accessed on all major platforms throughout the enterprise.

Notices

To better align our products with IBM naming conventions and to support the future development of new products on the IBM System z and System i platforms, PKWARE has changed the names of its large-platform products to reference the compatible IBM operating systems instead of specific platforms. In particular, beginning with version 9.0, the PKZIP product is called PKZIP for z/OS instead of PKZIP for zSeries, as in version 8.x, and SecureZIP is called SecureZIP for z/OS instead of SecureZIP for zSeries.

Licensing requirements have changed for this release. See chapter 2 for current information.

About This Manual

This manual provides information to help a system administrator install and use PKZIP for z/OS or SecureZIP for z/OS in an operational environment. It is assumed that anyone using this manual has a good understanding of JCL and dataset processing. The manual applies to the following operating systems:

OS/390 – Version 2.10

z/OS - all releases


Conventions Used in This Manual

Throughout this manual, the following conventions are used:

PKZIPz (bold-italicized) refers to both PKZIP for z/OS and SecureZIP for z/OS. Information given for PKZIPz applies to both products. Information given specifically for PKZIP for z/OS or SecureZIP for z/OS applies specifically to that product.

The use of the Courier font indicates text that may be found in job control language (JCL), parameter controls, or printed output.

The use of italics in a command line indicates a value that must be substituted by the user, for example, a data set name. Italics are also used in body text to quote command names and so forth or to indicate the title of a manual or other publication.

Bullets (•) indicate items (or instructions) in a list.

The use of <angle brackets> in a command definition indicates a mandatory parameter.

The use of [square brackets] in a command definition indicates an optional parameter.

A vertical bar (|) in a command definition is used to separate mutually exclusive parameter options or modifiers.

When sample JCL is shown, or references to the PKZIPz libraries are made, the high-level qualifier PKWARE.MVS may be used generically. The high-level qualifiers for the packaged products will be PKZIP.MVS for PKZIP for z/OS and SECZIP.MVS for SecureZIP for z/OS. Note that the actual high-level qualifiers installed on your system may be different.

Program examples may show either SecureZIP or PKZIP constructs. In general, examples apply to both programs unless the examples appear in sections of the manual that relate exclusively to SecureZIP features. Such sections are marked like this:

Requires SecureZIP

Related Publications

PKZIP/SecureZIP for z/OS product manuals include:

PKZIP/SecureZIP for z/OS System Administrator's Guide - Provides detailed information to assist the system administrator with the installation and administrative requirements necessary to use PKZIPz in an operational environment.

PKZIP/SecureZIP for z/OS User’s Guide - Provides detailed information on the product set in OS/390 and z/OS operating environments. Also provided is a general introduction to data compression, PKZIPz specific data compression, and an overview on how to use PKZIPz, PKZIPz control cards, and parameters.

PKZIP/SecureZIP for z/OS Messages and Codes - This provides information on the messages and codes that are displayed on the consoles, printed outputs, and associated terminals.

IBM Manuals relating to the PKZIP/SecureZIP for z/OS products include:


System Codes - Documents the completion codes issued by the operating system when it terminates a task or an address space. Describes the wait state codes placed in the program status word (PSW) when the system begins a wait state. Describes the causes of loops.

System Messages - Documents the messages issued by the OS/390 operating system. The descriptions explain why the component issued the message, give the actions of the operating system, and suggest responses by the applications programmer, system programmer, and/or operator.

JES2 Messages - Documents the messages issued by the JES2 subsystem. The descriptions explain why the component issued the message, give the actions of the operating system, and suggest responses by the applications programmer, system programmer, and/or operator.

JCL User's Guide - Describes the job control tasks needed to enter jobs into the operating system, control the system's processing of jobs, and request the resources needed to run jobs. To perform the tasks, programmers code job control statements. The user's guide assists in deciding how to perform job control tasks.

JCL Reference - Describes the job control tasks needed to enter jobs into the operating system, control the system's processing of jobs, and request the resources needed to run jobs. To perform the tasks, programmers code job control statements. The reference guide is designed to be used while coding the statements.

Access Methods Services - Documents the functions that are available with Virtual Storage Access Method (VSAM) and describes the IDCAMS commands that can be issued to control VSAM datasets.

TSO/E Command Reference - Documents the functions of the TRANSMIT and RECEIVE Command Facility used for the distribution and allocation of PKZIPz installation libraries.

ICSF Application Programmers Guide – Describes how to use the callable services provided by the Integrated Cryptographic Service Facility.

ICSF Administrators Guide – Describes how to manage cryptographic keys by using the z/OS Integrated Cryptographic Service Facility.

ICSF Overview – Contains overview and planning information for the z/OS Integrated Cryptographic Service Facility.

zSeries Hardware Management Console Operations Guide – Contains information pertinent to setting hardware cryptographic keys associated with ICSF.

MVS/QuickRef 6.3 Copyright (C) 1989-2002, Chicago-Soft, Ltd. includes both messages and command reference material for PKZIPz.

Related Information on the Internet

PKWARE, Inc.

www.pkware.com


FTP site

Product manuals - ftp://bigiron.pkware.com/pub/manuals/zOS

Product downloads - ftp://bigiron.pkware.com/pub/products

    PKZIP for z/OS - ftp://bigiron.pkware.com/pub/products/pkzip/zOS

    SecureZIP for z/OS - ftp://bigiron.pkware.com/pub/products/securezip/zOS

    SecureZIP Partner for z/OS - ftp://bigiron.pkware.com/pub/products/partnerlink/zOS

National Institute of Standards and Technology

Computer Security Resource Center - http://csrc.ncsl.nist.gov

Information on the AES development - http://csrc.nist.gov/encryption/aes

Information on Key Management - http://csrc.nist.gov/CryptoToolkit/tkkeymgmt.html

RSA BSAFE® Content Library – http://www.rsasecurity.com/content_library.asp

User Help and Contact Information

For licensing, please contact Sales at 937-847-2374 (888-4PKWARE / 888-475-9273) or email [email protected].

For technical assistance, contact Technical Support at 937-847-2687 or visit the support web site: http://www.pkware.com/business_and_developers/support


1 System Planning and Administration

PKZIP/SecureZIP for z/OS contains two main programs: PKZIP (or SECZIP in SecureZIP) and PKUNZIP (or SECUNZIP in SecureZIP). The ZIP program is used to compress or store files into a ZIP format archive, while the UNZIP program is used to extract data compressed into ZIP-compatible archives. Processing control is available through the use of customized option modules, shared command lists, and individual job inputs. In addition to file selection, features such as compression levels and performance selections can be specified.

To guarantee data integrity, a 32-bit cyclic redundancy check (CRC) is a standard feature. A ZIP archive is platform-independent; therefore, data compressed (zipped) on one platform, such as UNIX or Windows, can be decompressed (unzipped) on another platform, such as OS/390 or z/OS, by using a compatible version of the UNZIP program.

With its advanced password and certificate-based security features, SecureZIP for z/OS offers multiple methods of encryption and is an excellent choice for securing data and data transfers. However, it is important that system administrators carefully plan in advance the design, development, and testing tasks required to successfully integrate SecureZIP for z/OS as a secure solution into a production environment.

The following sections chart the production and pre-production planning activities for administration and discuss PKZIPz model environments and important concepts for the systems administrator. They also describe encryption, types of algorithms in use, information about specific mandates requiring the use of secure data, and how SecureZIP for z/OS will secure that data.


Planning for Administration Activities

Pre-Production Administration Activities

[Chart: administration activities for the Design, Development, and Test phases, grouped by area: Analysis, Definition, Network, Security, Operations, Monitoring, Performance.]

Activities shown in the chart:

Gather Design Requirements
Generate System and Prepare JCL
Verify Online Design
Analyze Protection Requirements
Establish Security Procedures
Verify System Access
Plan Network Requirements
Coordinate Network Generation
Verify Network Availability
Analyze System Requirements
Develop Operations Procedures
Test Operations/Recovery
Predict Workload
Establish Response Criteria
Test Critical Responses
Develop Monitoring Strategy
Monitor During Test
Analyze Application Package
Finalize Workload And Function


Production Administration Activities

[Chart: administration activities for the Production, Maintenance, and Application Modifications phases, grouped by area: Analysis, Definition, Network, Security, Operations, Monitoring, Performance.]

Activities shown in the chart:

Revise System Definition
Redesign and Test
Audit Security Problems
Maintain Security Design
Add to Security Design
Change Network Configuration
Review Network Configuration
Audit Operations and Service
Revise Operations Procedures
Analyze Operations Requirements
Interpret System Performance
Apply Tuning Challenges
Monitor and Gather Statistics
Revise Monitoring Strategy
Assess and Schedule Changes
Assess Impact

System Requirements

This section describes the system requirements for SecureZIP for z/OS.

Operating System

The minimum operating system levels supported are:

OS/390 – Version 2.10

z/OS - all releases

To extract files greater than 2 gigabytes or to create archives greater than 2 gigabytes in a PDSE, operating system maintenance associated with APAR BW57702 is required.

z/OS 1.6 or z/OS 1.7 installations intending to use ICSF cryptographic services should ensure that RACF maintenance associated with APAR OA11874 is installed.

Language Environment release-dependent runtime options modules are supplied with the product and are dynamically selected for use at the release levels shown in the following table. If higher levels of Language Environment are encountered, informational system messages may be issued (CEE3611I, CEE3615I, CEE3627I). These have no functional impact on product operations.

Operating System Release    Language Environment FMID    Language Environment Options Release
OS/390 2.10                 HLE7703                      1.3
z/OS 1.1                    HLE7703                      1.3
z/OS 1.2                    HLE7704                      1.5
z/OS 1.3                    HLE7705                      1.5
z/OS 1.4                    HLE7706                      1.5
z/OS 1.5                    HLE7708                      1.5
z/OS 1.6                    HLE7709                      1.6
z/OS 1.7                    HLE7720                      1.6

Region Size and Storage

See the section “Region Size and Storage” in chapter 3 of the PKZIP/SecureZIP for z/OS User’s Guide for information relating to minimum virtual storage requirements.

Static Disk Space

Product data set allocations are approximately as follows:

Data Set    Tracks   %Used   XT   Device
CEXEC       61       88      1    3390
HELP        39       89      2    3390
INSTLIB     17       100     1    3390
INSTLIB2    3        66      1    3390
LICENSE     1        100     1    3390
LOAD        230      100     1    3390
MACLIB      7        85      1    3390
SPKZCLIB    75       78      1    3390
SPKZMLIB    2        50      1    3390
SPKZPLIB    38       78      1    3390
SPKZSLIB    4        75      1    3390
SPKZTLIB    2        50      1    3390

SecureZIP certificate store data set allocations are approximately as follows:

Data Set                  Tracks   %Used   XT   Device
CERTSTOR.DBX.DATA         150      ?       1    3390
CERTSTOR.DBX.INDEX        1        ?       1    3390
CERTSTOR.DBXCN.DATA       15       ?       1    3390
CERTSTOR.DBXCN.INDEX      1        ?       1    3390
CERTSTOR.DBXEM.DATA       15       ?       1    3390
CERTSTOR.DBXEM.INDEX      1        ?       1    3390
CERTSTOR.DBXPUBK.DATA     15       ?       1    3390
CERTSTOR.DBXPUBK.INDEX    1        ?       1    3390
CERTSTOR.PRIVATE          150      6       1    3390
CERTSTOR.PUBLIC           150      6       1    3390
CERTSTOR.P7CA             150      1       1    3390
CERTSTOR.P7CRL            150      1       1    3390
CERTSTOR.P7ROOT           150      1       1    3390
CERTSTOR.SPONSOR.AUTH     15       6       1    3390
CERTSTOR.SPONSOR.INFO     15       6       1    3390
CERTSTOR.SPONSOR.RECIP    15       6       1    3390

Tape Device Considerations

The following notes apply when ZIP archives may be directed to a tape or cartridge device.

Do not use DCB option TRTCH=COMP when specifying a non-STORE form of ZIP compression.

If Large Block Interface (LBI) tape processing is to be used (ARCHIVE_ZIPFORMAT=FULL_LBI or XTAPE_LBI) and there is any restriction on maximum block size for tape cartridges, review the setting for SMS Dataclass “Block Size Limit” or PARMLIB(DEVSUPxx) TAPEBLKSZLIM and set the ZIP defaults (or pre-defined command sets) for ARCHIVE_BLKSIZE accordingly.

IECIOSxx parmlib parameter MIH:

If your site does not specify an IOS= member in the IEASYSxx member, then a default value of 3:00 minutes for 3490 missing tape device interrupts is used. This value is too low for PKZIP tape processing. IBM 3490 Planning and Migration Guide recommends a value of 20 minutes for missing interrupts associated with 3490E tape drives. Set a temporary increase to the MIH values for tape by using the following MVS console command:

SETIOS MIH,TAPE=20:00

To change parmlib, place the following in member IECIOSxx:

MIH TIME=20:20,DEV=nnnn

where nnnn is the device address.

For devices configured as 3590s, the control unit controls both the primary and secondary MIH values. The primary MIH governs most commands, and the second MIH governs a small group of long-running commands, such as LOCATE and FORWARD SPACE FILE.

SecureZIP ICSF Operations

This section pertains to system-supplied cryptographic facilities that are supplemental to inherent SecureZIP cryptographic services. An appropriate SecureZIP license is required to access these facilities.

The system-supplied cryptographic facilities available for SecureZIP for z/OS to use depend on the hardware configuration and controlling system software. ICSF callable services are utilized by SecureZIP to facilitate access to system-supplied cryptographic facilities for selected system configurations. For planning purposes, the following checklist may be used to ensure that the operating environment is activated appropriately to support the desired cryptographic feature through SecureZIP:

Refer to the “ICSF Feature/Facility Requirements Table” later in this section to identify the desired cryptographic feature and associated facility requirements

Ensure that the correct hardware feature codes are installed for the target platform

Ensure that the ICSF Program Product is installed at the proper release level

Use the TSO/ISPF ICSF dialog to determine if ICSF is active and the necessary components are operative. Select option 1 and press Enter. If ICSF is not available, you will receive the message shown in the upper right portion of the screen below.

    HCR7730 -------------- Integrated Cryptographic Serv  ICSF IS NOT ACTIVE
    OPTION ===>

    Enter the number of the desired option.

      1  COPROCESSOR MGMT - Management of Cryptographic Coprocessors
      2  MASTER KEY       - Master key set or change, CKDS/PKDS Processing
      3  OPSTAT           - Installation options
      4  ADMINCNTL        - Administrative Control Functions
      5  UTILITY          - ICSF Utilities
      6  PPINIT           - Pass Phrase Master Key/CKDS Initialization
      7  TKE              - TKE Master and Operational Key processing
      8  KGUP             - Key Generator Utility processes
      9  UDX MGMT         - Management of User Defined Extensions

    Licensed Materials - Property of IBM
    5694-A01 (C) Copyright IBM Corp. 1989, 2004. All rights reserved.
    US Government Users Restricted Rights - Use, duplication or
    disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

    Press ENTER to go to the selected option.
    Press END to exit to the previous menu.

If ICSF is active, you will see screens like the following. These may or may not identify coprocessors, but they can be used by SecureZIP for z/OS. The coprocessor status is based on the hardware configuration of your environment.

System with no coprocessors available

    ------------------------- ICSF Coprocessor Management -------------------------
    COMMAND ===>                                                  SCROLL ===> PAGE

    Select the coprocessors to be processed and press ENTER.
    Action characters are: A, D, E, K, R and S. See the help panel for details.

       COPROCESSOR     SERIAL NUMBER     STATUS
       -----------     -------------     ------
    ******************************* Bottom of data ********************************

System with coprocessors available

    ------------------------- ICSF Coprocessor Management ------------- Row 1 of 4
    COMMAND ===>                                                  SCROLL ===> PAGE

    Select the coprocessors to be processed and press ENTER.
    Action characters are: A, D, E, R, and S. See the help panel for details.

       COPROCESSOR     MODULE ID/SERIAL NUMBER               STATUS
       -----------     ---------------------------------     ------
    .  C0              04100000000043FD 04100000000043FD     ACTIVE
    .  C1              04100000000041A2 04100000000041A2     ACTIVE
    .  P00             94E04777                              ACTIVE
    .  P01             94E04781                              ACTIVE

System with coprocessors online but not initialized for use

    ------------------------- ICSF Coprocessor Management -------- Row 1 to 1 of 1
    COMMAND ===>                                                  SCROLL ===> PAGE

    Select the coprocessors to be processed and press ENTER.
    Action characters are: A, D, E, K, R and S. See the help panel for details.

       COPROCESSOR     SERIAL NUMBER     STATUS
       -----------     -------------     ------
    .  E01             95000276          ONLINE
    ******************************* Bottom of data *******************************

If necessary, perform some or all of the following system configuration activities in accordance with the z/OS ICSF Administrators Guide and the z/OS Cryptographic Services System Programmer’s Guide:

o Ensure that the system (or LPAR) is configured for the hardware cryptographic facility

o Perform Hardware Management Console (HMC) activities to enable cryptographic usage through ICSF

o Perform Power On Reset to activate HMC settings

o Prepare ICSF run-time environment (e.g. allocation of control data sets)

o Start ICSF in update mode to establish pass phrases

Ensure that ICSF is started with production run-time parameters

Conditionally update RACF (or equivalent security product) to permit access to the following CSFSERV Resource classes (if CSFSERV is desired to be an active class) for READ access:

o CSFCKM

o CSFIQF

o CSFOWH

o CSFRNG

The following tables show the levels of system hardware and operating software required by various cryptographic features.

ICSF Feature/Facility Requirements Table

This table provides an overview of system facilities required to access a specific cryptographic feature. For each supported Service within a platform configuration, three pieces of information are shown.

The minimum Hardware facility required

The Software callable service used

A minimum ICSF release level (referenced by FMID)

Each cell lists: hardware facility / callable service / minimum ICSF FMID.

Cryptographic Service           S/390                      z/800 & z/900              z/890 & z/990              z9-109
DES/3DES Hardware Acceleration  CCF / CSNBENC / HCR7703    CCF / CSNBENC / HCR7704    CPACF / CSNBSYE / HCR7720  CPACF / CSNBSYE / HCR7720
AES ICSF Software               Not available              CCF / CSNBSYE / HCR7706    CPACF / CSNBSYE / HCR7720  CPACF / CSNBSYE / HCR7720
AES128 Hardware Acceleration    Not available              Not available              Not available              CPACF / CSNBSYE / HCR7730
SHA-1 Hardware Acceleration     CCF / CSNBOWH / HCR7703    CCF / CSNBOWH / HCR7704    CPACF / CSNBOWH / HCR7720  CPACF / CSNBOWH / HCR7720
MD5 ICSF Software               CCF / CSNBOWH / HCR7703    CCF / CSNBOWH / HCR7704    CPACF / CSNBOWH / HCR7720  CPACF / CSNBOWH / HCR7720
Pseudo Random Data Generation   CCF / CSNBRNG / HCR7703    CCF / CSNBRNG / HCR7704    CPACF / CSNBRNG / HCR7720  CPACF / CSNBRNG / HCR7720

Table: ICSF feature/facility requirements

Notes:

S/390 comprises G5(9672), G6(9672), MP2000, MP3000 with an activated CCF configuration. In addition, this grouping includes z/Architecture systems running OS/390 2.10.

ICSF is assumed to be running in non-PCF mode, and FMIDs are listed at the minimum supported level. SMP/E and ICSF settings should be checked to verify the ICSF operating level and configuration. (Note that HCRP220 and prior FMIDs were for PCF.)

Some ICSF levels may be required to be at a higher level than those shown due to IBM system configuration requirements.

Through the callable service, ICSF directs which hardware/software facility to use based on the call request and the available configuration.

IBM technical support documents and maintenance buckets should be reviewed to determine a complete set of system feature enablement requirements to activate the necessary level of ICSF and associated system-provided services.

Distributed Operating System ICSF Levels

The following table is provided as a convenience for planning purposes to show ICSF levels typically provided with a given level of the operating system. System-specific planning and requirements review should be performed for an installation.

Operating System    Distributed ICSF Level    Enabled Feature as Used by SecureZIP
OS/390 2.10         HCR7703                   Base ICSF for CSNBENC
z/OS 1.2            HCR7704
z/OS 1.3            HCR7706                   CSNBSYE CPACF (z/x90, z/9)
z/OS 1.4            HCR7706 or HCR7708
z/OS 1.5            HCR7708
z/OS 1.6            HCR770A
z/OS 1.7            HCR7720 or                CSNBSYE CPACF for DES/3DES
                    HCR7730                   CSNBSYE AES128 hardware (z/9)
z/OS 1.8            HCR7731

Note that many of the ICSF release levels can be installed on earlier releases of the operating system.

Migration Considerations

Maintenance (TT2808) is recommended for installations intending to execute under z/OS 1.8 (using Language Environment release 1.7).

Installations using GZIP=Y in customized default modules should convert to ARCHIVE_ZIPFORMAT=GZIP. The GZIP setting is no longer honored when defined in the defaults module.

Installations activating ARCHIVE_ZIPFORMAT Enhanced Tape Processing (XTAPE, XTAPE_LBI or FULL_LBI) should be aware that there are back-level release sharing considerations. ARCHIVE_ZIPFORMAT=FULL is recommended if a tape archive created by the current release is to be accessed by an older release of PKZIP for z/OS or SecureZIP for z/OS. However, toleration maintenance change TT2741 is available for PKZIP for zSeries (releases 5.6 & 8.2) and SecureZIP for zSeries (releases 8.1 & 8.2) to provide restricted UNZIP processing capabilities. For information, refer to the ARCHIVE_ZIPFORMAT and ARCHIVE_BLKSIZE commands in the PKZIP/SecureZIP for z/OS User’s Guide.

Installations suppressing the //SYSIN PDS member verification for performance reasons with PROC_OPT1=N (available with PKZIP for MVS 5.0.10 maintenance) in ACZDFLT should change to CHECK_SYSIN_MEMBER=N in the assembly of ACZDFLT. PROC_OPT1 is no longer used for this purpose in PKZIP for MVS Release 5.5 or SecureZIP for z/OS.

Installations controlling the //SYSPRINT DCB attributes with PROC_OPT2 (available with PKZIP for MVS 5.0.10 maintenance) in ACZDFLT should change to SYSPRINT_DCB in the assembly of ACZDFLT. PROC_OPT2 is no longer used for this purpose in PKZIP for MVS Release 5.5 or SecureZIP for z/OS.

Installations utilizing the filename case-insensitivity feature with PROC_OPT3=U (available with PKZIP for MVS 5.5.0 maintenance) in ACZDFLT should change to FILENAME_SELECT_CASE=U in the assembly of ACZDFLT. PROC_OPT3 is no longer used for this purpose in SecureZIP for z/OS.

Upgrade note: Installations previously using text translation tables other than EBC#8859 for TRANSLATE_TABLE_DATA or TRANSLATE_TABLE_FILEINFO should review the data translation characters used. The newer default tables in EBC#8859 use the IBM ICONV standard character sets for IBM-1047 EBCDIC and ISO-8859-1 ASCII. In general, the newer default table is better for general-purpose text translation than the older ASCIIUS, ASCIIUSE, ASCIIUK, and ASCIIUKE tables. However, the older tables are still provided for compatibility in case installation-dependent processing requires translation of specialized character sets.

The command ZIP_UNMOVABLE_CHKPT replaces functional fix TT1825 using PROC_OPT5 in earlier releases of the product. Installations previously using PROC_OPT5 are encouraged to use ZIP_UNMOVABLE_CHKPT. PROC_OPT5 is still active in this release, with differences in message notification (see command Usage Notes in the User’s Guide for more information).

The command GZIPCRC_IGNORE replaces functional fix TT2367 using PROC_OPT6 in earlier releases of the product. Installations previously using PROC_OPT6 are encouraged to use the new command. PROC_OPT6 is still active in this release, but may be removed in the future.

Encryption features associated with the Advanced Encryption Module of PKZIP for zSeries releases 5.5 and 5.6 are now only available with SecureZIP for z/OS. However, PKZIP for z/OS Enterprise Edition does include decryption capabilities allowing access to ZIP files created by earlier releases.

SecureZIP installations previously using MASTER_RECIPIENT commands for contingency key processing will find a difference in processing if multiple MASTER_RECIPIENT command settings are provided in an execution. Whereas release 8.1 used the last command value, now all MASTER_RECIPIENT settings are cumulatively added to the run to provide support for multiple contingency keys.

Installations using password-based encryption with passphrases greater than 95 characters should reference information from PKWARE HIPER fix TT3057.

Distinctive Features of PKZIP and SecureZIP for z/OS

Distinctive features of PKZIP/SecureZIP for the z/OS and OS/390 operating environments include:

Ability to process execution from ISPF Panels, as a TSO/E command, within TSO/E REXX EXECs or CLISTs, from an application program, or a stand-alone batch utility

A robust ISPF panel interface that displays the ZIP archive directory in a table format and enables selection of individual archived (zipped) files for browsing, viewing, extracting, or deleting

Compression and extraction of datasets of the following types on DASD:

o Sequential files

o PDS and PDSE members

o VSAM files (KSDS, ESDS, RRDS)

o JES2 subsystem input files (for example, //ddname DD *)

Command extensions allowing greater flexibility in file selection

Unique filename translation to/from System/390 DSNAME conventions and the UNIX-style names typically found in ZIP archives

Compressing and extracting of datasets of the following types on tape:

o Sequential files

o Compressing and extracting of files to OS/390 and z/OS Load Libraries

o Compressing and extracting of files to Generation Data Groups (GDGs)

o GDG files can be used as a ZIP archive

Retention of dataset allocation information, such as dataset organization, device type, and DCB/Cluster attributes. Preservation of this information allows for duplication of the file with the same characteristics during the UNZIP process. Support of ZIP archives within the following dataset organizations:

o Sequential files (DASD, Tape, or Cartridge)

o PDS and PDSE members

o VSAM ESDS

Selection of datasets for processing based upon user-specified control statements, DD JCL specifications, or user-defined filtering lists

Execution on OS/390 2.10. SecureZIP also executes on a z/OS system IPL’d in 64-bit mode.

Execution in AMODE 31, using storage primarily above the 16-Mb line. However, certain operating system control blocks and system services require virtual storage below the 16-Mb line. The amount of virtual storage available within each of these areas of an address space will limit the use of some performance options (for example, multi-tasking and temporary files in storage) and capabilities.

Defaults customizable during installation. Multiple defaults modules may be created for use in a variety of application needs.

Use of pre-defined command files saved in a place selected by the user or system administrator. These can be referenced by multiple jobs or users, thus eliminating the need for individual JCL command streams. They can also be used in combination with individual job inputs to provide a consistent set of processing controls.

Certain features of PKZIP for z/OS are separately licensed.

Distinctive Features of SecureZIP for z/OS

Distinctive features of SecureZIP for the z/OS and OS/390 operating environments include:

Incorporation of the IBM Integrated Cryptographic Service Facility (ICSF) APIs, enabling the use of hardware acceleration on a variety of hardware platforms for data encryption/decryption and digital signature creation/authentication.

Dynamic run-time selection of a cryptographic facility appropriate to the current operating environment. This allows the same SecureZIP configuration to perform data encryption and signature hash operations under different system cryptographic profiles and also to take advantage of newly activated cryptographic hardware.

Ability to access certificates in directory servers through an LDAP-compliant interface. SecureZIP can look for certificates in LDAP certificate stores and automatically search these stores for recipients to whom you are sending an email message so that you can use their keys when encrypting an attachment. (Requires the optional Directory Integration module.)

Certain features of SecureZIP for z/OS are separately licensed.

PKWARE PartnerLink: SecureZIP Partner for z/OS

SecureZIP for z/OS is also available in a special version—SecureZIP Partner for z/OS—through the PKWARE PartnerLink program. The PKWARE PartnerLink program provides a straightforward, secure way for an organization to exchange sensitive information with outside partners who perhaps do not have SecureZIP.

SecureZIP Partner for z/OS differs from the full SecureZIP for z/OS in that it only extracts archives from, and only creates and encrypts archives for, a PartnerLink sponsor.

See chapter 6 for information about SecureZIP Partner for z/OS. Contact PKWARE for more information about the PKWARE PartnerLink program.

Note: SecureZIP Partner for z/OS was called SecureZIP for z/OS Reader/SecureLink prior to release 9.0 of SecureZIP for z/OS.

Encryption

Encryption provides confidentiality for data. Unencrypted data is called plaintext. Encryption transforms the plaintext data into an unreadable form, called ciphertext, using an encryption key. Decryption transforms the ciphertext back into plaintext using a decryption key.

Several algorithms have been approved in FIPS for the encryption of general purpose data. Each of these algorithms is a symmetric key algorithm, where the encryption key is the same as the decryption key. SecureZIP for z/OS uses symmetric key algorithms when encrypting user data.

In order to maintain the confidentiality of the data encrypted by a key, the key must be known only by the entities that are authorized to access the data. These symmetric key algorithms are commonly known as block cipher algorithms because the encryption and decryption processes each operate on blocks (chunks) of data of a fixed size.

FIPS 46-3 and FIPS 197 have been approved for the encryption of general-purpose data. The protection of keys is discussed below under “Key Management.”

Authentication

Requires SecureZIP

Authentication is the process of validating digital signatures that may be attached to files in an archive or to an archive’s central directory.

Authentication is a separate operation from data encryption. Whereas encryption is concerned with preventing parties from accessing sensitive data (such as private medical or financial information), authentication confirms that information actually comes unchanged from the purported source.

Authenticating digitally signed data both verifies the signature and validates the signed data.

Data Integrity

Both PKZIP and SecureZIP use a Cyclic Redundancy Check (CRC) to ensure that data is successfully transferred into and out of a ZIP archive. The CRC process creates a unique hash value “thumbprint” from the original data stream. The thumbprint is regenerated at the receiving end and compared with the hash of the source for equality. The thumbprint value is stored independently of the data stream and is used during UNZIP processing to complete validation of the data.

SecureZIP extends the concept of the CRC in two ways for the purpose of providing a tamper-resistant container within the ZIP archive. First, more rigorous HASH algorithms (MD5 and SHA-1) are used (as specified by the SIGN_HASHALG command) in addition to the 32-bit CRC to accurately reflect the uniqueness of the data stream. Second, the hash value is encrypted within a digital signature using a private-key certificate for the purpose of tamper detection at the completion of file extraction.

For more information regarding SHA-1 (Secure Hash Algorithm), see FIPS PUB 180-1, describing the Secure Hash Standard, at http://www.itl.nist.gov/fipspubs/fip180-1.htm.

SecureZIP for z/OS provides two commands, SIGN_ARCHIVE and SIGN_FILES, to initiate the creation of digital signatures within the ZIP archive. The AUTHCHK command is used to perform a tamper check operation using the digital signature and hash.
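The difference between the CRC and the signed hash described above, as an added example (not PKWARE code). It uses Python's standard zipfile module on a constructed in-memory archive; the member name and data are made up, and the SHA-1 digest stands in for the hash value a signature would carry, with the signing step itself omitted.

```python
import hashlib
import io
import zipfile
import zlib

MEMBER = "ledger.txt"  # constructed member name


def build_archive(payload: bytes) -> bytes:
    """Create a one-member ZIP in memory; zipfile records the CRC-32 itself."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(MEMBER, payload)
    return buf.getvalue()


def stored_crc(archive: bytes) -> int:
    """CRC-32 recorded for the member in the archive's central directory."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.getinfo(MEMBER).CRC


def crc_failure(archive: bytes):
    """Name of the first member whose data fails its CRC, else None."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.testzip()


def extracted_digest(archive: bytes) -> str:
    """SHA-1 of the member as extracted (the value a verifier recomputes)."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return hashlib.sha1(zf.read(MEMBER)).hexdigest()


def integrity_report() -> dict:
    original = b"ACCT 0001 BALANCE 100.00\n" * 4        # constructed sample data
    good = build_archive(original)
    signed_digest = hashlib.sha1(original).hexdigest()  # value a signature would protect

    # Accidental damage: one bit flipped in the stored member data.
    damaged = bytearray(good)
    damaged[good.find(original)] ^= 0x01

    # An archive built from different data is self-consistent: its CRC
    # matches its own contents, so the CRC alone says nothing about origin.
    other = build_archive(original.replace(b"100.00", b"900.00"))

    return {
        "crc_matches_zlib": stored_crc(good) == zlib.crc32(original),
        "good_crc_failure": crc_failure(good),
        "damaged_crc_failure": crc_failure(bytes(damaged)),
        "other_crc_failure": crc_failure(other),
        "good_matches_signed_digest": extracted_digest(good) == signed_digest,
        "other_matches_signed_digest": extracted_digest(other) == signed_digest,
    }
```

The CRC catches the flipped bit, while only the comparison against the protected digest distinguishes the archive built from different data.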

Digital Signature Validation

Requires SecureZIP

SecureZIP makes use of certificate-based encryption within the public key infrastructure (PKI) to generate and validate digital signatures. PKI provides an authentication chain for certificates to guarantee that the signature was created by the purported source. SecureZIP supports the certificate chain authentication process by including necessary identification information within the ZIP archive. Subsequently, the certificate(s) used for signing can be authenticated through a complete chain of trust.

To complete the chain of trust, a root (or self-signed) certificate representing the certificate’s issuing organization is installed on the authenticating system. This provides the receiving organization with the authority to declare how the final trust sequence should be treated. Signatures based on certificates from certificate authorities (CA) that are not authorized or trusted are declared as being untrusted by SecureZIP.

Additional facets of validating a certificate’s viability for use include a defined range of dates within which a certificate may be used and whether the certificate has been declared to have been revoked. Configurable SecureZIP policies (EXPIRED and REVOKED attributes) provide support to ensure that the certificates involved in authentication also adhere to these restrictions.

SecureZIP for z/OS provides a means to install and access the certificates necessary for signing and authentication. The AUTHCHK command, along with configured policy settings, governs the type (archive directory or data files) and level of authentication that is to be performed.

Digital Signature Source Validation

A final step in the authentication process is to ensure that the archive and/or file data was sent from a particular source. The previous steps verified that the archive directory and/or files were signed with a private-key certificate that came from a trusted source (CA) and that the data stream has not been tampered with since it was placed into the ZIP archive. However, these steps alone do not guarantee that a different party under the same root/CA chain did not perform the signing operation.

SecureZIP for z/OS provides an optional parameter in the AUTHCHK command to declare the specific party from whom the data is expected.
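The authentication checks described above (signature over the data, chain of trust to an installed root, expiry and revocation policy, and the expected signer), as an added model that is not SecureZIP's implementation. The toy RSA keys, certificate fields, names, dates and status strings are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import date

E = 65537  # public exponent shared by every toy key below

def toy_keypair(p, q):
    """Textbook RSA from two primes; toy-sized, for illustration only."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))  # (public, private)

def _hash(data, n):
    # SHA-1 is one of the signing hashes the page names (MD5, SHA-1).
    return int.from_bytes(hashlib.sha1(data).digest(), "big") % n

def sign(data, priv):
    n, d = priv
    return pow(_hash(data, n), d, n)

def verify(data, sig, pub):
    n, e = pub
    return pow(sig, e, n) == _hash(data, n)

@dataclass
class Cert:
    subject: str
    issuer: str
    pub: tuple
    not_before: date
    not_after: date
    serial: int
    sig: int = 0

    def tbs(self):  # bytes the issuer signs: every field except the signature
        return repr((self.subject, self.issuer, self.pub,
                     self.not_before, self.not_after, self.serial)).encode()

def issue(subject, pub, issuer, issuer_priv, serial):
    cert = Cert(subject, issuer, pub, date(2006, 1, 1), date(2007, 12, 31), serial)
    cert.sig = sign(cert.tbs(), issuer_priv)
    return cert

def authenticate(data, sig, signer, intermediates, roots, revoked, today,
                 expected=None):
    """Return OK, TAMPERED, EXPIRED, REVOKED, UNTRUSTED or WRONG_SIGNER."""
    if not verify(data, sig, signer.pub):
        return "TAMPERED"                  # data no longer matches the signed hash
    cert = signer
    for _ in range(8):                     # bounded walk: issuer loops cannot hang it
        if not cert.not_before <= today <= cert.not_after:
            return "EXPIRED"
        if cert.serial in revoked:
            return "REVOKED"
        if cert.subject == cert.issuer:    # self-signed: must be an installed root
            root = roots.get(cert.subject)
            if root is None or root.pub != cert.pub:
                return "UNTRUSTED"
            break
        issuer = intermediates.get(cert.issuer) or roots.get(cert.issuer)
        if issuer is None or not verify(cert.tbs(), cert.sig, issuer.pub):
            return "UNTRUSTED"
        cert = issuer
    else:
        return "UNTRUSTED"                 # chain too long or circular
    if expected is not None and signer.subject != expected:
        return "WRONG_SIGNER"              # trusted chain, but not the expected party
    return "OK"

def demo():
    m = lambda k: 2 ** k - 1               # Mersenne primes; reused across toy keys
    exps = {"root": (61, 89), "ca": (89, 107), "bob": (107, 127),
            "carol": (61, 127), "other": (61, 107), "dave": (89, 127)}
    pub, priv = {}, {}
    for name, (a, b) in exps.items():
        pub[name], priv[name] = toy_keypair(m(a), m(b))
    root = issue("Example Root CA", pub["root"], "Example Root CA", priv["root"], 1)
    ca = issue("Example Issuing CA", pub["ca"], "Example Root CA", priv["root"], 2)
    bob = issue("Bob", pub["bob"], "Example Issuing CA", priv["ca"], 3)
    carol = issue("Carol", pub["carol"], "Example Issuing CA", priv["ca"], 4)
    other = issue("Other Root", pub["other"], "Other Root", priv["other"], 5)
    dave = issue("Dave", pub["dave"], "Other Root", priv["other"], 6)
    roots = {root.subject: root}           # only this root is installed as trusted
    inter = {ca.subject: ca, other.subject: other}  # certificates carried with the archive
    data = b"PAYROLL RECORD 0001"          # constructed sample data
    day = date(2006, 6, 1)
    sigs = {n: sign(data, priv[n]) for n in ("bob", "carol", "dave")}
    check = lambda d, s, c, rev=(), t=day, exp=None: authenticate(
        d, s, c, inter, roots, set(rev), t, exp)
    return {
        "bob": check(data, sigs["bob"], bob, exp="Bob"),
        "altered": check(data + b"!", sigs["bob"], bob, exp="Bob"),
        "carol_unchecked": check(data, sigs["carol"], carol),
        "carol_expected_bob": check(data, sigs["carol"], carol, exp="Bob"),
        "revoked": check(data, sigs["bob"], bob, rev={3}),
        "expired": check(data, sigs["bob"], bob, t=date(2008, 1, 1)),
        "untrusted_root": check(data, sigs["dave"], dave),
    }
```

Carol's signature passes every chain check because she sits under the same CA as Bob; only the expected-signer comparison rejects it.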

Public-Key Infrastructure and Digital Certificates

Public-Key Infrastructure (PKI)

Use of digital certificates for encryption and digital signing relies on a combination of supporting elements known as a public-key infrastructure (PKI). These elements include software applications such as SecureZIP that work with certificates and keys as well as underlying technologies and services.

The heart of PKI is a mechanism by which two cryptographic keys associated with a piece of data called a certificate are used for encryption/decryption and for digital signing and authentication. The keys look like long character strings but represent very large numbers. One of the keys is private and must be kept secure so that only its owner can use it. The other is a public key that may be freely distributed for anyone to use to encrypt data intended for the owner of the certificate or to authenticate signatures.

How the Keys Are Used

With encryption/decryption, a copy of the public key is used to encrypt data such that only the possessor of the private key can decrypt it. Thus anyone with the public key can encrypt for a recipient, and only the targeted recipient has the key with which to decrypt.

With digital signing and authentication, the owner of the certificate uses the private key to sign data, and anyone with access to a copy of the certificate containing the public key can authenticate the signature and be assured that the signed data really proceeds unchanged from the signer.

Authentication has one additional step. As an assurance that the signer is who he says he is—that the certificate with Bob’s name on it is not fraudulent—the signer’s certificate itself is signed by an issuing certificate authority (CA). The CA in effect vouches that Bob is who he says he is. The CA signature is authenticated using the public key of the CA certificate used. This CA certificate too may be signed, but at some point the trust chain stops with a self-signed root CA certificate that is simply trusted. The PKI provides for these several layers of end-user public key certificates, intermediate CA certificates, and root certificates, as well as for users’ private keys.

X.509

X.509 is an International Telecommunication Union (ITU-T) standard for PKI. X.509 specifies, among other things, standard formats for public-key certificates. A public-key certificate consists of the public portion of an asymmetric cryptographic key (the public key), together with identity information, such as a person’s name, all signed by a certificate authority. The CA essentially guarantees that the public key belongs to the named entity.

Digital Certificates

A digital certificate is a special message that contains a public key and identity information about the owner, such as the owner’s name and perhaps email address. An ordinary, end-user digital certificate is digitally signed by the CA that issued it to warrant that the CA issued the certificate and has received satisfactory documentation that the owner of the certificate is who he says he is. This warrant, from a trusted CA, enables the certificate to be used to support digital signing and authentication, and encryption of data uniquely for the owner of a certificate.

For example, Web servers frequently use digital certificates to authenticate the server to a user and create an encrypted communications session to protect transmitted secret information such as Personal Identification Numbers (PINs) and passwords.

Similarly, an email message may be digitally signed, enabling the recipient of the message to authenticate its authorship and that it was not altered during transmission.

To use PKI technology in SecureZIP for z/OS for encryption and to attach digital signatures, you must have a digital certificate.

Certificate Authority (CA)

A certificate authority (CA) is a company (usually) that, for a fee, will issue a public-key certificate. The CA signs the certificate to warrant that the CA issued the certificate and has received satisfactory documentation that the owner of the new certificate is who he says he is.

Private Key

A digital certificate contains both private and public portions of an asymmetric cryptographic key together with identity information, such as a person's name and (possibly) email address. The private portion of the key is called the private key and is used to decrypt data encrypted with the associated public key and to attach digital signatures.

A private key must be accessible solely by the owner of the certificate because it represents that person and provides access to encrypted data intended only for the owner.

SecureZIP for z/OS uses a private key maintained in x.509 PKCS#12 format. This means that the private key cannot be accessed unless a password is entered for each SecureZIP request.

Public Key

A public key consists of the public portion of an asymmetric cryptographic key in a certificate that also contains identity information, such as the certificate owner’s name.

The public key is used to authenticate digital signatures created with the private key and to encrypt files for the owner of the key’s certificate.

For information on the digital enveloping process SecureZIP for z/OS uses for certificate-based encryption, see the Secure .ZIP Envelopes whitepaper at the PKWARE Web site.

Certificate Authority and Root Certificates

End entity certificates and their related keys are used for signing and authentication. They are created at the end of the trust hierarchy of certificate authorities. Each certificate is signed by its CA issuer and is identified in the “Issued By” field in the end certificate. In turn, a CA certificate can also be issued by a higher level CA. Such certificates are known as intermediate CA certificates. At the top of the issuing chain is a self-signed certificate known as the root.

SecureZIP for z/OS uses public-key certificates in PKCS#7 format. The intermediate CA certificates are maintained independently from the ROOT certificates.

Setting Up Stores for Digital Certificates on zOS

Requires SecureZIP

To use certificates for encryption/decryption or digital signing/authentication, SecureZIP needs to access the keys in the certificates.

Unlike Windows, zOS does not have a native facility for storing digital certificates and converting them into a form that SecureZIP can use. To address this, SecureZIP provides a utility program to set up and manage certificate stores on zOS for use with SecureZIP.

Setting Up the Certificate Stores

The PKWARE utility used to administer the local certificate store is accessed through an ISPF dialog. The CREATE option assists you in setting up the store and imports certificates you want SecureZIP to use. For detailed instructions on creating certificate stores on zOS, refer to the SecureZIP for z/OS System Administrator’s Guide.

The utility procedure maintains the stores listed in the following table.

| Store | Description |
|---|---|
| Public | A store for end-entity certificates used to identify encryption recipients or for authentication of digital signatures. Certificate files in this store contain only public keys; they do not contain private keys. SecureZIP for z/OS represents these certificates held in the local certificate store through the ISPF interface as “CER” entries. Other system types may refer to this store as “Other People” or “Address Book”. |
| Private | A store for end-entity certificate files with their respective private keys. Private keys are used to decrypt files or perform digital signing. SecureZIP for z/OS represents these certificates held in the local certificate store through the ISPF interface as “PFX” entries. (Private keys in this store are encrypted using PKCS#8 format and PKCS#5 version 2.) Other system types may refer to this store as “Personal” or “MY Store”. |
| Intermediate Certificate Authority | A store of issuing certificate files associated with the end-entity certificates. These certificates are used to authenticate the validity of an end-entity digital signature on a receiving system. They are also included in a SecureZIP archive when a signing operation is performed. Other system types may refer to this store as “CA”. |
| Trusted Root Certificate Authority | A store of issuing certificates that are classified as “self signed,” meaning that each one is at the top of a hierarchy of issuing CAs. These certificates are used to authenticate the validity of an end-entity digital signature on a receiving system. They are deemed to be “trusted” by virtue of their installation on an authenticating system. They are also included in a SecureZIP archive when a signing operation is performed. Other system types may refer to this store as “ROOT”. |

The local certificate store administrative utility sets up the certificate stores as physical files containing X.509 certificates, with a VSAM index structure providing search and selection capabilities.

A SecureZIP for z/OS “create” dialog is provided to lead a systems administrator through the steps needed to allocate and prime a new local certificate store. Sample test certificates are installed to each store type, making it ready for use. In addition, a configuration file is generated that should be made accessible to SecureZIP users for use in encryption, decryption, signing, and authentication requests. The configuration file may be included explicitly through an INCLUDE_CMD command, or implicitly by activating it through the PARMLIB configuration of the SecureZIP defaults module.

A set of high-level qualifiers is used to control the allocation of the physical store data sets and index components. This permits multiple distinct local certificate stores to be created, administered and accessed independently within a system. This is useful for segregating test from production, or other departmental separation. Data set protection may then be applied to various components to control update or read access as needed.

RACF ALTER authority (or equivalent) must be granted to the systems administrator responsible for creating a new certificate store. This authority is also required for creating backups, performing recovery operations, or performing some synchronization tasks which re-allocate components.

Updating the Certificate Stores

X.509 certificates may be added to the local certificate store through the SecureZIP local certificate store administration tool. These certificates are frequently obtained through another platform and transferred (binary) to the operational zOS system for installation.

Important: All X.509 certificates should be transferred to the local zOS environment in binary mode with no translation.

When certificates are added, the certificate administration tool determines the appropriate store location based on the certificate type specified and dynamically builds an index entry for future search and selection.

SecureZIP can import certificates and keys in the following file formats:

| Format | Description |
|---|---|
| PEM | Contains a single end-entity public-key certificate. It may be in Base-64 encoded (ASCII text with ASCII headers) or DER-encoded binary format. Common file extensions: .pem, .cer, .key |
| PKCS#12 | Contains a single end-entity private-key certificate (which also contains its public keys). By definition, it is in binary format. Common file extensions: .pfx, .p12 |
| PKCS#7 | Contains one or more CA (and/or Root) certificates. Common file extension: .p7b |

You must tell the certificate store administrative dialog what certificate file-type and key-type to import. The utility copies the existing certificates and keys from their specified location and adds them to the appropriate store locations. When transferring certificates to the zOS environment in preparation for an import to the local certificate store, be sure to allocate the file they are stored in as sequential, with a DCB RECFM of F, FB, V or VB.

RACF UPDATE authority (or equivalent) must be granted to the systems administrator responsible for altering the certificate store. This authority is also required when performing the on-line Synchronize function.
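A pre-import check for the transfer and file-type rules above, as an added example (not PKWARE code): it classifies a file as PEM, DER certificate, PKCS#7 or PKCS#12 from its leading ASN.1 structure and flags the signature of an ASCII-to-EBCDIC translated transfer or a truncated file. The function names, the constructed sample bytes, and the use of code page 037 for the translation check are assumptions for illustration; the classification is a heuristic on the outer structure only.

```python
"""Classify a certificate file before import and spot text-mode transfer damage."""

PKCS7_SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")  # 1.2.840.113549.1.7.2
PEM_MARKER = b"-----BEGIN "
EBCDIC = "cp037"  # assumed host code page for the translation check


def der_header(data, pos):
    """Parse one ASN.1 tag/length header; return (tag, length_or_None, content_pos)."""
    if len(data) < pos + 2:
        raise ValueError("truncated ASN.1 header")
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:                       # short form: one length octet
        return tag, first, pos + 2
    count = first & 0x7F                   # long form: 'count' length octets follow
    if count == 0:                         # BER indefinite length
        return tag, None, pos + 2
    if count > 4 or len(data) < pos + 2 + count:
        raise ValueError("bad ASN.1 length")
    return tag, int.from_bytes(data[pos + 2:pos + 2 + count], "big"), pos + 2 + count


def inspect_cert_file(data):
    """Return {'format': str, 'problems': [str, ...]} for a transferred file."""
    if not data:
        return {"format": "unknown", "problems": ["empty file"]}
    if data.lstrip().startswith(PEM_MARKER):
        return {"format": "PEM", "problems": []}
    if data.startswith(PEM_MARKER.decode("ascii").encode(EBCDIC)):
        return {"format": "PEM", "problems": ["PEM text was translated to EBCDIC"]}
    if data[0] == "0".encode(EBCDIC)[0]:   # ASCII 0x30 (SEQUENCE tag) became 0xF0
        return {"format": "unknown",
                "problems": ["leading 0x30 translated to EBCDIC 0xF0"]}
    if data[0] != 0x30:
        return {"format": "unknown", "problems": ["not PEM and not an ASN.1 SEQUENCE"]}
    try:
        _, length, body = der_header(data, 0)
        inner_tag, inner_len, inner_body = der_header(data, body)
    except ValueError as exc:
        return {"format": "unknown", "problems": [str(exc)]}

    problems = []
    if length is not None:                 # compare declared size with actual size
        extra = len(data) - (body + length)
        if extra < 0:
            problems.append(f"truncated by {-extra} bytes")
        elif extra > 0:
            problems.append(f"{extra} trailing bytes after the structure")

    if inner_tag == 0x30:                  # Certificate ::= SEQUENCE { tbsCertificate ...
        fmt = "DER certificate"
    elif data[body:body + len(PKCS7_SIGNED_DATA_OID)] == PKCS7_SIGNED_DATA_OID:
        fmt = "PKCS#7"                     # ContentInfo with signedData OID
    elif inner_tag == 0x02 and inner_len == 1 and data[inner_body:inner_body + 1] == b"\x03":
        fmt = "PKCS#12"                    # PFX ::= SEQUENCE { version INTEGER (3) ...
    else:
        fmt = "unknown"
    return {"format": fmt, "problems": problems}


def tlv(tag, content):
    """Encode one DER TLV (used only to build the constructed samples below)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content


# Constructed samples: correct outer structure, zero-filled contents.
SAMPLE_CERT = tlv(0x30, tlv(0x30, bytes(300)) + tlv(0x30, bytes(13)) + tlv(0x03, bytes(65)))
SAMPLE_P7B = tlv(0x30, PKCS7_SIGNED_DATA_OID + tlv(0xA0, tlv(0x30, bytes(40))))
SAMPLE_PFX = tlv(0x30, b"\x02\x01\x03" + tlv(0x30, bytes(40)))
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
# What a text-mode (translating) transfer does to the binary certificate.
TRANSLATED_CERT = SAMPLE_CERT.decode("latin-1").encode(EBCDIC)

if __name__ == "__main__":
    for name in ("SAMPLE_CERT", "SAMPLE_P7B", "SAMPLE_PFX", "SAMPLE_PEM", "TRANSLATED_CERT"):
        print(name, inspect_cert_file(globals()[name]))
```

Trailing bytes are reported rather than rejected because a file read back from a fixed-length record data set may carry padding after the structure; truncation and a translated leading byte always indicate a damaged transfer.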


Types of Encryption Algorithms

FIPS 46-3, Data Encryption Standard (DES)

The FIPS (Federal Information Processing Standards) specification 46-3 formerly specified the DES algorithm for use in Federal government applications. In 2004, the specification was changed such that DES is no longer approved for Federal government applications.

Triple DES Algorithm (3DES)

Triple DES is a more recent algorithm related to DES. Triple DES is a method for encrypting data in 64-bit blocks using three 56-bit keys by combining three successive invocations of the DES algorithm.

ANSI X9.52 specifies seven modes of operation for 3DES and three keying options: 1) the three keys may be identical (one key 3DES), 2) the first and third key may be the same but different from the second key (two key 3DES), or 3) all three keys may be different (three key 3DES). One key 3DES is equivalent to DES under the same key; therefore, one key 3DES, like DES, will not be approved after 2004. Two key 3DES provides more security than one key 3DES (or DES), and three key 3DES achieves the highest level of security for 3DES. NIST recommends the use of three different 56-bit keys in Triple DES for Federal Government sensitive/unclassified applications.

SecureZIP for z/OS uses three-key 3DES when Triple DES is selected as the data encryption algorithm.

Advanced Encryption Standard (AES)

The Advanced Encryption Standard (AES) encryption algorithm specified in FIPS 197 is the result of a multiyear, worldwide competition to develop a replacement algorithm for DES. The winning algorithm (originally known as Rijndael) was announced in 2000 and adopted in FIPS 197 in 2001.

The AES algorithm encrypts and decrypts data in 128-bit blocks, with three possible key sizes: 128, 192, or 256 bits. The nomenclature for the AES algorithm for the different key sizes is AES-x, where x is the size of the AES key. NIST considers all three AES key sizes adequate for Federal Government sensitive/unclassified applications.

Please see http://www.nist.gov/public_affairs/releases/g00-176.htm for a press release recapping NIST’s position.

SecureZIP for z/OS uses AES as the default encryption algorithm.

Comparison of the 3DES and AES Algorithms

Both the 3DES and AES algorithms are considered to be secure for the foreseeable future. Below are some points of comparison:

3DES builds on DES implementations and is readily available in many cryptographic products and protocols. The AES algorithm is new; although many implementers are quickly adding the algorithm to their products, and protocols are being modified to incorporate the algorithm, it may be several years before the AES algorithm is as pervasive as 3DES.

The AES algorithm was designed to provide better performance (e.g., faster speed) than 3DES.

Although the security of block cipher algorithms is difficult to quantify, the AES algorithm, at any of the key sizes, appears to provide greater security than 3DES. In particular, the best attack known against AES-128 is to try every possible 128-bit key (i.e., perform an exhaustive key search, also known as a brute force attack). By contrast, although three key 3DES has a 168-bit key, there is a “shortcut” attack on 3DES that is comparable, in the number of required operations, to performing an exhaustive key search on 112-bit keys. However, unlike exhaustive key search, this shortcut attack requires a lot of memory. Assuming that such shortcut attacks are not discovered for the AES algorithm, the use of the AES algorithm may be more appropriate for the protection of high-risk or long-term data.

The smallest AES key size is 128 bits; the recommended key size for 3DES is 168 bits. The smaller key size means that fewer resources are needed for the generation, exchange, and storage of key bits.

The AES block size is 128 bits; the 3DES block size is 64 bits. For some constrained environments, the smaller block size may be preferred; however, the larger AES block size is more suitable for cryptographic applications, especially those requiring data authentication on large amounts of data.

See http://www.nist.gov/public_affairs/releases/g00-176.htm for a press release describing NIST’s position on the two algorithms.

With a block cipher algorithm, the same plaintext block will always encrypt to the same ciphertext block whenever the same key is used. If the multiple blocks in a typical message were to be encrypted separately, an adversary could easily substitute individual blocks, possibly without detection. Furthermore, data patterns in the plaintext would be apparent in the ciphertext. Cryptographic modes of operation have been defined to alleviate these problems by combining the basic cryptographic algorithm with a feedback of the information derived from the cryptographic operation.

FIPS 81, DES Modes of Operation, defines four confidentiality (encryption) modes for the DES algorithm specified in FIPS 46-3: the Electronic Codebook (ECB) mode, the Cipher Block Chaining (CBC) mode, the Cipher Feedback (CFB) mode, and the Output Feedback (OFB) mode.

SecureZIP for z/OS uses Cipher Block Chaining for data encryption.

RC4

The RC4 algorithm is a stream cipher designed by Rivest for RSA Security. It is a variable key-size stream cipher with byte-oriented operations. The algorithm is based on the use of a random permutation. Analysis shows that the period of the cipher is overwhelmingly likely to be greater than 10^100. Eight to sixteen machine operations are required per output byte, and the cipher can be expected to run very quickly in software. Independent analysts have scrutinized the algorithm and it is considered secure.

RC4 is used for secure communications, as in the encryption of traffic to and from secure web sites using the SSL protocol.


Standard

PKZIP for z/OS provides support for password-based encryption and decryption using a 96-bit “Standard” encryption algorithm that is supported by older ZIP-compatible utilities. In addition, PKZIP for z/OS Enterprise Edition supports the decryption of all password-based algorithms provided in SecureZIP for z/OS.

Key Management

The proper management of cryptographic keys is essential to the effective use of cryptography for security. Keys are like the combination of a safe. If the combination becomes known to an adversary, the strongest safe provides no security against penetration. Similarly, poor key management can easily compromise strong algorithms. Ultimately, the security of information protected by cryptography directly depends on the strength of the keys, the effectiveness of mechanisms and protocols associated with keys, and the protection afforded the keys.

Cryptography can be rendered ineffective by the use of weak products, inappropriate algorithm pairing, poor physical security, and the use of weak protocols. All keys need to be protected against modification, and secret and private keys need to be protected against unauthorized disclosure. Key management provides the foundation for the secure generation, storage, distribution, and destruction of keys.

Further information is available on key management at the NIST Computer Security Resource Center web site, http://csrc.nist.gov/CryptoToolkit/tkkeymgmt.html

Passwords and PINS

FIPS 112, Password Usage, provides guidance on the generation and management of passwords used to authenticate the identity of a system user and, in some instances, to grant or deny access to private or shared data. This standard recognizes that passwords are widely used in computer systems and networks for these purposes, although passwords are not the only method of personal authentication, and the standard does not endorse the use of passwords as the best method.

The password used to encrypt a file with PKZIPz may be from 1 to 250 characters in length. Different passwords may be used for various files within a ZIP archive, although only one password may be specified per run.

The password is not stored in the ZIP archive and, as a result, care must be taken to keep passwords secure and accessible by some other source.

Recipient Based Encryption

Requires SecureZIP

Password-based encryption depends on both the sender and receiver knowing, and providing intellectual input (the password) in clear text. The password is used to derive a binary master session key for each decryption run. No key information is kept within the ZIP archive, therefore both parties must retain the password in an external location.

Recipient-based encryption provides a means by which the master session key (MSK) information can be hidden, protected, and carried within the ZIP archive. This is done by using a technique known as digital enveloping with public key encryption. The technique requires that the creating process have a copy of the recipient's public key digital certificate, which is used to protect and store the MSK. In addition, the receiving side must have a copy of the recipient's private key digital certificate. With these two pieces of information in place, there is no need for users to retain or recall a password for decryption.
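The digital-enveloping idea described above, as an added example that is not SecureZIP's implementation or archive format: a random master session key encrypts the data once and is then wrapped separately under each recipient's public key, so the archive carries the key material and no password is needed. The toy unpadded RSA keys built from small known primes, the SHA-256 keystream used as the data cipher, and all names are assumptions chosen so the example runs with the standard library; real products use full-size keys with padding.

```python
import hashlib
import os

MSK_BYTES = 16


def keystream_xor(key, data):
    """Stand-in data cipher: XOR with a SHA-256 counter keystream (its own inverse)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)


def make_keypair(p, q, e=65537):
    """Toy RSA key pair from two primes; returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}


def seal(plaintext, recipients, msk=None):
    """Encrypt once under a random MSK, then wrap the MSK for every recipient."""
    msk = msk if msk is not None else os.urandom(MSK_BYTES)
    m = int.from_bytes(msk, "big")
    wrapped = {name: pow(m, pub["e"], pub["n"]) for name, pub in recipients.items()}
    return {"recipients": wrapped, "data": keystream_xor(msk, plaintext)}


def open_envelope(archive, name, private):
    """Unwrap this recipient's copy of the MSK and decrypt the data."""
    if name not in archive["recipients"]:
        raise LookupError(f"no wrapped key for {name!r} in this archive")
    m = pow(archive["recipients"][name], private["d"], private["n"])
    if m >> (8 * MSK_BYTES):
        raise ValueError("unwrap failed: private key does not match")
    return keystream_xor(m.to_bytes(MSK_BYTES, "big"), archive["data"])


# Constructed toy keys (products of Mersenne primes; far too small for real use).
ALICE_PUB, ALICE_PRIV = make_keypair(2**127 - 1, 2**61 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**107 - 1, 2**89 - 1)

if __name__ == "__main__":
    archive = seal(b"constructed sample payload",
                   {"alice": ALICE_PUB, "bob": BOB_PUB})
    print(open_envelope(archive, "alice", ALICE_PRIV))
    print(open_envelope(archive, "bob", BOB_PRIV))
```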

Random Number Generation

Random numbers are used within many cryptographic applications, such as the generation of keys and other cryptographic values, the generation of digital signatures, and challenge response protocols. Some approved algorithms to produce random numbers have been specified in FIPS 186-2, Digital Signature Standard. An effort is in progress by the Financial Services Committee of ANSI to develop a random number generation standard.

Integrity of Public and Private Keys

Public and private keys must be managed properly to ensure their integrity. The key owner is responsible for protecting private keys. The private signature key must be kept under the sole control of the owner to prevent its misuse. The integrity of the public key, by contrast, is established through a digital certificate issued by a certification authority (CA) that cryptographically binds the individual’s identity to his or her public key. Binding the individual’s identity to the public key enables the key to be reliably used, for example, to authenticate signatures created with the corresponding private key.

A PKI includes the ability to recover from situations where an individual’s private signature key is lost, stolen, compromised, or destroyed. This is done by revoking the digital certificate that contains the private signature key’s corresponding public key (discussed further below). The user then creates or is issued a new public/private signature key pair and receives a new digital certificate for the new public key.

Data Encryption

SecureZIP for z/OS security functions include strong encryption tools using RSA BSAFE and IBM ICSF. SecureZIP for z/OS provides symmetric data encryption through these facilities using the RC4, DES, 3DES or AES algorithms.

RSA High-Quality Security - RSA Security submits its Crypto-C products for FIPS 140 testing and validation. FIPS 140-1 and FIPS 140-2 are U.S. Government standards which specify the security requirements to be satisfied by a cryptographic module. RSA Security supports this testing and certification with over 20 years of experience in the security industry.


IBM zOS Integrated Cryptographic Service Facility (ICSF) provides several callable services to access both hardware and software implementations of the DES, 3DES and AES algorithms.

SecureZIP for z/OS uses a multi-layer key generation process based on a user-specified password of up to 250 characters, and/or a user’s digital certificate, that creates a unique internal key for each file being processed. The same password will result in a different system-generated key for each file.

SecureZIP for z/OS also implements the use of cipher block chaining (CBC) to further enhance industry standard encryption algorithms. This feature ensures that each block of data is uniquely modified, further protecting the data from fraudulent access.

SecureZIP for z/OS encryption is activated through the use of the PASSWORD and/or RECIPIENT commands. If a value is present for either setting, whether through commands or default settings, then encryption will be attempted in accordance with other settings (for example, ENCRYPTION_METHOD). However, if ENCRYPTION_METHOD=NONE is specified, then encryption will be bypassed.


2 Installation, Licensing, and Configuration

Installation Overview

The installation of PKZIP/SecureZIP for z/OS is accomplished by following the steps summarized below:

Select the media to be used in installing PKZIPz.

Install from downloaded file, CD or tape.

Review the README.TXT file for recent information updates.

Evaluate system requirements.

Edit the supplied job control (JCL) with appropriate parameter changes for your data center.

Review the present chapter on installation, license, and configuration in this manual and proceed accordingly.

Run the installation verification jobs and test product features by modifying the sample JCL supplied in PKWARE.MVS.INSTLIB.

Begin using the product.

Details of these summarized instructions may be found below.

Type of Media Distribution for Installation

PKZIPz may be received and installed from a variety of media types:

Downloaded from the PKWARE web site http://www.pkware.com/downloads

Received from PKWARE on compact disc (CD).

Received from PKWARE on magnetic cartridge.


Installation from Downloaded File or CD

Non-SMP/E Installation

If you have downloaded PKZIP for z/OS or SecureZIP for z/OS from PKWARE’s Web site, ftp site, or have received the product on CD, then the file you need to start with is the self-extracting zip file called PKzSeries.exe (PKZIP), SZzSeries.exe (SecureZIP) or PLzSeries.exe (SecureZIP Partner). The self-extracting file contains the binary XMIT files needed for installation along with various other supporting text and documentation.

The files extracted include:

Documentation (distributed in Adobe® Acrobat® .PDF format)

PKZIP and SecureZIP for z/OS SYSTEM ADMINISTRATOR’S GUIDE.PDF

PKZIP and SecureZIP for z/OS MESSAGES AND CODES.PDF

PKZIP and SecureZIP for z/OS USER'S GUIDE.PDF

Text Files

GLOBAL CONTACTS.TXT A list of domestic and international resellers

LICENSE.TXT PKWARE's license agreement

README.TXT Installation and Configuration

ALLOC.JCL Allocation JCL (IEFBR14)

RECEIVE.JCL Receive the transmitted files

WHATSNEW.TXT A text file documenting product changes


Product Binaries

| PKZIP Data Set | SecureZIP Data Set | PartnerLink Data Set | Distribution Library |
|---|---|---|---|
| PKZIP.XMIT.CEXEC | SECZIP.XMIT.CEXEC | PLINK.XMIT.CEXEC | Compiled REXX Library |
| PKZIP.XMIT.HELP | SECZIP.XMIT.HELP | PLINK.XMIT.HELP | Help Library |
| PKZIP.XMIT.INSTLIB | SECZIP.XMIT.INSTLIB | PLINK.XMIT.INSTLIB | Install Library |
| PKZIP.XMIT.INSTLIB2 | SECZIP.XMIT.INSTLIB2 | PLINK.XMIT.INSTLIB2 | Install Library 2 |
| PKZIP.XMIT.LOAD | SECZIP.XMIT.LOAD | PLINK.XMIT.LOAD | Common Load Module |
| PKZIP.XMIT.MACLIB | SECZIP.XMIT.MACLIB | PLINK.XMIT.MACLIB | Macro Library |
| PKZIP.XMIT.SPKZCLIB | SECZIP.XMIT.SPKZCLIB | PLINK.XMIT.SPKZCLIB | REXX Exec Library |
| PKZIP.XMIT.SPKZMLIB | SECZIP.XMIT.SPKZMLIB | PLINK.XMIT.SPKZMLIB | Message Library |
| PKZIP.XMIT.SPKZPLIB | SECZIP.XMIT.SPKZPLIB | PLINK.XMIT.SPKZPLIB | Panel Library |
| PKZIP.XMIT.SPKZSLIB | SECZIP.XMIT.SPKZSLIB | PLINK.XMIT.SPKZSLIB | Skeleton Library |
| PKZIP.XMIT.SPKZTLIB | SECZIP.XMIT.SPKZTLIB | PLINK.XMIT.SPKZTLIB | Table Library |

You should review the installation instructions found below if you are installing from download or CD. If the software was received on magnetic cartridge, please see “Installing from Tape”, below, for the installation JCL, or download the JCL from our Web site. In either case, follow the instructions applicable to your installation method before continuing through this document.

You should have downloaded or copied a file on your PC called PKzSeries.exe (PKZIP), SZzSeries.exe (SecureZIP) or PLzSeries.exe (PartnerLink). This is a self-extracting ZIP file. Once you double-click on the file, the files, by default, will extract a total of twenty (20) files to a pre-defined folder on your PC.

Below are the step-by-step non-SMP/E installation instructions.

I. TRANSFERRING THE TEXT FILES TO THE HOST

1. Transfer the text file "ALLOC.JCL" to the host. You may transfer the file into an existing PDS, or you may use the allocation in step 2 below:

o Convert the data from ASCII to EBCDIC

o Insert CR/LF's

2. A suitable allocation for "ALLOC.JCL" is as follows:

    SPACE UNITS: BLKS
    BLKS: 5 (PRI) 1 (SEC)
    DIRBLKS: 0
    RECFM: FB
    LRECL: 80
    BLKSIZE: 3120
    DSORG: PS

3. Follow the same procedure for the "RECEIVE.JCL" provided file.


II. RUNNING THE ALLOC JCL

The “ALLOC” job contains JCL that will perform an IEFBR14 for the eleven (11) binary dataset allocations. You will need to edit the ALLOC JCL with the appropriate variables in order to achieve a RC=00.

1. Before you submit the ALLOC JCL (ALLOC.JCL), you will need to supply a job card. You will also need to modify the job variables. As an example:

    //CEXEC    DD DSN={pkware}.XMIT.CEXEC,DISP=(NEW,CATLG),
    //            UNIT={sysda},VOL=SER={pkware1},SPACE=(CYL,(2,2)),
    //            DCB=(RECFM=FB,LRECL=80,BLKSIZE=3120)

2. {pkware} is the name of the pre-allocated dataset that is being created by this job. These are the target datasets that you transfer the binary files into.

3. {sysda} is the unit where PKZIPz files will reside.

4. {pkware1} is the volume where the PKZIPz files reside.

5. Submit the job, and review and correct any non-zero return codes.

6. Your eleven (11) target datasets have successfully been allocated.

III. TRANSFERRING THE BINARY FILES TO THE HOST

Before you transfer the files to the host, it is imperative that you do not perform any kind of translation of the data from ASCII to EBCDIC or append CR/LF's. If you do, your uploaded datasets will be corrupted.

1. Transfer the binary files (PKWARE.XMIT.*) from your PC into the target datasets that you created in Step II:

o Do not translate the data

o Do not insert CR/LF's

2. Be sure to transfer all eleven binaries, and then move onto the next step.

IV. RUNNING THE RECEIVE JCL

The “RECEIVE” job contains JCL that will perform an IKJEFT01 for the eleven binary datasets. You will need to edit the RECEIVE JCL with the appropriate variables in order to achieve a RC=00.

1. Before you submit the RECEIVE JCL, you will need to supply a job card. You will also need to modify the job variables. As an example:

RECEIVE INDSN('{dsnhlq}.XMIT.CEXEC') DSNAME('{dsnhlq}.CEXEC')

2. INDSN {dsnhlq} is the high-level qualifier of the XMIT'd dataset you transferred from the PC to the host.

3. DSNAME {dsnhlq} is the DSN that gets created by this job. It’s what you want to call the installed PKZIPz product libraries.

4. Submit the job, and review and correct any non-zero return codes.

5. Your eleven binary datasets have successfully been converted to a trial-ready version of PKZIPz.


V. Licensing PKZIP/SecureZIP for z/OS

Please refer to “Initializing the License,” later in this chapter, for information and instructions on how to license your copy of PKZIPz.

This ends the installation of PKZIPz if you are installing from PKzSeries.exe or SZzSeries.exe. If you are performing a SMP/E installation or installing from a tape cartridge, then continue on to the next section.

SMP/E Installation

The installation and software management of PKZIPz can also be accomplished with SMP/E. Although the product requires no operating system modifications or authorized routines, the ability to manage the software is enhanced using IBM’s SMP/E facilities.

The PKzSeriessmp.exe (PKZIP), SZzSeriessmp.exe (SecureZIP), or PLzSeriessmp.exe (PartnerLink) file contains the binary XMIT files needed for installation, along with text files, a README.TXT, and other files that have sample JCL to process the files for implementation. The files are listed in the following tables.

Documentation (distributed in Adobe® Acrobat® .PDF format)

PKZIP and SecureZIP for z/OS SYSTEM ADMINISTRATOR’S GUIDE.PDF

PKZIP and SecureZIP for z/OS MESSAGES AND CODES.PDF

PKZIP and SecureZIP for z/OS USER'S GUIDE.PDF

Text Files

GLOBAL CONTACTS.TXT A list of domestic and international resellers

LICENSE.TXT PKWARE's license agreement

README.TXT Installation and Configuration

RECEIVE.JCL Receive the transmitted files

ALLOC.JCL Allocation JCL (IEFBR14)

SMPALCSI.TXT This job allocates the VSAM files needed to build a new SMP/E environment. If PKZIPz is being installed in an existing SMP/E CSI, this job will not be needed.

SMPALPDS.TXT This job allocates the Partitioned Data Set files needed to build an SMP/E environment.

SMPAPPLY.TXT This job applies the elements of the FUNCTION PKZIP82. A return code of four (RC=4) is expected in the listings from IEBCOPY for z/OS load modules.

SMPRECV.TXT This job receives the FUNCTION PKZIP82. All of the ++ MCS elements are in the input file PKWARE.MVS.SMP.MCS.

SMPUCLIN.TXT This job updates the SMP/E CSI environment to prepare for the install of PKZIPz.

WHATSNEW.TXT A text file documenting product changes


Product Binaries

| PKZIP Data Set | SecureZIP Data Set | PartnerLink Data Set | Distribution Library |
|---|---|---|---|
| PKZIP.XMIT.SMP.DCEXE | SECZIP.XMIT.SMP.DCEXE | PLINK.XMIT.SMP.DCEXE | Compiled REXX Library |
| PKZIP.XMIT.SMP.DHELP | SECZIP.XMIT.SMP.DHELP | PLINK.XMIT.SMP.DHELP | Help Library |
| PKZIP.XMIT.SMP.DINST | SECZIP.XMIT.SMP.DINST | PLINK.XMIT.SMP.DINST | Install Library |
| PKZIP.XMIT.SMP.DINST2 | SECZIP.XMIT.SMP.DINST2 | PLINK.XMIT.SMP.DINST2 | Install Library 2 |
| PKZIP.XMIT.SMP.DLOAD | SECZIP.XMIT.SMP.DLOAD | PLINK.XMIT.SMP.DLOAD | Common Load Module |
| PKZIP.XMIT.SMP.DMACL | SECZIP.XMIT.SMP.DMACL | PLINK.XMIT.SMP.DMACL | Macro Library |
| PKZIP.XMIT.SMP.DCLIB | SECZIP.XMIT.SMP.DCLIB | PLINK.XMIT.SMP.DCLIB | REXX Exec Library |
| PKZIP.XMIT.SMP.DMLIB | SECZIP.XMIT.SMP.DMLIB | PLINK.XMIT.SMP.DMLIB | Message Library |
| PKZIP.XMIT.SMP.DPLIB | SECZIP.XMIT.SMP.DPLIB | PLINK.XMIT.SMP.DPLIB | Panel Library |
| PKZIP.XMIT.SMP.DSLIB | SECZIP.XMIT.SMP.DSLIB | PLINK.XMIT.SMP.DSLIB | Skeleton Library |
| PKZIP.XMIT.SMP.DTLIB | SECZIP.XMIT.SMP.DTLIB | PLINK.XMIT.SMP.DTLIB | Table Library |
| PKZIP.XMIT.SMP.MCS | SECZIP.XMIT.SMP.MCS | PLINK.XMIT.SMP.MCS | SMP MCS Control Cards |

You should have downloaded or copied a file on your PC called PKzSeriessmp.exe (PKZIP), SZzSeriessmp.exe (SecureZIP), or PLzSeriessmp.exe (PartnerLink). These are self-extracting ZIP files. When you double-click on the file, a total of twenty-six (26) files will extract to a pre-defined folder on your PC. Below are step-by-step SMP/E installation instructions. Please note that an understanding of SMP/E is recommended prior to using this approach.

I. TRANSFERRING THE TEXT FILES TO THE HOST

1. Transfer the text file "ALLOC.JCL" to the host. You may transfer the file into an existing PDS or you may use the allocation in step "2" below:

o Convert the data from ASCII to EBCDIC

o Insert CR/LF's

2. A suitable allocation for "ALLOC.JCL" is as follows:

    SPACE UNITS: BLKS
    BLKS: 5 (PRI) 1 (SEC)
    DIRBLKS: 0
    RECFM: FB
    LRECL: 80
    BLKSIZE: 3120
    DSORG: PS

3. Follow the same procedure for the "RECEIVE.JCL" provided file.


II. RUNNING THE ALLOC JCL

The “ALLOC” job contains JCL that will perform an IEFBR14 for the twelve binary dataset allocations. You will need to edit the ALLOC JCL with the appropriate variables in order to achieve a RC=00.

1. Before you submit the ALLOC JCL (ALLOC.JCL), you will need to supply a job card. You will also need to modify the job variables. As an example:

    //CEXEC    DD DSN={pkware}.XMIT.SMP.DCEXE,DISP=(NEW,CATLG),
    //            UNIT={sysda},VOL=SER={pkware1},SPACE=(CYL,(2,2)),
    //            DCB=(RECFM=FB,LRECL=80,BLKSIZE=3120)

2. {pkware} is the name of the preallocated dataset that is being created by this job. These are the target datasets that you transfer the binary files into.

3. {sysda} is the unit where PKZIPz files will reside.

4. {pkware1} is the volume where the PKZIPz files reside.

5. Submit the job, and review and correct any non-zero return codes.

6. Your twelve target datasets have successfully been allocated.

III. TRANSFERRING THE BINARY FILES TO THE HOST

Before you transfer the files to the host, it is imperative that you do not perform any kind of translation of the data from ASCII to EBCDIC or append CR/LF's. If you do, your uploaded datasets will be corrupted.

1. Transfer the binary files (PKWARE.XMIT.*) from your PC into the target datasets that you created in step IV.

o Do not translate the data

o Do not insert CR/LF's

2. Be sure to transfer all twelve binaries, and then move onto the next step.

IV. RUNNING THE RECEIVE JCL

The "RECEIVE" job contains JCL that will perform an IKJEFT01 for the twelve binary datasets. You need to edit the RECEIVE JCL with the appropriate variables in order to achieve a RC=00.

1. Before you submit the RECEIVE JCL, you will need to supply a job card. You will also need to modify the job variables. As an example:

RECEIVE INDSN('{dsnhlq}.XMIT.SMP.DCEXE') DSNAME('{dsnhlq}.SMP.DCEXE')

2. INDSN {dsnhlq} is the high level qualifier of the XMIT'd dataset you transferred from the PC to the host.

3. DSNAME {dsnhlq} is the DSN that gets created by this job.

4. Submit the job, and review and correct any non-zero return codes.

5. Your twelve binary datasets have successfully been converted to a distribution package for the SMP installation.


V. SMP/E INSTALLATION

The installation and software management of PKZIPz can be accomplished with SMP/E. Although the product requires no operating system modifications or authorized routines, the ability to manage the software is enhanced using IBM’s SMP/E facilities.

The file PKWARE.MVS.SMP.MCS is the SMPPTFIN DD file for the RECEIVE processing. This file contains all of the control information to build the PKZIPz environment. After running the RECEIVE JCL, all of the necessary files that you need to start the SMP process have been allocated on your system. The five included jobs (SMP*.JCL files) allocate, define, and build PKZIPz and must be run in the following sequence:

1. SMPALPDS.JCL

2. SMPALCSI.JCL

3. SMPUCLIN.JCL

4. SMPRECV.JCL

5. SMPAPPLY.JCL

Please note that user-specific customization may be required if you choose to install PKZIPz in an existing SMP/E CSI. Consideration has been given to this possibility, but it is up to each individual site to verify that there are no problems with duplicate DDDEF, library structures, or utility definitions that may prevent these job streams from completing successfully.

VI. Licensing PKZIPz

Please refer to the section “Tailoring Site-Specific Changes to the Defaults Module,” below, for required information and procedures to properly license your copy of PKZIPz.

This ends the SMP/E installation of PKZIPz. If you are installing from a tape cartridge, then continue on to the next section.

Installing from Tape

If you have received PKZIPz on a magnetic cartridge, the installation is as simple as an IEBCOPY of the PKZIPz libraries from tape to DASD.

The screen below shows the first step of the IEBCOPY, one of the steps needed to complete the installation of PKZIPz from tape.


//JS010    EXEC PGM=IEBCOPY
//*
//SYSUT1   DD DSN=PKWARE.MVS.CEXEC,
//            UNIT=tape,LABEL=(,SL),                       <===
//            DISP=OLD,VOL=(,RETAIN,,,SER=seczip1)         <===
//*
//SYSUT2   DD DSN=pkware.mvs.CEXEC,                        <===
//            DISP=(NEW,CATLG,DELETE),
//            SPACE=(CYL,(2,1,52)),
//            UNIT=disk,                                   <===
//            VOL=SER=volume                               <===
//*
//SYSUT3   DD UNIT=sysda,SPACE=(CYL,(5,5))                 <===
//SYSUT4   DD UNIT=sysda,SPACE=(CYL,(5,5))                 <===
//*
//SYSPRINT DD SYSOUT=*
//*
//SYSIN    DD *
  COPY INDD=SYSUT1,OUTDD=SYSUT2
/*

If you prefer not to type this entire job stream, you may download the COPYCART.TXT JCL from our website and upload it to a data set or member. Remember to perform an ASCII or TEXT transfer to convert the data from ASCII to EBCDIC, modify the JCL, and submit.

Tailoring Site-Specific Changes to the Defaults Module

The configuration defaults module, *.MVS.LOAD(ACZDFLT), is provided with the product. It is coded to allow for execution in a generic MVS environment. However, to make changes to the defaults, you will need to modify the *.MVS.INSTLIB(ACZDFLT) module. YOU MUST MODIFY THIS MODULE BEFORE YOU PROCEED TO USE PKZIPz. It is recommended that the values defined in the module be reviewed before running in a production setting.

Upgrade note: Installations suppressing the //SYSIN PDS member verification for performance reasons with PROC_OPT1=N (available with 5.0.10 maintenance and above) in ACZDFLT should change to CHECK_SYSIN_MEMBER=N in the assembly of ACZDFLT. PROC_OPT1 will no longer be used for this purpose in Release 5.5 and above.

MCZDFLTS TYPE=CSECT,                            *
         LICENSE_HLQ=PKWARE.MVS,                *   == Change this to reflect your installation
         ACTIVITY_LOG=PKWARE.ACTIVITY.LOG,      *   == Change this to reflect your installation
         PARMLIB_DSNAME_ZIP=NULLFILE            *
         PARMLIB_DSNAME_UNZIP=NULLFILE,         *

Once you have, at minimum, modified the LICENSE_HLQ statement to reflect your installation, you will need to assemble these changes via the ASMDFLT member in the *.MVS.INSTLIB to assist in creating a customized defaults module.

You may modify the other values in this module, or you may add to it. At minimum, the above three lines need to be modified or validated.

The table below represents the contents of the PKZIPz defaults module. This table explains, in brief, the default parameters of the ACZDFLT member and their relevance.


Parameter(s): LICENSE_HLQ
Description: The high-level qualifiers of the xxx.LICENSE dataset. LICENSE_HLQ= is generally set to the same qualifier used during installation of PKZIPz. The default qualifier is PKWARE.MVS. See also: $INSTLIC and LICxxxx members.

Parameter(s): ARCHIVE_UNIT, OUTFILE_UNIT, TEMP_UNIT
Description: Device types to use during dynamic allocation requests for non-VSAM files.

Parameter(s): ARCHIVE_STORCLASS, OUTFILE_STORCLASS, TEMP_STORCLASS, VSAM_STORCLASS
Description: In a DF/SMS environment, dynamic allocation information in lieu of volume allocation specifications.

Parameter(s): ARCHIVE_VOLUMES, OUTFILE_VOLUMES, TEMP_VOLUMES, VSAM_VOLUMES
Description: Dynamic allocation target volumes for non-DF/SMS datasets. These are optional for non-VSAM datasets but are required for VSAM DEFINE CLUSTER control cards.

Protecting Files with the SAFETYEX Module

As delivered, the SAFETYEX module will protect SECUNZIP from overwriting SYS1. dataset names. If you would like to remove this restriction or add additional restrictions, you will need to edit the SAFETYEX source member in *.MVS.INSTLIB, make and save your changes, and run the ASMSAFE member of the *.MVS.INSTLIB to protect any files you specify from UNZIP overwrite processing.

If you do not want to make any changes to this module, then there is nothing that you need to do.

Tailoring for Filename and Data Character Set Conversions

PKZIPz provides cross-platform character set conversion capabilities. This affects both the data stream (such as converting EBCDIC to ASCII to represent text data on a workstation) and the file names shown in the ZIP archive.

The character translation controls use assembled control tables. These are referenced by the settings for TRANSLATE_TABLE_DATA and TRANSLATE_TABLE_FILEINFO, as described in the User’s Guide. You should confirm that the default translation tables are appropriate for the intended cross-platform processing environment(s).

When a different default translation table for either aspect of processing is required (the settings may also be specified with commands), the respective setting can be modified in the defaults module and re-assembled, or additional defaults modules can be assembled for selection by the user.


When code page translation requirements exist that are not covered by those tables provided with PKZIPz, additional tables can be created. INSTLIB contains sample JCL members MAKETRT and ASMTRTS to complete this process. See the appendix “Making Code Page Translate Tables” in the User’s Guide for more information.

SMS Dataclass Considerations

PKZIPz parameters overlap with several SMS Data Class parameters. In general, SMS Data Class specifications will provide default values in place of PKZIPz default settings. Explicit PKZIPz commands (SYSIN, PARMLIB, included command streams and EXEC PARM values) will be presented to Dynamic Allocation as overrides for any default setting.

Due to the way DFSMS handles override requests, sub-groups of parameters are defined in SecureZIP to assist with control of where default values should come from. These subgroups are:

Allocation SPACE

Directory Blocks

Volume Count

DCB Attributes

Output archive block size extensions

DFSMS Data Classes may or may not contain values for all of the attribute sets above. PKZIPz provides a means of identifying which sets of attributes should be expected to be handled by SMS Data Classes so that PKZIPz does not specify its own default values. (DFSMS receives control after PKZIPz has built its list and does not provide a means by which PKZIPz can systematically pre-determine which values will be provided by SMS).

DFSMS groups allocation type (Cylinders, Tracks, etc.), primary space, and secondary space into a category. If even one of these values is provided in an allocation request, then SMS will not provide its default values for the remaining entries. For example, if ARCHIVE_SPACE_PRIMARY is provided as a command, then PKZIPz needs to supply the TYPE and SECONDARY default values even if a DATACLASS is specified.

DFSMS treats the Directory Block allocation value separately from other space parameters. In the previous example, SecureZIP will not provide its default ARCHIVE_DIRBLKS value even though it provides the other allocation attributes. This is consistent with SMS Data Class operations.

PKZIPz makes use of temporary files during various phases of processing that have very specific DCB attribute requirements. For this reason, PKZIPz will specify the necessary overrides regardless of TEMPFILE_DATACLASS usage.

Output archive block size control extensions are provided with PKZIPz to work in conjunction with existing system controls, for both LBI (Large Block Interface) and non-LBI processing. Configurable default settings for ARCHIVE_BLKSIZE and ARCHIVE_ZIPFORMAT should be reviewed for applicability. Details regarding block size selection are documented in the User’s Guide under the ARCHIVE_BLKSIZE command. LBI processing has a specific tie to the DFSMS Dataclass Block Size Limit (BLKSZLIM).


Note for users of PKZIP for MVS and PKZIP for zSeries 5.6

Previous levels of maintenance for release 5.6 specified a volume count even if it was 1. The maintenance level associated with fix TT1777 eliminated VOLCNT=1 from the allocation request. In addition, the maximum number specified for any of the MULTIVOL=Y commands is now 59 to be consistent with system limitations for DASD devices. If a unit type other than DASD is assigned (either explicitly or indirectly through SMS), and a volume count greater than 59 is desired, then MULTIVOL=N should be specified in PKZIP, and an SMS Data Class should be designated which can assign the desired volume count.

Considerations when Exporting Private Keys using RACDCERT

If X.509 certificate information is to be obtained through RACDCERT for subsequent import processing to the SecureZIP Local Certificate Store, then PTF UW94302 associated with APAR OW56418 must be installed prior to the RACDCERT EXPORT action. (OW56418: RACDCERT EXPORT CREATING PKCS#12 PACKAGES THAT DO NOT CONFORM TO ASN.1 STANDARD THEREFORE CANNOT BE IMPORTED.)

Evaluation Activity Log

During your evaluation period of PKZIP/SecureZIP for z/OS, a PKWARE sales support associate will contact you and request the PKACTLOG “Analyze” command be executed, at which point we ask that you relay the information to us so that we may fully understand your usage of the PKZIPz product. When a demonstration license key is active for the product, certain activities are written to a pre-allocated sequential data set specified by this setting.

The following is the sequence of events necessary to initiate the Evaluation Activity Log.

1. First, before applying your demo license key for PKZIP/SecureZIP for z/OS, an ACTIVITY_LOG data set must be pre-allocated using the PKACTLOG dialog command (shown in screen samples below).

2. Next, modify the ACZDFLT member, specifying the ACTIVITY_LOG= target data set name. Once the ACZDFLT member has been modified, you must re-assemble the defaults by submitting the ASMDFLT member under the INSTLIB. The ACTIVITY_LOG command is specified in the defaults module only.

3. Finally, after the defaults are modified, apply the demo license key you have received from PKWARE to the license data set before attempting to use other PKACTLOG options.

Please note: Users of PKZIP/SecureZIP must be given update authority to the log data set within the installation security software. A failure to write to the log data set will cause PKZIP/SecureZIP to terminate without completing the requested operation. Messages will be issued to indicate the reason for the termination.

Concurrent PKZIP/SecureZIP operations are permitted while the ACTIVITY_LOG feature is active. However, the log data set will be serialized through normal operating system ENQ/DEQ actions associated with Data Set Allocation. The data set is only allocated by PKZIP/SecureZIP when brief write operations are required. It is released during long-running processes such as compression and encryption.


When a permanent license key is applied, PKZIP/SecureZIP will cease to allocate and write to the ACTIVITY_LOG Data Set. At this time, the ACTIVITY_LOG data set may be migrated/deleted from the system, and the ACTIVITY_LOG= setting in ACZDFLT may be removed. These actions are discretionary to the installation and are not required for PKZIP/SecureZIP operation.

The PKACTLOG ISPF dialog command is accessible from the main PKZIP/SecureZIP User Interface panel although the command is not listed on the menu.

Activity Log Setup and Configuration

If you do not use the high-level qualifier PKWARE.MVS, you must change module ACZDFLT supplied in INSTLIB to define the License high-level qualifier and the ACTIVITY LOG data set name.

Once ACZDFLT is set up, enter the command PKACTLOG on the product's main panel.

SecureZIP Version 9.0
Option ===>
C   Config          Modify Run-time Configuration Settings
ZD  Zip Defaults    Modify Default ZIP Command Settings
UD  Unzip Defaults  Modify Default UNZIP Command Settings
U   Unzip           Decompress, Decrypt, Authenticate File(s) in an Archive
V   View            Display the Contents of a Zip Archive
Z   Zip             Compress, Encrypt, Sign File(s) into a Zip Archive
S   Sysprint        Browse Log of Last Foreground Execution
M   Messages        Message ID lookup
A   Administration  Administration Services and Reference Information
For HELP Press PF1
Release Date: 06/26/2006 07.22 LVL(0)

SecureZIP Version 9.0
Option ===>
Evaluation Activity Log Options
Log Dataset: PKWARE.ACTIVITY.LOG
C   Config    Modify Evaluation Activity Log Settings
A   Analyze   Analyze Evaluation Activity Log
B   Browse    Browse Evaluation Activity Log file
X   EXIT
********************************************************************************
*                                                                              *
* This panel will be disabled when a permanent license is applied.             *
*                                                                              *
********************************************************************************
For HELP Press PF1


Configuration Option

Select option 'C' to execute the Activity Log Configuration and allocate the data set whose name you placed in ACZDFLT.

-----------------------ALLOCATE EVALUATION ACTIVITY LOG-----------------------
Command ===>
Data Set Name . . . : 'PKWARE.ACTIVITY.LOG'
Management class . . . SUPPORT     (Blank for default management class)
Storage class  . . . . SUPPORT     (Blank for default storage class)
Volume serial  . . . . SUP004      (Blank for system default volume) **
Device type  . . . . .             (Generic unit or device address) **
Data class . . . . . . **NONE**    (Blank for default data class)
Space units  . . . . . CYLS        (BLKS, TRKS, CYLS, KB, MB)
Primary quantity . .   50          (In above units)
Secondary quantity     20          (In above units)
Directory blocks . .               (Zero for sequential data set) *
Record format  . . . . VB
Record length  . . . . 27994
Block size . . . . .   27998       (Zero for SMS default)

Analysis Option

Select option ‘A’ to initiate the “Analyze” routine which reads the Activity Log and presents a summation of all activities.

PKZIP Version 9.0
Command ===>
Activity Log Summary
Log Dataset: PKWARE.ACTIVITY.LOG
Invocation Summary             File Compression Summary
 ZIP Calls     :  2037          Total Number of Files     : 27843
  Add . . . .  :   374          Total Input Size  . . .   : 21.036GB
  Update . . . :  1644          Total Compressed Size . . : 6.108GB
  Freshen. . . :    19          Compression Ratio . . . . : 70.9
  Copy . . . . :     4          Number Files > 4 Gig. . . : 3
  Delete . . . :     6         Number of Files by Type
 UNZIP Calls   :  3370          Sequential . . . . . . .  : 4767
  View . . . . :  1627          Partitioned members . .   : 23046
  Test . . . . :   171          VSAM . . . . . . . . . .  : 30
  Extract. . . :  1562         Number of Files by Data Type
Mode of Operation               Binary . . . . . . . . .  : 11081
  Batch. . . . :  4167          Text . . . . . . . . . .  : 16762
  ISPF . . . . :    14
  Applic. Call :  1152         Archive Type Summary
                                PKZIP Format . . . . . .  : 2006
                                GZIP Format  . . . . . .  : 31

Browse Option

Selecting option ‘B’ uses ISPF Browse to look at the raw Activity Log data. Character fields will be visible in normal browse mode. Some fields are stored in binary and will only be visible in HEX mode.

CAUTION: During Browse, the Activity Log file is allocated DISP=SHR and will cause batch jobs to wait for DISP=MOD access to the file.


Menu Utilities Compilers Help
-----------------------------------------------------------------------------------------------------------------------------------
BROWSE PKWARE.ACTIVITY.LOG Line 00000000 Col 001 132
Command ===> Scroll ===> CSR
*********************************************************** Top of Data ************************************************************
OPENDVPGNL010105201F09582107BAZSZIP.IVP.ASM.FIRST .....................
FILEDVPGNL010105201F09584188BAZSZIP.IVP.ASM.FIRST SZIP.IVP.IN.ASM($LCGL
FILEDVPGNL010105201F09584188BAZSZIP.IVP.ASM.FIRST SZIP.IVP.IN.ASM($COPY
FILEDVPGNL010105201F09584188BAZSZIP.IVP.ASM.FIRST SZIP.IVP.IN.ASM($QZGL
FILEDVPGNL010105201F09584188BAZSZIP.IVP.ASM.FIRST SZIP.IVP.IN.ASM(ACAMN
FILEDVPGNL010105201F09584188BAZSZIP.IVP.ASM.FIRST SZIP.IVP.IN.ASM(ACAMH

Licensing Requirements

PKZIP for z/OS, SecureZIP for z/OS and the PartnerLink SecureZIP Partner are licensed products. Without proper licensing the products can only be used to view archives. Product features can be licensed separately as the user needs dictate. The license key will contain all of the elements necessary to validate a customer’s use of PKZIPz.

PKZIPz provides a set of processes that update the current use license data set, allow reporting of the license information, allow conditional use of the product during a disaster recovery, and allow conditional use during a modification of the customer’s physical environment.

The licensing process is comprised of several key elements that are described in the following sections.

Licensed Types

The following table contains the parameters, and a brief description, used to determine licensing:


Type: BASIC
Description: The BASIC license type is the baseline. It represents a license for which there are no restrictions, other than time. In contrast, all the other license types define restrictions within which the application is licensed and by which the customer is to abide.
Use: Customer will receive a predetermined set of product features.

Type: CAPACITY
Description: The CAPACITY license type compares the capacity of the operating environment (as defined by the machine serial number) with a predefined table; for instance, to assure the application is running in a machine whose computing capacity is not larger than that for which the product is licensed.
Use: Customer will designate the serial number of the processor(s).

Type: DEMO
Description: A DEMO license is typically restricted to a certain time period, number of executions, or limited set of functions. These licenses may allow any of the other types of use. This license is also known as “Try and Buy” or “Supply before Buy.” These terms and conditions can be an added restriction to any of the license types.
Use: Trial period.

Type: DISASTER RECOVERY
Description: A DISASTER RECOVERY license is granted by the vendor to allow a specified product to execute under conditions defined as “disaster recovery” for a specified period of time or for a specified number of occurrences. These terms and conditions can be an added restriction to any of the license types.
Use: Implemented with a 5-day grace period to allow the customer to contact PKWARE to update the license. The grace period will never expire on a weekend.

Type: ENTERPRISE
Description: An ENTERPRISE license is assigned to an enterprise, which may be comprised of multiple sites, complexes, nodes, and/or serial numbers. It is an all-encompassing license to a single entity. These terms and conditions are derived from any of the license types.
Use: Allows a customer full access to all features of PKZIPz on all systems.

Type: FEATURES
Description: A packaging and enablement option. An optional feature of a product can be packaged, licensed, and enabled at the discretion of the software publisher. Features can be licensed in the same manner as software products and can, therefore, be of any license type.
Use: See product options below.

Type: TIME-DELIMITED
Description: Each license type is modifiable by time. Each license will have a finite time period.

Product Features

The license key contains codes to reflect the product features selected by the customer.

PKZIP for z/OS and SecureZIP for z/OS Standard Edition contain the following features:


Features: Standard Edition
Description:
o Compression
o Decompression
o Traditional Decryption
o Cross Platform Interoperability
o 32-bit CRC Error Checking
o Automatically Converts from EBCDIC to ASCII/ASCII to EBCDIC
o Multiple Compression Formats
o Includes International Translation Tables
o Integrated Help Feature
o Multi-Volume Archive Support
o Enhanced File Handling that supports up to 17 different RECFMs
o Supports GDGs and GDG Base Groups
o Simulate Mode
o Automatic Device Detection
o Cataloged Tape Datasets
o Customizable configuration and Installation
o SEQ File Handlers
o PDS File Handlers
o VSAM File Handlers
o Magnetic Tape Handlers
o User Exits
o Application Callable
o PDS/E File Handlers
o Command Line Interface


The following optional PKZIP for z/OS additional features are available:

Features: Enterprise Edition
Description:
o Decrypts password-based strongly encrypted ZIP files from SecureZIP
o Decrypts password-based filename encryption from SecureZIP
o Provides GZIP-compatibility support
o Provides foreground ZIP/UNZIP processing using an ISPF dialog
o Enhanced tape processing
o Provides the ability to create self-extracting archives for selected platforms
o Provides ZIP64 large file support, which includes processing for:
   - Archives with more than 65,535 files
   - File sizes of 4 gigabytes or greater
   - Archives with a total size of 4 gigabytes or greater

SecureZIP for z/OS includes all features found in the PKZIP for z/OS Enterprise Edition. In addition to the PKZIP compression features, SecureZIP for z/OS provides access to the following security-related features (see tables below):

Advanced password-based encryption/decryption (AES, DES, 3DES and RC4 algorithms) using RSA’s BSAFE Crypto-C routines

Certificate-based decryption and digital signature authentication

Filename encryption

IBM Cryptographic Facilities Integration (not available with SecureZIP Partner for z/OS)

The following optional features are also available for SecureZIP for z/OS:

Features: Standard Edition
Description:
o IBM Cryptographic Facilities Integration - Provides support to use ICSF cryptographic service APIs for supported data encryption and digital signature hash algorithms. Both hardware acceleration and ICSF software emulation are supported.
o RSA BSAFE strong passphrase encryption

Features: Enterprise Edition
Description:
o Advanced Encryption - Provides public/private key PKI certificate-based encryption and digital signing (Integrated with SecureZIP Partner)
o Directory Integration - Enables access to certificates residing on an LDAP server (Not available with SecureZIP Partner)
o Contingency key
o File name encryption


PartnerLink SecureZIP Partner is a software activation license provided with the product package. This license activates a predefined set of features when operating in this mode. Operational capabilities are defined by the PartnerLink program with distributed sponsor-exchange authorizations.

Note: Enhanced tape processing is provided with release 9.0 of SecureZIP Partner.

Evaluation Period

You can obtain a trial license that allows full use of the product for a specified evaluation period. Contact Sales for a key to generate a trial license.

For Technical Support, please contact the Product Services Division or visit the Support Web site.

Release-Dependent Licensing

Each release of PKZIPz requires that a new license key be obtained from Customer Service and that a new license record be generated. The new release fails with the message ZPLI901E Product License is Invalid if the license data set is used from a previous release.

Current Use License

When you receive the license control card information from PKWARE, you build the license data set using the Build License program (there is a sample job stream in member LICUPDAT in the Installation Data set (INSTLIB)). Executing this job stream updates the LICENSE data set and produces a report that reflects the state of PKZIPz at your location.

Following is a sample of the output:

ZPLI200I CONTROL CARD INPUT TO THE LICENSE RECORD
*LICENSED BY PKWARE 12/22/04 FPD
55 X37C8901 104620127 PKWARE Inc.
23 RT1A2217 20050102 01052B70601B
12 RT1A1331 20050102 01462A903041
14 XXOP2217 20050102 01052B70601B
73 XZZX2217 20050102 01052B70601B
18 RT562217 20050102 01052B70601B
89 1414C1EF 20050930 01052B70601B
ZPLI200I THE LICENSE RECORD HAS BEEN UPDATED FOR SecureZIP ON 01/08/01 AT 1:45pm FROM CPU
*******************************************************************************************

Reporting

To report on the status of the license at your location, run the sample job stream in member LICPRINT in the Installation Data set (pkware.mvs.INSTLIB).


Sample Full-feature product license report

ZPLI200I A LICENSE REPORT HAS BEEN REQUESTED ON 03/18/06 AT 10:57pm VER: 9.0 IN PKZIP.MVS
ZPLI200I For Technical Support assistance, please contact Product Services Division
ZPLI200I at 937-847-2687 or go on-line at http://www.pkware.com/business_and_developers/support
ZPLI200I Portions copyright (C) 1989-2006 PKWARE, Inc. All rights reserved.
ZPLI200I Reg. U.S. Pat. and Tm. Off. Patent No. 5,051,745
ZPLI200I Other U.S. and international patent applications pending.
ZPLI200I Portions of this software include RSA BSAFE(R) cryptographic
ZPLI200I or security protocol software from RSA Security Inc.
*******************************************************************************************
ZPLI200I SecureZIP (TM) IS LICENSED TO CUSTOMER # 575304644
ZPLI200I - CUSTOMER NAME - PKWARE, INC
*******************************************************************************************
ZPLI200I The OS version is z/OS 01.06.00 - FMID HBB7709 (SP7.0.6).
ZPLI200I CPU model 2066 with 2 online
ZPLI200I Service units per second per online CPU is 6341.66
ZPLI200I Approximate total MIPS (SUs/SEC / 48.5 * #CPUs) is 261.51
ZPLI200I CEC MSU per hour capacity is 44 - LPAR MSU per hour capacity is 44
ZPLI200I Central Processing Complex (CPC) Node Descriptor: CPC ND = 002066.0A2.IBM.02.00000001824A
ZPLI200I CPC ID = 00 Type(002066) Model(0A2) Manufacturer(IBM) Plant(02) Seq Num(00000
ZPLI200I CPU serial number for CPU 0 is 03824A2066 (3824A), version code 00, model 0A2.
ZPLI200I CPU serial number for CPU 1 is 13824A2066 (3824A), version code 00, model 0A2.
ZPLI200I Model from CPC SI
*******************************************************************************************
ZPEN350I PKCRYUTL 1.5 Cryptographic API Review Utility
ZPEN350I Copyright (C) 1989-2006 PKWARE, Inc. All rights reserved.
ZPEN350I Program and Output used by permission only. PKWARE, Inc.
ZPEN351I PKCRYUTL Registered copy (Pre-release) expires 6/30/2006
ZPEN336I CSRSI Query IBM Type(2066) Mod(0A2) S/N(000000000001824A)
ZPEN300I OSname<z/OS> OS Ver(01) Rel(06) Mod( ) HWclass<Z/X00 >
ZPEN307I ICSF is Active/CCVTACT
ZPEN308I ICSF is at a proper level for CSFIQF
ZPEN309I z/Architecture Hardware Available -Z/X00
ZPEN313I CSNBSYE (AES) System Capable with ICSF when available.
ZPEN314I AES Software Only Available -Z/X00
ZPEN320I CryptoAPI Facilities  HW   SW   SecureZIP
ZPEN321I 96 Bit Encryption     ---  ---  PKW
ZPEN321I AES 128 Encryption    ---  SYE  BSAFE
ZPEN321I AES 192 Encryption    ---  SYE  BSAFE
ZPEN321I AES 256 Encryption    ---  SYE  BSAFE
ZPEN321I 3DES Encryption       ENC  ---  BSAFE
ZPEN321I DES Encryption        ENC  ---  BSAFE
ZPEN321I RC4 Encryption        ---  ---  BSAFE
ZPEN321I CRC32 Hashing         ---  ---  PKW
ZPEN321I SHA1 Hashing          OWH  ---  BSAFE
ZPEN321I MD5 Hashing           ---  OWH  BSAFE
ZPEN321I SHA256 Hashing        ---  ---  ---
ZPEN321I Random Data Gen       RNG  ---  PKW
ZPEN322I Facility Encryptdata Seq: IBMHW(1) IBMSW(2) PKW(3)
ZPEN322I Facility Hash (Signature) Seq: IBMHW(1) IBMSW(2) PKW(3)
ZPEN322I Facility Randomdata Seq: IBMHW(1) IBMSW(0) PKW(2)
ZPEN374I-Completing with Return Code=0 Error Code=0---------------------------
*******************************************************************************************
ZPLI200I COMPRESSION IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# 00824A PROCESSOR TYPE 2066 VERSION/MODEL 0A2 WITH AN EXPIRATION DATE OF 02
ZPLI200I DECOMPRESSION IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# 00824A PROCESSOR TYPE 2066 VERSION/MODEL 0A2 WITH AN EXPIRATION DATE OF 02
ZPLI200I HARDWARE CRYPTO IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# 00824A PROCESSOR TYPE 2066 VERSION/MODEL 0A2 WITH AN EXPIRATION DATE OF 02
ZPLI200I ENHANCED TAPE PROCESSING IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# 00824A PROCESSOR TYPE 2066 VERSION/MODEL 0A2 WITH AN EXPIRATION DATE OF 02
ZPLI200I DECRYPTION IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# 00824A PROCESSOR TYPE 2066 VERSION/MODEL 0A2 WITH AN EXPIRATION DATE OF 02
ZPLI200I GZIP SUPPORTED FILES LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# 00824A PROCESSOR TYPE 2066 VERSION/MODEL 0A2 WITH AN EXPIRATION DATE OF 02
ZPLI200I ISPF IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# 00824A PROCESSOR TYPE 2066 VERSION/MODEL 0A2 WITH AN EXPIRATION DATE OF 02
ZPLI200I COMMAND LINE INTERFACE IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# 00824A PROCESSOR TYPE 2066 VERSION/MODEL 0A2 WITH AN EXPIRATION DATE OF 02
ZPLI200I ADVANCED ENCRYPTION IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# 00824A PROCESSOR TYPE 2066 VERSION/MODEL 0A2 WITH AN EXPIRATION DATE OF 02
ZPLI200I DIRECTORY INTEGRATION IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# 00824A PROCESSOR TYPE 2066 VERSION/MODEL 0A2 WITH AN EXPIRATION DATE OF 02
ZPLI200I SELF EXTRACTION CREATOR IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# 00824A PROCESSOR TYPE 2066 VERSION/MODEL 0A2 WITH AN EXPIRATION DATE OF 02
*******************************************************************************************
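The PKCRYUTL lines (ZPEN321I/ZPEN322I) in the sample report above can be parsed to audit which cryptographic facility serves each algorithm on a given system. The Python below is an added example, not PKWARE code. It assumes that the ZPEN322I numbers give an order of preference with 0 meaning "not used" (the page does not state this), and the LEGACY policy set is a site choice made for this example.

```python
import re

# Lines copied from the PKCRYUTL section of the sample license report above.
SAMPLE_REPORT = """\
ZPEN320I CryptoAPI Facilities HW SW SecureZIP
ZPEN321I 96 Bit Encryption --- --- PKW
ZPEN321I AES 128 Encryption --- SYE BSAFE
ZPEN321I AES 192 Encryption --- SYE BSAFE
ZPEN321I AES 256 Encryption --- SYE BSAFE
ZPEN321I 3DES Encryption ENC --- BSAFE
ZPEN321I DES Encryption ENC --- BSAFE
ZPEN321I RC4 Encryption --- --- BSAFE
ZPEN321I CRC32 Hashing --- --- PKW
ZPEN321I SHA1 Hashing OWH --- BSAFE
ZPEN321I MD5 Hashing --- OWH BSAFE
ZPEN321I SHA256 Hashing --- --- ---
ZPEN321I Random Data Gen RNG --- PKW
ZPEN322I Facility Encryptdata Seq: IBMHW(1) IBMSW(2) PKW(3)
ZPEN322I Facility Hash (Signature) Seq: IBMHW(1) IBMSW(2) PKW(3)
ZPEN322I Facility Randomdata Seq: IBMHW(1) IBMSW(0) PKW(2)
"""

# Facility name (may contain spaces) followed by exactly three column cells.
ROW = re.compile(r"^ZPEN321I\s+(.+?)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
SEQ = re.compile(r"^ZPEN322I\s+Facility\s+(.+?)\s+Seq:\s+(.*)$")
# HW, SW and SecureZIP columns of ZPEN320I, named as they appear in ZPEN322I.
COLUMNS = ("IBMHW", "IBMSW", "PKW")
# Site policy (assumption of this example): algorithms to flag when available.
LEGACY = {"DES Encryption", "RC4 Encryption", "MD5 Hashing", "SHA1 Hashing"}


def parse_report(text):
    """Return ({facility: {column: implementation or None}}, {sequence: {column: rank}})."""
    facilities, sequences = {}, {}
    for line in text.splitlines():
        line = line.strip()
        row = ROW.match(line)
        if row:
            name, *cells = row.groups()
            facilities[name] = {
                col: (None if cell == "---" else cell)
                for col, cell in zip(COLUMNS, cells)
            }
            continue
        seq = SEQ.match(line)
        if seq:
            sequences[seq.group(1)] = {
                col: int(rank)
                for col, rank in re.findall(r"(\w+)\((\d+)\)", seq.group(2))
            }
    return facilities, sequences


def sequence_key(name):
    """Map a ZPEN321I facility name to the ZPEN322I sequence that governs it."""
    if name.endswith("Encryption"):
        return "Encryptdata"
    if name.endswith("Hashing"):
        return "Hash (Signature)"
    if name.startswith("Random"):
        return "Randomdata"
    return None


def selected_provider(name, facilities, sequences):
    """Pick the available column with the lowest non-zero rank (assumed semantics)."""
    order = sequences.get(sequence_key(name), {})
    ranked = sorted(
        (order[col], col, impl)
        for col, impl in facilities[name].items()
        if impl is not None and order.get(col, 0) > 0
    )
    return ranked[0][1:] if ranked else None


def audit(text):
    """Summarise provider selection and flag gaps for an administrator to review."""
    facilities, sequences = parse_report(text)
    result = {"selected": {}, "unavailable": [], "legacy_available": [], "no_hardware": []}
    for name, cells in facilities.items():
        choice = selected_provider(name, facilities, sequences)
        result["selected"][name] = choice
        if choice is None:
            result["unavailable"].append(name)
            continue
        if name in LEGACY:
            result["legacy_available"].append(name)
        if cells["IBMHW"] is None:
            result["no_hardware"].append(name)
    return result


if __name__ == "__main__":
    report = audit(SAMPLE_REPORT)
    for name, choice in report["selected"].items():
        print(f"{name:20} -> {choice}")
    print("unavailable:     ", report["unavailable"])
    print("legacy available:", report["legacy_available"])
    print("no hardware path:", report["no_hardware"])
```

On the sample report this shows AES served by the ICSF software path (SYE) rather than hardware, and SHA256 with no provider in any column.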

Sample Evaluation (Demo) product license report

ZPLI220I A demo license has been requested on 03/18/04 AT 9:12am
ZPLI220I Please contact PKWARE Sales at 937-847-2374 to receive an evaluation license.
*********************************************************************************
CPU model 2066 with 1 online
CPU serial number for CPU 0 is 04263B2066 (4263B), version code 00.
Service units per second per online CPU is 5612.07
Approximate total MIPS (SUs/SEC / 48.5 * #CPUs) is 115.71
Central Processing Complex (CPC) Node Descriptor: CPC ND = 002066.0B1.IBM.02.00000001263B
CPC ID = 00 Type(002066) Model(0B1) Manufacturer(IBM) Plant(02) Seq Num(00000001263B)
*********************************************************************************

Sample SecureZIP Partner Product License Report

ZPLI200I A LICENSE REPORT HAS BEEN REQUESTED ON 03/18/06 AT 2:32pm VER: 9.0 IN SECZIP.M
ZPLI200I For Technical Support assistance, please contact Product Services Division
ZPLI200I at 937-847-2687 or go on-line at http://www.pkware.com/business_and_developers/support
ZPLI200I Portions copyright (C) 1989-2006 PKWARE, Inc. All rights reserved.
ZPLI200I Reg. U.S. Pat. and Tm. Off. Patent No. 5,051,745
ZPLI200I Other U.S. and international patent applications pending.
ZPLI200I Portions of this software include RSA BSAFE(R) cryptographic
ZPLI200I or security protocol software from RSA Security Inc.
*******************************************************************************************
ZPLI200I PKWARE PartnerLink SecureZIP(R) IS LICENSED TO CUSTOMER # 575304644
ZPLI200I - CUSTOMER NAME - PKWARE SecureZIP Partner
*******************************************************************************************
ZPLI200I The OS version is z/OS 01.06.00 - FMID HBB7709 (SP7.0.6).
ZPLI200I CPU model 2066 with 2 online
ZPLI200I Service units per second per online CPU is 6341.66
ZPLI200I Approximate total MIPS (SUs/SEC / 48.5 * #CPUs) is 261.51
ZPLI200I CEC MSU per hour capacity is 44 - LPAR MSU per hour capacity is 44
ZPLI200I Central Processing Complex (CPC) Node Descriptor: CPC ND = 002066.0A2.IBM.02.00000001824A
ZPLI200I CPC ID = 00 Type(002066) Model(0A2) Manufacturer(IBM) Plant(02) Seq Num(00000001824A)
ZPLI200I CPU serial number for CPU 0 is 03824A2066 (3824A), version code 00, model 0A2.
ZPLI200I CPU serial number for CPU 1 is 13824A2066 (3824A), version code 00, model 0A2.
ZPLI200I Model from CPC SI
*******************************************************************************************
ZPEN350I PKCRYUTL 1.5 Cryptographic API Review Utility
ZPEN350I Copyright (C) 1989-2006 PKWARE, Inc. All rights reserved.
ZPEN350I Program and Output used by permission only. PKWARE, Inc.
ZPEN351I PKCRYUTL Registered copy (Pre-release) expires 6/30/2006
ZPEN336I CSRSI Query IBM Type(2066) Mod(0A2) S/N(000000000001824A)
ZPEN300I OSname<z/OS> OS Ver(01) Rel(06) Mod( ) HWclass<Z/X00 >
ZPEN307I ICSF is Active/CCVTACT
ZPEN308I ICSF is at a proper level for CSFIQF
ZPEN309I z/Architecture Hardware Available -Z/X00
ZPEN313I CSNBSYE (AES) System Capable with ICSF when available.
ZPEN314I AES Software Only Available -Z/X00
ZPEN320I CryptoAPI Facilities  HW   SW   SecureZIP
ZPEN321I 96 Bit Encryption     ---  ---  PKW
ZPEN321I AES 128 Encryption    ---  SYE  BSAFE
ZPEN321I AES 192 Encryption    ---  SYE  BSAFE
ZPEN321I AES 256 Encryption    ---  SYE  BSAFE
ZPEN321I 3DES Encryption       ENC  ---  BSAFE
ZPEN321I DES Encryption        ENC  ---  BSAFE
ZPEN321I RC4 Encryption        ---  ---  BSAFE
ZPEN321I CRC32 Hashing         ---  ---  PKW
ZPEN321I SHA1 Hashing          OWH  ---  BSAFE
ZPEN321I MD5 Hashing           ---  OWH  BSAFE
ZPEN321I SHA256 Hashing        ---  ---  ---
ZPEN321I Random Data Gen       RNG  ---  PKW
ZPEN322I Facility Encryptdata Seq: IBMHW(1) IBMSW(2) PKW(3)
ZPEN322I Facility Hash (Signature) Seq: IBMHW(1) IBMSW(2) PKW(3)
ZPEN322I Facility Randomdata Seq: IBMHW(1) IBMSW(0) PKW(2)
ZPEN374I-Completing with Return Code=0 Error Code=0---------------------------
*******************************************************************************************
ZPLI200I This is a SecureZIP Partner for z/OS License
*******************************************************************************************

Show System Information

When establishing a valid license with PKWARE for your system, specific operating information is required. To display hardware and software information at your location, run the sample job stream in member LICSHSYS in the Installation Data set (pkware.mvs.INSTLIB). Executing this job stream displays a Show System Information report.

Following is a sample of the report:

ZPLI210I SECUREZIP - Display System Information - Version 9.0P-R
************************************************************************
SecureZIP (R) is a trademark of PKWARE, Inc.
PKZIP (R) is a registered trademark of PKWARE, INC.
Portions copyright (C) 1989-2006 PKWARE, Inc. All rights reserved.
Reg. U.S. Pat. and Tm. Off. Patent No. 5,051,745
Other U.S. and international patent applications pending.
Portions of this software include RSA BSAFE(R) cryptographic
or security protocol software from RSA Security Inc.
************************************************************************
For Licensing, please contact the Sales Division at 937-847-2374 or email [email protected]
For Technical Support assistance, please contact the Product Services Division at
937-847-2687 or go online at http://www.pkware.com/business_and_developers/support
Saturday 03/18/2006 (2006.077) 14:32:14
CPU model 2066 with 2 online
Service units per second per online CPU is 6341.66.
Approximate total MIPS (SUs/SEC / 48.5 * #CPUs) is 261.51.
CEC MSU per hour capacity is 44 - LPAR MSU per hour capacity is 44
Central Processing Complex (CPC) Node Descriptor: CPC ND = 002066.0A2.IBM.02.00000001824A
CPC ID = 00 Type(002066) Model(0A2) Manufacturer(IBM) Plant(02) Seq Num(00000001824A)
CPU serial number for CPU 0 is 03824A2066 (3824A), version code 00, Model(0A2).
CPU serial number for CPU 1 is 13824A2066 (3824A), version code 00, Model(0A2).
*******************************************************************************************
The OS version is z/OS 01.06.00 - FMID HBB7709 (SP7.0.6).
JES2 z/OS 1.5
DFSMS z/OS 1.6.0
Model from CPC SI
ZPEN350I PKCRYUTL 1.5 Cryptographic API Review Utility
ZPEN350I Copyright (C) 1989-2006 PKWARE, Inc. All rights reserved.
ZPEN350I Program and Output used by permission only. PKWARE, Inc.
ZPEN351I PKCRYUTL Registered copy (Pre-release) expires 6/30/2006
ZPEN336I CSRSI Query IBM Type(2066) Mod(0A2) S/N(000000000001824A)
ZPEN300I OSname<z/OS> OS Ver(01) Rel(06) Mod( ) HWclass<Z/X00 >
ZPEN307I ICSF is Active/CCVTACT
ZPEN308I ICSF is at a proper level for CSFIQF
ZPEN309I z/Architecture Hardware Available -Z/X00
ZPEN313I CSNBSYE (AES) System Capable with ICSF when available.
ZPEN314I AES Software Only Available -Z/X00
ZPEN320I CryptoAPI Facilities  HW   SW   SecureZIP
ZPEN321I 96 Bit Encryption     ---  ---  PKW
ZPEN321I AES 128 Encryption    ---  SYE  BSAFE
ZPEN321I AES 192 Encryption    ---  SYE  BSAFE
ZPEN321I AES 256 Encryption    ---  SYE  BSAFE
ZPEN321I 3DES Encryption       ENC  ---  BSAFE
ZPEN321I DES Encryption        ENC  ---  BSAFE
ZPEN321I RC4 Encryption        ---  ---  BSAFE
ZPEN321I CRC32 Hashing         ---  ---  PKW
ZPEN321I SHA1 Hashing          OWH  ---  BSAFE
ZPEN321I MD5 Hashing           ---  OWH  BSAFE
ZPEN321I SHA256 Hashing        ---  ---  ---
ZPEN321I Random Data Gen       RNG  ---  PKW
ZPEN322I Facility Encryptdata Seq: IBMHW(1) IBMSW(2) PKW(3)
ZPEN322I Facility Hash (Signature) Seq: IBMHW(1) IBMSW(2) PKW(3)
ZPEN322I Facility Randomdata Seq: IBMHW(1) IBMSW(0) PKW(2)
ZPEN374I-Completing with Return Code=0 Error Code=0---------------------------

Conditional Use

PKWARE recognizes that there may be periods where the licensing environment established by the customer is no longer valid. Circumstances such as disaster recovery processing or the installation or upgrade of new processors will affect the environment.

See “PKZIP/SecureZIP for z/OS Grace Period” later in this chapter for more information.

Initializing the License

The SecureZIP Partner for z/OS product comes with a predefined software activation license for use on any z/OS system. For more information, see “SecureZIP Partner License Activation,” later in this chapter.

For all other products, each release of PKZIPz requires that a new license key be obtained from Customer Service and that a new license record be generated. If the License dataset from a previous release is used, the new release fails with the message ZPLI901E Product License is Invalid.

PKZIP and Full-Featured SecureZIP License Activation

Transfer the license file provided by PKWARE from the PC to the host. Be sure to convert the data from ASCII to EBCDIC and insert CR/LFs. Copying the authorization code from the text file and pasting it to the LICENSE member of the INSTLIB is an acceptable alternative.

After the file has been transferred or copied to the host, edit the INSTLIB(LICUPDAT) member, supply a job card, and modify the following line of JCL:

//LICENSE PROC HLVL=PKWARE.MVS,URUNIT=SYSDA,URVOL=WORK01

“PKWARE.MVS” is the high-level qualifier for your installation. URUNIT and URVOL are the target unit and volume for the installed PKZIPz product.

SecureZIP Partner License Activation

A software license is provided with the SecureZIP Partner for z/OS package for the purpose of activating, configuring and verifying the installation of the software. A Sponsor Distribution Package must also be obtained independently through the PKWARE PartnerLink program to activate data interchange capabilities with a PartnerLink sponsor.

The SecureZIP Partner software license enables a pre-defined set of features to be run on any system. Because of this, you are not required to identify your specific processor to be used to run the products.

The PKWARE PartnerLink SecureZIP Partner license is created by member LICRPLKB in INSTLIB.

Executing this job stream creates the LICENSE dataset and produces a report that reflects the state of PKWARE PartnerLink SecureZIP at your location.

The JCL in INSTLIB for the sample jobs contains the symbolic parameter HLVL. HLVL is used as the high level qualifier for the REXX EXEC libraries and as the high level qualifier for the LICENSE dataset. By default, they both point to the same high level qualifier. If you use more than one high level qualifier, you must use override JCL.

Edit the INSTLIB(LICRPLKB) member, supply a job card, and modify the following line of JCL:

//LICENSE PROC HLVL=PKWARE.MVS,URUNIT=SYSDA,URVOL=WORK01

“PKWARE.MVS” is the high-level qualifier for your installation. URUNIT and URVOL are the target unit and volume for the installed PKZIPz product.

In addition, you must change the value "license hlq" in the UPDATE SYSIN control cards to reflect the high level qualifier of the license dataset.

//UPDATE.SYSTSIN DD *
RECEIVE INDDN(LICIN) DSNAME('license hlq.LICENSE')

Reporting the PKZIP/SecureZIP for z/OS License

The procedures below describe how to obtain the license report.

Edit the *.MVS820.INSTLIB(LICPRINT) member, supply a job card, and substitute the following default line:

//LICENSE PROC HLVL=PKWARE.MVS

“PKWARE.MVS” represents the high-level qualifier for your installation.


When you submit this job, the output should give you a return code of zero (RC=00) and the following additional lines.

ZPLI200I A LICENSE REPORT HAS BEEN REQUESTED ON 03/18/06 AT 10:57pm VER: 9.0 IN PKZIP.MVS
ZPLI200I For Technical Support assistance, please contact Product Services Division
ZPLI200I at 937-847-2687 or go on-line at http://www.pkware.com/business_and_developers/support
ZPLI200I Portions copyright (C) 1989-2006 PKWARE, Inc. All rights reserved.
ZPLI200I Reg. U.S. Pat. and Tm. Off. Patent No. 5,051,745
ZPLI200I Other U.S. and international patent applications pending.
ZPLI200I Portions of this software include RSA BSAFE(R) cryptographic
ZPLI200I or security protocol software from RSA Security Inc.
*******************************************************************************************
ZPLI200I SecureZIP (TM) IS LICENSED TO CUSTOMER # 575304644
ZPLI200I - CUSTOMER NAME - PKWARE, INC
*******************************************************************************************
ZPLI200I The OS version is z/OS 01.06.00 - FMID HBB7709 (SP7.0.6).
ZPLI200I CPU model 2066 with 2 online
ZPLI200I Service units per second per online CPU is 6341.66
ZPLI200I Approximate total MIPS (SUs/SEC / 48.5 * #CPUs) is 261.51
ZPLI200I CEC MSU per hour capacity is 44 - LPAR MSU per hour capacity is 44
ZPLI200I Central Processing Complex (CPC) Node Descriptor: CPC ND = 002066.0A2.IBM.02.00000001824A
ZPLI200I CPC ID = 00 Type(002066) Model(0A2) Manufacturer(IBM) Plant(02) Seq Num(00000
ZPLI200I CPU serial number for CPU 0 is 03824A2066 (3824A), version code 00, model 0A2.
ZPLI200I CPU serial number for CPU 1 is 13824A2066 (3824A), version code 00, model 0A2.
ZPLI200I Model from CPC SI
*******************************************************************************************
ZPEN350I PKCRYUTL 1.5 Cryptographic API Review Utility
ZPEN350I Copyright (C) 1989-2006 PKWARE, Inc. All rights reserved.
ZPEN350I Program and Output used by permission only. PKWARE, Inc.
ZPEN351I PKCRYUTL Registered copy (Pre-release) expires 6/30/2006
ZPEN336I CSRSI Query IBM Type(2066) Mod(0A2) S/N(000000000001824A)
ZPEN300I OSname<z/OS> OS Ver(01) Rel(06) Mod( ) HWclass<Z/X00 >
ZPEN307I ICSF is Active/CCVTACT
ZPEN308I ICSF is at a proper level for CSFIQF
ZPEN309I z/Architecture Hardware Available -Z/X00
ZPEN313I CSNBSYE (AES) System Capable with ICSF when available.
ZPEN314I AES Software Only Available -Z/X00
ZPEN320I CryptoAPI Facilities  HW   SW   SecureZIP
ZPEN321I 96 Bit Encryption     ---  ---  PKW
ZPEN321I AES 128 Encryption    ---  SYE  BSAFE
ZPEN321I AES 192 Encryption    ---  SYE  BSAFE
ZPEN321I AES 256 Encryption    ---  SYE  BSAFE
ZPEN321I 3DES Encryption       ENC  ---  BSAFE
ZPEN321I DES Encryption        ENC  ---  BSAFE
ZPEN321I RC4 Encryption        ---  ---  BSAFE
ZPEN321I CRC32 Hashing         ---  ---  PKW
ZPEN321I SHA1 Hashing          OWH  ---  BSAFE
ZPEN321I MD5 Hashing           ---  OWH  BSAFE
ZPEN321I SHA256 Hashing        ---  ---  ---
ZPEN321I Random Data Gen       RNG  ---  PKW
ZPEN322I Facility Encryptdata Seq: IBMHW(1) IBMSW(2) PKW(3)
ZPEN322I Facility Hash (Signature) Seq: IBMHW(1) IBMSW(2) PKW(3)
ZPEN322I Facility Randomdata Seq: IBMHW(1) IBMSW(0) PKW(2)
ZPEN374I-Completing with Return Code=0 Error Code=0---------------------------
*******************************************************************************************
ZPLI200I COMPRESSION IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# 00824A PROCESSOR TYPE 2066 VERSION/MODEL 0A2 WITH AN EXPIRATION DATE OF 02
ZPLI200I DECOMPRESSION IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# 00824A PROCESSOR TYPE 2066 VERSION/MODEL 0A2 WITH AN EXPIRATION DATE OF 02
ZPLI200I HARDWARE CRYPTO IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# 00824A PROCESSOR TYPE 2066 VERSION/MODEL 0A2 WITH AN EXPIRATION DATE OF 02
ZPLI200I ENHANCED TAPE PROCESSING IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# 00824A PROCESSOR TYPE 2066 VERSION/MODEL 0A2 WITH AN EXPIRATION DATE OF 02
ZPLI200I DECRYPTION IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# 00824A PROCESSOR TYPE 2066 VERSION/MODEL 0A2 WITH AN EXPIRATION DATE OF 02
ZPLI200I GZIP SUPPORTED FILES LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# 00824A PROCESSOR TYPE 2066 VERSION/MODEL 0A2 WITH AN EXPIRATION DATE OF 02
ZPLI200I ISPF IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# 00824A PROCESSOR TYPE 2066 VERSION/MODEL 0A2 WITH AN EXPIRATION DATE OF 02
ZPLI200I COMMAND LINE INTERFACE IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# 00824A PROCESSOR TYPE 2066 VERSION/MODEL 0A2 WITH AN EXPIRATION DATE OF 02
ZPLI200I ADVANCED ENCRYPTION IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# 00824A PROCESSOR TYPE 2066 VERSION/MODEL 0A2 WITH AN EXPIRATION DATE OF 02
ZPLI200I DIRECTORY INTEGRATION IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# 00824A PROCESSOR TYPE 2066 VERSION/MODEL 0A2 WITH AN EXPIRATION DATE OF 02
ZPLI200I SELF EXTRACTION CREATOR IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# 00824A PROCESSOR TYPE 2066 VERSION/MODEL 0A2 WITH AN EXPIRATION DATE OF 02
*******************************************************************************************

PKZIP/SecureZIP for z/OS Grace Period

PKWARE recognizes that there may be periods where the licensing environment established by the customer is no longer valid. Circumstances such as disaster recovery processing or the installation or upgrade of new processors will affect the environment.

To accommodate the installation, PKZIPz has a process that will allow you to continue to use the product for a grace period of five days when the established licensing environment is no longer valid. Note that the user must have write authority on the license dataset to invoke the grace period. This authority is only required the first time PKZIP/PKUNZIP is run after a CPU change has occurred; it is not required after the grace period has been successfully invoked (this is one time per CPU, not one time per IPL).

During the grace period, error messages will be displayed on the console (and the printout) for each execution of PKZIPz. At the end of the period, if the license is not updated, the product will no longer function for the new CPUs except to VIEW an archive. The five-day grace period is designed so that the program will not cease to function on a weekend or the Monday following the five-day grace period. You must contact PKWARE at [email protected] during the grace period to obtain licensing to allow extended use.

Note: The SecureZIP Partner for z/OS software activation license does not require or support grace period processing.

Running a Disaster Recovery Test

There are no special procedures necessary in order for you to use PKZIPz during a disaster recovery test. Because PKZIPz licensing allows for such contingencies, the user can perform the following process to have PKZIPz run at the DR site with RC=00.

1. First, copy the production image of PKZIPz from the production system over to the Disaster Recovery system.

2. Once the image is on the system, simply run PKZIPz from the CPU you want, and PKZIPz will run conditionally for five days with RC=0. (This time limit does not apply to SecureZIP Partner for z/OS.) If operation beyond this time frame is required, contact PKWARE at [email protected].

If operating SecureZIP Partner for z/OS, you can rerun the predefined license job from INSTLIB if necessary.


Activating the ISPF Interface

The ISPF interface requires a PKZIP Enterprise Edition or SecureZIP license. Activation of the PKZIPz ISPF interface is accomplished as follows:

During product installation, the PKZIPz ISPF libraries are loaded to disk. The high level qualifiers (dsnhlq) are selected by the user during the installation process.

To configure the SecureZIP Certificate Store Processing and ISPF Panels, the user will need to make a few modifications to the PKWARE.MVS.INSTLIB(PKISPF) and PKWARE.MVS.INSTLIB(PKZSTART) members.

For certificate store processing you must edit the PKISPF member and make the following changes to reflect your installation:

Change the value of 'HLVL' to reflect the high level qualifier for your installation. This defaults to 'PKWARE.MVS'.

HLVL=PKWARE.MVS

Change the value of 'ISP' to reflect the high level qualifier for your system ISPF files. This defaults to 'ISP'.

ISP=ISP

Change the value of 'SYSDA' to indicate the unit type for temporary files. The default is 'SYSDA'.

SYSDA=SYSDA

To prepare the PKZIPz ISPF panels you must edit the PKZSTART member and make the following changes to reflect your installation:

If the user environment cannot support compiled REXX, change the value of 'env' to 'EXEC'. If your environment does support compiled REXX, you do not have to change anything on this line. This defaults to 'CEXEC'.

env = 'CEXEC'

Change the value of 'ispfhlq' to reflect the high level qualifier for your installation. This defaults to 'PKWARE.MVS'.

ispfhlq = 'PKWARE.MVS'

Change the value of 'llib' to indicate the name of the installed load library. The default is 'PKWARE.MVS.LOAD'.

llib = 'PKWARE.MVS.LOAD'

Now save your changes to the PKZSTART member.

To quickly test whether the configuration has worked, type "EXEC" next to the PKZSTART member. If the installation went as expected, the user is then prompted to enter the configuration screen for PKZIPz.

You may choose to add the PKZSTART member to a REXX exec in your SYSEXEC or SYSPROC concatenation that will initialize the ISPF interface. If you prefer to activate the PKZIPz ISPF interface from your ISPF main menu, add an entry that will activate PKZIPz. Both methods are explained in the following paragraphs. Significant performance improvements can be achieved by using the compiled REXX exec.


ISPF Main Menu

To execute PKZIPz from an ISPF menu panel you must add an entry to the main menu for ISPF. This is normally a panel named (ISR@PRIM). Add the following line (or whatever the user deems appropriate) to the BODY section of the panel definition:

P PKZIPz for z/OS 9.0 ISPF

Add the following line to the PROC section:

P,'CMD(%PKZSTART)'

Replace the ‘P’ with whatever main menu option you added in the BODY section of the panel definition. The user will notice that the PKZSTART exec has an argument passed to it. The argument ‘CEXEC’ causes the libraries containing the compiled REXX routines to be allocated. The user will gain significant increases in performance by using these libraries. If your operating system release or any other reason might prevent you from using the compiled REXX, then call PKZSTART with the argument of ‘EXEC’ and the normal interpreted REXX libraries will be used.

PKZSTART is the initial exec that starts the interface and it also allocates the necessary ISPF application libraries. Consequently, it must be modified to reflect the installed library names (as it was documented in the previous section).

Running PKZIPz with Library Lookaside (LLA and LNKLST)

This section applies only if PKZIPz is to be executed from Library Lookaside.

To install PKZIPz into Library Lookaside for the purpose of eliminating JOBLIB and STEPLIB DD statements for execution, follow your installation’s standards for implementing LNKLST for the PKZIPz LOAD library. See the IBM z/OS Initialization and Tuning publications for more information.

To access PKZIPz from the system LNKLST while running ISPF, enter the Configuration panel (option C from the menu panel). In the field labeled “Execution load library,” enter the string *LNKLST (no quotes). In this mode of operation, the ISPF EXEC procedures call PKZIPz programs from the system link list instead of from a particular library. In addition, ISPF-generated background jobs will not include a STEPLIB.

Care must be taken to perform a MODIFY LLA REFRESH or UPDATE operation for the PKZIPz data set when adding or maintaining tailored PKZIPz modules. Doing this will cause Library Lookaside to rebuild its directory indexes and enable future executions to access new copies of the modules. (For more information regarding LLA commands, see the IBM z/OS MVS Commands manual.)

Tailored PKZIPz modules include:

Defaults modules

Translation tables for TRANSLATE_TABLE_DATA and TRANSLATE_TABLE_FILEINFO

The SAFETYEX load module


Verifying the Installation

To ensure proper design and implementation has taken place, it is crucial for the system administrator to run the installation verification procedures that ship with PKZIPz. Once the product has completed installation and is properly licensed, you can run the pre-defined IVP streams. Instructions for customizing these jobs to the standards of your facility are included in comments at the beginning of each job’s JCL stream.

The pre-packaged IVP streams located under the *.INSTLIB dataset are as follows:

IVPBASIC – Demonstrates the compression, viewing, testing, and decompression of a catalog listing to an archive contained in a PDS member.

IVPLMOD – Compresses LOAD module members and then views, tests, and rebuilds the LOAD library from the archive.

IVPSECUR – Sample strong encryption jobs to compress 1MB, 10MB, 100MB, and 1GB data files and to test and decompress the files from the archives. SecureZIP for z/OS users only.

IVPVSAM – Demonstrates the compression, viewing, testing, and decompression of a VSAM KSDS to a VSAM archive. (Non-VSAM files and archives can be mixed with VSAM. This job simply shows that VSAM can be used for either.)

IVPVSPAN – Sample job to IEBCOPY-Unload a PDS, ZIP it, and reload it to verify the operation of variable spanned files.

Recipient-based encryption, signing and authentication can also be tested from the Local Certificate Store main menu. Option 8 (Run Installation Verification Job) prompts the user with the IVP JCL stream that has been customized for the signing and authentication standards of your facility. This job demonstrates the compression, encryption, signing, and authentication of an archive using SecureZIP for z/OS. The expected return code is zero for each of the IVP job runs.

To report any unexpected job results when running the various IVP streams, contact PKWARE Technical Support.

Users of SecureZIP Partner for z/OS should not run the IVP jobs detailed above, as they are intended only for the full-featured PKZIP and SecureZIP for z/OS products. The pre-packaged PartnerLink IVP job is located under the *.INSTLIB dataset:

PLIVPZIP – Demonstrates the successful configuration of the PKWARE, Inc., test Sponsor Distribution Package. A pre-signed archive is provided in INSTLIB2(PLIVPZIP) for SecureZIP Partner access.


3 Security Administration Overview

This section discusses how you utilize SecureZIP for z/OS to secure your data. Elements that are required to make a SecureZIP for z/OS archive are discussed in detail. These elements, when selectively used, combine to create a SecureZIP for z/OS archive or allow the extraction of a file or files from a SecureZIP for z/OS created archive.

A series of ISPF panels is used to assist you in building and maintaining the SecureZIP Certificate Store. These panels are not part of the separately licensed feature “ISPF”. They are standard with SecureZIP for z/OS. The ISPF screens and SecureZIP commands that are used to accomplish these tasks are shown in this chapter, along with notes and comments.

Keywords, Phrases, and Acronyms Used

SecureZIP for z/OS introduces new terminology to users that are familiar with PKZIP. These expressions directly relate to the security features inherent in SecureZIP for z/OS.

Public key certificate(s)

Private key certificate(s)

Data base profile (local certificate store)

LDAP profile (networked certificate store)

Password

RECIPIENT

MASTER RECIPIENT

Configuration profile

Certificate store

Common name

Path

Cert configuration

PING

TCPIP


User certificate

Certificate authority

Recipient database

Recipient searches

Filename encryption

Authentication

File Signing

Archive signing

Root certificates

CA certificates

Certificate revocation list


Accessing Certificates

SecureZIP for z/OS provides access to certificates through sets of local files (sequential, PDS or PDSE) and VSAM index paths when control card requests are present.

In addition, RECIPIENT(LDAP:...) requests are resolved through configured network definitions.

Public Key Certificate

Certificate-based encryption allows the exchange of encrypted data without the exposure of also exchanging or retaining a password. This form of encryption uses a Public-key digital certificate when creating the archive; the recipient then uses the corresponding Private-key certificate to decrypt. Digital certificates may be identified and selected by naming information, such as "Common Name" or an email address.

To do this SecureZIP for z/OS performs a process called “Digital Enveloping” using digital certificates when encrypting data for specified public key recipients. Access the Secure .ZIP Envelopes whitepaper at the PKWARE web site.

The Public Key Certificate consists of the public portion of an asymmetric cryptographic key (the "public key"), together with identity information, such as a person's name, all of which is signed by a certificate authority (CA). The CA essentially guarantees that the public key belongs to the named entity.

Private Key Certificates

To UNZIP a file that has been encrypted with a Public-key certificate, the receiver must supply a matching Private-key certificate. This is done by including RECIPIENT commands that specify the location of the Private-key certificate along with its associated access password. Note that this password is not a password used to encrypt a file, but rather a password that is used to access the Private Key Certificate.

-RECIPIENT commands may be included in the command input stream directly, or be included through the INCLUDE_CMD command. A Private-Cert profile designates a saved repository of the private key certificates. When SecureZIP for z/OS dialogs prepare batch JCL or UNZIP call streams, these commands will be automatically included when File Decryption is requested.

Certificate Authority and Root Certificates

End entity certificates and their related keys are used for signing and authentication. They are created at the end of the hierarchy of certificate authorities. Each certificate is signed by its CA issuer and is identified in the “Issued By” field in the end certificate. In turn, a CA certificate can also be issued by a higher level CA. Such certificates are known as intermediate CA certificates. At the top of the issuing chain is a self-signed certificate known as the root.

SecureZIP uses the certificates for signing and authentication operations. SecureZIP for z/OS makes use of these certificates in PKCS#7 format. The intermediate CA certificates are maintained independently from the ROOT certificates.

Configuration Profile

A configuration profile is a collection of SecureZIP for z/OS commands that describe the necessary environment. At execution time this profile is read to locate the appropriate stores and index. SecureZIP provides various means by which the configuration information can be supplied. Contact your technical support staff for instructions regarding access to the configuration.

Contents of the Configuration Profile

Execution configuration values may be supplied in any of the following ways. It is highly recommended that the command sources be coordinated in logical groups (Local Cert Store settings, or LDAP settings) so that overrides are not overly complex.

Direct commands in the SYSIN stream.

When accepted, these commands take precedence over other sources.

INCLUDE_CMD indirect reading of profile commands.

This is the method employed when you specify a file location through the SecureZIP Active DB Profile: field. When accepted, these commands take precedence over profiles read by the Defaults module, but may be overridden by SYSIN commands.


Defaults module indirect reading of profile commands.

This is the method employed when you specify UNDEFINED in the SecureZIP Active DB Profile: field.

Data Base (DB) Profile (Local Certificate Store)

During SecureZIP for z/OS processing that requires encryption intended for a RECIPIENT, the associated Public-key certificate(s) must be located. One way of designating which Public-key recipients to include is through the DB: form of the RECIPIENT command. This allows for recipient selection based on name or email address through a configured database of certificates on the system that is executing SecureZIP for z/OS.

Your technical support staff is responsible for configuring the local Certificate Store and should provide you with information on which profile dataset, typically a member of a Partitioned Data Set, to use. Below is a sample of the contents of the Data Base Profile.

* ------------------------------------------------- *
* Local zSeries development certificate store *
* ------------------------------------------------- *
-{CSPUB=4;1;SECZIP.CERTSTOR.PUBLIC}
-{CSPRVT=4;1;SECZIP.CERTSTOR.PRIVATE}
-{CSCA=1;1;SECZIP.CERTSTOR.PUBLIC(CAP7)}
-{CSROOT=1;1;SECZIP.CERTSTOR.PUBLIC(ROOTP7)}
-{CSPUB_DBX=SECZIP.CERTSTOR.PUBLIC.DBX}
-{CSPUB_DBX_PATH_CN=SECZIP.CERTSTOR.PATHCN}
-{CSPUB_DBX_PATH_EM=SECZIP.CERTSTOR.PATHEM}
-{CSPUB_DBX_PATH_PUBKEY=SECZIP.CERTSTOR.PATHPUBK}

LDAP Profile (Networked Certificate Store)

During SecureZIP for z/OS processing that requires encryption intended for a RECIPIENT, the associated Public-key certificate(s) must be located.

One way of designating which Public-key recipients to include is through the LDAP: form of the RECIPIENT command, which uses the LDAP interface to a directory server. This allows for recipient selection based on name, email address or other installation-configured LDAP fields. One or more LDAP compliant servers may be configured for searching.

The technical support staff responsible for configuring the LDAP compliant directory that stores certificates will provide you with information on which profile dataset, typically a member of a Partitioned Data Set, to use. Below is a sample of the contents of the file.

* ------------------------------------------------- *
* zSeries LDAP access *
* ------------------------------------------------- *
* ---
* Primary LDAP
* ---
-{LDAP=1;192.168.9.12;389;0;0;;;*EMAIL;| o=pkware,c=US,cn=user,dc=cosmos,dc=securezip,dc=com}
* ---

Recipient Searches

When RECIPIENT requests are made for either the Local Certificate Store ("DB:"), an LDAP ("LDAP:") or both ("SYSTEM:"), a set of search criteria are provided. The search criteria of E-mail address ("EM=" or "mail=") and Common Name ("CN=") are accepted by both the DB: and LDAP: service providers.

When multiple RECIPIENT requests are made, it is possible that two or more search criteria may resolve to the same recipient certificate. For example, if both EM= and CN= are used in different RECIPIENT (or MASTER_RECIPIENT) requests, then the same public key certificate may be found. The first entry found will be used, and any duplicate copies of the same certificate will be ignored, resulting in only one representation of that certificate.

A search for an individual by name or e-mail address may result in multiple digital certificates being located, whether from the same Certificate Store source or not. This means that more than one representation of an individual can be included in the run.

LDAP searching can be accomplished with direct RECIPIENT requests via "RECIPIENT(LDAP:search_criteria)" or implicitly with "-RECIPIENT(*system:search_criteria)". In both cases, the Certificate Store Configuration settings define the order in which the LDAP servers are to be searched. However, in the case of using "*system", local Certificate Stores are searched prior to any of the configured LDAPs.

When multiple stores are to be searched (*system: or LDAP:), all RECIPIENT requests are searched in one store before the next store is referenced. If a RECIPIENT request has one or more entries found in one Store, then subsequent Stores are not searched for that request. This means that it is possible for generic LDAP search criteria to bypass entries defined in subsequent LDAP servers. RECIPIENT requests that were not satisfied at all by the higher-level Store search will continue to be searched for.

Example: Search LDAPs for RECIPIENT matches

LDAP #1    0 entries    0 matches
LDAP #2    3 entries    3 matches

Add entry: LDAP #1 has an entry added matching RECIPIENT

LDAP #1    1 entry      1 match
LDAP #2    3 entries    0 matches
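The search order described above, worked through in Python as an added example (not PKWARE code). The Cert fields, the wildcard handling of generic criteria, and all names and addresses are constructed assumptions; shadowed() lists certificates that match a request but are never reached because a higher-priority store already satisfied it.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Cert:
    fingerprint: str  # constructed id standing in for the certificate itself
    cn: str
    email: str


def matches(cert, criterion):
    """Apply one CN= / EM= / mail= search criterion to a certificate."""
    field, _, pattern = criterion.partition("=")
    field = field.strip().upper()
    if field == "CN":
        value = cert.cn
    elif field in ("EM", "MAIL"):
        value = cert.email
    else:
        raise ValueError(f"unsupported search field: {field!r}")
    # Assumption: generic criteria are modelled as shell-style wildcards.
    return fnmatchcase(value.lower(), pattern.strip().lower())


def resolve(requests, stores):
    """Resolve RECIPIENT requests against stores given in search order.

    Returns (selected, unresolved); selected maps a fingerprint to
    (cert, store name, request that found it first).
    """
    selected = {}
    pending = list(requests)
    for store_name, certs in stores:
        unresolved = []
        # Every pending request is tried in this store before the next store.
        for request in pending:
            hits = [c for c in certs if matches(c, request)]
            if not hits:
                unresolved.append(request)  # carried on to the next store
                continue
            for cert in hits:
                # A certificate reached by two criteria is represented once.
                selected.setdefault(cert.fingerprint, (cert, store_name, request))
        pending = unresolved
    return selected, pending


def shadowed(requests, stores):
    """Certificates that match a request but sit behind the store that satisfied it."""
    selected, _ = resolve(requests, stores)
    report = []
    for request in requests:
        satisfied_by = None
        for store_name, certs in stores:
            hits = [c for c in certs if matches(c, request)]
            if satisfied_by is None:
                if hits:
                    satisfied_by = store_name
                continue
            report.extend((request, store_name, c.fingerprint, satisfied_by)
                          for c in hits if c.fingerprint not in selected)
    return report


# Constructed sample data mirroring the LDAP #1 / LDAP #2 example.
LDAP2 = [
    Cert("fp-a1", "Pat Example", "pat@example.test"),
    Cert("fp-a2", "Pat Example", "pat.example@example.test"),
    Cert("fp-a3", "Pat Example (Audit)", "audit@example.test"),
]
BEFORE = [("LDAP #1", []), ("LDAP #2", LDAP2)]
AFTER = [("LDAP #1", [Cert("fp-b1", "Pat Example Jr", "junior@example.test")]),
         ("LDAP #2", LDAP2)]
REQUEST = ["CN=Pat Example*"]

if __name__ == "__main__":
    for label, stores in (("before", BEFORE), ("after", AFTER)):
        chosen, _ = resolve(REQUEST, stores)
        print(label, sorted(chosen), "shadowed:", len(shadowed(REQUEST, stores)))
```

Running shadowed() against the configured store order before a production run shows when a generic criterion will encrypt for fewer recipients than intended.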

Local Certificate Stores

Access X.509 Public and Private Key Certificates

SecureZIP for z/OS introduces a new subtask, CSERV, that utilizes RSA’s BSAFE Cert-C Toolkit to access X.509 Public and Private key certificates. The access to the various certificate stores by this task is governed by various forms of the RECIPIENT, SIGN_ARCHIVE, SIGN_FILES and AUTHCHK commands, as well as by a suite of configuration commands.

The configuration commands are read either through SYSIN, INCLUDE_CMD(parmlib) or SECUREZIP_CONFIG specifications.

The syntax of the commands is -{ ... }. The semi-colon (;) is used as a parameter delimiter.

-{CSPUB=type;Seq;string PUB}
-{CSPRVT=type;Seq;string Prvt}
-{CSCA=type;Seq;string CA}
-{CSROOT=type;Seq;string Root}
-{CSPUB_DBX=vsam_cluster_base_index}
-{CSPUB_DBX_PATH_CN=vsam_path_through_AIX_for_Common_Name}
-{CSPUB_DBX_PATH_EM=vsam_path_through_AIX_for_Email_address}
-{CSPUB_DBX_PATH_PUBKEY=vsam_path_through_AIX_for_PublicKey}
-{AUTHENTICATE=TRUSTED,EXPIRED,REVOKED,TAMPERCHECK}
-{VALSIGN=TRUSTED,EXPIRED,NOTREVOKED}
-{VALENCRYPT=TRUSTED,EXPIRED,NOTREVOKED}
-{RESET}

Where:

type (*PATH 0) (FILE 1) (*DB 2) (*LDAP 3) (*PDS 4)

Seq 0 through 9 (Cert Store search order)

LDAP - timeout of 0 results in system settings

user of NULL or ";;" will use "anonymous" login

Certificate Store References -{CSxxx}

If not supplied through configuration changes, the defaults are:

{CSPUB=1;9;DUMMY}
{CSPRVT=1;9;DUMMY}
{CSCA=1;9;DUMMY}
{CSROOT=1;9;DUMMY}
{CSPUB_DBX=SECZIP.CERTSTOR.PUBLIC.DBX}
{CSPUB_DBX_PATH_CN=SECZIP.CERTSTOR.PATHCN}
{CSPUB_DBX_PATH_EM=SECZIP.CERTSTOR.PATHEM}
{CSPUB_DBX_PATH_PUBKEY=SECZIP.CERTSTOR.PATHPUBK}

The local zSeries certificate store for public key certificates (configuration settings for {CSPUB_...}), can be built as a PDS[E] indexing scheme for common name and email address searches. This is accomplished through a VSAM base cluster and a set of alternate index paths to access the appropriate field types.

The PDS[E] and the VSAM suite are managed as a unit and should not be manipulated independently from the supplied SecureZIP utilities. When no Public Key Store (CSPUB=) PDS[E] is specified, then the indexing (CSPUB_DBX...) files are not accessed.

The CSCA (Certificate Authority) and CSROOT (Trusted Root Certificate Authority) certificates are maintained in respective sequential files in X.509 PKCS#7 format.

Overrides to {CSxxx…} or {LDAP…} configuration commands can be done through input command streams or included members. However, care must be taken to coordinate overrides so that intermixed PATHS do not result in different databases or indexes being used when resolving the various search criteria.

Authentication and Certificate Validation Policies

Certificate validation may be done when activities in the following functional areas are performed:

Recipient based encryption

Archive or file signing

Authentication of digital signatures for files and/or archive directory

Validation policies are passed to SECZIP and SECUNZIP to govern various aspects of certificate validation at execution time. The policies are defined in configuration profile settings, and may also be included as override commands for individual executions of SECZIP and SECUNZIP.

The policy command settings are coded in the same format as other certificate store profile commands, with the syntax -{...}

Each functional area supports a single policy statement with its associated settings. The CERTSTORE Policy Setup panel will generate a policy statement for each functional area for use in the certificate store profile.

-{AUTHENTICATE=...}

-{VALENCRYPT=...}

-{VALSIGN=...}

{AUTHENTICATE} Policy

The {AUTHENTICATE} setting can be used within an include member that contains configuration commands, or within the standard command stream. It defines the level of processing that AUTHCHK commands will perform. The last AUTHENTICATE command found in the input stream will be used for processing and fully defines the signature authentication elements to be verified. The default settings may be changed by the SecureZIP administrator at any time. However, if this command is not supplied, all supported elements default to being checked. Elements include:

[NO]TAMPERCHECK – The signature associated with the archive or file(s) involved will be used to verify that the content has not been altered since the archive was built.

[NOT]EXPIRED – The digital certificates used to originally perform the signing operation contain internal date ranges of validity. The AUTHCHK operation will fail if any of the certificates in the trust chain are not found to be within their stated date range. Note that an end-certificate may have expired at the time that the archive is being accessed, and NOTEXPIRED may be used to continue processing.

[NOT]REVOKED – A certificate owner may request that the issuing certificate authority declare a certificate to be revoked and thereby no longer consider that certificate to be valid. The AUTHCHK operation will fail if any of the certificates in the trust chain are found to have been revoked or if the revocation status could not be determined.

[NOT]TRUSTED – Each end-certificate used in the signature must be traced back to a trusted root certificate. The CSCA and CSROOT stores on the local system performing the authentication check will be accessed to determine if the entire certificate chain can be trusted. Although the Root (“self-signed”) certificate may be included within the archive, it MUST also exist in the CSROOT store to complete the TRUSTED state.

{VALSIGN} Policy

The {VALSIGN} setting can be used within an include member that contains configuration commands, or within the standard command stream. It defines the level of processing that SIGN_FILES and SIGN_ARCHIVE commands will perform during SECZIP execution. The last VALSIGN command found in the input stream will be used for processing and fully defines the signing certificate elements to be verified. The default settings may be changed by the SecureZIP administrator at any time. However, if this command is not supplied, all supported elements default to being checked. Elements include:

[NOT]EXPIRED – The digital certificates used to originally perform the signing operation contain internal date ranges of validity. The AUTHCHK operation will fail if any of the certificates in the trust chain are not found to be within their stated date range. Note that an end-certificate may have expired at the time that the archive is being accessed, and NOTEXPIRED may be used to continue processing.

[NOT]REVOKED – A certificate owner may request that the issuing certificate authority declare a certificate to be revoked and thereby no longer consider that certificate to be valid. The AUTHCHK operation will fail if any of the certificates in the trust chain are found to have been revoked or if the revocation status could not be determined.

[NOT]TRUSTED – Each end-certificate used in the signature must be traced back to a trusted root certificate. The CSCA and CSROOT stores on the local system performing the authentication check will be accessed to determine if the entire certificate chain can be trusted. Although the Root (“self-signed”) certificate may be included within the archive, it MUST also exist in the CSROOT store to complete the TRUSTED state.

{VALENCRYPT} Policy

The {VALENCRYPT} setting can be used within an include member that contains configuration commands, or within the standard command stream. It defines the level of processing that RECIPIENT-based encryption requests will perform during SECZIP execution. The last VALENCRYPT command found in the input stream will be used for processing and fully defines the signing certificate elements to be verified. The default settings may be changed by the SecureZIP administrator at any time. However, if this command is not supplied, all supported elements default to being checked. Elements include:

[NOT]EXPIRED – The digital certificates used to originally perform the signing operation contain internal date ranges of validity. The AUTHCHK operation will fail if any of the certificates in the trust chain are not found to be within their stated date range. Note that an end-certificate may have expired at the time that the archive is being accessed, and NOTEXPIRED may be used to continue processing.

[NOT]REVOKED – A certificate owner may request that the issuing certificate authority declare a certificate to be revoked and thereby no longer consider that certificate to be valid. The AUTHCHK operation will fail if any of the certificates in the trust chain are found to have been revoked or if the revocation status could not be determined.

[NOT]TRUSTED – Each end-certificate used in the signature must be traced back to a trusted root certificate. The CSCA and CSROOT stores on the local system performing the authentication check will be accessed to determine if the entire certificate chain can be trusted. Although the Root (“self-signed”) certificate may be included within the archive, it MUST also exist in the CSROOT store to complete the TRUSTED state.

Be aware there are some conditions under which a certificate validation will fail because superfluous certificates are selected during a DB: search request. By marking a certificate entry in the local certificate store as "Suspended", DB: search requests will filter out the suspended entry from the request.

For example, assume the following:

A recipient command has been used with "DB:CN=Joe Smith,R", thereby requiring the certificate to be available for use for ZIP encryption.

VALENCRYPT=EXPIRED is active

The original certificate for Joe Smith is about to expire, and a new certificate for the same common name is acquired and installed to the certificate store

The older certificate may remain in the certificate store to resolve references to that recipient when viewing older archives. However, the sample DB: search request will return both certificates in the search for new encryption requests. Since the request is marked as “Required,” the older certificate will fail the validation and the ZIP encryption will fail.

By marking the older certificate as “Suspended” when the newer certificate is installed, subsequent DB: requests will only return the currently active certificate. The older one will still be available for VIEW processing of older archives that used it as a recipient.
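The certificate rollover case above, as an added pre-flight check (not PKWARE code) that lists the entries an administrator should mark Suspended before a Required request starts failing. The `IndexEntry` record, the member names and dates are constructed, and skipping a failed certificate on a non-Required request is an assumption the page does not state.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class IndexEntry:
    cn: str
    member: str            # constructed PDS member name
    not_after: date        # end of the certificate's validity range
    suspended: bool = False


def db_search(entries, cn):
    """DB:CN= search: entries marked Suspended are filtered out of the result."""
    return [e for e in entries if e.cn == cn and not e.suspended]


def select_for_encryption(entries, cn, required, today):
    """Apply the EXPIRED element of VALENCRYPT to every certificate the search returns.

    A Required request fails as a whole if any returned certificate fails.
    Assumption: on a non-Required request the failing certificate is skipped.
    """
    usable, failed = [], []
    for entry in db_search(entries, cn):
        (usable if entry.not_after >= today else failed).append(entry.member)
    if required and failed:
        raise ValueError(f"DB:CN={cn},R failed validation for: {', '.join(failed)}")
    return usable


def rollover_candidates(entries, today):
    """Expired, unsuspended entries whose common name also has a current certificate."""
    by_cn = {}
    for entry in entries:
        if not entry.suspended:
            by_cn.setdefault(entry.cn, []).append(entry)
    candidates = {}
    for cn, group in by_cn.items():
        expired = [e.member for e in group if e.not_after < today]
        if expired and len(expired) < len(group):
            candidates[cn] = expired
    return candidates


def sample_store():
    """Constructed index contents: Joe Smith has an old and a new certificate."""
    return [
        IndexEntry("Joe Smith", "JOEOLD", date(2024, 1, 31)),
        IndexEntry("Joe Smith", "JOENEW", date(2026, 1, 31)),
        IndexEntry("Al Smith", "ALSMITH", date(2025, 6, 30)),
    ]


if __name__ == "__main__":
    today = date(2024, 3, 1)
    store = sample_store()
    print(rollover_candidates(store, today))      # entries to suspend
    store[0].suspended = True                     # administrator suspends JOEOLD
    print(select_for_encryption(store, "Joe Smith", True, today))
```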

Other Profile Commands

{RESET} Clearing the Active Configuration

The {RESET} command can be used at the beginning of an include member that contains configuration commands, or within the standard command stream to “clear” all existing {CSxxx…} and {LDAP…} configuration commands that may have been previously loaded. This will help avoid mixed entries if an incomplete set of overrides is present. Remember that the defaults module may include settings for the configuration commands even if commands are not explicitly coded at run-time. The default settings may be changed by the SecureZIP administrator at any time.
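A profile audit built on the rules in this section (the last policy statement wins, an unsupplied policy defaults to all elements checked, {RESET} clears earlier {CSxxx…} and {LDAP…} commands), as an added example that is not PKWARE code. The handling of an element omitted from a supplied statement, the skipping of lines that start with `*`, and the high-level-qualifier consistency check are assumptions of this example; the sample streams are constructed.

```python
import re

COMMAND = re.compile(r"-?\{([^{}]*)\}")
POLICY_ELEMENTS = {
    "AUTHENTICATE": ("TRUSTED", "EXPIRED", "REVOKED", "TAMPERCHECK"),
    "VALSIGN": ("TRUSTED", "EXPIRED", "REVOKED"),
    "VALENCRYPT": ("TRUSTED", "EXPIRED", "REVOKED"),
}


def negated(element):
    """[NO]TAMPERCHECK takes the NO prefix; the other elements take NOT."""
    return ("NO" if element == "TAMPERCHECK" else "NOT") + element


def load_profile(streams):
    """Apply command streams in load order; return (stores, policies)."""
    stores, policies = {}, {}
    for text in streams:
        for line in text.splitlines():
            if line.lstrip().startswith("*"):     # assumption: '*' lines are comments
                continue
            for body in COMMAND.findall(line):
                key, _, value = body.partition("=")
                key = key.strip().upper()
                if key == "RESET":
                    stores.clear()                # clears {CSxxx} and {LDAP} settings only
                elif key in POLICY_ELEMENTS:
                    # the last statement found fully replaces any earlier one
                    policies[key] = {t.strip().upper() for t in value.split(",") if t.strip()}
                elif key.startswith(("CS", "LDAP")):
                    stores[key] = value.strip()
    return stores, policies


def effective_policy(policies, name):
    """Map each element of a policy to 'checked', 'disabled' or 'unspecified'."""
    elements = POLICY_ELEMENTS[name]
    if name not in policies:                      # command not supplied: all checked
        return {e: "checked" for e in elements}
    tokens = policies[name]
    state = {}
    for element in elements:
        if negated(element) in tokens:
            state[element] = "disabled"
        elif element in tokens:
            state[element] = "checked"
        else:
            state[element] = "unspecified"        # assumption: flag for manual review
    return state


def audit(stores, policies):
    """Return findings: mixed store qualifiers and any element not being checked."""
    findings = []
    hlqs = set()
    for value in stores.values():
        dsn = value.split(";")[-1]                # type;Seq;string or a bare dataset name
        if ".CERTSTOR." in dsn:
            hlqs.add(dsn.split(".CERTSTOR.")[0])
    if len(hlqs) > 1:
        findings.append("stores: mixed high-level qualifiers " + ", ".join(sorted(hlqs)))
    for name in POLICY_ELEMENTS:
        for element, state in effective_policy(policies, name).items():
            if state != "checked":
                findings.append(f"{name}: {element} {state}")
    return findings


# Constructed streams: a defaults set and an incomplete override member.
DEFAULTS = """\
* constructed defaults
-{CSPUB=4;1;SECZIP.CERTSTOR.PUBLIC}
-{CSPUB_DBX=SECZIP.CERTSTOR.DBX}
-{CSPUB_DBX_PATH_CN=SECZIP.CERTSTOR.PATHCN}
-{VALENCRYPT=TRUSTED,EXPIRED,REVOKED}
"""
OVERRIDE = """\
-{CSPUB=4;1;PKWARE.MVS.CERTSTOR.PUBLIC}
-{VALSIGN=TRUSTED,EXPIRED}
-{VALENCRYPT=TRUSTED,NOTEXPIRED,REVOKED}
"""

if __name__ == "__main__":
    for label, streams in (("no RESET", [DEFAULTS, OVERRIDE]),
                           ("with RESET", [DEFAULTS, "-{RESET}\n" + OVERRIDE])):
        print(label, audit(*load_profile(streams)))
```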

Execution Time

SecureZIP for z/OS is commonly run as a batch job step utility to place one or more files into a SecureZIP container (archive) prior to subsequent processing (such as transporting to an off-board system). Processing considerations when utilizing Recipient-based Encryption include:

Using INCLUDE_CMD to reference the Local Certificate Store configuration control records (created by the initial setup in Certificate Store Administration) in the SYSIN command stream

Using the RECIPIENT command to trigger certificate-based encryption. (Optionally, the RECIPIENT command used for extraction (decryption) may be referenced via INCLUDE_CMD to protect the password information contained within it).

Having dataset-level READ authority (via RACF or equivalent product) to the private-key certificate and referenced command files necessary to access the certificate

Performing JCL return code checking within the job stream after the SECZIP program has completed to test the success of Encryption/Decryption processing

Security Considerations

To ensure the continued integrity of private-key certificates within an organization, special attention should be paid to protecting access to them.

The X.509 PKCS#12 certificate format supported by SecureZIP has an inherent security mechanism designed to protect the private keys within the transportable certificate by way of an access password. This means that without the appropriate password, the private keys cannot be accessed from the private-key PKCS#12 digital certificate (on any system or location).

RACF READ authority (or equivalent) must be granted to the job accessing the certificate store, the X.509 certificate file and the referenced input stream containing the command that holds the certificate request (and the password for a private-key certificate).

To perform a decryption operation, SecureZIP for z/OS requires read access to the PKCS#12 private-key certificate (file or PDS member), as well as a command (RECIPIENT) containing the corresponding password. Similarly, the signing and authentication commands (SIGN_ARCHIVE, SIGN_FILES and AUTHCHK) may reference private keys. The following should be considered when using SecureZIP to access private keys:

Password information will be masked out in SecureZIP SYSPRINT output.

If jobstream inputs can be viewed by operational staff members, then an indirect reference to the command(s) containing the password should be considered.

Read protection of command files containing passwords

Read protection of PKCS#12 certificate files

Optionally use ECHO=N within the command sequence to eliminate the command from showing in the SYSPRINT output.

SecureZIP administrative certificate files are located within the INSTLIB2 dataset and must be available for some administrative functions. Read access should be provided to the SecureZIP administrator for this library as the create and verification processes will fail if the library is not accessible.

4 Certificate Store Management

The ISPF panels in this chapter are used to build and maintain the SecureZIP for z/OS certificate store. These panels are not part of the separately licensed feature “ISPF”. They are standard with SecureZIP for z/OS.

SecureZIP Main Panel—Access to the Certificate Stores

SecureZIP Version 9.0
Option ===>
C   Config          Modify Run-time Configuration Settings
ZD  Zip Defaults    Modify Default ZIP Command Settings
UD  Unzip Defaults  Modify Default UNZIP Command Settings
U   Unzip           Decompress, Decrypt, Authenticate File(s) in an Archive
V   View            Display the Contents of a Zip Archive
Z   Zip             Compress, Encrypt, Sign File(s) into a Zip Archive
S   Sysprint        Browse Log of Last Foreground Execution
M   Messages        Message ID lookup
A   Administration  Administration Services and Reference Information
For HELP Press PF1
Release Date: 06/26/2006 07.22 LVL(0)

To access the certificate store administration and configuration, enter “A” in the Option field from the main SecureZIP panel; then enter “CS” from the main SecureZIP Administration panel.

SecureZIP Certificate Store Administration and Configuration

Local certificate store

SecureZIP for z/OS provides access to both public and private key certificates through a set of local files, either PDS or PDSE, and VSAM index paths. The composite of these elements is known as recipient database access.

LDAP certificate store

SecureZIP for z/OS also provides access to public key certificates located in an external LDAP (Lightweight Directory Access Protocol) server via a TCP/IP network connection.

x.509 certificate information

SecureZIP for z/OS also provides identification of and simulation with certificates prior to including them in your local certificate store.

Each certificate store is described in detail below.

Local Certificate Store Administration

This section assists with allocating the components necessary to support the local DB, as well as administer the certificates within it.

SecureZIP for z/OS provides access to both public and private key certificates through a set of local files, PDS or PDSE, and index paths. The files and VSAM indexing components (Cluster, Alternate Indexes and Paths) must be allocated and synchronized.

The following administration phases should be planned for:

Initial Setup: A one-time initialization of the local certificate store datasets. This is initiated through the SecureZIP ISPF Dialogs and is performed by a generated batch job stream. Certificate store datasets are allocated and initialized for future use. In addition, a set of run-time configuration control records is generated for run-time access by SecureZIP.

Certificate Administration: The addition of new certificates to be used for encryption must be periodically performed as new exchange partners are identified. Installation of the certificates may be performed either through ISPF dialog foreground (manual) processing, or via a batch job stream. The following certificate administration actions must be accounted for:

One or more public-key certificates must be available for use when a RECIPIENT encryption operation is performed (when updating an archive). These digital certificates may be placed into MVS datasets (or PDS members) on the system that will be used to perform the encryption.

A private-key certificate must be available for use when a decryption operation is performed (either during extract processing, or when accessing an archive that has been protected with Filename Encryption). Corresponding RECIPIENT command instructions with the associated private-key certificate password must also be prepared for run-time access.

In order to complete the above tasks, digital certificate data must be made available to the activating system in the form of sequential files:

o Private-key certificates in PKCS#12 format (.PFX DSN suffix)

o Certificate Authority and Root Certificates in DER or B64 format (.CER DSN suffix)

PartnerLink SecureZIP Partner: Supplemental administration activities unique to SecureZIP Partner for z/OS are covered in the section “PartnerLink Certificate Store Administration and Configuration” in chapter 6.

A configuration profile is a collection of SecureZIP for z/OS commands that describe the collection of components. At execution time this profile is read to locate the appropriate stores and index.

SecureZIP Certificate Store Administration
Option ===>
Select one of the following options and press Enter:
1 Local Certificate Store Administration
2 LDAP Certificate Store Configuration
3 x.509 Certificate Utilities

To access the local certificate store administration and configuration, enter “1” in the Option field.

SecureZIP Local Certificate Store

SecureZIP Local Certificate Store
Option ===>
Local Certificate Store Administration
1 View Certificate Entries (ISPF Table)
2 List Certificate Entries
3 Add new Certificates
4 Delete a Certificate
5 Synchronize/Verify Local Store Certificates
6 Report Statistics
7 Edit Active Profile
8 Supplemental Administration Utilities
Create Define and Initialize a New Local Certificate Store
CRL Work with Certificate Revocation Lists
Active Store Configuration: 'PKWARE.MVS.JCL(DBPROF)'
-{CSPUB=4;1;SECZIP.CERTSTOR.PUBLIC}
-{CSPRVT=4;1;SECZIP.CERTSTOR.PRIVATE}
-{CSPUB_DBX=SECZIP.CERTSTOR.DBX}
-{CSPUB_DBX_PATH_CN=SECZIP.CERTSTOR.PATHCN}
-{CSPUB_DBX_PATH_EM=SECZIP.CERTSTOR.PATHEM}
-{CSPUB_DBX_PATH_PUBKEY=SECZIP.CERTSTOR.PATHPUBK}

This is the main local certificate store panel. It will guide you in establishing your local cert-store environment. To create a new local certificate store database, enter “CREATE” in the Option field.

Create a New Local Certificate Store DB

SecureZIP Local Certificate Store
Option ===>
Create and Prime New Local Certificate Store
Fill in the required information below using the DOWN PFK to complete all fields, including storage management options if necessary. Then Press ENTER to generate the create JCL.
Batch Job Card information:
//SECZIP81 JOB 'SEZIP82',CLASS=A,REGION=8M,
// MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID
//*
High-Level Qualifier(s): PKWARE.MVS (up to 20 characters)
A set of PDS/PDSE datasets, VSAM Clusters, Alternate Indexes and PATHs will be allocated by the JOB. All components of the store must be allocated in the form: hlqs...CERTSTOR.type
New Store Configuration Profile: 'PKWARE.MVS.JCL(DBPROF)'
For example: 'PKWARE.MVS.PARMLIB(CERTCFG1)'
Specify the PDS and member where the run-time configuration commands are to be placed for SecureZIP. The PDS dataset and/or member will be allocated if they do not already exist. If the PDS member already exists, it will be overwritten.
This member is to be referenced in SecureZIP runs requiring requests from the Local Certificate Store via -RECIPIENT=DB
This may be achieved in one of the following ways:
1. Use -INCLUDE_CMD=dsname(member) in the command stream for an individual run.
2. Specify this dataset in the DB Profile field of each user's SecureZIP Runtime Configuration panel.
3. Specify this dataset in the SECUREZIP_CONFIG= parameter of the SecureZIP defaults module (ACZDFLT) to make it effective as a default for all users.
Specify SMS/non-SMS allocation parameters
Management class . . . (Blank for default management class)
Storage class . . . . (Blank for default storage class)
Data class . . . . . . (Blank for default data class)
Volume serial . . . . (Specify for NON sms volume)
Device type . . . . . (Specify for NON sms volume)

This panel will set up the job stream to create the public, private, CA and root certificate stores, the data base, all corresponding paths, and the data base profile.

The public, private, CA and root certificate stores, and the DB profile are PDS files. The data base is a VSAM cluster with alternate index paths. The certificate stores are initialized with 1 CA, 1 root, four public and four private certificates in their respective stores. The password for those private certificates is PKWARE.

New Data Base Profile

The profile is used to read the configuration commands to allow access to the certificates during execution of SecureZIP for z/OS in either ZIP or UNZIP operations. If the data base profile does not exist, one will be dynamically allocated. If it exists you will see the message “Profile Exists” in the upper right corner of the screen.

The data base profile follows the standard PDS dataset name format: datasetname(membername).

High-Level Qualifier

The high-level qualifier (hlq) is used to prefix the certificate stores as well as all components of the database. Multiple nodes are acceptable.

For the certificates, the PDS names are:

hlq.CERTSTOR.PUBLIC
hlq.CERTSTOR.PRIVATE

For the Data Base, the names are:

hlq.CERTSTOR.DBX
hlq.CERTSTOR.DBXCN
hlq.CERTSTOR.DBXEM
hlq.CERTSTOR.DBXPUBK
hlq.CERTSTOR.PATHCN
hlq.CERTSTOR.PATHEM
hlq.CERTSTOR.PATHPUBK
hlq.CERTSTOR.P7CA
hlq.CERTSTOR.P7ROOT
hlq.CERTSTOR.P7CRL

Batch Job Card information

This is the JOB Card to be used for the batch run.

Certificate Validation Options

When you are satisfied with the parameters you have entered, press ENTER and enter Y or N into the associated certificate validation fields.

SECUREZIP CERTSTORE Policy Setup
Command ===>
Specify whether certificate validation should be performed for each phase of processing ( Y or N ). Press PF1 for detailed information.
Encryption:      Y Trusted  Y Expired  Y Revoked
Signing:         Y Trusted  Y Expired  Y Revoked
Authentication:  Y Trusted  Y Expired  Y Revoked  Y Tampercheck
The configuration profile for certificate store access also defines default policy settings to be used for certificate validation. Certificates may be validated for use during RECIPIENT selection for Encryption, Signing Certificate selection (SIGN FILES/SIGN ARCHIVE), and Authentication (AUTHCHK) processing.

Generated JCL to Build the Initial Certificate Store

When you are satisfied with the parameters you have entered you would then press ENTER. An Edit session will be created for you to review and submit to generate the certificate store.

File Edit Edit_Settings Menu Utilities Compilers Test Help
--------------------------------------------------------------------------------
********************************* Top of Data ****************
//FPDCS1 JOB 'ACCOUNTING INFO',CLASS=A,REGION=8M,
// MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID
//*
//******************************************************************
//* PLEASE BE SURE PROCEDURE PKISPF IN INSTLIB HAS BEEN TAILORED *
//* TO MEET YOUR SITES SPECIFICATIONS. *
//******************************************************************
// JCLLIB ORDER=PKWARE.MVS.INSTLIB
//JOBLIB DD DISP=SHR,DSN='PKWARE.MVS.LOAD'
//*
//* GENERATED JCL TO BUILD INITIAL CERTIFICATE STORE
//* DELETE OLD CERTIFICATE STORE
//DELCERT EXEC PGM=IEFBR14
//DPUB DD DISP=(MOD,DELETE,DELETE),SPACE=(TRK,(0)),
// DSN=PKWARE.MVS.CERTSTOR.PUBLIC
//DPRV DD DISP=(MOD,DELETE,DELETE),SPACE=(TRK,(0)),
// DSN=PKWARE.MVS.CERTSTOR.PRIVATE
//* CREATE PUBLIC CERTIFICATE STORE
//COPYIN EXEC PGM=IEBCOPY
…………………………………….

After you have SUBmitted the JOB and then pressed PF3 to end the Edit session, the following screen appears.

****************************** Top of Data *******************************
***
* LOCAL CERTIFICATE STORE CONFIGURATION CONTROL
*
* Include this member in SecureZIP runs requiring Local Certificate
* Store RECIPIENTS, SIGN_ARCHIVE, SIGN_FILES and AUTHCHK signatories.
***
-{CSPUB=4;1;PKWARE.MVS.CERTSTOR.PUBLIC}
-{CSPRVT=4;1;PKWARE.MVS.CERTSTOR.PRIVATE}
-{CSPUB_DBX=PKWARE.MVS.CERTSTOR.DBX}
-{CSPUB_DBX_PATH_CN=PKWARE.MVS.CERTSTOR.PATHCN}
-{CSPUB_DBX_PATH_EM=PKWARE.MVS.CERTSTOR.PATHEM}
-{CSPUB_DBX_PATH_PUBKEY=PKWARE.MVS.CERTSTOR.PATHPUBK}
-{CSCA=1;0;PKWARE.MVS.CERTSTOR.P7CA}
-{CSROOT=1;0;PKWARE.MVS.CERTSTOR.P7ROOT}
-{CSCRL=1;0;PKWARE.MVS.CERTSTOR.P7CRL}
-{AUTHENTICATE=TRUSTED,EXPIRED,REVOKED,TAMPERCHECK}
-{VALSIGN=TRUSTED,EXPIRED,REVOKED}
-{VALENCRYPT=TRUSTED,EXPIRED,REVOKED}
****************************** Bottom of Data ****************************

This is the data base profile that will be saved in the dataset and member you specified. It is used to read the configuration commands to allow access to the certificates during execution of SecureZIP for z/OS in either ZIP or UNZIP operations.

View Data Base Certificate Entries

You can view details about a certificate.

SecureZIP Local Certificate Store
Option ===>
View Data Base Certificate Entries
Active Store Configuration: 'PKWARE.MVS.JCL(DBPROF)'
Select one or more types for viewing: (Default is all)
  Public  Private  Certificate-Authority  Root
Optional Search Criteria:
  Search String:
  Search Fields: ALL (CN/EM/ALL)
  Case Sensitive: N (Y/N)
Filters:
  Exclusion - Do not show certificates with the following characteristics.
    Revoked  Suspended  Expired  Not Trusted
  Inclusion - Show certificates only having the specific indicators.
    Encryption  Signing

This panel will create a data base table display using the criteria entered in the fields. The table view will provide an opportunity to select individual entries for various actions.

Active Store Configuration

The data base to be operated upon.

Select Types: This is a report filter that you can use to select the types of certificates to report on. You may report on all certificates in the store by pressing Enter (Default) or selecting a specific type(s).

Public key (CER) end-entity certificates will be included from the certificate store index.

Private key (PFX) end-entity certificates will be included from the certificate store index.

Certificate-authority (P7B) intermediate issuing certificates will be displayed from the active x.509 CA store data set.

Root (P7B) self-signed issuing certificates will be displayed from the active x.509 root store data set.

Search String

Enter a string of characters to be used as a filter, listing only those certificates containing a match for the string. Leave this field blank if no filtering is desired.

Search Fields

Enter ALL, CN (common name) or EM (Email address).

Case Sensitive

Specify whether the search string should be case sensitive.

Filters

Filters can be useful in viewing qualified certificates in the local certificate store. The filters may be used in combination with other type and search criteria to further restrict the number of entries returned.

The Exclusion filters will eliminate entries known to have failed the specified characteristic (based on the information held in the index). For example, index entries marked as “Revoked” by the System Administration Validate function will fail the “Revoked” policy test when an attempt is made to use them for signing or encryption. This filter will assist in locating certificate entries that are known to have never failed the Validation test. However, it does not guarantee that the trust chain is currently intact within the certificate store configuration. (The system administrator may not have run the Validate service request against the certificate).

The Inclusion filters will assist in identifying certificates issued for a specific purpose. However, certificates issued without the designated use flag will be eliminated from the display. Your enterprise must obtain certificates specific to the qualifications from a certificate authority for this filter to be of use.

Be aware that when a certificate validation policy is set for a given SecureZIP action such as Encryption, Signing or Authentication, a dynamic check against the live certificate store is performed in lieu of the database index record settings. This means that multiple certificates identified by a CN= or EMAIL= search may still be identified at run-time and be flagged as unusable based on the policy in force. When records are no longer desired to be referenced at run-time because they are Expired, Revoked, or Not Trusted, the system administrator should mark the entries as Suspended.

PKCSV001 SecureZIP View Certificate Store Row 1 to 10
Command ===> SCROLL ===> CSR
Certificate Database: 'SECZIP.NEWDB.CERTSTOR.DBX'
Primary commands: LOCATE , SORT and SAVE.
Scroll RIGHT or LEFT for more information.
Enter line command or '/' for list of valid line commands.
Cmd  Type  Common Name
-------------------------------------------------------------------
/_   CER   Al Smith
__   CER   Bill Jones
__   CER   Kevin Johnson
__   CER   Mark Arrow
__   CER   Matt Brewster
__   CER   Michael Stanley
__   CER   PKWARE Test1
__   PFX   PKWARE Test1
__   CER   PKWARE Test2
__   PFX   PKWARE Test2

Valid Line Commands

SecureZIP Certstore Line Commands
Command ==>
Action: I
D    Delete Certificate
I    Detailed Certificate Information
EX   Edit Certificate Index information
VAL  Validate Certificate
RC   Generate -RECIPIENT command based on Common Name
RE   Generate -RECIPIENT command based on Email Address
SAC  Generate -SIGN_ARCHIVE command based on Common Name
SAE  Generate -SIGN_ARCHIVE command based on Email Address
SFC  Generate -SIGN_FILES command based on Common Name
SFE  Generate -SIGN_FILES command based on Email Address
AAC  Generate -AUTHCHK archive command based on Common Name
AAE  Generate -AUTHCHK archive command based on Email Address
AFC  Generate -AUTHCHK files command based on Common Name
AFE  Generate -AUTHCHK files command based on Email Address
SUS  Suspend a certificate from use
The Generate option(s) will place the commands to a memory clipboard for a subsequent SAVE command.

Specifying “D” will remove the specified certificate from your local store. Please be aware that deleting certificate authority and/or root certificates will prevent authentication processing from completing a TRUST check operation.

Before permanently removing the certificate from the local store, SecureZIP will prompt the user with the following screen:

Confirm Certificate Delete
Active DB Profile: 'PKWARE.MVS.PROFILE(CERTCFG1)'
Certificate to be deleted:
Location= 1
Name = Class 3 Public Primary Certification Authority
Serial #= 02CDBA356FFDWE4BC54FE22ACBA72A325
Note: Certificates that are issued by the certification authorities or any lower level certification authorities will no longer be trusted.
Press ENTER to continue or PF3 to exit without deleting the certificate.

Requesting “I” generates and displays a report with additional information about the certificate.

Certificate Summary
===================
Certificate Location //'SECZIP.NEWDB.CERTSTOR.PUBLIC(PUB1CERT)'
Installed: 2005/10/20 by: INSTALL
-RECIPIENT(DB:CN=PKWARE Test1,PASSWORD=-)
CN=PKWARE Test1
[email protected]
Issuer=
Valid Dates=04/14/2004-04/13/2024

Certificate Details
===================
PKDecode64_Certs found Dcode
--- Certificate --- PKWARE Test1
Subject:
  C=US
  OU=Certification Services
  CN=PKWARE Test1
  [email protected]
Issuer:
  C=US
  OU=Certification Services
  CN=PKWARE Test1
  [email protected]
SerialNumber: 00
NotBefore: Wed Apr 14 13:20:41 2004
NotAfter: Sat Apr 13 13:20:41 2024
SHA-1 Hash of Certificate:
  DF 31 1E 8D DF 02 BD 0C 7C 4A 75 72 00 CA 03 6D 68 95 49 C9
Public Key Hash:
  83 0A 0A E9 DB F0 49 69 54 76 38 62 12 6E CE 7A 34 BB 7A 56
Self Signed

The following table explains fields of certificate details in the display.

Heading Description

Subject Information about the entity to whom the certificate was issued.

Issuer Information about the entity that issued the certificate

Serial Number Serial number of the certificate

NotBefore/NotAfter Date range for which the certificate is valid

SHA-1 Hash of Certificate The SHA-1 algorithm hash, or “thumbprint,” of the certificate

Public Key Hash The hash or “thumbprint,” of the public key

Key Usage Key usage flags that determine how the certificate was intended to be used.

The public key hash value is the prime key used in the local certificate store index.

The Issuer fields are composed of several X.509 subfields. The exact set varies; the following table describes some of the most commonly used.

Code Description

O Organization

OU Organizational Unit

CN Common Name

E Email address

C Country

ST State or Province

L Locality or City

The Common Name (CN) and Email (E) fields can be searched to identify Recipients.

By entering “EX” from the SecureZIP Line Commands panel, you may edit the certificate index information such as the certificate member name. See resulting screen below:

Edit Certificate Index Information
Active DB Profile: 'PKWARE.MVS.PROFILE(CERTCFG1)'
Certificate Path: //'PKWARE.MVS.CERTSTOR.PUBLIC(PUB4CERT)'
Common Name: PKWARE Test4
Email Address: [email protected]
Certificate PDS member name: PUB4CERT
The member name may be changed here. The Certificate Store index will be updated to reflect the new location.
Press ENTER to process, or END to return.

If you request “VAL”, SecureZIP validates the certificate by using the current -{VALENCRYPT=...} setting in the profile. It generates a -RECIPIENT(...,R,PASSWORD=pppppp) command and runs SecureZIP for both ZIP and TEST. Please be aware that, if -{VALENCRYPT=} is not active, the certificate will always pass the validation check.

You may also generate and save commands for the RECIPIENT, SIGN_ARCHIVE, SIGN_FILES and AUTHCHK (archive and/or file) parameters. For example, by selecting RC, you will see the –RC appear on the far right of the screen (see below):

Command ===> SCROLL ===> PAGE
Certificate Database: 'PKWARE.MVS.CERTSTOR.DBX'
Selection Mode: Administration
Primary commands: LOCATE , SORT and SAVE. Scroll RIGHT or LEFT for more info.
Enter line command or '/' for list of valid line commands.
Cmd Type Common Name
-------------------------------------------------------------------------
CER PKWARE Test4 -RC

Enter SAVE on the command line to save the command string to a PDS member where you will decide if the saved command is to be used for ZIP or UNZIP processing (see below):

Command ===>
Select (/) the recipient list store you wish to use:
Member names can be changed on the next screen.
/ ZIP ==> 'SECZIP.PKWARE.PROFILE($RECIPS)'
UNZIP/View==> UNDEFINED (Also used for View)
Press ENTER to process - Enter END or press PF3 to exit

Upon selecting the appropriate data set and member name, insert a forward slash “/” next to the desired options (see below):

Save a Recipient List
Command ===>
Save Recipient List in:
Data set name ==> 'SECZIP.PKWARE.PROFILE'
Member Name ==> $RECIPS
Enter "/" to select options
Replace an existing member
Member list
Edit/View the saved list
/ Make this list your active list.
Press ENTER to process - Enter END or press PF3 to exit

Once you’ve made your selection(s), press ENTER, and you will have successfully saved the RECIPIENT command to a PDS member:

BROWSE SECZIP.PKWARE.PROFILE($RECIPS) - 01.01
Command ===>
****** ******************************* Top of Data ************************************
000001 -RECIPIENT(DB:CN=PKWARE Test4)
****** ****************************** Bottom of Data **********************************

By requesting SUS, you effectively suspend a certificate from use. As discussed above, if certificates are no longer desired to be referenced at run-time because they are expired, revoked, or not trusted, the system administrator should mark the entries as “Suspended.”

To re-enable or “unsuspend” the certificate, enter “UNS” next to the appropriate certificate.

Please note that a suspended certificate is still available for VIEW processing of older archives that used it as a recipient.

List Data Base Certificate Entries

SecureZIP Local Certificate Store
Option ===>
List Data Base Certificate Entries
Active DB Profile: 'PKWARE.MVS.JCL(CERTCFG1)'
List Public, Private or Both: BOTH
For filtering report, output can be limited to Public or Private. Default is both (no filtering).
Sort Report by; Common name, Email, Path:
Enter CN for Common Name, EM for Email, PA for Path. Default is physical order of database (public hash).
Press ENTER to continue.

This panel will run the data base report of the selected data base using the criteria entered in the fields. The report will be run in foreground and an ISPF browse session will be invoked to allow you to review the report.

Active Data Base Profile

The data base to be reported upon.

List Public, Private or Both

This is a report filter that you can use to select the type of report. You may report on all certificates in the store by specifying “BOTH”, only the private certificates by specifying “PRIVATE”, or only the public certificates by specifying “PUBLIC”. Each command can be abbreviated down to the first two characters.

Sort Report

The report can be sorted by common name, email, path, or be allowed to default to public hash, in which case no actual sort takes place. The commands can be abbreviated as follows: Common Name - CN, Email - EM, Path - PA.

Example of a report in physical order (no sort)

000001 IDC0005I NUMBER OF RECORDS PROCESSED WAS 4
000002 Certificate Data Base Report for 'PKWARE.MVS.CERTSTOR.DBX'
000003 ---------------------------------------------------------------------
000004 Public Certificate
000005 Public Key Hash 39A01D5F31B3455B69195AE3A1AF81BED3B28C51
000006 Common Name PKWARE Test2
000007 Common Name Hash 6DE947807CDCFF6B2996BEA359BF39FEB009958B
000008 Email [email protected]
000009 Email Hash 1C6D2FBA039AE4B91E4199E0F9A71B4F46D30AF1
000010 Path //'PKWARE.MVS.CERTSTOR.PUBLIC(PUB2CERT)'
000011 ---------------------------------------------------------------------
000012 Public Certificate
000013 Public Key Hash 830A0AE9DBF0496954763862126ECE7A34BB7A56
000014 Common Name PKWARE Test1
000015 Common Name Hash F8D28D6D8291BBB2BC69561188EADAC9DCE01858
000016 Email [email protected]
000017 Email Hash A236B17D27B439CAB2EBB8FCE98500D10332E157
000018 Path //'PKWARE.MVS.CERTSTOR.PUBLIC(PUB1CERT)'
000019 ---------------------------------------------------------------------
000020 Private Certificate
000021 Public Key Hash 39A01D5F31B3455B69195AE3A1AF81BED3B28C51
000022 Common Name PKWARE Test2
000023 Common Name Hash 6DE947807CDCFF6B2996BEA359BF39FEB009958B
000024 Email [email protected]
000025 Email Hash 1C6D2FBA039AE4B91E4199E0F9A71B4F46D30AF1
000026 Path //'PKWARE.MVS.CERTSTOR.PRIVATE(PVT2CERT)'
000027 ---------------------------------------------------------------------
000028 Private Certificate
000029 Public Key Hash 830A0AE9DBF0496954763862126ECE7A34BB7A56
000030 Common Name PKWARE Test1
000031 Common Name Hash F8D28D6D8291BBB2BC69561188EADAC9DCE01858
000032 Email [email protected]
000033 Email Hash A236B17D27B439CAB2EBB8FCE98500D10332E157
000034 Path //'PKWARE.MVS.CERTSTOR.PRIVATE(PVT1CERT)'
000035 ---------------------------------------------------------------------

Example of a report in order by Email address

****** ******************************************************* Top of Da
000001 IDC0005I NUMBER OF RECORDS PROCESSED WAS 4
000002 Certificate Data Base Report for 'PKWARE.MVS.CERTSTOR.DBX'
000003 -----------------------------------------------------------------
000004 Public Certificate
000005 Public Key Hash 830A0AE9DBF0496954763862126ECE7A34BB7A56
000006 Common Name PKWARE Test1
000007 Common Name Hash F8D28D6D8291BBB2BC69561188EADAC9DCE01858
000008 Email [email protected]
000009 Email Hash A236B17D27B439CAB2EBB8FCE98500D10332E157
000010 Path //'PKWARE.MVS.CERTSTOR.PUBLIC(PUB1CERT)'
000011 -----------------------------------------------------------------
000012 Private Certificate
000013 Public Key Hash 830A0AE9DBF0496954763862126ECE7A34BB7A56
000014 Common Name PKWARE Test1
000015 Common Name Hash F8D28D6D8291BBB2BC69561188EADAC9DCE01858
000016 Email [email protected]
000017 Email Hash A236B17D27B439CAB2EBB8FCE98500D10332E157
000018 Path //'PKWARE.MVS.CERTSTOR.PRIVATE(PVT1CERT)'
000019 -----------------------------------------------------------------
000020 Private Certificate
000021 Public Key Hash 39A01D5F31B3455B69195AE3A1AF81BED3B28C51
000022 Common Name PKWARE Test2
000023 Common Name Hash 6DE947807CDCFF6B2996BEA359BF39FEB009958B
000024 Email [email protected]
000025 Email Hash 1C6D2FBA039AE4B91E4199E0F9A71B4F46D30AF1
000026 Path //'PKWARE.MVS.CERTSTOR.PRIVATE(PVT2CERT)'
000027 ---------------------------------------------------------------------
000028 Public Certificate
000029 Public Key Hash 39A01D5F31B3455B69195AE3A1AF81BED3B28C51
000030 Common Name PKWARE Test2
000031 Common Name Hash 6DE947807CDCFF6B2996BEA359BF39FEB009958B
000032 Email [email protected]
000033 Email Hash 1C6D2FBA039AE4B91E4199E0F9A71B4F46D30AF1
000034 Path //'PKWARE.MVS.CERTSTOR.PUBLIC(PUB2CERT)'
000035 ---------------------------------------------------------------------

Add a Certificate to the Local Store

The following instructions detail how to add new public and private keys to the local certificate store. Please note that when performing certificate administration add or delete activities, SecureZIP will write change activity messages to the ISPF LOG if it is active. If an historical record of certificate store changes is desired, be sure to set the ISPF log data set defaults in the Log/List Settings panel to allocate and retain the LOG data set.

Add New Certificate to the Local Store

SecureZIP Local Certificate Store
Option ===>
Add new Certificate to the Local Store
Active Store Configuration: 'SECZIP.FPD.PROFILES(DBPROF)'
Specify Certificate sub-store to be updated:
1 - Public Certificate Store - "CER"
2 - Private Certificate Store - "PFX"
3 - Intermediate Certificate Authorities - "CER" or "P7B"
4 - Trusted Root Certificate Authorities - "CER" or "P7B"
Press ENTER to identify the certificate source file.
The Local Certificate Store is organized into 4 sub-stores. When importing new certificates, you must indicate which section is to be updated based on the type of x.509 certificate file is being used as input. The annotated suffixes are provided as a guide to help identify the type of source file being imported. The suffix of the data set name is not required, nor is it analyzed during the import process.

This panel is used to select the type of certificate to be added to the local certificate store.

Specify Certificate sub-store to be updated

Enter the number representing the certificate to be added.

SecureZIP Local Certificate Store
Option ===>
Add new Public Key Certificate to the Local Store
Active Store Configuration: 'SECZIP.FPD.PROFILES(DBPROF)'
Input Certificate PDS/File:
Enter the full PDS/Sequential file name of the source certificate.
Certificate PDS member name:
Enter an optional member name for ease of reference, such as 3 initials plus the year that the certificate was issued in. If left blank, a name will be generated of the form GENnnnnn.
Press ENTER to continue.

This panel is for adding public key certificates to the local cert store and Data Base.

Input Certificate PDS or File

A sequential file or member of a PDS can be used as input. All members of a PDS can be copied by entering (*) for the member name.

For private Certificate(s), enter password

Password is required for private certificate store.

Output Certificate PDS member name

For a sequential file or a single PDS member addition, the certificate store member name can be chosen; otherwise the store member name will be generated. If an entire PDS is used as input then the inputted PDS member names will be used.

Add a New Certificate to the CA Store

This panel is for adding certificate authority certificates to the store.

Active Store Configuration:|PKSDBPRF
Input Certificate File:_srcfile
Enter the full file name of the source certificate(s).
For example: your.instlib2.library(castore)
Input Certificate Type :_pksctype
Enter the file type to be imported. Either CER or P7B
Note: Before you install this certificate you must verify that the certificate is actually from the certification authority and can be trusted. You should install the certificate only once you have confirmed its authenticity. Once you install the certificate, SecureZIP will use it to complete future certificate Trust Chain validation processing associated with the certification authority. If you install this certificate without confirming the autheticity you may be creating a security risk.
Press ENTER to continue or PF3 to exit without adding the certificate

Add a New Trusted Root Certificate to the Root Store

This panel is for adding trusted root certificates to the store.

Add new Trusted Root to the Local Store More: +
Warning: The certificates are from a certification authority (CA) claiming to represent the organizations that will be displayed on the next screen. Once you install the certificate, SecureZIP will use it to complete future certificate Trust Chain validation processing associated with the certification authority.
Note: Before you install the certificate you must verify that the certificate is actually from the certification authority and can be trusted. You should install the certificate only once you have confirmed its authenticity. To do this, you should contact the CA listed to verify the certificate autheticity. To help you in your verification please use the Thumbprint HASH. If you install this certificate without confirming the authenticity you may be creating a security risk.
Input Certificate File: 'SECZIP.FPD.SEC.PKTICAF.CRT'
Enter the full Sequential file name of the source certificate(s).
For example: your.instlib2.library(rtstore)
Input Certificate Type :
Enter the file type to be imported. Either CER or P7B
Backup Copy . . . : N ( Y - Copy Store Before Update, N - No Copy)
Backup DSN. . . : 'FPD.PKWARE.BACKUP.CERTSTOR'
Press ENTER to continue or PF3 to exit without adding the certificate

The following message will appear prior to adding any root certificate:

Warning: The certificates are from a certification authority (CA) claiming to represent the organizations that will be displayed on the next screen. Once you install the certificate, SecureZIP will use it to complete future certificate Trust Chain validation processing associated with the certification authority.

Review the warning and enter the source file of the root certificate along with the type of certificate.

If you would like to back up your existing root store, place a Y in the Backup Copy field and enter a dataset to be used to hold the root store.

After reviewing the data presented on the next screen, you will then enter SAVE to process the root certificate.

A table of certificates to be added will be displayed. You will use this information to verify the authenticity of the certificates. Once that has been completed, enter SAVE on the command line, or press PF3 to stop the add.

Certificate Source:#tbsource
CA Store :#tbcsca
ROOT Store :#tbcsroot
If you install the certificate(s) without confirming the autheticity you may be creating a security risk.
Enter SAVE to continue adding the ROOT Certificate, Else PF3 to end
Scroll RIGHT or LEFT for more info.
Type Friendly Name
-------------------------------------------------------------------------

Please note that once all certificate chain components for a private-key certificate are installed to the local certificate store, a verification of the trust chain should be performed to ensure that future signing operations will carry the necessary certificate store information for authentication processing. This can be accomplished by performing the following steps:

1. Perform a ZIP SIGN_ARCHIVE run with the private-key certificate

2. Perform an UNZIP VIEWDETAIL run against the archive from the previous step with the following command settings:

-AUTHCHK(ARCHIVE) -VERBOSE -{AUTHENTICATE=ALL}

3. Perform a manual check on the reported signature certificates saved in the archive to ensure that the root certificate is in the list.

4. Review the messages to ensure that the authentication check passed with message ZPEN035I

ZPEN035I Archive Directory Authentication Succeeded
ZPAM700I Archive was digitally signed by PKWARE Test3
ZPAM329I 3 Signature Certificates were saved in the archive:
ZPAM321I Cert Name: PKWARE Test3
ZPAM323I Email: [email protected]
ZPAM325I Valid: 12/20/2004-12/13/2024
ZPAM326I Issuer: PKWARE, Inc.
ZPAM321I Cert Name: PKTESTDB Root
ZPAM323I Email: [email protected]
ZPAM325I Valid: 12/20/2004-12/19/2024
ZPAM326I Issuer: PKWARE, Inc.
ZPAM321I Cert Name: PKWARE Test Intermediate Cert
ZPAM323I Email: [email protected]
ZPAM325I Valid: 12/20/2004-12/14/2024
ZPAM326I Issuer: PKWARE, Inc.
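The manual checks in steps 3 and 4 can be scripted against the saved UNZIP VIEWDETAIL output. The following Python sketch is an added example, not PKWARE code: it confirms that ZPEN035I is present, that the ZPAM329I count matches the certificates listed, that the expected root is among them, and that each certificate is inside its validity period. The sample output is constructed in the layout of the messages shown above (the e-mail values are placeholders), and the function names and the `expected_root` argument are assumptions.

```python
import re
from datetime import date, datetime

# Constructed sample in the layout of the messages shown in the guide.
# E-mail addresses are placeholders, not values from the guide.
SAMPLE_OUTPUT = """\
ZPEN035I Archive Directory Authentication Succeeded
ZPAM700I Archive was digitally signed by PKWARE Test3
ZPAM329I 3 Signature Certificates were saved in the archive:
ZPAM321I Cert Name: PKWARE Test3
ZPAM323I Email: test3@example.com
ZPAM325I Valid: 12/20/2004-12/13/2024
ZPAM326I Issuer: PKWARE, Inc.
ZPAM321I Cert Name: PKTESTDB Root
ZPAM323I Email: root@example.com
ZPAM325I Valid: 12/20/2004-12/19/2024
ZPAM326I Issuer: PKWARE, Inc.
ZPAM321I Cert Name: PKWARE Test Intermediate Cert
ZPAM323I Email: ca@example.com
ZPAM325I Valid: 12/20/2004-12/14/2024
ZPAM326I Issuer: PKWARE, Inc.
"""

# Message id (for example ZPAM321I) followed by the message text.
MESSAGE = re.compile(r"^\s*(ZP[A-Z]{2}\d{3}[A-Z])\s+(.*\S)\s*$")
# Detail messages that follow each ZPAM321I "Cert Name" line.
CERT_FIELDS = {"ZPAM323I": "email", "ZPAM325I": "valid", "ZPAM326I": "issuer"}


def _value(body):
    """Return the text after the 'Label:' prefix of a detail line."""
    return body.split(":", 1)[1].strip() if ":" in body else body.strip()


def _parse_range(text):
    """Parse 'MM/DD/YYYY-MM/DD/YYYY'; raises ValueError if malformed."""
    start, _, end = text.partition("-")
    return tuple(datetime.strptime(p.strip(), "%m/%d/%Y").date()
                 for p in (start, end))


def parse_viewdetail(text):
    """Collect the authentication result and the saved signature certificates."""
    report = {"authenticated": False, "signer": None,
              "declared": None, "certs": []}
    cert = None
    for line in text.splitlines():
        m = MESSAGE.match(line)
        if not m:
            continue
        msgid, body = m.groups()
        if msgid == "ZPEN035I":          # success message named in step 4
            report["authenticated"] = True
        elif msgid == "ZPAM700I":
            report["signer"] = body.rpartition("signed by ")[2]
        elif msgid == "ZPAM329I":
            first = body.split()[0]
            report["declared"] = int(first) if first.isdigit() else None
        elif msgid == "ZPAM321I":        # starts a new certificate entry
            cert = {"name": _value(body), "email": None,
                    "valid": None, "issuer": None}
            report["certs"].append(cert)
        elif msgid in CERT_FIELDS and cert is not None:
            cert[CERT_FIELDS[msgid]] = _value(body)
    return report


def check_trust_chain(text, expected_root, today=None):
    """Return a list of problems; an empty list means every check passed."""
    today = today or date.today()
    report = parse_viewdetail(text)
    problems = []
    if not report["authenticated"]:
        problems.append("ZPEN035I not present: authentication did not succeed")
    if report["declared"] != len(report["certs"]):
        problems.append(f"ZPAM329I declares {report['declared']} certificates, "
                        f"{len(report['certs'])} listed")
    if expected_root not in [c["name"] for c in report["certs"]]:
        problems.append(f"root certificate '{expected_root}' is not among "
                        "the saved signature certificates")
    for c in report["certs"]:
        try:
            not_before, not_after = _parse_range(c["valid"] or "")
        except ValueError:
            problems.append(f"{c['name']}: no usable validity range reported")
            continue
        if not not_before <= today <= not_after:
            problems.append(f"{c['name']}: outside validity period {c['valid']}")
    return problems


if __name__ == "__main__":
    for problem in check_trust_chain(SAMPLE_OUTPUT, "PKTESTDB Root") or ["OK"]:
        print(problem)
```

In the sample, the signing and intermediate certificates expire a few days before the root, so a date check catches an expired chain even when the root itself is still valid.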

To assist in performing this process, the Local Certificate Administration "View Certificate Entries" table display provides a VAL line command. Selecting this command line option will cause a ZIP/UNZIP sequence to run in the foreground and will analyze the results for display.

Delete a Certificate from the Local Store

SecureZIP Local Certificate Store
OPTION ===>
Delete a Certificate from the Local Store
Active Store Configuration: 'SECZIP.FPD.PROFILES(DBPSTD)'
Specify Certificate sub-store to be updated:
1 - Public Certificate Store - "CER"
2 - Private Certificate Store - "PFX"
- Intermediate Certificate Authorities - "CER" or "P7B"
- Trusted Root Certificate Authorities - "CER" or "P7B"
The Local Certificate Store is sub-divided into 4 sub-stores. When deleting certificates, you must indicate which section is to be updated based on the type of x.509 certificate file being used. The Intermediate Certificate Authorities and the Trusted Root Certificate Authorities must be deleted from the View Certificate Entries (ISPF Table) Panel - Option 1
Press ENTER to process.

This panel is used to select the type of certificate to be deleted from the local certificate store.

Specify Certificate sub-store to be updated

Enter the number representing the certificate to be deleted.

SecureZIP Local Certificate Store
OPTION ===>
Delete a Public Certificate from the Local Store
Active Store Configuration: 'SECZIP.FPD.PROFILES(DBPROF)'
Certificate PDS member to Delete:
PDS member in the certificate store to delete. This delete process will also delete the Database entry and all corresponding paths. Only the member name should be entered, which can be found by performing option 2 List DB Certificate Entries
Press ENTER to continue.

This panel is for deleting a public certificate from the local certificate store and data base. Certificates are deleted individually.

Certificate PDS member to Delete

Enter the PDS member name to be deleted from the certificate store. Contents of a particular certificate can be derived from the data base report.

SecureZIP Local Certificate Store
OPTION ===>
Delete a Private Certificate from the Local Store
Active Store Configuration: 'SECZIP.FPD.PROFILES(DBPROF)'
Certificate PDS member to Delete:
PDS member in the certificate store to delete. This delete process will also delete the Database entry and all corresponding paths. Only the member name should be entered, which can be found by performing option 2 List DB Certificate Entries
Enter the password for the Private Certificate:
Password entry indicates that a private-key certificate is to be deleted.
WARNING: Files in archives that have been encrypted with only this private-key certificate cannot be opened if the private-key certificate is not available for use.
Press ENTER to continue.

This panel is for deleting a private certificate from the local certificate store and data base. Certificates are deleted individually.

Certificate PDS member to Delete

Enter the PDS member name to be deleted from the certificate store. Contents of a particular certificate can be derived from the Data Base report.

Enter password

A password is required to delete a private certificate.

WARNING: Once a private certificate is deleted, any files that are in archives encrypted with only that certificate cannot be opened. The private-key certificate would need to be reinstalled from an external source.

Synchronize the Index for the Local Certificate Store

SecureZIP Local Certificate Store
Option ===>
Synchronize the Index of the Local Store
Active DB Profile: 'PKWARE.MVS.JCL(NEWDB)'
Enter "/" to generate batch full index rebuild
- OR -
Enter "/" to select foreground option(s)
/ Remove unmatched index entries
/ Index unresolved certificates
/ Process Private-key Certificates (password prompt when required)
/ Delete duplicate-key Certificates

This panel directs you to the types of stores to be processed. Select 1 or 2 and press “Enter”

SecureZIP Local Certificate Store
Option ===>
Synchronize the Index of the Local Store
Active DB Profile: 'PKWARE.MVS.JCL(NEWDB)'
_ Enter "/" to generate batch full index rebuild
- OR -
Enter "/" to process foreground option(s)
Remove Unmatched Index Entries
Index Unresolved Certificate Information
Process Private-key Certificates (password prompt when required)
Delete Duplicate-key Certificates
Refresh existing fields from certificate data

This panel (Option 1) serves two functions:

Rebuilds the Database index in batch from an existing public-key store.

Performs specific foreground index synchronization tasks.

Batch rebuild

When you rebuild the database in batch, all of the index components are deleted and redefined. The index entries are rebuilt by opening each certificate in the store and parsing the appropriate information.

A separate job step is required (see job step 'BUILD SEQ DATABASE FROM PRIVATE STORE') for each separate password represented in the private store.

Warning: Without the correct password for each private-key certificate, the index entries cannot be rebuilt and will be lost. The index entries may be restored by providing the correct password through a Foreground synchronization.

Foreground Operations

In the event that individual certificates or index entries require synchronization, the following cleanup tools are available:

Remove unmatched index entries

Select this option to remove index entries for which there is no matching certificate (as, for example, when a certificate member is manually removed from the PDS). This feature removes the index entry if the associated PDS or member does not exist.

Index Unresolved Certificates

Select this option when certificates for which there is currently no index entry have been added manually to the PDS store. The certificate(s) will be identified from a member list and scanned as if a certificate Add function had been requested.

Process Private-key Certificates (password prompt when required)

A sub-option of "Index Unresolved Certificates": Select this option in conjunction with the previous option to index unresolved certificates. A password prompt will be presented for each private-key certificate that has not yet been indexed so that the certificate may be opened. An opportunity is given to bypass each certificate for which the password is not known.

Delete Duplicate-key Certificates

A sub-option of "Index Unresolved Certificates": Select this option to physically delete certificates for which there is already a matching index. (It is recommended that any potential orphan index entries first be deleted by using the option "Remove unmatched index entries" to avoid deleting certificates which do not have a true duplicate).

Refresh existing fields from certificate data

This option invokes a re-read of the certificate to parse field data and update the index record information. Updated field information includes:

o Valid Date Range

o Serial number

o Use Flags

o Trust Status (conditionally updated)

o Revocation Status (conditionally updated)

Generated JCL for Synchronization

//FPDCS1 JOB 'ACCOUNTING INFO',CLASS=A,REGION=8M,
// MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID
//*
//******************************************************************
//* PLEASE BE SURE PROCEDURE PKISPF IN INSTLIB HAS BEEN TAILORED *
//* TO MEET YOUR SITES SPECIFICATIONS. *
//******************************************************************
// JCLLIB ORDER=PKWARE.MVS.INSTLIB
//JOBLIB DD DISP=SHR,DSN='PKWARE.MVS.LOAD'
//*
//* GENERATED JCL TO BUILD DATA BASE FROM CERTIFICATE STORE
//* BUILD SEQ DATABASE FROM PUBLIC STORE
//PDS2DBPB EXEC PKISPF
//STDOUT DD SYSOUT=*
//STDERR DD SYSOUT=*
//ISPF.SYSTSIN DD *
 ISPSTART CMD(%RMPDS2DB PKWARE.MVS.CERTSTOR.PUBLIC +
 FPD.CERT.SEQDBPUB.TEMP )
//* BUILD SEQ DATABASE FROM PRIVATE STORE
//PDS2DBPV EXEC PKISPF
//STDOUT DD SYSOUT=*
……………………….. …………………………….

Review and SUBmit the JOB.

CA, Root, and CRL Verification

SecureZIP Local Certificate Store
Command ===>
Verify CA / Root / Revocation List Store
Active Store Configuration: 'SECZIP.FPD.PROFILES(DBPSTD)'
Select Store for viewing: (Default is all)
Certificate-Authority
Root
Revocation List
Press ENTER to continue.

This panel (Option 2) is used to select the type of store.

Place a “Y” for CA, Root, or CRL or simply press “Enter” to verify the stores.

*********************************************************** Top of Data
PKCSDEL - Verify CA / Root / CRL Store 2 Feb 2006 12:07:18
PKCSDEL - CA=SECZIP.FPDSTD.CERTSTOR.P7CA
SUCCESS: CA Store '//'SECZIP.FPDSTD.CERTSTOR.P7CA'' verified successfully.
1 certificates found.
PKCSDEL - ROOT=SECZIP.FPDSTD.CERTSTOR.P7ROOT
SUCCESS: Root Store '//'SECZIP.FPDSTD.CERTSTOR.P7ROOT'' verified successfully.
1 certificates found.

The panel above is the output from the verify process.

Report DB Statistics

SecureZIP Local Certificate Store
Option ===>
Local Certificate Store Administration
1 View Certificate Entries (ISPF Table)
2 List DB Certficate Entries
3 Add new Certificates to the Local Store
4 Delete a Certificate from the Local Store
5 Re-synchronize the Index for the Local Store
6 Report DB Statistics
7 Edit Active DB Profile
8 Supplemental Administration Utilties

Option 6 – Report DB Statistics

Generates a view of the local certificate store information. This view will contain details on the certificate datasets, the local store data base, and the path/alternate indexes to the local store data base.

000001 Public Certificate Dataset Information
000002 Data Set Name = PKWARE.MVS.CERTSTOR.PUBLIC
000003 Number of certificates = 2
000004
000005 Dataset Organization = PDS
000006 Record Format = VB
000007 Logical Record Length = 27994
000008 Block Size = 27998
000009 Space Type = CYLINDER
000010 Primary Allocation = 10
000011 Secondary Allocation = 1
000012 Total Allocated = 10
000013 Allocated extents = 1
000014 Used Extents = 1
000015 Directory Blocks
000016 Allocated = 400
000017 Used = 1
000018
000019 Private Certificate Dataset Information
000020 Data Set Name = PKWARE.MVS.CERTSTOR.PRIVATE
000021 Number of certificates = 2
000022
000023 Dataset Organization = PDS
000024 Record Format = VB
000025 Logical Record Length = 27994
000026 Block Size = 27998
000027 Space Type = CYLINDER
000028 Primary Allocation = 10
000029 Secondary Allocation = 1
000030 Total Allocated = 10
000031 Allocated extents = 1
000032 Used Extents = 1
000033 Directory Blocks
000034 Allocated = 400
000035 Used = 1
000036
000037 Public Certificate Store DataBase Information
000038 Data Set Name = PKWARE.MVS.CERTSTOR.DBX
000039 Cluster Name = PKWARE.MVS.CERTSTOR.DBX
000040
000041 Data Name = PKWARE.MVS.CERTSTOR.DBX.DATA
000042 Space Type = CYLINDER
000043 Primary Allocation = 1
000044 Secondary Allocation = 2
000045 Percent Free Space = 98
000046 Total Records = 4
000047 High Allocated RBA = 829440
000048 High Used RBA = 829440
000049
000050 Index Name = PKWARE.MVS.CERTSTOR.DBX.INDEX
000051 Space Type = TRACK
000052 Primary Allocation = 1
000053 Secondary Allocation = 1
000054 Total Records = 1
000055 High Allocated RBA = 33792
000056 High Used RBA = 1024
000057
000058 Public Certificate Store DataBase Alternate Indexes with Path
000059 Alternate Index Name = PKWARE.MVS.CERTSTOR.DBXCN
000060 Cluster Name = PKWARE.MVS.CERTSTOR.DBX
000061
000062 Data Name = PKWARE.MVS.CERTSTOR.DBXCN.DATA
000063 Space Type = CYLINDER
000064 Primary Allocation = 1
000065 Secondary Allocation = 1
000066 Percent Free Space = 98
000067 Total Records = 2
000068 High Allocated RBA = 829440
000069 High Used RBA = 829440
000070
000071 Index Name = PKWARE.MVS.CERTSTOR.DBXCN.INDEX
000072 Space Type = TRACK
000073 Primary Allocation = 1
000074 Secondary Allocation = 1
000075 Total Records = 1
000076 High Allocated RBA = 25088
000077 High Used RBA = 512
000078
000079 Path Name = PKWARE.MVS.CERTSTOR.PATHCN
000080
000081 Public Certificate Store DataBase Alternate Indexes with Path
000082 Alternate Index Name = PKWARE.MVS.CERTSTOR.DBXEM
000083 Cluster Name = PKWARE.MVS.CERTSTOR.DBX
000084
000085 Data Name = PKWARE.MVS.CERTSTOR.DBXEM.DATA
000086 Space Type = CYLINDER
000087 Primary Allocation = 1
000088 Secondary Allocation = 1
000089 Percent Free Space = 98
000090 Total Records = 2
000091 High Allocated RBA = 829440
000092 High Used RBA = 829440
000093
000094 Index Name = PKWARE.MVS.CERTSTOR.DBXEM.INDEX
000095 Space Type = TRACK
000096 Primary Allocation = 1
000097 Secondary Allocation = 1
000098 Total Records = 1
000099 High Allocated RBA = 25088
000100 High Used RBA = 512
000101
000102 Path Name = PKWARE.MVS.CERTSTOR.PATHEM
000103
000104 Public Certificate Store DataBase Alternate Indexes with Path
000105 Alternate Index Name = PKWARE.MVS.CERTSTOR.DBXPUBK
000106 Cluster Name = PKWARE.MVS.CERTSTOR.DBX
000107
000108 Data Name = PKWARE.MVS.CERTSTOR.DBXPUBK.DATA
000109 Space Type = CYLINDER
000110 Primary Allocation = 1
000111 Secondary Allocation = 1
000112 Percent Free Space = 98
000113 Total Records = 2
000114 High Allocated RBA = 829440
000115 High Used RBA = 829440
000116
000117 Index Name = PKWARE.MVS.CERTSTOR.DBXPUBK.INDEX
000118 Space Type = TRACK
000119 Primary Allocation = 1
000120 Secondary Allocation = 1
000121 Total Records = 1
000122 High Allocated RBA = 25088
000123 High Used RBA = 512
000124
000125 Path Name = PKWARE.MVS.CERTSTOR.PATHPUBK
000126

Edit Active DB Profile

Option 7 – Edit Active DB Profile

SecureZIP for z/OS uses a set of configuration commands to determine the location of Public and Private Certificates via an index. The commands can be grouped together within a PDS or PDSE member as a Data Base profile.

Specify the dataset (and member) of a saved DB profile.

File Edit Edit_Settings Menu Utilities Compilers Test Help
---------------------------------------------------------------------------------------
EDIT SECZIP.FPD.PROFILES(DBPROF) - 01.00 Columns 00001 00080
Command ===> Scroll ===> CSR
****** ********************************* Top of Data **********************************
000001 ***
000002 * LOCAL CERTIFICATE STORE CONFIGURATION CONTROL
000003 *
000004 * Include this member in SecureZIP runs requiring Local Certificate
000005 * Store RECIPIENTS, SIGN_ARCHIVE, SIGN_FILES and AUTHCHK signatories.
000006 ***
000007 -{CSPUB=4;1;SECZIP.FPD.CERTSTOR.PUBLIC}
000008 -{CSPRVT=4;1;SECZIP.FPD.CERTSTOR.PRIVATE}
000009 -{CSPUB_DBX=SECZIP.FPD.CERTSTOR.DBX}
000010 -{CSPUB_DBX_PATH_CN=SECZIP.FPD.CERTSTOR.PATHCN}
000011 -{CSPUB_DBX_PATH_EM=SECZIP.FPD.CERTSTOR.PATHEM}
000012 -{CSPUB_DBX_PATH_PUBKEY=SECZIP.FPD.CERTSTOR.PATHPUBK}
000013 -{CSCA=1;0;SECZIP.FPD.CERTSTOR.P7CA}
000014 -{CSROOT=1;0;SECZIP.FPD.CERTSTOR.P7ROOT}
000015 -{AUTHENTICATE=TRUSTED,EXPIRED,NOTREVOKED,TAMPERCHECK}
****** ******************************** Bottom of Data ********************************

Option 8 – Supplemental Administration Utilities

The Supplemental Administration Utilities option lets you run report statistics (1), run the installation verification job (2), and run the backup and restore process (3).

Report Statistics

See Option 6 “Report Statistics” above.

Run Installation Verification Job

By selecting this option SecureZIP for z/OS will validate your configuration. Submit the job and review the output.

File Edit Edit_Settings Menu Utilities Compilers Test Help
--------------------------------------------------------------------------------
EDIT FPD.SPFTEMP4.CNTL Columns 00001
Command ===> Scroll
****** ********************************* Top of Data
000001 //FPDCS1 JOB 'ACCOUNTING INFO',CLASS=A,REGION=8M,
000002 // MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID
000003 //*
000004 //******************************************************************
000005 //* PLEASE BE SURE PROCEDURE PKISPF IN INSTLIB HAS BEEN TAILORED *
000006 //* TO MEET YOUR SITE'S SPECIFICATIONS. *
000007 //******************************************************************
000008 // JCLLIB ORDER=PKWARE.MVS.INSTLIB
000009 //JOBLIB DD DISP=SHR,DSN='PKWARE.MVS.LOAD'
000010 //*
000011 //***
000012 //* CLEANUP RESIDUAL WORK ARCHIVE
000013 //* STORE.
000014 //***
000015 //CLEAN1 EXEC PGM=IEFBR14
000016 //DEL DD DISP=(MOD,DELETE),DSN=FPD.IVPDB.ZIP,SPACE=(TRK,(0))
000017 //***
000018 //* ZIP A TEST FILE USING A -RECIPIENT FROM THE LOCAL CERTIFICATE
000019 //* STORE.
000020 //***
000021 //SECZIP EXEC PGM=SECZIP

CS IVP Sample Output

Output from SecureZIP for z/OS CS IVP steps.

ZPLI001I SecureZIP(R) for z/OS, Version 9.0 - 06/26/2006 07.22 LVL(0)
ZPLI001I Copyright. 1989-2006 PKWARE Inc. All Rights Reserved.
ZPLI001I SecureZIP (R) is a trademark of PKWARE, Inc.
ZPLI001I Registered, Processor Type=7060 Processor Group=00 Serial Number=00052
ZPLI001I OS Level: HBB7707 SP7.0.6
-INCLUDE_CMD=SECZIP.IVP.JCL(DEVCERT1)
-ECHO=N
-INFILE_DD(INFILE)
-ARCHOUTDD(ARCHOUT)
-RECIPIENT(DB:CN=PKWARE TEST1,R)
-BSAFE_AES128
-ENCRYPTION_METHOD(BSAFE_AES128)
-VERBOSE
-LOGGING_LEVEL(VERBOSE)
-INCLUDE_CMD=PKWARE.MVS.JCL(DBPROF)
ZPCM027I Including commands from PKWARE.MVS.JCL(DBPROF)
*---------------------------------------------------------------------*
* PROFILE PKWARE.MVS.JCL(DBPROF) *
*---------------------------------------------------------------------*
* DATABASE ACCESS CONTROL CARDS
-{CSPUB=4;1;PKWARE.MVS.CERTSTOR.PUBLIC}
-{CSPRVT=4;1;PKWARE.MVS.CERTSTOR.PRIVATE}
-{CSPUB_DBX=PKWARE.MVS.CERTSTOR.DBX}
-{CSPUB_DBX_PATH_CN=PKWARE.MVS.CERTSTOR.PATHCN}
-{CSPUB_DBX_PATH_EM=PKWARE.MVS.CERTSTOR.PATHEM}
-{CSPUB_DBX_PATH_PUBKEY=PKWARE.MVS.CERTSTOR.PATHPUBK}
ZPCM011I Processing EXEC PARM parameters
ZPCS200I Opening Common Name DB Index (//'PKWARE.MVS.CERTSTOR.PATHCN')
ZPEN110I Locating Digital Certificates ...
ZPCM023I Digital Certificate Store Configuration
{CSCA=1;1;PKWARE.MVS.CERTSTOR.PUBLIC(CAP7)}
{CSROOT=1;1;PKWARE.MVS.CERTSTOR.PUBLIC(ROOTP7)}
{LDAP=1;192.168.1.54;4389;1;0;CN=LDAP Administrator;secret;;O=PKWARE;}
{CSPUB=4;1;PKWARE.MVS.CERTSTOR.PUBLIC}
{CSPRVT=4;1;PKWARE.MVS.CERTSTOR.PRIVATE}
{CSPUB_DBX=PKWARE.MVS.CERTSTOR.DBX}
{CSPUB_DBX_PATH_CN=PKWARE.MVS.CERTSTOR.PATHCN}
{CSPUB_DBX_PATH_EM=PKWARE.MVS.CERTSTOR.PATHEM}
{CSPUB_DBX_PATH_PUBKEY=PKWARE.MVS.CERTSTOR.PATHPUBK}
ZPCM023C ---------------------------------------
ZPCM024I Digital Certificate Request List
ZPCM024C Req'd Public Recipient //'PKWARE.MVS.CERTSTOR.PUBLIC(PUB1CERT)'
ZPCM024C FILE FOUND *REQUIRED*
ZPCM024C --------------------------------
ZPCM025I Digital Certificates Found: 1
ZPCM025C PKWARE Test1;[email protected];
ZPCM025C --------------------------------
ZPAP900I NO API REQUIRED
ZPAM030I OUTPUT Archive opened: FPD.IVPDB.ZIP
ZPCM017I A total of 1 ADD/UPDATE candidate file(s) were identified.
ZPCO100I Compression Task { 5} TCB: 008D4698 Started.
ZPCM100I Configuration Manager Shutdown. Posting Main Task: 00000000
ZPAM253I ADDED File PKWARE.MVS.INSTLIB($COPYRIT)
ZPAM254I as PKWARE/MVS/INSTLIB/$COPYRIT
ZPAM255I (DEFLATED 31%/30%) SecureZIP(R): BSAFE_AES128 ORIG. SIZE 1,280; ZIP
ZPAM140I FILES: ADDED EXCLUDED BYPASSED IN ERROR
ZPAM140I 1 0 0 0
ZPAM101I Archive Manager Task { 3} TCB: 008D4A98 shutdown begun.
ZPAM109I Archive Manager Task { 3} TCB: 008D4A98 shutdown complete.
ZPCO101I Compression Task { 5} TCB: 008D4698 shutdown begun.
ZPCO109I Compression Task { 5} TCB: 008D4698 shutdown complete.
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)

ZPGE001T UNZIP STARTUP STORAGE QUERY: 24BIT= 8208K 31BIT= 32768K CACHE=
ZPLI001I SecureZIP(R) for z/OS, Version 9.0 - 06/26/2006 07.22 LVL(0)
ZPLI001I Copyright. 1989-2006 PKWARE Inc. All Rights Reserved.
ZPLI001I SecureZIP (R) is a trademark of PKWARE, Inc.
ZPLI001I Registered, Processor Type=7060 Processor Group=00 Serial Number=00052
ZPLI001I OS Level: HBB7707 SP7.0.6
-INCLUDE_CMD=SECZIP.IVP.JCL(DEVCERT1)
-ECHO=N
-ARCHINDD(ARCHIN)
-VIEWDETAIL
-ACTION(VIEWDETAIL)
-VERBOSE
-LOGGING_LEVEL(VERBOSE)
-INCLUDE_CMD=PKWARE.MVS.JCL(DBPROF)
ZPCM027I Including commands from PKWARE.MVS.JCL(DBPROF)
*---------------------------------------------------------------------*
* PROFILE PKWARE.MVS.JCL(DBPROF) *
*---------------------------------------------------------------------*
* DATABASE ACCESS CONTROL CARDS
-{CSPUB=4;1;PKWARE.MVS.CERTSTOR.PUBLIC}
-{CSPRVT=4;1;PKWARE.MVS.CERTSTOR.PRIVATE}
-{CSPUB_DBX=PKWARE.MVS.CERTSTOR.DBX}
-{CSPUB_DBX_PATH_CN=PKWARE.MVS.CERTSTOR.PATHCN}
-{CSPUB_DBX_PATH_EM=PKWARE.MVS.CERTSTOR.PATHEM}
-{CSPUB_DBX_PATH_PUBKEY=PKWARE.MVS.CERTSTOR.PATHPUBK}
ZPCM011I Processing EXEC PARM parameters
ZPAP900I NO API REQUIRED
ZPCM100I Configuration Manager Shutdown. Posting Main Task: 00000000
ZPAM030I INPUT Archive opened: FPD.IVPDB.ZIP
ZPAM014I 1 file(s) are in the input Archive.
ZPAM012I ZIP comment: SecureZIP for z/OS by PKWARE
ZPAM013I *********************************************************************************
ZPAM001I Filename: PKWARE/MVS/INSTLIB/$COPYRIT
ZPAM002I File type: TEXT
ZPAM003I Date/Time: 11-JUN-2005 05:24:00
ZPAM004I Compression Method: Deflate- Super Fast
ZPAM005I Compressed Size: 900
ZPAM006I Uncompressed Size: 1,313
ZPAM007I 32-bit CRC: A6B5182A LHDR Offset: 0
ZPAM008I Created by: PK zSeries 8.1
ZPAM009I Needed to extract: PKUNZIP 6.1
ZPAM010I Encryption: AES_128 Certificate Key BSAFE(R)
ZPAM301I File Type: NONVSAM PDS
ZPAM302I File PDS Directory Blocks: 25
ZPAM303I File Record Format: FB
ZPAM304I File Allocation Type: BLK
ZPAM305I File Primary Space Allocated: 78
ZPAM306I File Secondary Space Allocated: 20
ZPAM307I File Record Size: 80
ZPAM308I File Block Size: 27920
ZPAM309I File Volume(s) Used: DEV002
ZPAM310I File Creation Date: 2004/07/23
ZPAM311I File Referenced Date: 2005/06/11
ZPAM319I SMS Storage Class: DEV
ZPAM312I File PDS Extended Directory Information:
DIRECTORY INFORMATION FOLLOWS LENGTH=00001E
000000 01010006 0104161F 0104161F 11480010 |................| H |
000010 00100000 D4C1E240 40404040 40400000 |....MAS ..| @@@@@@@ |
ZPAM313I PDS member TTRKZC: 00210300000F
ZPAM320I 1 recipient(s) were designated:
ZPCS200I Opening Public Key DB Index (//'PKWARE.MVS.CERTSTOR.PATHPUBK')
ZPAM321I Recipient: PKWARE Test1
ZPAM322I Public Key Hash: 830A0AE9DBF0496954763862126ECE7A34BB7A56
ZPAM323I Email: [email protected]
ZPAM324I Cert: //'PKWARE.MVS.CERTSTOR.PUBLIC(PUB1CERT)'
ZPAM013I *********************************************************************************
ZPAM140I FILES: VIEWED EXCLUDED BYPASSED IN ERROR
ZPAM140I 1 0 0 0
ZPAM101I Archive Manager Task { 3} TCB: 008D4A98 shutdown begun.
ZPAM109I Archive Manager Task { 3} TCB: 008D4A98 shutdown complete.
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)

ZPGE001T UNZIP STARTUP STORAGE QUERY: 24BIT= 8208K 31BIT= 32768K CACHE=
ZPLI001I SecureZIP(R) for z/OS, Version 9.0 - 06/26/2006 07.22 LVL(0)
ZPLI001I Copyright. 1989-2006 PKWARE Inc. All Rights Reserved.
ZPLI001I SecureZIP (R) is a trademark of PKWARE, Inc.
ZPLI001I Registered, Processor Type=7060 Processor Group=00 Serial Number=00052
ZPLI001I OS Level: HBB7707 SP7.0.6
-INCLUDE_CMD=SECZIP.IVP.JCL(DEVCERT1)
-ECHO=N
-ARCHINDD(ARCHIN)
-RECIPIENT(DB:CN=PKWARE TEST1,R,PASSWORD=******)
-TEST
-ACTION(TEST)
-VERBOSE
-LOGGING_LEVEL(VERBOSE)
-INCLUDE_CMD=PKWARE.MVS.JCL(DBPROF)
ZPCM027I Including commands from PKWARE.MVS.JCL(DBPROF)
*---------------------------------------------------------------------*
* PROFILE PKWARE.MVS.JCL(DBPROF) *
*---------------------------------------------------------------------*
* DATABASE ACCESS CONTROL CARDS
-{CSPUB=4;1;PKWARE.MVS.CERTSTOR.PUBLIC}
-{CSPRVT=4;1;PKWARE.MVS.CERTSTOR.PRIVATE}
-{CSPUB_DBX=PKWARE.MVS.CERTSTOR.DBX}
-{CSPUB_DBX_PATH_CN=PKWARE.MVS.CERTSTOR.PATHCN}
-{CSPUB_DBX_PATH_EM=PKWARE.MVS.CERTSTOR.PATHEM}
-{CSPUB_DBX_PATH_PUBKEY=PKWARE.MVS.CERTSTOR.PATHPUBK}
ZPCM011I Processing EXEC PARM parameters
ZPCS200I Opening Common Name DB Index (//'PKWARE.MVS.CERTSTOR.PATHCN')
ZPEN110I Locating Digital Certificates ...
ZPCM023I Digital Certificate Store Configuration
{CSCA=1;1;PKWARE.MVS.CERTSTOR.PUBLIC(CAP7)}
{CSROOT=1;1;PKWARE.MVS.CERTSTOR.PUBLIC(ROOTP7)}
{LDAP=1;192.166.54;4389;1;0;CN=LDAP Administrator;secret;;O=PKWARE;}
{CSPUB=4;1;PKWARE.MVS.CERTSTOR.PUBLIC}
{CSPRVT=4;1;PKWARE.MVS.CERTSTOR.PRIVATE}
{CSPUB_DBX=PKWARE.MVS.CERTSTOR.DBX}
{CSPUB_DBX_PATH_CN=PKWARE.MVS.CERTSTOR.PATHCN}
{CSPUB_DBX_PATH_EM=PKWARE.MVS.CERTSTOR.PATHEM}
{CSPUB_DBX_PATH_PUBKEY=PKWARE.MVS.CERTSTOR.PATHPUBK}
ZPCM023C ---------------------------------------
ZPCM024I Digital Certificate Request List
ZPCM024C Req'd Private Recipient //'PKWARE.MVS.CERTSTOR.PRIVATE(PVT1CERT)'
ZPCM024C FILE FOUND *REQUIRED*
ZPCM024C --------------------------------
ZPAP900I NO API REQUIRED
ZPAM030I INPUT Archive opened: FPD.IVPDB.ZIP
ZPCM100I Configuration Manager Shutdown. Posting Main Task: 00000000
ZPEX100I Extract Task { 5} TCB: 008D4678 Started.
ZPEN109T BSAFE(R) CryptoC request code= 3594 kPKErr_BSISetKeyInf
ZPEX001I tested okay PKWARE/MVS/INSTLIB/$COPYRIT
ZPAM140I FILES: TESTED EXCLUDED BYPASSED IN ERROR
ZPAM140I 1 0 0 0
ZPAM101I Archive Manager Task { 3} TCB: 008D4A98 shutdown begun.
ZPAM109I Archive Manager Task { 3} TCB: 008D4A98 shutdown complete.
ZPEX101I Extract Task { 5} TCB: 008D4678 shutdown begun.
ZPEX109I Extract Task { 5} TCB: 008D4678 shutdown complete.
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)

Backup and Restore Process

SecureZIP for z/OS allows you to perform a backup of your existing local certificate store. Selecting Option 9 will start the backup process.

Backup and Restore Profile
Option ===>
Establish the Backup and Restore Profile
Fill in the required information below. Then Press ENTER to complete.
If you do not place the dataset(s) in quotes your UID will be used as the High Level Qualifer
Backup JCL ............:
For example: your.jcl.cntl.library(CSBRBJCL)
Recovery JCL ..........:
For example: your.jcl.cntl.library(CSBRRJCL)
Archive Dataset Name:
For example: uid.Dmmddyy.CSBKUP.ZIP This would be the dataset used in a restore.

Initial setup screen

Initially you will be required to enter the dataset and member information to store the generated JCL for backup and restore, along with a dataset name for the created SecureZIP archive used to contain your local certificate store.

SECUREZIP OPTION ===> Backup & Restore Profile
Profile Information
Certstore Profile Dataset.: 'PKWARE.MVS.PROFILES(DBFPD1)'
Last Backup Submit Date...:
Archive Dataset - Enter V to View: 'FPD.CSBKUP.ZIP'
Process Options
You can Create, Submit, Edit or View the backup and restore job stream
Note: To track the last backup submit date you must use the submit option rather than issue the "SUB" command from an edit or view session
Function C - Create, S - Submit, E - Edit, V -View
Backup JCL ...............: 'FPD.JCLZ.CNTL(BK1)'
Restore JCL ..............: 'FPD.JCLZ.CNTL(RS1)'
Archive Allocation Options for Backup
Management class . . . PRIVATE (Blank for default management class)
Storage class . . . . PRIVATE (Blank for default storage class)
Volume serial . . . . FPD003 (Blank for system default volume)
Device type . . . . . 3390 (Generic unit or device address)
Data class . . . . . . (Blank for default data class)
Space units . . . . . CYLINDER (BLKS, TRKS, CYLS)
Primary quantity . . 1 (In above units)
Secondary quantity . 50 (In above units)

Main Backup and Restore Panel

This screen controls the types of processes that you can perform against the local certificate store. If you have done a previous backup, then the ZIP archive name will be displayed along with the date of the last backup. The datasets to be backed up are the datasets pointed to by the certstore profile dataset.

Profile Information

This is the certificate store profile dataset that will be used to back up the local certificate store.

Archive Dataset

Name of the archive that you wish to create or use in a restore process.

If you select V this will display a VIEWDETAIL of the designated archive dataset.

Process Options

The options selected determine the functions performed:

Backup JCL

Enter C to Create the backup job stream
Enter S to Submit the backup job stream
Enter E to Edit the backup job stream
Enter V to View the backup job stream

Restore JCL

Enter C to Create the backup job stream
Enter S to Submit the backup job stream
Enter E to Edit the backup job stream
Enter V to View the backup job stream

You may also choose to save the JCL using a different member name or dataset name/member name combination.

Option ===> Certstore Restore Options
Fill in the any change information desired. Press ENTER to complete.
If you do not change any data then the original values will be used
High Level Qualifier...:
Specify a different HLQ if desired
SMS Classes
Managment..........:
Storage ...........:
Data .. ...........:
Restore Volume.........:
Specify a different Volser than the original database
Restore Unit ..........:
Specify a different Unit Name than the original database

Submit of a Restore JOB

When you submit the restore JCL, this screen will appear and give you the ability to restore the datasets in the archive using a different high level qualifier and/or different allocation options. If you press ENTER without making changes, the restore will use the default options.

Option ===> Additional Input Control Cards for View Archive
Enter any control card(s) desired for the selected View option.
You may wish to view an archive using a Private Key Cert. If the certificate is not in your profile you can place an -INCLUDE_CMD in the input stream.
Additional Control Card:
1:
2:
3:
4:

Archive Dataset View - V

Selecting V to view an existing archive displays a VIEWDETAIL of the designated archive dataset and generates a panel that allows you to place additional SecureZIP for z/OS control cards into the command stream. You can then add private key certificate information if the archive to be viewed has been encrypted.

Backing Up SecureZIP Partner for z/OS

An external utility such as DFDSS should be used to perform backup/restore operations for all local certificate store components. All components should be backed up and restored collectively to maintain store integrity.

Sample jobs are provided in INSTLIB(CSDSSBKP) and INSTLIB(CSDSSRST) to perform backup and restore operations respectively.


Important: When performing a RESTORE operation, do not rename the data sets. Renaming them will invalidate index references in the certificate store.

Directory Certificate Store Configuration - LDAP

This section assists with defining the network connectivity associated with LDAP compliant directory access. Please note that prior to using LDAP services to locate public key digital certificates for RECIPIENT processing, network connections must be defined.

Command settings will be kept in an LDAP profile member for SecureZIP for z/OS to access during ZIP processing.

The LDAP connection commands can be coded manually; however, a series of panels and tools is provided to assist in properly formatting the command parameters and to test connectivity to the desired LDAP server.

SecureZIP Certificate Store Administration
Option ===>
Select one of the following options and press Enter:
1 Local Certificate Store Administration
2 LDAP Certificate Store Configuration
3 x.509 Certificate Utilities

To access the LDAP certificate store configuration, enter “2” in the Option field from this panel.

Create/Test LDAP Profile Statements

This panel will allow you to create configuration information, validate existing configuration information, and read information from an existing profile, if it is established.

SecureZIP LDAP Configuration Setup
Option ===>
LDAP Certificate Store Administration
1 Edit Active LDAP Profile
2 Create/Test LDAP Profile Statements
Active LDAP Profile: 'PKWARE.MVS.JCL(LDAPPROF)'
-{LDAP=1;SCULPTOR1.PKWARE.COM;389;0;0;;;*CN;O=PKWARE}

To edit an existing LDAP profile, use the dataset and member name on the panel or enter a different dataset and/or member name and select “1” from this panel.

To create, test, and save LDAP profile information, select “2” from this panel.


Edit existing LDAP profile

File Edit Edit_Settings Menu Utilities Compilers Test Help
EDIT PKWARE.MVS.JCL(LDAPPROF) - 01.15
****** ********************************* Top of Data
000001 -{LDAP=1;SCULPTOR1.PKWARE.COM;389;0;0;;;*CN;O=PKWARE}
****** ******************************** Bottom of Data

The results from selecting “1” are shown in this panel. You can change any information necessary and PF3 out of edit to save the changes.

Create/Test LDAP Link

This panel assists the SecureZIP for z/OS administrator in configuring and testing LDAP connections. The following functions are covered:

Create new LDAP Profile Settings

Read values from an existing LDAP Profile with the LOAD command

Test an LDAP connection with PING and TEST commands

Save settings to an LDAP Profile

SecureZIP Create/Test LDAP Link
OPTION ===>
Active LDAP Profile: 'PKWARE.MVS.JCL(LDAPPROF)'
LDAP Number 1
Connect Information
* Server Address/IP...:
* Server Port.........: 389
Connect USERID......:
Connect Password....:
Search Timeout......: 0
LDAP Search Configuration
Starting Node * >
>
Default Filter Type.: *CN (*EMAIL,*CN)
The following commands may be copied to an LDAP Profile:
{ ... undefined ...}

Create New LDAP Profile Settings

Fill in the required parameters and press ENTER to generate LDAP profile settings. These can then be copied and pasted into an LDAP profile member using the copy and paste functions of your terminal emulator.

You may change fields and press ENTER to generate new settings.


SecureZIP Create/Test LDAP Link
OPTION ===> More: +
Active LDAP Profile: 'PKWARE.MVS.JCL(LDAPPROF)'
LDAP Number 1
Connect Information
* Server Address/IP...: SCULPTOR1.PKWARE.COM
* Server Port.........: 389
Connect USERID......:
Connect Password....:
Search Timeout......: 0
LDAP Search Configuration
Starting Node * > O=PKWARE
>
Default Filter Type.: *CN (*EMAIL,*CN)
The following commands may be copied to an LDAP Profile:
-{LDAP=1;SCULPTOR1.PKWARE.COM;389;0;0;;;*CN;O=PKWARE}

Load Existing LDAP Profile

With the Load option you read values from an existing LDAP profile.

SecureZIP Create/Test LDAP Link
OPTION ===> LOAD More: +
Active LDAP Profile: 'PKWARE.MVS.JCL(LDAPPROF)'
LDAP Number 1
Connect Information
* Server Address/IP...: SCULPTOR1.PKWARE.COM
* Server Port.........: 4389
Connect USERID......:
Connect Password....:
Search Timeout......: 0
LDAP Search Configuration
Starting Node * > O=PKWARE
>
Default Filter Type.: *CN (*EMAIL,*CN)
The following commands may be copied to an LDAP Profile:
-{LDAP=1;SCULPTOR1.PKWARE.COM;389;0;0;;;*CN;O=PKWARE}

When an active LDAP profile is provided on the LDAP configuration setup screen, then a predefined LDAP command can be retrieved for testing or use as a model for a new setting. Specify the LDAP number, type LOAD into the command OPTION and press ENTER. If that LDAP number is in the active profile, the settings will be loaded into the screen.

Testing the LDAP Connection

Once the profile commands have been generated, you may verify that a connection to the intended LDAP Server can be established by using the PING and TEST options:

When creating a configuration for an LDAP server at a new network address, it is recommended that a PING test be performed first.

OPTION ===> PING

The PING option will perform a "TSO PING" command to verify that the network address can be resolved and the associated IP address reached. Once completed, a BROWSE of the output will be automatically presented. Be aware that some network administrators may turn off PING response capabilities, so it is possible that the PING may time out even if the network name (e.g. www.pkware.com) can be resolved to an IP address.

************************************************
Attempting PING to SCULPTOR1.PKWARE.COM
************************************************
CS V1R4: Pinging host PKZ4 (193.178.1.64)
Ping #1 response took 0.000 seconds.

Possible errors can be:

The network address cannot be resolved by the domain name server

EZZ3111I Unknown host www.unknown-name.com

Network services may be down along the routes to reach the IP address.

HOST unreachable

The specified host may not be up, or is not accepting PING requests.

Timed out

OPTION ===> TEST [optional-filter] [LIST]

The TEST option will call utility program PKZLDAPT to perform a bind request with the specified server, log on (if a userid/password combination is required), and then perform a search based on a filter. Once completed, a BROWSE of the output will be automatically presented.

The default LDAP search filter used is (&(userCertificate=*)), which will give a summary count of the total number of LDAP entries containing a userCertificate. An optional filter may be specified with the test command. Note that the requested filter will automatically be surrounded by (&...) to complete the LDAP syntax. See the samples below for typical syntax.

Specifying LIST causes some detailed information for the LDAP entries to be listed. The default is to display a summary count of the number of LDAP entries located that match the search filter.

Test Program Notes:

Default Filter Type is not used with the test option. It is only used during live SecureZIP for z/OS processing of RECIPIENTS.

The filter is not retained in the LDAP configuration. It is only used for testing the connection during the administration process.

A long delay (up to a few minutes) may occur if network timeout values are set high. You should contact your network technical support staff regarding network timeout settings.

Sample TEST Syntax

To count all entries with a common name:

OPTION ===> test (cn=*)

To list all entries with a common name:


OPTION ===> test (cn=*) LIST

To restrict the search to common names representing a person:

OPTION ===> test (cn=Joe S*)(objectclass=person) LIST

Output from the TEST Command

PKLDAPTEST LDAP Test Starting 2006/02/05 21:14:26
PKLDAPTEST Parameters:Action<S> - Server<SECZIP.PKWARE.COM> Port<4389> - User<> Password<0> - Start Node<O=PKWARE> - Search Filter<(&(cn=*))>
LDAP_intialTest - --LDAP init ..... elasp time 0.000000 seconds
LDAP_intialTest - --LDAP bind ..... elasp time 0.000000 seconds
LDAP_intialTest - --LDAP Search ..... elasp time 0.000000 seconds
LDAP_intialTest - --LDAP Attributes ..... elasp time 0.000000 seconds
LDAP_intialTest - Total Entries=15
PKLDAPTEST LDAP Testing Ending RC=0

Common Error Conditions for TEST

The bind phase to the server may fail with "Can't contact LDAP server" for any of the following reasons:

The network/IP address specified is invalid.

Use PING to gather additional information.

The network cannot resolve the route to reach the specified address.

Use PING to gather additional information.

The PORT for the LDAP server is not correct.

Verify the PORT number with the target system's network administrator regarding the LDAP server PORT assignment.

The LDAP server is down.

Output from the TEST Command with Errors

PKLDAPTEST LDAP Test Starting 2005/05/05 21:12:42
PKLDAPTEST Parameters:Action<s> - Server<seczip.pkware.com> Port<389> - User<> Password<0> - Start Node<o=pkware> - Search Filter<(&(userCertificate=*))>
LDAP_intialTest - --LDAP init ..... elasp time 0.000000 seconds
LDAP_intialTest - could not bind sculptor1.pkware.com for rc=81 <Can't contact LDAP server>
PKLDAPTEST LDAP Testing Ending RC=0
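Both TEST outputs above end with RC=0, including the run where the bind failed with rc=81, so a script that reviews saved TEST output has to read the message lines rather than the ending return code. The following Python is an added example, not part of PKWARE's manual or tooling; the function names are hypothetical and the sample text is constructed from the two outputs shown on this page, with line breaks assumed.

```python
import re

# Constructed from the two sample outputs on this page (line breaks assumed).
SAMPLE_OK = """\
PKLDAPTEST LDAP Test Starting 2006/02/05 21:14:26
PKLDAPTEST Parameters:Action<S> - Server<SECZIP.PKWARE.COM> Port<4389> - User<> Password<0> - Start Node<O=PKWARE> - Search Filter<(&(cn=*))>
LDAP_intialTest - --LDAP init ..... elasp time 0.000000 seconds
LDAP_intialTest - --LDAP bind ..... elasp time 0.000000 seconds
LDAP_intialTest - --LDAP Search ..... elasp time 0.000000 seconds
LDAP_intialTest - --LDAP Attributes ..... elasp time 0.000000 seconds
LDAP_intialTest - Total Entries=15
PKLDAPTEST LDAP Testing Ending RC=0
"""

SAMPLE_BIND_FAIL = """\
PKLDAPTEST LDAP Test Starting 2005/05/05 21:12:42
PKLDAPTEST Parameters:Action<s> - Server<seczip.pkware.com> Port<389> - User<> Password<0> - Start Node<o=pkware> - Search Filter<(&(userCertificate=*))>
LDAP_intialTest - --LDAP init ..... elasp time 0.000000 seconds
LDAP_intialTest - could not bind sculptor1.pkware.com for rc=81 <Can't contact LDAP server>
PKLDAPTEST LDAP Testing Ending RC=0
"""

# Patterns follow the spelling printed by the utility ("elasp", "intialTest").
_PARAMS = {
    "server": r"Server<([^>]*)>",
    "port": r"Port<(\d+)>",
    "user": r"User<([^>]*)>",
    "start_node": r"Start Node<([^>]*)>",
    # A filter ends with ")" immediately before the closing ">".
    "search_filter": r"Search Filter<(\(.*?\))>",
}
_PHASE = re.compile(r"--LDAP (\w+) \.+ elasp time ([\d.]+) seconds")
_BIND_ERR = re.compile(r"could not bind (\S+) for rc=(\d+) <([^>]*)>")
_TOTAL = re.compile(r"Total Entries=(\d+)")
_END_RC = re.compile(r"Testing Ending RC=(\d+)")


def expected_filter(user_filter=None):
    """Filter TEST should echo: the default, or the typed filter wrapped in (&...)."""
    if not user_filter:
        return "(&(userCertificate=*))"
    return "(&" + user_filter + ")"


def parse_ldap_test(text):
    """Extract parameters, completed phases and errors from saved TEST output."""
    result = {}
    for name, pattern in _PARAMS.items():
        m = re.search(pattern, text)
        result[name] = m.group(1) if m else None
    if result["port"] is not None:
        result["port"] = int(result["port"])
    result["phases"] = [m.group(1).lower() for m in _PHASE.finditer(text)]
    m = _BIND_ERR.search(text)
    result["bind_error"] = (
        {"host": m.group(1), "rc": int(m.group(2)), "message": m.group(3)}
        if m else None
    )
    m = _TOTAL.search(text)
    result["total_entries"] = int(m.group(1)) if m else None
    m = _END_RC.search(text)
    result["ending_rc"] = int(m.group(1)) if m else None
    return result


def verdict(result):
    """Classify a run from its message lines; the ending RC is not consulted."""
    if result["bind_error"]:
        return "bind_failed"
    if "search" in result["phases"] and result["total_entries"] is not None:
        return "ok"
    return "incomplete"


if __name__ == "__main__":
    for label, text in (("ok sample", SAMPLE_OK), ("error sample", SAMPLE_BIND_FAIL)):
        parsed = parse_ldap_test(text)
        print(label, verdict(parsed), "ending RC =", parsed["ending_rc"])
```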


Save Settings to an LDAP Profile

Press PF3 (END) to access the LDAP configuration setup screen. EDIT an LDAP profile member and paste the generated settings. Once you have completed the EDIT, you may return to this screen once again to generate and test additional connections.

Note: The input values will be retained throughout your SecureZIP for z/OS session for reference while working on new configurations. However, they will not be saved for future use once the SecureZIP for z/OS dialog has ended.

Please be aware that the LDAP profile may not contain any certificate validation policies for encryption. If the end user specifies only the LDAP profile without a local certificate store, then the SecureZIP default validation settings of TRUSTED and REVOKED will be enforced for the run. This will cause the job to fail during validation of the trusted certificate path because there are no CA and/or root certificates available for processing. If you wish to execute the SecureZIP job with the LDAP profile only, then you need to include the validation policy in the job stream (see sample below), or add the VALENCRYPT policy statement to the LDAP profile.

-INCLUDE_CMD(PKWARE.MVS.PROFILES(LDAP))
-RECIPIENT(LDAP:CN=PKWARE TEST4,R)
-{VALENCRYPT=NOTTRUSTED,EXPIRED,NOTREVOKED}
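One way to check a set of profile members before a run for the condition described above (an LDAP profile with no CA or root store and no VALENCRYPT statement) and for passwords stored in the members, as an added Python example that is not PKWARE code. The LDAP field positions are inferred from the two LDAP statements shown in this guide's panels and sample output, the fourth and fifth fields are left unnamed, treating a leading * as a comment is an assumption, and the function names are hypothetical.

```python
import re

# -{KEY=VALUE} control card; the log echo on this page prints it without "-".
CARD = re.compile(r"^-?\{(\w+)=([^}]*)\}")
# -recipient(...,PASSWORD=value) with an optional leading "*" (assumed comment).
RECIP_PW = re.compile(r"^(\*?)\s*-recipient\(.*?password=([^,)]*)", re.IGNORECASE)

# Assumed field order, inferred from the statements on this page:
#   -{LDAP=1;SCULPTOR1.PKWARE.COM;389;0;0;;;*CN;O=PKWARE}
#   {LDAP=1;192.168.1.54;4389;1;0;CN=LDAP Administrator;secret;;O=PKWARE;}
LDAP_FIELDS = ("number", "server", "port", "field4", "field5",
               "userid", "password", "filter_type", "start_node")

# Constructed sample members, using values that appear on this page.
SAMPLE_MEMBERS = [
    ("CERTPROF",
     "* Profile PKWARE.MVS.JCL(certprof)\n"
     "-recipient(db:cn=PKWARE Test02,R,PASSWORD=PKWARE)\n"
     "*-recipient(dsn://'SECZIP.IVP.CERT.ADMIN09.PFX',password=P455W0RD)\n"),
    ("LDAPPROF",
     "-{LDAP=1;192.168.1.54;4389;1;0;CN=LDAP Administrator;secret;;O=PKWARE;}\n"),
]


def parse_ldap_card(value):
    """Split an LDAP card value into named fields, padding missing ones."""
    parts = value.split(";")
    parts += [""] * (len(LDAP_FIELDS) - len(parts))
    return dict(zip(LDAP_FIELDS, parts))


def audit(members):
    """Return (member, code, detail) findings; password values are never echoed."""
    findings = []
    keys = set()
    for name, text in members:
        for raw in text.splitlines():
            line = raw.strip()
            m = RECIP_PW.match(line)
            # A value made only of "*" is a masked echo, not a stored password.
            if m and m.group(2).strip("*"):
                state = "commented-out" if m.group(1) else "active"
                findings.append((name, "recipient_password_in_profile", state))
                continue
            if line.startswith("*"):
                continue
            m = CARD.match(line)
            if not m:
                continue
            key, value = m.group(1).upper(), m.group(2)
            keys.add(key)
            if key == "LDAP":
                card = parse_ldap_card(value)
                if card["password"]:
                    detail = "server=" + card["server"] + " userid=" + card["userid"]
                    findings.append((name, "ldap_bind_password_in_profile", detail))
    # Assumption: no CSCA and no CSROOT card means no local CA/root store.
    if "LDAP" in keys and not keys & {"CSCA", "CSROOT"} and "VALENCRYPT" not in keys:
        findings.append(("(run)", "ldap_only_without_valencrypt",
                         "no CSCA/CSROOT and no VALENCRYPT statement"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_MEMBERS):
        print(*finding, sep=" | ")
```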

Runtime Configuration

This panel is used for entering configuration information to be used for the ISPF SECZIP interface. That information includes active load library, default options files, job card and other miscellaneous information.

In SecureZIP for z/OS, an additional panel must be configured. Notice that a message at the bottom of the following panel informs you to hit ENTER to view the SecureZIP Certificate Store Settings.


Zip/Unzip Runtime Configuration Panel

SecureZIP Runtime Configuration
OPTION ===> More: -
Initial Execution Default Command Settings
Defaults module.....: ACZDFLT (ACZDFLT)
ZIP processing......: 'PKWARE.MVS.INSTLIB(CMDZIP)'
UNZIP processing....: 'PKWARE.MVS.INSTLIB(CMDUNZIP)'
Foreground Processing Controls
Use TSO Prefix : N (Y/N)
Lowest Acceptable RC: 4 (0,4,8)
SYSPRINT Allocation
Type : CYLS (BLKS,TRKS,CYL)
Primary : 3
Secondary : 1
Batch Job Card information
//FPDCS1 JOB 'ACCOUNTING INFO',CLASS=A,REGION=8M,
// MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID
//*
Hit ENTER for SecureZIP Certificate Store Settings
To EXIT Press PF3 For HELP Press PF1

SecureZIP Runtime Configuration Panel

SecureZIP Runtime Configuration
Option ===>
Certificate Store Settings ( ENTER to validate PF7/PF8 to scroll)
/ to Edit the configuration file
Private-Cert> 'PKWARE.MVS.JCL(CERTPROF)'
DB Profile > 'PKWARE.MVS.JCL(DBPROF)'
LDAP Profile> 'PKWARE.MVS.JCL(LDAPPROF)'
-------------------------------------------------------------------------------
***** Top of Data **************************************************************
Private-key Certificate Recipient(s):
=====================================
*---------------------------------------------------------------------*
* Profile PKWARE.MVS.JCL(certprof) *
*---------------------------------------------------------------------*
-recipient(db:cn=PKWARE Test02,R,PASSWORD=PKWARE)
*-recipient(dsn://'SECZIP.IVP.CERT.ADMIN09.PFX',password=P455W0RD)
Local Certificate(DB) Profile:
==============================
*---------------------------------------------------------------------*
* PROFILE PKWARE.MVS.JCL(DBPROF) *
*---------------------------------------------------------------------*
* DATABASE ACCESS CONTROL CARDS

This panel is used for entering configuration information to be used for certificate profile information.

That information includes the locations of the private certificate, the data base profile, and the LDAP profile. With the exception of the private certificate location, the locations of the DB and LDAP profile will be completed for you by the certificate store administration and configuration option “CS” from the Main SecureZIP for z/OS panel.

SecureZIP Runtime Configuration Panel Undefined

SecureZIP Runtime Configuration
Option ===>
Certificate Store Settings ( ENTER to validate PF7/PF8 to scroll)
/ to Edit the configuration file
Private-Cert> undefined
DB Profile > undefined
LDAP Profile> undefined
-------------------------------------------------------------------------------
***** Top of Data **************************************************************
Private-key Certificate Recipient(s):
=====================================
Profile: MISSING DATASET NAME
Local Certificate(DB) Profile:
==============================
Profile: MISSING DATASET NAME
LDAP Configuration Profile:
===========================
Profile: MISSING DATASET NAME
***** Bottom of Data ***********************************************************

Prior to completing certificate store administration and configuration option “CS”, the configuration panel is undefined. As you complete the “CS” functions the panel will be populated with your runtime settings.

SecureZIP Runtime Configuration Panel with DB Profile Defined

SecureZIP Runtime Configuration
Option ===>
Certificate Store Settings ( ENTER to validate PF7/PF8 to scroll)
/ to Edit the configuration file
Private-Cert> undefined
DB Profile > 'PKWARE.MVS.JCL(CCFGFPD1)'
LDAP Profile> undefined
-------------------------------------------------------------------------------
***** Top of Data **************************************************************
Private-key Certificate Recipient(s):
=====================================
Profile: Undefined
Local Certificate(DB) Profile:
==============================
* DATABASE ACCESS CONTROL CARDS
-{CSPUB=4;1;PKWARE.MVS.CERTSTOR.PUBLIC}
-{CSPRVT=4;1;PKWARE.MVS.CERTSTOR.PRIVATE}
-{CSPUB_DBX=PKWARE.MVS.CERTSTOR.DBX}
-{CSPUB_DBX_PATH_CN=PKWARE.MVS.CERTSTOR.PATHCN}
-{CSPUB_DBX_PATH_EM=PKWARE.MVS.CERTSTOR.PATHEM}
-{CSPUB_DBX_PATH_PUBKEY=PKWARE.MVS.CERTSTOR.PATHPUBK}

This is an example of how the runtime configuration panel would look after completing the local certificate store configuration.

SecureZIP Runtime Configuration Panel with Private Certificate Location

SecureZIP Runtime Configuration
Option ===>
Certificate Store Settings ( ENTER to validate PF7/PF8 to scroll)
/ to Edit the configuration file
Private-Cert> 'PKWARE.MVS.JCL(CERTPROF)'
DB Profile > 'PKWARE.MVS.JCL(CCFGFPD1)'
LDAP Profile> 'PKWARE.MVS.JCL(LDAPFPD1)'
-------------------------------------------------------------------------------
***** Top of Data **************************************************************
Private-key Certificate Recipient(s):
=====================================
*---------------------------------------------------------------------*
* Profile PKWARE.MVS.JCL(CERTPROF) *
*---------------------------------------------------------------------*
-recipient(db:cn=PKWARE TEST,R,PASSWORD=PKWARE)

This is the runtime configuration panel with the private certificate identified that will be used to provide the private key to decrypt the archive. Notice that the RECIPIENT location, the requirement to always find the certificate (R), and the password for the private key are displayed as part of the panel information provided.

x.509 Certificate Utilities

This panel is used for working with CA, ROOT, and CRL files. If you receive a file claiming to contain CA or ROOT certificates, you can use the List and View features to review the data within the file. If you are not sure what type of store the file contains, use “BG” as a best guess to simulate and add. The utility will display detailed information about each process.

You may view your certificates in a table format, list the data about each certificate in a print format, simulate adding to a store, extract certificates to a temporary store, initialize a store, extract end entity certificates for input to a store, and convert EBCDIC BASE64 to ASCII BASE64.

SecureZIP x.509 Certificate Information
Option ===> More: +
x.509 Utilities
1 View Certificate(s) - Table Format
2 List Certificate(s)
3 Simulate Certificate Add
4 Work with CRL files
5 Select Certificates from a P7B source
6 Initialize a P7B Store
7 Extract End Entitiy for input to a Public Certificate Store
8 Translate EBCDIC BASE64 Certificate to ASCII BASE64
Enter the Certificate Source file to be used:
Data Set Name . . . 'SECZIP.FPD.SEC.PKTICAF.CRT'


This panel can be used to identify information about certificate files whose content you are not sure of, to initialize a P7B store, or to extract certificates from an existing P7B source file. If you know the source is a Certificate Revocation List, select Option 4 to proceed to CRL processing.

The Options

Option 1 - View Certificate(s)

This option builds an ISPF table display from the Certificate source file.

-----------------------------------------------------------------------------+
Certificate Source : PKWARE.MVS.INSTLIB2(PKWARERT)
Certificate Type : P7B with Best Guess
Primary commands:%SORT+. Scroll%RIGHT+or%LEFT+for more info.
To EXIT Press%PF3 +For HELP Press%PF1
Type Friendly Name
----------------------------------------------------------------
P7B PKTESTDB Root

Multiple passes will be completed with the input source file. Each pass will be detailed in the Certificate Type area.

Option 2 - List Certificate(s)

This option displays details about each certificate in the source file in a BROWSE window.

In the sample below, the store type used to produce the report is identified for each processing attempt. In this instance, P7B was used as the store type.

-----------------------------------------------------------------------------+
ZPCA960I SecureZIP Certificate Administration 4 Mar 2006 09:50:58
ZPCA960I List Certificate Source File 4 Mar 2006 09:50:58
ZPCA960I Certificate Input=PKWARE.MVS.INSTLIB2(PKWARERT)
ZPCA960I ***************************************************************
ZPCA960I P7B Attempt 4 Mar 2006 09:50:58
ZPCA960I ***************************************************************
ZPCA960I Store Detail using DSN=PKWARE.MVS.INSTLIB2(PKWARERT)
--- Certificate 1 ---
PKTESTDB Root
Subject:
C=US
S=Wisconsin
L=Milwaukee
O=PKWARE, Inc.
OU=PKWARE, Inc. -- for test and evaluation purposes only
CN=PKTESTDB Root
-----------------------------------------------------------------------------+

Option 3 - Simulate Certificate Add

This option displays details about certificates as they are processed by the simulated ADD environment.


Multiple passes will be completed with the input source file. Each pass will be detailed in the certificate type area.

You may disregard any error messages that do not relate to the type of certificate that is in the source file. The simulation does not require you to know exactly what is being processed; as a result, it can flag data as being in error that would not be considered an error if the correct type were used. For example, when you input a P7B certificate, this process will correctly simulate an install to the root store using P7B as the type but will fail using CER as the type.

using P7B

-----------------------------------------------------------------------------+
Certificate Source : SECZIP.FPD.SEC.FPDALL.P7B
Certificate Type : P7B with Best Guess
Primary commands:%SORT+. Scroll%RIGHT+or%LEFT+for more info.
To EXIT Press%PF3 +For HELP Press%PF1
Type Friendly Name
----------------------------------------------------------------
CA VeriSign Class 1 CA Individual Subscriber-Persona Not Validate
ROOT Class 1 Public Primary Certification Authority
-----------------------------------------------------------------------------+

using CER

-----------------------------------------------------------------------------+
Command ===> SCROLL ===> CSR
Certificate Source : SECZIP.FPD.SEC.PKTICAF.CRT
Certificate Type : P7B with Best Guess
Primary commands: SORT . Scroll RIGHT or LEFT for more info.
To EXIT Press PF3 For HELP Press PF1
Type Friendly Name
-----------------------------------------------------------------------
ZPCA990I Simulate Certificate processing 10 Mar 2006 12:59:53
ZPCA990I Cert Input=SECZIP.FPD.SEC.PKTICAF.CRT
ZPCA990I ********************************************************************
ZPCA990I CER Attempt 10 Mar 2006 12:59:53
ZPCA990I ********************************************************************
ZPCA990I Store Detail using DSN=SECZIP.FPD.SEC.PKTICAF.CRT
ZPCA810E ERROR: Failed to build certificate store '//'SECZIP.FPD.SEC.PKTICAF.CR
ZPCA810E ERROR: Cannot continue. Unable to open certificate store.
ZPCA810E ERROR: Cannot continue. Unable to process certificate file '//'SECZIP
ZPCA991E ********************************************************************
ZPCA991E List Completed with errors 10 Mar 2006 13:05:01
ZPCA991E ********************************************************************

Certain types of errors encountered will present a popup window similar to the one below. To get further information on the error press PF1.

%---------------------------
%-Sim Error-PF1 for detail -
%---------------------------
%**************************************************************************
%*Sim Error-PF1 for detail - Certificate simulation encountered an error *
%*during the add operation. Error text = ZPCA811E ERROR: Cert Wrap failed*
%*to open '//'SECZIP.FPD.SEC.FPDALL.P7B''. CW Error = 0x0. Press Enter to *
%*continue *
%**************************************************************************


Option 4 - Work with CRL files

The CRL Utilities allow you to view details about installed certificates, simulate the addition of an update list to your CRL store, and update the CRL store.

You may view the revocation lists in a table format, list the data about each revocation list in a print format, simulate adding to a store, and update the CRL store.

1+ View Installed CRLs from Store - Table Format
2+ List Installed CRLs from Store
3+ Update the CRL Store
4+ Simulate Update
5+ Synchronize Data Base
For Options 3 and 4 you must specify the input CRL file.
Input X.509 Certificate Revocation List File
Data Set Name:_crlsrc +
File Type :_crltype+!(P7B, CRL or BG for Best Guess)

Option 5 - Select Certificates from a P7B source

This option will take a P7B source file and attempt to separate and copy into the respective stores the certificates contained in the input. These separated certificates can then be used as input into the add processes for updating your local certificate stores.

x.509 Utilities
Select Certificates from a P7B Store
Please note: -- Any existing data in the files will be deleted --
Enter the Sequential File Names to be used for output:
These files should be used as temporary stores only
CA = 'FPD.PKWARE.STORCSCA'
ROOT = 'FPD.PKWARE.STORCSRT'
CRL = 'FPD.PKWARE.STORCSRL'
CERT Output = 'FPD.PKWARE.STORCSEE'

This option displays details about certificates as they are processed by the Select environment.

Multiple passes will be completed with the input source file. Each pass will be displayed with detailed information, and a request box will be displayed where you can stop the process if you are satisfied with the certificates selected to that point. If you allow the process to continue, each subsequent step will reinitialize the output stores, and any certificates selected previously will be deleted.


Here is an unsuccessful example using P7B as the certificate type.

using P7B

ZPCA940I Select Certificate processing 10 Mar 2005 14:42:56
ZPCA940I Certificate Input=SECZIP.FPD.SEC.PKTICAF.CRT
ZPCA940I P7B Attempt 10 Mar 2006 14:42:56
ZPCA940I ********************************************************************
ZPCA940I Store Detail using DSN=SECZIP.FPD.SEC.PKTICAF.CRT
ZPCA811E ERROR: Cert Wrap failed to open '//'SECZIP.FPD.SEC.PKTICAF.CRT''. CW
ZPCA850E ERROR: Cannot continue. Unable to open certificate file '//'SECZIP.FP
ZPCA850E ERROR: Cannot continue. Unable to determine certificate file count.
ZPCA850E ERROR: Cannot continue. Unable to process certificate file '//'SECZIP
ZPCA941E ********************************************************************
ZPCA941E Select Completed with errors 10 Mar 2006 14:42:56

The popup box will ask you if you wish to continue. If you press enter the output stores will be overwritten.

%**************************************************************
%*PKUT001 ===> *
%* *
%* Continue with next scenario - CER *
%* *
%*Press ENTER to continue. *
%*Press PF3 or enter CANCEL command to return. *
%* *
%* *
%**************************************************************

using CER

ZPCA940I CER Attempt 10 Mar 2006 14:44:20
ZPCA940I ********************************************************************
ZPCA940I Store Detail using DSN=SECZIP.FPD.SEC.PKTICAF.CRT
ZPCA000I SUCCESS: Added certificate to store '//'FPD.PKWARE.STORCSCA''. DSN=
ZPCA000I SUCCESS: Saved certificate store '//'FPD.PKWARE.STORCSCA'' to disk.
ZPCA000I Added 1 of a possible 1 certificates to the CA store.
ZPCA000I 0 certificates in the CA store before the Add command.
ZPCA000I 1 certificates in the CA store after the Add command.
ZPCA940I ********************************************************************
ZPCA940I Select Completed rc=0 10 Mar 2006 14:44:23
ZPCA940I ********************************************************************

Notice above that the CER attempt was successful; if you press Enter, the certificates that have been extracted will be overwritten.

If you press enter the output stores will be overwritten.

%**************************************************************
%*PKUT001 ===> *
%* *
%* Continue with next scenario - CRL *
%* *
%*Press ENTER to continue. *
%*Press PF3 or enter CANCEL command to return. *
%* *
%* *
%**************************************************************
-----------------------------------------------------------------------------+


Option 6 - Initialize a P7B Store

This option conditions a dataset for use as a P7B store.

Initialize a P7B Store
Please note: -- Any data in the file will be deleted --
Enter the Sequential File Name of the Certificate Store:
For example: 'HLQ.CERTSTOR.P7CRL'

Option 7 - Extract End-Entity for Input to a Public Certificate Store

This option takes a P7B source file and attempts to copy its end-entity certificates into the destination file. These can then be used as input to the Add Certificate processing to place the certificates in the public key stores.

Please note: The member names generated will always be EE and the certificate number. If you use the same output PDS as a previous attempt the existing members will be replaced with any newly generated members.
Enter the PDS File Name to be used for output:
Note: This file will be used as input to the add certificate function
%EE File = 'FPD.PKWARE.STORCSNE'
Please note: -- The member names generated will be composed of the following:
EE pos 1 and 2
Generated Cert ID pos 3 thru 8
For example:
EE1 for the first extracted certificate
EE2 for the second extracted certificate
Press%'ENTER'+for next topic

Option 8 - Translate EBCDIC BASE64 Certificate to ASCII BASE64

This option will take an EBCDIC encoded BASE64 certificate and translate to a BASE64 encoded ASCII certificate.

x.509 Utilities
Translate EBCDIC Certificate to ASCII Certificate
Note: The translation is standard BASE64 conversion with the addition of the SPACE character converted also.
Enter the File Name to be used for input:
EBCDIC Cert =
Enter the File Name to be used for output:
ASCII Cert =
ENTER To Process, To EXIT Press PF3 For HELP Press PF1
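To show what an EBCDIC-to-ASCII Base64 translation involves, here is an added Python example; it is not PKWARE code and does not reproduce the utility's internals. It assumes the input is a fixed-block data set of 80-byte records padded with EBCDIC spaces and that code page 037 applies; the function names and the sample bytes are constructed for illustration.

```python
import base64

RECORD_LENGTH = 80      # assumption: fixed-block input with 80-byte records
EBCDIC_CODEC = "cp037"  # assumption: the Base64 letters, digits, + / = - and the
                        # space sit at the same code points in common EBCDIC pages

B64_CHARS = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
)


def ebcdic_records_to_ascii_pem(raw: bytes, record_length: int = RECORD_LENGTH) -> bytes:
    """Translate EBCDIC Base64 certificate records into ASCII PEM text."""
    if not raw or len(raw) % record_length:
        raise ValueError("input is not a whole number of fixed-length records")
    lines = []
    for offset in range(0, len(raw), record_length):
        record = raw[offset:offset + record_length].decode(EBCDIC_CODEC)
        text = record.rstrip(" ")  # EBCDIC X'40' pad bytes decode to spaces
        if text:
            lines.append(text)
    # An input that is already ASCII decodes to control characters here and
    # fails this check instead of being silently "translated" twice.
    if (len(lines) < 3
            or not lines[0].startswith("-----BEGIN ")
            or not lines[-1].startswith("-----END ")):
        raise ValueError("no PEM armor found; input is not EBCDIC Base64 text")
    for number, line in enumerate(lines[1:-1], start=2):
        stray = set(line) - B64_CHARS
        if stray:
            raise ValueError(f"line {number}: non-Base64 characters {sorted(stray)!r}")
    return ("\n".join(lines) + "\n").encode("ascii")


def pem_to_der(pem: bytes) -> bytes:
    """Decode the Base64 body and confirm it starts with a DER SEQUENCE tag."""
    body = b"".join(
        line for line in pem.splitlines() if line and not line.startswith(b"-----")
    )
    der = base64.b64decode(body, validate=True)
    if not der.startswith(b"\x30"):
        raise ValueError("decoded data does not start with a DER SEQUENCE tag")
    return der


def build_constructed_sample():
    """Return (der, ebcdic_records) for a constructed, non-certificate DER blob."""
    # SEQUENCE { INTEGER 1, UTF8String "PKTEST" } -- constructed test data only.
    der = bytes.fromhex("300b0201010c06504b54455354")
    lines = [
        "-----BEGIN CERTIFICATE-----",
        base64.b64encode(der).decode("ascii"),
        "-----END CERTIFICATE-----",
    ]
    raw = b"".join(line.ljust(RECORD_LENGTH).encode(EBCDIC_CODEC) for line in lines)
    return der, raw


if __name__ == "__main__":
    expected_der, ebcdic = build_constructed_sample()
    ascii_pem = ebcdic_records_to_ascii_pem(ebcdic)
    print(ascii_pem.decode("ascii"), end="")
    print("round trip ok:", pem_to_der(ascii_pem) == expected_der)
```

Decoding the translated body back to DER is a quick way to confirm that a file transferred in text mode has not been translated twice or had characters outside the Base64 alphabet substituted.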


Certificate Revocation Lists

SecureZIP Certificate Revocation Lists
Option ===>
Store Configuration: 'SECZIP.FPD.PROFILES(DB810X)'
Active CRL Store: SECZIP.FPD900.CERTSTOR.P7CRL
1 View Installed CRLs from Store - Table Format
2 List Installed CRLs from Store
3 Update the CRL Store
4 Simulate Update
5 Synchronize Data Base Index
Information requested below only applies to Option 3 and 4
Input X.509 Certificate Revocation List File
Data Set Name: UNDEFINED
File Type : CRL (P7B, CRL or BG for Best Guess)

Option 1 - View Installed CRLs from Store

This option builds an ISPF table display using the certificate revocation list and the current certificate store.

The information is displayed on six screens. The first three screens represent the public or private certificate that is revoked, and the following three screens represent the certificate authority that issued the revocation list.

Screen 1

-----------------------------------------------------------------------------+
Certificate Store : SECZIP.FPD.CERTSTOR.P7CRL
Certificate Type : CRL with Best Guess ASCII Based Certificate
Primary commands:%SORT+. Scroll%RIGHT+or%LEFT+for more info.
To EXIT Press%PF3 +For HELP Press%PF1
#Revoked Certificate Information
Type Serial Number IDHash
-------------------------------------------------------------------------
#PVT 01 DA9F053EEF6684FC2BDF63962E24775EE81160ED
Scroll%Left~or%Right~for additional information pertaining to the revoked certificates.

Screen 2

-----------------------------------------------------------------------------+
Certificate Store : SECZIP.FPD.CERTSTOR.P7CRL
Certificate Type : CRL with Best Guess ASCII Based Certificate
Primary commands:%SORT+. Scroll%RIGHT+or%LEFT+for more info.
To EXIT Press%PF3 +For HELP Press%PF1
#Revoked Certificate Information
Type Common Name
-------------------------------------------------------------------------
#PVT PKWARE TEST9
-----------------------------------------------------------------------------+


Screen 3

-----------------------------------------------------------------------------+
Certificate Store : SECZIP.FPD.CERTSTOR.P7CRL
Certificate Type : CRL with Best Guess ASCII Based Certificate
Primary commands:%SORT+. Scroll%RIGHT+or%LEFT+for more info.
To EXIT Press%PF3 +For HELP Press%PF1
#Revoked Certificate Information
Type Email Address
-------------------------------------------------------------------------
#PVT [email protected]
-----------------------------------------------------------------------------+

Screen 4

-----------------------------------------------------------------------------+
Certificate Store : SECZIP.FPD.CERTSTOR.P7CRL
Certificate Type : CRL
Primary commands:%SORT+. Scroll%RIGHT+or%LEFT+for more info.
To EXIT Press%PF3 +For HELP Press%PF1
%CRL Issuer Information
CertID CRL Friendly Name
-------------------------------------------------------------------------
#1 %PKWARE Test Intermediate Cert A
-----------------------------------------------------------------------------+

Screen 5

-----------------------------------------------------------------------------+
Certificate Store : SECZIP.FPD.CERTSTOR.P7CRL
Certificate Type : CRL
Primary commands:%SORT+. Scroll%RIGHT+or%LEFT+for more info.
To EXIT Press%PF3 +For HELP Press%PF1
%CRL Issuer Information
CertID Organizational Unit
-------------------------------------------------------------------------
#1 %PKWARE, INC. -- FOR TEST AND EVALUATION PURPOSES ONLY
-----------------------------------------------------------------------------+

Screen 6

-----------------------------------------------------------------------------+
Certificate Store : SECZIP.FPD.CERTSTOR.P7CRL
Certificate Type : CRL
Primary commands:%SORT+. Scroll%RIGHT+or%LEFT+for more info.
To EXIT Press%PF3 +For HELP Press%PF1
%CRL Issuer Information
CertID Total Revoked / Last Updated / Next Update
-------------------------------------------------------------------------
#1 %1 UNKNOWN UNKNOWN
-----------------------------------------------------------------------------+

Option 2 - List Installed CRLs from Store

List details about each Certificate Revocation List in your store.

In the sample below, each revocation list is identified by the heading CRL n, where n is the sequential number of the certificate in the store.

Each certificate that is revoked has a SerialNumber= line followed by IDHash= of the CA that issued the certificate. This data is used to identify the public or private key certificate that has been revoked. When you choose Option 1, the information on those certificates is displayed if it matches public or private key certificates in your store.

-----------------------------------------------------------------------------+
ZPCA920I SecureZIP Certificate Administration 11 Mar 2006 15:47:19
ZPCA920I List Certificate Revocations 11 Mar 2006 15:47:19
ZPCA920I *********************************************************************
ZPCA920I CRL Input=SECZIP.FPD.CERTSTOR.P7CRL
ZPCA920I *********************************************************************
Store Detail using DSN=SECZIP.FPD.CERTSTOR.P7CRL
---------
--- CRL 1 ---
PKWARE Test Intermediate Cert A
Issuer: C=US;S=Wisconsin;L=Milwaukee;O=PKWARE, Inc.;OU=PKWARE, Inc. -- for test and
LastUpdate: Unknown
NextUpdate: Unknown
Revoked Serial Numbers (1):
SerialNumber=01; IDHash=DA9F053EEF6684FC2BDF63962E24775EE81160ED;
--- CRL 2 ---
PKWARE Test Intermediate Cert F
Issuer: C=US;S=Wisconsin;L=Milwaukee;O=PKWARE, Inc.;OU=PKWARE, Inc. -- for test and
LastUpdate: Tue Feb 8 16:01:09 2005
NextUpdate: Tue Apr 9 16:01:09 2024
Revoked Serial Numbers (1):
SerialNumber=01; IDHash=7A0F9161C04890CAAEF123170CCB83227EEBEB30;
-----------------------------------------------------------------------------+
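A saved copy of this listing can be checked mechanically for revocation lists whose NextUpdate is unknown or already past. The following is an added Python example, not part of SecureZIP; the one-field-per-line layout of the sample and the finding labels are assumptions made for illustration, and the sample text is constructed from the values in the listing above.

```python
import re
from datetime import datetime

# Constructed sample modelled on the "List Installed CRLs" report above.
# Assumption: each field of the report sits on its own line.
SAMPLE_REPORT = """\
ZPCA920I CRL Input=SECZIP.FPD.CERTSTOR.P7CRL
--- CRL 1 ---
PKWARE Test Intermediate Cert A
LastUpdate: Unknown
NextUpdate: Unknown
Revoked Serial Numbers (1):
SerialNumber=01; IDHash=DA9F053EEF6684FC2BDF63962E24775EE81160ED;
--- CRL 2 ---
PKWARE Test Intermediate Cert F
LastUpdate: Tue Feb 8 16:01:09 2005
NextUpdate: Tue Apr 9 16:01:09 2024
Revoked Serial Numbers (1):
SerialNumber=01; IDHash=7A0F9161C04890CAAEF123170CCB83227EEBEB30;
"""

SECTION = re.compile(r"(?m)^[ \t]*--- CRL (\d+) ---[ \t]*$")
FIELD = re.compile(r"(?m)^[ \t]*(LastUpdate|NextUpdate):[ \t]*(.*?)[ \t]*$")
DECLARED = re.compile(r"Revoked Serial Numbers \((\d+)\):")
# \s* lets SerialNumber= and IDHash= share a line or sit on consecutive lines.
REVOKED = re.compile(r"SerialNumber=([0-9A-Fa-f]+);\s*IDHash=([0-9A-Fa-f]{40});")


def parse_timestamp(value):
    """Return a datetime, or None for 'Unknown' and anything unparseable."""
    try:
        return datetime.strptime(" ".join(value.split()), "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None


def parse_crl_report(text):
    """Split the report into one dict per '--- CRL n ---' section."""
    parts = SECTION.split(text)  # [preamble, "1", body1, "2", body2, ...]
    crls = []
    for i in range(1, len(parts), 2):
        body = parts[i + 1]
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        fields = dict(FIELD.findall(body))
        declared = DECLARED.search(body)
        crls.append({
            "index": int(parts[i]),
            "name": lines[0] if lines else "",
            "last_update": parse_timestamp(fields.get("LastUpdate", "")),
            "next_update": parse_timestamp(fields.get("NextUpdate", "")),
            "declared": int(declared.group(1)) if declared else None,
            "revoked": REVOKED.findall(body),  # [(serial, issuer_id_hash), ...]
        })
    return crls


def audit_crls(crls, as_of):
    """Return (crl_index, finding) pairs that an administrator should review."""
    findings = []
    for crl in crls:
        if crl["next_update"] is None:
            findings.append((crl["index"], "no-next-update"))  # freshness unknown
        elif crl["next_update"] < as_of:
            findings.append((crl["index"], "stale"))           # past NextUpdate
        if crl["declared"] is not None and crl["declared"] != len(crl["revoked"]):
            findings.append((crl["index"], "count-mismatch"))  # truncated listing?
    return findings


if __name__ == "__main__":
    parsed = parse_crl_report(SAMPLE_REPORT)
    for index, finding in audit_crls(parsed, datetime.now()):
        print(f"CRL {index}: {finding}")
```

A list flagged "stale" or "no-next-update" is a prompt to obtain a current CRL from the issuing CA and install it with Option 3.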

Option 3 - Update the CRL Store

Allows you to update the P7CRL store used for Certificate Revocation.

Store Configuration:%'SECZIP.FPD.PROFILES(DBPROF)'
#Active CRL Store: SECZIP.FPD.CERTSTOR.P7CRL
1 View Installed CRLs from Store - Table Format
2 List Installed CRLs from Store
3 Update the CRL Store
4 Simulate Update
5 Synchronize Data Base Index
You must enter the file location of the CRL list you wish to use as the input to the process and the type of data contained within.
Input X.509 Certificate Revocation List File ---------------+
#Data Set Name: 'SECZIP.FPD.SEC.CRL1.CRL'
# File Type : CRL +(P7B, CRL or BG for Best Guess)


A pop-up panel then asks for the following information.

This panel asks if you want to update the certificate store data base to reflect the revocations in the CRL file. Enter Y or N, and press ENTER. Pressing PF3 or entering the CANCEL command results in an N being entered for you. Normally, if you are installing a single CRL, you should pick Y, and update the data base. If you are installing multiple CRLs, pick N, and the popup will not appear again until you exit and re-enter Certificate Store Administration. If you pick 'N', you should run the Synchronize Data Base Index after all CRLs are installed. Not updating the data base will allow certificates to be viewed and selected, but they will fail during the associated SECZIP run.

After you have hit Enter, you will receive a notification of completion in the message field of the panel: “Done PF1 for info”

Messages inform whether certificates were added and, if so, how many.

%**************************************************************************
%*No added certificates Total Before = 2 Total After = 2 *
%**************************************************************************

%**************************************************************************
%* Added 1 of a possible 1 Total Before = 2 Total After = 3 *
%**************************************************************************

Option 4 - Simulate Update

This option can be used to test installation of a CRL. Below is a sample output of this option.

ZPCA910I SecureZIP Certificate Administration 11 Mar 2006 16:28:55
ZPCA910I Input Processing of 'SECZIP.FPD.SEC.CRL3.CRL'
ZPCA910I Validation Processing of SECZIP.FPD.CERTSTOR.P7CA
ZPCA910I Output Processing of SECZIP.FPD.CERTSTOR.P7CRL
ZPCA000I SUCCESS: Added certificate '//'SECZIP.FPD.SEC.CRL3.CRL'' to store '//'
ZPCA846W WARNING: Simulation Requested. Nothing will be saved to the store.
ZPCA000I SUCCESS: Saved certificate store '//'SECZIP.FPD.CERTSTOR.P7CRL'' to di
ZPCA846W WARNING: Simulation Requested. Nothing will be saved to the store.
ZPCA000I Added 0 out of 1 certificates to the CRL store.
ZPCA000I 3 entries in the CRL store before the Add command.
ZPCA000I 3 entries in the CRL store after the Add command.
-----------------------------------------------------------------------------+


Option 5 - Synchronize Data Base Index

This option displays details about each certificate in the source file. If you specify BG as the store type, two passes are completed on the source file and two sets of listings are displayed. The first is for type CER, and the next is for type P7B. After each listing is displayed, press PF3 to return.

Filename Encryption

How SecureZIP for z/OS Encrypts File Names

SecureZIP for z/OS encrypts file names using your current settings for (strong) encryption method and algorithm. File names can be encrypted using either strong password encryption or a recipient list (or both). You must use one of the strong encryption methods: you cannot encrypt file names using traditional password encryption.

Note: Encrypting names of files and folders in an archive encrypts and hides a good deal of other internal information about the archive as well. To encrypt file names, SecureZIP for z/OS encrypts the archive's central directory, where virtually all such metadata about the archive is stored.

Note: Be aware that archive comments are not encrypted even when you encrypt file names. Do not put sensitive information in an archive comment.
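In the ZIP format the archive comment is carried in the end-of-central-directory record, which follows the central directory, so it can be read from the raw bytes without any key. The following added Python example (not PKWARE code) reads that record and reports the comment together with any file names that are readable in the clear; it runs on a constructed, unencrypted archive because Python's zipfile module cannot produce strong encryption, and the function names are illustrative.

```python
import io
import struct
import zipfile

EOCD = struct.Struct("<4s4H2LH")    # end-of-central-directory record, 22 bytes
CDH = struct.Struct("<4s6H3L5H2L")  # central directory file header, 46 bytes
EOCD_SIG = b"PK\x05\x06"
CDH_SIG = b"PK\x01\x02"


def read_eocd(data: bytes) -> dict:
    """Locate the end-of-central-directory record and return its key fields."""
    # The record is 22 bytes plus a comment of at most 65535 bytes, so it can
    # only start within that distance of the end of the file.
    floor = max(0, len(data) - (EOCD.size + 0xFFFF))
    pos = data.rfind(EOCD_SIG, floor)
    while pos != -1:
        if pos + EOCD.size <= len(data):
            fields = EOCD.unpack_from(data, pos)
            comment_end = pos + EOCD.size + fields[7]
            if comment_end == len(data):  # comment must run to end of file
                return {
                    "cd_size": fields[5],
                    "cd_offset": fields[6],
                    "comment": data[pos + EOCD.size:comment_end],
                }
        pos = data.rfind(EOCD_SIG, floor, pos)
    raise ValueError("no end-of-central-directory record found")


def plaintext_names(data: bytes, eocd: dict) -> list:
    """Return file names readable as plain central directory headers.

    An empty list means no plain header was found at the recorded offset.
    """
    names = []
    pos = eocd["cd_offset"]
    end = min(pos + eocd["cd_size"], len(data))
    while pos + CDH.size <= end:
        fields = CDH.unpack_from(data, pos)
        if fields[0] != CDH_SIG:
            break
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        start = pos + CDH.size
        names.append(data[start:start + name_len].decode("cp437", "replace"))
        pos = start + name_len + extra_len + comment_len
    return names


def audit_archive(data: bytes) -> dict:
    """Report what a reader without any key can see in the archive trailer."""
    eocd = read_eocd(data)
    return {"comment": eocd["comment"], "names_visible": plaintext_names(data, eocd)}


def build_constructed_archive() -> bytes:
    """Build a small unencrypted archive with a comment (constructed data)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("PAYROLL/MASTER.TXT", "constructed sample record\n")
        archive.comment = b"Q3 payroll extract for finance"
    return buffer.getvalue()


if __name__ == "__main__":
    report = audit_archive(build_constructed_archive())
    print("comment readable without a key:", report["comment"])
    print("file names readable without a key:", report["names_visible"])
```

Running such a check over outbound archives before transfer gives a simple control for the rule stated in the note: anything found in the comment field should be treated as public.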

When SecureZIP for z/OS Encrypts File Names

With archives that do not already contain encrypted file names:

SecureZIP for z/OS encrypts file names only when you add files to an archive: SecureZIP for z/OS does not encrypt file names when you encrypt files that are already in an archive even if the option to encrypt file names is turned on.

SecureZIP for z/OS encrypts file names only when you add and encrypt files: SecureZIP for z/OS does not encrypt file names when you add files without encrypting them, even if the option to encrypt file names is turned on.

Encrypting File Names When You Update an Archive

If you turn on the setting to encrypt file names and then add files to an archive that already contains files with unencrypted file names, SecureZIP for z/OS encrypts the names of all files in the archive.

If the archive contains files whose contents are already encrypted, SecureZIP for z/OS will reject an attempt to add filename encryption.

If you update an archive that already contains files with encrypted file names, SecureZIP for z/OS encrypts the newly added files and their names using the same password or recipient list originally used to encrypt file names in the archive.

Note:

Once file names in an archive are encrypted, you cannot currently remove the encryption or change the password or recipient list used.

You cannot change the encryption on files that are already in an archive that contains encrypted file names.


Opening and Viewing an Archive that Has Encrypted File Names

Opening an archive that contains encrypted file names requires PKZIP for zSeries Enterprise Edition version 8.2 or later, or SecureZIP for zSeries 8.1 with the Advanced Encryption Module.

Input required to View Recipients in a Filename Encrypted Archive

To view the recipients of an FNE archive you must place VERBOSE in the input.

//FPDTEST3 JOB '0',CLASS=A,REGION=64M,
//         MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID
//UNZIP    EXEC PGM=SECUNZIP
//STEPLIB  DD DISP=SHR,DSN=PKWARE.MVS.LOAD
//         DD DISP=SHR,DSN=PKWARE.MVS.LOAD
//CERT     DD DSN=FPD.FPDPVT08.PFX,DISP=SHR
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
-ARCHIVE_DSN(PKWARE.MVS.FNEREC.ZIP)
-VERBOSE
-ACTION(VIEW)
-RECIPIENT(DD:CERT,R,PASSWORD=PKWARE)

View of Recipients in a Filename Encrypted Archive

ZPLI001I SecureZIP(R) for z/OS, Version 9.0 - 06/26/2006 07.22 LVL(0)
ZPLI001I Copyright. 1989-2006 PKWARE Inc. All Rights Reserved.
ZPLI001I SecureZIP (R) is a trademark of PKWARE, Inc.
ZPLI001I Registered, Processor Type=7060 Processor Group=00 Serial Number=00052
ZPLI001I OS Level: HBB7707 SP7.0.6
-INCLUDE_CMD=SECZIP.IVP.JCL(DEVCERT1)
-ECHO=N
-ARCHIVE_DSN(PKWARE.MVS.FNEREC.ZIP)
-VERBOSE
-LOGGING_LEVEL(VERBOSE)
-ACTION(VIEW)
-RECIPIENT(DD:CERT,R,PASSWORD=******)
ZPCM011I Processing EXEC PARM parameters
ZPEN110I Locating Digital Certificates ...
ZPCM023I Digital Certificate Store Configuration
{CSPUB=4;1;PKWARE.MVS.CERTSTOR.PUBLIC}
{CSPRVT=4;1;PKWARE.MVS.CERTSTOR.PRIVATE}
{CSCA=1;1;PKWARE.MVS.CERTSTOR.PUBLIC(CAP7)}
{CSROOT=1;1;PKWARE.MVS.CERTSTOR.PUBLIC(ROOTP7)}
{CSPUB_DBX=PKWARE.MVS.CERTSTOR.PUBLIC.DBX}
{CSPUB_DBX_PATH_CN=PKWARE.MVS.CERTSTOR.PATHCN}
{CSPUB_DBX_PATH_EM=PKWARE.MVS.CERTSTOR.PATHEM}
{CSPUB_DBX_PATH_PUBKEY=PKWARE.MVS.CERTSTOR.PATHPUBK}
{LDAP=1;192.168.1.54;4389;1;0;CN=LDAP Administrator;secret;;O=PKWARE;}
ZPCM023C ---------------------------------------
ZPCM024I Digital Certificate Request List
ZPCM024C Req'd Private Recipient dd:CERT
ZPCM024C FILE FOUND *REQUIRED*
ZPCM024C --------------------------------
ZPAP900I NO API REQUIRED
ZPCM100I Configuration Manager Shutdown. Posting Main Task: 00000000
ZPAM030I INPUT Archive opened: PKWARE.MVS.FNEREC.ZIP
ZPAM710I Archive Directory is Compressed 85%
ZPAM711I Archive Directory is Encrypted: AES_256 Certificate Only
ZPEX100I Extract Task { 5} TCB: 008D0A90 Started.
ZPEX004I Archive Central Directory extracted for processing.
ZPAM014I 234 file(s) are in the input Archive.


ZPAM012I ZIP comment: SecureZIP for z/OS by PKWARE
ZPAM013I *********************************************************************************
ZPAM015I Length Method Size Ratio Date Time CRC-32 Name
ZPAM016I ------------- ------------ ------------- ----- ---------- ----- -------- -----------------------------------
ZPAM017I 4,183 Deflate-SFST 2,240 46% 08/30/2005 16:24 419ABFDA ! PKWARE/MVS/JCL/ACZDFLT
ZPAM017I 4,183 Deflate-SFST 2,256 46% 08/30/2005 16:24 18A324CE ! PKWARE/MVS/JCL/ACZDFL
ZPAM017I 1,067 Deflate-SFST 1,536 0% 08/30/2005 16:24 183003D8 ! PKWARE/MVS/JCL/ZIPVIEW
………………… ………………… ……………
ZPAM017I 1,067 Deflate-SFST 1,536 0% 08/30/2005 16:24 2F3E1C63 ! PKWARE/MVS/JCL/ZIP12
ZPAM017I 985 Deflate-SFST 1,520 0% 08/30/2005 16:24 5A8D5879 ! PKWARE/MVS/JCL/ZIP123
ZPAM018I ------------- ------------- -----
ZPAM019I 698,546 450,288 36%
ZPAM013I *********************************************************************************
ZPAM140I FILES: VIEWED EXCLUDED BYPASSED IN ERROR
ZPAM140I 234 0 0 0
ZPAM712I Archive Directory Encryption Recipients:
ZPAM320I 4 recipient(s) were designated:
ZPAM321I Recipient: PKWARE Test01
ZPAM323I Email: [email protected]
ZPAM325I Valid: 07/23/2002-07/23/2003
ZPAM326I Issuer: VeriSign, Inc.
ZPAM321I Recipient: PKWARE Test02
ZPAM323I Email: [email protected]
ZPAM325I Valid: 11/05/2003-11/04/2004
ZPAM326I Issuer: VeriSign, Inc.
ZPAM321I Recipient: PKWARE Test03
ZPAM323I Email: [email protected]
ZPAM325I Valid: 07/22/2003-07/21/2004
ZPAM326I Issuer: VeriSign, Inc.
ZPAM321I Recipient: PKWARE Test04
ZPAM323I Email: [email protected]
ZPAM325I Valid: 07/22/2003-07/21/2004
ZPAM326I Issuer: VeriSign, Inc.
ZPAM101I Archive Manager Task { 3} TCB: 008D0E88 shutdown begun.
ZPAM109I Archive Manager Task { 3} TCB: 008D0E88 shutdown complete.
ZPEX101I Extract Task { 5} TCB: 008D0A90 shutdown begun.
ZPEX109I Extract Task { 5} TCB: 008D0A90 shutdown complete.
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)

View Detail of an Archive that Has Encrypted File Names

ZPAM711I in the output below identifies the type of encryption used for filename encryption.

ZPAM030I INPUT Archive opened: PKWARE.MVS.FNEREC.ZIP
ZPAM710I Archive Directory is Compressed 85%
ZPAM711I Archive Directory is Encrypted: AES_256 Certificate Only
ZPAM014I 234 file(s) are in the input Archive.
ZPAM012I ZIP comment: SecureZIP for z/OS by PKWARE
ZPAM013I *************************************************************
ZPAM001I Filename: PKWARE/MVS/JCL/ACZDFLT
ZPAM002I File type: TEXT
ZPAM003I Date/Time: 30-AUG-2005 16:24:00
ZPAM004I Compression Method: Deflate- Super Fast
ZPAM005I Compressed Size: 2,240
ZPAM006I Uncompressed Size: 4,183


ZPAM007I 32-bit CRC: 419ABFDA LHDR Offset: 0
ZPAM008I Created by: PK zSeries 9.0
ZPAM009I Needed to extract: ZipSpec 6.1
ZPAM010I Encryption: AES_256 Certificate Key BSAFE(R)
ZPAM301I File Type: NONVSAM PDS
ZPAM302I File PDS Directory Blocks: 50
ZPAM303I File Record Format: FB
ZPAM304I File Allocation Type: CYL
ZPAM305I File Primary Space Allocated: 5
ZPAM306I File Secondary Space Allocated: 9
ZPAM307I File Record Size: 80
ZPAM308I File Block Size: 27920
ZPAM309I File Volume(s) Used: FPD002
ZPAM310I File Creation Date: 2005/07/22
ZPAM311I File Referenced Date: 2005/08/30
ZPAM319I SMS Storage Class: PRIVATE
ZPAM312I File PDS Extended Directory Information:
DIRECTORY INFORMATION FOLLOWS LENGTH=00001E
000000 01040029 0102198F 0102205F 14010033 |........... ....| ) _ 3|
000010 00330000 C6D7C440 40404040 40400000 |....FPD ..| 3 @@@@@@@ |
ZPAM312C -SIZE -CREATED-- ------CHANGED------ ---ID-- -INIT VV.MM
ZPAM312C 51 2004/07/17 2004/07/24 14:01:29 FPD 51 01.04
ZPAM313I PDS member TTRKZC: 00010700000F
ZPAM320I 4 recipient(s) were designated:
ZPAM321I Recipient: PKWARE Test03
ZPAM322I Public Key Hash: 07E091CE30862B61663CF9D356863BF84D3DC8D5
ZPAM323I Email: [email protected]
ZPAM324I Cert: //'PKWARE.MVS.CERTSTOR.PRIVATE(pkwt03)'
ZPAM321I Recipient: PKWARE Test01
ZPAM322I Public Key Hash: 271842663AA344FBC35656BE68B5A46EE7E545F0
ZPAM323I Email: [email protected]
ZPAM324I Cert: //'PKWARE.MVS.CERTSTOR.PUBLIC(pkwt01)'
ZPAM321I Recipient: PKWARE Test02
ZPAM322I Public Key Hash: 5D9E8B89B5948E9E853338A7250D64C5BED5E9E7
ZPAM323I Email: [email protected]
ZPAM324I Cert: //'PKWARE.MVS.CERTSTOR.PUBLIC(pkwt02)'
ZPAM321I Recipient: PKWARE Test04
ZPAM322I Public Key Hash: 6E16CFEFFAA093242B89DEE623C7D7428082F3E3
ZPAM323I Email: [email protected]
ZPAM324I Cert: //'PKWARE.MVS.CERTSTOR.PUBLIC(pkwt04)'
ZPAM013I *************************************************************

Notice in the output above the following fields:

Created by: The program and release level that placed the file in the archive.

Needed To Extract: A program compatible with the listed ZIP file format specification. The number listed is not a version of the SecureZIP for z/OS program but rather a version of the ZIP file format. For example, version 8.1 of the program uses features of the 6.20 ZIP file format that are not available in earlier versions. Preceding versions of the program used earlier versions of the ZIP file format.

Decrypting a Filename Encrypted Archive

When opening an archive, SecureZIP for z/OS automatically decrypts file names for anyone on a recipient list for the encrypted file names.

If file names are encrypted using a password (with or without a recipient list), SecureZIP for z/OS requests a password when anyone who is not on the recipient list tries to open the archive. If the correct password is not entered, SecureZIP does not open the archive.


5 Security Questions and Solutions

This chapter contains answers to questions a system administrator is likely to have about integrating PKZIPz into the operating environment.

Which encryption settings should be chosen?

Various external factors such as legislative requirements or corporate policy may influence your decision to select an algorithm or mode of encryption. However, when operating within those requirements, the following PKZIP and SecureZIP information may be of value.

NIST has instructional information regarding password vs. certificate-based (PKI) encryption. In general, certificate-based encryption is accepted to be more secure than password-based encryption.

Support is provided for a 56-bit key length for the DES encryption algorithm and for the older 96-bit "Standard" PKZIP ENCRYPTION_METHOD, but key lengths for newer algorithms are supported at a minimum of 128 bits.

For its product set at release 8.0 and above, PKWARE provides interoperability between OS/390, z/OS, OS/400, iSeries, UNIX and Windows for all algorithms provided with ENCRYPTION_METHOD. This includes more advanced algorithms with minimum key lengths of 128 bits.

Older releases of PKZIP products support "Standard" 96-bit encryption for wider cross-platform compatibility when required.

When RECIPIENT PKI exchanges are required, then ENCRYPTION_METHOD must specify algorithms that begin with BSAFE.

Password-based AES encryption is supported by PKWARE products at release 5.5 or higher.

BSAFE_AES and AES password-based encryption are 100% compatible. Archives created with PKZIP for zSeries release 5.5 can be bi-directionally exchanged with SecureZIP or PKZIP products using the BSAFE AES algorithms.

The BSAFE(R) algorithms provided for the OS/390 and zSeries products are high-performance algorithms. The 128-bit BSAFE algorithms even out-perform the older 96-bit PKZIP "Standard" algorithm.


The IBM Cryptographic Facilities Integration feature of SecureZIP for z/OS enables the use of a system’s activated IBM Cryptographic Hardware feature through published ICSF APIs to achieve the best cryptographic service performance available for data encryption/decryption and digital signature processing.

How is encryption activated?

Encryption is activated through the use of the PASSWORD (and/or RECIPIENT for SecureZIP) commands. If a value is present for either setting, whether through explicit commands or default settings, then encryption will be attempted in accordance with other applicable settings (such as ENCRYPTION_METHOD).

However, if ENCRYPTION_METHOD=NONE is specified, then encryption will be bypassed.

Note that certificate-based encryption for recipients is supported only by SecureZIP, not PKZIP. This mode of encryption requires that one of the strong ENCRYPTION_METHODs (minimum 128-bit) be selected.

How is ICSF hardware acceleration activated?

ICSF hardware acceleration is discussed in chapter 7, on Cryptographic Facilities. The SecureZIP FACILITY_ENCRYPTDATA, FACILITY_HASH and FACILITY_RANDOM settings permit the use of actively enabled ICSF APIs for IBMHARDWARE and IBMSOFTWARE.

What is the difference between a SecureZIP Encryption Method and an Algorithm?

An encryption algorithm is the fundamental component of a SecureZIP Encryption Method. The name of the algorithm (such as DES, 3DES, AES) is included in the Method name for ease of reference. However, the Method applies additional security mechanisms to the base algorithm processing. One such mechanism is “Cipher Block Chaining” with random data that is unique for each file encryption process. The use of Cipher Block Chaining ensures that the resulting cipher text for two different ZIP runs of the same data and password will be different.

How many recipients can be specified?

The ZIP file format specification allows for a maximum recipient-list size of 3,275. This size can be restricted further by other file attributes associated with the data, and by run-time capacity limitations (such as virtual storage). (Note: Approximately 20 bytes are required for each recipient within the ZIP archive central directory record for each file. This area is limited to 64K in size.)


What virtual storage is required for certificate-based encryption?

When using recipient-based encryption, plan on an initial increase of 4MB of 31-bit storage for up to 15 recipients. LDAP will require an additional 1MB for every 27 recipients above 15. File-based and local certificate store will require an additional 1MB for every 41 recipients above 15.

How does ENCRYPTION_METHOD affect certificate-based encryption?

Public/private key encryption using BSAFE(R) is used to digitally envelop the master session key information. Once the master session key is determined, an independent file session key is derived (which is unique for each file) to encrypt the file data with a symmetric algorithm specified by ENCRYPTION_METHOD. Several encryption algorithms are supplied with SecureZIP. Any algorithm may be specified for use with PASSWORD. However, only those prefixed with "BSAFE" are valid for use with RECIPIENTs.

How does SecureZIP activate MASTER_RECIPIENT contingency keys?

To meet corporate security policies, SecureZIP provides the ability to use the MASTER_RECIPIENT setting to include one or more master recipient contingency key certificate files in a SecureZIP job when an ENCRYPTION_METHOD specification other than “STANDARD” is activated. The setting causes the data to be encrypted for the master recipient(s) in addition to other recipient or password settings, thereby ensuring that the organization can always decrypt its encrypted data.

The primary MASTER_RECIPIENT can be set directly in the defaults module, or indirectly by specifying MASTER_RECIPIENT in a command stream referenced by SECUREZIP_CONFIG. This default-module-only setting specifies a PDS[E] member that contains SecureZIP certificate store configuration commands to be automatically included in the processing stream. The configuration command values from this member will be included at the start of command input processing prior to //SYSIN statements being read. The data set(member) will be converted into an "INCLUDE_CMD=(pds[e](member)" command internally and will be echoed to the message log in accordance with the ECHO setting. The primary MASTER_RECIPIENT will be reported in the SHOW_SETTINGS report.

Supplemental -MASTER_RECIPIENT commands may be provided via the primary SYSIN input stream, or indirectly from either the SECUREZIP_CONFIG or INCLUDE_CMD specifications. They will be internally converted to RECIPIENT commands for processing.

MASTER_RECIPIENT settings are cumulative. Therefore a setting in the defaults module cannot be overridden or eliminated from an execution.

How does MASTER_RECIPIENT affect activation?

When SecureZIP is being used to encrypt data, either with RECIPIENT or PASSWORD (unless ENCRYPTION_METHOD=STANDARD), a recipient specified by MASTER_RECIPIENT is automatically included. However, a MASTER_RECIPIENT setting does not cause encryption to take place.
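The activation rules in the answers above (PASSWORD or RECIPIENT activates encryption, ENCRYPTION_METHOD=NONE bypasses it, RECIPIENT needs a BSAFE-prefixed method, MASTER_RECIPIENT is cumulative but never activates encryption and is not applied under STANDARD) can be checked against a command stream before a job runs. The following Python linter is an added example, not PKWARE code; the one-command-per-line parsing, the last-setting-wins rule for a repeated ENCRYPTION_METHOD, and all data set names, passphrases and sample streams are assumptions or constructed values.

```python
import re

# Command forms assumed from those quoted in this guide:
# -NAME=value or -NAME(value), one command per line.
CMD_RE = re.compile(r"^-?\s*([A-Za-z_]+)\s*(?:=\s*(.*)|\((.*)\))?$")


def parse_commands(text):
    """Split a command stream into (NAME, value) pairs."""
    commands = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = CMD_RE.match(line)
        if match is None:
            raise ValueError("unrecognised command line: %r" % line)
        name, eq_value, paren_value = match.groups()
        value = eq_value if eq_value is not None else (paren_value or "")
        commands.append((name.upper(), value.strip()))
    return commands


def evaluate(commands, default_method, default_masters=()):
    """Apply this chapter's activation rules to one ZIP run.

    default_method and default_masters stand in for the defaults module,
    which this example does not read.
    """
    def values(name):
        return [value for cmd, value in commands if cmd == name]

    methods = values("ENCRYPTION_METHOD")
    # Assumption: when the setting is repeated, the last one is in effect.
    method = (methods[-1] if methods else default_method).upper()
    recipients = values("RECIPIENT")
    # MASTER_RECIPIENT settings are cumulative: defaults cannot be removed.
    masters = list(default_masters) + values("MASTER_RECIPIENT")
    requested = bool(values("PASSWORD") or recipients)
    attempted = requested and method != "NONE"
    findings = []

    if requested and method == "NONE":
        findings.append("ENCRYPTION_METHOD=NONE bypasses encryption although "
                        "PASSWORD or RECIPIENT is set")
    if masters and not requested:
        findings.append("MASTER_RECIPIENT does not activate encryption; no "
                        "PASSWORD or RECIPIENT is set")
    if attempted and recipients and not method.startswith("BSAFE"):
        findings.append("RECIPIENT requires an ENCRYPTION_METHOD prefixed "
                        "with BSAFE, found " + method)
    if attempted and masters and method == "STANDARD":
        findings.append("contingency key is not applied under "
                        "ENCRYPTION_METHOD=STANDARD")

    applied_masters = masters if attempted and method != "STANDARD" else []
    return {
        "method": method,
        "encryption_attempted": attempted,
        "decrypting_certs": recipients + applied_masters,
        "findings": findings,
    }


# Constructed sample streams; data set names and passphrases are placeholders.
MASTER = "DSN:'EXAMPLE.CERTSTOR.PUBLIC(CONTKEY)'"
PARTNER = "DSN:'EXAMPLE.CERTSTOR.PUBLIC(PARTNER1)'"
SAMPLES = {
    "password_bypassed": "-PASSWORD(example-passphrase)\n"
                         "-ENCRYPTION_METHOD=NONE\n",
    "recipient_standard": "-RECIPIENT(%s)\n"
                          "-ENCRYPTION_METHOD=STANDARD\n" % PARTNER,
    "master_only": "-MASTER_RECIPIENT(%s)\n" % MASTER,
    "password_with_master": "-PASSWORD(example-passphrase)\n",
}

if __name__ == "__main__":
    for label, stream in SAMPLES.items():
        result = evaluate(parse_commands(stream), "BSAFE_AES")
        print(label, result["encryption_attempted"], result["findings"])
```
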


How do I copy a local certificate store?

Copying a Local Certificate Store:

1. Generate a set of backup/restore jobs
   - CS.1.8.3
   - Generate both a Backup and Restore job

2. Run the backup

3. Copy the Restore job to another file, and edit.
   - In the UNZIP step, insert an UNZIPPED_DSN command. Example: -UNZIPPED_DSN(SECZIP.CWB.CS1,SECZIP.CWB.CS2)
   - Mass change all HLQs in the IDCAMS step from the old HLQ to the new one; in this example, SECZIP.CWB.CS1 -> SECZIP.CWB.CS2. Be sure you don’t accidentally change the -ARCHIVE command in the UNZIP step.

4. Run the modified Restore job

5. Call up the ZIP panels

6. Option C (config); press ENTER to get the second screen - Certificate Store Settings

7. On the DB Profile line, enter a / to edit the member

8. Once in the member, change all references to the old Cert Store to the new one.

9. Create a new member -- Command create newmem c99999 on the first line

10. Exit without saving the changed member under the old member name (CANCEL command and confirm no save).

11. Select the new DB Profile member on the Config panel, and you’re in business

How do I remove a local certificate store?

When a local certificate store is no longer required, the associated unused components may be deleted. However, be aware that distributed profiles may still reference these data sets. It is highly recommended that a backup of these components be made before deleting them.

An IDCAMS DELETE may be done for:

hlq.CERTSTOR.DBX
hlq.CERTSTOR.PRIVATE
hlq.CERTSTOR.PUBLIC
hlq.CERTSTOR.P7CA
hlq.CERTSTOR.P7ROOT
hlq.CERTSTOR.P7CRL

Note: The delete for the DBX cluster will automatically delete the alternate index and path components.

Scan PARMLIB and JCL libraries for configuration profile references to the deleted components. Perform cleanup as needed.

How can the contents of an x.509 certificate file be determined?

The PKSCNPRT member located in the INSTLIB data set is designed to read and report on end-entity X.509 certificate files. This job works with public key files in CER format (either DER or Base64 encoded), and private key files in PFX or P12 format (either DER or Base64 encoded). See the following sample job:


********************************* Top of Data ***********************
//SCANCERT JOB (8900),PKWARE,MSGCLASS=H,
// CLASS=B,REGION=8M,NOTIFY=&SYSUID
// JCLLIB ORDER=PKWARE.MVS.INSTLIB <== VERIFY
//JOBLIB DD DSN=PKWARE.MVS.LOAD,DISP=SHR <== VERIFY
//***
//* BEFORE RUNNING THIS JOB, EDIT THE FOLLOWING ITEMS:
//*
//* 1. TAILOR THE JOB CARD TO FIT YOUR INSTALLATION STANDARDS.
//* 2. IF NECESSARY, CHANGE HIGH-LEVEL QUALIFIERS FOR THE LOAD
//* LIBRARY AND FILES FROM "PKWARE.MVS" TO FIT THE PRODUCT
//* INSTALLATION SUPPORT FILES ON YOUR SYSTEM.
//* 3. CHANGE THE SECOND PARAMETER OF THE %RMCRTPRT STATEMENT TO
//* MATCH YOUR INSTALLED SECUREZIP LOAD LIBRARY.
//* 4. THE 3RD PARAMETER, IF PROVIDED IS THE PASSWORD OF THE P12/PFX
//* PRIVATE-KEY CERTIFICATE FILE. "*" MAY BE USED TO
//* INDICATE THAT THE FILE IS FOR A PUBLIC-KEY CERTIFICATE FILE.
//* NOTE: THE PASSWORD IS CASE-SENSITIVE AND MUST BE BRACKETED BY
//* DOUBLE QUOTES. I.E. "your password goes here"
//***
//LISTCER EXEC PKISPF
//SCANIN DD DISP=SHR,DSN=PKWARE.MVS.INSTLIB2(PVT3CERT) <= INPUT X.509
//PKSCNPRT DD SYSOUT=* <= OUTPUT LIST
//ISPF.SYSTSIN DD *
 ISPSTART CMD(RMCRTPRT DD:SCANIN PKWARE.MVS.LOAD "PKWARE"
//*
******************************** Bottom of Data *********************

The following is the resulting output of the job above, detailing the end-entity certificate information.

********************************* TOP OF DATA **************************
PKSCANCRT scan(0) file is: dd:SCANIN
PKSCANCRT Private Cert will be processed (6)
PKSCANCRT --file #1 found (2106) dd:SCANIN Type=1
--- Certificate 1 --- PKWARE Test3
Subject:
CN=PKWARE Test3
[email protected]
Issuer:
C=US
S=Wisconsin
L=Milwaukee
O=PKWARE, Inc.
OU=PKWARE, Inc. -- for test and evaluation purposes only
CN=PKWARE Test Intermediate Cert
[email protected]
SerialNumber: 03
NotBefore: Mon Dec 20 09:06:09 2004
NotAfter: Fri Dec 13 09:06:09 2024
KeyUsage: E0 00
SHA-1 Hash of Certificate(Thumbprint):
7B 88 01 52 1B FF 0B B1 2E 42 32 40 03 75 05 0E 60 EE 52 97
Public Key Hash:
A7 C6 BB 45 BF 22 98 47 B7 3A FA 74 7C 00 37 8E 91 20 2C 31
End Entity
RMCRTPRT -
RMCRTPRT - Certificate Details
RMCRTPRT - ===================
RMCRTPRT - CN=
RMCRTPRT - Email=
RMCRTPRT - FN=
RMCRTPRT - Issuer=
RMCRTPRT - Valid Dates=
RMCRTPRT - SerialNumber=
RMCRTPRT - Usage=
RMCRTPRT - Trust=
RMCRTPRT - Revoke=
RMCRTPRT -
******************************** BOTTOM OF DATA *************************

You may also report on an intermediate CA, trust root CA, and/or a CRL by selecting option 3 (“x.509 Certificate Utilities”) from the SecureZIP Certificate Store Administration panel.

Here you will enter the certificate source file in question and select option 2 (“List Certificates”). This option displays details about each certificate in the source file in a BROWSE window. From here you can determine the contents.
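The certificate report shown earlier in this section carries the fields an administrator most often needs to act on: the validity window, the KeyUsage bytes and the public key hash. The following Python parser is an added example, not PKWARE code; it assumes one field per line (a value may follow its label on the next line), that the KeyUsage bytes are the raw X.509 KeyUsage bit string in RFC 5280 bit order, and that report times can be compared as-is with the caller's clock. The sample report is constructed from the values shown above.

```python
from datetime import datetime

# X.509 KeyUsage bit names (RFC 5280), most significant bit of byte 0 first.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]
FIELDS = {"SerialNumber", "NotBefore", "NotAfter", "KeyUsage",
          "Public Key Hash", "SHA-1 Hash of Certificate(Thumbprint)"}
DATE_FORMAT = "%a %b %d %H:%M:%S %Y"

# Constructed sample, one field per line, using the values from the report.
SAMPLE_REPORT = """\
--- Certificate 1 --- PKWARE Test3
SerialNumber: 03
NotBefore: Mon Dec 20 09:06:09 2004
NotAfter: Fri Dec 13 09:06:09 2024
KeyUsage: E0 00
Public Key Hash:
A7 C6 BB 45 BF 22 98 47 B7 3A FA 74 7C 00 37 8E 91 20 2C 31
End Entity
"""


def parse_report(text):
    """Return one dict of recognised fields per '--- Certificate n ---' block."""
    certs, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("--- Certificate"):
            current = {"name": line.split("---")[2].strip()}
            certs.append(current)
            pending = None
            continue
        if current is None or not line:
            continue
        if pending:  # value printed on the line after its label
            current[pending] = line
            pending = None
            continue
        key, sep, value = line.partition(":")
        if sep and key in FIELDS:
            if value.strip():
                current[key] = value.strip()
            else:
                pending = key
    return certs


def decode_key_usage(hex_bytes):
    """Translate KeyUsage bytes such as 'E0 00' into usage names."""
    data = bytes.fromhex(hex_bytes.replace(" ", ""))
    bits = "".join(format(byte, "08b") for byte in data)
    return [name for name, bit in zip(KEY_USAGE_BITS, bits) if bit == "1"]


def summarize(cert, now, warn_days=90):
    """Classify the validity window and normalise the fields for comparison."""
    not_before = datetime.strptime(cert["NotBefore"], DATE_FORMAT)
    not_after = datetime.strptime(cert["NotAfter"], DATE_FORMAT)
    days_left = (not_after - now).days
    if now < not_before:
        status = "not yet valid"
    elif now > not_after:
        status = "expired"
    elif days_left <= warn_days:
        status = "expiring"
    else:
        status = "valid"
    return {
        "name": cert["name"],
        "status": status,
        "days_left": days_left,
        "usages": decode_key_usage(cert.get("KeyUsage", "")),
        # Same spacing-free form as the ZPAM322I "Public Key Hash" message.
        "public_key_hash": cert.get("Public Key Hash", "").replace(" ", "").upper(),
    }


if __name__ == "__main__":
    for certificate in parse_report(SAMPLE_REPORT):
        print(summarize(certificate, datetime.now()))
```
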


6 PKWARE PartnerLink: SecureZIP Partner

This chapter applies only to participants in the PKWARE PartnerLink program. Other readers may skip this section.

PKWARE PartnerLink enables a sponsor organization to give partner organizations that may not have SecureZIP for z/OS the SecureZIP Partner for z/OS application so that sponsor and partner can use SecureZIP for z/OS to securely exchange ZIP archives.

This chapter addresses administration activities unique to the SecureZIP Partner for z/OS application, used by PartnerLink partners.

About SecureZIP Partner for z/OS

SecureZIP Partner for z/OS is a special version of SecureZIP for z/OS. It provides most of the functionality of the full program but works only with archives created by (or for) a sponsor.

SecureZIP Partner has two modes of operation:

Read mode: Read mode enables SecureZIP functionality to extract files from a ZIP archive signed by a sponsor. In this mode, the program can decrypt and decompress files and authenticate digital signatures.

In Read mode, the program only extracts; it does not add files to a new or existing archive and does not compress, encrypt, or sign files. SecureZIP Partner extracts only archives digitally signed by a sponsor.

Write mode: Write mode enables SecureZIP functionality for adding files to a ZIP archive, including commands to compress, encrypt, and digitally sign files.

In Write mode, the program can create and update archives, but only for a designated PartnerLink sponsor and only if the sponsor provides certificates for SecureZIP Partner to use to encrypt. New or updated archives are automatically encrypted for sponsor recipients: only those recipients can decrypt and read the files.

SecureZIP Partner only does certificate-based encryption. It does not do passphrase-based encryption.

See the chapter relating to PartnerLink in the SecureZIP for z/OS User’s Guide for an operational description of the SecureZIP Partner product.


If You Are a Sponsor: Sign the Central Directory

A sponsor organization uses SecureZIP as usual to work with archives for, or from, a partner. There is just one special requirement when creating an archive for a partner: In order for the partner to be able to extract the archive you must sign the central directory of the archive using a certificate included in the Sponsor Distribution Package. A Sponsor Distribution Package is a package that PKWARE assembles for a sponsor to configure partners of that sponsor.

Terms and Acronyms Used in This Chapter

The PKWARE PartnerLink program introduces some new concepts and terminology:

Sponsor – An installation responsible for initiating and defining a PartnerLink sponsor-partner relationship with one or more other installations. A sponsor uses the full-featured SecureZIP product; a partner uses the special SecureZIP Partner for z/OS version.

Partner – An installation configured using a particular sponsor’s Sponsor Distribution Package (see below) to be a partner of that sponsor. A partner uses SecureZIP Partner for z/OS to work with archives from, or for, the sponsor.

Sponsor Distribution Package – A configuration package distributed to a partner on behalf of a sponsor to define the authorization requirements and provide the certificates needed to process ZIP archives from, or for, the sponsor. The package is digitally signed using a PKWARE-assigned certificate.

Sponsor File – A component file in a Sponsor Distribution Package

Sponsor Imprint – A unique digital representation of a registered sponsor-partner relationship within the PKWARE PartnerLink program. This may represent the unique identification of Distribution Package components or of ZIP archives being read.

Sponsor/Partner Registration ID – A unique registration number that identifies a particular sponsor-partner relationship

Read mode – The mode of SecureZIP Partner UNZIP processing that extracts archives from (and only from) a PartnerLink sponsor configured on the partner’s system

Write mode – The mode of SecureZIP Partner ZIP processing that creates an encrypted ZIP archive for a particular configured PartnerLink sponsor

FF – Acronym for full-featured SecureZIP operations, as distinct from those of SecureZIP Partner

PKWARE PartnerLink Program: Overview

The PKWARE PartnerLink program provides a straightforward, secure way for an organization to exchange sensitive information with outside partners.

A PartnerLink sponsor organization establishes a PartnerLink partner relationship with another organization. As a PartnerLink partner, the external organization receives the SecureZIP Partner program to use to decrypt and extract archives created by the sponsor using the full SecureZIP program. The partner can also use the program to create archives for the sponsor that only the sponsor can decrypt.

The SecureZIP Partner program used by a PartnerLink partner extracts archives only from a sponsor and creates and encrypts archives only for a sponsor.

Decrypting and Extracting Sponsor Data (Read Mode)

When SecureZIP Partner is installed at a partner location, a sponsor can create, digitally sign, and encrypt SecureZIP secure containers (ZIP archives) for the partner. In Read mode, the SecureZIP Partner program verifies that the data file received has the appropriate signature from the sponsor and that the signature is valid. This confirms that the data is from the expected sender and that no tampering has occurred. The partner can then decrypt and extract the data.

Creating an Archive for a Sponsor

If a sponsor has provided an encryption key, a partner can also use SecureZIP Partner (Write mode) to create encrypted ZIP archives for the sponsor. SecureZIP Partner automatically encrypts any data placed in an archive. The archive can then be transferred to media or transmitted to the sponsor electronically.

Getting Started

SecureZIP customers join the PartnerLink program by contacting PKWARE and applying for a PartnerLink sponsorship.


A PartnerLink sponsor provides PKWARE with a copy of the public key matching the certificate that will be used to sign secure containers sent to partners. This key enables a partner to authenticate sponsor signatures.

A sponsor may also provide a copy of a public key for the partner to use to encrypt data files for the sponsor, and also a copy of a designated (public) contingency key. These encryption keys are needed only if a sponsor wants to enable partners to create archives for delivery to the sponsor. SecureZIP Partner creates only archives encrypted for a designated sponsor, using sponsor-provided keys. If a sponsor does not provide keys for encryption, a partner cannot use SecureZIP Partner to create archives. SecureZIP Partner does not create unencrypted archives.

PKWARE incorporates the sponsor keys into a PartnerLink Sponsor Distribution Package (SDP). The Sponsor Distribution Package is used to configure a SecureZIP Partner installation to extract SecureZIP secure containers signed by a sponsor and (if encryption keys are provided) to encrypt data files for a sponsor using the sponsor’s public keys. SecureZIP Partner extracts archives only if they are signed by a sponsor. If keys for encryption are included in the SDP, SecureZIP Partner automatically encrypts archives created for the respective sponsor using the included keys. Only the sponsor recipients who own those keys can decrypt and read the files in an archive that SecureZIP Partner encrypts.

Once the Sponsor Distribution Package has been created, a sponsor can invite outside partner, customer, or vendor organizations to participate as PartnerLink partners. The sponsor supplies instructions on how to contact PKWARE to request a copy of the SecureZIP Partner application. After SecureZIP Partner is installed and configured at the partner location, sponsor and partner can exchange data files with confidence that the data is protected.

Co-existence with Other PKWARE Products

The SecureZIP Partner for z/OS product package can be installed alongside other PKZIP for z/OS or SecureZIP for z/OS product releases. If a full-featured SecureZIP for z/OS is also to be run at the same release/maintenance level, a single software installation may be performed, using independent license control data sets and configuration settings to govern the operating characteristics.

Recommendations

Installations using both SecureZIP Partner and full-featured SecureZIP for z/OS in the same system should configure separate local certificate stores for each. Although certificate store components can co-exist in the same Store, care must be taken that full-featured component names assigned by the system administrator do not conflict with names automatically generated by SecureZIP Partner.

Installations using both SecureZIP Partner and full-featured SecureZIP for z/OS in the same system at the same release level may elect to install only one set of execution libraries for ease of maintenance. The license control data set used at run-time (as controlled by the defaults module LICENSE_HLQ parameter) can be used to select the appropriate mode of operation.

When other releases of SecureZIP for z/OS or PKZIP for z/OS are operating in the same system, only one set of libraries may be installed in the system LINKLST. The other release of software must be run with a JOBLIB/STEPLIB for the load library.


If separation of software operation is required, separate ISPF startup dialogs should be configured in the system (Ref: PKZSTART startup exec) with the associated LIBDEF information.

PartnerLink Certificate Store Administration and Configuration

Certificate administration and use in the SecureZIP Partner operating environment differ slightly from the case with full-featured SecureZIP for z/OS.

Whereas all digital key components are individually administered in a full-function installation, SecureZIP Partner components are pre-packaged for distribution and installation into a Sponsor Distribution Package. Many features of SecureZIP Partner work the same as in full-featured SecureZIP, but some features work differently and use special components of a Sponsor Distribution Package instead of standard SecureZIP components.

The following table indicates which components of the SecureZIP for z/OS local certificate store are used in relationship with the mode of operation.

Certificate Use | Full Feature SecureZIP | SecureZIP Partner
Archive Signature Authentication | Full Certificate Store* | Sponsor Distribution Package SPONSOR AUTH/auth.p7
File Signature Authentication | " | Full Certificate Store
Archive Signing | " | Full Certificate Store
File Signing | " | Full Certificate Store
Encryption | " | Sponsor Distribution Package SPONSOR RECIPIENT/recip.p7
Decryption | " | Full Certificate Store

* A fully functional certificate store includes public-key and/or private-key X.509 certificate files along with their associated certificate authority trust chain and an optional certificate revocation list. To set up a certificate store, use the SecureZIP for z/OS certificate store administration tool. You are responsible for obtaining the appropriate digital certificate resources.

Choosing a Configuration Model

Depending on your installation’s business requirements for segregated process controls, you may choose to coordinate the operation of sponsor profiles from a centralized certificate store, or segregate the configurations entirely.

Components supporting a sponsor profile are installed as members of partitioned data sets with the unique sponsor/partner registration control number used as a relational index.

Shared Certificate Store for Multiple Sponsor Profiles

The SecureZIP for z/OS certificate store supports the ability to install and configure multiple sponsor profiles within a single store. This centralized approach may be the simplest to manage.


Segregated Certificate Store for Individual Sponsor Profiles

If segregated access to sponsor information is desired, then multiple independent stores may be defined to provide data set level access control to the resources.

Configured Sponsor Package Components

When a Sponsor Distribution Package is installed, various components are configured within the certificate store. The following table describes the components and how they are used.

Component: Sponsor Authentication Configuration Setting

-{SPONSOR_AUTH=1;0;dsname}

Usage: Used to access an input ZIP archive (via -AUTHCHK=ARCHIVE) by a SecureZIP Partner execution. Multiple Sponsor Authentication Configuration Settings commands are accepted, thereby permitting access to a ZIP archive that is from one of many possible sponsors. dsname references an installed Sponsor Authentication File. The SPONSOR_AUTH parameter has the same format as the other Certificate Store files (e.g. CSCA=…).

Location: dsname: hlq.CERTSTOR.SPONSOR.INFO(Accccccc)

Component: SecureZIP Partner Recipient Command

-RECIPIENT(DSN:’dsname’)…

Usage: Used to create a ZIP archive by a SecureZIP Partner execution. dsname references an installed SecureZIP Partner Authorized Recipient File. Only 1 SecureZIP Partner RECIPIENT configuration command will be accepted for processing per ZIP pass.

Location: dsname: hlq.CERTSTOR.SPONSOR.INFO(Rccccccc)

Component: Sponsor Authentication File

Usage: PKCS#7 file identifying a list of authentication public-key/certificates to validate the source of an input ZIP archive. Referred to by the Sponsor Authentication Configuration Setting supplied to the SecureZIP Partner run.

Location: dsname: hlq.CERTSTOR.SPONSOR.AUTH(Accccccc)

Component: SecureZIP Partner Authorized Recipient File

Usage: PKCS#7 file identifying a list of Sponsor-provided public-key/certificates that can be used to encrypt new data being added to a ZIP archive. Referred to by the SecureZIP Partner Recipient Command supplied to the SecureZIP Partner run.

Location: dsname: hlq.CERTSTOR.SPONSOR.RECIP(Rccccccc)

Component: Package Information File

Usage: An XML file containing the Sponsor Package description. Used by package list and installation processes.

Location: hlq.CERTSTOR.SPONSOR.INFO(Xccccccc)

Component: Local Certificate Store Index

Usage: Certificate Store index records are written to represent the Sponsor Authentication File and the SecureZIP Partner Authorized Recipient File. They are represented in the ISPF certificate table display as record types READ and SLNK respectively.

Location: CSPUB_DBX Local Certificate Store Index

In each data set name above, hlq is the high-level qualifier of the configured Local Certificate Store and ccccccc is the Sponsor ID.

During package installation, ISPF statistics will be set for component members to reflect the following:

The Created Date will reflect the Sponsor Package create date (from inside the XML informational description).

The Changed Date/Time will reflect the installation date/time on the local system.

The ID will reflect the User ID associated with the installing job/session.

Installing a Sponsor Distribution Package

Although the SecureZIP Partner for z/OS software license is provided with the product package, the ability to operate with ZIP archives is activated through the use of sponsor configuration components.

Note: Before continuing with steps in this section, ensure that the Software Activation License has been applied.

Sponsor Distribution Package Installation Steps

A Sponsor Distribution Package is installed as a configuration to an existing local certificate store. The following steps define the process to configure SecureZIP Partner for operations with a related sponsor.

Note: It is highly recommended that a copy of the original Sponsor Distribution Package be retained after the installation is complete in support of a subsequent installation to a certificate store of a different name or location.


1. Verify that the PartnerLink SecureZIP Partner software license has been applied.

Refer to chapter 2, “SecureZIP Partner License Activation.”

2. Verify that the Certificate Store has been created.

Reference chapter 4, “Create a New Local Certificate Store DB.”

3. If not already done, perform a binary transfer of the Sponsor Distribution Package to the system.

4. View the Sponsor Package using the SecureZIP Certificate Store Administration and Configuration ISPF dialog (option CS) for PartnerLink Administration.

Note the Sponsor Name and ID information.

5. Install the package

o Foreground install: Use the SecureZIP Certificate Store Administration and Configuration ISPF dialog (option CS) for PartnerLink Administration (option 4.3).

o Batch install: Use the SecureZIP Certificate Store Administration and Configuration ISPF dialog (option CS) for PartnerLink Administration to generate a batch job and submit.

Use the SecureZIP Certificate Store Administration and Configuration ISPF dialog (option CS) for PartnerLink Administration (option 4.1) to view the installed Sponsor configuration.

Sample PKWARE Sponsor Distribution Package

A sample Sponsor Distribution Package has been included in INSTLIB2(PLIVPPKG) to assist you in understanding the process for Sponsor Distribution Package installation and to verify the certificate store setup.

1. Verify that the PartnerLink SecureZIP Partner software license has been applied.

Refer to chapter 2, “SecureZIP Partner License Activation.”

2. Verify that the Certificate Store has been created.

Reference chapter 4, “Create a New Local Certificate Store DB.”

3. Use the SecureZIP Certificate Store Administration and Configuration ISPF dialog (option CS) for PartnerLink Administration (option 4.2) to list the sponsor package in seczip.mvs.INSTLIB2(PLIVPPKG).

4. Install the test package

o Foreground install: Use the SecureZIP Certificate Store Administration and Configuration ISPF dialog (option CS) for PartnerLink Administration (option 4.3) to install the test Sponsor package from seczip.mvs.INSTLIB2(PLIVPPKG).

o Batch install: Use the SecureZIP Certificate Store Administration and Configuration ISPF dialog (option CS) for PartnerLink Administration to generate a batch job for seczip.mvs.INSTLIB2(PLIVPPKG) and submit.

5. Use the SecureZIP Certificate Store Administration and Configuration ISPF dialog (option CS) for PartnerLink Administration (option 4.1) to view the installed Sponsor configuration. The following entries should be displayed:


Type | Common Name
SLNK | PKWARE, Inc.
READ | PKWARE, Inc.

6. Modify and run the test job in seczip.mvs.INSTLIB(PLIVPZIP) to verify the use of the test Sponsor configuration.

Updating a Sponsor Distribution Package

A currently configured Sponsor in the local certificate store can be updated with a newer version by following the normal steps for installing a Sponsor Distribution Package.

The installation procedure will check the creation date (as contained in the XML data) of the input package against the previously installed package information.

If the creation date of the input package is later than the previously installed package, then the old components will be removed, and the new package components installed (both foreground and batch processing).

When running the installation process via the foreground dialog and the creation date of the input package is equal to or older than the currently installed package, the administering user will be prompted to confirm the installation.

When running the installation process via a batch job and the creation date of the input package is equal to or older than the currently installed package, installation will be halted. The administering user may then choose to do one of the following:

o Leave the existing package in place

o Remove the existing package and then retry the install

Removing a Sponsor Distribution Package

1. Use the SecureZIP Certificate Store Administration and Configuration ISPF dialog (option CS) for PartnerLink Administration (option 4.1) to view the list of installed Sponsors.

2. Use the “D” line command for either the “SLNK” or “READ” table row. All components for the associated Sponsor ID will be removed.

Providing a Sponsor Configuration for Execution

The certificate store where the Sponsor Distribution Package components were installed must be provided (for Read access) to the executing Read (UNZIP) or Write (ZIP) jobs. In addition, specific configuration components will be required for the associated processing request.

Read-Mode Configuration

In addition to the basic certificate store configuration settings, one or more -{SPONSOR_AUTH…} command settings as generated in the SPONSOR.INFO must be provided for proper authentication of the input ZIP archive. The UNZIP run-time process may include these command settings in the standard command input streams (SYSIN, INCLUDE_CMD), or as part of the SECUREZIP_CONFIG setting in the defaults module.


Write-Mode Configuration

One SecureZIP Partner RECIPIENT command must be provided at ZIP run time to designate the sponsor the archive is being created for with data encryption. It may be specified by any of the following means:

o The SecureZIP Run Time Configuration DB Profile settings

o Included commands from the defaults SECUREZIP_CONFIG

o Indirect commands via INCLUDE_CMD

o Additional command line at the bottom of the screen for ZIP processing.

Note: Only one RECIPIENT command is permitted per run. Care should be taken to ensure that only one RECIPIENT request is made when combining the RECIPIENT command with other configuration settings or using it with implicit includes.


7 Cryptographic Facility Utility - PKCRYUTL

This chapter applies only to SecureZIP installations

The SecureZIP for z/OS IBM Cryptographic Facilities Integration feature enables the selection of locally activated IBM cryptographic facilities to complete cryptographic service requests for data encryption and digital signature processing. (See “SecureZIP ICSF Operations” in the “System Requirements” section of chapter 1.)

Cryptographic Facility Categories

SecureZIP for z/OS automatically determines which facilities are available for use when a cryptographic service is required. It also selects which facility to use based on configurable preference lists specified through either the defaults module or a command.

Facilities are organized into sets of similar cryptographic functionality. For example, all symmetric data encryption methods, such as DES and AES, fall into the ENCRYPTDATA facility category. Digital signature creation or authentication requires a cryptographic HASH facility.

(See also the FACILITY_ENCRYPTDATA, FACILITY_HASH, and FACILITY_RANDOM commands in the SecureZIP for z/OS User’s Guide).

Assessing a System’s Cryptographic Capabilities with PKCRYUTL

Available ICSF APIs and underlying facilities (hardware or software emulation) vary across system configurations (see the table “ICSF feature/facility requirements” in chapter 1). The PKCRYUTL utility program provided with the product can help the administrator or user select the most appropriate facility settings when planning to employ cryptographic features of SecureZIP for z/OS.

The simplest choice for facility settings is to allow SecureZIP to choose a facility based on the default settings distributed with the product. As distributed, SecureZIP gives preference first to ICSF hardware services, then to ICSF software emulation, and finally to software cryptographic facilities native to the SecureZIP product. This order of precedence generally provides the best performance when used in conjunction with the default ENCRYPTION_METHOD and SIGN_HASHALG algorithm settings and ensures that at least one facility can be selected to complete the processing request.


PKCRYUTL can also be used to verify that alternative facility preference or algorithm settings will run on a target system.

PKCRYUTL Execution

The SecureZIP product provides sample batch JCL in INSTLIB(PKCRYUTL) that will execute a report step for each cryptographic category.

The SecureZIP Administration Services ISPF dialog has a “Cryptographic Services Utility” selection that provides an options panel for foreground execution. Online help is also accessible in the dialog.

PKCRYUTL Reporting

The utility is intended to be run once for each facility category to be assessed. During the run, the utility performs multiple processing phases to:

o Report on the basic operating environment

o Report active ICSF facilities

o Report which API facilities are available for SecureZIP to use

o Run timing tests for available facilities

o Report throughput rates for various algorithm/facility combinations

o Indicate which facility would be selected for a properly licensed SecureZIP product

PKCRYUTL Sample Report

ZPEN350I PKCRYUTL 1.4 Cryptographic API Review Utility
ZPEN350I Copyright (C) 1989-2006 PKWARE, Inc. All rights reserved.
ZPEN350I Program and Output used by permission only. PKWARE, Inc.
ZPEN378I Testing with 1048571 Bytes Active
ZPEN336I CSRSI Query IBM Type(2066) Mod(0A2) #(000000000001824A)
ZPEN300I OSname<z/OS> OS Ver(01) Rel(06) Mod( ) HWclass<Z/X00 >
ZPEN307I ICSF is Active/CCVTACT
ZPEN308I ICSF is at a proper level for CSFIQF
ZPEN309I z/Architecture Hardware Available -Z/X00
ZPEN313I CSNBSYE (AES) System Capable with ICSF when available.
ZPEN314I AES Software Only Available -Z/X00
ZPEN320I CryptoAPI Facilities  HW   SW   SecureZIP
ZPEN321I 96 Bit Encryption     ---  ---  PKW
ZPEN321I AES 128 Encryption    ---  SYE  BSAFE
ZPEN321I AES 192 Encryption    ---  SYE  BSAFE
ZPEN321I AES 256 Encryption    ---  SYE  BSAFE
ZPEN321I 3DES Encryption       ENC  ---  BSAFE
ZPEN321I DES Encryption        ENC  ---  BSAFE
ZPEN321I RC4 Encryption        ---  ---  BSAFE
ZPEN321I CRC32 Hashing         ---  ---  PKW
ZPEN321I SHA1 Hashing          OWH  ---  BSAFE
ZPEN321I MD5 Hashing           ---  OWH  BSAFE
ZPEN321I SHA256 Hashing        ---  ---  ---
ZPEN321I Random Data Gen       RNG  ---  PKW
ZPEN322I Facility Encryptdata Seq: IBMHW(1) IBMSW(2) PKW(3)
ZPEN322I Facility Hash (Signature) Seq: IBMHW(1) IBMSW(2) PKW(3)
ZPEN322I Facility Randomdata Seq: IBMHW(1) IBMSW(2) PKW(3)


ZPEN340I /--------Encryptdata Matrix (01) --------/
ZPEN341I 0001(96 Bit Encryption ) Select (10/10) SecureZIP
ZPEN342I Status-IBMHW(-NotCap-) IBMSW(-NotCap-) PKW( PKW )
ZPEN341I 6801(RC4 Encryption ) Select (10/10) SecureZIP
ZPEN342I Status-IBMHW(-NotCap-) IBMSW(-NotCap-) PKW( BSAFE )
ZPEN341I 660E(AES 128 Encryption) Select (20/70) IBM Software
ZPEN342I Status-IBMHW( -NoAPI-) IBMSW(SYE/SYD ) PKW( BSAFE )
ZPEN341I 660F(AES 192 Encryption) Select (20/70) IBM Software
ZPEN342I Status-IBMHW( -NoAPI-) IBMSW(SYE/SYD ) PKW( BSAFE )
ZPEN341I 6610(AES 256 Encryption) Select (20/70) IBM Software
ZPEN342I Status-IBMHW( -NoAPI-) IBMSW(SYE/SYD ) PKW( BSAFE )
ZPEN341I 6603(3DES Encryption ) Select (40/70) IBM Hardware
ZPEN342I Status-IBMHW(ENC/DEC ) IBMSW( -NoAPI-) PKW( BSAFE )
ZPEN341I 6601(DES Encryption ) Select (40/70) IBM Hardware
ZPEN342I Status-IBMHW(ENC/DEC ) IBMSW( -NoAPI-) PKW( BSAFE )
**********************************************
ZPEN370I *************Start of Testing*****************
*************Nbr of Bytes=1048571*************
*************Nbr of MEG= 1********************
Test Summary Results CPU Usage
ZPEN383I Crypto Facilities     HW      SW      BSAFE/PKW
ZPEN384I 96 Bit Encryption     N/A     N/A     N/A
ZPEN384I AES 128 Encryption    ------  0.113*  0.167
ZPEN384I AES 192 Encryption    ------  0.132*  0.191
ZPEN384I AES 256 Encryption    ------  0.150*  0.218
ZPEN384I 3DES Encryption       0.058*  ------  1.102
ZPEN384I DES Encryption        0.042*  ------  0.378
ZPEN384I RC4 Encryption        ------  ------  0.072*
Test Summary Results Megabytes/CP Second
ZPEN383I Crypto Facilities     HW      SW      BSAFE/PKW
ZPEN384I 96 Bit Encryption     N/A     N/A     N/A
ZPEN384I AES 128 Encryption    ------  8.83*   5.98
ZPEN384I AES 192 Encryption    ------  7.58*   5.23
ZPEN384I AES 256 Encryption    ------  6.68*   4.60
ZPEN384I 3DES Encryption       17.19*  ------  0.91
ZPEN384I DES Encryption        23.74*  ------  2.65
ZPEN384I RC4 Encryption        ------  ------  13.85*
ZPEN385I-Testing Completed Total CPU Seconds(2.625) Total Elapsed Seconds(3)
ZPEN374I-Completing with rc=0
-------------------------------

PKCRYUTL Interpretation

Report lines are generated in standard SecureZIP message format. This section includes basic explanatory information for the majority of the messages. Additional information for each message, including system and user response, can be found in the SecureZIP Messages Guide as well as in the online Message section of the SecureZIP ISPF Dialog.

ZPEN300I OSname<oooo> OS Ver(vv) Rel(rr) Mod(mm) HWclass<cccccccc>

A request was made to report on the available cryptographic facilities for the current operating environment. The operating system level and hardware platform govern which cryptographic facilities may be available for use.

Classification of hardware:

S/390  Pre-zArchitecture, possibly with G5/G6
Z/X00  zArchitecture z800/z900, possibly with CCF
Z/X90  zArchitecture z890/z990, with CPACF
Z9     zArchitecture z9-109 or equivalent, with CPACF

ZPEN301E-AMUTCQRY Error Occurred:

A request was made to report on the available cryptographic facilities for the current operating environment. An attempt was made to determine what cryptographic facilities are available through ICSF, but required ICSF and/or hardware facilities are not operative.

ZPEN320I The CCVT is not built by ICSF.

The Cryptographic Communications Vector Table is the major control block used in the operating system to govern ICSF service requests. It appears that ICSF has not been started in the operating environment.

ZPEN303I Either ICSF is not up, or it is up in PCF mode.

It appears that ICSF is not currently running, or an older PCF service is running.

ZPEN304I There are no valid cryptographic units ACTIVE.

Although ICSF is operating, there are no active hardware cryptographic components in the system. Although one or more may show as ONLINE, they are not usable by ICSF due to configuration settings.

ZPEN305E-Unknown ICSF Error Code: +2+H+

A request was made to report on the available cryptographic facilities for the current operating environment. An attempt was made to determine what cryptographic facilities are available through ICSF, but required ICSF and/or hardware facilities are not operative.

ZPEN306I State Error Found <State=%02X/Error=%02X>

The Cryptographic Communications Vector Table is the major control block used in the operating system to govern ICSF service requests.


When ICSF environmental conditions are determined to be inappropriate to ICSF operations through SecureZIP, this message may be issued.

State Flags:

x'80' - An error has been detected (See Error Flags)
x'40' - ICSF is active in the system
x'20' - The ICSF level supports CSFIQF
x'10' - z/Architecture hardware is present
x'08' - CPACF Crypto Assist Hardware is present
x'04' - CSNBSYE/CSNBSYD API services are available

Error Flags:

x'80' - The CCVT has never been initialized by ICSF
x'40' - ICSF is not up in an appropriate mode
x'20' - There are no hardware crypto devices available

Sample State/Error codes:

State=80/Error=80 - ICSF was never started. No other info is available (no CCVT)
State=B4/Error=40 - ICSF is in the process of starting but has not completed initialization.
State=B4/Error=60 - ICSF has been shut down.

ZPEN307I ICSF is [not] Active/CCVTACT

A request was made to report on the available cryptographic facilities for the current operating environment. ICSF (which is required for IBMHARDWARE and IBMSOFTWARE cryptographic facility use) is active in the system.

ZPEN308I ICSF is [not] at a proper level for CSFIQF

A request was made to report on the available cryptographic facilities for the current operating environment. ICSF (which is required for IBMHARDWARE and IBMSOFTWARE cryptographic facility use) is at a release level that supports the ICSF Query Facility CSFIQF. This is necessary to determine whether more advanced cryptographic services (such as Hardware-based AES) are available for use.

ZPEN309I z/Architecture Hardware Available %s

The Cryptographic Communications Vector Table is the major control block used in the operating system to govern ICSF service requests. The hardware classification is also shown.

- CCF (Cryptographic Coprocessor Feature) may be available with Z/X00 or S/390 systems.
- CPACF (CP Assist for Cryptographic Functions) may be active on Z/X90 or Z9 systems.

ZPEN310I CP Assist For Crytographic Functions Available

The Cryptographic Communications Vector Table is the major control block used in the operating system to govern ICSF service requests.


CPACF hardware acceleration is available for select service requests.

ZPEN313I CSNBSYE (AES) System capable with ICSF when available.

ICSF AES symmetric data encryption can be performed on this system if the IBM Hardware Cryptographic feature is enabled. The CSNBSYE API will be used to access the IBMSOFTWARE or IBMHARDWARE facility depending on the system hardware available.

ZPEN314I AES Software Only Available [system_classification]

Some systems (hardware) do not support hardware-based AES processing. ICSF will provide CSNBSYE API software emulation.

Classification of hardware:

S/390  Pre-zArchitecture, possibly with G5/G6
Z/X00  zArchitecture z800/z900, possibly with CCF
Z/X90  zArchitecture z890/z990, with CPACF
Z9     zArchitecture z9-109 or equivalent, with CPACF

ZPEN320I Crypto Facilities HW SW SecureZIP

A request was made to report on the available cryptographic facilities for the current operating environment. A list of supported cryptographic algorithms follows indicating which API facilities are available for use by SecureZIP. The cryptographic API facilities are categorized into one of the following groups:

HW - IBM Cryptographic Hardware
SW - IBM Cryptographic Software
SecureZIP - Software algorithms

ZPEN321I [crypto_algorithm] [hw_API] [sw_API] [SecureZIP_API]

A request was made to report on the available cryptographic facilities for the current operating environment. A separate report line is listed for each algorithm to indicate which (if any) API is available for use by SecureZIP before dynamic evaluation. A subsequent check of each algorithm will be performed based on run-time options and environmental characteristics.

[crypto_algorithm]

The [crypto_algorithm] name will also identify the use type for the algorithm.

Symmetric Data Encryption algorithms:

96 Bit Encryption
AES 128 Encryption
AES 192 Encryption
AES 256 Encryption
3DES Encryption
DES Encryption
RC4 Encryption

Data Integrity and Digital Signature algorithms:

CRC32 Hashing
SHA1 Hashing
MD5 Hashing
SHA256 Hashing

[hw_API] [sw_API]

The IBM Cryptographic facilities are accessed through one of the following ICSF APIs (hardware and software).

ENC - CSNBENC/CSNBDEC Encipher/Decipher
SYE - CSNBSYE/CSNBSYD Symmetric Key Encrypt/Decrypt
OWH - CSNBOWH One way hash
RNG - CSNBRNG Random Number Generation

[SecureZIP_API]

SecureZIP provides software algorithms using one of the following services.

BSAFE - RSA BSAFE CryptoC
PKW - PKWARE internal routine

"------" indicates that no service facility could be identified under the API service category for the algorithm.

ZPEN322I [Facility Category] Seq: IBMHW(x) IBMSW(x) PKW(x)

As part of the CryptoAPI report (see also ZPEN320I), the specified FACILITY sequence is displayed.

[x] - The preferred facility order of choice.

0 - Not included in the FACILITY list
1 - First selection if available for use
2 - Second selection if available for use
3 - Third selection if available for use

[Facility Category]

Encryptdata - Algorithms associated with symmetric data encryption.

HASH (Signature) - Algorithms associated with hashing. Uses include digital signature creation and authentication.

RandomData - Algorithms associated with creating random data for encryption extensions (such as Cipher Block Chaining)

ZPEN340I /--------[Facility_Category] Matrix ([type_code]) --------/

A request was made to report on the available cryptographic facilities for the current operating environment. A separate report is listed for each category of cryptographic service. All associated algorithms are included in the report along with resulting selection results.

[Facility_Category]


Encryptdata - Algorithms associated with symmetric data encryption.

HASH (Signature) - Algorithms associated with hashing. Uses include digital signature creation and authentication.

ZPEN341I [alg_id]([algorithm_name]) Select ([code]) [Facility Category]

A request was made to report on the available cryptographic facilities for the current operating environment. A separate report line is listed for each algorithm to indicate which (if any) API is selected for use by SecureZIP after dynamic evaluation. Each algorithm is validated against requested FACILITY settings, licensing and facilities reported by ICSF.

[Facility Category]

The final facility chosen is shown.

NONE FOUND - No viable facility could be identified for use. This algorithm cannot be serviced with the current configuration.

IBM Hardware - The CryptoAPI identified in ZPEN321I (HW) will be used

IBM Software - The CryptoAPI identified in ZPEN321I (SW) will be used

SecureZIP - The CryptoAPI identified in ZPEN321I (PKW) will be used

ZPEN342I Status-IBMHW([APIstate]) IBMSW([APIstate]) PKW([APIstate])

A request was made to report on the available cryptographic facilities for the current operating environment. A separate report line is listed for each algorithm to indicate which (if any) API is available for use by SecureZIP after dynamic evaluation. Each algorithm is validated against requested FACILITY settings, licensing and facilities reported by ICSF.

[APIstate]

The state of each facility type is reported for the algorithm reported in the preceding ZPEN341I message. State definitions are as follows:

-NotCap- The facility category is not capable of servicing this algorithm, and is therefore not available for use.

-NoAPI- No API could be identified as being available for use in the current run-time environment.


-NoFacil- This facility was not listed in the associated FACILITY setting, and is not available for use.

-NoLic- The product does not have the appropriate SecureZIP feature license code enabled to make use of this facility category.

-NotSup- This algorithm is not supported under the current release of SecureZIP.

BSAFE BSAFE(r) CryptoC routines included with the SecureZIP product have been identified as being viable for use.

ENC/DEC For the system platform being executed on, the ICSF CSNBENC (encipher) and CSNBDEC (decipher) API calls were identified as viable for use.

SYE/SYD For the system platform being executed on, the ICSF CSNBSYE (symmetric key encipher) and CSNBSYD (symmetric key decipher) API calls were identified as viable for use.

PKW A PKWARE proprietary routine was identified as viable for use.

OWH For the system platform being executed on, the ICSF CSNBOWH (One Way Hash) API call was identified as viable for use.

ZPEN383I Crypto Facilities HW SW SecureZIP

A request was made to produce a timing report for supported cryptographic facilities in the current operating environment. A list of supported cryptographic algorithms follows indicating which API facilities are available for use by SecureZIP. A list of supported cryptographic algorithms follows showing timing test values for each. A preceding header line will indicate whether this report is for raw TCB CPU time, or a computed throughput rate in megabytes per CP Second.

ZPEN384I [crypto_algorithm] [hw_API] [sw_API] [SecureZIP_API]

A request was made to produce a timing report for supported cryptographic facilities in the current operating environment. A value will be listed for each facility category associated with the correlated facility API listed in ZPEN321I. An "*" following a timing value indicates that the corresponding API will be selected based on the facility preference list shown in ZPEN322I. A preceding header line will indicate whether this report is for raw TCB CPU time, or a computed throughput rate in megabytes per CP Second.

Note: The "96 bit encryption" algorithm will not have timings run. The SecureZIP(PKW) facility API will always be selected for use when ENCRYPTION_METHOD(STANDARD) is specified.
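The following Python example is added here and is not part of the PKWARE guide or product. It reads saved PKCRYUTL report text offline, decodes the ZPEN306I State/Error flags using the bit meanings listed above, and checks each ZPEN341I selection against the ZPEN322I preference order and the ZPEN342I states. The function names, and the rule that any state wrapped in dashes means "unavailable", are assumptions drawn from this chapter's descriptions.

```python
import re

# Flag bits as listed under message ZPEN306I in this chapter.
STATE_FLAGS = {
    0x80: "error detected (see error flags)",
    0x40: "ICSF is active",
    0x20: "ICSF level supports CSFIQF",
    0x10: "z/Architecture hardware present",
    0x08: "CPACF hardware present",
    0x04: "CSNBSYE/CSNBSYD services available",
}
ERROR_FLAGS = {
    0x80: "CCVT never initialized by ICSF",
    0x40: "ICSF not up in an appropriate mode",
    0x20: "no hardware crypto devices available",
}
# Report column -> facility name as printed on ZPEN341I lines.
FACILITY_NAMES = {"IBMHW": "IBM Hardware", "IBMSW": "IBM Software", "PKW": "SecureZIP"}

RE_306 = re.compile(r"ZPEN306I\s.*<State=([0-9A-Fa-f]{2})/Error=([0-9A-Fa-f]{2})>")
RE_322 = re.compile(
    r"ZPEN322I\s+Facility\s+(\w+).*?Seq:\s+IBMHW\((\d)\)\s+IBMSW\((\d)\)\s+PKW\((\d)\)")
RE_340 = re.compile(r"ZPEN340I\s+/-+\s*(\w+)")
RE_341 = re.compile(r"ZPEN341I\s+[0-9A-F]{4}\((.+?)\s*\)\s+Select\s+\(\S+\)\s+(.+?)\s*$")
RE_342 = re.compile(
    r"ZPEN342I\s+Status-IBMHW\(\s*(.*?)\s*\)\s+IBMSW\(\s*(.*?)\s*\)\s+PKW\(\s*(.*?)\s*\)")

# Copied from the sample report in this chapter (three of its seven algorithms).
SAMPLE_REPORT = """\
ZPEN322I Facility Encryptdata Seq: IBMHW(1) IBMSW(2) PKW(3)
ZPEN340I /--------Encryptdata Matrix (01) --------/
ZPEN341I 0001(96 Bit Encryption ) Select (10/10) SecureZIP
ZPEN342I Status-IBMHW(-NotCap-) IBMSW(-NotCap-) PKW( PKW )
ZPEN341I 660E(AES 128 Encryption) Select (20/70) IBM Software
ZPEN342I Status-IBMHW( -NoAPI-) IBMSW(SYE/SYD ) PKW( BSAFE )
ZPEN341I 6603(3DES Encryption ) Select (40/70) IBM Hardware
ZPEN342I Status-IBMHW(ENC/DEC ) IBMSW( -NoAPI-) PKW( BSAFE )
"""
# Constructed line using the documented sample code for "ICSF has been shut down".
SAMPLE_ZPEN306I = "ZPEN306I State Error Found <State=B4/Error=60>"


def decode_flags(value, table):
    """Return the meanings of the bits set in value, noting undocumented bits."""
    meanings = [text for bit, text in table.items() if value & bit]
    unknown = value & ~sum(table) & 0xFF
    if unknown:
        meanings.append(f"undocumented bits x'{unknown:02X}'")
    return meanings


def triage(report):
    """Return (icsf, rows): decoded ZPEN306I flags and one row per algorithm."""
    sequences, category, pending = {}, None, None
    icsf, rows = {}, []
    for line in report.splitlines():
        if m := RE_306.search(line):
            icsf = {"state": decode_flags(int(m[1], 16), STATE_FLAGS),
                    "error": decode_flags(int(m[2], 16), ERROR_FLAGS)}
        elif m := RE_322.search(line):
            ranks = map(int, m.groups()[1:])
            sequences[m[1].lower()] = dict(zip(FACILITY_NAMES, ranks))
        elif m := RE_340.search(line):
            category = m[1].lower()
        elif m := RE_341.search(line):
            pending = (m[1], m[2])
        elif (m := RE_342.search(line)) and pending:
            status = dict(zip(FACILITY_NAMES, m.groups()))
            seq = sequences.get(category)
            skipped, expected = [], ("NONE FOUND" if seq else None)
            # Walk the preference order (rank 0 = not in the FACILITY list)
            # until a facility whose state is not a dashed "unavailable" code.
            for _, fac in sorted((r, f) for f, r in (seq or {}).items() if r > 0):
                if status[fac].startswith("-"):
                    skipped.append((fac, status[fac]))
                else:
                    expected = FACILITY_NAMES[fac]
                    break
            rows.append({"algorithm": pending[0], "selected": pending[1],
                         "expected": expected, "skipped": skipped,
                         "consistent": expected in (None, pending[1])})
            pending = None
    return icsf, rows


if __name__ == "__main__":
    for row in triage(SAMPLE_REPORT)[1]:
        note = ", ".join(f"{fac} {state}" for fac, state in row["skipped"]) or "none"
        print(f"{row['algorithm']}: {row['selected']} (skipped: {note})")
    print(triage(SAMPLE_ZPEN306I)[0])
```

The "skipped" column is the useful part for planning: it shows, per algorithm, which preferred facility was passed over and the state that ruled it out.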


Glossary

This glossary provides definitions for items that may have been referenced in the PKZIPz documentation. It is not meant to be exhaustive. There are excellent sources of documentation for computing terms on the Internet. For example:

IBM’s Terminology Web Site

http://www.networking.ibm.com/nsg/nsgmain.htm

Absolute Path Name

A string of characters that is used to refer to an object, starting at the highest level (or root) of the directory hierarchy. The absolute path name must begin with a slash (/), which indicates that the path begins at the root. This is in contrast to a Relative Path Name.

Access Method

A technique that is used to read a record from, or to write a record into, a file. Usually either SAM (Sequential Access Method, where records are processed one after another in the order in which they appear in the file) or random (the individual records can be processed in any order), such as VSAM.

AES

The Advanced Encryption Standard is the official US Government encryption standard for customer data.

Alternate Index

An index of a file based on a key different from the base. It allows the file to be processed in a secondary key order.

American Standard Code for Information Interchange (ASCII)

The ASCII code (American Standard Code for Information Interchange) was developed by the American National Standards Institute for information exchange among data processing systems, data communications systems, and associated equipment, and is the standard character set used on Windows and many UNIX-based operating systems. In a ZIP archive, ASCII is used as the normal character set for compressed text files. The ASCII character set consists of 7-bit control characters and symbolic characters, plus a single parity bit. Since ASCII is used by most microcomputers and printers, text-only files can be transferred easily between different kinds of computers and operating systems. While ASCII code does include characters to indicate backspace, carriage return, etc., it does not include accents and special letters that are not used in English. To accommodate those special characters, Extended ASCII has additional characters (128-255). Only the first 128 characters in the ASCII character set are standard on all systems. Others may be different for a given language set. It may be necessary to create different translation tables (see Translation Table) to create standard translation between ASCII and other character sets.

American National Standards Institute (ANSI)

An organization sponsored by the Computer and Business Equipment Manufacturers Association for establishing voluntary industry standards.

Application Programming Interface (API)

An interface between the operating system (or systems-related program) that allows an application program written in a high-level language to use specific data or services of the operating system or the program. The API also allows you to develop an application program written in a high-level language to access SECZIP data and/or functions of the SECZIP system.

Application System/400 (iSeries)

A family of general purpose computing systems from IBM which run Operating System/400 (OS/400).

Archive

(1) The act of transferring files from the computer into a long-term storage medium. Archived files are often compressed to save space.

(2) An individual file or group of files which must be extracted and decompressed in order to be used.

(3) A file stored on a computer network, which can be retrieved by a file transfer program (FTP) or other means.

(4) The SECZIP file that holds the compressed/zipped data file.

Batch Job

A unit of work defining one or more execution steps submitted to the Job Entry Subsystem (JES) with a JOB statement.

Big ENDIAN

A binary (hexadecimal) representation of numeric data in which the most significant byte is on the left. In the context of bit flags, the most significant bit is on the left.

Binary File

A file that is to be handled in its native form without text translation.


Block

(1) A group of records that are recorded or processed as a unit.

(2) A set of adjacent records stored as a unit on a disk, diskette, or magnetic tape.

Cipher Block Chain (CBC)

Cipher Block Chaining refers to a method of encryption of blocks of data that involves an initialization vector that is put together with the first block of data and the encryption key. This method of encryption makes sure that each block of data thereafter is uniquely modified, further protecting the data from fraudulent access.

Code Page

A specification of code points for each graphic character set or for a collection of graphic character sets. Within a given code page, a code point can have only one specific meaning. A code page is also sometimes known as a code set.

Command Line Interface

An operating environment interface where a textual command and its associated parameters may be entered.

Configuration File

(1) A file that specifies the way a program functions.

(2) In SECZIP, the file that contains the default values needed for the system to run. These can usually be respecified to meet local user requirements.

Contingency Key

An ordinary cryptographic key from a digital certificate that is designated as a master recipient for use, in addition to any other recipients, whenever SecureZIP does strong encryption. Including a master recipient contingency key in a list of recipients ensures that the organization that owns the key can decrypt the encrypted files.

CP Assist for Cryptographic Functions (CPACF)

A set of cryptographic instructions available on all central processors. These are available in varying degrees on zSeries z/890, z/990, and System z9 platforms.

Cryptographic Coprocessor Feature (CCF)

A method of protecting data. Cryptographic services include data encryption and message authentication. These are available on systems supporting the G5/G6 chipsets, including MP2000, MP3000, 9672, as well as z-architecture systems z800 and z900.

Cryptography

(1) A method of protecting data. Cryptographic services include data encryption and message authentication.

(2) In cryptographic software, the transformation of data to conceal its meaning; secret code.

(3) The transformation of data to conceal its information content, to prevent its undetected modification, or to prevent its unauthorized use.

Cyclic Redundancy Check (CRC)

A Cyclic Redundancy Check is a number derived from a block of data, and stored or transmitted with the data in order to detect any errors in transmission. This can also be used to check the contents of a ZIP archive. It is similar in nature to a checksum. A CRC may be calculated by adding words or bytes of the data. Once the data arrives at the receiving computer, a calculation and comparison is made to the value originally transmitted. If the calculated values are different, a transmission error is indicated. The CRC information is called redundant because it adds no significant information to the transmission or archive itself. It is only used to check that the contents of a ZIP archive are correct. When a file is compressed, the CRC is calculated and a value is calculated based upon the contents and using a standard algorithm. The resulting value (32 bits in length) is the CRC that is stored with that compressed file. When the file is decompressed, the CRC is recalculated (again, based upon the extracted contents), and compared to the original CRC. Error results will be generated showing any file corruption that may have occurred.

Data Compression

The reduction in size (or space taken) of data volume on the media when performing a save or store operation.

Data Integrity

(1) The condition that exists as long as accidental or intentional destruction, alteration, or loss of data does not occur.

(2) Within the scope of a unit of work, either all changes to the database management systems are completed or none of them are. The set of change operations are considered an integral set.

Delimiter

A character or sequence of characters that marks the beginning or end of a unit of data. This is commonly used in non-record data streams in workstation and UNIX-based systems.

Double-byte Character Set (DBCS)

A set of characters in which each character is represented by 2 bytes. Languages such as Japanese, Chinese, and Korean, which contain more symbols than can be represented by 256 code points, require double-byte character sets. Because each character requires 2 bytes, the typing, displaying, and printing of DBCS characters requires hardware and programs that support DBCS. Four double-byte character sets are supported by the system: Japanese, Korean, Simplified Chinese, and Traditional Chinese. See also the Single-Byte Character Set (SBCS).

Dump

In problem analysis and resolution, to write, at a particular instant, all or part of the contents of main or auxiliary storage onto another data medium (such as tape, printer, or spool) for the purpose of protecting the data or collecting error information.

Dynamic Allocation (DYNALLOC)

Dynamic Allocation (DYNALLOC) is a facility utilizing the SVC99 function which allows a program to directly access a dataset without the need for corresponding JCL statements.

Encryption

The transformation of data into an unintelligible form so that the original data either cannot be obtained or can be obtained only by decryption.

Enqueue

The Enqueue macro (ENQ) is used to restrict access to a resource, so that only the appropriate number of users with the appropriate mode gain access to the resource at one time. It is commonly used to "lock" a resource to prevent modifications from multiple sources to cancel out each other.

Extended Attribute

Information attached to an object that provides a detailed description about the object to an application system or user.

Extended Binary Coded Decimal Interchange Code (EBCDIC)

The Extended Binary Coded Decimal Interchange Code is a coded character set of 256 8-bit characters. EBCDIC is similar in nature to ASCII code, which is used on many other computers. When ZIP programs compress a text file, they translate data from EBCDIC to ASCII characters within a ZIP archive using a translation table.

FIPS

Federal Information Processing Standards defining information processing standards for use within government agencies. Information regarding specific standards definitions is available online from the Computer Security Resource Center at csrc.nist.gov using keyword “FIPS”.

Fixed-Length

A dataset or data definition characteristic in which all of the records are the same length. See also Variable Length.


GDG

Generation Data Groups.

GNU

A recursive acronym for the name of the Free Software Foundation's freely distributable replacement for UNIX.

Greenwich Mean Time (GMT)

A synonym for Universal Time Coordinated (UTC) which is the mean solar time of the meridian of Greenwich, England, and is the prime basis of standard time throughout the world.

GZIP

GZIP (also known as GNU zip) is a compression utility designed to use a different standard for handling compressed file data in an Archive.

ICF

Integrated Catalog Facility.

IDCAMS

The utility program used by IBM’s Access Method Services to create and manage VSAM datasets.

Installation Verification Procedure (IVP)

A sample application, script, or jobstream provided to verify successful installation of a product (may be either software or hardware).

iSeries

AS400 Operating environments.

JCL

Job Control Language is a command language for mainframes and minicomputers, used for launching applications.

Job Entry Subsystem (JES)

An IBM licensed program that receives jobs into the system and processes all output data produced by the jobs. Commonly known as JES2 or JES3.

Julian Date

A date format that contains the year in positions 1 and 2, and the day in positions 3 through 5. The day is represented as 1 through 366, right-adjusted, with zeros in the unused high-order positions. For example, the Julian date for April 6, 1987 is 87096.

Kanji

Characters originating from the Chinese characters used in the Japanese written language.

Keyed Sequence

An order in which records are retrieved based on the contents of key fields in records. For example, a bank name and address file might be in order and keyed by the account number.

Keyword

(1) A mnemonic (abbreviation) that identifies a parameter in a command.

(2) A user-defined word used as one of the search values to identify a document during a search operation.

(3) In COBOL, a reserved word that is required by the syntax of a COBOL statement or entry.

(4) In DDS, a name that identifies a function.

(5) In REXX, a symbol reserved for use by the language processor in a certain context. Keywords include the names of the instructions and ELSE, END, OTHERWISE, THEN, and WHEN.

(6) In query management, one of the predefined words associated with a query command.

(7) A name that identifies a parameter used in an SQL statement. Also see parameter.

LBI (Large Block Interface)

The set of BSAM, BPAM, and QSAM interfaces that deal with block sizes in 4-byte fields instead of 2-byte fields. This mode of operation is device and system-dependent.

Lempel-Ziv (LZ)

A technique for compressing data. This technique replaces some character strings, which occur repeatedly within the data, with codes. The encoded character strings are then kept in a common dictionary, which is created as the data is being sent.

Library Lookaside

An operating system facility intended to improve the performance of module fetching through the LLA started task. Related terms include LNKLST, Link List.

Linkage Editor

A system-related program that resolves cross-references between separately compiled object modules and then assigns final storage addresses to create a single load module.

Little ENDIAN

A binary (hexadecimal) representation of numeric data in which the least significant byte is on the left. In the context of bit flags, the least significant bit is on the left.

MVS

Multiple Virtual Storage is the generic name for the portion of the OS/390 and z/OS operating systems which runs non Unix-System-Services workloads such as batch and TSO/E. It is in this environment that PKZIPz executes.

New ZIP Archive

A New ZIP archive is the archive created by a compression program when either an old ZIP archive is updated or when files are compressed and no ZIP archive currently exists. It may be thought of as the “receiving” archive. Also see Old ZIP Archive.

NIST

National Institute of Standards and Technology is a part of the U.S. Department of Commerce, formerly called the National Bureau of Standards, that defines standards for voice, data, and video transmissions, encryption, and other kinds of technology.

Null Value

A parameter which has no value assigned.

Old ZIP Archive

An Old ZIP archive is an existing archive which is opened by a compression program to be updated or for its contents to be extracted. It may be thought of as the “sending” archive. Also see New ZIP Archive.

Packed Decimal Format

A decimal value in which each byte within a field represents two numeric digits except the far right byte, which contains one digit in bits 0 through 3 and the sign in bits 4 through 7. For all other bytes, bits 0 through 3 represent one digit; bits 4 through 7 represent one digit. For example, the decimal value +123 is represented as 0001 0010 0011 1111 (or 123F in hexadecimal).

Parameter

(1) A value supplied to a command or program that is used either as input or to control the actions of the command or program.

(2) In COBOL, a variable or a constant that is used to pass values between calling and called programs.

(3) In the Integrated Language Environment (ILE), an identifier that defines the types of arguments that are passed to a called procedure.

(4) In REXX, information entered with a command name to define the data on which a command processor operates and to control the execution of the command.

(5) In DB2 UDB for iSeries SQL, the keywords and values that further define SQL precompiler commands and SQL statements. Also see keyword.

Parameter List

A list of values in a calling program that corresponds exactly to a list in a called program for the purposes of providing addressability and data exchange. It contains parameter names and the order in which they are to be associated in the calling and called program.

Partitioned Dataset

A Partitioned Dataset (PDS) is a dataset in direct access storage that is divided into partitions (which are called members), each of which can contain a program, part of a program, JCL, parameters, or other forms of data. When a compression program is compressing a PDS, each member is treated as a separate file within the resultant ZIP archive. When an archive is decompressed to a PDS, each file within the archive creates a separate member within the PDS.

Path Name

(1) A string of characters used to refer to an object. The string can consist of one or more elements, each separated by a slash (/), and may begin with a slash. Each element is typically a directory or equivalent, except for the last element, which can be a directory or another object (such as a file).

(2) A sequence of directory names followed by a file name, each separated by a slash.

Programming Language/I (PL/I)

A programming language designed for use in a wide range of commercial and scientific computer applications.

Program Temporary Fix (PTF)

A temporary solution to (or a bypass of) a problem that is necessary to provide a complete solution to correct a defect in a current unaltered release of a program. May also be used to provide an enhancement to a product before a new release of the product is available. Generally, PTFs are incorporated in a future release of the product.

RDW

Record Descriptor Word.

Record

A group of related data, words, or fields treated as a single unit, such as a name, address, and social security number.

Record Format

A document or display that names each part of a file and provides specific information for each field such as length and type of information contained within the field.

Relative Path Name

A string of characters that is used to refer to an object, starting at some point in the directory hierarchy other than the root. A relative path name does not begin with a slash (/). The starting point is frequently a user's current directory. This is in contrast to an absolute path name and path name.

Return Code

A value generated by operating system software to a program to indicate the results of an operation by that program. The value may also be generated by the program and passed back to the operator.

Rijndael

The combined name of the two researchers that developed the Advanced Encryption Standard (AES) for the US Government (Dr. Joan Daemen and Dr. Vincent Rijmen).

Sequential Dataset

A sequential dataset holds a single file of records which are organized on the basis of their successive physical positions, such as on magnetic tape.

Single-Byte Character Set (SBCS)

A coded character set in which each character is represented by a one-byte code point. A one-byte code point allows representation of up to 256 characters. Languages that are based on an alphabet, such as the Latin alphabet (as contrasted with languages that are based on ideographic characters) are usually represented by a single-byte coded character set. For example, the Spanish language can be represented by a single-byte coded character set. Also see the Double-Byte Character Set (DBCS).

Spanned Record

A logical record that is stored across more than one block. This is commonly used to get around system limitations that blocks cannot be larger than x number of bytes. With spanned records, one record spans two or more blocks.

Translation Table

Translation tables are used by the SECZIP and SECUNZIP programs for translating characters in compressed text files between the ASCII character sets used within a ZIP archive and the EBCDIC character set used on IBM-based systems. These tables may be created and modified by you as documented in the user's guide.

Truncate

To cut off or delete the data that will not fit within a specified line width or display. This may also be attributed to data that does not fit within the specified length of a field definition.

Universal Time Coordinated (UTC)

A synonym for Greenwich Mean Time (GMT) which is the mean solar time of the meridian of Greenwich, England, and is the prime basis of standard time throughout the world.

Variable-Length

A characteristic of a file in which the individual records (and/or the file itself) can be of varying length. Also see Fixed-Length.

Virtual Storage Access Method

The Virtual Storage Access Method (VSAM) is an access method for the direct or sequential processing of fixed-length and variable-length records on direct access devices. The records in a VSAM dataset or file can be organized in logical sequence by a key field (key sequence dataset or KSDS), in the physical sequence in which they are written on the dataset or file (entry-sequence or PS), or by relative-record number (RR). The datasets are managed by the IDCAMS utility program and are used by commands and macros from within application programs.

ZIP Archive

A ZIP archive is used to refer to a single dataset that contains a number of files compressed into a much smaller physical space by PKZIPz software.

Index

$

$INSTLIC, 38

3

3DES, 24

A

Activating the ISPF Interface, 55
ACZDFLT, 37
AES, 24
ARCHIVE_STORCLASS, 38
ARCHIVE_UNIT, 38
ARCHIVE_VOLUMES, 38
ASMDFLT, 37
ASMSAFE, 38
authentication, 18, 20

B

BASIC, 44

C

CAPACITY, 44
certificate authority, 20
certificate stores, 21, 23
certificates, 19, 20, 23
  root, 21
Conditional Use, 51
cryptographic services, 137
Current Use License, 47

D

Defaults Module, 37
DEMO, 44
DES, 24
DISASTER RECOVERY, 44

E

EBCDIC, 38
encryption, 17, 26, 137
  algorithms, 24
  certificate-based, 27
  password, 26
enhanced tape processing, 14
ENTERPRISE, 44

F

facilities, 137
FEATURES, 44
FIPS, 24

I

IBM Cryptographic Facilities Integration, 137
IBM’s Terminology Web Site, 147
ICSF, 10
Installation Overview, 29
Integrated Cryptographic Service Facility. See ICSF
ISPF Main Menu, 56
ISR@PRIM, 56

K

keys, 17, 19, 26

L

Library Lookaside, 56
LICENSE_HLQ, 38
Licensed Types, 43
Licensing and Initializing the Demo, 40, 51
LICPRINT, 47
LICSHSYS, 50
LICxxxx, 38

M

Media Distribution for Installation, 29

O

OUTFILE_STORCLASS, 38
OUTFILE_UNIT, 38
OUTFILE_VOLUMES, 38

P

PartnerLink, 17, 70, 127
passwords, 26
PEM, 23
PKCRYUTL, 137
PKCS#12, 23
PKCS#7, 23
PKI, 18, 19
PKZALLOC, 56
private key, 19, 21, 27
Product Features, 44
Protecting Files with the SAFETYEX Module, 38
public key, 19, 21

R

RC4, 25
Reporting, 47
Running a Disaster Recovery Test, 54

S

SAFETYEX, 38
SAFETYEX Module, 38
SecureZIP Partner, 17, 43, 70, 98, 127
Self-Extracting ZIP File, 30
Show System Information, 50
signing, 20
Specific Changes, 36, 37
sponsor, 127
Sponsor Distribution Package, 128
SYSEXEC, 55
SYSPROC, 55

T

Tailoring Site Specific Changes, 36, 37
TEMP_STORCLASS, 38
TEMP_UNIT, 38
TEMP_VOLUMES, 38
TIME-DELIMITED, 44
translation controls, 38
Trial Period, 40
Triple DES, 24
Type of Media Distribution for Installation, 29

V

VSAM_STORCLASS, 38
VSAM_VOLUMES, 38

X

X.509, 20