IBM United States Software Announcement
210-008
IBM is a registered trademark of International Business Machines Corporation
(ECDSA), and Hashed Message Authentication Mode (HMAC)), as well as z/OS
Communications Server support for IKEv2 and Federal Information Processing
Standard (FIPS) 140-2.
• Digital certificates are used in managing and working with private key/public key
encryption and are often required as part of security and compliance guidelines.
They can be used by applications to establish secure communication sessions or
to configure virtual private network (VPN) sessions, and to authenticate users and
objects. z/OS PKI Services is a complete digital certificate authority included in the
base of z/OS at no additional charge. Relatively few z/OS resources can be used
to generate thousands, even hundreds of thousands of digital certificates. Reduce
risk and reduce cost by generating and managing your own digital certificates
from z/OS.
For z/OS V1.12, z/OS PKI Services is planned to gain several usability
enhancements that are expected to reduce the amount of time and number
of manual tasks associated with finding certificate serial numbers and issuing
renewal and revocation e-mails. New standards, such as Certificate Management
Protocol (CMP), mean devices can now request, revoke, suspend, and resume
certificates from z/OS PKI Services directly and automatically. Certificates
generated by z/OS PKI Services can also be customized for use with Microsoft
Exchange and smart card readers.
• Authentication, auditing, and compliance are growing concerns. Many laws
and standards have been recently refined, enacted, or created, governing the
protection and access of data. z/OS has a long history of resource access and
reporting capabilities built into the platform that can be useful for administering
z/OS security, monitoring for threats, and auditing usage and policy compliance.
z/OS V1.12 is planned to have significant updates for Tivoli Directory Server (LDAP)
in support of new password policy rules, improved logging, and new extensions for
access control lists.
Details on the security enhancements intended for z/OS V1.12:
• ICSF is planned to provide support for translation of external RSA tokens wrapped
with key encrypting keys into one of three smart card formats. A new callable
service, PKA Key Translate (CSNDPKT), is designed to translate an existing RSA
private key in CCA external format into a specified smart card (SC) format in
support of VISA, or the common ME or CRT format. To use this new function, you
will need an IBM System z9® or System z10 server with the Crypto Express2
feature with a minimum driver and microcode level. This function is also available
on z/OS V1.8 and higher with the z/OS V1.8, z/OS V1.9 or z/OS V1.10 with the
Cryptographic Support for z/OS V1R8-V1R10 and z/OS.e V1R8 Web deliverable
and PTF UA46713.
• An enhancement to Central Processor Assist to Cryptographic Function (CPACF)
on IBM System z10 servers with the CEX3C feature is designed to help facilitate
the continued privacy of cryptographic key material when used by the CPACF
for high-performance data encryption. Leveraging the unique z/Architecture®,
protected key CPACF is designed to help ensure that key material is not visible to
applications or operating systems when used for encryption operations. Protected
key CPACF is designed to provide significant throughput improvements for
large volumes of data and low latency for small blocks of data. In z/OS V1.12,
ICSF is planned to exploit the enhancements made to the CPACF in support of
separate key wrapping keys for DES/TDES and AES. This is designed to provide
the same functions available using the PCI card, but with the advantage of CPACF
performance.
• There are a number of improvements planned for PKI Services.
– In z/OS V1.12, PKI Services is planned to allow you to create and sign
certificates with ECC keys, in addition to RSA and DSA keys.
– RACF and PKI Services will be designed to support longer distinguished names
in digital certificates. This is intended to support your use of certificates with
very long distinguished names.
– Certain events, such as restoring a prior level of the security database, or
removing and reinstalling the Certificate Authority (CA) certificate, can cause
the security manager to return, for use in new certificates, serial numbers
that have been used before. PKI Services will be designed to detect this and