IBM United States Software Announcement
210-008
IBM is a registered trademark of International Business Machines Corporation
• IBM Tivoli Directory Server for z/OS is planned to provide support for the
syntaxes and matching rules currently supported by IBM Tivoli Directory Server.
This support will be designed to allow migration and replication of schema
and directory entries using these syntaxes and matching rules from IBM Tivoli
Directory Server on other platforms.
• TSO/E will be designed to accept passwords that include one or more special
characters. This is intended to leave the checking for acceptable password
characters to an external security manager such as RACF.
• z/OS Communications Server is planned to introduce trusted TCP connections,
to enable sockets programs to retrieve sysplex-specific connection routing
information and partner security credentials for connected sockets. Partner
security credentials can be retrieved if both endpoints of a TCP connection reside
in the same z/OS image, z/OS sysplex, or z/OS subplex, and the endpoints are
within the same security domain. In such a topology, partner programs can use
trusted connections to authenticate each other as an alternative to using an SSL/TLS
connection with digital certificates for client and server authentication.
• Internet Key Exchange version 2 (IKEv2) is the latest version of the Internet Key
Exchange (IKE) protocol specified by RFC 4306. IKE is used by peer nodes to
perform mutual authentication and to establish and maintain security associations
(SAs). In z/OS V1.12 the Communications Server IKE daemon (IKED) is planned
to be enhanced to support IKEv2, in addition to its existing IKEv1 support. The z/OS
Communications Server support for IKEv2 is planned to include:
– IPv4 and IPv6 support
– A new identity type called KeyId
– Authentication using pre-shared keys or digital certificates; certificates may use
RSA or elliptic curve (ECDSA) keys
– Re-keying and re-authentication of IKE SAs and child SAs
– Hash and URL specification of certificates and certificate bundles
– A new certbundle command which can create certificate bundles as specified by
RFC 4306
• z/OS Communications Server is planned to introduce these enhancements to the
network security services daemon (NSSD) IPSec Certificate Services:
– IKEv2 support: X.509 certificate-based signature creation and validation for
IKEv2
– Elliptic Curve Digital Signature Algorithm (ECDSA) support: X.509 certificates
that contain ECDSA keys may be utilized for IKEv2 digital signature creation and
verification
– X.509 certificate trust chain support: The entire X.509 trust chain will be
taken into consideration during IKEv1 or IKEv2 digital signature creation and
verification
– Certificate Revocation List (CRL) support: CRLs may be retrieved via HTTP and
consulted during IKEv1 or IKEv2 digital signature verification
– Hash and URL support: Certificates and certificate bundles specified using the
Hash and URL format specified in RFC 4306 may be utilized during IKEv2 digital
signature creation and verification
The z/OS Internet Key Exchange daemon (IKED) is planned to be enhanced to use
these new NSSD functions when a stack is configured as a network security client.
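The certificate handling named in the IKEv2 and NSSD items above (ECDSA-keyed X.509 certificates, trust-chain validation before a signature is accepted, and the RFC 4306 Hash and URL encoding) is illustrated by the following added example. It is not IBM code and not part of this announcement; it uses only the Go standard library, generates a constructed ECDSA root CA and peer certificate at run time, checks the chain against the issuing root and against an unrelated one, and encodes and re-checks the Hash and URL form. The subject names, serial numbers and URL are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl for pub with signerKey; when parent is nil the certificate is self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildPKI constructs an ECDSA (P-256) root CA and an end-entity certificate signed by it.
// Subject names, serials and lifetimes are placeholders invented for this example.
func buildPKI() (root, leaf *x509.Certificate, err error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	root, err = issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example IKE Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "ike-peer.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, // what an IKE AUTH signature needs
	}, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	return root, leaf, nil
}

// verifyChain builds and checks the chain from leaf to one of the supplied anchors
// (signatures, validity period, basic constraints); trust the peer's signature only if this succeeds.
func verifyChain(leaf *x509.Certificate, anchors ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, a := range anchors {
		pool.AddCert(a)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// HashAndURL mirrors RFC 4306 "Hash and URL": SHA-1 of the DER certificate, then the URL to fetch it from.
type HashAndURL struct {
	Hash [sha1.Size]byte
	URL  string
}
func encodeHashAndURL(c *x509.Certificate, url string) HashAndURL {
	return HashAndURL{Hash: sha1.Sum(c.Raw), URL: url}
}

// checkFetched accepts downloaded DER only if it hashes to the advertised value, before any parsing.
func checkFetched(h HashAndURL, der []byte) bool {
	return sha1.Sum(der) == h.Hash
}

func main() {
	root, leaf, err := buildPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("chain to issuing root:", verifyChain(leaf, root))
	stranger, _, _ := buildPKI()
	fmt.Println("chain to unrelated root:", verifyChain(leaf, stranger))
	h := encodeHashAndURL(leaf, "http://pki.example.test/ike-peer.der") // placeholder URL
	fmt.Printf("Hash and URL payload: %x %s\n", h.Hash, h.URL)
	fmt.Println("fetched DER matches hash:", checkFetched(h, leaf.Raw))
}
```

The two checks are deliberately separate: the Hash and URL hash protects only the integrity of the download against the value the peer advertised, while verifyChain is what establishes that the certificate is trustworthy at all. CRL retrieval, which the NSSD item also lists, is not shown here.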
• z/OS Communications Server is planned to introduce these enhancements to
IPSec and IKE support for cryptographic currency:
– Support for the Advanced Encryption Standard (AES) algorithm in Cipher Block
Chaining (CBC) using 256-bit keys, an addition to the previously existing 128-bit
key support. You can use the longer key length for more-sensitive data.
– Support for the Advanced Encryption Standard (AES) algorithm in Galois
Counter Mode (GCM) and in Galois Message Authentication Code (GMAC)
mode. AES in GCM is intended to provide both confidentiality and data origin
authentication. AES-GCM is a very efficient algorithm for high-speed packet
networks. AES in GMAC mode is intended to provide data origin authentication
but does not provide confidentiality. AES-GMAC, like AES-GCM, is also a very
efficient algorithm for high-speed packet networks. z/OS V1.12 Communications