SecureZIP™ for zSeries (OS/390 and z/OS)

System Administrators Guide SZZSA-V8R1000

PKWARE Inc.

PKWARE Inc. 9009 Springboro Pike Miamisburg, Ohio 45342

Sales: 937-847-2374 Support: 937-847-2687 Fax: 937-847-2375 Web Site: http://www.pkware.com Sales - E-Mail: [email protected] Support - http://www.pkware.com/support

8.1 Edition (2005)

SecureZIP for zSeries™, PKZIP for zSeries™, PKZIP for MVS™, SecureZIP for iSeries™, PKZIP for iSeries™, PKZIP for OS/400™, PKZIP for VSE™, PKZIP for UNIX™, SecureZIP for Windows™, and PKZIP for Windows™ are just a few of the many members in the PKZIP® family. PKWARE Inc. would like to thank all the individuals and companies -- including our customers, resellers, distributors, and technology partners -- who have helped make PKZIP® the industry standard for Trusted ZIP solutions. PKZIP® enables our customers to efficiently and securely transmit and store information across systems of all sizes, ranging from desktops to mainframes.

This edition applies to the following PKWARE Inc. licensed program: SecureZIP for zSeries™ (Version 8, Release 1, 2005)

PKZIP(R) is a registered trademark of PKWARE(R) Inc. SecureZIP is a registered trademark of PKWARE(R) Inc. Other product names mentioned in this manual may be a trademark or registered trademarks of their respective companies and are hereby acknowledged.

Any reference to licensed programs or other material, belonging to any company, is not intended to state or imply that such programs or material are available or may be used. The copyright in this work is owned by PKWARE Inc., and the document is issued in confidence for the purpose only for which it is supplied. It must not be reproduced in whole or in part or used for tendering purposes except under an agreement or with the consent in writing of PKWARE Inc., and then only on condition that this notice is included in any such reproduction. No information as to the contents or subject matter of this document or any part thereof either directly or indirectly arising there from shall be given or communicated in any manner whatsoever to a third party being an individual firm or company or any employee thereof without the prior consent in writing of PKWARE Inc.

Copyright © 1989 - 2005 PKWARE Inc. All rights reserved.

Contents

PREFACE
Notices
About this Manual
Conventions Used in this Manual
Related Publications
Related IBM Publications
Related Information on the Internet
User Help and Contact Information

1 SYSTEM PLANNING AND ADMINISTRATION
Planning for Administration Activities
SecureZIP Model Environments
Signing and Authentication
Security Concepts
Encryption
Signing and Authentication
Public Key Infrastructure and Digital Certificates
Setting Up Stores for Digital Certificates on zOS
Types of Encryption Algorithms
FIPS 46-3, Data Encryption Standard (DES)
Triple DES algorithm (3DES)
Advanced Encryption Standard (AES)
Comparison of the 3DES and AES Algorithms
RC4
Standard
Key Management
Passwords and PINS
Recipient-Based Encryption
Integrity of Public and Private Keys
Data Encryption

2 INSTALLATION, LICENSING, AND CONFIGURATION
Installation Overview
Type of Media Distribution for Installation
Installation from Downloaded File or CD
Non-SMP/E Installation
SMP/E Installation
Installing from 3490 Tape
Initializing the License
Evaluation Period
Release Licensing
Show System Information
Reporting the SecureZIP for zSeries License
Applying a License Key or Authorization Code
SecureZIP for zSeries Grace Period
Running a Disaster Recovery Test
Tailoring Site Specific Changes to the Defaults Module
Protecting Files with the SAFETYEX Module
SMS Dataclass Considerations
Note for users of PKZIP for MVS and PKZIP for zSeries 5.6
Considerations when Exporting Private Keys using RACDCERT
Activating the ISPF Interface
ISPF Main Menu
Verifying the Installation

3 SECURITY ADMINISTRATION OVERVIEW
Keywords, Phrases, and Acronyms Used
Accessing Certificates
Private Key Certificates
and Root Certificates
Configuration Profile
Contents of the Configuration Profile
Data Base (DB) Profile (Local Certificate Store)
LDAP Profile (Networked Certificate Store)
Recipient Searches
Local Certificate Stores
Access x.509 Public and Private Key Certificates
Authentication and Certificate Validation Policies
Other Profile Commands

4 CERTIFICATE STORE MANAGEMENT
SecureZIP Main Panel—Access to the Certificate Stores
SecureZIP Certificate Store Administration and Configuration
Local Certificate Store Administration
SecureZIP Local Certificate Store
Create a New Local Certificate Store DB
Certificate Validation Options
Generated JCL to Build the Initial Certificate Store
View Data Base Certificate Entries
List Data Base Certificate Entries
Add a Certificate to the Local Store
Add a New Certificate to the CA Store
Add a New Trusted Root Certificate to the Root Store
Delete a Certificate from the Local Store
Synchronize the Index for the Local Certificate Store
Generated JCL for Synchronization
CA, Root, and CRL Verification
Report DB Statistics
Edit Active DB Profile
Backup and Restore Process
Directory Certificate Store Configuration - LDAP
Create/Test LDAP Profile Statements
Edit existing LDAP profile
Create/Test LDAP Link
Create New LDAP Profile Settings
Load Existing LDAP Profile
Testing the LDAP Connection
Runtime Configuration
Zip/Unzip Runtime Configuration Panel
SecureZIP Runtime Configuration Panel
SecureZIP Runtime Configuration Panel Undefined
SecureZIP Runtime Configuration Panel with DB Profile Defined
SecureZIP Runtime Configuration Panel with Private Certificate Location
x.509 Certificate Utilities
The Options
Certificate Revocation Lists
Filename Encryption

5 SECURITY QUESTIONS AND SOLUTIONS
Which encryption settings should be chosen?
How is encryption activated?
How many recipients can be specified?
What are the virtual storage requirements to run certificate-based encryption?
How does ENCRYPTION_METHOD pertain to recipient or password encryption?
How do we activate a MASTER_RECIPIENT or “contingency recipient”?
How does MASTER_RECIPIENT affect activation?
How copy a local certificate store?
How remove a local certificate store?
How can the contents of an x.509 certificate file be determined?

GLOSSARY

Preface

The PKWARE family of products consists of high performance data compression software. The archives resulting from compression by the SECZIP program can be transported or transmitted to other operating system platforms where they will undergo decompression by the SECUNZIP program or an acceptable substitute.

Notices

Licensing requirements have changed for this release. See Chapter 2 for current information.

About this Manual

This manual provides information to help a system administrator install and use SecureZIP for zSeries in an operational environment. It is assumed that anyone using this manual has a good understanding of JCL and dataset processing. The manual applies to the following operating systems:
• OS/390 - Version 2.10 and above.
• z/OS - all releases.

Conventions Used in this Manual

Throughout this manual, the following conventions are used:
• The use of the Courier font indicates text that may be found in job control language (JCL), parameter controls, or printed output.
• The use of italics indicates a value that must be substituted by the user, for example, a dataset name. It may also be used to indicate the title of an associated manual or the title of a chapter within this manual.
• Bullets (•) indicate items (or instructions) in a list.
• The use of <angle brackets> in a command definition indicates a mandatory parameter.
• The use of [square brackets] in a command definition indicates an optional parameter.
• A vertical bar (|) in a command definition is used to separate mutually exclusive parameter options or modifiers.

Related Publications

SecureZIP for zSeries product manuals include:
• SecureZIP for zSeries System Administrator's Guide - Provides detailed information to assist the system administrator with the installation and administrative requirements necessary to use SecureZIP for zSeries in an operational environment.
• SecureZIP for zSeries User's Guide - Provides detailed information on the product set in OS/390 and z/OS operating environments. Also provided is a general introduction to data compression, SECZIP specific data compression, and an overview on how to use SecureZIP for zSeries, SECZIP control cards, and parameters.
• SecureZIP for zSeries Messages and Codes - Provides information on the messages and codes that are displayed on the consoles, printed outputs, and associated terminals.

Related IBM Publications

IBM manuals relating to the SecureZIP for zSeries product include:

System Codes - Documents the completion codes issued by the operating system when it terminates a task or an address space. Describes the wait state codes placed in the program status word (PSW) when the system begins a wait state. Describes the causes of loops.

System Messages - Documents the messages issued by the OS/390 operating system. The descriptions explain why the component issued the message, give the actions of the operating system, and suggest responses by the applications programmer, system programmer, and/or operator.

JES2 Messages - Documents the messages issued by the JES2 subsystem. The descriptions explain why the component issued the message, give the actions of the operating system, and suggest responses by the applications programmer, system programmer, and/or operator.

JCL User's Guide - Describes the job control tasks needed to enter jobs into the operating system, control the system's processing of jobs, and request the resources needed to run jobs. To perform the tasks, programmers code job control statements. The user's guide assists in deciding how to perform job control tasks.

JCL Reference - Describes the job control tasks needed to enter jobs into the operating system, control the system's processing of jobs, and request the resources needed to run jobs. To perform the tasks, programmers code job control statements. The reference guide is designed to be used while coding the statements.

Access Methods Services - Documents the functions that are available with Virtual Storage Access Method (VSAM) and describes the IDCAMS commands that can be issued to control VSAM datasets.

TSO/E Command Reference - Documents the functions of the TRANSMIT and RECEIVE Command Facility used for the distribution and allocation of SecureZIP for zSeries installation libraries.

Related Information on the Internet

PKWARE, Inc. - www.pkware.com (FTP site, Product Downloads, Product Manuals)

National Institutes of Standards Resource Center - http://csrc.ncsl.nist.gov
Information on the AES development - http://csrc.nist.gov/encryption/aes/
Information on Key Management - http://csrc.nist.gov/CryptoToolkit/tkkeymgmt.html/

RSA BSAFE® Content Library - http://www.rsasecurity.com/content_library.asp

User Help and Contact Information

For Licensing, please contact the Sales Division at 937-847-2374 or email [email protected]. For Technical Support assistance, please contact the Product Services Division at 937-847-2687 or visit the support web site

1 System Planning and Administration

With its advanced password and certificate-based security features, SecureZIP for zSeries offers multiple methods of encryption and is an excellent choice for securing data and data transfers. However, it is important that system administrators carefully plan in advance the design, development, and testing tasks required to successfully integrate SecureZIP for zSeries as a secure solution into a production environment. The following sections chart the production and pre-production planning activities for administration and discuss SecureZIP model environments and important concepts for the systems administrator. They also describe encryption, types of algorithms in use, information about specific mandates requiring the use of secure data, and how SecureZIP for zSeries will secure that data.

Planning for Administration Activities

Pre-Production Administration Activities

[Chart: pre-production activities for the Design, Development, and Test phases in each of the following areas: Analysis, Definition, Network, Security, Operations, Monitoring, and Performance.]

Production Administration Activities

[Chart: production activities under the headings Production Maintenance and Application Modifications in each of the following areas: Analysis, Definition, Network, Security, Operations, Monitoring, and Performance.]

SecureZIP Model Environments

Encryption

SecureZIP for zSeries comes with strong password-based encryption that can be implemented simply by adding a password and encryption method to any job stream. Recipient-based encryption, however, takes definite planning and design to ensure a secure and well-organized environment. SecureZIP for zSeries requires a system administrator to create and manage a local certificate store and/or LDAP server to house the designated digital certificate key pairs. Easy-to-follow menus and instructions enable system administrators to add, delete, back up, restore, and report on both key pairs and database profiles. Together, these give administrators simple and secure methods to create and maintain a certificate-based encryption environment.

Signing and Authentication

With the implementation of signing and authentication, SecureZIP for zSeries allows customers to ensure data received internally and/or externally is thoroughly secured. As with the security administration used for a certificate-based encryption environment, signing and authentication require design, development, and testing before they are implemented in production. Aside from the Certificate Store, Certificate Authority trust and revocation of various key pairs must be maintained throughout. SecureZIP for zSeries provides menu-driven administration within the Local Certificate Store to add and/or revoke trusted CA and root certificates. PKWARE recommends that system administrators adhere to their facility's security policies and implement them accordingly in the SecureZIP application.

Security Concepts

Encryption

Encryption provides confidentiality for data. The data to be protected is called plaintext. Encryption transforms the plaintext data into an unreadable form, called ciphertext, using an encryption key. Decryption transforms the ciphertext back into plaintext using a decryption key. Several algorithms have been approved in FIPS for the encryption of general purpose data. Each of these algorithms is a symmetric key algorithm, where the encryption key is the same as the decryption key. In order to maintain the confidentiality of the data encrypted by a key, the key must be known only by the entities that are authorized to access the data. These symmetric key algorithms are commonly known as block cipher algorithms, because the encryption and decryption processes each operate on blocks (chunks) of data of a fixed size. FIPS 46-3 and FIPS 197 have been approved for the encryption of general-purpose data. The protection of keys is discussed below under Key Management. SecureZIP for zSeries uses symmetric key algorithms when encrypting user data.

Signing and Authentication

Signing files and/or archives is a way to attach signatures from different people to common file(s) or an archive. It provides a way for users to digitally sign a file/archive (which can be treated as legally binding) without specifically handwriting their signature. One or more people can sign files in an archive, but only one person can sign the archive itself. If a signed file or archive is modified in any way, the attached signatures become invalid, thus calling attention to the change. By the same token, a valid signature warrants that the signed item is unchanged and really comes from the signer.

Authentication provides an independent validation of a data stream’s integrity. Within the ZIP archive, data integrity validation can be applied to user data and/or the archive directory. Authentication is a separate feature from data encryption. Whereas encryption is concerned with preventing parties from accessing sensitive data (such as private medical or financial information), authentication is like a notarization that attests that information actually comes unchanged from the purported source. (For example, financial or policy information to be publicly released might be worth authenticating.)

Public Key Infrastructure and Digital Certificates

PKI

PKI is not simply software or hardware. It is an infrastructure, that is, a combination of products, services, facilities, policies, procedures, agreements, and people that provide for and sustain secure interactions on open networks such as the Internet. It is not a single monolithic entity, but a distributed system in which the component elements may include public key infrastructures that are interoperable and interconnected. The infrastructure provides assurances that information is protected while being entered, during transit, and when stored.

PKI can be likened to elements of the telephone network. When one wants to contact someone else, it is necessary to access a phone directory or an information operator to get that person’s telephone number — analogous to the role that a directory (run by the CA or some other entity) plays in supplying a digital certificate of the person to be contacted. When someone moves to a new location and changes telephone numbers, the infrastructure must adjust its information to reflect that fact. When you want to know the number of the person who has dialed you, “caller-id” provides that — another part of the telephone network infrastructure analogous to the authentication process in public key technology.

Public key technology and a PKI depend upon complicated mathematical concepts, but their effects are simple and understandable. When an organization (or its employees) starts to use the PKI, the organization begins with a pair of “keys,” which look like very long character strings and are actually digital representations of very large numbers. These keys are usually generated by a trustworthy mechanism subject to certain mathematical requirements. One of these keys is secret (private) and the other is published (public). The essence of public key technology is that messages or transactions authenticated or encrypted using one of those keys can only be verified or decrypted using the other key. Thus, when the public key is used to encrypt a file digitally, only the person who possesses the corresponding private key can decrypt the file.

The PKI uses special digitally signed messages (called “certificates”) to bind the identity of an individual to a public key. A digital certificate is issued by a trusted “Certification Authority” (CA) and signed using that CA’s private signature key. When you want to be certain that a public key belongs to an individual, you do so by comparing the signature on the certificate to that available from a certificate associated with the issuing Certificate Authority (a “root” certificate). Where or how the certificate is obtained is not important - they can be obtained from the individual directly, or from an online “repository” for certificates, or from some other location such as the originator’s homepage on the World Wide Web; once the individual’s certificate is obtained from whatever source, the individual’s certificate can be validated using the CA’s digital signature. You now know the individual’s certificate is linked to that individual with certainty and can decrypt any file sent to them encrypted with the public key in that certificate. These transactions may be conducted with assurance even though you and the receiving individual have never met.

To validate the CA’s signature on the originator’s certificate, the recipient must first know the public key of the originator’s CA. The recipient always knows the public key of at least one CA that they trust. CAs may issue certificates to each other. If the recipient does not know the public key of the originator’s CA, they may still be able to find a certificate issued by a CA whose key they do know, that certifies the public key of the originator’s CA. In essence, a CA the recipient trusts “vouches” for one they do not know. Much of the challenge of building a robust global PKI is in the management of certificates between CAs, as well as the software and infrastructure that automate the process of building and validating these trust chains of certificates.

x.509

X.509 is an ITU-T standard for PKI (public key infrastructure). X.509 specifies, amongst other things, standard formats for public key certificates.
A public key certificate consists of the public portion of an asymmetric cryptographic key (the “public key”) together with identity information, such as a person’s name, all of which is signed by a certificate authority (CA). The CA essentially guarantees that the public key belongs to the named entity. ITU-T is the telecom standardization organization of the International Telecommunication Union (ITU). It was previously known as CCITT, or Comité Consultatif International Téléphonique et Télégraphique (Consultative Committee for International Telegraphy and Telephony).

Digital Certificates

The digital certificates (which bind the identity of a party to his, her, or its public key) can be used to support authentication, encryption, nonrepudiation, and data integrity. Web servers frequently have digital certificates issued to them which can be used to authenticate the server to a user and create an encrypted communications session that can be used to protect any shared secret information including Personal Identification Numbers (PINs) or passwords. Such an “encrypted session” can prevent a malefactor from taking it over (sometimes called “hijacking”) after the session has begun. When web servers and clients both have digital certificates, mutual strong authentication can be achieved, and each party can authenticate itself to the other.

A document or file may be digitally signed using a party’s private signature key, creating a “digital signature” that is stored with the document. At a later date, anyone can validate the signature on the document using the public key from the digital certificate issued to the signer. Validating the digital signature not only confirms who signed it, but also ensures that there have been no alterations to the document since it was signed.

Similarly, an e-mail message may be digitally signed using commonly available client software that implements an open standard for this purpose, such as Secure Multipurpose Internet Mail Extensions (S/MIME). Validating the signature on the e-mail can help the recipient know with confidence who sent it, and that it was not altered during transmission.

SecureZIP for zSeries performs a process called Digital Enveloping using digital certificates when encrypting data for specified public key recipients. See “Recipient-Based Encryption,” below. SecureZIP for zSeries can also digitally sign files when you add them to a ZIP archive.

SecureZIP for zSeries supports the X.509 Version 3 standard for digital certificates, which provides that specific bits in a certificate can be set to ensure that the certificate is used only for specific services (notably, encryption and/or signing). SecureZIP for zSeries does not restrict use of certificates based on the use flags. Along with the DER format, SecureZIP also supports public-key, end-entity CER Base64 (ASCII and EBCDIC) formats.

To use PKI technology for encryption in SecureZIP for zSeries you must have a digital certificate. To learn how to get a digital certificate and to use certificates for encryption, see Chapter 3.

Certificate Authority (CA). Usually a company that, for a fee, will issue a public key certificate. A public key certificate consists of the public portion of an asymmetric cryptographic key (the “public key”), together with identity information, such as a person’s name, all of which is signed by a certificate authority. The CA essentially guarantees that the public key belongs to the named entity.

Private Key

A certificate consists of both the private and public portions of an asymmetric cryptographic key together with identity information, such as a person's name, all of which is signed by a certificate authority (CA). The CA essentially guarantees that the certificate belongs to the named entity. SecureZIP uses the private key of a certificate for decryption and signing operations. The public key can be used for encryption and authentication operations. A private key is intended to be held and protected by the sole owner of the certificate because it represents that person and provides access to encrypted data intended only for the owner. SecureZIP for zSeries uses a private key maintained in x.509 PKCS#12 format. This means that the private key cannot be accessed unless a password is entered for each SecureZIP request.

Public Key

A public key consists of the public portion of an asymmetric cryptographic key together with identity information, such as a person's name, all of which is signed by a certificate authority (CA). The CA essentially guarantees that the certificate belongs to the named entity. SecureZIP uses the public key certificate for encryption and authentication operations.

Certificate Authority and Root Certificates

Certificates that contain public and private keys are also known as end entity certificates and are created at the end of the hierarchy of certificate authorities. Each certificate is signed by its CA issuer and is identified in the “Issued By” field in the end certificate. In turn, a CA certificate can also be issued by a higher level CA. Such certificates are known as intermediate CA certificates. At the top of the issuing chain is a self-signed certificate known as the root. SecureZIP uses the certificates for signing and authentication operations. SecureZIP for zSeries makes use of these certificates in PKCS#7 format. The intermediate CA certificates are maintained independently from the ROOT certificates.

Setting Up Stores for Digital Certificates on zOS

To use certificates for encryption/decryption or digital signing/authentication, SecureZIP needs to access the keys in the certificates. Unlike Windows, zOS does not have a native facility for storing digital certificates and converting them into a form that SecureZIP can use. To address this, SecureZIP provides a utility program to set up and manage certificate stores on zOS for use with SecureZIP.

Setting Up the Certificate Stores

The PKWARE utility used to administer the local certificate store is accessed through an ISPF dialog. The CREATE option assists you in setting up the store and imports certificates you want SecureZIP to use. For detailed instructions on creating certificate stores on zOS please refer to Chapter 4 below. The utility procedure maintains the stores described in the following table.

Store - Description

Public - A store for end-entity certificates used to identify encryption recipients or for authentication of digital signatures. Certificate files in this store contain only public keys; they do not contain private keys. SecureZIP for zSeries represents these certificates held in the local certificate store through the ISPF interface as “CER” entries. Other system types may refer to this store as “Other People” or “Address Book”.

Private - A store for end-entity certificate files with their respective private keys. Private keys are used to decrypt files or perform digital signing. SecureZIP for zSeries represents these certificates held in the local certificate store through the ISPF interface as “PFX” entries. (Private keys in this store are encrypted using PKCS#8 format and PKCS#5 version 2.) Other system types may refer to this store as “Personal” or “MY Store”.

Intermediate Certificate Authority - A store of issuing certificate files associated with the end-entity certificates. These certificates are used to authenticate the validity of an end-entity digital signature on a receiving system. They are also included in a SecureZIP archive when a signing operation is performed. Other system types may refer to this store as “CA”.

Trusted Root Certificate Authority - A store of issuing certificates that are classified as “self signed,” meaning that each one is at the top of a hierarchy of issuing CAs. These certificates are used to authenticate the validity of an end-entity digital signature on a receiving system. They are deemed to be “trusted” by virtue of their installation on an authenticating system. They are also included in a SecureZIP archive when a signing operation is performed. Other system types may refer to this store as “ROOT”.

The local certificate store administrative utility sets up the certificate stores as physical files containing X.509 certificates, with a VSAM index structure providing search and selection capabilities. A SecureZIP for zSeries “create” dialog is provided to lead a systems administrator through the steps needed to allocate and prime a new local certificate store. Sample test certificates are installed to each store type, making it ready for use. In addition, a configuration file is generated that should be made accessible for SecureZIP users for encryption, decryption, signing, and authentication requests. The configuration file may be included explicitly through an INCLUDE_CMD command, or implicitly by activating it through the PARMLIB configuration of the SecureZIP defaults module.

A set of high-level qualifiers is used to control the allocation of the physical store data sets and index components. This permits multiple distinct local certificate stores to be created, administered and accessed independently within a system. This is useful for segregating test from production, or other departmental separation. Data set protection can then be applied to various components to control update or read access as needed.

RACF ALTER authority (or equivalent) must be granted to the systems administrator responsible for creating a new certificate store. This authority is also required for creating backups, performing recovery operations, or performing some synchronization tasks which re-allocate components.

Updating the Certificate Stores

X.509 certificates can be added to the local certificate store with the SecureZIP local certificate store administration tool. These certificates are frequently obtained on another platform and transferred (binary) to the operational z/OS system for installation.

Important: All X.509 certificates should be transferred to the local z/OS environment in binary mode with no translation.

When certificates are added, the certificate administration tool determines the appropriate store location based on the certificate type specified and dynamically builds an index entry for future search and selection. SecureZIP can import certificates and keys in the following file formats:

Format and description:

• PEM: Contains a single end-entity public-key certificate. It may be in Base-64 encoded (ASCII text with ASCII headers) or DER-encoded binary format. Common file extensions: .pem, .cer, .key
• PKCS#12: Contains a single end-entity private-key certificate (which also contains its public keys). By definition, it is in binary format. Common file extensions: .pfx, .p12
• PKCS#7: Contains one or more CA (and/or Root) certificates. Common file extension: .p7b

You must tell the certificate store administrative dialog what certificate file type and key type to import. The utility copies the existing certificates and keys from their specified location and adds them to the appropriate store locations.

When transferring certificates to the z/OS environment in preparation for an import to the local certificate store, be sure to allocate the file they are stored in as sequential, with a DCB RECFM of F, FB, V or VB.

RACF UPDATE authority (or equivalent) must be granted to the systems administrator responsible for altering the certificate store. This authority is also required when performing the online Synchronize function.
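The import dialog has to be told the file type, and a text-mode transfer damages these files without any error being raised. The following added example (not part of the PKWARE guide or product) names which of the formats above a transferred byte stream holds and flags the damage left by ASCII-to-EBCDIC translation or CR/LF insertion. The function names, the cp037 code page and the skeletal sample structures are assumptions made for the illustration.

```python
import base64

EBCDIC = "cp037"  # assumed host code page; substitute the one your transfer tool uses
PEM_MARK = "-----BEGIN "
OID_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")  # PKCS#7 signedData

def der(tag, body=b""):
    """Encode one DER tag-length-value; used here only to build the samples."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def read_header(data):
    """Return (tag, header_len, body_len); body_len is None for indefinite length."""
    if len(data) < 2:
        raise ValueError("too short for an ASN.1 header")
    tag, first = data[0], data[1]
    if first < 0x80:
        return tag, 2, first
    if first == 0x80:
        return tag, 2, None
    n = first & 0x7F
    if n > 4 or len(data) < 2 + n:
        raise ValueError("implausible length field")
    return tag, 2 + n, int.from_bytes(data[2:2 + n], "big")

def classify_binary(data):
    if data[:1] == b"\xf0":
        # '0' (0x30, the SEQUENCE tag) becomes 0xF0 under ASCII-to-EBCDIC translation.
        return "corrupt: binary file was translated to EBCDIC"
    try:
        tag, hlen, blen = read_header(data)
    except ValueError:
        return "unknown"
    if tag != 0x30:
        return "unknown"
    if blen is not None and hlen + blen != len(data):
        return "corrupt: header says %d bytes, file has %d" % (hlen + blen, len(data))
    inner = data[hlen:]
    if inner[:3] == b"\x02\x01\x03":        # PFX starts with INTEGER version 3
        return "PKCS#12"
    if inner.startswith(OID_SIGNED_DATA):   # ContentInfo starts with its content-type OID
        return "PKCS#7"
    if inner[:1] == b"\x30":                # Certificate starts with the tbsCertificate SEQUENCE
        return "DER certificate"
    return "unknown"

def classify(data):
    """Name the format of a transferred certificate file, or the damage done to it."""
    if data.lstrip().startswith(PEM_MARK.encode("ascii")):
        lines = [ln.strip() for ln in data.splitlines()]
        body = b"".join(ln for ln in lines if ln and not ln.startswith(b"-----"))
        try:
            payload = base64.b64decode(body, validate=True)
        except ValueError:
            return "corrupt: PEM body is not valid Base-64"
        return "PEM containing " + classify_binary(payload)
    if data.startswith(PEM_MARK.encode(EBCDIC)):
        return "corrupt: PEM text was translated to EBCDIC"
    return classify_binary(data)

def to_ebcdic(data):
    """Simulate a text-mode (translating) transfer of arbitrary bytes."""
    return data.decode("latin-1").encode(EBCDIC)

# Constructed samples: correct outer structure only, not real certificates or keys.
CERT = der(0x30, der(0x30, der(0x02, b"\x01")) + der(0x30) + der(0x03, b"\x00" + b"\xaa" * 200))
PFX = der(0x30, der(0x02, b"\x03") + der(0x30, der(0x06, b"\x2a")))
P7B = der(0x30, OID_SIGNED_DATA + der(0xA0, der(0x30, CERT)))
PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(CERT) + b"-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    samples = [("cert.cer", CERT), ("cert.pem", PEM), ("key.pfx", PFX), ("chain.p7b", P7B),
               ("cert.cer, text mode", to_ebcdic(CERT)), ("cert.pem, text mode", to_ebcdic(PEM)),
               ("cert.cer, CR/LF appended", CERT + b"\r\n")]
    for name, blob in samples:
        print("%-26s %s" % (name, classify(blob)))
```

The length comparison applies to the byte stream as received, before it is written into a fixed-length-record data set, where record padding would change the size.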

Types of Encryption Algorithms

FIPS 46-3, Data Encryption Standard (DES)

FIPS 46-3 specifies the DES algorithm. It was originally adopted in 1977 as FIPS 46, and reaffirmed in 1983 and 1987 as FIPS 46-1 and FIPS 46-2 with changes to the allowed embodiment of the algorithm. In 1999, the standard was affirmed as FIPS 46-3, adopting the Triple DES algorithm (3DES) as specified in the American National Standards Institute (ANSI) X9.52 standard, and continuing to allow [single] DES for legacy systems, as specified in FIPS 46-2.

As of the 2004 review of FIPS 46-3, single DES is no longer approved for Federal Government applications. Therefore, neither new applications nor current legacy systems, including systems using cryptographic modules previously validated against FIPS 140-1 and 2, will be approved for using single DES after 2004. However, 3DES and AES (the algorithm specified in FIPS 197; see below) will continue to be approved for all systems.

Triple DES algorithm (3DES)

This is a method for encrypting data in 64-bit blocks using three 56-bit keys by combining three successive invocations of the DES algorithm. ANSI X9.52 specifies seven modes of operation for 3DES and three keying options: 1) the three keys may be identical (one key 3DES), 2) the first and third key may be the same but different from the second key (two key 3DES), or 3) all three keys may be different (three key 3DES). One key 3DES is equivalent to DES under the same key; therefore, one key 3DES, like DES, will not be approved after 2004. Two key 3DES provides more security than one key 3DES (or DES), and three key 3DES achieves the highest level of security for 3DES. NIST recommends the use of three different 56-bit keys in Triple DES for Federal Government sensitive/unclassified applications.

SecureZIP for zSeries uses three key 3DES when Triple DES is selected as the data encryption algorithm.

Advanced Encryption Standard (AES)

FIPS 197, Advanced Encryption Standard (AES). The encryption algorithm specified in FIPS 197 is the result of a multiyear, worldwide competition to develop a replacement algorithm for DES. The winning algorithm (originally known as Rijndael, but hereafter referred to as the AES algorithm) was announced in 2000 and adopted in FIPS 197 in 2001. The AES algorithm encrypts and decrypts data in 128-bit blocks, with three possible key sizes: 128, 192, or 256 bits. The nomenclature for the AES algorithm for the different key sizes is AES-x, where x is the size of the AES key. NIST considers all three AES key sizes adequate for Federal Government sensitive/unclassified applications. Please see http://www.nist.gov/public_affairs/releases/g00-176.htm for a press release recapping NIST’s position.

SecureZIP for zSeries uses AES as the default encryption algorithm.

Comparison of the 3DES and AES Algorithms

Both algorithms are considered to be secure for the foreseeable future. The following is a comparison of the algorithms.

1. 3DES builds on DES implementations and is readily available in many cryptographic products and protocols. The AES algorithm is new; although many implementers are quickly adding the algorithm to their products, and protocols are being modified to incorporate the algorithm, it may be several years before the AES algorithm is as pervasive as 3DES.
2. The AES algorithm was designed to provide better performance (e.g., faster speed) than 3DES.
3. Although the security of block cipher algorithms is difficult to quantify, the AES algorithm, at any of the key sizes, appears to provide greater security than 3DES. In particular, the best attack known against AES-128 is to try every possible 128-bit key (i.e., perform an exhaustive key search, also known as a brute force attack). By contrast, although three key 3DES has a 168-bit key, there is a “shortcut” attack on 3DES that is comparable, in the number of required operations, to performing an exhaustive key search on 112-bit keys. However, unlike exhaustive key search, this shortcut attack requires a lot of memory. Assuming that such shortcut attacks are not discovered for the AES algorithm, the use of the AES algorithm may be more appropriate for the protection of high-risk or long-term data.
4. The smallest AES key size is 128 bits; the recommended key size for 3DES is 168 bits. The smaller key size means that fewer resources are needed for the generation, exchange, and storage of key bits.
5. The AES block size is 128 bits; the 3DES block size is 64 bits. For some constrained environments, the smaller block size may be preferred; however, the larger AES block size is more suitable for cryptographic applications, especially those requiring data authentication on large amounts of data.

Please see http://www.nist.gov/public_affairs/releases/g00-176.htm for a press release recapping NIST’s position.

Modes of Operation

With a block cipher algorithm, the same plaintext block will always encrypt to the same ciphertext block whenever the same key is used. If the multiple blocks in a typical message were to be encrypted separately, an adversary could easily substitute individual blocks, possibly without detection. Furthermore, data patterns in the plaintext would be apparent in the ciphertext.

Cryptographic modes of operation have been defined to alleviate these problems by combining the basic cryptographic algorithm with a feedback of the information derived from the cryptographic operation. FIPS 81, DES Modes of Operation, defines four confidentiality (encryption) modes for the DES algorithm specified in FIPS 46-3: the Electronic Codebook (ECB) mode, the Cipher Block Chaining (CBC) mode, the Cipher Feedback (CFB) mode, and the Output Feedback (OFB) mode.

SecureZIP for zSeries uses Cipher Block Chaining for data encryption.

RC4

RC4 is a stream cipher designed by Rivest for RSA Security. It is a variable key-size stream cipher with byte-oriented operations. The algorithm is based on the use of a random permutation. Analysis shows that the period of the cipher is overwhelmingly likely to be greater than 10^100. Eight to sixteen machine operations are required per output byte, and the cipher can be expected to run very quickly in software. Independent analysts have scrutinized the algorithm and it is considered secure. RC4 is used for secure communications, as in the encryption of traffic to and from secure web sites using the SSL protocol.

Standard RC4 is a stream cipher designed by Rivest for RSA Security. It is a variable key-size stream cipher with byte


Key Management

The proper management of cryptographic keys is essential to the effective use of cryptography for security. Keys are analogous to the combination of a safe. If the combination becomes known to an adversary, the strongest safe provides no security against penetration. Similarly, poor key management may easily compromise strong algorithms. Ultimately, the security of information protected by cryptography directly depends on the strength of the keys, the effectiveness of mechanisms and protocols associated with keys, and the protection afforded the keys. Cryptography can be rendered ineffective by the use of weak products, inappropriate algorithm pairing, poor physical security, and the use of weak protocols.

All keys need to be protected against modification, and secret and private keys need to be protected against unauthorized disclosure. Key management provides the foundation for the secure generation, storage, distribution, and destruction of keys. Another role of key management is key maintenance, specifically, the update/replacement of keys. Further information is available on Key Management at the NIST Computer Security Resource Center web site, http://csrc.nist.gov/CryptoToolkit/tkkeymgmt.html

Passwords and PINS

FIPS 112, Password Usage, provides guidance on the generation and management of passwords that are used to authenticate the identity of a system user and, in some instances, to grant or deny access to private or shared data. This standard recognizes that passwords are widely used in computer systems and networks for these purposes, although passwords are not the only method of personal authentication, and the standard does not endorse the use of passwords as the best method. The password used to encrypt a file with SecureZIP for zSeries may be from 1 to 200 characters in length. Different passwords may be used for various files within a ZIP archive, although only one password may be specified per run. The password is not stored in the ZIP archive and, as a result, care must be taken to keep passwords secure and accessible by some other source.

Recipient-Based Encryption

Password-based encryption depends on both the sender and receiver knowing, and providing, intellectual input (the password) in clear text. The password is used to derive a binary master session key for each decryption run. No key information is kept within the ZIP archive, so both parties must retain the password in an external location.

Recipient-based encryption provides a means by which the master session key (MSK) information can be hidden, protected, and carried within the ZIP archive. This is done by using a technique known as digital enveloping with public key encryption. The technique requires that the creating process have a copy of the recipient's public key digital certificate, which is used to protect and store the MSK. In addition, the receiving side must have a copy of the recipient's private key digital certificate. With these two pieces of information in place, there is no need for users to retain or recall a password for decryption.


Integrity of Public and Private Keys

Public and private keys must be managed properly to ensure their integrity. The key owner is responsible for protecting private keys. The private signature key must be kept under the sole control of the owner to prevent its misuse. The integrity of the public key, by contrast, is established through a digital certificate issued by a Certification Authority (CA, discussed further below) that cryptographically binds the individual’s identity to his or her public key. Binding the individual’s identity to the public key corresponds to the protection afforded to an individual’s private signature key.

A PKI includes the ability to recover from situations where an individual’s private signature key is lost, stolen, compromised, or destroyed; this is done by revoking the digital certificate that contains the private signature key’s corresponding public key (discussed further below). The user then creates or is issued a new public/private signature key pair, and receives a new digital certificate for the new public key.

The certification authority (CA) plays a critical role in ensuring the integrity of public keys in the PKI. Upon being presented with proper evidence of identity (usually through a separate entity called a registration authority), the CA issues a digital certificate which contains the applicant’s public key, identity, and other information (such as duration of the certificate), all signed by the CA’s private signature key. The certificate may then be distributed or placed in publicly available databases, called repositories.

The CA operates under a certificate policy (CP) and certification practices statement (CPS) that collectively describe the CA’s responsibilities and duties to its customers and trading partners. These policies include how the CA is conducting its affairs in compliance with its contracts and, where applicable, Federal or State laws. The uses for which a certificate may be employed depend upon the requirements surrounding its issuance; for example, the method of identity proofing by the RA before certificate issuance and how well the private signature key is protected.

Data Encryption

SecureZIP for zSeries security functions include strong encryption tools using RSA BSAFE ® and the PKWARE implementation of the Advanced Encryption Standard. SecureZIP for zSeries provides the option for password encryption using RC4, DES, 3DES and AES.

RSA High-Quality Security - RSA Security submits its Crypto-C products for FIPS 140 testing and validation. FIPS 140-1 and FIPS 140-2 are U.S. Government standards which specify the security requirements to be satisfied by a cryptographic module. RSA Security supports this testing and certification with over 20 years of experience in the security industry.

SecureZIP for zSeries uses a multi-layer key generation process, based on a user-specified password of up to 200 characters, and/or a user’s digital certificate, that creates a unique internal key for each file being processed. In addition, the same password will result in a different system generated key for each file. SecureZIP for zSeries also implements the use of cipher block chaining (CBC) to further enhance industry standard encryption algorithms. This feature ensures that each block of data is uniquely modified, further protecting the data from fraudulent access.

SecureZIP for zSeries encryption is activated through the use of the PASSWORD and/or RECIPIENT commands. If a value is present for either setting, whether through commands or default settings, then encryption will be attempted in accordance with other settings (for example, ENCRYPTION_METHOD). However, if ENCRYPTION_METHOD=NONE is specified, then encryption will be bypassed.


2 Installation, Licensing, and Configuration

Installation Overview

The installation of SecureZIP for zSeries is accomplished by following the instructions as summarized below:

• Select the media to be used in installing SecureZIP for zSeries.
• Install from downloaded file, CD or tape.
• Review the README.TXT file for recent information updates.
• Evaluate system requirements.
• Edit the supplied job control (JCL) with appropriate parameter changes for your data center.
• Review the present chapter on installation, license, and configuration in this manual and proceed accordingly.
• Run the installation verification jobs and test product features by modifying the sample JCL supplied in SECZIP.MVS.INSTLIB.
• Begin using the product.

Details of these summarized instructions may be found below.

Type of Media Distribution for Installation

SecureZIP for zSeries may be received and installed from a variety of media types:

• Downloaded from the PKWARE web site http://www.pkware.com/downloads
• Received from PKWARE on compact disc (CD).
• Received from PKWARE on magnetic cartridge.


Installation from Downloaded File or CD

Non-SMP/E Installation

If you have downloaded SecureZIP for zSeries from PKWARE’s Web site, ftp site, or have received the product on CD, then the file you need to start with is the self-extracting zip file called SZzSeries.exe. The SZzSeries.exe file contains the binary XMIT files needed for installation along with various other supporting text and documentation. The files extracted from SZzSeries.exe include:

Documentation (distributed in Adobe® Acrobat® .PDF format)

• SecureZIP for zSeries SYSTEM ADMINISTRATOR’S GUIDE.PDF
• SecureZIP for zSeries MESSAGES AND CODES.PDF
• SecureZIP for zSeries USER'S GUIDE.PDF

Text Files

• GLOBAL CONTACTS.TXT: A list of domestic and international resellers
• LICENSE.TXT: PKWARE's license agreement
• README.TXT: Installation and Configuration
• ALLOC.JCL: Allocation JCL (IEFBR14)
• RECEIVE.JCL: Receive the transmitted files
• WHATSNEW.TXT: A text file documenting product changes

Product Binaries (Data Set Name: Distribution Library)

• SECZIP.XMIT.CEXEC: Compiled REXX Library
• SECZIP.XMIT.HELP: Help Library
• SECZIP.XMIT.INSTLIB: Install Library
• SECZIP.XMIT.INSTLIB2: Install Library 2
• SECZIP.XMIT.LOAD: Load Library
• SECZIP.XMIT.MACLIB: Macro Library
• SECZIP.XMIT.SPKZCLIB: REXX Exec Library
• SECZIP.XMIT.SPKZMLIB: Message Library
• SECZIP.XMIT.SPKZPLIB: Panel Library
• SECZIP.XMIT.SPKZSLIB: Skeleton Library
• SECZIP.XMIT.SPKZTLIB: Table Library


You should review the installation instructions found below if you are installing from download or CD. If the software was received on magnetic cartridge, please see “Installing from 3490 Tape”, below, for the installation JCL, or download the JCL from our Web site. In either case, follow the instructions applicable to your installation method before continuing through this document.

You should have downloaded or copied a file on your PC called SZzSeries.exe. This is a self-extracting ZIP file. Once you double-click on the file, the files, by default, will extract to C:\PKWARE\SZzSeries\*. There should be a total of twenty (20) files. Below are the step-by-step non-SMP/E installation instructions.

I. TRANSFERRING THE TEXT FILES TO THE HOST

1. Transfer the text file "ALLOC.JCL" to the host. You may transfer the file into an existing PDS, or you may use the allocation in step 2 below:
   o Convert the data from ASCII to EBCDIC
   o Insert CR/LF's
2. A suitable allocation for "ALLOC.JCL" is as follows:
   SPACE UNITS: BLKS
   BLKS: 5 (PRI) 1 (SEC)
   DIRBLKS: 0
   RECFM: FB
   LRECL: 80
   BLKSIZE: 3120
   DSORG: PS
3. Follow the same procedure for the "RECEIVE.JCL" provided file.

II. RUNNING THE ALLOC JCL

The “ALLOC” job contains JCL that will perform an IEFBR14 for the eleven (11) binary dataset allocations. You will need to edit the ALLOC JCL with the appropriate variables in order to achieve a RC=00.

1. Before you submit the ALLOC JCL (ALLOC.JCL), you will need to supply a job card. You will also need to modify the job variables. As an example:

   //CEXEC    DD DSN={seczip}.XMIT.CEXEC,DISP=(NEW,CATLG),
   //            UNIT={sysda},VOL=SER={seczip1},SPACE=(CYL,(2,2)),
   //            DCB=(RECFM=FB,LRECL=80,BLKSIZE=3120)

2. {seczip} is the name of the pre-allocated dataset that is being created by this job. These are the target datasets that you transfer the binary files into.
3. {sysda} is the unit where SecureZIP for zSeries files will reside.
4. {seczip1} is the volume where the SecureZIP for zSeries files reside.
5. Submit the job, and review and correct any non-zero return codes.
6. Your eleven (11) target datasets have successfully been allocated.


III. TRANSFERRING THE BINARY FILES TO THE HOST

Before you transfer the files to the host, it is imperative that you do not perform any kind of translation of the data from ASCII to EBCDIC or append CR/LF's. If you do, your uploaded datasets will be corrupted.

1. Transfer the binary files (SECZIP.XMIT.*) from your PC into the target datasets that you created in Step II:
   o Do not translate the data
   o Do not insert CR/LF's
2. Be sure to transfer all eleven binaries, and then move onto the next step.

IV. RUNNING THE RECEIVE JCL

The “RECEIVE” job contains JCL that will perform an IKJEFT01 for the eleven binary datasets. You will need to edit the RECEIVE JCL with the appropriate variables in order to achieve a RC=00.

1. Before you submit the RECEIVE JCL, you will need to supply a job card. You will also need to modify the job variables. As an example:

   RECEIVE INDSN('{dsnhlq}.XMIT.CEXEC') DSNAME('{dsnhlq}.CEXEC')

2. INDSN {dsnhlq} is the high-level qualifier of the XMIT'd dataset you transferred from the PC to the host.
3. DSNAME {dsnhlq} is the DSN that gets created by this job. It’s what you want to call the installed SecureZIP product libraries.
4. Submit the job, and review and correct any non-zero return codes.
5. Your eleven binary datasets have successfully been converted to a trial-ready version of SecureZIP!

V. Licensing SecureZIP for zSeries

Please refer to “Initializing the License” below for required information and procedures to properly license your copy of SecureZIP for zSeries.

This ends the installation of SecureZIP if you are installing from SZzSeries.exe. If you are performing a SMP/E installation or installing from a 3490 cartridge, then continue on to the next section.

SMP/E Installation

The installation and software management of SecureZIP for zSeries can also be accomplished with SMP/E. Although the product requires no operating system modifications or authorized routines, the ability to manage the software is enhanced using IBM’s SMP/E facilities. The SZzSeriessmp.exe file contains the binary files needed for installation, along with text files, a README.TXT, and other files that have sample JCL to process the files for implementation. The files are listed in the following tables.


Documentation (distributed in Adobe® Acrobat® .PDF format)

• SecureZIP for zSeries SYSTEM ADMINISTRATOR’S GUIDE.PDF
• SecureZIP for zSeries MESSAGES AND CODES.PDF
• SecureZIP for zSeries USER'S GUIDE.PDF

Text Files

• GLOBAL CONTACTS.TXT: A list of domestic and international resellers
• LICENSE.TXT: PKWARE's license agreement
• README.TXT: Installation and Configuration
• RECEIVE.JCL: Receive the transmitted files
• ALLOC.JCL: Allocation JCL (IEFBR14)
• SMPALCSI.TXT: This job allocates the VSAM files needed to build a new SMP/E environment. If SecureZIP for zSeries is being installed in an existing SMP/E CSI, this job will not be needed.
• SMPALPDS.TXT: This job allocates the Partitioned Data Set files needed to build an SMP/E environment.
• SMPAPPLY.TXT: This job applies the elements of the FUNCTION PKZIP57. A return code of four (RC=4) is expected in the listings from IEBCOPY for zSeries load modules.
• SMPRECV.TXT: This job receives the FUNCTION PKZIP57. All of the ++ MCS elements are in the input file SECZIP.MVS.SMP.MCS.
• SMPUCLIN.TXT: This job updates the SMP/E CSI environment to prepare for the install of SecureZIP for zSeries.
• WHATSNEW.TXT: A text file documenting product changes


Product Binaries (Data Set Name: Distribution Library)

• SECZIP.XMIT.SMP.DCEXE: Compiled REXX Library
• SECZIP.XMIT.SMP.DHELP: Help Library
• SECZIP.XMIT.SMP.DINST: Install Library
• SECZIP.XMIT.SMP.DINST2: Install Library 2
• SECZIP.XMIT.SMP.DLOAD: Common Load Module
• SECZIP.XMIT.SMP.DMACL: Macro Library
• SECZIP.XMIT.SMP.DCLIB: REXX Exec Library
• SECZIP.XMIT.SMP.DMLIB: Message Library
• SECZIP.XMIT.SMP.DPLIB: Panel Library
• SECZIP.XMIT.SMP.DSLIB: Skeleton Library
• SECZIP.XMIT.SMP.DTLIB: Table Library
• SECZIP.XMIT.SMP.MCS: SMP MCS Control Cards

You should have downloaded or copied a file on your PC called SZzSeriesSMP.exe. This is a self-extracting ZIP file. Once you double-click on the file, the files, by default, will extract to C:\PKWARE\SZzSeriesSMP\*. There should be a total of twenty-six (26) files. The following are the step-by-step SMP/E installation instructions. Please note that an understanding of SMP/E is recommended prior to using this approach.

I. TRANSFERRING THE TEXT FILES TO THE HOST

1. Transfer the text file "ALLOC.JCL" to the host. You may transfer the file into an existing PDS or you may use the allocation in step "2" below:
   o Convert the data from ASCII to EBCDIC
   o Insert CR/LF's
2. A suitable allocation for "ALLOC.JCL" is as follows:
   SPACE UNITS: BLKS
   BLKS: 5 (PRI) 1 (SEC)
   DIRBLKS: 0
   RECFM: FB
   LRECL: 80
   BLKSIZE: 3120
   DSORG: PS
3. Follow the same procedure for the "RECEIVE.JCL" provided file.

II. RUNNING THE ALLOC JCL

The “ALLOC” job contains JCL that will perform an IEFBR14 for the twelve binary dataset allocations. You will need to edit the ALLOC JCL with the appropriate variables in order to achieve a RC=00.

1. Before you submit the ALLOC JCL (ALLOC.JCL), you will need to supply a job card. You will also need to modify the job variables. As an example:

   //CEXEC    DD DSN={seczip}.XMIT.SMP.DCEXE,DISP=(NEW,CATLG),
   //            UNIT={sysda},VOL=SER={seczip1},SPACE=(CYL,(2,2)),
   //            DCB=(RECFM=FB,LRECL=80,BLKSIZE=3120)

2. {seczip} is the name of the preallocated dataset that is being created by this job. These are the target datasets that you transfer the binary files into.
3. {sysda} is the unit where SecureZIP for zSeries files will reside.
4. {seczip1} is the volume where the SecureZIP for zSeries files reside.
5. Submit the job, and review and correct any non-zero return codes.
6. Your twelve target datasets have successfully been allocated.

III. TRANSFERRING THE BINARY FILES TO THE HOST

Before you transfer the files to the host, it is imperative that you do not perform any kind of translation of the data from ASCII to EBCDIC or append CR/LF's. If you do, your uploaded datasets will be corrupted.

1. Transfer the binary files (SECZIP.XMIT.*) from your PC into the target datasets that you created in step IV.
   o Do not translate the data
   o Do not insert CR/LF's
2. Be sure to transfer all twelve binaries, and then move onto the next step.

IV. RUNNING THE RECEIVE JCL

The "RECEIVE" job contains JCL that will perform an IKJEFT01 for the twelve binary datasets. You need to edit the RECEIVE JCL with the appropriate variables in order to achieve a RC=00.

1. Before you submit the RECEIVE JCL, you will need to supply a job card. You will also need to modify the job variables. As an example:

   RECEIVE INDSN('{dsnhlq}.XMIT.SMP.DCEXE') DSNAME('{dsnhlq}.SMP.DCEXE')

2. INDSN {dsnhlq} is the high level qualifier of the XMIT'd dataset you transferred from the PC to the host.
3. DSNAME {dsnhlq} is the DSN that gets created by this job.
4. Submit the job, and review and correct any non-zero return codes.
5. Your twelve binary datasets have successfully been converted to a distribution package for the SMP installation.

V. SMP/E INSTALLATION

The installation and software management of SecureZIP for zSeries can be accomplished with SMP/E. Although the product requires no operating system modifications or authorized routines, the ability to manage the software is enhanced using IBM’s SMP/E facilities.


The file SECZIP.MVS.SMP.MCS is the SMPPTFIN DD file for the RECEIVE processing. This file contains all of the control information to build the SecureZIP for zSeries environment. After running the RECEIVE JCL, all of the necessary files that you need to start the SMP process have been allocated on your system. The five included jobs (SMP*.JCL files) allocate, define, and build SecureZIP for zSeries and must be run in the following sequence:

SMPALPDS.JCL
SMPALCSI.JCL
SMPUCLIN.JCL
SMPRECV.JCL
SMPAPPLY.JCL

Please note that user-specific customization may be required if you choose to install SecureZIP for zSeries in an existing SMP/E CSI. Consideration has been given to this possibility, but it is up to each individual site to verify that there are no problems with duplicate DDDEF, library structures, or utility definitions that may prevent these job streams from completing successfully.

VI. Licensing SecureZIP for zSeries

Please refer to the section “Initializing the License,” below, for required information and procedures to properly license your copy of SecureZIP for zSeries.

This ends the installation of SecureZIP if you are installing from SZzSeriesSMP.exe. If you are installing from a 3490 cartridge, then continue on to the next section.

Installing from 3490 Tape

If you have received SecureZIP for zSeries on a 3490 cartridge, the installation is as simple as an IEBCOPY of the SecureZIP for zSeries libraries from tape to DASD. The screen below shows the first step of the IEBCOPY, one of the steps needed to complete the installation of SecureZIP for zSeries from tape.

//JS010    EXEC PGM=IEBCOPY
//*
//SYSUT1   DD DSN=PKWARE.MVS.CEXEC,
//            UNIT=tape,LABEL=(,SL),                    <===
//            DISP=OLD,VOL=(,RETAIN,,,SER=seczip1)      <===
//*
//SYSUT2   DD DSN=seczip.mvs.CEXEC,                     <===
//            DISP=(NEW,CATLG,DELETE),
//            SPACE=(CYL,(2,1,52)),
//            UNIT=disk,                                <===
//            VOL=SER=volume                            <===
//*
//SYSUT3   DD UNIT=sysda,SPACE=(CYL,(5,5))              <===
//SYSUT4   DD UNIT=sysda,SPACE=(CYL,(5,5))              <===
//*
//SYSPRINT DD SYSOUT=*
//*
//SYSIN    DD *
  COPY INDD=SYSUT1,OUTDD=SYSUT2
/*


If you prefer not to type this entire job stream, you may download the COPYCART.TXT JCL from our Web site and upload it to a data set or member. Remember to perform an ASCII or TEXT transfer to convert the data from ASCII to EBCDIC, modify the JCL, and submit.

Initializing the License

Evaluation Period

License generation for a trial of the product allowing full use is a simple process of obtaining a key from the Sales Division. Once this process is completed, SecureZIP for zSeries will allow access to all options for a period of 30 days. At some time during this process you must contact PKWARE to obtain licensing to allow use beyond the initial period.

For Licensing, please contact the Sales Division at 937-847-2374 or email [email protected]. For Technical Support assistance, please contact the Product Services Division at 937-847-2687 or go to http://www.pkware.com/support.

When you receive the license control card information from PKWARE you will build the license dataset using the build license program. There is a sample job stream in member LICUPDAT in the Installation Dataset (INSTLIB). By executing this job stream the LICENSE dataset will be updated and a report will be produced that will reflect the state of SecureZIP for zSeries at your location.

Release Licensing

Each release of SecureZIP for zSeries requires that a new license key be obtained from Customer Service and that a new license record be generated. The new release will fail with the message ZPLI901E Product License is Invalid if the License dataset from a previous release is used.

Show System Information

To display hardware and software information at your location, run the sample job stream in member LICSHSYS in the Installation Dataset (SECZIP.mvs.INSTLIB). By executing this job stream a Show System Information report will be displayed. Following is a sample of the report:

ZPLI210I PKWARE - Display System Information - Version 8.1
SecureZIP(TM) is a trademark of PKWARE (R), Inc.
PKZIP (R) is a registered trademark of PKWARE (R), INC.
For Licensing, please contact the Sales Division at 937-847-2374 or email [email protected]
For Technical Support assistance, please contact the Product Services Division at 937-847-2687 or go on-line at http://www.pkware.com/support

Thursday 03/18/2004 (2004.078) 09:20:31
CPU model 2066 with 1 online
Service units per second per online CPU is 5612.07.
Approximate total MIPS (SUs/SEC / 48.5 * #CPUs) is 115.71.

Central Processing Complex (CPC) Node Descriptor:
CPC ND = 002066.0B1.IBM.02.00000001263B
CPC ID = 00 Type(002066) Model(0B1) Manufacturer(IBM) Plant(02) Seq Num(00000001263B)
CPU serial number for CPU 0 is 04263B2066 (4263B), version code 00, Model(0B1).
JES2 z/OS 1.4
DFSMS z/OS 1.3.0
Model from CPC SI

Reporting the SecureZIP for zSeries License

The procedures below describe how to obtain this report.
• Edit the *.MVS810.INSTLIB(LICPRINT) member, supply a job card, and substitute the following default line:

  //LICENSE PROC HLVL=SECZIP.MVS

“SECZIP.MVS” represents the high level qualifier for your installation. Submit this job and the output should give you a return code of zero (RC=00) and the following additional lines.

ZPLI200I A LICENSE REPORT HAS BEEN REQUESTED ON 02/02/05 AT 9:56am VER: 8.1 IN SECZIP.MVS.LICENSE
ZPLI200I For Technical Support assistance, please contact Product Services Division
ZPLI200I at 937-847-2687 or go on-line at http://www.pkware.com/support
*******************************************************************************************
ZPLI200I SecureZIP (TM) IS LICENSED TO CUSTOMER # 000012805
ZPLI200I - CUSTOMER NAME - PKWARE, INC
ZPLI200I CPU model 2066 with 1 online
ZPLI200I Service units per second per online CPU is 5612.07
ZPLI200I Approximate total MIPS (SUs/SEC / 48.5 * #CPUs) is 115.71
ZPLI200I CEC MSU per hour capacity is 20 - LPAR MSU per hour capacity is 20
ZPLI200I Central Processing Complex (CPC) Node Descriptor: CPC ND = 002066.0B1.IBM.02.00000001263B
ZPLI200I CPC ID = 00 Type(002066) Model(0B1) Manufacturer(IBM) Plant(02) Seq Num(00000001263B)
ZPLI200I CPU serial number for CPU 0 is 04263B2066 (4263B), version code 00, model 0B1.
ZPLI200I Model from CPC SI
*******************************************************************************************
ZPLI200I COMPRESSION IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400
ZPLI200I DECOMPRESSION IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400
ZPLI200I DECRYPTION IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400
ZPLI200I GZIP SUPPORTED FILES LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400
ZPLI200I ISPF IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400
ZPLI200I COMMAND LINE INTERFACE IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400
ZPLI200I ADVANCED ENCRYPTION MODULE IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400
ZPLI200I DIRECTORY INTEGRATION MODULE IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400
ZPLI200I SELF EXTRACTION CREATOR IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400

Applying a License Key or Authorization Code

• Transfer the license file, provided by PKWARE, from the PC to the host. Be sure to convert the data from ASCII to EBCDIC and insert CR/LFs. Copying the authorization code from the text file and pasting it to the LICENSE member of the INSTLIB is an acceptable alternative.
• After the file has been transferred or copied to the host, edit the INSTLIB(LICUPDAT) member, supply a job card, and modify the following line of JCL:

  //LICENSE PROC HLVL=SECZIP.MVS,URUNIT=SYSDA,URVOL=WORK01

“SECZIP.MVS” is your high level qualifier for your installation. URUNIT and URVOL are the target unit and volume for the installed SECZIP product.

SecureZIP for zSeries Grace Period

PKWARE recognizes that there may be periods where the licensing environment established by the customer is no longer valid. Circumstances such as disaster recovery processing or the installation or upgrade of new processors will affect the environment. To accommodate the installation, SecureZIP for zSeries has a process that will allow you to continue to use the product for a grace period of five days when the established licensing environment is no longer valid. Note that the user must have write authority on the license dataset to invoke the grace period. This authority is only required the first time PKZIP/PKUNZIP is run after a CPU change has occurred; it is not required after the grace period has been successfully invoked (this is one time per CPU, not one time per IPL). During the grace period, error messages will be displayed on the console (and the printout) for each execution of SecureZIP for zSeries. At the end of the period, if the license is not updated, the product will no longer function for the new CPUs except to VIEW an archive. The five-day grace period is designed so that the program will not cease to function on a weekend or the Monday following the five-day grace period. You must contact PKWARE at [email protected] during the grace period to obtain licensing to allow extended use.

Running a Disaster Recovery Test

There are no special procedures necessary in order for you to use SECZIP during a Disaster Recovery Test. Because SECZIP licensing allows for such contingencies, the user can perform the following process to have SECZIP run at the DR site with a RC=00.
1. First, copy the production image of SECZIP from the production system over to the Disaster Recovery system.
2. Once on the system, simply run SECZIP from the CPU you want, and SECZIP will run conditionally for 5 days with a RC=00.


Again, it is important to contact PKWARE at [email protected] to resolve the licensing conflict within this time frame, if necessary.

Tailoring Site Specific Changes to the Defaults Module

The configuration defaults module, *.MVS.LOAD(ACZDFLT), is provided with the product. It is coded to allow for execution in a generic MVS environment. However, to make changes to the defaults, you will need to modify the *.MVS.INSTLIB(ACZDFLT) module. YOU MUST MODIFY THIS MODULE BEFORE YOU PROCEED TO USE SECZIP. It is recommended that the values defined in the module be reviewed before running in a production setting.

Upgrade note: Installations suppressing the //SYSIN PDS member verification for performance reasons with PROC_OPT1=N (available with 5.0.10 maintenance and above) in ACZDFLT should change to CHECK_SYSIN_MEMBER=N in the assembly of ACZDFLT. PROC_OPT1 will no longer be used for this purpose in Release 5.5 and above.

  MCZDFLTS TYPE=CSECT,                      *
        LICENSE_HLQ=SECZIP.MVS,             *   <== Change this to reflect your installation
        PARMLIB_DSNAME_ZIP=NULLFILE,        *
        PARMLIB_DSNAME_UNZIP=NULLFILE,      *

Once you have, at minimum, modified the LICENSE_HLQ statement to reflect your installation, you will need to assemble these changes via the ASMDFLT member in the *.MVS.INSTLIB to create a customized defaults module. You may modify the other values in this module, or you may add to it. At minimum, the above three lines need to be modified or validated.

The table below represents the contents of the SecureZIP for zSeries defaults module. It explains, in brief, the default parameters of the ACZDFLT member and their relevance.


LICENSE_HLQ
    The high-level qualifiers of the xxx.LICENSE dataset. LICENSE_HLQ= must be the same as the high-level qualifier used for the SecureZIP for zSeries installation. The default qualifier is SECZIP.MVS. See also: $INSTLIC and LICxxxx members.

ARCHIVE_UNIT, OUTFILE_UNIT, TEMP_UNIT
    Device types to use during dynamic allocation request for non-VSAM files.

ARCHIVE_STORCLASS, OUTFILE_STORCLASS, TEMP_STORCLASS, VSAM_STORCLASS
    In DF/SMS environment, dynamic allocation information in lieu of volume allocation specifications.

ARCHIVE_VOLUMES, OUTFILE_VOLUMES, TEMP_VOLUMES, VSAM_VOLUMES
    Dynamic allocation target volumes for non-DF/SMS datasets. These are optional for non-VSAM datasets but are required for VSAM DEFINE CLUSTER control cards.

Protecting Files with the SAFETYEX Module

As delivered, the SAFETYEX module will protect SECUNZIP from overwriting SYS1. dataset names. If you would like to remove this restriction or add additional restrictions, you will need to edit the SAFETYEX source member in *.MVS.INSTLIB, make and save your changes, and run the ASMSAFE member of the *.MVS.INSTLIB to protect any files you specify from UNZIP overwrite processing. If you do not want to make any changes to this module, then there is nothing that you need to do.

SMS Dataclass Considerations

SecureZIP parameters overlap with several SMS Data Class parameters. In general, SMS Data Class specifications will provide default values in place of SecureZIP default settings. Explicit SecureZIP commands (SYSIN, PARMLIB, included command streams and EXEC PARM values) will be presented to Dynamic Allocation as overrides for any default setting. Due to the way DFSMS handles override requests, sub-groups of parameters are defined in SecureZIP to assist with control of where default values should come from. These subgroups are:
• Allocation SPACE
• Directory Blocks
• Volume Count
• DCB Attributes

DFSMS Data Classes may or may not contain values for all of the attribute sets above. SecureZIP provides a means of identifying which sets of attributes should be expected to be handled by SMS Data Classes so that SecureZIP does not specify its own default values. (DFSMS receives control after SecureZIP has built its list and does not provide a means by which SecureZIP can systematically pre-determine which values will be provided by SMS).

DFSMS groups allocation type (Cylinders, Tracks, etc.), primary space, and secondary space into a category. If even one of these values is provided in an allocation request, then SMS will not provide its default values for the remaining entries. For example, if ARCHIVE_SPACE_PRIMARY is provided as a command, then SecureZIP needs to supply the TYPE and SECONDARY default values even if a DATACLASS is specified.

DFSMS treats the Directory Block allocation value separately from other space parameters. In the previous example, SecureZIP will not provide its default ARCHIVE_DIRBLKS value even though it provides the other allocation attributes. This is consistent with SMS Data Class operations.

SecureZIP makes use of temporary files during various phases of processing that have very specific DCB attribute requirements. For this reason, SecureZIP will specify the necessary overrides regardless of TEMPFILE_DATACLASS usage.

Note for users of PKZIP for MVS and PKZIP for zSeries 5.6

Previous levels of maintenance for release 5.6 specified a volume count even if it was 1. The maintenance level associated with fix TT1777 eliminated VOLCNT=1 from the allocation request. In addition, the maximum number specified for any of the MULTIVOL=Y commands is now 59 to be consistent with system limitations for DASD devices. If a unit type other than DASD is assigned (either explicitly or indirectly through SMS), and a volume count greater than 59 is desired, then MULTIVOL=N should be specified in PKZIP, and an SMS Data Class should be designated which can assign the desired volume count.

Considerations when Exporting Private Keys using RACDCERT

If X.509 certificate information is to be obtained through RACDCERT for subsequent import processing to the SecureZIP Local Certificate Store, then PTF UW94302 associated with APAR OW56418 must be installed prior to the RACDCERT EXPORT action. (OW56418: RACDCERT EXPORT CREATING PKCS#12 PACKAGES THAT DO NOT CONFORM TO ASN.1 STANDARD THEREFORE CANNOT BE IMPORTED.)

Activating the ISPF Interface

Activation of the SecureZIP for zSeries ISPF interface is accomplished as follows: During product installation, the SecureZIP for zSeries ISPF libraries are loaded to disk. The high level qualifiers (dsnhlq) are selected by the user during the installation process. To configure the SecureZIP Certificate Store Processing and ISPF Panels, the user will need to make a few modifications to the SECZIP.MVS.INSTLIB(PKISPF) and SECZIP.MVS.INSTLIB(PKZSTART) members.


For Certificate Store Processing you must edit the PKISPF member and make the following changes to reflect your installation:
• Change the value of 'HLVL' to reflect the high level qualifier for your installation. This defaults to 'SECZIP.MVS'.
    HLVL=SECZIP.MVS
• Change the value of 'ISP' to reflect the high level qualifier for your system ISPF files. This defaults to 'ISP'.
    ISP=ISP
• Change the value of 'SYSDA' to indicate the unit type for temporary files. The default is 'SYSDA'.
    SYSDA=SYSDA

To prepare the SecureZIP ISPF panels you must edit the PKZSTART member and make the following changes to reflect your installation:
• If the user environment cannot support compiled REXX, change the value of 'env' to 'EXEC'. If your environment does support compiled REXX, then you do not have to change anything on this line. This defaults to 'CEXEC'.
    env = 'CEXEC'
• Change the value of 'ispfhlq' to reflect the high level qualifier for your installation. This defaults to 'SECZIP.MVS'.
    ispfhlq = 'SECZIP.MVS'
• Change the value of 'llib' to indicate the name of the installed load library. The default is 'SECZIP.MVS.LOAD'.
    llib = 'SECZIP.MVS.LOAD'

Now save your changes to the PKZSTART member. To quickly test whether the user configuration has worked, simply type "EXEC" next to the PKZSTART member. If everything has gone accordingly during the installation, after typing in "EXEC" the user should be prompted to enter the configuration screen for SecureZIP for zSeries.

You may choose to add the PKZSTART member to a REXX exec in your SYSEXEC or SYSPROC concatenation that will initialize the ISPF interface. If the user prefers to activate the SecureZIP for zSeries ISPF from your ISPF main menu, add an entry that will activate SecureZIP for zSeries. Both methods are explained in the following paragraphs. Significant performance improvements can be achieved by using the compiled REXX exec.

ISPF Main Menu

To execute SECZIP from an ISPF menu panel you must add an entry to the main menu for ISPF. This is normally a panel named (ISR@PRIM). Add the following line (or whatever the user deems appropriate) to the BODY section of the panel definition:

    P SecureZIP for zSeries 8.1 ISPF

Add the following line to the PROC section:

    P,'CMD(%PKZSTART)'

Replace the 'P' with whatever main menu option you added in the BODY section of the panel definition. The user will notice that the PKZSTART exec has an argument passed to it. The argument 'CEXEC' causes the libraries containing the compiled REXX routines to be allocated. The user will gain significant increases in performance by using these libraries. If your operating system release or any other reason might prevent you from using the compiled REXX, then call PKZSTART with the argument of 'EXEC' and the normal interpreted REXX libraries will be used.

PKZSTART is the initial exec that starts the interface and it also allocates the necessary ISPF application libraries. Consequently, it must be modified to reflect the installed library names (as it was documented in the previous section).

Verifying the Installation

To ensure proper design and implementation has taken place, it is crucial for the system administrator to run the installation verification procedures that ship with SecureZIP for zSeries. Once the product has completed installation and is properly licensed, you can run the pre-defined IVP streams. Instructions for customizing these jobs to the standards of your facility are included in comments at the beginning of each job’s JCL stream.

The pre-packaged IVP streams located under the *.INSTLIB dataset are as follows:
• IVPBASIC – Demonstrates the compression, viewing, testing, and decompression of a catalog listing to an archive contained in a PDS member.
• IVPLMOD – Compresses LOAD module members and then views, tests, and rebuilds the LOAD library from the archive.
• IVPSECUR – Sample strong encryption jobs to compress 1MB, 10MB, 100MB, and 1GB data files and to test and decompress the files from the archives.
• IVPVSAM – Demonstrates the compression, viewing, testing, and decompression of a VSAM KSDS to a VSAM archive. (Non-VSAM files and archives can be mixed with VSAM. This job simply shows that VSAM can be used for either.)
• IVPVSPAN – Sample job to IEBCOPY-Unload a PDS, ZIP it, and reload it to verify the operation of variable spanned files.

Recipient-based encryption, signing and authentication can also be tested from the Local Certificate Store main menu. Option 8 (Run Installation Verification Job) prompts the user with the IVP JCL stream that has been customized for the signing and authentication standards of your facility. This job demonstrates the compression, encryption, signing, and authentication of an archive using SecureZIP for zSeries.

The expected return code is zero for each of the IVP job runs. To report any unexpected job results when running the various IVP streams, contact the PKWARE Technical Support team at www.pkware.com/support/contact or call 937.847.2687.


3 Security Administration Overview

This section discusses how you utilize SecureZIP for zSeries to secure your data. Elements that are required to make a SecureZIP for zSeries archive are discussed in detail. These elements, when selectively used, combine to create a SecureZIP for zSeries archive or allow the extraction of a file or files from a SecureZIP for zSeries created archive.

A series of ISPF panels is used to assist you in building and maintaining the SecureZIP Certificate Store. These panels are not part of the separately licensed feature “ISPF”. They are standard with SecureZIP for zSeries. The ISPF screens and SecureZIP commands that are used to accomplish these tasks are shown in this chapter, along with notes and comments.

Keywords, Phrases, and Acronyms Used

SecureZIP for zSeries introduces new terminology to users that are familiar with PKZIP. These expressions directly relate to the security features inherent in SecureZIP for zSeries.
• Public key certificate(s)
• Private key certificate(s)
• Data base profile (local certificate store)
• LDAP profile (networked certificate store)
• Password
• RECIPIENT
• MASTER RECIPIENT
• Configuration profile
• Certificate store
• Common name
• Path
• Cert configuration
• PING
• TCPIP
• User certificate
• Certificate authority
• Recipient database
• Recipient searches
• Filename encryption
• Authentication
• File Signing
• Archive signing
• Root certificates
• CA certificates
• Certificate revocation list

Accessing Certificates

SecureZIP for zSeries provides access to Certificates through sets of local files (sequential, PDS or PDSE) and VSAM index paths when control card requests are present. In addition, RECIPIENT(LDAP:...) requests are resolved through configured network definitions.

Public Key Certificate

Certificate-based encryption allows the exchange of encrypted data without the exposure of also exchanging or retaining a password. This form of encryption uses a Public-key digital certificate when the archive is created, and the recipient then uses the corresponding Private-key certificate to decrypt. Digital certificates may be identified and selected by naming information, such as "Common Name" or an email address. To do this, SecureZIP for zSeries performs a process called “Digital Enveloping” using digital certificates when encrypting data for specified public key recipients. Access the Secure .ZIP Envelopes whitepaper at the PKWARE web site.

The Public Key Certificate consists of the public portion of an asymmetric cryptographic key (the "public key"), together with identity information, such as a person's name, all of which is signed by a certificate authority (CA). The CA essentially guarantees that the public key belongs to the named entity.


Private Key Certificates

To UNZIP a file that has been encrypted with a Public-key certificate, the receiver must supply a matching Private-key certificate. This is done by including RECIPIENT commands that specify the location of the Private-key certificate along with its associated access password. Note this password is not a password used to encrypt a file, but rather a password that is used to access the Private Key Certificate.

-RECIPIENT commands may be included in the command input stream directly, or be included through the INCLUDE CMD command. A Private-Cert profile designates a saved repository of the private key certificates. When SecureZIP for zSeries dialogs prepare batch JCL or UNZIP call streams, these commands will be automatically included when File Decryption is requested.

Certificate Authority and Root Certificates

End entity certificates and their related keys are used for signing and authentication. They are created at the end of the hierarchy of certificate authorities. Each certificate is signed by its CA issuer and is identified in the “Issued By” field in the end certificate. In turn, a CA certificate can also be issued by a higher level CA. Such certificates are known as intermediate CA certificates. At the top of the issuing chain is a self-signed certificate known as the root.

SecureZIP uses the certificates for signing and authentication operations. SecureZIP for zSeries makes use of these certificates in PKCS#7 format. The intermediate CA certificates are maintained independently from the ROOT certificates.

Configuration Profile

A configuration profile is a collection of SecureZIP for zSeries commands that describe the necessary environment. At execution time this profile is read to locate the appropriate stores and index. SecureZIP provides various means by which the configuration information can be supplied. Contact your technical support staff for instructions regarding access to the configuration.

Contents of the Configuration Profile

Execution configuration values may be supplied in any of the following ways. It is highly recommended that the command sources be coordinated in logical groups (Local Cert Store settings, or LDAP settings) so that overrides are not overly complex.
• Direct commands in the SYSIN stream. When accepted, these commands take precedence over other sources.
• INCLUDE_CMD indirect reading of profile commands. This is the method employed when you specify a file location through the SecureZIP Active DB Profile: field. When accepted, these commands take precedence over profiles read by the Defaults module, but may be overridden by SYSIN commands.
• Defaults module indirect reading of profile commands. This is the method employed when you specify UNDEFINED in the SecureZIP Active DB Profile: field.

Data Base (DB) Profile (Local Certificate Store)

During SecureZIP for zSeries processing that requires encryption intended for a RECIPIENT, the associated Public-key certificate(s) must be located. One way of designating which Public-key recipients to include is through the DB: form of the RECIPIENT command. This allows for recipient selection based on name or email address through a configured database of certificates on the system that is executing SecureZIP for zSeries. Your technical support staff is responsible for configuring the local Certificate Store and should provide you with information on which profile dataset, typically a member of a Partitioned Data Set, to use. Below is a sample of the contents of the Data Base Profile.

* ------*
* Local zSeries development certificate store *
* ------*
-{CSPUB=4;1;SECZIP.CERTSTOR.PUBLIC}
-{CSPRVT=4;1;SECZIP.CERTSTOR.PRIVATE}
-{CSCA=1;1;SECZIP.CERTSTOR.PUBLIC(CAP7)}
-{CSROOT=1;1;SECZIP.CERTSTOR.PUBLIC(ROOTP7)}
-{CSPUB_DBX=SECZIP.CERTSTOR.PUBLIC.DBX}
-{CSPUB_DBX_PATH_CN=SECZIP.CERTSTOR.PATHCN}
-{CSPUB_DBX_PATH_EM=SECZIP.CERTSTOR.PATHEM}
-{CSPUB_DBX_PATH_PUBKEY=SECZIP.CERTSTOR.PATHPUBK}

LDAP Profile (Networked Certificate Store)

During SecureZIP for zSeries processing that requires encryption intended for a RECIPIENT, the associated Public-key certificate(s) must be located. One way of designating which Public-key recipients to include is through the LDAP: form of the RECIPIENT command, which uses the LDAP interface to a directory server. This allows for recipient selection based on name, email address or other installation-configured LDAP fields. One or more LDAP compliant servers may be configured for searching. The technical support staff responsible for configuring the LDAP compliant directory that stores certificates will provide you with information on which profile dataset, typically a member of a Partitioned Data Set, to use. Below is a sample of the contents of the file.

* ------*
* zSeries LDAP access *
* ------*
* ---
* Primary LDAP
* ---
-{LDAP=1;192.168.9.12;389;0;0;;;*EMAIL;| o=pkware,c=US,cn=user,dc=cosmos,dc=securezip,dc=com}
* ---


Recipient Searches

When RECIPIENT requests are made for either the Local Certificate Store ("DB:"), an LDAP ("LDAP:") or both ("SYSTEM:"), a set of search criteria are provided. The search criteria of E-mail address ("EM=" or "mail=") and Common Name ("CN=") are accepted by both the DB: and LDAP: service providers.

When multiple RECIPIENT requests are made, it is possible that two or more search criteria may resolve to the same recipient certificate. For example, if both EM= and CN= are used in different RECIPIENT (or MASTER_RECIPIENT) requests, then the same public key certificate may be found. The first entry found will be used, and any duplicate copies of the same certificate will be ignored, resulting in only one representation of that certificate.

A search for an individual by name or e-mail address may result in multiple digital certificates being located, whether from the same Certificate Store source or not. This means that more than one representation of an individual can be included in the run.

LDAP searching can be accomplished with direct RECIPIENT requests via "RECIPIENT(LDAP:search_criteria)" or implicitly with "-RECIPIENT(*system:search_criteria)". In both cases, the Certificate Store Configuration settings define the order in which the LDAP servers are to be searched. However, in the case of using "*system", local Certificate Stores are searched prior to any of the configured LDAPs.

When multiple stores are to be searched (*system: or LDAP:), all RECIPIENT requests are searched in one store before the next store is referenced. If a RECIPIENT request has one or more entries found in one Store, then subsequent Stores are not searched for that request. This means that it is possible for generic LDAP search criteria to bypass entries defined in subsequent LDAP servers. RECIPIENT requests that were not satisfied at all by the higher-level Store search will continue to be searched for.

Example: Search LDAPs for RECIPIENT matches

    LDAP #1    0 entries    0 matches
    LDAP #2    3 entries    3 matches

Add entry: LDAP #1 has an entry added matching RECIPIENT

    LDAP #1    1 entry      1 match
    LDAP #2    3 entries    0 matches
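The search order described above can be modelled in a few lines. This is an added Python example, not PKWARE code: the directory entries, fingerprint labels and the use of '*' wildcards for a "generic" criterion are constructed assumptions. It reproduces the two-LDAP example and reports which certificates in a later store are bypassed once an earlier store satisfies the request.

```python
from fnmatch import fnmatchcase

# Constructed directory contents: (fingerprint label, common name, e-mail).
LDAP2_CERTS = [
    ("fp-a1", "Pat Smith", "pat.smith@example.com"),
    ("fp-b2", "Pat Smyth", "pat.smyth@example.com"),
    ("fp-c3", "Pat Snow", "pat.snow@example.com"),
]
ADDED_TO_LDAP1 = ("fp-d4", "Pat Stone", "pat.stone@example.org")


def matches(criterion, cert):
    """True if a 'CN=' or 'EM='/'mail=' criterion selects this certificate."""
    field, _, pattern = criterion.partition("=")
    _fp, cn, em = cert
    value = {"CN": cn, "EM": em, "MAIL": em}.get(field.strip().upper())
    if value is None:
        raise ValueError(f"unsupported search field in {criterion!r}")
    # Assumption: '*' wildcards and a case-insensitive compare stand in for a
    # "generic" search; the product's real matching rules are not on the page.
    return fnmatchcase(value.lower(), pattern.strip().lower())


def resolve(requests, stores):
    """Resolve RECIPIENT criteria against stores given in search order.

    Returns (selected, satisfied_by, unresolved):
      selected      fingerprint -> store that supplied it (duplicates ignored)
      satisfied_by  request -> first store with at least one match
      unresolved    requests no store could satisfy
    """
    selected, satisfied_by = {}, {}
    pending = list(requests)
    for store_name, certs in stores:
        still_pending = []
        # Every pending request is tried in this store before the next store.
        for request in pending:
            hits = [c for c in certs if matches(request, c)]
            if not hits:
                still_pending.append(request)   # carried to the next store
                continue
            satisfied_by[request] = store_name  # later stores are skipped
            for cert in hits:
                selected.setdefault(cert[0], store_name)  # first copy wins
        pending = still_pending
    return selected, satisfied_by, pending


def shadowed(requests, stores):
    """Matching certificates in stores that were never searched for a request."""
    _selected, satisfied_by, _unresolved = resolve(requests, stores)
    order = [name for name, _ in stores]
    hidden = {}
    for request, winner in satisfied_by.items():
        for name, certs in stores[order.index(winner) + 1:]:
            found = [(name, c[0]) for c in certs if matches(request, c)]
            if found:
                hidden.setdefault(request, []).extend(found)
    return hidden


if __name__ == "__main__":
    before = [("LDAP #1", []), ("LDAP #2", LDAP2_CERTS)]
    after = [("LDAP #1", [ADDED_TO_LDAP1]), ("LDAP #2", LDAP2_CERTS)]
    for label, stores in (("before", before), ("after", after)):
        selected, _, _ = resolve(["CN=Pat S*"], stores)
        print(label, sorted(selected.items()), shadowed(["CN=Pat S*"], stores))
```

Running `shadowed()` against the configured store order before a ZIP run shows which intended recipients a broad criterion would silently drop from the encryption list.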

Local Certificate Stores

Access X.509 Public and Private Key Certificates

SecureZIP for zSeries introduces a new subtask, CSERV, that utilizes RSA’s BSAFE Cert-C Toolkit to access X.509 Public and Private key certificates. The access to the various certificate stores by this task is governed by various forms of the RECIPIENT, SIGN_ARCHIVE, SIGN_FILES and AUTHCHK commands, as well as by a suite of configuration commands. The configuration commands are read either through SYSIN, INCLUDE_CMD(parmlib) or SECUREZIP_CONFIG specifications. The syntax of the commands is -{ ... }. The semi-colon (;) is used as a parameter delimiter.


-{CSPUB=type;Seq;string PUB}
-{CSPRVT=type;Seq;string Prvt}
-{CSCA=type;Seq;string CA}
-{CSROOT=type;Seq;string Root}

-{CSPUB_DBX=vsam_cluster_base_index}
-{CSPUB_DBX_PATH_CN=vsam_path_through_AIX_for_Common_Name}
-{CSPUB_DBX_PATH_EM=vsam_path_through_AIX_for_Email_address}
-{CSPUB_DBX_PATH_PUBKEY=vsam_path_through_AIX_for_PublicKey}

-{AUTHENTICATE=TRUSTED,EXPIRED,REVOKED,TAMPERCHECK}
-{VALSIGN=TRUSTED,EXPIRED,NOTREVOKED}
-{VALENCRYPT=TRUSTED,EXPIRED,NOTREVOKED}

-{RESET}

Where:
• type (*PATH 0) (FILE 1) (*DB 2) (*LDAP 3) (*PDS 4)
• Seq 0 through 9 (Cert Store search order)
• LDAP - timeout of 0 results in system settings
• user of NULL or ";;" will use "anonymous" login

Certificate Store References -{CSxxx}

If not supplied through configuration changes, the defaults are:

{CSPUB=1;9;DUMMY}
{CSPRVT=1;9;DUMMY}
{CSCA=1;9;DUMMY}
{CSROOT=1;9;DUMMY}
{CSPUB_DBX=SECZIP.CERTSTOR.PUBLIC.DBX}
{CSPUB_DBX_PATH_CN=SECZIP.CERTSTOR.PATHCN}
{CSPUB_DBX_PATH_EM=SECZIP.CERTSTOR.PATHEM}
{CSPUB_DBX_PATH_PUBKEY=SECZIP.CERTSTOR.PATHPUBK}

The local zSeries certificate store for public key certificates (configuration settings for {CSPUB_...}) can be built as a PDS[E] indexing scheme for common name and email address searches. This is accomplished through a VSAM base cluster and a set of alternate index paths to access the appropriate field types. The PDS[E] and the VSAM suite are managed as a unit and should not be manipulated independently from the supplied SecureZIP utilities. When no Public Key Store (CSPUB=) PDS[E] is specified, the indexing (CSPUB_DBX...) files are not accessed.

The CSCA (Certificate Authority) and CSROOT (Trusted Root Certificate Authority) certificates are maintained in respective sequential files in X.509 PKCS#7 format.

Overrides to {CSxxx…} or {LDAP…} configuration commands can be done through input command streams or included members. However, care must be taken to coordinate overrides so that intermixed PATHS do not result in different databases or indexes being used when resolving the various search criteria.


Authentication and Certificate Validation Policies

Certificate validation may be done when activities in the following functional areas are performed:
• Recipient based encryption
• Archive or file signing
• Authentication of digital signatures for files and/or archive directory

Validation policies are passed to SECZIP and SECUNZIP to govern various aspects of certificate validation at execution time. The policies are defined in configuration profile settings, and may also be included as override commands for individual executions of SECZIP and SECUNZIP. The policy command settings are coded in the same format as other certificate store profile commands, with the syntax -{...}

Each functional area supports a single policy statement with its associated settings. The CERTSTORE Policy Setup panel will generate a policy statement for each functional area for use in the certificate store profile.
• -{AUTHENTICATE=...}
• -{VALENCRYPT=...}
• -{VALSIGN=...}

{AUTHENTICATE} Policy

The {AUTHENTICATE} setting can be used within an include member that contains configuration commands, or within the standard command stream. It defines the level of processing that AUTHCHK commands will perform. The last AUTHENTICATE command found in the input stream will be used for processing and fully defines the signature authentication elements to be verified. The default settings may be changed by the SecureZIP administrator at any time. However, if this command is not supplied, all supported elements default to being checked. Elements include:
• [NO]TAMPERCHECK – The signature associated with the archive or file(s) involved will be used to verify that the content has not been altered since the archive was built.
• [NOT]EXPIRED – The digital certificates used to originally perform the signing operation contain internal date ranges of validity. The AUTHCHK operation will fail if any of the certificates in the trust chain are not found to be within their stated date range. Note that an end-certificate may have expired at the time that the archive is being accessed, and NOTEXPIRED may be used to continue processing.
• [NOT]REVOKED – A certificate owner may request that the issuing certificate authority declare a certificate to be revoked and thereby no longer consider that certificate to be valid. The AUTHCHK operation will fail if any of the certificates in the trust chain are found to have been revoked or if the revocation status could not be determined.
• [NOT]TRUSTED – Each end-certificate used in the signature must be traced back to a trusted root certificate. The CSCA and CSROOT stores on the local system performing the authentication check will be accessed to determine if the entire certificate chain can be trusted. Although the Root (“self-signed”) certificate may be included within the archive, it MUST also exist in the CSROOT store to complete the TRUSTED state.


{VALSIGN} Policy

The {VALSIGN} setting can be used within an include member that contains configuration commands, or within the standard command stream. It defines the level of processing that SIGN_FILES and SIGN_ARCHIVE commands will perform during SECZIP execution. The last VALSIGN command found in the input stream will be used for processing and fully defines the signing certificate elements to be verified. The default settings may be changed by the SecureZIP administrator at any time. However, if this command is not supplied, all supported elements default to being checked.

Elements include:
• [NOT]EXPIRED – The digital certificates used to originally perform the signing operation contain internal date ranges of validity. The AUTHCHK operation will fail if any of the certificates in the trust chain are not found to be within their stated date range. Note that an end-certificate may have expired at the time that the archive is being accessed, and NOTEXPIRED may be used to continue processing.
• [NOT]REVOKED – A certificate owner may request that the issuing certificate authority declare a certificate to be revoked and thereby no longer consider that certificate to be valid. The AUTHCHK operation will fail if any of the certificates in the trust chain are found to have been revoked or if the revocation status could not be determined.
• [NOT]TRUSTED – Each end-certificate used in the signature must be traced back to a trusted root certificate. The CACA and CSROOT stores on the local system performing the authentication check will be accessed to determine if the entire certificate chain can be trusted. Although the Root (“self-signed”) certificate may be included within the archive, it MUST also exist in the CSROOT store to complete the TRUSTED state.

{VALENCRYPT} Policy

The {VALENCRYPT} setting can be used within an include member that contains configuration commands, or within the standard command stream. It defines the level of processing that RECIPIENT-based encryption requests will perform during SECZIP execution. The last VALENCRYPT command found in the input stream will be used for processing and fully defines the signing certificate elements to be verified. The default settings may be changed by the SecureZIP administrator at any time. However, if this command is not supplied, all supported elements default to being checked.

Elements include:
• [NOT]EXPIRED – The digital certificates used to originally perform the signing operation contain internal date ranges of validity. The AUTHCHK operation will fail if any of the certificates in the trust chain are not found to be within their stated date range. Note that an end-certificate may have expired at the time that the archive is being accessed, and NOTEXPIRED may be used to continue processing.
• [NOT]REVOKED – A certificate owner may request that the issuing certificate authority declare a certificate to be revoked and thereby no longer consider that certificate to be valid. The AUTHCHK operation will fail if any of the certificates in the trust chain are found to have been revoked or if the revocation status could not be determined.
• [NOT]TRUSTED – Each end-certificate used in the signature must be traced back to a trusted root certificate. The CACA and CSROOT stores on the local system performing the authentication check will be accessed to determine if the entire certificate chain can be trusted. Although the Root (“self-signed”) certificate may be included within the archive, it MUST also exist in the CSROOT store to complete the TRUSTED state.
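The three policy statements can be audited offline from a text copy of a profile member. The following is an added example, not PKWARE code: it applies the "last command wins" and "all elements checked when the command is absent" rules stated above and reports every element that is not positively checked. It assumes that lines beginning with * are comments, and it reports an element omitted from a supplied statement as "unspecified", because the page does not say how such an element is treated.

```python
import re

# Elements each policy area supports, as listed in this section.
AREAS = {
    "AUTHENTICATE": ("TRUSTED", "EXPIRED", "REVOKED", "TAMPERCHECK"),
    "VALSIGN": ("TRUSTED", "EXPIRED", "REVOKED"),
    "VALENCRYPT": ("TRUSTED", "EXPIRED", "REVOKED"),
}
# Negated spellings: [NO]TAMPERCHECK, [NOT]EXPIRED, [NOT]REVOKED, [NOT]TRUSTED.
NEGATED = {
    "NOTAMPERCHECK": "TAMPERCHECK",
    "NOTEXPIRED": "EXPIRED",
    "NOTREVOKED": "REVOKED",
    "NOTTRUSTED": "TRUSTED",
}
# Profile commands use the -{NAME=value} syntax.
COMMAND = re.compile(r"-\{\s*(\w+)\s*=([^}]*)\}")

# Constructed sample, not a real site profile.
SAMPLE_PROFILE = [
    "* constructed sample profile",
    "-{CSPUB=4;1;EXAMPLE.CERTSTOR.PUBLIC}",
    "-{AUTHENTICATE=TRUSTED,NOTEXPIRED,REVOKED,TAMPERCHECK}",
    "-{VALENCRYPT=TRUSTED,EXPIRED,REVOKED}",
    "-{VALENCRYPT=TRUSTED,NOTREVOKED}",
]


def effective_policy(profile_lines):
    """Return {area: {element: 'checked' | 'disabled' | 'unspecified'}}."""
    last_seen = {}
    for line in profile_lines:
        if line.lstrip().startswith("*"):  # assumption: '*' starts a comment
            continue
        for name, value in COMMAND.findall(line):
            if name.upper() in AREAS:
                last_seen[name.upper()] = value  # the last command wins
    policy = {}
    for area, elements in AREAS.items():
        if area not in last_seen:
            # Command not supplied: all supported elements are checked.
            policy[area] = {element: "checked" for element in elements}
            continue
        states = {element: "unspecified" for element in elements}
        for token in last_seen[area].split(","):
            token = token.strip().upper()
            if token in NEGATED and NEGATED[token] in states:
                states[NEGATED[token]] = "disabled"
            elif token in states:
                states[token] = "checked"
            elif token:
                raise ValueError(f"unknown element {token!r} in {area}")
        policy[area] = states
    return policy


def weakened(policy):
    """List (area, element, state) for every element not positively checked."""
    findings = []
    for area, elements in AREAS.items():
        for element in elements:
            state = policy[area][element]
            if state != "checked":
                findings.append((area, element, state))
    return findings


if __name__ == "__main__":
    for area, element, state in weakened(effective_policy(SAMPLE_PROFILE)):
        print(f"{area}: {element} is {state}")
```

Run it over the members referenced by INCLUDE_CMD as well as the default profile, since an override in any of them replaces the earlier statement for that functional area.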


Be aware there are some conditions under which a certificate validation will fail because superfluous certificates are selected during a DB: search request. By marking a certificate entry in the local certificate store as "Suspended", DB: search requests will filter out the suspended entry from the request.

For example, assume the following:
• A recipient command has been used with "DB:CN=Joe Smith,R", thereby requiring the certificate to be available for use for ZIP encryption.
• VALENCRYPT=EXPIRED is active
• The original certificate for Joe Smith is about to expire, and a new certificate for the same common name is acquired and installed to the certificate store

The older certificate may remain in the certificate store to resolve references to that recipient when viewing older archives. However, the sample DB: search request will return both certificates in the search for new encryption requests. Since the request is marked as “Required,” the older certificate will fail the validation and the ZIP encryption will fail. By marking the older certificate as “Suspended” when the newer certificate is installed, subsequent DB: requests will only return the currently active certificate. The older one will still be available for VIEW processing of older archives that used it as a recipient.
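The Joe Smith scenario above can be checked ahead of time against a listing of the certificate index. The following is an added example that models the described behaviour, not the product's code: member names, dates and the exact-match comparison on the common name are assumptions, and the index entries are constructed.

```python
from dataclasses import dataclass, replace
from datetime import date


@dataclass(frozen=True)
class IndexEntry:
    common_name: str
    member: str            # hypothetical PDS member name
    not_before: date
    not_after: date
    suspended: bool = False


# Constructed index: an old and a new certificate for the same common name,
# plus one expired certificate that has no replacement.
TODAY = date(2005, 7, 15)
INDEX = [
    IndexEntry("Joe Smith", "PUB0001", date(2003, 7, 1), date(2005, 6, 30)),
    IndexEntry("Joe Smith", "PUB0002", date(2005, 6, 1), date(2007, 5, 31)),
    IndexEntry("Ann Lee", "PUB0003", date(2002, 1, 1), date(2005, 1, 1)),
]


def db_search(entries, common_name):
    """Entries a DB:CN= request returns: suspended entries are filtered out."""
    return [e for e in entries
            if e.common_name == common_name and not e.suspended]


def required_encrypt_ok(entries, common_name, today):
    """Model of a Required recipient with VALENCRYPT=EXPIRED active:
    every certificate returned by the search must be inside its date range."""
    hits = db_search(entries, common_name)
    return bool(hits) and all(e.not_before <= today <= e.not_after for e in hits)


def suspend_candidates(entries, today):
    """Members to mark Suspended: expired entries whose common name also has
    at least one other active (non-suspended, non-expired) entry."""
    by_name = {}
    for e in entries:
        if not e.suspended:
            by_name.setdefault(e.common_name, []).append(e)
    members = []
    for hits in by_name.values():
        expired = [e for e in hits if e.not_after < today]
        if expired and len(expired) < len(hits):
            members.extend(e.member for e in expired)
    return sorted(members)


def suspend(entries, members):
    """Return a copy of the index with the given members marked Suspended."""
    return [replace(e, suspended=True) if e.member in members else e
            for e in entries]


if __name__ == "__main__":
    print("before:", required_encrypt_ok(INDEX, "Joe Smith", TODAY))
    to_suspend = suspend_candidates(INDEX, TODAY)
    print("suspend:", to_suspend)
    fixed = suspend(INDEX, to_suspend)
    print("after:", required_encrypt_ok(fixed, "Joe Smith", TODAY))
```

An expired certificate with no replacement (Ann Lee in the sample) is not reported, because suspending it would leave the recipient with no certificate at all.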

Other Profile Commands

{RESET} Clearing the Active Configuration

The {RESET} command can be used at the beginning of an include member that contains configuration commands, or within the standard command stream to “clear” all existing {CSxxx…} and {LDAP…} configuration commands that may have been previously loaded. This will help avoid mixed entries if an incomplete set of overrides is present. Remember that the defaults module may include settings for the configuration commands even if commands are not explicitly coded at run-time. The default settings may be changed by the SecureZIP administrator at any time.

Execution Time

SecureZIP for zSeries is commonly run as a batch job step utility to place one or more files into a SecureZIP container (archive) prior to subsequent processing (such as transporting to an off-board system). Processing considerations when utilizing Recipient-based Encryption include:
• Using INCLUDE_CMD to reference the Local Certificate Store configuration control records (created by the initial setup in Certificate Store Administration) in the SYSIN command stream
• Using the RECIPIENT command to trigger certificate-based encryption. (Optionally, the RECIPIENT command used for extraction (decryption) may be referenced via INCLUDE_CMD to protect the password information contained within it).
• Having dataset-level READ authority (via RACF or equivalent product) to the private-key certificate and referenced command files necessary to access the certificate
• Performing JCL return code checking within the job stream after the SECZIP program has completed to test the success of Encryption/Decryption processing

Security Considerations

To ensure the continued integrity of private-key certificates within an organization, special attention should be paid to protecting access to them. The X.509 PKCS#12 certificate format supported by SecureZIP has an inherent security mechanism designed to protect the private keys within the transportable certificate by way of an access password. This means that without the appropriate password, the private keys cannot be accessed from the private-key PKCS#12 digital certificate (on any system or location).

RACF READ authority (or equivalent) must be granted to the job accessing the certificate store, the X.509 certificate file and the referenced input stream containing the command having the certificate request (and password for a private-key certificate).

To perform a decryption operation, SecureZIP for zSeries requires read access to the PKCS#12 private-key certificate (file or PDS member), as well as a command (RECIPIENT) containing the corresponding password. Similarly, the signing and authentication commands (SIGN_ARCHIVE, SIGN_FILES and AUTHCHK) may reference private keys.

The following should be considered when using SecureZIP to access private keys:
• Password information will be masked out in SecureZIP SYSPRINT output.
• If jobstream inputs can be viewed by operational staff members, then an indirect reference to the command(s) containing the password should be considered.
• Read protection of command files containing passwords
• Read protection of PKCS#12 certificate files
• Optionally use ECHO=N within the command sequence to eliminate the command from showing in the SYSPRINT output.

SecureZIP administrative certificate files are located within the INSTLIB2 dataset and must be available for some administrative functions. Read access should be provided to the SecureZIP administrator for this library as the create and verification processes will fail if the library is not accessible.


4 Certificate Store Management

The ISPF panels in this chapter are used to build and maintain the SecureZIP for zSeries certificate store. These panels are not part of the separately licensed feature “ISPF”. They are standard with SecureZIP for zSeries.

SecureZIP Main Panel—Access to the Certificate Stores

SecureZIP Version 8.1

Option ===>

C   Config           Modify Run-time Configuration Settings
ZD  Zip Defaults     Modify Default ZIP Command Settings
UD  Unzip Defaults   Modify Default UNZIP Command Settings
U   Unzip            Decompress File(s) Stored in a Zip Archive
V   View             Display the Contents of a Zip Archive
Z   Zip              Compress File(s) and Store in a Zip Archive

S   Sysprint         Browse Log of Last Foreground Execution
M   Messages         Message ID lookup
L   License          Display License Information
CS  Cert Store       Certificate Store Administration and Configuration

W   What's New       Browse Information on Changes Since Last Release
P   Contact PKWARE   Browse Information on How to Contact PKWARE

X EXIT

For HELP Press PF1

To access the certificate store administration and configuration, enter “CS” in the Option field from the main SecureZIP panel.

SecureZIP Certificate Store Administration and Configuration

• Local certificate store
SecureZIP for zSeries provides access to both public and private key certificates through a set of local files, either PDS or PDSE, and VSAM index paths. The composite of these elements is known as recipient database access.
• LDAP certificate store
SecureZIP for zSeries also provides access to public key certificates located in an external LDAP (Lightweight Directory Access Protocol) server via a TCPIP network connection.
• x.509 certificate information
SecureZIP for zSeries also provides identification of and simulation with certificates prior to including them in your local certificate store.

Each certificate store is described in detail below.

Local Certificate Store Administration

This section assists with allocating the components necessary to support the local DB, as well as administer the certificates within it. SecureZIP for zSeries provides access to both public and private key certificates through a set of local files, PDS or PDSE, and index paths. The files and VSAM indexing components (Cluster, Alternate Indexes and Paths) must be allocated and synchronized.

Two administration phases should be planned for:
• Initial Setup: A one-time initialization of the local certificate store datasets. This is initiated through the SecureZIP ISPF Dialogs and is performed by a generated batch job stream. Certificate store datasets are allocated and initialized for future use. In addition, a set of run-time configuration control records is generated for run-time access by SecureZIP.
• Certificate Administration: The addition of new certificates to be used for encryption must be periodically performed as new exchange partners are identified. Installation of the certificates may be performed either through ISPF dialog foreground (manual) processing, or via a batch job stream.

The following certificate administration actions must be accounted for:
• One or more public-key certificates must be available for use when a RECIPIENT encryption operation is performed (when updating an archive). These digital certificates may either be placed into MVS datasets (or PDS members) on the system that will be used to perform the encryption.
• A private-key certificate must be available for use when a decryption operation is performed (either during extract processing, or when accessing an archive that has been protected with Filename Encryption). Corresponding RECIPIENT command instructions with the associated private-key certificate password must also be prepared for run-time access.

In order to complete the above tasks, digital certificate data must be made available to the activating system in the form of sequential files:
• Private-key certificates in PKCS#12 format (.PFX DSN suffix)
• Certificate Authority and Root Certificates in DER or B64 format (.CER DSN suffix)


A configuration profile is a collection of SecureZIP for zSeries commands that describe the collection of components. At execution time this profile is read to locate the appropriate stores and index.

SecureZIP Certificate Store Administration

Option ===>

Select one of the following options and press Enter:

1 Local Certificate Store Administration
2 LDAP Certificate Store Configuration
3 x.509 Certificate Utilities

To access the local certificate store administration and configuration, enter “1” in the Option field.

SecureZIP Local Certificate Store

SecureZIP Local Certificate Store
Option ===>

Local Certificate Store Administration

1 View Certificate Entries (ISPF Table)
2 List Certificate Entries
3 Add new Certificates
4 Delete a Certificate
5 Synchronize/Verify Local Store Certificates
6 Report Statistics
7 Edit Active Profile
8 Supplemental Administration Utilities

Create  Define and Initialize a New Local Certificate Store
CRL     Work with Certificate Revocation Lists

Active Store Configuration: 'SECZIP.MVS.JCL(DBPROF)'
-{CSPUB=4;1;SECZIP.CERTSTOR.PUBLIC}
-{CSPRVT=4;1;SECZIP.CERTSTOR.PRIVATE}
-{CSPUB_DBX=SECZIP.CERTSTOR.DBX}
-{CSPUB_DBX_PATH_CN=SECZIP.CERTSTOR.PATHCN}
-{CSPUB_DBX_PATH_EM=SECZIP.CERTSTOR.PATHEM}
-{CSPUB_DBX_PATH_PUBKEY=SECZIP.CERTSTOR.PATHPUBK}

This is the main local certificate store panel. It will guide you in establishing your local cert-store environment. To create a new local certificate store database, enter “CREATE” in the Option field.

Create a New Local Certificate Store DB

SecureZIP Local Certificate Store
Option ===>

Create and Prime New Local Certificate Store

Fill in the required information below using the DOWN PFK to complete all fields, including storage management options if necessary. Then Press ENTER to generate the create JCL.

Batch Job Card information:
//SECZIP81 JOB 'SEZIP81',CLASS=A,REGION=8M,
// MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID
//*

High-Level Qualifier(s): SECZIP.MVS (up to 20 characters)
A set of PDS/PDSE datasets, VSAM Clusters, Alternate Indexes and PATHs will be allocated by the JOB. All components of the store must be allocated in the form: hlqs...CERTSTOR.type

New Store Configuration Profile: 'SECZIP.MVS.JCL(DBPROF)'
For example: 'SECZIP.MVS.PARMLIB(CERTCFG1)'
Specify the PDS and member where the run-time configuration commands are to be placed for SecureZIP.

The PDS dataset and/or member will be allocated if they do not already exist. If the PDS member already exists, it will be overwritten.

This member is to be referenced in SecureZIP runs requiring requests from the Local Certificate Store via -RECIPIENT=DB
This may be achieved in one of the following ways:
1. Use -INCLUDE_CMD=dsname(member) in the command stream for an individual run.
2. Specify this dataset in the DB Profile field of each user's SecureZIP Runtime Configuration panel.
3. Specify this dataset in the SECUREZIP_CONFIG= parameter of the SecureZIP defaults module (ACZDFLT) to make it effective as a default for all users.

Specify SMS/non-SMS allocation parameters

Management class . . . (Blank for default management class)
Storage class . . . .  (Blank for default storage class)
Data class ......      (Blank for default data class)
Volume serial . . . .  (Specify for NON sms volume)
Device type . . . . .  (Specify for NON sms volume)

This panel will set up the job stream to create the public, private, CA and root certificate stores, the data base, all corresponding paths, and the data base profile. The public, private, CA and root certificate stores, and the DB profile are PDS files. The data base is a VSAM cluster with alternate index paths. The certificate stores are initialized with 1 CA, 1 root, four public and four private certificates in their respective stores. The password for those private certificates is PKWARE.

New Data Base Profile
The profile is used to read the configuration commands to allow access to the certificates during execution of SecureZIP for zSeries in either ZIP or UNZIP operations. If the data base profile does not exist, one will be dynamically allocated. If it exists you will see the message “Profile Exists” in the upper right corner of the screen. The data base profile follows the standard PDS dataset name format: datasetname(membername).

High-Level Qualifier
The high-level qualifier (hlq) is used to prefix the certificate stores as well as all components of the database. Multiple nodes are acceptable.

For the certificates, the PDS names are:
hlq.CERTSTOR.PUBLIC
hlq.CERTSTOR.PRIVATE

For the Data Base, the names are:
hlq.CERTSTOR.DBX
hlq.CERTSTOR.DBXCN
hlq.CERTSTOR.DBXEM
hlq.CERTSTOR.DBXPUBK
hlq.CERTSTOR.PATHCN
hlq.CERTSTOR.PATHEM
hlq.CERTSTOR.PATHPUBK
hlq.CERTSTOR.P7CA
hlq.CERTSTOR.P7ROOT
hlq.CERTSTOR.P7CRL

Batch Job Card information
This is the JOB Card to be used for the batch run.

Certificate Validation Options
When you are satisfied with the parameters you have entered, press ENTER and enter Y or N into the associated certificate validation fields.

SECUREZIP CERTSTORE Policy Setup
Command ===>

Specify whether certificate validation should be performed for each phase of processing ( Y or N ). Press PF1 for detailed information.

Encryption: Y Trusted Y Expired Y Revoked

Signing: Y Trusted Y Expired Y Revoked

Authentication: Y Trusted Y Expired Y Revoked Y Tampercheck

The configuration profile for certificate store access also defines default policy settings to be used for certificate validation. Certificates may be validated for use during RECIPIENT selection for Encryption, Signing Certificate selection (SIGN FILES/SIGN ARCHIVE), and Authentication (AUTHCHK) processing.


Generated JCL to Build the Initial Certificate Store

When you are satisfied with the parameters you have entered, press ENTER. An Edit session will be created for you to review and submit the job that generates the certificate store.

File Edit Edit_Settings Menu Utilities Compilers Test Help
------
****** ********************************* Top of Data ****************
//FPDCS1 JOB 'ACCOUNTING INFO',CLASS=A,REGION=8M,
// MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID
//*
//******************************************************************
//* PLEASE BE SURE PROCEDURE PKISPF IN INSTLIB HAS BEEN TAILORED *
//* TO MEET YOUR SITES SPECIFICATIONS. *
//******************************************************************
// JCLLIB ORDER=SECZIP.MVS.INSTLIB
//JOBLIB DD DISP=SHR,DSN='SECZIP.MVS.LOAD'
//*
//* GENERATED JCL TO BUILD INITIAL CERTIFICATE STORE
//* DELETE OLD CERTIFICATE STORE
//DELCERT EXEC PGM=IEFBR14
//DPUB DD DISP=(MOD,DELETE,DELETE),SPACE=(TRK,(0)),
// DSN=SECZIP.MVS.CERTSTOR.PUBLIC
//DPRV DD DISP=(MOD,DELETE,DELETE),SPACE=(TRK,(0)),
// DSN=SECZIP.MVS.CERTSTOR.PRIVATE
//* CREATE PUBLIC CERTIFICATE STORE
//COPYIN EXEC PGM=IEBCOPY
…………………………………….

After you have SUBmitted the JOB and then pressed PF3 to end the Edit session, the following screen appears.

****************************** Top of Data *******************************
***
* LOCAL CERTIFICATE STORE CONFIGURATION CONTROL
*
* Include this member in SecureZIP runs requiring Local Certificate
* Store RECIPIENTS, SIGN_ARCHIVE, SIGN_FILES and AUTHCHK signatories.
***
-{CSPUB=4;1;RCE1.MVS810.CERTSTOR.PUBLIC}
-{CSPRVT=4;1;RCE1.MVS810.CERTSTOR.PRIVATE}
-{CSPUB_DBX=RCE1.MVS810.CERTSTOR.DBX}
-{CSPUB_DBX_PATH_CN=RCE1.MVS810.CERTSTOR.PATHCN}
-{CSPUB_DBX_PATH_EM=RCE1.MVS810.CERTSTOR.PATHEM}
-{CSPUB_DBX_PATH_PUBKEY=RCE1.MVS810.CERTSTOR.PATHPUBK}
-{CSCA=1;0;RCE1.MVS810.CERTSTOR.P7CA}
-{CSROOT=1;0;RCE1.MVS810.CERTSTOR.P7ROOT}
-{CSCRL=1;0;RCE1.MVS810.CERTSTOR.P7CRL}
-{AUTHENTICATE=TRUSTED,EXPIRED,REVOKED,TAMPERCHECK}
-{VALSIGN=TRUSTED,EXPIRED,REVOKED}
-{VALENCRYPT=TRUSTED,EXPIRED,REVOKED}
****************************** Bottom of Data ****************************

This is the data base profile that will be saved in the dataset and member you specified. It is used to read the configuration commands to allow access to the certificates during execution of SecureZIP for zSeries in either ZIP or UNZIP operations.


View Data Base Certificate Entries

You can view details about a certificate.

SecureZIP Local Certificate Store
Option ===>

View Data Base Certificate Entries

Active Store Configuration: 'SECZIP.MVS.JCL(DBPROF)'

Select one or more types for viewing: (Default is all)
Public
Private
Certificate-Authority
Root

Optional Search Criteria:
Search String:
Search Fields: ALL (CN/EM/ALL)
Case Sensitive: N (Y/N)

Filters:
Exclusion - Do not show certificates with the following characteristics.
Revoked   Suspended   Expired   Not Trusted
Inclusion - Show certificates only having the specific indicators.
Encryption   Signing

This panel will create a data base table display using the criteria entered in the fields. The table view will provide an opportunity to select individual entries for various actions.

Active Store Configuration
The data base to be operated upon.

Select Types:
This is a report filter that you can use to select the types of certificates to report on. You may report on all certificates in the store by pressing Enter (Default) or selecting a specific type(s).
• Public key (CER) end-entity certificates will be included from the certificate store index.
• Private key (PFX) end-entity certificates will be included from the certificate store index.
• Certificate-authority (P7B) intermediate issuing certificates will be displayed from the active x.509 CA store data set.
• Root (P7B) self-signed issuing certificates will be displayed from the active x.509 root store data set.

Search String
Enter a string of characters to be used as a filter, listing only those certificates containing a match for the string. Leave this field blank if no filtering is desired.

Search Fields
Enter ALL, CN (common name) or EM (Email address).

Case Sensitive
Specify whether the search string should be case sensitive.


Filters
Filters can be useful in viewing qualified certificates in the local certificate store. The filters may be used in combination with other type and search criteria to further restrict the number of entries returned.

The Exclusion filters will eliminate entries known to have failed the specified characteristic (based on the information held in the index). For example, index entries marked as “Revoked” by the System Administration Validate function will fail the “Revoked” policy test when an attempt is made to use them for signing or encryption. This filter will assist in locating certificate entries that are known to have never failed the Validation test. However, it does not guarantee that the trust chain is currently intact within the certificate store configuration. (The system administrator may not have run the Validate service request against the certificate).

The Inclusion filters will assist in identifying certificates issued for a specific purpose. However, certificates issued without the designated use flag will be eliminated from the display. Your enterprise must obtain certificates specific to the qualifications from a certificate authority for this filter to be of use.

Be aware that when a certificate validation policy is set for a given SecureZIP action such as Encryption, Signing or Authentication, a dynamic check against the live certificate store is performed in lieu of the database index record settings. This means that multiple certificates identified by a CN= or EMAIL= search may still be identified at run-time and be flagged as unusable based on the policy in force. When records are no longer desired to be referenced at run-time because they are Expired, Revoked, or Not Trusted, the system administrator should mark the entries as Suspended.

PKCSV001 SecureZIP View Certificate Store Row 1 to 10
Command ===>                                   SCROLL ===> CSR
Certificate Database: 'SECZIP.NEWDB.CERTSTOR.DBX'

Primary commands: LOCATE , SORT and SAVE.
Scroll RIGHT or LEFT for more information.
Enter line command or '/' for list of valid line commands.

Cmd Type Common Name
------
/_  CER  Al Smith
__  CER  Bill Jones
__  CER  Kevin Johnson
__  CER  Mark Arrow
__  CER  Matt Brewster
__  CER  Michael Stanley
__  CER  PKWARE Test1
__  PFX  PKWARE Test1
__  CER  PKWARE Test2
__  PFX  PKWARE Test2

Valid Line Commands

SecureZIP Certstore Line Commands
Command ==>

Action: I

D    Delete Certificate
I    Detailed Certificate Information
EX   Edit Certificate Index information
VAL  Validate Certificate
RC   Generate -RECIPIENT command based on Common Name
RE   Generate -RECIPIENT command based on Email Address
SAC  Generate -SIGN_ARCHIVE command based on Common Name
SAE  Generate -SIGN_ARCHIVE command based on Email Address
SFC  Generate -SIGN_FILES command based on Common Name
SFE  Generate -SIGN_FILES command based on Email Address
AAC  Generate -AUTHCHK archive command based on Common Name
AAE  Generate -AUTHCHK archive command based on Email Address
AFC  Generate -AUTHCHK files command based on Common Name
AFE  Generate -AUTHCHK files command based on Email Address
SUS  Suspend a certificate from use

The Generate option(s) will place the commands to a memory clipboard for a subsequent SAVE command.

Specifying “D” to delete the certificate will remove the specified certificate from your local store. Please be aware that deleting certificate authority and/or root certificates will prevent authentication processing from completing a TRUST check operation. Before permanently removing the certificate from the local store, SecureZIP will prompt the user with the following screen:

Confirm Certificate Delete

Active DB Profile: 'SECZIP.MVS.PROFILE(CERTCFG1)'

Certificate to be deleted:
Location= 1
Name    = Class 3 Public Primary Certification Authority
Serial #= 02CDBA356FFDWE4BC54FE22ACBA72A325

Note: Certificates that are issued by the certification authorities or any lower level certification authorities will no longer be trusted. Press ENTER to continue or PF3 to exit without deleting the certificate.

Press ENTER to continue or PF3 to exit without deleting the certificate

By requesting “I” for additional information about the certificate, a report will be generated and displayed.

Certificate Summary
======
Certificate Location //'SECZIP.NEWDB.CERTSTOR.PUBLIC(PUB1CERT)'
Installed: 2004/10/20 by: INSTALL
-RECIPIENT(DB:CN=PKWARE Test1,PASSWORD=-)

CN=PKWARE Test1
[email protected]
Issuer=
Valid Dates=04/14/2004-04/13/2024

Certificate Details
======
PKDecode64_Certs found Dcode

--- Certificate --- PKWARE Test1

Subject:
  C=US
  OU=Certification Services
  CN=PKWARE Test1
  [email protected]
Issuer:
  C=US
  OU=Certification Services
  CN=PKWARE Test1
  [email protected]
SerialNumber: 00
NotBefore: Wed Apr 14 13:20:41 2004
NotAfter: Sat Apr 13 13:20:41 2024
SHA-1 Hash of Certificate: DF 31 1E 8D DF 02 BD 0C 7C 4A 75 72 00 CA 03 6D 68 95 49 C9
Public Key Hash: 83 0A 0A E9 DB F0 49 69 54 76 38 62 12 6E CE 7A 34 BB 7A 56
Self Signed

The following table explains fields of certificate details in the display.

Heading                     Description
Subject                     Information about the entity to whom the certificate was issued.
Issuer                      Information about the entity that issued the certificate
Serial Number               Serial number of the certificate
NotBefore/NotAfter          Date range for which the certificate is valid
SHA-1 Hash of Certificate   The SHA-1 algorithm hash, or “thumbprint,” of the certificate
Public Key Hash             The hash or “thumbprint,” of the public key
Key Usage                   Key usage flags that determine how the certificate was intended to be used.

The public key hash value is the prime key used in the local certificate store index.

The Issuer fields are composed of several x.509 subfields. The exact set varies; the following table describes some of the most commonly used.

Code   Description
O      Organization
OU     Organizational Unit
CN     Common Name
E      Email address
C      Country
ST     State or Province
L      Locality or City

The Common Name (CN) and Email (E) fields can be searched to identify Recipients.

By entering “EX” from the SecureZIP Line Commands panel, you may edit the certificate index information such as the certificate member name. See resulting screen below:

Edit Certificate Index Information

Active DB Profile: 'SECZIP.MVS.PROFILE(CERTCFG1)'
Certificate Path: //'SECZIP.MVS.CERTSTOR.PUBLIC(PUB4CERT)'
Common Name: PKWARE Test4
Email Address: [email protected]

Certificate PDS member name: PUB4CERT
The member name may be changed here. The Certificate Store index will be updated to reflect the new location.

Press ENTER to process, or END to return.

If you request “VAL”, SecureZIP for zSeries will attempt to validate the certificate by using the current -{VALENCRYPT=...} setting in the profile. It validates the certificate by generating a -RECIPIENT(...,R,PASSWORD=pppppp) command, and running SECUREZIP for both ZIP and TEST. Please be aware that, if -{VALENCRYPT=} is not active, the certificate will always pass the validation check.

You may also generate and save commands for the RECIPIENT, SIGN_ARCHIVE, SIGN_FILES and AUTHCHK (archive and/or file) parameters. For example, by selecting RC, you will see the -RC appear on the far right of the screen (see below):

Command ===>                                   SCROLL ===> PAGE
Certificate Database: 'SECZIP.MVS.CERTSTOR.DBX'
Selection Mode: Administration

Primary commands: LOCATE , SORT and SAVE.
Scroll RIGHT or LEFT for more info.
Enter line command or '/' for list of valid line commands.

Cmd Type Common Name
------
    CER  PKWARE Test4                          -RC

Enter SAVE on the command line to save the command string to a PDS member where you will decide if the saved command is to be used for ZIP or UNZIP processing (see below):


Command ===>

Select (/) the recipient list store you wish to use: Member names can be changed on the next screen.

/ ZIP        ==> 'SECZIP.PKWARE.PROFILE($RECIPS)'
  UNZIP/View ==> UNDEFINED (Also used for View)

Press ENTER to process - Enter END or press PF3 to exit

Upon selecting the appropriate data set and member name, insert a forward slash “/” next to the desired options (see below):

Save a Recipient Li
Command ===>

Save Recipient List in:
Data set name ==> 'SECZIP.PKWARE.PROFILE'
Member Name   ==> $RECIPS

Enter "/" to select options
  Replace an existing member
  Member list
  Edit/View the saved list
/ Make this list your active list.

Press ENTER to process - Enter END or press PF3 to exit

Once you’ve made your selection(s), press ENTER, and you will have successfully saved the RECIPIENT command to a PDS member:

BROWSE SECZIP.PKWARE.PROFILE($RECIPS) - 01.01
Command ===>
****** ******************************* Top of Data ************************************
-RECIPIENT(DB:CN=PKWARE Test4)
****** ****************************** Bottom of Data **********************************

By requesting SUS, you effectively suspend a certificate from use. As discussed above, if certificates are no longer desired to be referenced at run-time because they are expired, revoked, or not trusted, the system administrator should mark the entries as “Suspended.” To re-enable or “unsuspend” the certificate, enter “UNS” next to the appropriate certificate. Please note that a suspended certificate is still available for VIEW processing of older archives that used it as a recipient.

List Data Base Certificate Entries

SecureZIP Local Certificate Store Option ===>

List Data Base Certificate Entries

Active DB Profile: 'SECZIP.MVS.JCL(CERTCFG1)'

List Public, Private or Both: BOTH For filtering report, output can be limited to Public or Private. Default is both (no filtering).


Sort Report by; Common name, Email, Path: Enter CN for Common Name, EM for Email, PA for Path. Default is physical order of database (public hash).

Press ENTER to continue.

This panel will run the data base report of the selected data base using the criteria entered in the fields. The report will be run in foreground and an ISPF browse session will be invoked to allow you to review the report.

Active Data Base Profile The data base to be reported upon.

List Public, Private or Both This is a report filter that you can use to select the type of report. You may report on all certificates in the store by specifying “BOTH”, only the private certificates by specifying “PRIVATE”, or only the public certificates by specifying “PUBLIC”. Each command can be abbreviated down to the first two characters.

Sort Report The report can be sorted by common name, email, path, or be allowed to default to public hash, in which case no actual sort takes place. The commands can be abbreviated as follows: Common Name - CN, Email - EM, Path - PA.

Example of a report in physical order (no sort)

000001 IDC0005I NUMBER OF RECORDS PROCESSED WAS 4
000002 Certificate Data Base Report for 'SECZIP.MVS.CERTSTOR.DBX'
000003 ------
000004 Public Certificate
000005 Public Key Hash 39A01D5F31B3455B69195AE3A1AF81BED3B28C51
000006 Common Name PKWARE Test2
000007 Common Name Hash 6DE947807CDCFF6B2996BEA359BF39FEB009958B
000008 Email [email protected]
000009 Email Hash 1C6D2FBA039AE4B91E4199E0F9A71B4F46D30AF1
000010 Path //'SECZIP.MVS.CERTSTOR.PUBLIC(PUB2CERT)'
000011 ------
000012 Public Certificate
000013 Public Key Hash 830A0AE9DBF0496954763862126ECE7A34BB7A56
000014 Common Name PKWARE Test1
000015 Common Name Hash F8D28D6D8291BBB2BC69561188EADAC9DCE01858
000016 Email [email protected]
000017 Email Hash A236B17D27B439CAB2EBB8FCE98500D10332E157
000018 Path //'SECZIP.MVS.CERTSTOR.PUBLIC(PUB1CERT)'
000019 ------
000020 Private Certificate
000021 Public Key Hash 39A01D5F31B3455B69195AE3A1AF81BED3B28C51
000022 Common Name PKWARE Test2
000023 Common Name Hash 6DE947807CDCFF6B2996BEA359BF39FEB009958B
000024 Email [email protected]
000025 Email Hash 1C6D2FBA039AE4B91E4199E0F9A71B4F46D30AF1
000026 Path //'SECZIP.MVS.CERTSTOR.PRIVATE(PVT2CERT)'
000027 ------
000028 Private Certificate
000029 Public Key Hash 830A0AE9DBF0496954763862126ECE7A34BB7A56
000030 Common Name PKWARE Test1
000031 Common Name Hash F8D28D6D8291BBB2BC69561188EADAC9DCE01858
000032 Email [email protected]
000033 Email Hash A236B17D27B439CAB2EBB8FCE98500D10332E157
000034 Path //'SECZIP.MVS.CERTSTOR.PRIVATE(PVT1CERT)'
000035 ------

Example of a report in order by Email address

****** ******************************************************* Top of Da
000001 IDC0005I NUMBER OF RECORDS PROCESSED WAS 4
000002 Certificate Data Base Report for 'SECZIP.MVS.CERTSTOR.DBX'
000003 ------
000004 Public Certificate
000005 Public Key Hash 830A0AE9DBF0496954763862126ECE7A34BB7A56
000006 Common Name PKWARE Test1
000007 Common Name Hash F8D28D6D8291BBB2BC69561188EADAC9DCE01858
000008 Email [email protected]
000009 Email Hash A236B17D27B439CAB2EBB8FCE98500D10332E157
000010 Path //'SECZIP.MVS.CERTSTOR.PUBLIC(PUB1CERT)'
000011 ------
000012 Private Certificate
000013 Public Key Hash 830A0AE9DBF0496954763862126ECE7A34BB7A56
000014 Common Name PKWARE Test1
000015 Common Name Hash F8D28D6D8291BBB2BC69561188EADAC9DCE01858
000016 Email [email protected]
000017 Email Hash A236B17D27B439CAB2EBB8FCE98500D10332E157
000018 Path //'SECZIP.MVS.CERTSTOR.PRIVATE(PVT1CERT)'
000019 ------
000020 Private Certificate
000021 Public Key Hash 39A01D5F31B3455B69195AE3A1AF81BED3B28C51
000022 Common Name PKWARE Test2
000023 Common Name Hash 6DE947807CDCFF6B2996BEA359BF39FEB009958B
000024 Email [email protected]
000025 Email Hash 1C6D2FBA039AE4B91E4199E0F9A71B4F46D30AF1
000026 Path //'SECZIP.MVS.CERTSTOR.PRIVATE(PVT2CERT)'
000027 ------
000028 Public Certificate
000029 Public Key Hash 39A01D5F31B3455B69195AE3A1AF81BED3B28C51
000030 Common Name PKWARE Test2
000031 Common Name Hash 6DE947807CDCFF6B2996BEA359BF39FEB009958B
000032 Email [email protected]
000033 Email Hash 1C6D2FBA039AE4B91E4199E0F9A71B4F46D30AF1
000034 Path //'SECZIP.MVS.CERTSTOR.PUBLIC(PUB2CERT)'
000035 ------

Add a Certificate to the Local Store

The following instructions detail how to add new public and private keys to the local certificate store. Please note that when performing certificate administration add or delete activities, SecureZIP will write change activity messages to the ISPF LOG if it is active. If an historical record of certificate store changes is desired, be sure to set the ISPF log data set defaults in the Log/List Settings panel to allocate and retain the LOG data set.

Add New Certificate to the Local Store

SecureZIP Local Certificate Store Option ===>

Add new Certificate to the Local Store

Active Store Configuration: 'SECZIP.FPD.PROFILES(DBPROF)'


Specify Certificate sub-store to be updated:

1 - Public Certificate Store - "CER"
2 - Private Certificate Store - "PFX"
3 - Intermediate Certificate Authorities - "CER" or "P7B"
4 - Trusted Root Certificate Authorities - "CER" or "P7B"

Press ENTER to identify the certificate source file.

The Local Certificate Store is organized into 4 sub-stores. When importing new certificates, you must indicate which section is to be updated based on the type of x.509 certificate file being used as input. The annotated suffixes are provided as a guide to help identify the type of source file being imported. The suffix of the data set name is not required, nor is it analyzed during the import process.

This panel is used to select the type of certificate to be added to the local certificate store.

Specify Certificate sub-store to be updated Enter the number representing the certificate to be added.

SecureZIP Local Certificate Store Option ===>

Add new Public Key Certificate to the Local Store

Active Store Configuration: 'SECZIP.FPD.PROFILES(DBPROF)'

Input Certificate PDS/File: Enter the full PDS/Sequential file name of the source certificate.

Certificate PDS member name: Enter an optional member name for ease of reference, such as 3 initials plus the year that the certificate was issued in. If left blank, a name will be generated of the form GENnnnnn.

Press ENTER to continue.

This panel is for adding public key certificates to the local cert store and Data Base.

Input Certificate PDS or File A sequential file or member of a PDS can be used as input. All members of a PDS can be copied by entering (*) for the member name.

For private Certificate(s), enter password Password is required for private certificate store.

Output Certificate PDS member name For a sequential file or a single PDS member addition, the certificate store member name can be chosen; otherwise the store member name will be generated. If an entire PDS is used as input then the inputted PDS member names will be used.


Add a New Certificate to the CA Store

This panel is for adding certificate authority certificates to the store.

Active Store Configuration:|PKSDBPRF

Input Certificate File:_srcfile Enter the full file name of the source certificate(s). For example: your.instlib2.library(castore) Input Certificate Type :_pksctype Enter the file type to be imported. Either CER or P7B

Note: Before you install this certificate you must verify that the certificate is actually from the certification authority and can be trusted. You should install the certificate only once you have confirmed its authenticity. Once you install the certificate, SecureZIP will use it to complete future certificate Trust Chain validation processing associated with the certification authority.

If you install this certificate without confirming the autheticity you may be creating a security risk.

Press ENTER to continue or PF3 to exit without adding the certificate

Add a New Trusted Root Certificate to the Root Store

This panel is for adding trusted root certificates to the store.

Add new Trusted Root to the Local Store More: + Warning: The certificates are from a certification authority (CA) claiming to represent the organizations that will be displayed on the next screen. Once you install the certificate, SecureZIP will use it to complete future certificate Trust Chain validation processing associated with the certification authority. Note: Before you install the certificate you must verify that the certificate is actually from the certification authority and can be trusted. You should install the certificate only once you have confirmed its authenticity. To do this, you should contact the CA listed to verify the certificate autheticity. To help you in your verification please use the Thumbprint HASH. If you install this certificate without confirming the authenticity you may be creating a security risk. Input Certificate File: 'SECZIP.FPD.SEC.PKTICAF.CRT' Enter the full Sequential file name of the source certificate(s). For example: your.instlib2.library(rtstore) Input Certificate Type : Enter the file type to be imported. Either CER or P7B

Backup Copy . . . : N ( Y - Copy Store Before Update, N - No Copy) Backup DSN. . . : 'FPD.PKWARE.BACKUP.CERTSTOR' Press ENTER to continue or PF3 to exit without adding the certificate

The following message will appear prior to adding any root certificate: Warning: The certificates are from a certification authority (CA) claiming to represent the organizations that will be displayed on the next screen. Once you install the certificate, SecureZIP will use it to complete future certificate Trust Chain validation processing associated with the certification authority.


Review the warning and enter the source file of the root certificate along with the type of certificate. If you would like to back up your existing root store, place a “Y” in the Backup Copy field and enter a dataset to be used to hold the root store. After reviewing the data presented on the next screen, you will then enter SAVE to process the root certificate. A table of certificates to be added will be displayed. You will use this information to verify the authenticity of the certificates. Once that has been completed, enter SAVE on the command line, or press PF3 to stop the add.

Certificate Source:#tbsource CA Store :#tbcsca ROOT Store :#tbcsroot

If you install the certificate(s) without confirming the autheticity you may be creating a security risk.

Enter%SAVE~to continue adding the ROOT Certificate, Else%PF3~to end

!Scroll%RIGHT!or%LEFT!for more info.

+Type Friendly Name +------

Please note that once all certificate chain components for a private-key certificate are installed to the local certificate store, a verification of the trust chain should be performed to ensure that future signing operations will carry the necessary certificate store information for authentication processing. This can be accomplished by performing the following steps:

1. Perform a ZIP SIGN_ARCHIVE run with the private-key certificate.
2. Perform an UNZIP VIEWDETAIL run against the archive from the previous step with the following command settings:
   -AUTHCHK(ARCHIVE)
   -VERBOSE
   -{AUTHENTICATE=ALL}
3. Perform a manual check on the reported signature certificates saved in the archive to ensure that the root certificate is in the list.
4. Review the messages to ensure that the authentication check passed with message ZPEN035I.

ZPEN035I Archive Directory Authentication Succeeded
ZPAM700I Archive was digitally signed by PKWARE Test3
ZPAM329I 3 Signature Certificates were saved in the archive:
ZPAM321I Cert Name: PKWARE Test3
ZPAM323I Email: [email protected]
ZPAM325I Valid: 12/20/2004-12/13/2024
ZPAM326I Issuer: PKWARE, Inc.
ZPAM321I Cert Name: PKTESTDB Root
ZPAM323I Email: [email protected]
ZPAM325I Valid: 12/20/2004-12/19/2024
ZPAM326I Issuer: PKWARE, Inc.
ZPAM321I Cert Name: PKWARE Test Intermediate Cert
ZPAM323I Email: [email protected]
ZPAM325I Valid: 12/20/2004-12/14/2024
ZPAM326I Issuer: PKWARE, Inc.

To assist in performing this process, the Local Certificate Administration "View Certificate Entries" table display provides a VAL line command. Selecting this command line option will cause a ZIP/UNZIP sequence to run in the foreground and will analyze the results for display.
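The manual checks in steps 3 and 4 can be scripted over the saved VIEWDETAIL output. The following is an added example, not PKWARE code: it assumes the message layouts shown above, the function names are hypothetical, and the sample lines (including the e-mail addresses) are constructed.

```python
import re
from datetime import date, datetime

# Message id (for example ZPEN035I) followed by the message text.
MSG = re.compile(r"^(ZP[A-Z]{2}\d{3}[A-Z])\s+(.*)$")
# Detail lines that follow a "ZPAM321I Cert Name:" line.
FIELDS = {"ZPAM323I": ("Email:", "email"),
          "ZPAM325I": ("Valid:", "valid"),
          "ZPAM326I": ("Issuer:", "issuer")}

def parse_viewdetail(lines):
    """Collect the authentication result and the saved signature certificates."""
    out = {"auth_ok": False, "signer": None, "declared": None, "certs": []}
    current = None
    for raw in lines:
        m = MSG.match(raw.strip())
        if not m:
            continue
        msgid, text = m.group(1), m.group(2).strip()
        if msgid == "ZPEN035I":
            out["auth_ok"] = True
        elif msgid == "ZPAM700I" and "signed by" in text:
            out["signer"] = text.split("signed by", 1)[1].strip()
        elif msgid == "ZPAM329I":
            n = re.match(r"(\d+)\s+Signature Certificates", text)
            out["declared"] = int(n.group(1)) if n else None
        elif msgid == "ZPAM321I":
            # ZPAM321I is also used for "Recipient:" lines; only keep cert names.
            if text.startswith("Cert Name:"):
                current = {"name": text[len("Cert Name:"):].strip()}
                out["certs"].append(current)
            else:
                current = None
        elif msgid in FIELDS and current is not None:
            label, key = FIELDS[msgid]
            if text.startswith(label):
                current[key] = text[len(label):].strip()
    return out

def validity_window(valid):
    """Split 'MM/DD/YYYY-MM/DD/YYYY' into two dates (format assumed from the sample)."""
    start, end = valid.split("-", 1)
    fmt = "%m/%d/%Y"
    return datetime.strptime(start, fmt).date(), datetime.strptime(end, fmt).date()

def check_trust_chain(lines, expected_root, today):
    """Return a list of problems; an empty list means steps 3 and 4 passed."""
    r = parse_viewdetail(lines)
    names = [c["name"] for c in r["certs"]]
    problems = []
    if not r["auth_ok"]:
        problems.append("ZPEN035I not found: archive authentication did not succeed")
    if r["declared"] is None:
        problems.append("ZPAM329I not found: no signature certificates reported")
    elif r["declared"] != len(names):
        problems.append(f"ZPAM329I declares {r['declared']} certificates, {len(names)} listed")
    if r["signer"] and r["signer"] not in names:
        problems.append(f"signer '{r['signer']}' is not among the saved certificates")
    if expected_root not in names:
        problems.append(f"root certificate '{expected_root}' is not in the saved chain")
    for c in r["certs"]:
        if "valid" not in c:
            continue
        try:
            start, end = validity_window(c["valid"])
        except ValueError:
            problems.append(f"'{c['name']}' has an unreadable validity range: {c['valid']}")
            continue
        if not start <= today <= end:
            problems.append(f"'{c['name']}' is outside its validity window {c['valid']}")
    return problems

# Constructed sample modelled on the messages shown above.
SAMPLE = """\
ZPEN035I Archive Directory Authentication Succeeded
ZPAM700I Archive was digitally signed by PKWARE Test3
ZPAM329I 3 Signature Certificates were saved in the archive:
ZPAM321I Cert Name: PKWARE Test3
ZPAM323I Email: test3@example.invalid
ZPAM325I Valid: 12/20/2004-12/13/2024
ZPAM326I Issuer: PKWARE, Inc.
ZPAM321I Cert Name: PKTESTDB Root
ZPAM323I Email: root@example.invalid
ZPAM325I Valid: 12/20/2004-12/19/2024
ZPAM326I Issuer: PKWARE, Inc.
ZPAM321I Cert Name: PKWARE Test Intermediate Cert
ZPAM323I Email: ca@example.invalid
ZPAM325I Valid: 12/20/2004-12/14/2024
ZPAM326I Issuer: PKWARE, Inc.
""".splitlines()

if __name__ == "__main__":
    for problem in check_trust_chain(SAMPLE, "PKTESTDB Root", date(2005, 3, 1)) or ["chain OK"]:
        print(problem)
```

A missing root shows up twice: as a count mismatch against ZPAM329I and as the expected root name not being listed.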

Delete a Certificate from the Local Store

SecureZIP Local Certificate Store OPTION ===>

Delete a Certificate from the Local Store

Active Store Configuration: 'SECZIP.FPD.PROFILES(DBPSTD)'

Specify Certificate sub-store to be updated:

1 - Public Certificate Store - "CER"
2 - Private Certificate Store - "PFX"
- Intermediate Certificate Authorities - "CER" or "P7B"
- Trusted Root Certificate Authorities - "CER" or "P7B"

The Local Certificate Store is sub-divided into 4 sub-stores. When deleting certificates, you must indicate which section is to be updated based on the type of x.509 certificate file being used.

The Intermediate Certificate Authorities and the Trusted Root Certificate Authorities must be deleted from the View Certificate Entries (ISPF Table) Panel - Option 1

Press ENTER to process.

This panel is used to select the type of certificate to be deleted from the local certificate store.

Specify Certificate sub-store to be updated Enter the number representing the certificate to be deleted.

SecureZIP Local Certificate Store OPTION ===>

Delete a Public Certificate from the Local Store

Active Store Configuration: 'SECZIP.FPD.PROFILES(DBPROF)'

Certificate PDS member to Delete: PDS member in the certificate store to delete. This delete process will also delete the Database entry and all corresponding paths. Only the member name should be entered, which can be found by performing option 2 List DB Certificate Entries

Press ENTER to continue.


This panel is for deleting a public certificate from the local certificate store and data base. Certificates are deleted individually.

Certificate PDS member to Delete Enter the PDS member name to be deleted from the certificate store. Contents of a particular certificate can be derived from the data base report.

SecureZIP Local Certificate Store OPTION ===>

Delete a Private Certificate from the Local Store

Active Store Configuration: 'SECZIP.FPD.PROFILES(DBPROF)'

Certificate PDS member to Delete: PDS member in the certificate store to delete. This delete process will also delete the Database entry and all corresponding paths. Only the member name should be entered, which can be found by performing option 2 List DB Certificate Entries

Enter the password for the Private Certificate:

Password entry indicates that a private-key certificate is to be deleted. WARNING: Once a private certificate is deleted, any files in archives encrypted with only that certificate can never be opened.

Press ENTER to continue.

This panel is for deleting a private certificate from the local certificate store and data base. Certificates are deleted individually.

Certificate PDS member to Delete Enter the PDS member name to be deleted from the certificate store. Contents of a particular certificate can be derived from the Data Base report.

Enter password A password is required to delete a private certificate. WARNING: Once a private certificate is deleted, any files that are in archives encrypted with only that certificate can never be opened.
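Before deleting, the member name and the effect of the delete can be confirmed from the data base report (option 2). The following is an added example, not PKWARE code: it assumes the report layout shown in the report examples earlier in this section, the function names are hypothetical, and the sample report (data set names, hashes, addresses) is constructed.

```python
import re
from collections import defaultdict

SEQ = re.compile(r"^\d{6}\s*")                      # ISPF browse sequence number, if present
PATH = re.compile(r"^//'([^'(]+)\(([^)]+)\)'$")     # //'DATA.SET.NAME(MEMBER)'
# Longest labels first so "Common Name Hash" is not read as "Common Name".
LABELS = ("Public Key Hash", "Common Name Hash", "Common Name",
          "Email Hash", "Email", "Path")

def parse_report(text):
    """Turn the certificate data base report into one dict per entry."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = SEQ.sub("", raw.strip())
        if line in ("Public Certificate", "Private Certificate"):
            cur = {"store": line.split()[0].upper()}
            entries.append(cur)
        elif cur is not None:
            for label in LABELS:
                if line.startswith(label + " "):
                    cur[label] = line[len(label):].strip()
                    break
    for e in entries:
        m = PATH.match(e.get("Path", ""))
        e["member"] = m.group(2) if m else None
    return entries

def members_for(entries, common_name):
    """(store, member) pairs to enter on the Delete panel for one common name."""
    return [(e["store"], e["member"]) for e in entries
            if e.get("Common Name", "").lower() == common_name.lower()]

def deletion_review(entries, store, member):
    """Describe what deleting one store member would affect."""
    target = next((e for e in entries
                   if e["store"] == store and e["member"] == member), None)
    if target is None:
        return {"found": False}
    same_key = [(e["store"], e["member"]) for e in entries
                if e is not target
                and e.get("Public Key Hash") == target.get("Public Key Hash")]
    return {"found": True,
            "common_name": target.get("Common Name"),
            # Deleting a private certificate makes archives encrypted with
            # only that certificate unreadable, so flag it explicitly.
            "removes_private_key": store == "PRIVATE",
            "other_entries_with_same_key": same_key}

def unpaired_private(entries):
    """Private members whose public key hash has no public-store entry."""
    stores = defaultdict(set)
    for e in entries:
        stores[e.get("Public Key Hash")].add(e["store"])
    return [e["member"] for e in entries
            if e["store"] == "PRIVATE"
            and "PUBLIC" not in stores[e.get("Public Key Hash")]]

# Constructed sample report; the hash values are placeholders.
KEY1, KEY9 = "A1" * 20, "B9" * 20
SAMPLE_REPORT = f"""\
000001 IDC0005I NUMBER OF RECORDS PROCESSED WAS 3
000002 Certificate Data Base Report for 'EXAMPLE.CERTSTOR.DBX'
000003 ------
000004 Public Certificate
000005 Public Key Hash {KEY1}
000006 Common Name PKWARE Test1
000007 Common Name Hash {"C1" * 20}
000008 Email test1@example.invalid
000009 Email Hash {"D1" * 20}
000010 Path //'EXAMPLE.CERTSTOR.PUBLIC(PUB1CERT)'
000011 ------
000012 Private Certificate
000013 Public Key Hash {KEY1}
000014 Common Name PKWARE Test1
000015 Path //'EXAMPLE.CERTSTOR.PRIVATE(PVT1CERT)'
000016 ------
000017 Private Certificate
000018 Public Key Hash {KEY9}
000019 Common Name PKWARE Test9
000020 Path //'EXAMPLE.CERTSTOR.PRIVATE(PVT9CERT)'
000021 ------
"""

if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print(members_for(report, "PKWARE Test1"))
    print(deletion_review(report, "PRIVATE", "PVT1CERT"))
    print(unpaired_private(report))
```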

Synchronize the Index for the Local Certificate Store

SecureZIP Local Certificate Store Option ===>

Synchronize the Index of the Local Store

Active DB Profile: 'SECZIP.MVS.JCL(NEWDB)'

Enter "/" to generate batch full index rebuild

- OR -

Enter "/" to select foreground option(s)
/ Remove unmatched index entries
/ Index unresolved certificates
/ Process Private-key Certificates (password prompt when required)
/ Delete duplicate-key Certificates

This panel directs you to the types of stores to be processed. Select 1 or 2 and press “Enter”.

SecureZIP Local Certificate Store Option ===>

Synchronize the Index of the Local Store

Active DB Profile: 'SECZIP.MVS.JCL(NEWDB)'

_ Enter "/" to generate batch full index rebuild

- OR -

Enter "/" to process foreground option(s)
Remove Unmatched Index Entries
Index Unresolved Certificate Information
Process Private-key Certificates (password prompt when required)
Delete Duplicate-key Certificates
Refresh existing fields from certificate data

This panel (Option 1) serves two functions:
• Rebuilds the Database index in batch from an existing public-key store.
• Performs specific foreground index synchronization tasks.

Batch rebuild

When selecting to rebuild the database in batch, all of the index components are deleted and redefined. The index entries are rebuilt by opening each certificate in the store and parsing the appropriate information. A separate job step is required (see job step 'BUILD SEQ DATABASE FROM PRIVATE STORE') for each separate password represented in the private store.

Warning: Without the correct password for each private-key certificate, the index entries cannot be rebuilt and will be lost. The index entries may be restored by providing the correct password through a Foreground synchronization.

Foreground Operations

In the event that individual certificates or index entries require synchronization, the following cleanup tools are available:

• Remove unmatched index entries
  Select this option to remove index entries for which there is no matching certificate (as, for example, when a certificate member is manually removed from the PDS). This feature removes the index entry if the associated PDS or member does not exist.
• Index Unresolved Certificates
  Select this option when certificates for which there is currently no index entry have been added manually to the PDS store. The certificate(s) will be identified from a member list and scanned as if a certificate Add function had been requested.
• Process Private-key Certificates (password prompt when required)
  A sub-option of "Index Unresolved Certificates": Select this option in conjunction with the previous option to index unresolved certificates. A password prompt will be presented for each private-key certificate that has not yet been indexed so that the certificate may be opened. An opportunity is given to bypass each certificate for which the password is not known.
• Delete Duplicate-key Certificates
  A sub-option of "Index Unresolved Certificates": Select this option to physically delete certificates for which there is already a matching index. (It is recommended that any potential orphan index entries first be deleted by using the option "Remove unmatched index entries" to avoid deleting certificates which do not have a true duplicate).
• Refresh existing fields from certificate data
  This option invokes a re-read of the certificate to parse field data and update the index record information. Updated field information includes:
  o Valid Date Range
  o Serial number
  o Use Flags
  o Trust Status (conditionally updated)
  o Revocation Status (conditionally updated)

Generated JCL for Synchronization

****** ********************************* Top of Data ****************************
000001 //FPDCS1 JOB 'ACCOUNTING INFO',CLASS=A,REGION=8M,
000002 // MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID
000003 //*
000004 //******************************************************************
000005 //* PLEASE BE SURE PROCEDURE PKISPF IN INSTLIB HAS BEEN TAILORED *
000006 //* TO MEET YOUR SITES SPECIFICATIONS. *
000007 //******************************************************************
000008 // JCLLIB ORDER=SECZIP.MVS.INSTLIB
000009 //JOBLIB DD DISP=SHR,DSN='SECZIP.MVS.LOAD'
000010 //*
000011 //* GENERATED JCL TO BUILD DATA BASE FROM CERTIFICATE STORE
000012 //* BUILD SEQ DATABASE FROM PUBLIC STORE
000013 //PDS2DBPB EXEC PKISPF
000014 //STDOUT DD SYSOUT=*
000015 //STDERR DD SYSOUT=*
000016 //ISPF.SYSTSIN DD *
000017 ISPSTART CMD(%RMPDS2DB SECZIP.MVS.CERTSTOR.PUBLIC +
000018 FPD.CERT.SEQDBPUB.TEMP )
000019 //* BUILD SEQ DATABASE FROM PRIVATE STORE
000020 //PDS2DBPV EXEC PKISPF
000021 //STDOUT DD SYSOUT=*
……………………….. …………………………….

Review and SUBmit the JOB.


CA, Root, and CRL Verification

SecureZIP Local Certificate Store Command ===>

Verify CA / Root / Revocation List Store

Active Store Configuration: 'SECZIP.FPD.PROFILES(DBPSTD)'

Select Store for viewing: (Default is all) Certificate-Authority Root Revocation List

Press ENTER to continue.

This panel (Option 2) is used to select the type of store. Place a “Y” for CA, Root, or CRL or simply press “Enter” to verify the stores.

*********************************************************** Top of Data
PKCSDEL - Verify CA / Root / CRL Store 2 Feb 2005 12:07:18
PKCSDEL - CA=SECZIP.FPDSTD.CERTSTOR.P7CA
SUCCESS: CA Store '//'SECZIP.FPDSTD.CERTSTOR.P7CA'' verified successfully. 1 certificates found.

PKCSDEL - ROOT=SECZIP.FPDSTD.CERTSTOR.P7ROOT
SUCCESS: Root Store '//'SECZIP.FPDSTD.CERTSTOR.P7ROOT'' verified successfully. 1 certificates found.

The panel above is the output from the verify process.

Report DB Statistics

SecureZIP Local Certificate Store Option ===>

Local Certificate Store Administration

1 Create and Prime New Local Certificate Store DB
2 List DB Certficate Entries
3 Add new Certificates to the Local Store
4 Delete a Certificate from the Local Store
5 Re-synchronize the Index for the Local Store
6 Report DB Statistics
7 Edit Active DB Profile
8 Supplemental Administration Utilties

Option 6 – Report DB Statistics Generates a view of the local certificate store information. This view will contain details on the certificate datasets, the local store data base, and the path/alternate indexes to the local store data base.

000001 Public Certificate Dataset Information
000002 Data Set Name = SECZIP.MVS.CERTSTOR.PUBLIC
000003 Number of certificates = 2
000004
000005 Dataset Organization = PDS
000006 Record Format = VB
000007 Logical Record Length = 27994
000008 Block Size = 27998
000009 Space Type = CYLINDER
000010 Primary Allocation = 10
000011 Secondary Allocation = 1
000012 Total Allocated = 10
000013 Allocated extents = 1
000014 Used Extents = 1
000015 Directory Blocks
000016 Allocated = 400
000017 Used = 1
000018
000019 Private Certificate Dataset Information
000020 Data Set Name = SECZIP.MVS.CERTSTOR.PRIVATE
000021 Number of certificates = 2
000022
000023 Dataset Organization = PDS
000024 Record Format = VB
000025 Logical Record Length = 27994
000026 Block Size = 27998
000027 Space Type = CYLINDER
000028 Primary Allocation = 10
000029 Secondary Allocation = 1
000030 Total Allocated = 10
000031 Allocated extents = 1
000032 Used Extents = 1
000033 Directory Blocks
000034 Allocated = 400
000035 Used = 1
000036
000037 Public Certificate Store DataBase Information
000038 Data Set Name = SECZIP.MVS.CERTSTOR.DBX
000039 Cluster Name = SECZIP.MVS.CERTSTOR.DBX
000040
000041 Data Name = SECZIP.MVS.CERTSTOR.DBX.DATA
000042 Space Type = CYLINDER
000043 Primary Allocation = 1
000044 Secondary Allocation = 2
000045 Percent Free Space = 98
000046 Total Records = 4
000047 High Allocated RBA = 829440
000048 High Used RBA = 829440
000049
000050 Index Name = SECZIP.MVS.CERTSTOR.DBX.INDEX
000051 Space Type = TRACK
000052 Primary Allocation = 1
000053 Secondary Allocation = 1
000054 Total Records = 1
000055 High Allocated RBA = 33792
000056 High Used RBA = 1024
000057
000058 Public Certificate Store DataBase Alternate Indexes with Path
000059 Alternate Index Name = SECZIP.MVS.CERTSTOR.DBXCN
000060 Cluster Name = SECZIP.MVS.CERTSTOR.DBX
000061
000062 Data Name = SECZIP.MVS.CERTSTOR.DBXCN.DATA
000063 Space Type = CYLINDER
000064 Primary Allocation = 1
000065 Secondary Allocation = 1
000066 Percent Free Space = 98
000067 Total Records = 2
000068 High Allocated RBA = 829440
000069 High Used RBA = 829440
000070
000071 Index Name = SECZIP.MVS.CERTSTOR.DBXCN.INDEX
000072 Space Type = TRACK
000073 Primary Allocation = 1
000074 Secondary Allocation = 1
000075 Total Records = 1
000076 High Allocated RBA = 25088
000077 High Used RBA = 512
000078
000079 Path Name = SECZIP.MVS.CERTSTOR.PATHCN
000080
000081 Public Certificate Store DataBase Alternate Indexes with Path
000082 Alternate Index Name = SECZIP.MVS.CERTSTOR.DBXEM
000083 Cluster Name = SECZIP.MVS.CERTSTOR.DBX
000084
000085 Data Name = SECZIP.MVS.CERTSTOR.DBXEM.DATA
000086 Space Type = CYLINDER
000087 Primary Allocation = 1
000088 Secondary Allocation = 1
000089 Percent Free Space = 98
000090 Total Records = 2
000091 High Allocated RBA = 829440
000092 High Used RBA = 829440
000093
000094 Index Name = SECZIP.MVS.CERTSTOR.DBXEM.INDEX
000095 Space Type = TRACK
000096 Primary Allocation = 1
000097 Secondary Allocation = 1
000098 Total Records = 1
000099 High Allocated RBA = 25088
000100 High Used RBA = 512
000101
000102 Path Name = SECZIP.MVS.CERTSTOR.PATHEM
000103
000104 Public Certificate Store DataBase Alternate Indexes with Path
000105 Alternate Index Name = SECZIP.MVS.CERTSTOR.DBXPUBK
000106 Cluster Name = SECZIP.MVS.CERTSTOR.DBX
000107
000108 Data Name = SECZIP.MVS.CERTSTOR.DBXPUBK.DATA
000109 Space Type = CYLINDER
000110 Primary Allocation = 1
000111 Secondary Allocation = 1
000112 Percent Free Space = 98
000113 Total Records = 2
000114 High Allocated RBA = 829440
000115 High Used RBA = 829440
000116
000117 Index Name = SECZIP.MVS.CERTSTOR.DBXPUBK.INDEX
000118 Space Type = TRACK
000119 Primary Allocation = 1
000120 Secondary Allocation = 1
000121 Total Records = 1
000122 High Allocated RBA = 25088
000123 High Used RBA = 512
000124
000125 Path Name = SECZIP.MVS.CERTSTOR.PATHPUBK
000126

Edit Active DB Profile

Option 7 – Edit Active DB Profile

SecureZIP for zSeries uses a set of configuration commands to determine the location of Public and Private Certificates via an index. The commands can be grouped together within a PDS or PDSE member as a Data Base profile.


Specify the dataset (and member) of a saved DB profile.

File Edit Edit_Settings Menu Utilities Compilers Test Help
------
EDIT SECZIP.FPD.PROFILES(DBPROF) - 01.00 Columns 00001 00080
Command ===> Scroll ===> CSR
****** ********************************* Top of Data **********************************
000001 ***
000002 * LOCAL CERTIFICATE STORE CONFIGURATION CONTROL
000003 *
000004 * Include this member in SecureZIP runs requiring Local Certificate
000005 * Store RECIPIENTS, SIGN_ARCHIVE, SIGN_FILES and AUTHCHK signatories.
000006 ***
000007 -{CSPUB=4;1;SECZIP.FPD.CERTSTOR.PUBLIC}
000008 -{CSPRVT=4;1;SECZIP.FPD.CERTSTOR.PRIVATE}
000009 -{CSPUB_DBX=SECZIP.FPD.CERTSTOR.DBX}
000010 -{CSPUB_DBX_PATH_CN=SECZIP.FPD.CERTSTOR.PATHCN}
000011 -{CSPUB_DBX_PATH_EM=SECZIP.FPD.CERTSTOR.PATHEM}
000012 -{CSPUB_DBX_PATH_PUBKEY=SECZIP.FPD.CERTSTOR.PATHPUBK}
000013 -{CSCA=1;0;SECZIP.FPD.CERTSTOR.P7CA}
000014 -{CSROOT=1;0;SECZIP.FPD.CERTSTOR.P7ROOT}
000015 -{AUTHENTICATE=TRUSTED,EXPIRED,NOTREVOKED,TAMPERCHECK}
****** ******************************** Bottom of Data ********************************

Option 8 – Supplemental Administration Utilities

The Supplemental Administration Utilities option lets you run report statistics (1), run the installation verification job (2), and run the backup and restore process (3).

Report Statistics

See Option 6 “Report Statistics” above.

Run Installation Verification Job

By selecting this option, SecureZIP for zSeries will validate your configuration. Submit the job and review the output.

File Edit Edit_Settings Menu Utilities Compilers Test Help
------
EDIT FPD.SPFTEMP4.CNTL Columns 00001
Command ===> Scroll
****** ********************************* Top of Data
000001 //FPDCS1 JOB 'ACCOUNTING INFO',CLASS=A,REGION=8M,
000002 // MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID
000003 //*
000004 //******************************************************************
000005 //* PLEASE BE SURE PROCEDURE PKISPF IN INSTLIB HAS BEEN TAILORED *
000006 //* TO MEET YOUR SITE'S SPECIFICATIONS. *
000007 //******************************************************************
000008 // JCLLIB ORDER=SECZIP.MVS.INSTLIB
000009 //JOBLIB DD DISP=SHR,DSN='SECZIP.MVS.LOAD'
000010 //*
000011 //***
000012 //* CLEANUP RESIDUAL WORK ARCHIVE
000013 //* STORE.
000014 //***
000015 //CLEAN1 EXEC PGM=IEFBR14
000016 //DEL DD DISP=(MOD,DELETE),DSN=FPD.IVPDB.ZIP,SPACE=(TRK,(0))
000017 //***
000018 //* ZIP A TEST FILE USING A -RECIPIENT FROM THE LOCAL CERTIFICATE
000019 //* STORE.
000020 //***
000021 //SECZIP EXEC PGM=SECZIP

CS IVP Sample Output

Output from SecureZIP for zSeries CS IVP steps.

ZPGE001T ZIP STARTUP STORAGE QUERY: 24BIT= 8208K 31BIT= 32768K CACHE= ZPLI001I SecureZIP(TM) for zSeries, Version 8.1Beta - 02/25/05 12.45 ZPLI001I Copyright 1989-2005 PKWARE Inc. All rights reserved. ZPLI001I SecureZIP(TM) is a trademark of PKWARE (R), Inc. ZPLI001I Registered, Processor Type=2066 Processor Group=00 Serial Number= ZPLI001I OS Level: HBB7707 SP7.0.4 -INCLUDE_CMD=SECZIP.IVP.JCL(DEVCERT1) -ECHO=N -INFILE_DD(INFILE) -ARCHOUTDD(ARCHOUT) -RECIPIENT(DB:CN=PKWARE TEST1,R) -BSAFE_AES128 -ENCRYPTION_METHOD(BSAFE_AES128) -VERBOSE -LOGGING_LEVEL(VERBOSE) -INCLUDE_CMD=SECZIP.MVS.JCL(DBPROF) ZPCM027I Including commands from SECZIP.MVS.JCL(DBPROF) *------* * PROFILE SECZIP.MVS.JCL(DBPROF) * *------* * DATABASE ACCESS CONTROL CARDS -{CSPUB=4;1;SECZIP.MVS.CERTSTOR.PUBLIC} -{CSPRVT=4;1;SECZIP.MVS.CERTSTOR.PRIVATE} -{CSPUB_DBX=SECZIP.MVS.CERTSTOR.DBX} -{CSPUB_DBX_PATH_CN=SECZIP.MVS.CERTSTOR.PATHCN} -{CSPUB_DBX_PATH_EM=SECZIP.MVS.CERTSTOR.PATHEM} -{CSPUB_DBX_PATH_PUBKEY=SECZIP.MVS.CERTSTOR.PATHPUBK} ZPCM011I Processing EXEC PARM parameters ZPCS200I Opening Common Name DB Index (//'SECZIP.MVS.CERTSTOR.PATHCN') ZPEN110I Locating Digital Certificates ... 
ZPCM023I Digital Certificate Store Configuration {CSCA=1;1;SECZIP.MVS.CERTSTOR.PUBLIC(CAP7)} {CSROOT=1;1;SECZIP.MVS.CERTSTOR.PUBLIC(ROOTP7)} {LDAP=1;192.168.1.54;4389;1;0;CN=LDAP Administrator;secret;;O=PKWARE;} {CSPUB=4;1;SECZIP.MVS.CERTSTOR.PUBLIC} {CSPRVT=4;1;SECZIP.MVS.CERTSTOR.PRIVATE} {CSPUB_DBX=SECZIP.MVS.CERTSTOR.DBX} {CSPUB_DBX_PATH_CN=SECZIP.MVS.CERTSTOR.PATHCN} {CSPUB_DBX_PATH_EM=SECZIP.MVS.CERTSTOR.PATHEM} {CSPUB_DBX_PATH_PUBKEY=SECZIP.MVS.CERTSTOR.PATHPUBK} ZPCM023C ------ZPCM024I Digital Certificate Request List ZPCM024C Req'd Public Recipient //'SECZIP.MVS.CERTSTOR.PUBLIC(PUB1CERT)' ZPCM024C FILE FOUND *REQUIRED* ZPCM024C ------ZPCM025I Digital Certificates Found: 1 ZPCM025C PKWARE Test1;[email protected]; ZPCM025C ------ZPAP900I NO API REQUIRED ZPAM030I OUTPUT Archive opened: FPD.IVPDB.ZIP ZPCM017I A total of 1 ADD/UPDATE candidate file(s) were identified. ZPCO100I Compression Task { 5} TCB: 008D4698 Started. ZPCM100I Configuration Manager Shutdown. Posting Main Task: 00000000 ZPAM253I ADDED File SECZIP.MVS.INSTLIB($COPYRIT) ZPAM254I as SECZIP/MVS/INSTLIB/$COPYRIT ZPAM255I (DEFLATED 31%/30%) SecureZIP(TM): BSAFE_AES128 ORIG. SIZE 1,280; ZIP


ZPAM140I FILES: ADDED EXCLUDED BYPASSED IN ERROR ZPAM140I 1 0 0 0 ZPAM101I Archive Manager Task { 3} TCB: 008D4A98 shutdown begun. ZPAM109I Archive Manager Task { 3} TCB: 008D4A98 shutdown complete. ZPCO101I Compression Task { 5} TCB: 008D4698 shutdown begun. ZPCO109I Compression Task { 5} TCB: 008D4698 shutdown complete. ZPMT002I PKZIP processing complete. RC=00000000 0(Dec) ZPGE001T UNZIP STARTUP STORAGE QUERY: 24BIT= 8208K 31BIT= 32768K CACHE= ZPLI001I SecureZIP(TM) for zSeries, Version 8.1Beta - 02/25/05 12.45 ZPLI001I Copyright 1989-2005 PKWARE Inc. All rights reserved. ZPLI001I SecureZIP(TM) is a trademark of PKWARE (R), Inc. ZPLI001I Registered, Processor Type=2066 Processor Group=00 Serial Number= ZPLI001I OS Level: HBB7707 SP7.0.4 -INCLUDE_CMD=SECZIP.IVP.JCL(DEVCERT1) -ECHO=N -ARCHINDD(ARCHIN) -VIEWDETAIL -ACTION(VIEWDETAIL) -VERBOSE -LOGGING_LEVEL(VERBOSE) -INCLUDE_CMD=SECZIP.MVS.JCL(DBPROF) ZPCM027I Including commands from SECZIP.MVS.JCL(DBPROF) *------* * PROFILE SECZIP.MVS.JCL(DBPROF) * *------* * DATABASE ACCESS CONTROL CARDS -{CSPUB=4;1;SECZIP.MVS.CERTSTOR.PUBLIC} -{CSPRVT=4;1;SECZIP.MVS.CERTSTOR.PRIVATE} -{CSPUB_DBX=SECZIP.MVS.CERTSTOR.DBX} -{CSPUB_DBX_PATH_CN=SECZIP.MVS.CERTSTOR.PATHCN} -{CSPUB_DBX_PATH_EM=SECZIP.MVS.CERTSTOR.PATHEM} -{CSPUB_DBX_PATH_PUBKEY=SECZIP.MVS.CERTSTOR.PATHPUBK} ZPCM011I Processing EXEC PARM parameters ZPAP900I NO API REQUIRED ZPCM100I Configuration Manager Shutdown. Posting Main Task: 00000000 ZPAM030I INPUT Archive opened: FPD.IVPDB.ZIP ZPAM014I 1 file(s) are in the input Archive. 
ZPAM012I ZIP comment: SecureZIP for zSeries by PKWARE
ZPAM013I *********************************************************************************
ZPAM001I Filename: SECZIP/MVS/INSTLIB/$COPYRIT
ZPAM002I File type: TEXT
ZPAM003I Date/Time: 11-JUN-2004 05:24:00
ZPAM004I Compression Method: Deflate- Super Fast
ZPAM005I Compressed Size: 900
ZPAM006I Uncompressed Size: 1,313
ZPAM007I 32-bit CRC: A6B5182A LHDR Offset: 0
ZPAM008I Created by: PK zSeries 8.1
ZPAM009I Needed to extract: PKUNZIP 6.1
ZPAM010I Encryption: AES_128 Certificate Key BSAFE(R)
ZPAM301I File Type: NONVSAM PDS
ZPAM302I File PDS Directory Blocks: 25
ZPAM303I File Record Format: FB
ZPAM304I File Allocation Type: BLK
ZPAM305I File Primary Space Allocated: 78
ZPAM306I File Secondary Space Allocated: 20
ZPAM307I File Record Size: 80
ZPAM308I File Block Size: 27920
ZPAM309I File Volume(s) Used: DEV002
ZPAM310I File Creation Date: 2002/07/23
ZPAM311I File Referenced Date: 2004/06/11
ZPAM319I SMS Storage Class: DEV
ZPAM312I File PDS Extended Directory Information:
DIRECTORY INFORMATION FOLLOWS LENGTH=00001E
000000 01010006 0104161F 0104161F 11480010 |...... | H |
000010 00100000 D4C1E240 40404040 40400000 |....MAS ..| @@@@@@@ |
ZPAM313I PDS member TTRKZC: 00210300000F


ZPAM320I 1 recipient(s) were designated:
ZPCS200I Opening Public Key DB Index (//'SECZIP.MVS.CERTSTOR.PATHPUBK')
ZPAM321I Recipient: PKWARE Test1
ZPAM322I Public Key Hash: 830A0AE9DBF0496954763862126ECE7A34BB7A56
ZPAM323I Email: [email protected]
ZPAM324I Cert: //'SECZIP.MVS.CERTSTOR.PUBLIC(PUB1CERT)'
ZPAM013I *********************************************************************************
ZPAM140I FILES: VIEWED EXCLUDED BYPASSED IN ERROR
ZPAM140I 1 0 0 0
ZPAM101I Archive Manager Task { 3} TCB: 008D4A98 shutdown begun.
ZPAM109I Archive Manager Task { 3} TCB: 008D4A98 shutdown complete.
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)

ZPGE001T UNZIP STARTUP STORAGE QUERY: 24BIT= 8208K 31BIT= 32768K CACHE=
ZPLI001I SecureZIP(TM) for zSeries, Version 8.1Beta - 02/25/05 12.45
ZPLI001I Copyright 1989-2005 PKWARE Inc. All rights reserved.
ZPLI001I SecureZIP(TM) is a trademark of PKWARE (R), Inc.
ZPLI001I Registered, Processor Type=2066 Processor Group=00 Serial Number=
ZPLI001I OS Level: HBB7707 SP7.0.4
-INCLUDE_CMD=SECZIP.IVP.JCL(DEVCERT1)
-ECHO=N
-ARCHINDD(ARCHIN)
-RECIPIENT(DB:CN=PKWARE TEST1,R,PASSWORD=******)
-TEST
-ACTION(TEST)
-VERBOSE
-LOGGING_LEVEL(VERBOSE)
-INCLUDE_CMD=SECZIP.MVS.JCL(DBPROF)
ZPCM027I Including commands from SECZIP.MVS.JCL(DBPROF)
*------*
* PROFILE SECZIP.MVS.JCL(DBPROF) *
*------*
* DATABASE ACCESS CONTROL CARDS
-{CSPUB=4;1;SECZIP.MVS.CERTSTOR.PUBLIC}
-{CSPRVT=4;1;SECZIP.MVS.CERTSTOR.PRIVATE}
-{CSPUB_DBX=SECZIP.MVS.CERTSTOR.DBX}
-{CSPUB_DBX_PATH_CN=SECZIP.MVS.CERTSTOR.PATHCN}
-{CSPUB_DBX_PATH_EM=SECZIP.MVS.CERTSTOR.PATHEM}
-{CSPUB_DBX_PATH_PUBKEY=SECZIP.MVS.CERTSTOR.PATHPUBK}
ZPCM011I Processing EXEC PARM parameters
ZPCS200I Opening Common Name DB Index (//'SECZIP.MVS.CERTSTOR.PATHCN')
ZPEN110I Locating Digital Certificates ...
ZPCM023I Digital Certificate Store Configuration
{CSCA=1;1;SECZIP.MVS.CERTSTOR.PUBLIC(CAP7)}
{CSROOT=1;1;SECZIP.MVS.CERTSTOR.PUBLIC(ROOTP7)}
{LDAP=1;192.166.54;4389;1;0;CN=LDAP Administrator;secret;;O=PKWARE;}
{CSPUB=4;1;SECZIP.MVS.CERTSTOR.PUBLIC}
{CSPRVT=4;1;SECZIP.MVS.CERTSTOR.PRIVATE}
{CSPUB_DBX=SECZIP.MVS.CERTSTOR.DBX}
{CSPUB_DBX_PATH_CN=SECZIP.MVS.CERTSTOR.PATHCN}
{CSPUB_DBX_PATH_EM=SECZIP.MVS.CERTSTOR.PATHEM}
{CSPUB_DBX_PATH_PUBKEY=SECZIP.MVS.CERTSTOR.PATHPUBK}
ZPCM023C ------
ZPCM024I Digital Certificate Request List
ZPCM024C Req'd Private Recipient //'SECZIP.MVS.CERTSTOR.PRIVATE(PVT1CERT)'
ZPCM024C FILE FOUND *REQUIRED*
ZPCM024C ------
ZPAP900I NO API REQUIRED
ZPAM030I INPUT Archive opened: FPD.IVPDB.ZIP
ZPCM100I Configuration Manager Shutdown. Posting Main Task: 00000000
ZPEX100I Extract Task { 5} TCB: 008D4678 Started.
ZPEN109T BSAFE(R) CryptoC request code= 3594 kPKErr_BSISetKeyInf
ZPEX001I tested okay SECZIP/MVS/INSTLIB/$COPYRIT


ZPAM140I FILES: TESTED EXCLUDED BYPASSED IN ERROR
ZPAM140I 1 0 0 0
ZPAM101I Archive Manager Task { 3} TCB: 008D4A98 shutdown begun.
ZPAM109I Archive Manager Task { 3} TCB: 008D4A98 shutdown complete.
ZPEX101I Extract Task { 5} TCB: 008D4678 shutdown begun.
ZPEX109I Extract Task { 5} TCB: 008D4678 shutdown complete.
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)

Backup and Restore Process

SecureZIP for zSeries allows you to perform a backup of your existing local certificate store. Selecting Option 9 starts the backup process.

Backup and Restore Profile Option ===>

Establish the Backup and Restore Profile

Fill in the required information below. Then Press ENTER to complete.

If you do not place the dataset(s) in quotes your UID will be used as the High Level Qualifer

Backup JCL ...... :
For example: your.jcl.cntl.library(CSBRBJCL)
Recovery JCL ...... :
For example: your.jcl.cntl.library(CSBRRJCL)

Archive Dataset Name:
For example: uid.Dmmddyy.CSBKUP.ZIP
This would be the dataset used in a restore.

Initial setup screen

Initially you are required to enter the dataset and member information used to store the generated JCL for backup and restore, along with a dataset name for the SecureZIP archive that is created to contain your local certificate store.

SECUREZIP OPTION ===> Backup & Restore Profile

Profile Information
Certstore Profile Dataset.: 'SECZIP.MVS.PROFILES(DBFPD1)'
Last Backup Submit Date...:
Archive Dataset - Enter V to View: 'FPD.CSBKUP.ZIP'
Process Options
You can Create, Submit, Edit or View the backup and restore job stream
Note: To track the last backup submit date you must use the submit option rather than issue the "SUB" command from an edit or view session
Function C - Create, S - Submit, E - Edit, V -View
Backup JCL ...... : 'FPD.JCLZ.CNTL(BK1)'
Restore JCL ...... : 'FPD.JCLZ.CNTL(RS1)'

Archive Allocation Options for Backup
Management class . . . PRIVATE (Blank for default management class)
Storage class . . . . PRIVATE (Blank for default storage class)
Volume serial . . . . FPD003 (Blank for system default volume)
Device type . . . . . 3390 (Generic unit or device address)
Data class ...... (Blank for default data class)
Space units . . . . . CYLINDER (BLKS, TRKS, CYLS)
Primary quantity . . 1 (In above units)
Secondary quantity . 50 (In above units)

Main Backup and Restore Panel

This screen controls the types of processes that you can perform against the local certificate store. If you have done a previous backup, then the ZIP archive name will be displayed along with the date of the last backup. The datasets to be backed up are the datasets pointed to by the certstore profile dataset.

Profile Information

This is the certificate store profile dataset that will be used to back up the local certificate store.

Archive Dataset

The name of the archive that you wish to create or use in a restore process. If you select V, a VIEWDETAIL of the designated archive dataset is displayed.

Process Options

The options selected determine the functions performed:
• Backup JCL
  Enter C to Create the backup job stream
  Enter S to Submit the backup job stream
  Enter E to Edit the backup job stream
  Enter V to View the backup job stream
• Restore JCL
  Enter C to Create the backup job stream
  Enter S to Submit the backup job stream
  Enter E to Edit the backup job stream
  Enter V to View the backup job stream

You may also choose to save the JCL using a different member name or dataset name/member name combination.

Option ===>

Certstore Restore Options

Fill in the any change information desired. Press ENTER to complete.

If you do not change any data then the original values will be used

High Level Qualifier...: Specify a different HLQ if desired
SMS Classes
Managment...... :
Storage ...... :
Data ...... :
Restore Volume...... : Specify a different Volser than the original database
Restore Unit ...... : Specify a different Unit Name than the original database

Submit of a Restore JOB

When you submit the restore JCL, this screen appears and gives you the ability to restore the datasets in the archive using a different high level qualifier and/or different allocation options. If you press ENTER without making changes, the restore uses the default options.

Option ===>

Additional Input Control Cards for View Archive

Enter any control card(s) desired for the selected View option. You may wish to view an archive using a Private Key Cert. If the certificate is not in your profile you can place an -INCLUDE_CMD in the input stream.

Additional Control Card:
1:
2:
3:
4:

Archive Dataset View - V

Selecting V to view an existing archive displays a VIEWDETAIL of the designated archive dataset and generates a panel that allows you to place additional SecureZIP for zSeries control cards into the command stream. You can then add private key certificate information if the archive to be viewed has been encrypted.

Directory Certificate Store Configuration - LDAP

This section assists with defining the network connectivity associated with LDAP compliant directory access. Please note that network connections must be defined before LDAP services can be used to locate public key digital certificates for RECIPIENT processing. Command settings are kept in an LDAP profile member for SecureZIP for zSeries to access during ZIP processing. The LDAP connection commands can be coded manually; however, a series of panels and tools is provided to assist in properly formatting the command parameters and to test connectivity to the desired LDAP server.


SecureZIP Certificate Store Administration

Option ===>

Select one of the following options and press Enter:

1 Local Certificate Store Administration
2 LDAP Certificate Store Configuration
3 x.509 Certificate Utilities

To access the LDAP certificate store configuration, enter “2” in the Option field from this panel.

Create/Test LDAP Profile Statements

This panel will allow you to create configuration information, validate existing configuration information, and read information from an existing profile, if it is established.

SecureZIP LDAP Configuration Setup Option ===>

LDAP Certificate Store Administration

1 Edit Active LDAP Profile
2 Create/Test LDAP Profile Statements

Active LDAP Profile: 'SECZIP.MVS.JCL(LDAPPROF)'

-{LDAP=1;SCULPTOR4.PKWARE.COM;389;0;0;;;*CN;O=PKWARE}

To edit an existing LDAP profile, use the dataset and member name on the panel or enter a different dataset and/or member name and select “1” from this panel. To create, test, and save LDAP profile information, select “2” from this panel.

Edit existing LDAP profile

File Edit Edit_Settings Menu Utilities Compilers Test Help
EDIT SECZIP.MVS.JCL(LDAPPROF) - 01.15
****** ********************************* Top of Data
000001 -{LDAP=1;SCULPTOR4.PKWARE.COM;389;0;0;;;*CN;O=PKWARE}
****** ******************************** Bottom of Data

The results from selecting “1” are shown in this panel. You can change any information necessary and PF3 out of edit to save the changes.

Create/Test LDAP Link

This panel assists the SecureZIP for zSeries administrator in configuring and testing LDAP connections. The following functions are covered:
• Create new LDAP Profile Settings
• Read values from an existing LDAP Profile with the LOAD command
• Test an LDAP connection with PING and TEST commands
• Save settings to an LDAP Profile

SecureZIP Create/Test LDAP Link OPTION ===>

Active LDAP Profile: 'SECZIP.MVS.JCL(LDAPPROF)'
LDAP Number 1
Connect Information
* Server Address/IP...:
* Server Port...... : 389
Connect USERID...... :
Connect Password....:
Search Timeout...... : 0
LDAP Search Configuration
Starting Node * >
>
Default Filter Type.: *CN (*EMAIL,*CN)

The following commands may be copied to an LDAP Profile: { ... undefined ...}

Create New LDAP Profile Settings

Fill in the required parameters and press ENTER to generate LDAP profile settings. These can then be copied and pasted into an LDAP profile member using the copy and paste functions of your terminal emulator. You may change fields and press ENTER to generate new settings.

SecureZIP Create/Test LDAP Link
OPTION ===> More: +
Active LDAP Profile: 'SECZIP.MVS.JCL(LDAPPROF)'
LDAP Number 1
Connect Information
* Server Address/IP...: SCULPTOR1.PKWARE.COM
* Server Port...... : 389
Connect USERID...... :
Connect Password....:
Search Timeout...... : 0
LDAP Search Configuration
Starting Node * > O=PKWARE
>
Default Filter Type.: *CN (*EMAIL,*CN)

The following commands may be copied to an LDAP Profile:
-{LDAP=1;SCULPTOR4.PKWARE.COM;389;0;0;;;*CN;O=PKWARE}


Load Existing LDAP Profile

With the Load option you read values from an existing LDAP profile.

SecureZIP Create/Test LDAP Link
OPTION ===> LOAD More: +
Active LDAP Profile: 'SECZIP.MVS.JCL(LDAPPROF)'
LDAP Number 1
Connect Information
* Server Address/IP...: SCULPTOR4.PKWARE.COM
* Server Port...... : 4389
Connect USERID...... :
Connect Password....:
Search Timeout...... : 0
LDAP Search Configuration
Starting Node * > O=PKWARE
>
Default Filter Type.: *CN (*EMAIL,*CN)

The following commands may be copied to an LDAP Profile:
-{LDAP=1;SCULPTOR4.PKWARE.COM;389;0;0;;;*CN;O=PKWARE}

When an active LDAP profile is provided on the LDAP configuration setup screen, then a predefined LDAP command can be retrieved for testing or use as a model for a new setting. Specify the LDAP number, type LOAD into the command OPTION and press ENTER. If that LDAP number is in the active profile, the settings will be loaded into the screen.

Testing the LDAP Connection

Once the profile commands have been generated, you may verify that a connection to the intended LDAP server can be established by using the PING and TEST options. When creating a configuration for an LDAP server at a new network address, it is recommended that a PING test be performed first.

OPTION ===> PING

The PING option will perform a "TSO PING" command to verify that the network address can be resolved and the associated IP address reached. Once completed, a BROWSE of the output will be automatically presented. Be aware that some network administrators may turn off PING response capabilities, so it is possible that the PING may time out even if the network name (e.g. www.pkware.com) can be resolved to an IP address.

************************************************
Attempting PING to SCULPTOR4.PKWARE.COM
************************************************
CS V1R4: Pinging host ASI4 (192.168.1.54)
Ping #1 response took 0.000 seconds.

Possible errors can be:
• The network address cannot be resolved by the domain name server
  EZZ3111I Unknown host www.unknown-name.com
• Network services may be down along the routes to reach the IP address.
  HOST unreachable
• The specified host may not be up, or is not accepting PING requests.
  Timed out

OPTION ===> TEST [optional-filter] [LIST]

The TEST option calls the utility program PKZLDAPT to perform a bind request with the specified server, log on (if a userid/password combination is required), and then perform a search based on a filter. Once completed, a BROWSE of the output is automatically presented.

The default LDAP search filter is (&(userCertificate=*)), which gives a summary count of the total number of LDAP entries containing a userCertificate. An optional filter may be specified with the TEST command. Note that the requested filter is automatically surrounded by (&...) to complete the LDAP syntax. See the samples below for typical syntax.

Specifying LIST causes some detailed information for the LDAP entries to be listed. The default is to display a summary count of the number of LDAP entries located that match the search filter.

Test Program Notes:
• Default Filter Type is not used with the TEST option. It is only used during live SecureZIP for zSeries processing of RECIPIENTS.
• The filter is not retained in the LDAP configuration. It is only used for testing the connection during the administration process.
• A long delay (up to a few minutes) may occur if network timeout values are set high. You should contact your network technical support staff regarding network timeout settings.

Sample TEST Syntax

To count all entries with a common name:
OPTION ===> test (cn=*)

To list all entries with a common name:
OPTION ===> test (cn=*) LIST

To restrict the search to common names representing a person:
OPTION ===> test (cn=Joe S*)(objectclass=person) LIST

Output from the TEST Command

PKLDAPTEST LDAP Test Starting 2004/05/05 21:14:26

PKLDAPTEST Parameters:Action - Server Port<4389> - User<> Password<0> - Start Node - Search Filter<(&(cn=*))>
LDAP_intialTest - --LDAP init ..... elasp time 0.000000 seconds
LDAP_intialTest - --LDAP bind ..... elasp time 0.000000 seconds
LDAP_intialTest - --LDAP Search ..... elasp time 0.000000 seconds
LDAP_intialTest - --LDAP Attributes ..... elasp time 0.000000 seconds
LDAP_intialTest - Total Entries=15
PKLDAPTEST LDAP Testing Ending RC=0

Common Error Conditions for TEST

The bind phase to the server may fail with "Can't contact LDAP server" for any of the following reasons:
• The network/IP address specified is invalid. Use PING to gather additional information.
• The network cannot resolve the route to reach the specified address. Use PING to gather additional information.
• The PORT for the LDAP server is not correct. Verify the PORT number with the target system's network administrator regarding the LDAP server PORT assignment.
• The LDAP server is down.

Output from the TEST Command with Errors

PKLDAPTEST LDAP Test Starting 2004/05/05 21:12:42

PKLDAPTEST Parameters:Action - Server Port<389> - User<> Password<0> - Start Node - Search Filter<(&(userCertificate=*))>
LDAP_intialTest - --LDAP init ..... elasp time 0.000000 seconds
LDAP_intialTest - could not bind sculptor4.pkware.com for rc=81
PKLDAPTEST LDAP Testing Ending RC=0

Save Settings to an LDAP Profile

Press PF3 (END) to access the LDAP configuration setup screen. EDIT an LDAP profile member and paste the generated settings. Once you have completed the EDIT, you may return to this screen to generate and test additional connections.

Note: The input values are retained throughout your SecureZIP for zSeries session for reference while working on new configurations. However, they are not saved for future use once the SecureZIP for zSeries dialog has ended.

Please be aware that the LDAP profile may not contain any certificate validation policies for encryption. If the end user specifies only the LDAP profile without a local certificate store, then the SecureZIP default validation settings of TRUSTED and REVOKED will be enforced for the run. This will cause the job to fail during validation of the trusted certificate path because there are no CA and/or root certificates available for processing. If you wish to execute the SecureZIP job with the LDAP profile only, then you need to include the validation policy in the job stream (see sample below), or add the VALENCRYPT policy statement to the LDAP profile.


-INCLUDE_CMD(SECZIP.MVS.PROFILES(LDAP))
-RECIPIENT(LDAP:CN=PKWARE TEST4,R)
-{VALENCRYPT=NOTTRUSTED,EXPIRED,NOTREVOKED}
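The following is an added example, not PKWARE code: a small audit script for profile members and job streams copied off the host as text, which reports LDAP statements that store a bind password, RECIPIENT cards that store a private-key password, and VALENCRYPT cards that replace the TRUSTED and REVOKED defaults. The LDAP field positions are inferred from the sample statements in this chapter, and reading NOTTRUSTED and NOTREVOKED as "check switched off" is an assumption of the example; the sample profile is constructed.

```python
"""Audit SecureZIP profile / job-stream control cards for stored secrets and
relaxed certificate validation. Added example; not PKWARE code."""
import re
from typing import NamedTuple

# Positions inferred from the -{LDAP=...} samples in this chapter (assumption).
# Fields 4 and 5 are not described in this section and are left uninterpreted.
LDAP_FIELDS = ("number", "server", "port", "field4", "field5",
               "user", "password", "filter_type", "start_node")

# The text gives TRUSTED and REVOKED as the enforced defaults; its sample policy
# uses these two keywords instead. Treating them as "check switched off" is
# this example's interpretation.
RELAXED_KEYWORDS = {"NOTTRUSTED", "NOTREVOKED"}

STATEMENT_RE = re.compile(r"\{(\w+)=([^}]*)\}")
RECIPIENT_PW_RE = re.compile(r"recipient\(.*?\bpassword=([^,)\s]+)", re.IGNORECASE)


class Finding(NamedTuple):
    line: int
    code: str
    detail: str   # never contains the secret itself


def parse_ldap(value):
    """Split the body of an LDAP statement into named fields."""
    parts = [p.strip() for p in value.split(";")]
    parts += [""] * (len(LDAP_FIELDS) - len(parts))   # pad short statements
    return dict(zip(LDAP_FIELDS, parts))


def audit_profile(text):
    """Return findings for every card, including commented-out ones."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        # A leading '*' comments the card out, but its text is still stored.
        state = "commented-out" if line.startswith("*") else "active"

        for name, value in STATEMENT_RE.findall(line):
            name = name.upper()
            if name == "LDAP":
                ldap = parse_ldap(value)
                if ldap["password"]:
                    findings.append(Finding(
                        lineno, "LDAP_BIND_PASSWORD",
                        f"{state} LDAP {ldap['number']} "
                        f"({ldap['server']}:{ldap['port']}) stores the bind "
                        f"password for user '{ldap['user']}'"))
            elif name == "VALENCRYPT" and state == "active":
                keywords = {k.strip().upper() for k in value.split(",")}
                relaxed = sorted(RELAXED_KEYWORDS & keywords)
                if relaxed:
                    findings.append(Finding(
                        lineno, "VALIDATION_RELAXED",
                        "policy replaces defaults with " + ",".join(relaxed)))

        if RECIPIENT_PW_RE.search(line):
            findings.append(Finding(
                lineno, "RECIPIENT_PASSWORD",
                f"{state} RECIPIENT card stores a private-key password"))
    return findings


# Constructed sample modelled on the card formats shown in this chapter.
SAMPLE_PROFILE = """\
* PROFILE HLQ.EXAMPLE.JCL(LDAPPROF)
-{LDAP=1;ldap.example.test;389;0;0;;;*CN;O=EXAMPLE}
-{LDAP=2;ldap2.example.test;4389;1;0;CN=Example Admin;ExamplePw1;;O=EXAMPLE;}
-RECIPIENT(LDAP:CN=EXAMPLE USER,R)
-{VALENCRYPT=NOTTRUSTED,EXPIRED,NOTREVOKED}
-recipient(db:cn=Example User,R,PASSWORD=ExamplePw2)
*-recipient(dsn://'HLQ.EXAMPLE.CERT.PFX',password=ExamplePw3)
"""

if __name__ == "__main__":
    for f in audit_profile(SAMPLE_PROFILE):
        print(f"line {f.line}: {f.code}: {f.detail}")
```

Members that produce findings are candidates for tighter dataset access rules, since anyone who can read the profile can read the passwords it holds.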

Runtime Configuration

This panel is used for entering configuration information to be used for the ISPF SECZIP interface. That information includes the active load library, default options files, job card and other miscellaneous information. In SecureZIP for zSeries, an additional panel must be configured. Notice that a message at the bottom of the following panel informs you to Hit ENTER to view the SecureZIP Certificate Store Settings.

Zip/Unzip Runtime Configuration Panel

SecureZIP Runtime Configuration
OPTION ===> More: -
Initial Execution Default Command Settings
Defaults module.....: ACZDFLT (ACZDFLT)
ZIP processing...... : 'SECZIP.MVS.INSTLIB(CMDZIP)'
UNZIP processing....: 'SECZIP.MVS.INSTLIB(CMDUNZIP)'

Foreground Processing Controls
Use TSO Prefix : N (Y/N)
Lowest Acceptable RC: 4 (0,4,8)

SYSPRINT Allocation
Type : CYLS (BLKS,TRKS,CYL)
Primary : 3
Secondary : 1

Batch Job Card information
//FPDCS1 JOB 'ACCOUNTING INFO',CLASS=A,REGION=8M,
// MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID
//*

Hit ENTER for SecureZIP Certificate Store Settings
To EXIT Press PF3 For HELP Press PF1

SecureZIP Runtime Configuration Panel

SecureZIP Runtime Configuration Option ===> Certificate Store Settings ( ENTER to validate PF7/PF8 to scroll)

/ to Edit the configuration file
Private-Cert> 'SECZIP.MVS.JCL(CERTPROF)'
DB Profile > 'SECZIP.MVS.JCL(DBPROF)'
LDAP Profile> 'SECZIP.MVS.JCL(LDAPPROF)'
------
***** Top of Data **************************************************************
Private-key Certificate Recipient(s):
======
*------*
* Profile SECZIP.MVS.JCL(certprof) *
*------*
-recipient(db:cn=PKWARE Test02,R,PASSWORD=PKWARE)
*-recipient(dsn://'SECZIP.IVP.CERT.ADMIN09.PFX',password=P455W0RD)

Local Certificate(DB) Profile:
======
*------*
* PROFILE SECZIP.MVS.JCL(DBPROF) *
*------*
* DATABASE ACCESS CONTROL CARDS

This panel is used for entering certificate profile configuration information. That information includes the locations of the private certificate, the database profile, and the LDAP profile. With the exception of the private certificate location, the locations of the DB and LDAP profiles will be completed for you by the certificate store administration and configuration option “CS” from the Main SecureZIP for zSeries panel.

SecureZIP Runtime Configuration Panel Undefined

SecureZIP Runtime Configuration Option ===> Certificate Store Settings ( ENTER to validate PF7/PF8 to scroll)

/ to Edit the configuration file
Private-Cert> undefined
DB Profile > undefined
LDAP Profile> undefined
------
***** Top of Data **************************************************************
Private-key Certificate Recipient(s):
======
Profile: MISSING DATASET NAME

Local Certificate(DB) Profile:
======
Profile: MISSING DATASET NAME

LDAP Configuration Profile:
======
Profile: MISSING DATASET NAME

***** Bottom of Data ***********************************************************

Prior to completing certificate store administration and configuration option “CS”, the configuration panel is undefined. As you complete the “CS” functions the panel will be populated with your runtime settings.

SecureZIP Runtime Configuration Panel with DB Profile Defined

SecureZIP Runtime Configuration Option ===> Certificate Store Settings ( ENTER to validate PF7/PF8 to scroll)

/ to Edit the configuration file
Private-Cert> undefined
DB Profile > 'SECZIP.MVS.JCL(CCFGFPD1)'
LDAP Profile> undefined
------
***** Top of Data **************************************************************
Private-key Certificate Recipient(s):
======
Profile: Undefined

Local Certificate(DB) Profile:
======
* DATABASE ACCESS CONTROL CARDS
-{CSPUB=4;1;SECZIP.MVS1.CERTSTOR.PUBLIC}
-{CSPRVT=4;1;SECZIP.MVS1.CERTSTOR.PRIVATE}
-{CSPUB_DBX=SECZIP.MVS1.CERTSTOR.DBX}
-{CSPUB_DBX_PATH_CN=SECZIP.MVS1.CERTSTOR.PATHCN}
-{CSPUB_DBX_PATH_EM=SECZIP.MVS1.CERTSTOR.PATHEM}
-{CSPUB_DBX_PATH_PUBKEY=SECZIP.MVS1.CERTSTOR.PATHPUBK}

This is an example of how the runtime configuration panel looks after the local certificate store configuration has been completed.

SecureZIP Runtime Configuration Panel with Private Certificate Location

SecureZIP Runtime Configuration Option ===> Certificate Store Settings ( ENTER to validate PF7/PF8 to scroll)

/ to Edit the configuration file
Private-Cert> 'SECZIP.MVS.JCL(CERTPROF)'
DB Profile > 'SECZIP.MVS.JCL(CCFGFPD1)'
LDAP Profile> 'SECZIP.MVS.JCL(LDAPFPD1)'
------
***** Top of Data **************************************************************
Private-key Certificate Recipient(s):
======
*------*
* Profile SECZIP.MVS.JCL(CERTPROF) *
*------*
-recipient(db:cn=PKWARE TEST,R,PASSWORD=PKWARE)

This is the runtime configuration panel with the private certificate identified that will be used to provide the private key to decrypt the archive. Notice that the RECIPIENT location, the requirement to always find the certificate (R), and the password for the private key are displayed as part of the panel information provided.

x.509 Certificate Utilities

This panel is used for working with CA, ROOT, and CRL files. If you receive a file claiming to contain CA or ROOT certificates you can use the List and View features to allow you to review the data within the file. If you are not sure what type of store the file contains, use “BG” as a best guess to simulate and add. The utility will display detail information about each process. You may view your certificates in a table format, list the data about each certificate in a print format, simulate adding to a store, extract certificates to a temporary store, initialize a store, extract end entity certificates for input to a store, and convert EBCDIC BASE64 to ASCII BASE64.

SecureZIP x.509 Certificate Information Option ===> More: + x.509 Utilities

1 View Certificate(s) - Table Format
2 List Certificate(s)
3 Simulate Certificate Add
4 Work with CRL files
5 Select Certificates from a P7B source
6 Initialize a P7B Store
7 Extract End Entitiy for input to a Public Certificate Store
8 Translate EBCDIC BASE64 Certificate to ASCII BASE64

Enter the Certificate Source file to be used: Data Set Name . . . 'SECZIP.FPD.SEC.PKTICAF.CRT'

This panel can be used to identify information about certificate files you have obtained but are not sure of the content, initialize a P7B store, or extract certificates from an existing P7B source file.

If you know the source is a Certificate Revocation List then select Option 4 to proceed to CRL processing

The Options

Option 1 - View Certificate(s)

This option builds an ISPF table display from the Certificate source file.

------+
Certificate Source : SECZIP.MVS.INSTLIB2(PKWARERT)
Certificate Type : P7B with Best Guess
Primary commands: SORT. Scroll RIGHT or LEFT for more info.
To EXIT Press PF3 For HELP Press PF1

Type Friendly Name
------
P7B PKTESTDB Root

Multiple passes will be completed with the input source file. Each pass will be detailed in the Certificate Type area.

Option 2 - List Certificate(s)

This option displays details about each certificate in the source file in a BROWSE window. In the sample below, the store type used to produce the report is identified for each processing attempt. In this instance, P7B was used as the store type.

------+
ZPCA960I SecureZIP Certificate Administration 4 Mar 2005 09:50:58
ZPCA960I List Certificate Source File 4 Mar 2005 09:50:58
ZPCA960I Certificate Input=SECZIP.MVS.INSTLIB2(PKWARERT)
ZPCA960I ***************************************************************
ZPCA960I P7B Attempt 4 Mar 2005 09:50:58
ZPCA960I ***************************************************************
ZPCA960I Store Detail using DSN=SECZIP.MVS.INSTLIB2(PKWARERT)
--- Certificate 1 ---
PKTESTDB Root
Subject:
C=US
S=Wisconsin
L=Milwaukee
O=PKWARE, Inc.
OU=PKWARE, Inc. -- for test and evaluation purposes only
CN=PKTESTDB Root

------+

Option 3 - Simulate Certificate Add

This option displays details about certificates as they are processed by the simulated ADD environment. Multiple passes will be completed with the input source file. Each pass will be detailed in the certificate type area. You may disregard any error messages that do not relate to the type of certificate that is in the source file. The simulation does not require you to know exactly what is being processed. As a result, the process can flag data as being in error that would not be considered an error if the correct type were used. For example, when you input a P7B certificate file, this process will correctly simulate an install to the root store using P7B as the type but will fail using CER as the type.

using P7B

------+
Certificate Source : SECZIP.FPD.SEC.FPDALL.P7B
Certificate Type : P7B with Best Guess
Primary commands: SORT. Scroll RIGHT or LEFT for more info.
To EXIT Press PF3 For HELP Press PF1

Type Friendly Name
------
CA Class 1 CA Individual Subscriber-Persona Not Validate
ROOT Class 1 Public Primary Certification Authority
------+

using CER

------+
Command ===> SCROLL ===> CSR
Certificate Source : SECZIP.FPD.SEC.PKTICAF.CRT
Certificate Type : P7B with Best Guess
Primary commands: SORT . Scroll RIGHT or LEFT for more info.
To EXIT Press PF3 For HELP Press PF1

Type Friendly Name
------
ZPCA990I Simulate Certificate processing 10 Mar 2005 12:59:53
ZPCA990I Cert Input=SECZIP.FPD.SEC.PKTICAF.CRT
ZPCA990I ********************************************************************
ZPCA990I CER Attempt 10 Mar 2005 12:59:53
ZPCA990I ********************************************************************
ZPCA990I Store Detail using DSN=SECZIP.FPD.SEC.PKTICAF.CRT
ZPCA810E ERROR: Failed to build certificate store '//'SECZIP.FPD.SEC.PKTICAF.CR
ZPCA810E ERROR: Cannot continue. Unable to open certificate store.
ZPCA810E ERROR: Cannot continue. Unable to process certificate file '//'SECZIP
ZPCA991E ********************************************************************
ZPCA991E List Completed with errors 10 Mar 2005 13:05:01
ZPCA991E ********************************************************************

Certain types of errors encountered will present a popup window similar to the one below. To get further information on the error press PF1.

------ -Sim Error-PF1 for detail - ------
**************************************************************************
*Sim Error-PF1 for detail - Certificate simulation encountered an error *
*during the add operation. Error text = ZPCA811E ERROR: Cert Wrap failed*
*to open '//'SECZIP.FPD.SEC.FPDALL.P7B''. CW Error = 0x0. Press Enter to *
*continue *
**************************************************************************

Option 4 - Work with CRL files

The CRL Utilities allow you to view details about installed certificates, simulate the addition of an update list to your CRL store, and update the CRL store. You may view the revocation lists in a table format, list the data about each revocation list in a print format, simulate adding to a store, and update the CRL store.

1 View Installed CRLs from Store - Table Format
2 List Installed CRLs from Store
3 Update the CRL Store
4 Simulate Update
5 Synchronize Data Base

For Options 3 and 4 you must specify the input CRL file.

Input X.509 Certificate Revocation List File
Data Set Name:
File Type : (P7B, CRL or BG for Best Guess)

Option 5 - Select Certificates from a P7B source

This option will take a P7B source file and attempt to separate and copy into the respective stores the certificates contained in the input. These separated certificates can then be used as input into the add processes for updating your local certificate stores.

x.509 Utilities Select Certificates from a P7B Store

Please note: -- Any existing data in the files will be deleted --

Enter the Sequential File Names to be used for output:
These files should be used as temporary stores only
CA = 'FPD.PKWARE.STORCSCA'
ROOT = 'FPD.PKWARE.STORCSRT'
CRL = 'FPD.PKWARE.STORCSRL'
CERT Output = 'FPD.PKWARE.STORCSEE'

This option displays details about certificates as they are processed by the Select environment. Multiple passes will be completed with the input source file. Each pass will be displayed with detail information, and a request box will be displayed where you can stop the process if you are satisfied with the certificates selected to that point. If you allow the process to continue, each subsequent step will reinitialize the output stores and any certificates selected previously will be deleted. Here is an unsuccessful example using P7B as the certificate type.

using P7B

ZPCA940I Select Certificate processing 10 Mar 2005 14:42:56
ZPCA940I Certificate Input=SECZIP.FPD.SEC.PKTICAF.CRT
ZPCA940I P7B Attempt 10 Mar 2005 14:42:56
ZPCA940I ********************************************************************
ZPCA940I Store Detail using DSN=SECZIP.FPD.SEC.PKTICAF.CRT
ZPCA811E ERROR: Cert Wrap failed to open '//'SECZIP.FPD.SEC.PKTICAF.CRT''. CW
ZPCA850E ERROR: Cannot continue. Unable to open certificate file '//'SECZIP.FP
ZPCA850E ERROR: Cannot continue. Unable to determine certificate file count.
ZPCA850E ERROR: Cannot continue. Unable to process certificate file '//'SECZIP
ZPCA941E ********************************************************************
ZPCA941E Select Completed with errors 10 Mar 2005 14:42:56

The popup box will ask you if you wish to continue. If you press enter the output stores will be overwritten.

%**************************************************************
%*PKUT001 ===>                                                *
%*                                                            *
%* Continue with next scenario - CER                          *
%*                                                            *
%*Press ENTER to continue.                                    *
%*Press PF3 or enter CANCEL command to return.                *
%*                                                            *
%*                                                            *
%**************************************************************

using CER

ZPCA940I CER Attempt 10 Mar 2005 14:44:20
ZPCA940I ********************************************************************
ZPCA940I Store Detail using DSN=SECZIP.FPD.SEC.PKTICAF.CRT
ZPCA000I SUCCESS: Added certificate to store '//'FPD.PKWARE.STORCSCA''. DSN=
ZPCA000I SUCCESS: Saved certificate store '//'FPD.PKWARE.STORCSCA'' to disk.
ZPCA000I Added 1 of a possible 1 certificates to the CA store.
ZPCA000I 0 certificates in the CA store before the Add command.
ZPCA000I 1 certificates in the CA store after the Add command.
ZPCA940I ********************************************************************
ZPCA940I Select Completed rc=0 10 Mar 2005 14:44:23
ZPCA940I ********************************************************************

Notice above that the CER attempt was successful. If you press Enter, the output stores, including the certificates that have just been extracted, will be overwritten.

%**************************************************************
%*PKUT001 ===>                                                *
%*                                                            *
%* Continue with next scenario - CRL                          *
%*                                                            *
%*Press ENTER to continue.                                    *
%*Press PF3 or enter CANCEL command to return.                *
%*                                                            *
%*                                                            *
%**************************************************************

Option 6 - Initialize a P7B Store This option conditions a dataset for use as a P7B store.

Initialize a P7B Store

Please note: -- Any data in the file will be deleted --

Enter the Sequential File Name of the Certificate Store:

For example: 'HLQ.CERTSTOR.P7CRL'

Option 7 - Extract End-Entity for Input to a Public Certificate Store This option takes a P7B source file and attempts to copy its end-entity certificates into the destination file. These can then be used as input to the Add Certificate processing to place the certificates in the public key stores.

Please note: The member names generated will always be EE and the certificate number. If you use the same output PDS as a previous attempt the existing members will be replaced with any newly generated members.

Enter the PDS File Name to be used for output: Note: This file will be used as input to the add certificate function

%EE File = 'FPD.PKWARE.STORCSNE'

Please note: -- The member names generated will be composed of the following:
EE pos 1 and 2
Generated Cert ID pos 3 thru 8
For example:
EE1 for the first extracted certificate
EE2 for the second extracted certificate

Press%'ENTER'+for next topic

Option 8 - Translate EBCDIC BASE64 Certificate to ASCII BASE64 This option will take an EBCDIC encoded BASE64 certificate and translate to a BASE64 encoded ASCII certificate.

x.509 Utilities
Translate EBCDIC Certificate to ASCII Certificate

Note: The translation is standard BASE64 conversion with the addition of the SPACE character converted also.

Enter the File Name to be used for input:
EBCDIC Cert =

Enter the File Name to be used for output:
ASCII Cert =

ENTER To Process, To EXIT Press PF3 For HELP Press PF1

Certificate Revocation Lists

SecureZIP Certificate Revocation Lists Option ===>

Store Configuration: 'SECZIP.FPD.PROFILES(DB810X)' Active CRL Store: SECZIP.FPD810.CERTSTOR.P7CRL

1 View Installed CRLs from Store - Table Format
2 List Installed CRLs from Store
3 Update the CRL Store
4 Simulate Update
5 Synchronize Data Base Index

Information requested below only applies to Option 3 and 4 Input X.509 Certificate Revocation List File Data Set Name: UNDEFINED File Type : CRL (P7B, CRL or BG for Best Guess)

Option 1 - View Installed CRLs from Store This option builds an ISPF table display using the certificate revocation List and the current certificate store. The information is displayed on six screens. The first three screens represent the public or private certificate that is revoked, and the following three screens represent the certificate authority that issued the revocation list.

Screen 1
Certificate Store : SECZIP.FPD.CERTSTOR.P7CRL
Certificate Type : CRL with Best Guess ASCII Based Certificate
Primary commands: SORT. Scroll RIGHT or LEFT for more info.
To EXIT Press PF3  For HELP Press PF1
Revoked Certificate Information
Type Serial Number IDHash
PVT  01            DA9F053EEF6684FC2BDF63962E24775EE81160ED

Scroll Left or Right for additional information pertaining to the revoked certificates.

Screen 2
Certificate Store : SECZIP.FPD.CERTSTOR.P7CRL
Certificate Type : CRL with Best Guess ASCII Based Certificate
Primary commands: SORT. Scroll RIGHT or LEFT for more info.
To EXIT Press PF3  For HELP Press PF1
Revoked Certificate Information
Type Common Name
PVT  PKWARE TEST9

Screen 3
Certificate Store : SECZIP.FPD.CERTSTOR.P7CRL
Certificate Type : CRL with Best Guess ASCII Based Certificate
Primary commands: SORT. Scroll RIGHT or LEFT for more info.
To EXIT Press PF3  For HELP Press PF1
Revoked Certificate Information
Type Email Address
PVT  [email protected]

Screen 4
Certificate Store : SECZIP.FPD.CERTSTOR.P7CRL
Certificate Type : CRL
Primary commands: SORT. Scroll RIGHT or LEFT for more info.
To EXIT Press PF3  For HELP Press PF1
CRL Issuer Information
CertID CRL Friendly Name
1      PKWARE Test Intermediate Cert A

Screen 5
Certificate Store : SECZIP.FPD.CERTSTOR.P7CRL
Certificate Type : CRL
Primary commands: SORT. Scroll RIGHT or LEFT for more info.
To EXIT Press PF3  For HELP Press PF1
CRL Issuer Information
CertID Organizational Unit
1      PKWARE, INC. -- FOR TEST AND EVALUATION PURPOSES ONLY

Screen 6
Certificate Store : SECZIP.FPD.CERTSTOR.P7CRL
Certificate Type : CRL
Primary commands: SORT. Scroll RIGHT or LEFT for more info.
To EXIT Press PF3  For HELP Press PF1
CRL Issuer Information
CertID Total Revoked / Last Updated / Next Update
1      1 UNKNOWN UNKNOWN


Option 2 - List Installed CRLs from Store

List details about each Certificate Revocation List in your store. In the sample below, each revocation list is identified by the heading CRL n, where n is the sequential number of the certificate in the store. Each certificate that is revoked has a SerialNumber= line followed by IDHash= of the CA that issued the certificate. This data is used to identify the public or private key certificate that has been revoked. When you choose Option 1, the information on those certificates is displayed if it matches public or private key certificates in your store.

ZPCA920I SecureZIP Certificate Administration 11 Mar 2005 15:47:19
ZPCA920I List Certificate Revocations 11 Mar 2005 15:47:19
ZPCA920I *********************************************************************
ZPCA920I CRL Input=SECZIP.FPD.CERTSTOR.P7CRL
ZPCA920I *********************************************************************
Store Detail using DSN=SECZIP.FPD.CERTSTOR.P7CRL
--- CRL 1 --- PKWARE Test Intermediate Cert A
Issuer: C=US;S=Wisconsin;L=Milwaukee;O=PKWARE, Inc.;OU=PKWARE, Inc. -- for test and
LastUpdate: Unknown
NextUpdate: Unknown
Revoked Serial Numbers (1):
SerialNumber=01; IDHash=DA9F053EEF6684FC2BDF63962E24775EE81160ED;
--- CRL 2 --- PKWARE Test Intermediate Cert F
Issuer: C=US;S=Wisconsin;L=Milwaukee;O=PKWARE, Inc.;OU=PKWARE, Inc. -- for test and
LastUpdate: Tue Feb 8 16:01:09 2005
NextUpdate: Tue Apr 9 16:01:09 2024
Revoked Serial Numbers (1):
SerialNumber=01; IDHash=7A0F9161C04890CAAEF123170CCB83227EEBEB30;
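The Option 2 listing can be checked mechanically once it has been saved off the host. The following Python sketch is an added example, not PKWARE code: it parses a listing laid out one field per line (an assumed layout), looks up a certificate by SerialNumber together with IDHash (serial 01 appears in both sample CRLs, so the serial number alone does not identify a certificate), and flags CRLs whose NextUpdate is unknown or already past. All function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed copy of the Option 2 listing above, one field per line (assumed
# layout). The Issuer lines are cut short in the guide and stay that way here.
SAMPLE_LISTING = """\
ZPCA920I List Certificate Revocations 11 Mar 2005 15:47:19
ZPCA920I CRL Input=SECZIP.FPD.CERTSTOR.P7CRL
Store Detail using DSN=SECZIP.FPD.CERTSTOR.P7CRL
--- CRL 1 --- PKWARE Test Intermediate Cert A
Issuer: C=US;S=Wisconsin;L=Milwaukee;O=PKWARE, Inc.;OU=PKWARE, Inc. -- for test and
LastUpdate: Unknown
NextUpdate: Unknown
Revoked Serial Numbers (1):
SerialNumber=01; IDHash=DA9F053EEF6684FC2BDF63962E24775EE81160ED;
--- CRL 2 --- PKWARE Test Intermediate Cert F
Issuer: C=US;S=Wisconsin;L=Milwaukee;O=PKWARE, Inc.;OU=PKWARE, Inc. -- for test and
LastUpdate: Tue Feb 8 16:01:09 2005
NextUpdate: Tue Apr 9 16:01:09 2024
Revoked Serial Numbers (1):
SerialNumber=01; IDHash=7A0F9161C04890CAAEF123170CCB83227EEBEB30;
"""

CRL_HEADER = re.compile(r"^-+\s*CRL\s+(\d+)\s*-+\s*(.*)$")
FIELD = re.compile(r"^(Issuer|LastUpdate|NextUpdate):\s*(.*)$")
DECLARED = re.compile(r"^Revoked Serial Numbers \((\d+)\):")
REVOKED = re.compile(r"SerialNumber=([0-9A-Fa-f]+);\s*IDHash=([0-9A-Fa-f]{40});")


def _timestamp(text):
    """Parse 'Tue Feb 8 16:01:09 2005'; 'Unknown' or anything else gives None."""
    try:
        return datetime.strptime(text.strip(), "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None


def _key(serial, idhash):
    """Normalise so serial '1' and '01', and mixed-case hashes, compare equal."""
    return int(serial, 16), idhash.upper()


def parse_crl_listing(listing):
    """Return one dict per '--- CRL n ---' block in the listing."""
    crls = []
    for raw in listing.splitlines():
        line = raw.strip()
        header = CRL_HEADER.match(line)
        if header:
            crls.append({"number": int(header.group(1)), "name": header.group(2),
                         "issuer": None, "last_update": None, "next_update": None,
                         "declared": None, "revoked": set()})
            continue
        if not crls:
            continue  # banner lines before the first CRL block
        crl = crls[-1]
        field = FIELD.match(line)
        declared = DECLARED.match(line)
        if field and field.group(1) == "Issuer":
            crl["issuer"] = field.group(2)
        elif field:
            key = "last_update" if field.group(1) == "LastUpdate" else "next_update"
            crl[key] = _timestamp(field.group(2))
        elif declared:
            crl["declared"] = int(declared.group(1))
        else:
            for serial, idhash in REVOKED.findall(line):
                crl["revoked"].add(_key(serial, idhash))
    return crls


def revoking_crls(crls, serial, idhash):
    """Names of the CRLs that revoke this serial number under this IDHash."""
    wanted = _key(serial, idhash)
    return [crl["name"] for crl in crls if wanted in crl["revoked"]]


def freshness_findings(crls, as_of):
    """Flag CRLs with unknown or past NextUpdate, or with missing entries."""
    findings = []
    for crl in crls:
        label = f"CRL {crl['number']} ({crl['name']})"
        if crl["next_update"] is None:
            findings.append(f"{label}: NextUpdate unknown, freshness cannot be checked")
        elif crl["next_update"] < as_of:
            findings.append(f"{label}: stale, NextUpdate was {crl['next_update']:%Y-%m-%d}")
        if crl["declared"] is not None and crl["declared"] != len(crl["revoked"]):
            findings.append(f"{label}: {crl['declared']} revocations declared, "
                            f"{len(crl['revoked'])} parsed")
    return findings


if __name__ == "__main__":
    parsed = parse_crl_listing(SAMPLE_LISTING)
    print(revoking_crls(parsed, "01", "7A0F9161C04890CAAEF123170CCB83227EEBEB30"))
    for finding in freshness_findings(parsed, datetime(2005, 3, 11)):
        print(finding)
```
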

Option 3 - Update the CRL Store Allows you to update the P7CRL store used for Certificate Revocation.

Store Configuration: 'SECZIP.FPD.PROFILES(DBPROF)'
Active CRL Store: SECZIP.FPD.CERTSTOR.P7CRL

1 View Installed CRLs from Store - Table Format
2 List Installed CRLs from Store
3 Update the CRL Store
4 Simulate Update
5 Synchronize Data Base Index

You must enter the file location of the CRL list you wish to use as the input to the process and the type of data contained within.

Input X.509 Certificate Revocation List File
Data Set Name: 'SECZIP.FPD.SEC.CRL1.CRL'
File Type : CRL (P7B, CRL or BG for Best Guess)

You will receive a pop up panel that will ask you the following information.

This panel asks if you want to update the certificate store data base to reflect the revocations in the CRL file. Enter Y or N, and press ENTER. Pressing PF3 or entering the CANCEL command results in an N being entered for you.

Normally, if you are installing a single CRL, you should pick Y, and update the data base. If you are installing multiple CRLs, pick N, and the popup will not appear again until you exit and re-enter Certificate Store Administration.

If you pick 'N', you should run the Synchronize Data Base Index after all CRLs are installed.

Not updating the data base will allow certificates to be viewed and selected, but they will fail during the associated SECZIP run.

After you have hit Enter, you will receive a notification of completion in the message field of the panel: “Done PF1 for info” Messages inform whether certificates were added and, if so, how many.

%************************************************************************** %*No added certificates Total Before = 2 Total After = 2 * %**************************************************************************

%************************************************************************** %* Added 1 of a possible 1 Total Before = 2 Total After = 3 * %**************************************************************************

Option 4 – Simulate Update - This option can be used to test installation of a CRL. Below is a sample output of this option.

ZPCA910I SecureZIP Certificate Administration 11 Mar 2005 16:28:55
ZPCA910I Input Processing of 'SECZIP.FPD.SEC.CRL3.CRL'
ZPCA910I Validation Processing of SECZIP.FPD.CERTSTOR.P7CA
ZPCA910I Output Processing of SECZIP.FPD.CERTSTOR.P7CRL
ZPCA000I SUCCESS: Added certificate '//'SECZIP.FPD.SEC.CRL3.CRL'' to store '//'
ZPCA846W WARNING: Simulation Requested. Nothing will be saved to the store.
ZPCA000I SUCCESS: Saved certificate store '//'SECZIP.FPD.CERTSTOR.P7CRL'' to di
ZPCA846W WARNING: Simulation Requested. Nothing will be saved to the store.
ZPCA000I Added 0 out of 1 certificates to the CRL store.
ZPCA000I 3 entries in the CRL store before the Add command.
ZPCA000I 3 entries in the CRL store after the Add command.

Option 5 - Synchronize Data Base Index This option displays details about each certificate in the source file. If you specify BG as the store type, two passes are completed on the source file and two sets of listings are displayed. The first is for type CER, and the next is for type P7B. After each listing is displayed, press PF3 to return.

Filename Encryption

How SecureZIP for zSeries Encrypts File Names

SecureZIP for zSeries encrypts file names using your current settings for (strong) encryption method and algorithm. File names can be encrypted using either strong password encryption or a recipient list (or both). You must use one of the strong encryption methods: you cannot encrypt file names using traditional password encryption.

Note: Encrypting names of files and folders in an archive encrypts and hides a good deal of other internal information about the archive as well. To encrypt file names, SecureZIP for zSeries encrypts the archive's central directory, where virtually all such metadata about the archive is stored.

Note: Be aware that archive comments are not encrypted even when you encrypt file names. Do not put sensitive information in an archive comment.

When SecureZIP for zSeries Encrypts File Names

With archives that do not already contain encrypted file names:
• SecureZIP for zSeries encrypts file names only when you add files to an archive: SecureZIP for zSeries does not encrypt file names when you encrypt files that are already in an archive, even if the option to encrypt file names is turned on.
• SecureZIP for zSeries encrypts file names only when you add and encrypt files: SecureZIP for zSeries does not encrypt file names when you add files without encrypting them, even if the option to encrypt file names is turned on.

Encrypting File Names When You Update an Archive

If you turn on the setting to encrypt file names and then add files to an archive that already contains files with unencrypted file names, SecureZIP for zSeries encrypts the names of all files in the archive. If the archive contains files whose contents are already encrypted, SecureZIP for zSeries will reject an attempt to add filename encryption.

If you update an archive that already contains files with encrypted file names, SecureZIP for zSeries encrypts the newly added files and their names using the same password or recipient list originally used to encrypt file names in the archive.

Note: Once file names in an archive are encrypted, you cannot currently remove the encryption or change the password or recipient list used. You cannot change the encryption on files that are already in an archive that contains encrypted file names.


Opening and Viewing an Archive that Has Encrypted File Names An archive that contains encrypted file names requires PKZIP for zSeries 8.1 or SecureZIP for zSeries 8.1 or later to open it.

Input required to View Recipients in a Filename Encrypted Archive To view the recipients of an FNE archive you must place VERBOSE in the input.

//FPDTEST3 JOB '0',CLASS=A,REGION=64M,
//         MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID
//UNZIP    EXEC PGM=SECUNZIP
//STEPLIB  DD DISP=SHR,DSN=SECZIP.MVS.LOAD
//         DD DISP=SHR,DSN=SECZIP.MVS.LOAD
//CERT     DD DSN=FPD.FPDPVT08.PFX,DISP=SHR
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
-ARCHIVE_DSN(SECZIP.MVS.FNEREC.ZIP)
-VERBOSE
-ACTION(VIEW)
-RECIPIENT(DD:CERT,R,PASSWORD=PKWARE)

View of Recipients in a Filename Encrypted Archive

ZPGE001T ZIP STARTUP STORAGE QUERY: 24BIT= 8208K 31BIT= 32768K CACHE=
ZPLI001I SecureZIP(TM) for zSeries, Version 8.1Beta - 02/25/05 12.45
ZPLI001I Copyright 1989-2005 PKWARE Inc. All rights reserved.
ZPLI001I SecureZIP(TM) is a trademark of PKWARE (R), Inc.
ZPLI001I Registered, Processor Type=2066 Processor Group=00 Serial Number=
ZPLI001I OS Level: HBB7707 SP7.0.4
- INCLUDE_CMD=SECZIP.IVP.JCL(DEVCERT1)
-ECHO=N
-ARCHIVE_DSN(SECZIP.MVS.FNEREC.ZIP)
-VERBOSE
-LOGGING_LEVEL(VERBOSE)
-ACTION(VIEW)
-RECIPIENT(DD:CERT,R,PASSWORD=******)
ZPCM011I Processing EXEC PARM parameters
ZPEN110I Locating Digital Certificates ...
ZPCM023I Digital Certificate Store Configuration
{CSPUB=4;1;SECZIP.MVS.CERTSTOR.PUBLIC}
{CSPRVT=4;1;SECZIP.MVS.CERTSTOR.PRIVATE}
{CSCA=1;1;SECZIP.MVS.CERTSTOR.PUBLIC(CAP7)}
{CSROOT=1;1;SECZIP.MVS.CERTSTOR.PUBLIC(ROOTP7)}
{CSPUB_DBX=SECZIP.MVS.CERTSTOR.PUBLIC.DBX}
{CSPUB_DBX_PATH_CN=SECZIP.MVS.CERTSTOR.PATHCN}
{CSPUB_DBX_PATH_EM=SECZIP.MVS.CERTSTOR.PATHEM}
{CSPUB_DBX_PATH_PUBKEY=SECZIP.MVS.CERTSTOR.PATHPUBK}
{LDAP=1;192.168.1.54;4389;1;0;CN=LDAP Administrator;secret;;O=PKWARE;}
ZPCM023C ------
ZPCM024I Digital Certificate Request List
ZPCM024C Req'd Private Recipient dd:CERT
ZPCM024C FILE FOUND *REQUIRED*
ZPCM024C ------
ZPAP900I NO API REQUIRED
ZPCM100I Configuration Manager Shutdown. Posting Main Task: 00000000
ZPAM030I INPUT Archive opened: SECZIP.MVS.FNEREC.ZIP
ZPAM710I Archive Directory is Compressed 85%
ZPAM711I Archive Directory is Encrypted: AES_256 Certificate Only
ZPEX100I Extract Task { 5} TCB: 008D0A90 Started.
ZPEX004I Archive Central Directory extracted for processing.
ZPAM014I 234 file(s) are in the input Archive.
ZPAM012I ZIP comment: SecureZIP for zSeries by PKWARE
ZPAM013I *********************************************************************************
ZPAM015I Length Method       Size  Ratio Date       Time  CRC-32     Name
ZPAM016I ------
ZPAM017I 4,183  Deflate-SFST 2,240 46%   08/30/2004 16:24 419ABFDA ! SECZIP/MVS/JCL/ACZDFLT
ZPAM017I 4,183  Deflate-SFST 2,256 46%   08/30/2004 16:24 18A324CE ! SECZIP/MVS/JCL/ACZDFL
ZPAM017I 1,067  Deflate-SFST 1,536 0%    08/30/2004 16:24 183003D8 ! SECZIP/MVS/JCL/ZIPVIEW
………………… ………………… ……………
ZPAM017I 1,067  Deflate-SFST 1,536 0%    08/30/2004 16:24 2F3E1C63 ! SECZIP/MVS/JCL/ZIP12
ZPAM017I 985    Deflate-SFST 1,520 0%    08/30/2004 16:24 5A8D5879 ! SECZIP/MVS/JCL/ZIP123
ZPAM018I ------
ZPAM019I 698,546 450,288 36%
ZPAM013I *********************************************************************************
ZPAM140I FILES: VIEWED EXCLUDED BYPASSED IN ERROR
ZPAM140I 234 0 0 0
ZPAM712I Archive Directory Encryption Recipients:
ZPAM320I 4 recipient(s) were designated:
ZPAM321I Recipient: PKWARE Test01
ZPAM323I Email: [email protected]
ZPAM325I Valid: 07/23/2002-07/23/2003
ZPAM326I Issuer: VeriSign, Inc.
ZPAM321I Recipient: PKWARE Test02
ZPAM323I Email: [email protected]
ZPAM325I Valid: 11/05/2003-11/04/2004
ZPAM326I Issuer: VeriSign, Inc.
ZPAM321I Recipient: PKWARE Test03
ZPAM323I Email: [email protected]
ZPAM325I Valid: 07/22/2003-07/21/2004
ZPAM326I Issuer: VeriSign, Inc.
ZPAM321I Recipient: PKWARE Test04
ZPAM323I Email: [email protected]
ZPAM325I Valid: 07/22/2003-07/21/2004
ZPAM326I Issuer: VeriSign, Inc.
ZPAM101I Archive Manager Task { 3} TCB: 008D0E88 shutdown begun.
ZPAM109I Archive Manager Task { 3} TCB: 008D0E88 shutdown complete.
ZPEX101I Extract Task { 5} TCB: 008D0A90 shutdown begun.
ZPEX109I Extract Task { 5} TCB: 008D0A90 shutdown complete.
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)

View Detail of an Archive that Has Encrypted File Names

ZPAM711I in the output below identifies the type of encryption used for filename encryption.

ZPAM030I INPUT Archive opened: SECZIP.MVS.FNEREC.ZIP
ZPAM710I Archive Directory is Compressed 85%
ZPAM711I Archive Directory is Encrypted: AES_256 Certificate Only
ZPAM014I 234 file(s) are in the input Archive.
ZPAM012I ZIP comment: SecureZIP for zSeries by PKWARE
ZPAM013I *************************************************************
ZPAM001I Filename: SECZIP/MVS/JCL/ACZDFLT
ZPAM002I File type: TEXT
ZPAM003I Date/Time: 30-AUG-2004 16:24:00
ZPAM004I Compression Method: Deflate- Super Fast
ZPAM005I Compressed Size: 2,240
ZPAM006I Uncompressed Size: 4,183
ZPAM007I 32-bit CRC: 419ABFDA LHDR Offset: 0
ZPAM008I Created by: PK zSeries 8.1
ZPAM009I Needed to extract: ZipSpec 6.1
ZPAM010I Encryption: AES_256 Certificate Key BSAFE(R)
ZPAM301I File Type: NONVSAM PDS
ZPAM302I File PDS Directory Blocks: 50
ZPAM303I File Record Format: FB
ZPAM304I File Allocation Type: CYL
ZPAM305I File Primary Space Allocated: 5
ZPAM306I File Secondary Space Allocated: 9
ZPAM307I File Record Size: 80
ZPAM308I File Block Size: 27920
ZPAM309I File Volume(s) Used: FPD002
ZPAM310I File Creation Date: 2003/07/22
ZPAM311I File Referenced Date: 2004/08/30
ZPAM319I SMS Storage Class: PRIVATE
ZPAM312I File PDS Extended Directory Information:
DIRECTORY INFORMATION FOLLOWS LENGTH=00001E
000000 01040029 0102198F 0102205F 14010033 |...... | ) _ 3|
000010 00330000 C6D7C440 40404040 40400000 |....FPD ..| 3 @@@@@@@ |
ZPAM312C -SIZE -CREATED------CHANGED------ID-- -INIT VV.MM
ZPAM312C 51 2002/07/17 2002/07/24 14:01:29 FPD 51 01.04
ZPAM313I PDS member TTRKZC: 00010700000F
ZPAM320I 4 recipient(s) were designated:
ZPAM321I Recipient: PKWARE Test03
ZPAM322I Public Key Hash: 07E091CE30862B61663CF9D356863BF84D3DC8D5
ZPAM323I Email: [email protected]
ZPAM324I Cert: //'SECZIP.MVS.CERTSTOR.PRIVATE(pkwt03)'
ZPAM321I Recipient: PKWARE Test01
ZPAM322I Public Key Hash: 271842663AA344FBC35656BE68B5A46EE7E545F0
ZPAM323I Email: [email protected]
ZPAM324I Cert: //'SECZIP.MVS.CERTSTOR.PUBLIC(pkwt01)'
ZPAM321I Recipient: PKWARE Test02
ZPAM322I Public Key Hash: 5D9E8B89B5948E9E853338A7250D64C5BED5E9E7
ZPAM323I Email: [email protected]
ZPAM324I Cert: //'SECZIP.MVS.CERTSTOR.PUBLIC(pkwt02)'
ZPAM321I Recipient: PKWARE Test04
ZPAM322I Public Key Hash: 6E16CFEFFAA093242B89DEE623C7D7428082F3E3
ZPAM323I Email: [email protected]
ZPAM324I Cert: //'SECZIP.MVS.CERTSTOR.PUBLIC(pkwt04)'
ZPAM013I *************************************************************

Notice in the output above the following fields:
• Created by: The program and release level that placed the file in the archive.
• Needed To Extract: A program compatible with the listed ZIP file format specification. The number listed is not a version of the SecureZIP for zSeries program but rather a version of the ZIP file format. For example, version 8.1 of the program uses features of the 6.20 ZIP file format that are not available in earlier versions. Preceding versions of the program used earlier versions of the ZIP file format.

Decrypting a Filename Encrypted Archive When opening an archive, SecureZIP for zSeries automatically decrypts file names for anyone on a recipient list for the encrypted file names. If file names are encrypted using a password (with or without a recipient list), SecureZIP for zSeries requests a password when anyone who is not on the recipient list tries to open the archive. If the correct password is not entered, SecureZIP does not open the archive.


5 Security Questions and Solutions

This chapter contains answers to questions a system administrator is likely to have about integrating SecureZIP for zSeries into the operating environment.

Which encryption settings should be chosen?

Various external factors such as legislative requirements or corporate policy may influence your decision to select an algorithm or mode of encryption. However, when operating within those requirements, the following PKZIP and SecureZIP information may be of value.
• NIST has instructional information regarding password vs. certificate-based (PKI) encryption. In general, certificate-based encryption is accepted to be more secure than password-based encryption.
• With the exception of supporting the older 96-bit "Standard" PKZIP ENCRYPTION_METHOD, newer algorithms are provided at a minimum of 128 bits.
• PKWARE provides interoperability between OS/390, z/OS, OS/400, iSeries, UNIX and Windows for all algorithms provided with ENCRYPTION_METHOD with its product set at release 8.0 and above. This includes more advanced algorithms with minimum key lengths of 128 bits.
• Older releases of PKZIP products, including PKZIP for VSE and PKZIP for VM, support "Standard" 96-bit encryption for wider cross-platform compatibility when required.
• When RECIPIENT PKI exchanges are required, ENCRYPTION_METHOD must specify algorithms that begin with BSAFE.
• Password-based AES encryption is supported by PKWARE products at release 5.5 or higher.
• BSAFE_AES and AES password-based encryption are 100% compatible. Archives created with PKZIP for zSeries release 5.5 can be bi-directionally exchanged with SecureZIP or PKZIP products using the BSAFE AES algorithms.
• The BSAFE(R) algorithms provided for the OS/390 and zSeries products are high-performance algorithms. The 128-bit BSAFE algorithms even out-perform the older 96-bit PKZIP "Standard" algorithm.


How is encryption activated? Encryption is activated through the use of the PASSWORD (and/or RECIPIENT for SecureZIP) commands. If a value is present for either setting, whether through explicit commands or default settings, then encryption will be attempted in accordance with other applicable settings (such as ENCRYPTION_METHOD). However, if ENCRYPTION_METHOD=NONE is specified, then encryption will be bypassed. Note that certificate-based encryption for recipients is supported only by SecureZIP, not PKZIP. This mode of encryption requires that one of the strong ENCRYPTION_METHODs (minimum 128-bit) be selected.

How many recipients can be specified?

The ZIP file format specification allows for a maximum recipient-list size of 3,275. This size can be restricted further by other file attributes associated with the data, and by run-time capacity limitations (such as virtual storage). Note: Approximately 20 bytes are required for each recipient within the ZIP archive central directory record for each file. This area is limited to 64K in size.

What are the virtual storage requirements to run certificate-based encryption?

When using recipient-based encryption, plan on an initial increase of 4MB of 31-bit storage for up to 15 recipients. LDAP will require an additional 1MB for every 27 recipients above 15. File-based and local certificate stores will require an additional 1MB for every 41 recipients above 15.

How does ENCRYPTION_METHOD pertain to recipient or password encryption?

Public/private key encryption using BSAFE(R) is used to digitally envelop the master session key information. Once the master session key is determined, an independent file session key is derived (which is unique for each file) to encrypt the file data with the symmetric algorithm specified by ENCRYPTION_METHOD. Several algorithms are supplied with SecureZIP. Any algorithm may be specified for use with PASSWORD. However, only those prefixed with "BSAFE" are valid for use with RECIPIENTs.

How do we activate a MASTER_RECIPIENT or “contingency recipient”?

To meet corporate security policies, SecureZIP provides the ability, through the MASTER_RECIPIENT setting, to include a “contingency” or master recipient certificate in a SECZIP job when strong encryption is activated. The MASTER_RECIPIENT may be set directly in the defaults module, or indirectly by specifying MASTER_RECIPIENT in a command stream referenced by SECUREZIP_CONFIG. This default-module-only setting specifies a PDS[E] member that contains SecureZIP certificate store configuration commands to be automatically included in the processing stream. The configuration command values from this member will be included at the start of command input processing prior to //SYSIN statements being read. The data set(member) will be converted into an "INCLUDE_CMD=(pds[e](member)" command internally and will be echoed to the message log in accordance with the ECHO setting. SecureZIP certificate store configuration commands entered from other sources such as //SYSIN will override the values read in from this source. This ensures the organization will always be able to extract and/or decrypt the secured archive/data using the “global” private key certificate.

How does MASTER_RECIPIENT affect activation? When SecureZIP is being used to encrypt data, either with RECIPIENT or PASSWORD, a recipient specified by MASTER_RECIPIENT is automatically included. However, MASTER_RECIPIENT does not trigger encryption to take place.
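The recipient messages in the VIEW output shown earlier (ZPAM711I, ZPAM320I through ZPAM326I) give a way to confirm after the fact that the contingency recipient described here really is on an archive's recipient list. The following Python sketch is an added example, not PKWARE code: it parses a saved SYSPRINT with one message per line (an assumed layout), then reports a missing contingency recipient, a recipient list that is shorter than declared, and recipient certificates already expired on a chosen date. The sample log is constructed, and "Corp Recovery" is a hypothetical certificate name.

```python
import re
from datetime import date, datetime

# Constructed SYSPRINT excerpt modelled on the -VERBOSE -ACTION(VIEW) output in
# this guide. E-mail addresses are placeholders, and "Corp Recovery" and its
# issuer stand for a hypothetical contingency (MASTER_RECIPIENT) certificate.
SAMPLE_SYSPRINT = """\
ZPAM030I INPUT Archive opened: SECZIP.MVS.FNEREC.ZIP
ZPAM711I Archive Directory is Encrypted: AES_256 Certificate Only
ZPAM712I Archive Directory Encryption Recipients:
ZPAM320I 3 recipient(s) were designated:
ZPAM321I Recipient: PKWARE Test01
ZPAM323I Email: test01@example.invalid
ZPAM325I Valid: 07/23/2002-07/23/2003
ZPAM326I Issuer: VeriSign, Inc.
ZPAM321I Recipient: PKWARE Test02
ZPAM323I Email: test02@example.invalid
ZPAM325I Valid: 11/05/2003-11/04/2004
ZPAM326I Issuer: VeriSign, Inc.
ZPAM321I Recipient: Corp Recovery
ZPAM323I Email: recovery@example.invalid
ZPAM325I Valid: 01/01/2005-12/31/2009
ZPAM326I Issuer: Example Internal CA
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)
"""

MESSAGE = re.compile(r"^\s*(ZP[A-Z]{2}\d{3}[A-Z])\s+(.*?)\s*$")
DECLARED = re.compile(r"(\d+) recipient\(s\) were designated")
# Message id -> field name for the per-recipient lines shown in the guide.
FIELDS = {"ZPAM322I": "public_key_hash", "ZPAM323I": "email",
          "ZPAM324I": "cert", "ZPAM326I": "issuer"}


def _value(body):
    """Text after the first 'Label:' of a message body."""
    return body.split(":", 1)[1].strip() if ":" in body else body.strip()


def _validity(text):
    """Parse 'MM/DD/YYYY-MM/DD/YYYY' into (not_before, not_after) dates."""
    try:
        start, end = (datetime.strptime(part.strip(), "%m/%d/%Y").date()
                      for part in text.split("-"))
        return start, end
    except ValueError:
        return None, None


def parse_view(sysprint):
    """Collect the directory encryption mode and every recipient list."""
    report = {"directory_encryption": None, "lists": []}
    current = None  # recipient record currently being filled in
    for line in sysprint.splitlines():
        match = MESSAGE.match(line)
        if not match:
            continue
        msgid, body = match.groups()
        if msgid == "ZPAM711I":
            report["directory_encryption"] = _value(body)
        elif msgid == "ZPAM320I":  # each ZPAM320I opens a new recipient list
            count = DECLARED.search(body)
            report["lists"].append({"declared": int(count.group(1)) if count else None,
                                    "recipients": []})
            current = None
        elif msgid == "ZPAM321I" and report["lists"]:
            current = {"name": _value(body)}
            report["lists"][-1]["recipients"].append(current)
        elif msgid == "ZPAM325I" and current is not None:
            current["not_before"], current["not_after"] = _validity(_value(body))
        elif msgid in FIELDS and current is not None:
            current[FIELDS[msgid]] = _value(body)
    return report


def audit(report, as_of, contingency):
    """Findings for one parsed VIEW; contingency is a name or public key hash."""
    findings = []
    if report["directory_encryption"] is None:
        findings.append("no ZPAM711I message: file name encryption not reported")
    if not report["lists"]:
        findings.append("no ZPAM320I message: recipient list not reported")
    for number, rlist in enumerate(report["lists"], 1):
        people = rlist["recipients"]
        if rlist["declared"] != len(people):
            findings.append(f"list {number}: {rlist['declared']} recipients declared, "
                            f"{len(people)} listed")
        known = {r["name"] for r in people} | {r.get("public_key_hash") for r in people}
        if contingency not in known:
            findings.append(f"list {number}: contingency recipient '{contingency}' not in list")
        for r in people:
            if r.get("not_after") and r["not_after"] < as_of:
                findings.append(f"list {number}: certificate for '{r['name']}' "
                                f"expired {r['not_after'].isoformat()}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_view(SAMPLE_SYSPRINT), date(2005, 3, 11), "Corp Recovery"):
        print(finding)
```

Matching the contingency recipient on its ZPAM322I public key hash, when the detail view supplies one, is more reliable than matching on the display name.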

How do we copy a local certificate store?

Copying a Local Certificate Store:

1. Generate a set of backup/restore jobs
   - CS.1.8.3
   - Generate both a Backup and Restore job
2. Run the backup
3. Copy the Restore job to another file, and edit.
   - In the UNZIP step, insert an UNZIPPED_DSN command. Example: -UNZIPPED_DSN(SECZIP.CWB.CS1,SECZIP.CWB.CS2)
   - Mass change all HLQs in the IDCAMS step from the old HLQ to the new one; in this example, SECZIP.CWB.CS1 -> SECZIP.CWB.CS2. Be sure you don’t accidentally change the -ARCHIVE command in the UNZIP step
4. Run the modified Restore job
5. Call up the ZIP panels
6. Option C (config); press ENTER to get the second screen - Certificate Store Settings
7. On the DB Profile line, enter a / to edit the member
8. Once in the member, change all references to the old Cert Store to the new one.
9. Create a new member -- Command ===> create newmem c99999 on the first line
10. Exit without saving the changed member under the old member name (CANCEL command and confirm no save).
11. Select the new DB Profile member on the Config panel, and you’re in business

How do we remove a local certificate store?

When a local certificate store is no longer required, the associated unused components may be deleted. However, be aware that distributed profiles may still reference these data sets. It is highly recommended that a backup of these components be made before deleting them. An IDCAMS DELETE may be done for:

hlq.CERTSTOR.DBX
hlq.CERTSTOR.PRIVATE
hlq.CERTSTOR.PUBLIC
hlq.CERTSTOR.P7CA
hlq.CERTSTOR.P7ROOT
hlq.CERTSTOR.P7CRL

Note: The delete for the DBX cluster will automatically delete the alternate index and path components. Scan PARMLIB and JCL libraries for configuration profile references to the deleted components. Perform cleanup as needed.

How can the contents of an x.509 certificate file be determined?

The PKSCNPRT member located under the INSTLIB dataset is designed to read and report on end-entity X.509 certificate files. This job works with public key files in CER format (either DER or Base64 encoded), and private key files in PFX or P12 format (either DER or Base64 encoded). See the following sample job:

********************************* Top of Data ***********************
//SCANCERT JOB (8900),PKWARE,MSGCLASS=H,
//         CLASS=B,REGION=8M,NOTIFY=&SYSUID
//         JCLLIB ORDER=SECZIP.MVS.INSTLIB <== VERIFY
//JOBLIB   DD DSN=SECZIP.MVS.LOAD,DISP=SHR <== VERIFY
//***
//* BEFORE RUNNING THIS JOB, EDIT THE FOLLOWING ITEMS:
//*
//* 1. TAILOR THE JOB CARD TO FIT YOUR INSTALLATION STANDARDS.
//* 2. IF NECESSARY, CHANGE HIGH-LEVEL QUALIFIERS FOR THE LOAD
//*    LIBRARY AND FILES FROM "SECZIP.MVS" TO FIT THE PRODUCT
//*    INSTALLATION SUPPORT FILES ON YOUR SYSTEM.
//* 3. CHANGE THE SECOND PARAMETER OF THE %RMCRTPRT STATEMENT TO
//*    MATCH YOUR INSTALLED SECUREZIP LOAD LIBRARY.
//* 4. THE 3RD PARAMETER, IF PROVIDED IS THE PASSWORD OF THE P12/PFX
//*    PRIVATE-KEY CERTIFICATE FILE. "*" MAY BE USED TO
//*    INDICATE THAT THE FILE IS FOR A PUBLIC-KEY CERTIFICATE FILE.
//*    NOTE: THE PASSWORD IS CASE-SENSITIVE AND MUST BE BRACKETED BY
//*    DOUBLE QUOTES. I.E. "your password goes here"
//***
//LISTCER  EXEC PKISPF
//SCANIN   DD DISP=SHR,DSN=SECZIP.MVS.INSTLIB2(PVT3CERT) <= INPUT X.509
//PKSCNPRT DD SYSOUT=* <= OUTPUT LIST
//ISPF.SYSTSIN DD *
ISPSTART CMD(RMCRTPRT DD:SCANIN SECZIP.MVS.LOAD "PKWARE")
//*
******************************** Bottom of Data *********************

The following is the resulting output of the job above, detailing the end-entity certificate information.

********************************* TOP OF DATA **************************
PKSCANCRT scan(0) file is: dd:SCANIN
PKSCANCRT Private Cert will be processed (6)
PKSCANCRT --file #1 found (2106) dd:SCANIN Type=1
--- Certificate 1 --- PKWARE Test3
Subject: CN=PKWARE Test3 [email protected]
Issuer: C=US S=Wisconsin L=Milwaukee O=PKWARE, Inc. OU=PKWARE, Inc. -- for test and evaluation purposes only CN=PKWARE Test Intermediate Cert [email protected]
SerialNumber: 03
NotBefore: Mon Dec 20 09:06:09 2004
NotAfter: Fri Dec 13 09:06:09 2024
KeyUsage: E0 00
SHA-1 Hash of Certificate(Thumbprint): 7B 88 01 52 1B FF 0B B1 2E 42 32 40 03 75 05 0E 60 EE 52 97
Public Key Hash: A7 C6 BB 45 BF 22 98 47 B7 3A FA 74 7C 00 37 8E 91 20 2C 31
End Entity
RMCRTPRT -
RMCRTPRT - Certificate Details
RMCRTPRT - ======
RMCRTPRT - CN=
RMCRTPRT - Email=
RMCRTPRT - FN=
RMCRTPRT - Issuer=
RMCRTPRT - Valid Dates=
RMCRTPRT - SerialNumber=
RMCRTPRT - Usage=
RMCRTPRT - Trust=
RMCRTPRT - Revoke=
RMCRTPRT -
******************************** BOTTOM OF DATA *************************

You may also report on an intermediate CA, trust root CA, and/or a CRL by selecting option 3 (“x.509 Certificate Utilities”) from the SecureZIP Certificate Store Administration panel. Here you will enter the certificate source file in question and select option 2 (“List Certificates”). This option displays details about each certificate in the source file in a BROWSE window. From here you can determine the contents.


Glossary

This glossary provides definitions for items that may have been referenced in the SecureZIP for zSeries documentation. It is not meant to be exhaustive. There are excellent sources of documentation for computing terms on the Internet. For example:

IBM’s Terminology Web Site: http://www.networking.ibm.com/nsg/nsgmain.htm

Absolute Path Name A string of characters that is used to refer to an object, starting at the highest level (or root) of the directory hierarchy. The absolute path name must begin with a slash (/), which indicates that the path begins at the root. This is in contrast to a Relative Path Name.

Access Method A technique that is used to read a record from, or to write a record into, a file. Usually either: SAM (Sequential Access Method - where records are processed one after another in the order in which they appear in the file), or random (the individual records can be processed in any order) such as VSAM.

AES The Advanced Encryption Standard is the official US Government encryption standard for customer data.

Alternate Index An index of a file based on a key different from the base. It allows the file to be processed in a secondary key order.

American Standard Code for Information Interchange (ASCII) The ASCII code (American Standard Code for Information Interchange) was developed by the American National Standards Institute for information exchange among data processing systems, data communications systems, and associated equipment, and is the standard character set used on MS-DOS and UNIX-based operating systems. In a ZIP archive, ASCII is used as the normal character set for compressed text files. The ASCII character set consists of 7-bit control characters and symbolic characters, plus a single parity bit. Since ASCII is used by most microcomputers and printers, text-only files can be transferred easily between different kinds of computers and operating systems. While ASCII code does include characters to indicate backspace, carriage return, etc., it does not include accents and special letters that are not used in English. To accommodate those special characters, Extended ASCII has additional characters (128-255). Only the first 128 characters in the ASCII character set are standard on all systems. Others may be different for a given language set. It may be necessary to create different translation tables (see Translation Table) to provide standard translation between ASCII and other character sets.

American National Standards Institute (ANSI) An organization sponsored by the Computer and Business Equipment Manufacturers Association for establishing voluntary industry standards.

ANSI See “American National Standards Institute.”

Application Programming Interface (API) An interface to the operating system (or a systems-related program) that allows an application program written in a high-level language to use specific data or services of the operating system or the program. The API also allows you to develop an application program written in a high-level language to access SECZIP data and/or functions of the SECZIP system.

Application System/400 (iSeries) One of a family of general purpose systems with a single operating system, Operating System/400, that provides application portability across all models.

Archive (1) The act of transferring files from the computer into a long-term storage medium. Archived files are often compressed to save space. (2) An individual file or group of files which must be extracted and decompressed in order to be used. (3) A file stored on a computer network, which can be retrieved by a file transfer program (FTP) or other means. (4) The SECZIP file that holds the compressed/zipped data file.

Authorized Program Analysis Report (APAR) A request for correction of a defect in a current release of an IBM-supplied program.

Batch Job A predefined group of processing actions submitted to the system to be performed with little or no interaction between you and the system. This is in contrast to an Interactive Job.


Big ENDIAN A binary data format in which the most significant bit comes first.

Binary File A file that contains codes that are not part of the ASCII character set. Binary files can use all 256 possible values for each byte in the file.

Block (1) A group of records that are recorded or processed as a unit. (2) A set of adjacent records stored as a unit on a disk, diskette, or magnetic tape.

Cipher Block Chain (CBC) Cipher Block Chaining refers to a method of encryption of blocks of data that involves an initialization vector that is put together with the first block of data and the encryption key. This method of encryption makes sure that each block of data thereafter is uniquely modified, further protecting the data from fraudulent access.
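The chaining described in the CBC entry, as an added Python example that is not from the PKWARE guide or product code: each plaintext block is XORed with the previous ciphertext block (the initialization vector for the first block) before encryption, so identical plaintext blocks produce different ciphertext blocks. A toy 4-round Feistel cipher built from SHA-256 stands in for AES and is not secure; the key, IVs, plaintext and all function names are constructed for illustration.

```python
import hashlib

BLOCK = 16  # bytes per block (the block size AES uses)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, half, i):
    """Feistel round function: 8 bytes derived from key, round number and half-block."""
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def toy_encrypt_block(key, block):
    """Toy 4-round Feistel block cipher standing in for AES. NOT secure."""
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, right, i))
    return left + right

def toy_decrypt_block(key, block):
    """Inverse of toy_encrypt_block: undo the rounds in reverse order."""
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, left, i)), left
    return left + right

def blocks(data):
    """Split data into BLOCK-sized pieces (padding is out of scope for this sketch)."""
    if len(data) % BLOCK:
        raise ValueError("data length must be a multiple of the block size")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, data):
    """No chaining: every block is encrypted independently (shown for contrast)."""
    return b"".join(toy_encrypt_block(key, b) for b in blocks(data))

def cbc_encrypt(key, iv, data):
    """CBC: XOR each plaintext block with the previous ciphertext block, then encrypt."""
    prev, out = iv, []
    for b in blocks(data):
        prev = toy_encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, data):
    """CBC decryption: decrypt each block, then XOR with the previous ciphertext block."""
    prev, out = iv, []
    for c in blocks(data):
        out.append(_xor(toy_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)

# Constructed sample values.
KEY = b"constructed-sample-key"
IV_A = bytes(range(16))
IV_B = bytes(range(1, 17))
PLAINTEXT = b"ACCOUNT 00000000" * 3   # three identical 16-byte blocks

if __name__ == "__main__":
    print("ECB distinct blocks:", len(set(blocks(ecb_encrypt(KEY, PLAINTEXT)))))
    print("CBC distinct blocks:", len(set(blocks(cbc_encrypt(KEY, IV_A, PLAINTEXT)))))
```

Without chaining, the three identical plaintext blocks encrypt to three identical ciphertext blocks, which reveals the repetition; with CBC all three differ, and changing the IV changes the whole ciphertext.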

Code Page A specification of code points for each graphic character set or for a collection of graphic character sets. Within a given code page, a code point can have only one specific meaning. A code page is also sometimes known as a code set.

Common Business Oriented Language (COBOL) A high-level programming language, based on English, that is used primarily for commercial data processing.

Command Line The blank line on a display console where commands, option numbers, or selections can be entered.

Configuration File (1) A file that specifies the way a program functions. (2) In SECZIP, the file that contains the default values needed for the system to run. These can usually be respecified to meet local user requirements.

Cryptography (1) A method of protecting data. Cryptographic services include data encryption and message authentication. (2) In cryptographic software, the transformation of data to conceal its meaning; secret code. (3) The transformation of data to conceal its information content, to prevent its undetected modification, or to prevent its unauthorized use.

Customer Information Control System (CICS) An IBM licensed program that enables transactions entered at remote workstations to be processed concurrently by user-written application programs. The licensed program includes functions for building, using, and maintaining databases, and for communicating with CICS programs on other operating systems.

Cyclic Redundancy Check (CRC) A Cyclic Redundancy Check is a number derived from a block of data, and stored or transmitted with the data in order to detect any errors in transmission. This can also be used to check the contents of a ZIP archive. It is similar in nature to a checksum. A CRC may be calculated by adding words or bytes of the data. Once the data arrives at the receiving computer, a calculation and comparison is made to the value originally transmitted. If the calculated values are different, a transmission error is indicated. The CRC information is called redundant because it adds no significant information to the transmission or archive itself. It is only used to check that the contents of a ZIP archive are correct. When a file is compressed, a CRC value is calculated from its contents using a standard algorithm. The resulting value (32 bits in length) is the CRC that is stored with that compressed file. When the file is decompressed, the CRC is recalculated (again, based upon the extracted contents), and compared to the original CRC. Error results will be generated showing any file corruption that may have occurred.
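The store-then-recheck cycle described in the CRC entry, as an added Python example that is not SecureZIP code: it reads each member's stored CRC-32 from a ZIP central directory, recomputes the value over the extracted bytes, and reports the member whose data was damaged. The archive, member names and function names are constructed for illustration.

```python
import io
import struct
import zipfile
import zlib

def build_sample_archive():
    """Constructed sample: a two-member ZIP built in memory (members stored uncompressed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("PAYROLL.TXT", b"EMPLOYEE 0001 SALARY 004200\n" * 4)
        zf.writestr("NOTES.TXT", b"constructed sample data\n")
    return buf.getvalue()

def members(archive):
    """Yield (name, method, stored_crc, data_offset, comp_size) from the central directory."""
    eocd = archive.rfind(b"PK\x05\x06")            # end-of-central-directory record
    if eocd < 0:
        raise ValueError("not a ZIP archive: no end-of-central-directory record")
    count, _cd_size, pos = struct.unpack_from("<HII", archive, eocd + 10)
    for _ in range(count):
        if archive[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("bad central directory entry at offset %d" % pos)
        method, _time, _date, crc, csize, _usize, nlen, xlen, clen = struct.unpack_from(
            "<HHHIIIHHH", archive, pos + 10)
        (local,) = struct.unpack_from("<I", archive, pos + 42)
        name = archive[pos + 46:pos + 46 + nlen].decode("cp437")
        # The local header has its own name/extra lengths; member data follows them.
        l_nlen, l_xlen = struct.unpack_from("<HH", archive, local + 26)
        yield name, method, crc, local + 30 + l_nlen + l_xlen, csize
        pos += 46 + nlen + xlen + clen

def verify(archive):
    """Map member name -> True (CRC matches), False (corrupt) or None (not checked)."""
    results = {}
    for name, method, stored_crc, start, csize in members(archive):
        raw = archive[start:start + csize]
        if method not in (0, 8):                   # only Stored and Deflate handled here
            results[name] = None
            continue
        try:
            data = zlib.decompress(raw, -15) if method == 8 else raw
            results[name] = (zlib.crc32(data) & 0xFFFFFFFF) == stored_crc
        except zlib.error:
            results[name] = False                  # damaged beyond decompression
    return results

def damage(archive, target):
    """Return a copy of the archive with one bit flipped in the target member's data."""
    out = bytearray(archive)
    for name, _method, _crc, start, _csize in members(archive):
        if name == target:
            out[start + 5] ^= 0x01
    return bytes(out)

if __name__ == "__main__":
    good = build_sample_archive()
    print("intact :", verify(good))
    print("damaged:", verify(damage(good, "PAYROLL.TXT")))
```

A matching CRC guards against accidental corruption only: anyone who alters a member can recompute its CRC, so authenticity needs a cryptographic check such as a digital signature.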

Data Compression The reduction in size (or space taken) of data volume on the media when performing a save or store operation.

Data Integrity (1) The condition that exists as long as accidental or intentional destruction, alteration, or loss of data does not occur. (2) Within the scope of a unit of work, either all changes to the database management systems are completed or none of them are. The set of change operations are considered an integral set.

Delimiter A character or sequence of characters that marks the beginning or end of a unit of data. This is commonly used in non-record data streams in workstation and UNIX-based systems. It is used in the SECZIP TEXT data format.

Double-byte Character Set (DBCS) A set of characters in which each character is represented by 2 bytes. Languages such as Japanese, Chinese, and Korean, which contain more symbols than can be represented by 256 code points, require double-byte character sets. Because each character requires 2 bytes, the typing, displaying, and printing of DBCS characters requires hardware and programs that support DBCS. Four double-byte character sets are supported by the system: Japanese, Korean, Simplified Chinese, and Traditional Chinese. See also the Single-Byte Character Set (SBCS).

Dump In problem analysis and resolution, to write, at a particular instant, all or part of the contents of main or auxiliary storage onto another data medium (such as tape, printer, or spool) for the purpose of protecting the data or collecting error information.

Dynamic Allocation (DYNALLOC) Dynamic Allocation (DYNALLOC) is a facility utilizing the SVC99 function which allows a program to directly access a dataset without the need for corresponding JCL statements.

Encryption The transformation of data into an unintelligible form so that the original data either cannot be obtained or can be obtained only by decryption.

Enqueue The Enqueue macro (ENQ) is used to restrict access to a resource, so that only the appropriate number of users with the appropriate mode gain access to the resource at one time. It is commonly used to "lock" a resource to prevent modifications from multiple sources to cancel out each other.

Extended Attribute Information attached to an object that provides a detailed description about the object to an application system or user.

Extended Binary Coded Decimal Interchange Code (EBCDIC) The Extended Binary Coded Decimal Interchange Code is a coded character set of 256 8-bit characters. EBCDIC is similar in nature to ASCII code, which is used on many other computers. When ZIP programs compress a text file, they translate data from EBCDIC to ASCII characters within a ZIP archive using a translation table.

Fixed-Length A dataset or data definition characteristic in which all of the records are the same length. See also Variable Length.

GDG Generation Data Groups.


GNU A recursive acronym for the name of the Free Software Foundation's freely distributable replacement for UNIX.

Greenwich Mean Time (GMT) A synonym for Universal Time Coordinated (UTC) which is the mean solar time of the meridian of Greenwich, England, and is the prime basis of standard time throughout the world.

GZIP GZIP (also known as GNU zip) is a compression utility designed to use a different standard for handling compressed file data in an Archive.

ICF Integrated Catalog Facility.

IDCAMS The utility program used by IBM’s Access Method Services to create and manage VSAM datasets.

Installation Verification Procedure (IVP) A sample application, script, or jobstream provided to verify successful installation of a product (may be either software or hardware).

iSeries AS400 Operating environments.

JCL Job Control Language is a command language for mainframes and minicomputers, used for launching applications.

Job Entry Subsystem (JES) An IBM licensed program that receives jobs into the system and processes all output data produced by the jobs. Commonly known as JES2 or JES3.

Julian Date A date format that contains the year in positions 1 and 2, and the day in positions 3 through 5. The day is represented as 1 through 366, right-adjusted, with zeros in the unused high-order positions. For example, the Julian date for April 6, 1987 is 87096.


Kanji Characters originating from the Chinese characters used in the Japanese written language.

Keyed Sequence An order in which records are retrieved based on the contents of key fields in records. For example, a bank name and address file might be in order and keyed by the account number.

Keyword (1) A mnemonic (abbreviation) that identifies a parameter in a command. (2) A user-defined word used as one of the search values to identify a document during a search operation. (3) In COBOL, a reserved word that is required by the syntax of a COBOL statement or entry. (4) In DDS, a name that identifies a function. (5) In REXX, a symbol reserved for use by the language processor in a certain context. Keywords include the names of the instructions and ELSE, END, OTHERWISE, THEN, and WHEN. (6) In query management, one of the predefined words associated with a query command. (7) A name that identifies a parameter used in an SQL statement. Also see parameter.

Lempel-Ziv (LZ) A technique for compressing data. This technique replaces some character strings, which occur repeatedly within the data, with codes. The encoded character strings are then kept in a common dictionary, which is created as the data is being sent.

Linkage Editor A system-related program that resolves cross-references between separately compiled object modules and then assigns final storage addresses to create a single load module.

Little ENDIAN A binary data format in which the least significant bit is on the left.

MVS Multiple Virtual Storage is the generic name for the portion of the OS/390 and z/OS operating systems which runs non Unix-System-Services workloads such as batch and TSO/E. It is in this environment that SecureZIP for zSeries executes.


New ZIP Archive A New ZIP archive is the archive created by a compression program when either an old ZIP archive is updated or when files are compressed and no ZIP archive currently exists. It may be thought of as the “receiving” archive. Also see Old ZIP Archive.

NIST National Institute of Standards and Technology is a part of the U.S. Department of Commerce, formerly called the National Bureau of Standards, that defines standards for voice, data, and video transmissions, encryption, and other kinds of technology.

Null Value A parameter which has no value assigned.

Old ZIP Archive An Old ZIP archive is an existing archive which is opened by a compression program to be updated or for its contents to be extracted. It may be thought of as the “sending” archive. Also see New ZIP Archive.

Packed Decimal Format A decimal value in which each byte within a field represents two numeric digits except the far right byte, which contains one digit in bits 0 through 3 and the sign in bits 4 through 7. For all other bytes, bits 0 through 3 represent one digit; bits 4 through 7 represent one digit. For example, the decimal value +123 is represented as 0001 0010 0011 1111 (or 123F in hexadecimal).

Parameter (1) A value supplied to a command or program that is used either as input or to control the actions of the command or program. (2) In COBOL, a variable or a constant that is used to pass values between calling and called programs. (3) In the Integrated Language Environment (ILE), an identifier that defines the types of arguments that are passed to a called procedure. (4) In REXX, information entered with a command name to define the data on which a command processor operates and to control the execution of the command. (5) In DB2 UDB for iSeries SQL, the keywords and values that further define SQL precompiler commands and SQL statements. Also see keyword.

Parameter List A list of values in a calling program that corresponds exactly to a list in a called program for the purposes of providing addressability and data exchange. It contains parameter names and the order in which they are to be associated in the calling and called program.


Partitioned Dataset A Partitioned Dataset (PDS) is a dataset in direct access storage that is divided into partitions (which are called members), each of which can contain a program, part of a program, JCL, parameters, or other forms of data. When a compression program is compressing a PDS, each member is treated as a separate file within the resultant ZIP archive. When an archive is decompressed to a PDS, each file within the archive creates a separate member within the PDS.

Path Name (1) A string of characters used to refer to an object. The string can consist of one or more elements, each separated by a slash (/), and may begin with a slash. Each element is typically a directory or equivalent, except for the last element, which can be a directory or another object (such as a file). (2) A sequence of directory names followed by a file name, each separated by a slash.

Programming Language/I (PL/I) A programming language designed for use in a wide range of commercial and scientific computer applications.

Program Temporary Fix (PTF) A temporary solution to (or a bypass of) a problem that is necessary to provide a complete solution to correct a defect in a current unaltered release of a program. May also be used to provide an enhancement to a product before a new release of the product is available. Generally, PTFs are incorporated in a future release of the product.

RDW Record Descriptor Word.

Record A group of related data, words, or fields treated as a single unit, such as a name, address, and social security number.

Record Format A document or display that names each part of a file and provides specific information for each field such as length and type of information contained within the field.

Relative Path Name A string of characters that is used to refer to an object, starting at some point in the directory hierarchy other than the root. A relative path name does not begin with a slash (/). The starting point is frequently a user's current directory. This is in contrast to an absolute path name and path name.


Return Code A value generated by operating system software to a program to indicate the results of an operation by that program. The value may also be generated by the program and passed back to the operator.

Rijndael The combined name of the two researchers who developed the Advanced Encryption Standard (AES) for the US Government (Dr. Joan Daemen and Dr. Vincent Rijmen).

Sequential Dataset A sequential dataset holds a single file of records which are organized on the basis of their successive physical positions, such as on magnetic tape.

Single-Byte Character Set (SBCS) A coded character set in which each character is represented by a one-byte code point. A one-byte code point allows representation of up to 256 characters. Languages that are based on an alphabet, such as the Latin alphabet (as contrasted with languages that are based on ideographic characters) are usually represented by a single-byte coded character set. For example, the Spanish language can be represented by a single-byte coded character set. Also see the Double-Byte Character Set (DBCS).

Spanned Record A logical record that is stored across more than one block. This is commonly used to get around system limitations that blocks cannot be larger than x number of bytes. With spanned records, one record spans two or more blocks.

Translation Table Translation tables are used by the SECZIP and SECUNZIP programs for translating characters in compressed text files between the ASCII character sets used within a ZIP archive and the EBCDIC character set used on IBM-based systems. These tables may be created and modified by you as documented in the user's guide.

Truncate To cut off or delete the data that will not fit within a specified line width or display. This may also be attributed to data that does not fit within the specified length of a field definition.

Universal Time Coordinated (UTC) A synonym for Greenwich Mean Time (GMT) which is the mean solar time of the meridian of Greenwich, England, and is the prime basis of standard time throughout the world.


Variable-Length A characteristic of a file in which the individual records (and/or the file itself) can be of varying length. Also see Fixed-Length.

Virtual Storage Access Method The Virtual Storage Access Method (VSAM) is an access method for the direct or sequential processing of fixed-length and variable-length records on direct access devices. The records in a VSAM dataset or file can be organized in logical sequence by a key field (key sequence dataset or KSDS), in the physical sequence in which they are written on the dataset or file (entry-sequence or PS), or by relative-record number (RR). The datasets are managed by the IDCAMS utility program and are used by commands and macros from within application programs.

ZIP Archive A ZIP archive is used to refer to a single dataset that contains a number of files compressed into a much smaller physical space by SECZIP software.
