PKZIP®/SecureZIP™ for zSeries (OS/390 and z/OS)
User’s Guide SZZU-V8R2000
PKWARE Inc.
PKWARE Inc.
648 N Plankinton Avenue, Suite 220
Milwaukee, WI 53203
Sales: 937-847-2374
Sales - Email: pksales@pkware.com
Support: 937-847-2687
Support - http://www.pkware.com/business_and_developers/support
Fax: 414-289-9789
Web Site: http://www.pkware.com
8.2 Edition (2005)
SecureZIP for zSeries™, PKZIP for zSeries™, PKZIP for MVS™, SecureZIP for iSeries™, PKZIP for iSeries™, PKZIP for OS/400™, PKZIP for UNIX™, SecureZIP for Windows™, and PKZIP for Windows™ are just a few of the many members in the PKZIP® family. PKWARE Inc. would like to thank all the individuals and companies -- including our customers, resellers, distributors, and technology partners -- who have helped make PKZIP® the industry standard for Trusted ZIP solutions. PKZIP® enables our customers to efficiently and securely transmit and store information across systems of all sizes, ranging from desktops to mainframes.
This edition applies to the following PKWARE Inc. licensed programs: PKZIP for zSeries™ (Version 8, Release 2, 2005) SecureZIP™ for zSeries (Version 8, Release 2, 2005) SecureZIP™ for zSeries Reader (Version 8, Release 2, 2005) SecureZIP™ for zSeries SecureLink (Version 8, Release 2, 2005)
PKZIP(R) is a registered trademark of PKWARE(R) Inc. SecureZIP is a trademark of PKWARE(R) Inc. Other product names mentioned in this manual may be a trademark or registered trademarks of their respective companies and are hereby acknowledged.
Any reference to licensed programs or other material, belonging to any company, is not intended to state or imply that such programs or material are available or may be used. The copyright in this work is owned by PKWARE Inc., and the document is issued in confidence for the purpose only for which it is supplied. It must not be reproduced in whole or in part or used for tendering purposes except under an agreement or with the consent in writing of PKWARE Inc., and then only on condition that this notice is included in any such reproduction. No information as to the contents or subject matter of this document or any part thereof either directly or indirectly arising there from shall be given or communicated in any manner whatsoever to a third party being an individual firm or company or any employee thereof without the prior consent in writing of PKWARE Inc.
Copyright © 1989 - 2005 PKWARE Inc. All rights reserved.
Contents
PREFACE ...... 1
  Notices ...... 1
  About this Manual ...... 1
  Conventions Used in This Manual ...... 3
  PKZIP and SecureZIP Manuals ...... 3
  Related Publications ...... 4
  Related Information on the Internet ...... 5
  User Help and Contact Information ...... 5
1 AN INTRODUCTION TO PKZIP AND SECUREZIP FOR ZSERIES ...... 6
  Data Compression ...... 7
  ZIP Archives ...... 7
  Cyclic Redundancy Check ...... 8
  Distinctive Features of PKZIP and SecureZIP for zSeries ...... 8
  Distinctive Features of SecureZIP for zSeries ...... 9
  Encryption Using Passwords and/or Digital Certificates ...... 10
  Cross Platform Compatibility ...... 10
2 INTRODUCTION TO DATA SECURITY ...... 12
  SecureZIP for zSeries Security Basics ...... 12
  Operating System Levels ...... 13
  Digital Certificate Formats ...... 13
  SecureZIP for Windows Compatibility ...... 13
  General Information to Help You Get Started ...... 14
  How do we activate MASTER_RECIPIENT Contingency Keys? ...... 14
  Encryption ...... 17
  Authentication ...... 17
  Data Integrity ...... 18
  Digital Signature Validation ...... 18
  Digital Signature Source Validation ...... 19
  Public-Key Infrastructure and Digital Certificates ...... 19
  Public-Key Infrastructure (PKI) ...... 19
  x.509 ...... 20
  Digital Certificates ...... 20
  Certificate Authority (CA) ...... 20
  Private Key ...... 20
  Public Key ...... 21
  Certificate Authority and Root Certificates ...... 21
  Setting Up Stores for Digital Certificates on zOS ...... 21
  Setting Up the Certificate Stores ...... 21
  Updating the Certificate Stores ...... 23
  Types of Encryption Algorithms ...... 23
  FIPS 46-3, Data Encryption Standard (DES) ...... 23
  Triple DES Algorithm (3DES) ...... 24
  Advanced Encryption Standard (AES) ...... 24
  Comparison of the 3DES and AES Algorithms ...... 24
  RC4 ...... 25
  Key Management ...... 25
  Passwords and PINS ...... 26
  Recipient Based Encryption ...... 26
  Random Number Generation ...... 26
  Integrity of Public and Private Keys ...... 27
3 PKZIP AND SECUREZIP FOR ZSERIES RELEASE INFORMATION ...... 28
  Release Summary ...... 28
  New Products ...... 28
  New Features ...... 28
  New Commands and Defaults ...... 31
  Command Changes ...... 34
  Message Changes ...... 36
  Enhancements for Secure Data ...... 36
  Restrictions for PKZIP and SecureZIP for zSeries ...... 36
  Region Size and Storage ...... 38
  SMS Dataclass Considerations ...... 39
  Note for users of PKZIP for MVS and PKZIP for zSeries 5.6 ...... 40
  Reserved DDNAMEs ...... 40
  SYSPRINT ...... 41
  PKSPRINT ...... 41
  PKNODUMP ...... 41
  Use of System Utilities ...... 41
  SORT ...... 41
  Access Method Services ...... 41
  IEBGENER ...... 42
  GRS/ENQ ...... 42
4 LICENSING ...... 43
  Operating Requirements ...... 43
  Change of Release Licensing ...... 43
  Grace Period ...... 43
  Initializing the License ...... 43
5 GETTING STARTED WITH PKZIP AND SECUREZIP ...... 44
  Introduction to PKZIP and SecureZIP for zSeries ...... 44
  Invoking PKZIP/SECZIP or PKUNZIP/SECUNZIP Using JCL ...... 45
  Return Codes ...... 46
  Compressing a Dataset ...... 46
  Notes for Dataset Compression ...... 47
  Viewing the Contents of an Archive ...... 47
  Notes for Viewing the Contents of an Archive ...... 48
  ACTION(VIEWDETAIL) ...... 48
  Decompressing a Dataset ...... 49
  Notes for Decompressing a Dataset ...... 49
  Updating or Refreshing a File ...... 50
  Invoking the PKZIP and SecureZIP for zSeries Utility ...... 50
  Invoking PKZIP/SecureZIP from JCL (Batch or Started Task) ...... 50
  Invoking PKZIP/SecureZIP as Called Programs Under TSO ...... 51
  Invoking ZIP or UNZIP TSO Command Line Interface ...... 51
  Valid ZIP Actions ...... 52
  Valid ZIP Options ...... 53
  Valid UNZIP Actions ...... 53
  Invoking the PKZIP and SecureZIP for zSeries ISPF Panel Interface ...... 55
  Configuration Manager ...... 55
  Making Changes to the Defaults ...... 56
  Assembling Your Changes ...... 56
  Inputs ...... 56
  Configuration Manager Processing: Managing Control Statements ...... 57
  Control Statement Definitions ...... 57
  Troubleshooting ...... 58
  PKZIP and SecureZIP for zSeries Messages ...... 58
  Debugging Controls ...... 58
6 ABOUT SECURITY, CERTIFICATES AND ENCRYPTION ...... 59
  Terms and Acronyms Used in This Chapter ...... 59
  Accessing Certificates ...... 60
  Configuration Profile ...... 60
  Contents of the Configuration Profile ...... 61
  Data Base (DB) Profile (Local Certificate Store) ...... 61
  LDAP Profile (Networked Certificate Store) ...... 61
  Recipient Searches ...... 62
  Local Certificate Stores ...... 63
  Access x.509 Public and Private Key Certificates ...... 63
  Authentication and Certificate Validation Policies ...... 64
  Other Profile Commands ...... 66
  SecureZIP Certificate Store Administration and Configuration ...... 67
  Run-Time Configuration ...... 68
  Runtime Configuration Panel ...... 68
  Runtime Configuration Panel: Certificate Stores ...... 68
  SecureZIP Runtime Configuration Panel Undefined ...... 70
  SecureZIP Runtime Configuration Panel with DB Profile Defined ...... 70
  SecureZIP Runtime Configuration Panel with Private Certificate Location ...... 71
  Filename Encryption ...... 71
  How SecureZIP for zSeries Encrypts File Names ...... 71
  When SecureZIP for zSeries Encrypts File Names ...... 72
  Encrypting File Names When You Update an Archive ...... 72
  Opening and Viewing an Archive That Has Encrypted File Names ...... 72
  Input Required To View Recipients in a Filename Encrypted Archive ...... 73
  View of Recipients in a Filename Encrypted Archive ...... 73
  View Detail of an Archive that Has Encrypted File Names ...... 74
  Decrypting a Filename-Encrypted Archive ...... 75
  Security Examples ...... 76
  SecureZip using Recipients or Combo ...... 76
  Zip Compress File(s) to an Archive File (Option ‘Z’) Using Recipients ...... 77
  SecureZIP Encryption Using Individual Recipients as Input ...... 77
  SecureZIP Certificate Report Option ...... 79
  SecureZIP Verification Window ...... 79
  SecureZIP Encryption Using Individual Recipients-Generated JCL ...... 79
  SecureZIP Encryption Using Recipient Job Output Listing with VERBOSE ...... 80
  SecureZIP Encryption Using Recipient Job Output Listing Without VERBOSE ...... 81
  SecureZIP Encryption Using a Recipients List ...... 82
  Editing the Recipients List ...... 83
  SecureZIP Encryption Using a Recipients List ...... 83
  SecureZIP Halt Process Request ...... 84
  SecureZIP Encryption Using LDAP Search for Recipients ...... 84
  SecureZIP Encryption Using LDAP Search for Recipients-Generated JCL ...... 84
  SecureZIP Encryption Using LDAP Search for Recipients - Output ...... 85
  Selecting Filename Encryption ...... 86
  Panel Option “Z” - Selecting Filename Encryption ...... 86
  Zip Compress File(s) to an Archive File (Option ‘Z’) Using Passwords ...... 87
  SecureZIP Encryption ...... 87
  Cryptographic Algorithms ...... 88
  UNZip File(s) from an Archive (Option ‘U’) Using Recipients ...... 90
  Unzip Panel (Option ‘U’) Using Recipients ...... 90
  Unzip Output Using Recipients ...... 91
  View Display the Contents of an Archive File (Option ‘V’) ...... 91
  View Detail Display ...... 92
  Incorrect Password Use ...... 93
7 FILE SELECTION AND NAME PROCESSING ...... 96
  ZIP Processing File Selection ...... 96
  Primary File Selection Inputs ...... 96
  Cataloged Dataset Name Filter Requests ...... 96
  Exclusion Filters ...... 97
  INFILE DD Requests ...... 97
  JES2 SYSIN INFILE Support ...... 97
  Input ZIP Archive Files ...... 98
  File Selection Processing Notes ...... 98
  Cataloged Dataset Name and INFILE Request Restrictions ...... 99
  ZIP File Names ...... 100
  Summary of Commands Affecting ZIP Filename ...... 100
  Essentials for running PKZIP/SECZIP and PKUNZIP/SECUNZIP ...... 101
  PKUNZIP/SECUNZIP ...... 101
8 ZIP FILES ...... 103
  Data Formats - Text or Binary ...... 103
  Data Format - Text Records ...... 104
  Data Format - Binary Records ...... 105
  File Attributes ...... 105
  Data Set Name Transformation ...... 106
  Large File Considerations ...... 106
  Determining File Size ...... 107
9 FILE PROCESSING ...... 108
  File Support ...... 108
  Sequential Files ...... 109
  Compressing Sequential Files ...... 109
  Extracting Records into a Sequential File ...... 110
  Managing a Sequential File ZIP Archive ...... 110
  Processing GDGs ...... 110
  File Concatenation for ZIP Processing ...... 111
  PDS and PDSE Members ...... 111
  Selecting PDS Members for Compression ...... 111
  Extracting Data into a PDS ...... 112
  Managing ZIP Archives as PDS Members ...... 112
  Load Libraries ...... 113
  VSAM Files ...... 113
  Compressing a VSAM File ...... 114
  Extracting Data into a VSAM File ...... 115
  Managing a VSAM ZIP Archive ...... 117
  Magnetic Tapes and Cartridges ...... 117
  Copying a Tape-Based Archive to a Disk File ...... 117
  Compressing Data from Tape ...... 118
  Extracting Data onto Tape ...... 119
  Managing a ZIP Archive on Tape ...... 119
10 COMMANDS ...... 122
  Command Syntax ...... 122
  File Selections vs. Commands ...... 123
  &SYSUID ...... 123
  Summary of Available Commands ...... 123
  Command Details ...... 138
  Command Icon Legend ...... 141
11 ZIP ARCHIVES ...... 275
  “Old” ZIP Archive ...... 276
  “Temporary” Dataset ...... 276
  “New” ZIP Archive ...... 277
12 PROCESSING WITH GZIP ...... 278
  What Is GZIP? ...... 278
  Why Use GZIP? ...... 278
  PKZIP and SecureZIP for zSeries Implementation Notes for GZIP ...... 279
  GZIP Restrictions ...... 279
  GZIP Extensions ...... 279
  Processing GZIP Archives ...... 280
13 USING THE ISPF INTERFACE ...... 281
  Getting Started with the ISPF Interface ...... 281
  Configuration (Option ‘C’) ...... 282
  Defaults (Options ZD and UD) ...... 283
  Primary Commands ...... 284
  Changing Default Options ...... 285
  Including Changed Defaults ...... 285
  View Archive (Option ‘V’) ...... 285
  Setting VIEW Options ...... 286
  Primary Commands ...... 288
  Line Commands ...... 289
  Display Fields ...... 290
  Using Security ...... 292
  Archive Authenticated ...... 292
  File Signers ...... 293
  Zip (Option ‘Z’) ...... 294
  Using Security ...... 296
  Select Password Protect ...... 296
  Select Recipients ...... 297
  Archive Signing ...... 297
  File Signing ...... 298
  Archive Authentication ...... 298
  UNZIP (Option ‘U’) ...... 299
  Using Security ...... 301
  Select Password Protect ...... 301
  Select Recipients ...... 302
  Archive Authentication ...... 302
  File Authentication ...... 303
  SYSPRINT Browse (Option ‘S’) ...... 303
  Messages (Option ‘M’) ...... 303
  License Display (Option ‘L’) ...... 305
  Certificate Stores (Option ‘CS’) ...... 306
  What’s New (Option ‘W’) ...... 306
  Contact PKWARE (Option ‘A’) ...... 306
14 USER API PROCESSING ...... 307
  Overview ...... 307
  Data Record Transformation API for ZIP processing ...... 307
  File Name Manipulation API for UNZIP processing ...... 307
  Invocation ...... 307
  Negation of API processing ...... 308
  Execution Environment ...... 308
  File Name Manipulation API ...... 309
  Data Record Transformation API ...... 309
  User API Samples ...... 310
  JCL and Sample Programs ...... 310
  Assembler ...... 310
  Assembler Source ...... 310
  Assembler JCL ...... 311
  Assembler Source ...... 311
  DCTMAPIU DSECT ...... 312
  COBOL ...... 312
  COBOL JCL ...... 312
  COBMAPIU copy member ...... 313
  Sample input file - SAMPDAPI ...... 313
  Output from sample jobs ...... 314
  ASMFNAPI Sample Output ...... 314
  XSMFNAPI Sample Output ...... 314
  User API_Module Program Exception Trap ...... 315
15 INVOKING PKZIP/PKUNZIP FROM AN APPLICATION PROGRAM ...... 317
  CALLZIPA Sample Assembly Source to Call PKZIP ...... 318
  CALLZIPC Sample COBOL Source to Call PKZIP ...... 320
  CALLZIPP Sample PL/I Source to Call PKZIP ...... 321
  CALLZIPR Sample REXX Source to Call PKZIP ...... 322
  CALLZC Sample C source program to call PKZIP ...... 323
  CALLZCPP Sample C++ program source to call PKZIP ...... 324
16 PKWARE PARTNERLINK: SECUREZIP READER/SECURELINK ...... 327
  About SecureZIP for zSeries Reader/SecureLink ...... 327
  If You Are a Sponsor: Sign the Central Directory ...... 328
  Terms and Acronyms Used in This Chapter ...... 328
  PKWARE PartnerLink Program: Overview ...... 329
  Decrypting and Extracting Sponsor Data (Reader Mode) ...... 329
  Partner (SecureLink) Data Exchange to Sponsor ...... 330
  Requirements ...... 330
  License ...... 330
  Operating Environment ...... 330
  Sponsoring Configuration ...... 331
  Functional Overview ...... 331
  General Restrictions ...... 331
  Reader (UNZIP) Processing ...... 331
  Restrictions ...... 332
  Archive Authentication Settings ...... 332
  Decryption Certificate Selection ...... 332
  File Signature Authentication Certificate Selection ...... 333
  SecureLink (ZIP) Processing ...... 333
  Restrictions ...... 333
  Encryption Certificate Selection ...... 334
  Archive Authentication Settings ...... 334
A (RESERVED) ...... 335
B SAMPLE JOBSTREAMS ...... 336
  Example 1: Zip PDS to an Archive ...... 336
  Example 2: Zip PDS to an Archive ...... 337
  Example 3: Zip VSAM KSDS to an Archive ...... 338
  Example 4: Summary View of a Dataset ...... 339
  Example 5: Summary View of a Dataset ...... 340
  Example 6: View with Detail of an Archive ...... 341
  Example 7: Unzip an Archive to PDS ...... 343
  Example 8: Unzip an Archive to PDS ...... 343
  Example 9: Unzip an Archive to VSAM KSDS ...... 344
C 3490 INSTALLATION JCL (COPYCART) ...... 346
D MAKING CODE PAGE TRANSLATE TABLES (EDCICONV) ...... 356
  Translation Tables ...... 356
  Code Page Support ...... 356
  International Code Page Support ...... 357
  Code Conversion Utility ...... 357
  Translate Table Generation ...... 358
  Sample Job ...... 358
E FIPS-197 AES CERTIFICATION OF PKZIP AND SECUREZIP ...... 360
F CONTACT INFORMATION ...... 361
  PROBLEM REPORTING ...... 361
  General ...... 361
  Licensing ...... 362
  ISPF ...... 362
  FTP SERVER requirements ...... 363
GLOSSARY ...... 364
INDEX ...... 372
Preface
This manual covers both PKZIP for zSeries and SecureZIP for zSeries. PKZIP for zSeries provides powerful, easy-to-use data compression on the mainframe. PKZIP for zSeries Enterprise Edition additionally includes support for password-based decryption of encrypted files, powered by trusted RSA® BSAFE. Files created by PKZIP for zSeries use the widely-adopted ZIP format and can be accessed on all major platforms throughout the enterprise—from mainframe to PC. SecureZIP for zSeries provides powerful, easy-to-use data compression and data protection on the mainframe. SecureZIP for zSeries delivers high performance data compression and protects data with digital signatures and trusted RSA BSAFE encryption, either password- or certificate-based, with key lengths of up to 256 bits. Like PKZIP for zSeries, SecureZIP for zSeries uses the widely-adopted ZIP format and creates files that can be accessed on all major platforms throughout the enterprise.
Notices
Licensing requirements have changed for this release. See Chapter 4 for details.
About this Manual
This manual provides the information needed to use PKZIP/SecureZIP for zSeries in an operational environment. It is assumed that anyone using this manual has a good understanding of JCL and data set processing.
This manual applies to the following operating systems:
• OS/390 – Version 2.10 and above.
• z/OS – all releases.
• Chapter 1. An introduction to both PKZIP/SecureZIP for zSeries. Provides a general description of the product suite applicable to all supported platforms. This chapter also describes the features of the PKZIP/SecureZIP for zSeries products and provides a simple description of how they are used to compress and decompress datasets.
• Chapter 2. Provides a general discussion of data security along with specific implementations of encryption.
• Chapter 3. Provides more detailed examples of how specific file types should be processed by PKZIP/SecureZIP for zSeries. This chapter also details the new features and functions introduced in various releases.
• Chapter 4. Explains licensing of PKZIP/SecureZIP for zSeries and provides information on invoking the 5-day grace period and disaster recovery tests.
• Chapter 5. Provides general information on invoking PKZIP/SECZIP and PKUNZIP/SECUNZIP, the main component programs of PKZIP/SecureZIP for zSeries. This chapter explains the details associated with compression, decompression, restrictions, and migration, and gives an overview of ZIP processing.
• Chapter 6. Provides details on security and authentication, including ISPF screen images and examples.
• Chapter 7. Provides a summary of ZIP file processing procedures, including filtering, file selection, requests, and the basic essentials for running the ZIP and UNZIP programs.
• Chapter 8. Explains ZIP file formats (text or binary), file attributes, and file size considerations.
• Chapter 9. Provides information about the types of files that are supported by PKZIP/SecureZIP for zSeries, such as sequential files, PDS or PDSE members, and VSAM files.
• Chapter 10. A reference covering the PKZIP/SecureZIP for zSeries commands and messages.
• Chapter 11. Explains the possible states of an archive during processing and the functions of associated formats.
• Chapter 12. Provides an overview of how to process GZIP files and archives, including information about GZIP restrictions and extensions.
• Chapter 13. Provides instructions on the use of other facilities provided with PKZIP/SecureZIP for zSeries, specifically the ISPF panel interface, including setting options for configuration, defaults, and viewing archives.
• Chapter 14. Provides information on the User Application Programming Interface, or USER API.
• Chapter 15. Provides information on calling PKZIP/SECZIP and PKUNZIP/SECUNZIP.
• Chapter 16. Provides information about the PKWARE PartnerLink program.
• Appendix B. Sample Jobstreams.
• Appendix C. 3490 Installation JCL.
• Appendix D. Making Code Page Translate Tables.
• Appendix E. FIPS-197 AES Certification.
• Appendix F. Contact Information.
• Glossary. Explains terms related to compression and encryption.
Conventions Used in This Manual
Throughout this manual, the following conventions are used:
• PKZIPz (bold-italicized) refers to both PKZIP for zSeries and SecureZIP for zSeries. Information given for PKZIPz applies to both products. Information given specifically for PKZIP for zSeries or SecureZIP for zSeries applies only to that product.
• The use of the Courier font indicates text that may be found in job control language (JCL), parameter controls, or printed output.
• The use of italics in a command line indicates a value that must be substituted by the user, for example, a data set name. Italics are also used in body text to quote command names and so forth, or to indicate the title of a manual or other publication.
• Bullets (•) indicate items (or instructions) in a list.
• The use of the "Requires SecureZIP" icon (image not reproduced in this text) marks a feature or option that requires SecureZIP.
PKZIP and SecureZIP Manuals
PKZIP for zSeries and SecureZIP for zSeries product manuals include:
• PKZIP/SecureZIP for zSeries User’s Guide - Provides detailed information on the product set in OS/390 and z/OS operating environments. Provides a general introduction to data compression, PKZIP-specific data compression, and an overview of how to use PKZIPz control cards and parameters. Provides SecureZIP-specific security extension information.
• PKZIP/SecureZIP for zSeries Messages and Codes Guide - Provides information on the messages and codes that are displayed on the consoles, printed outputs, and associated terminals.
• PKZIP/SecureZIP for zSeries System Administrator’s Guide - Provides detailed information to assist the system administrator in installing and managing PKZIPz in an operational environment. Topics include:
  o System planning and administration
  o Installation, licensing and configuration
  o Verifying the installation
  o Security administration overview (SecureZIP)
  o Certificate store management (SecureZIP)
Related Publications
IBM manuals relating to the PKZIPz products include:
• System Codes - Documents the completion codes issued by the operating system when it terminates a task or an address space. Describes the wait state codes placed in the program status word (PSW) when the system begins a wait state. Describes the causes of loops.
• System Messages - Documents the messages issued by the OS/390 operating system. The descriptions explain why the component issued the message, give the actions of the operating system, and suggest responses by the applications programmer, system programmer, and/or operator.
• JES2 Messages - Documents the messages issued by the JES2 subsystem. The descriptions explain why the component issued the message, give the actions of the operating system, and suggest responses by the applications programmer, system programmer, and/or operator.
• JCL User's Guide - Describes the job control tasks needed to enter jobs into the operating system, control the system's processing of jobs, and request the resources needed to run jobs. To perform the tasks, programmers code job control statements. The user's guide assists in deciding how to perform job control tasks.
• JCL Reference - Describes the job control tasks needed to enter jobs into the operating system, control the system's processing of jobs, and request the resources needed to run jobs. To perform the tasks, programmers code job control statements. The reference guide is designed to be used while coding the statements.
• Access Method Services - Documents the functions that are available with Virtual Storage Access Method (VSAM) and describes the IDCAMS commands that can be issued to control VSAM datasets.
• TSO/E Command Reference - Documents the functions of the TRANSMIT and RECEIVE Command Facility used for the distribution and allocation of PKZIPz installation libraries.
• MVS/QuickRef 6.3 (Chicago-Soft, Ltd.) - Includes both messages and command reference material for PKZIPz.
Related Information on the Internet
PKWARE, Inc. - www.pkware.com
• FTP site
  o Product manuals - ftp://bigiron.pkware.com/pub/manuals/zSeries
  o Product downloads - ftp://bigiron.pkware.com/pub/products
  o PKZIP for zSeries - ftp://bigiron.pkware.com/pub/products/pkzip/zseries
  o SecureZIP for zSeries - ftp://bigiron.pkware.com/pub/products/securezip/zseries
  o PartnerLink Reader/SecureLink - ftp://bigiron.pkware.com/pub/products/partnerlink/zseries
National Institute of Standards and Technology (NIST)
• Computer Security Resource Center - http://csrc.ncsl.nist.gov
• Information on the AES development - http://csrc.nist.gov/encryption/aes/
• Information on Key Management - http://csrc.nist.gov/CryptoToolkit/tkkeymgmt.html
RSA BSAFE® Content Library – http://www.rsasecurity.com/content_library.asp
User Help and Contact Information
For licensing, please contact the Sales Division at 937-847-2374 or email pksales@pkware.com. For technical assistance, please contact Technical Support. Appendix F lists the types of information needed to resolve issues with the product.
1 An Introduction to PKZIP and SecureZIP for zSeries
Built on the award-winning PKZIP, SecureZIP for zSeries enables you to create and extract ZIP archives and archives of other types and, with the new security features, to use passwords and/or digital certificates to strongly encrypt archives and archived files. Strong, digital certificate-based encryption enables you to encrypt files just for the people you want to see them. With its advanced password- and certificate-based security features, SecureZIP for zSeries offers multiple methods of encryption and is an excellent choice for secure messaging and storage. Like PKZIP, SecureZIP for zSeries offers various methods and levels of compression and a host of other powerful features.
Note: Both PKZIP for zSeries and SecureZIP for zSeries can apply strong password-based encryption, and all current PKZIP desktop products recognize digital signatures and can decrypt strongly encrypted files. However, strong, certificate-based encryption requires the premium SecureZIP for zSeries edition.
SecureZIP for zSeries can access certificates in directory servers via an LDAP-compliant interface. In addition, it can look for certificates in LDAP certificate stores. These stores can automatically be searched for recipients to whom you are sending an email message so that you can use their keys when encrypting an attachment. This feature requires the separately licensed Directory Integration module. The Directory Integration module enables you to access certificates stored in remote directories as well as certificates on the local machine. This extends your ability to work with certificates that belong to your colleagues in the enterprise as well as customers, partners, and vendors.
PKZIPz contains two main programs: PKZIP (or SECZIP in SecureZIP) and PKUNZIP (or SECUNZIP in SecureZIP). The ZIP program compresses or otherwise stores files into a ZIP format archive; the UNZIP program extracts files compressed into ZIP-compatible archives.
Processing control is available through the use of customized option modules, shared command lists, and individual job inputs. In addition to file selection, features such as compression levels and performance selections can be specified.
SecureZIP for zSeries is also available in a special version, SecureZIP Reader/SecureLink, through the PKWARE PartnerLink program. The PKWARE PartnerLink program provides a straightforward, secure way for an organization to exchange sensitive information with outside partners who perhaps do not have SecureZIP. SecureZIP Reader/SecureLink differs from the full SecureZIP for zSeries in that it only extracts archives from, and only creates and encrypts archives for, a PartnerLink sponsor. Contact PKWARE for more information on PKWARE PartnerLink.
To guarantee data integrity, a 32-bit Cyclic Redundancy Check (CRC) is a standard feature of all products. A ZIP archive is platform-independent; therefore, data compressed (zipped) on one platform, such as UNIX or Windows, can be decompressed (unzipped) on another platform, such as OS/390 or z/OS, by using a compatible version of the UNZIP program.
Data Compression
Data compression reduces file size. A compressed data file uses less storage space and can be transferred faster. A data file to be compressed (a ZIP candidate) is compressed to a compact size (ZIPPED file). To use the file again, it must be uncompressed or extracted to its original size (UNZIPPED file).
For example, a simple data compression technique is the Run-Length Encoding method. This method works when repeating characters are evident in a data stream. The run of characters is represented in a compressed form as a single character with its count.
Example: B 2 2 2 2 E H H H H H H H H H
Compressed: B 2*4 E H*9
However, to perform a thorough compression operation, more advanced algorithms and enhanced techniques are required which work at the bit level and allow for noncontiguous iterations of bit strings. PKZIPz uses such methods to achieve maximum results.
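To make the run-length notation above concrete, here is an added Python encoder and decoder (not code from the manual or from PKWARE) that reproduces the example exactly and generalizes it: each token is a character optionally followed by "*" and a decimal count, and tokens are separated by single spaces, so input containing digits, spaces or "*" still round-trips without ambiguity.

```python
# Run-Length Encoding in the "character*count" notation used by the manual's
# example. Tokens are separated by exactly one space; runs shorter than three
# characters are written out as single-character tokens (the "*n" form would
# not save space). Because counts are only ever read after a "*", and tokens
# are always delimited, a digit, a space or a "*" in the input is never
# confused with a run count. Added illustration, not PKZIP's own algorithm.


def rle_encode(data: str) -> str:
    """Encode `data` as space-separated run tokens, e.g. 'B 2*4 E H*9'."""
    tokens = []
    i = 0
    while i < len(data):
        c = data[i]
        n = 1
        while i + n < len(data) and data[i + n] == c:
            n += 1
        if n >= 3:
            tokens.append(f"{c}*{n}")      # explicit run: character, '*', count
        else:
            tokens.extend([c] * n)         # short run: one token per character
        i += n
    return " ".join(tokens)


def rle_decode(encoded: str) -> str:
    """Expand a string produced by rle_encode. Raises ValueError on malformed input."""
    out = []
    i, n = 0, len(encoded)
    while i < n:
        c = encoded[i]                     # the run character (may itself be ' ' or '*')
        i += 1
        count = 1
        if i < n and encoded[i] == "*":    # explicit count follows
            i += 1
            start = i
            while i < n and encoded[i] in "0123456789":
                i += 1
            if start == i or int(encoded[start:i]) < 1:
                raise ValueError(f"bad run count at offset {start}")
            count = int(encoded[start:i])
        out.append(c * count)
        if i < n:                          # tokens are separated by exactly one space
            if encoded[i] != " ":
                raise ValueError(f"expected separator at offset {i}")
            i += 1
            if i == n:
                raise ValueError("dangling separator at end of input")
    return "".join(out)


def round_trips(data: str) -> bool:
    """True when encoding and decoding returns the original input unchanged."""
    return rle_decode(rle_encode(data)) == data


def is_valid(encoded: str) -> bool:
    """True when `encoded` is a well-formed run-length string."""
    try:
        rle_decode(encoded)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = "B2222EHHHHHHHHH"            # the manual's example, spaces removed
    print(rle_encode(sample))             # B 2*4 E H*9
    print(rle_decode(rle_encode(sample)) == sample)
```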
ZIP Archives
PKZIPz stores compressed data files into ZIP archives. There is no limit to the number of archives you may create. A ZIP archive refers to any valid ZIP-format file created by a ZIP-compatible product. PKWARE's Application Note on the .ZIP file format provides developers a general description and technical details of the ZIP specification. This specification is periodically revised according to the publication policy statement as new features are added, to ensure the continued interoperability of ZIP applications.
With the ZIP64 feature available in SecureZIP for zSeries and PKZIP for zSeries (Enterprise Edition) release 5.6 and higher, over 4 billion files can be managed within a single archive. The ZIP archive architecture supports exabyte (64-bit) sizes for files in an archive. ZIP archives themselves can exceed 4 gigabytes for specified access methods and device media. With ZIP products prior to release 4.5 (and PKZIP for MVS products), an archive can store up to 65,535 files. Only files smaller than 4 gigabytes can be compressed, and an archive is limited to less than 4 gigabytes in size.
For each file in an archive, the following information is stored with the compressed data:
• Filename
• File directory date and time
• File’s initial CRC value. See Cyclic Redundancy Check
• Method of compression used
• ZIP version required for file extraction
• File size, uncompressed
• File size, compressed
Some files may contain the following additional information:
• The version of ZIP that created the file
• File attributes
• A comment about the file
• A comment about the archive
• Platform specific attributes (see Cross Platform Compatibility)
Cyclic Redundancy Check
A Cyclic Redundancy Check (CRC) is performed to check the integrity of a data file when it is restored from a ZIP archive. While a file is compressed, a PKZIPz algorithm computes a 32-bit hexadecimal value for its data. That CRC value is stored with the file in the ZIP archive. When the data in the file is extracted, PKZIPz processes it again by the same algorithm to produce a second CRC value and compares the two. If the data has not changed, the values will be the same. If the two CRC values do not match, data may have been corrupted in the ZIP archive during file transfer operations, and PKZIPz reports the failure.
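The check described above, as an added Python illustration (not code from the manual or from PKWARE): it computes the same CRC-32 that the ZIP format stores with each file (polynomial 0x04C11DB7 in reflected form, pre- and post-inverted), reproduces the extraction-time comparison, and shows that a single flipped bit in a constructed sample record is reported as a mismatch.

```python
import zlib

# Reflected form of the CRC-32 polynomial used by the ZIP format (IEEE 802.3
# polynomial 0x04C11DB7, bit-reversed). zlib.crc32 computes the same CRC, and
# is used at the end only to cross-check this hand-written version.
CRC32_POLY = 0xEDB88320


def _build_table() -> list:
    """Precompute the 256-entry lookup table for byte-at-a-time CRC updates."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ CRC32_POLY if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _build_table()


def crc32(data: bytes, crc: int = 0) -> int:
    """Return the ZIP CRC-32 of `data`.

    Pass a previous result as `crc` to continue a running CRC over data that
    arrives in pieces (records or blocks), as an archiver does while compressing.
    """
    c = crc ^ 0xFFFFFFFF                 # pre-invert: initial register value
    for b in data:
        c = _TABLE[(c ^ b) & 0xFF] ^ (c >> 8)
    return c ^ 0xFFFFFFFF                # post-invert: the value stored in the archive


def crc_as_hex(crc: int) -> str:
    """Format a CRC the way archive listings show it: 8 upper-case hex digits."""
    return f"{crc:08X}"


def verify_extracted(data: bytes, stored_crc: int) -> bool:
    """The check made at extraction: recompute over the extracted data and compare."""
    return crc32(data) == stored_crc


def demo() -> dict:
    """Store a CRC with a record, then check an intact and a damaged copy."""
    # Constructed sample record; not real data.
    record = b"ACCT 000123 BALANCE 0001500.00 STATUS A"
    stored = crc32(record)               # value written into the archive entry

    # Simulate one bit flipped during transfer (byte 12, 'B' -> 'C').
    damaged = bytearray(record)
    damaged[12] ^= 0x01
    damaged = bytes(damaged)

    # A running CRC over the record delivered in two blocks gives the same value.
    part1, part2 = record[:16], record[16:]
    running = crc32(part2, crc32(part1))

    return {
        "stored_hex": crc_as_hex(stored),
        "intact_ok": verify_extracted(record, stored),
        "damaged_ok": verify_extracted(damaged, stored),
        "running_matches": running == stored,
        "matches_zlib": stored == zlib.crc32(record),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A CRC only detects accidental corruption: anyone able to alter archive data can also recompute the stored CRC, so evidence of deliberate tampering comes from the digital signatures SecureZIP applies, not from the CRC.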
Distinctive Features of PKZIP and SecureZIP for zSeries
Distinctive features of PKZIP and SecureZIP for the z/OS and OS/390 operating environments include:
• Execution from ISPF panels, as a TSO/E command, within TSO/E REXX EXECs or CLISTs, from an application program, or as a stand-alone batch utility.
• A robust ISPF panel interface that displays the ZIP archive directory in table format and enables selection of individual archived (zipped) files for browsing, viewing, extracting, or deleting.
• Compression and extraction of datasets of the following types on DASD:
  • Sequential files.
  • PDS and PDSE members.
  • VSAM files (KSDS, ESDS, RRDS).
  • JES2 subsystem input files (for example, //ddname DD *).
• Command extensions allowing greater flexibility in file selection.
• Unique filename translation to and from System/390 DSNAME conventions and the UNIX-style names typically found in ZIP archives.
• Compression and extraction of datasets of the following types on tape or cartridge:
  • Sequential files.
• Compression and extraction of files to OS/390 and z/OS load libraries.
• Compression and extraction of files to Generation Data Groups (GDGs). A GDG file can also be used as a ZIP archive.
• Retention of dataset allocation information, such as dataset organization, device type, and DCB/Cluster attributes. Preserving this information allows the file to be recreated with the same characteristics during the UNZIP process.
• Support of ZIP archives within the following dataset organizations:
  • Sequential files (DASD, tape, or cartridge).
  • PDS and PDSE members.
  • VSAM ESDS.
• Selection of datasets for processing based on user-specified control statements, DD JCL specifications, or user-defined filtering lists.
• Execution on OS/390 2.10 and higher. SecureZIP also executes on a z/OS system IPL'd in 64-bit mode.
• Execution in AMODE 31, using storage primarily above the 16-MB line. However, certain operating system control blocks and system services require virtual storage below the 16-MB line. The amount of virtual storage available in each of these areas of an address space limits the use of some performance options (for example, multi-tasking and temporary files in storage) and capabilities.
• Defaults customizable during installation. Multiple defaults modules may be created for a variety of application needs.
• Use of pre-defined command files saved in a location selected by the user or system administrator. These can be referenced by multiple jobs or users, eliminating the need for individual JCL command streams, or used in combination with individual job inputs to provide a consistent set of processing controls.
Certain features of PKZIP for zSeries are separately licensed (see Chapter 4).
Distinctive Features of SecureZIP for zSeries
Distinctive features of SecureZIP for the z/OS and OS/390 operating environments include:
• Ability to access certificates in directory servers through an LDAP-compliant interface. SecureZIP can look up certificates in LDAP certificate stores and automatically search these stores for the recipients you specify, so that their public keys can be used when encrypting. (Requires the optional Directory Integration module.)
Certain features of SecureZIP for zSeries are separately licensed (see Chapter 4).
Encryption Using Passwords and/or Digital Certificates
Requires SecureZIP
SecureZIP for zSeries can encrypt data using digital certificates and/or a password, so that only the intended recipients or the holders of the password can extract it. Several security levels are available through multiple encryption algorithms. See Chapter 2 for a complete description of the security features in SecureZIP for zSeries.
Cross Platform Compatibility
PKZIPz was designed for cross-platform use and enables you to move data among different operating environments. Archives created with PKZIP/SecureZIP for zSeries are compatible with PKZIP for MVS, PKZIP/SecureZIP for iSeries, PKZIP for OS/400, PKZIP/SecureZIP for UNIX, PKZIP/SecureZIP for LINUX, PKZIP for DOS, and PKZIP/SecureZIP for Windows. All of these products use the same ZIP archive file format and can work with each other's archives. As a result, data can be zipped on one platform, for example UNIX, and unzipped on another, such as OS/400. PKZIPz converts text data between EBCDIC and ASCII automatically, so files prepared on the host are readable on any PC or UNIX system.
The following table lists the ZIP features supported on the different platforms and the version of the ZIP file format Application Note in which each feature appears. The platform columns give the product release in which the feature became available. In the table, (EE) refers to PKZIP for zSeries Enterprise Edition, SZ to SecureZIP and PK to PKZIP.

ZIP feature                                       | AppNote version | MVS/zSeries          | OS400/iSeries
--------------------------------------------------|-----------------|----------------------|---------------------
Default                                           | 1.0             |                      |
File represents a volume label                    | 1.1             | Not supported        | Not supported
File represents a folder                          | 2.0             | Not supported        | Not supported
Deflate compression                               | 2.0             | 2.x                  | 2.x
Traditional encryption                            | 2.0             | 2.x                  | 2.x
Deflate64 compression                             | 2.1             | 8.2                  | 8.2
DCL Implode compression                           | 2.5             | Not supported        | Not supported
File is a patched data set                        | 2.7             | Not supported        | Not supported
File uses ZIP64 size extensions                   | 4.5             | 5.6                  | 5.6
BZip2 compression                                 | 4.6             | Not supported        | Not supported
DES encryption                                    | 5.0             | 8.2                  | 8.2
3DES encryption                                   | 5.0             | 8.2                  | 8.2
RC2 encryption                                    | 5.0             | Not supported        | Not supported
RC4 encryption                                    | 5.0             | 8.2                  | 8.2
AES encryption                                    | 5.1             | 5.5                  | 5.5
DES decryption                                    | 5.0             | SZ8.2, PK8.2(EE)     | SZ8.2, PK8.2(EE)
3DES decryption                                   | 5.0             | SZ8.2, PK8.2(EE)     | SZ8.2, PK8.2(EE)
RC4 decryption                                    | 5.0             | SZ8.2, PK8.2(EE)     | SZ8.2, PK8.2(EE)
AES decryption                                    | 5.1             | SZ5.5, PK8.2(EE)     | SZ5.5, PK8.2(EE)
Certificate encryption using non-OAEP key wrapping| 6.1             | 8.2 (SecureZIP)      | 8.2 (SecureZIP)
Central directory encryption (file name encryption)| 6.2            | 8.2 (SecureZIP)      | 8.2 (SecureZIP)
If you want to transfer data across platforms using any other “ZIP compatible” product, you should check with the supplier first to confirm which versions of PKZIP it is compatible with.
2 Introduction to Data Security
This chapter describes how SecureZIP for zSeries can strongly encrypt data for security control and protection. Much of the reference information in this chapter is from the National Institute of Standards and Technology (NIST). The NIST Computer Security Resource Center web site, http://csrc.ncsl.nist.gov/, contains FAQs and documentation relating to computer security along with the Federal Information Processing Standard (FIPS) documents. The PKWARE web site, www.pkware.com, also contains information relating to security and links to the RSA Security, Inc., web site, which provides detailed information on the BSAFE® implementation used in SecureZIP for zSeries.
The following sections describe encryption, the types of algorithms in use, specific mandates requiring the use of secure data, and how SecureZIP for zSeries secures that data. Examples are provided in Chapter 6. See Chapter 10 for documentation of the commands.
Note: PKZIP for zSeries provides password-based encryption and decryption using the 96-bit "Standard" (traditional ZIP) encryption algorithm that is supported by older ZIP-compatible utilities. Treat this algorithm as a compatibility feature rather than a security control: it is vulnerable to a published known-plaintext attack that recovers its 96-bit key state, so use one of the strong algorithms wherever the receiving system supports them. PKZIP for zSeries Enterprise Edition supports the decryption of all password-based algorithms provided in SecureZIP for zSeries.
SecureZIP for zSeries Security Basics
SecureZIP for zSeries security functions include strong encryption using RSA BSAFE and the PKWARE implementation of the Advanced Encryption Standard. SecureZIP for zSeries offers password-based encryption using RC4, DES, 3DES and AES. SecureZIP for zSeries uses a multi-layer key generation process, based on a user-specified password of up to 250 characters and/or a user's digital certificate, that creates a unique internal key for each file being processed. The same password therefore yields a different system-generated key for each file.
SecureZIP for zSeries also uses Cipher Block Chaining (CBC) mode with the block ciphers (DES, 3DES and AES). In CBC mode each plaintext block is combined with the preceding ciphertext block before it is encrypted, so identical blocks of plaintext do not produce identical ciphertext and patterns in the data are not visible in the archive. (CBC mode provides confidentiality only; it does not by itself detect modification of the ciphertext. Tamper detection is provided by the digital signature features described later in this chapter.)
SecureZIP for zSeries encryption is activated through the PASSWORD and RECIPIENT commands. If a value is present for either setting, whether through commands or default settings, then encryption is attempted in accordance with the other settings (for example, ENCRYPTION_METHOD). However, if ENCRYPTION_METHOD=NONE is specified, encryption is bypassed. Archives created under PKZIP for Windows and PKZIP for UNIX using the encryption setting "Strong: Recipient List or Password" can be decrypted with the password on zSeries systems running release 8.0 or later. SecureZIP for zSeries signing and authentication features are activated through the SIGN_ARCHIVE, SIGN_FILES and AUTHCHK commands.
Operating System Levels
OS/390 2.10 or any z/OS release is required to run certificate-based operations. If your operating system is not at this level, you will receive the message "ZPEN100E Certificate-Based functions require a minimum operating system…" and a return code of 12 (RC=12).
Digital Certificate Formats
Requires SecureZIP
SecureZIP for zSeries requires that X.509 certificates be used and that they conform to specific formats depending on the type being accessed or administered. See the section “Setting Up Stores for Digital Certificates on zOS,” later in this chapter, for more information.
SecureZIP for Windows Compatibility
Windows users running pre-XP versions of Windows may experience a problem decrypting, depending on the way in which private-key certificates were imported on the system. Unless the dialog check box "Mark the private key as exportable" is selected when certificates are imported on pre-XP Windows, Windows will allow an AES-encrypted file to be decrypted only if the master session key is wrapped with 3DES. A new command, Secure_OPT_MSK3DES, is introduced with RECIPIENT processing which allows the SecureZIP user to create AES-encrypted files that are compatible with older Windows workstations. When turned on, the MSK3DES flag is set in the NDH/DIB, indicating that the master session key information is protected with 3DES when recipients are specified.
PKZIP for Windows processing differs between versions 6.0 and 7.x because of an issue with OAEP encryption processing. PKZIP for Windows 5.0 through 6.0 used OAEP. However, OAEP was found to be incompatible with smart cards, so versions 6.1 and later set a NO_OAEP flag in the NDH/DIB flags and no longer create OAEP encryption-mode files by default. SecureZIP for zSeries always sets NO_OAEP; therefore, PKZIP for Windows 5.0 through 6.0 will not be able to read recipient-list encrypted files from the large platforms. SecureZIP for zSeries is designed to detect whether the NO_OAEP flag is set and to extract successfully in either case: no change in logic is required in the SecureZIP high-level code, because the low-level EVTCERTD code handles the switch based on the flag.
General Information to Help You Get Started
How do I activate encryption in SecureZIP for zSeries? Encryption is activated through the use of the PASSWORD (and/or RECIPIENT for SecureZIP) commands. If a value is present for either setting, whether through commands or default settings, then encryption will be attempted in accordance with other settings (such as ENCRYPTION_METHOD). However, if ENCRYPTION_METHOD=NONE is specified, then encryption will be bypassed. Note that certificate-based encryption for recipients is only supported by SecureZIP, not by PKZIP versions of the product. Also, this mode of encryption requires that one of the strong encryption methods (minimum 128-bit) be selected.
How do we activate MASTER_RECIPIENT contingency keys? To meet the needs of corporate security policies, SecureZIP provides the MASTER_RECIPIENT setting to include one or more master recipient contingency key certificates in a SecureZIP job whenever strong encryption is activated. The setting causes the data to be encrypted for the master recipient(s) in addition to the other recipient or password settings, ensuring that the organization can always decrypt its encrypted data. (Protect the master recipients' private keys accordingly: whoever holds them can open every archive the organization produces.) The primary MASTER_RECIPIENT may be set directly in the defaults module, or indirectly by specifying MASTER_RECIPIENT in a command stream referenced by SECUREZIP_CONFIG. This default-module-only setting names a PDS[E] member that contains SecureZIP certificate store configuration commands to be included automatically in the processing stream. The configuration command values from this member are included at the start of command input processing, before //SYSIN statements are read. The data set (member) is internally converted into an "INCLUDE_CMD=(pds[e](member))" command and is echoed to the message log in accordance with the ECHO setting. The primary MASTER_RECIPIENT is reported in the SHOW_SETTINGS report. Supplemental MASTER_RECIPIENT commands may be provided via the primary SYSIN input stream or indirectly from either the SECUREZIP_CONFIG or INCLUDE_CMD specifications. They are internally converted to RECIPIENT commands for processing. MASTER_RECIPIENT settings are cumulative; a setting in the defaults module is therefore not overridden or eliminated from an execution.
How does the MASTER_RECIPIENT contingency key setting affect processing? When SecureZIP is used to encrypt data, either with RECIPIENT or PASSWORD, then a recipient specified by MASTER_RECIPIENT will be automatically included. However, MASTER_RECIPIENT does not trigger encryption.
How does recipient-based encryption differ from password? Password-based encryption depends on both the sender and the receiver knowing, and supplying in clear text, the same input (the password). The password is used to derive a binary master session key for each decryption run. No key information is kept within the ZIP archive, so both parties must retain the password in an external location. Recipient-based encryption provides a means by which the master session key (MSK) information can be hidden, protected, and carried within the ZIP archive. This is done using a technique known as digital enveloping with public-key encryption. The technique requires that the creating process have a copy of the recipient's public-key digital certificate, which is used to protect and store the MSK. The receiving side must have the recipient's private key. With these two pieces in place, users need not retain or recall a password for decryption.
What is a Digital Certificate Store?
Requires SecureZIP
Recipient-based encryption requires that public- and private-key certificates be used by SecureZIP for zSeries. These are kept in file streams encoded according to the X.509 standard. A certificate store is the location where the various types of certificates are kept and accessed. The primary stores used by SecureZIP for zSeries are:
• CSPUB: Certificate store for individual public-key X.509 certificates on the local system.
• CSPRVT: Certificate store for individual private-key X.509 certificates on the local system.
• CSCA: Certificate store for certificate authority public-key X.509 certificates on the local system.
• CSROOT: Certificate store for the trusted root public-key X.509 certificates on the local system.
• LDAP: Certificate store for individual public-key X.509 certificates accessible via a TCP/IP network.
Can both recipient-based and password encryption be used together? Yes. When both RECIPIENT and PASSWORD settings are used to encrypt a file, the master session key is derived from the password and is also protected using public-key encryption. This means that the file can be decrypted either by supplying the password or by providing access to a private key associated with one of the public keys used to encrypt it. Bear in mind that this gives two independent ways in: the archive is only as strong as the weaker of the password and the protection of the recipients' private keys.
How does ENCRYPTION_METHOD pertain to recipient or password encryption? Public/private key encryption using BSAFE digitally envelopes the master session key information. Once the master session key is determined, an independent file session key is derived (which is unique for each file) to encrypt the file data with a symmetric algorithm specified by ENCRYPTION_METHOD. Several algorithms are supplied with SecureZip for zSeries. Any algorithm may be specified for use with a password, but only those prefixed with “BSAFE” are valid for use with recipient-based encryption.
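To make the key hierarchy in the last three answers concrete, here is an added Python model; it is not PKWARE code and not the BSAFE implementation. It shows a master session key that is either derived from the password or generated at random, one wrapped copy of that key per recipient (the digital envelope), and an independent file session key derived from the MSK for each file. PBKDF2-HMAC-SHA256 for the password path, the HMAC-based per-file derivation, the check value, the key identifier, and the small unpadded RSA keypair generated in the script are all assumptions of this example; the product's actual derivation, its PKCS#1 padding and the symmetric cipher selected by ENCRYPTION_METHOD are not reproduced, so the example demonstrates who can recover which key, not the ciphertext itself.

```python
"""Key hierarchy of a hybrid (password and/or recipient) ZIP encryption scheme.

Added example with the standard library only; not PKWARE code. Textbook RSA
without padding is used solely so the envelope can be shown without a crypto
library; a real implementation uses PKCS#1 padding (see the OAEP discussion).
"""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 200_000   # assumption; the product's iteration count is not documented here


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin: adequate for an illustrative key, not a production keygen."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(p):
            return p


def rsa_keygen(bits: int = 1024) -> tuple:
    """Return (public, private) as ((n, e), (n, d)). Small and unpadded: illustration only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def key_id(key: tuple) -> str:
    """Stand-in for the issuer/serial number that names a recipient certificate in the archive."""
    n = key[0]
    return hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest()[:16]


def wrap_msk(msk: bytes, public: tuple) -> bytes:
    """Digital envelope: the MSK encrypted under the recipient's public key, stored in the archive."""
    n, e = public
    return pow(int.from_bytes(msk, "big"), e, n).to_bytes((n.bit_length() + 7) // 8, "big")


def unwrap_msk(wrapped: bytes, private: tuple) -> bytes:
    n, d = private
    return pow(int.from_bytes(wrapped, "big"), d, n).to_bytes(32, "big")


def msk_from_password(password: str, archive_salt: bytes) -> bytes:
    """Password path: the MSK is re-derived on every run; only the salt is stored, never the key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), archive_salt, PBKDF2_ROUNDS, dklen=32)


def file_session_key(msk: bytes, name: str, file_salt: bytes) -> bytes:
    """Independent per-file key: the same MSK (hence the same password) never keys two files alike."""
    return hmac.new(msk, b"file-key|" + file_salt + b"|" + name.encode("utf-8"), hashlib.sha256).digest()


def _msk_check(msk: bytes) -> bytes:
    """Short value stored with the archive so a wrong password is rejected instead of yielding garbage."""
    return hmac.new(msk, b"msk-check", hashlib.sha256).digest()[:8]


def create_archive_keys(names, password=None, recipients=()):
    """Encrypting side. Returns (stored, file_keys): `stored` is what the archive carries
    (salts, check value, one wrapped MSK per recipient); `file_keys` never leaves memory."""
    if password is None and not recipients:
        raise ValueError("no PASSWORD or RECIPIENT given: encryption is not attempted")
    archive_salt = secrets.token_bytes(16) if password is not None else None
    msk = msk_from_password(password, archive_salt) if password is not None else secrets.token_bytes(32)
    stored = {
        "archive_salt": archive_salt,
        "msk_check": _msk_check(msk),
        # A MASTER_RECIPIENT contingency key is simply one more entry in this dictionary.
        "wrapped_msk": {key_id(pub): wrap_msk(msk, pub) for pub in recipients},
        "file_salts": {name: secrets.token_bytes(16) for name in names},
    }
    return stored, {name: file_session_key(msk, name, stored["file_salts"][name]) for name in names}


def recover_file_keys(stored, names, password=None, private=None):
    """Decrypting side: either credential alone recovers the MSK and therefore every file key."""
    if password is not None and stored["archive_salt"] is not None:
        msk = msk_from_password(password, stored["archive_salt"])
    elif private is not None and key_id(private) in stored["wrapped_msk"]:
        msk = unwrap_msk(stored["wrapped_msk"][key_id(private)], private)
    else:
        raise PermissionError("no usable credential: wrong credential type or not a recipient")
    if not hmac.compare_digest(_msk_check(msk), stored["msk_check"]):
        raise PermissionError("wrong password or private key")
    return {name: file_session_key(msk, name, stored["file_salts"][name]) for name in names}
```

Run with both a password and a recipient and the same file keys come back from either credential; run with a password only and the wrapped_msk dictionary is empty, so a later holder of any private key has nothing to unwrap. The check value is what lets a decrypting run fail cleanly on a wrong password rather than produce unreadable output.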
Which encryption settings should I choose? External factors such as legislative requirements or corporate policy may influence your selection of an algorithm or mode of encryption. In general, however, certificate-based encryption is considered more secure than password-based encryption, because its strength does not depend on the quality of a password that people must choose, remember and share.
Except for the older 96-bit "Standard" encryption algorithm, the SecureZIP for zSeries encryption algorithms are provided at a minimum of 128 bits. (DES, offered for compatibility, uses a 56-bit key and should not be chosen for new data.) PKWARE supports interoperability among OS/390, z/OS, OS400, iSeries, UNIX and Windows for all algorithms provided with ENCRYPTION_METHOD in PKWARE products at release 8.0 and later. Older releases of PKWARE products support "Standard" 96-bit encryption. When RECIPIENT PKI exchanges are required, ENCRYPTION_METHOD must specify an algorithm whose name begins with "BSAFE". Password-based AES encryption is supported by PKWARE products at release 5.5 or higher; BSAFE_AES and AES password-based encryption are fully compatible, so archives created with PKZIP for zSeries release 5.5 can be exchanged in both directions with SecureZIP or PKZIP products using the BSAFE AES algorithms. The BSAFE algorithms provided for the OS/390 and zSeries products are high-performance implementations; the 128-bit BSAFE algorithms out-perform the older 96-bit PKZIP "Standard" algorithm.
How many recipients can be specified? The ZIP file format specification allows for a maximum list size of 3,275 recipients. This can be restricted further by other file attributes associated with the data and by run-time capacity limitations (such as virtual storage). (Approximately 20 bytes are required for each recipient within the ZIP archive central directory record for each file. This area is limited to 64K in size).
What are digital signatures? A digital signature is a cryptographic mechanism, infeasible to forge without the signer's private key, that lets a recipient verify that the file to which it is attached originates from the owner of the signing certificate and is unchanged since it was signed. The private key from a user's digital certificate is used to create a digital signature; the signature is authenticated by applying the public key from the certificate. Files in a ZIP archive can be digitally signed, and an archive itself can be digitally signed. An archive is signed by attaching a signature to its central directory, which contains the archive metadata, including the list of files in the archive. A signed ZIP archive can contain files that are signed, unsigned, or both. Signing an archive enables people who receive it to confirm that the archive as a whole is unchanged. Signing only the files in an archive enables people to confirm that the individual signed files are unchanged, but does not guarantee that files have not been added or removed. SecureZIP for Windows can use certificates to sign files and to authenticate digital signatures on files that you receive from others. SecureZIP for zSeries issues an informational message when a ZIP archive central directory signature exists, and prevents a ZIP archive from being altered in place when its central directory is signed.
What is file name encryption? Someone who cannot decrypt the contents of an archive may still be able to infer sensitive information just from the unencrypted names of its files. To prevent this, you can encrypt the names of files in addition to their contents. Encrypted file names can be viewed in the clear, that is, unencrypted, only when the archive is opened by an intended recipient, if the archive was encrypted using a recipient list, or by someone who has the password, if the archive was encrypted using a password. SecureZIP for zSeries encrypts file names using your current settings for (strong) encryption method and algorithm. File names can be encrypted using either strong password encryption or a recipient list (or both). You must use one of the strong encryption methods: you cannot encrypt file names using traditional encryption.
Encrypting the names of files and folders in an archive also encrypts and hides a good deal of other internal information about the archive. To encrypt file names, SecureZIP for zSeries encrypts the archive's central directory, where virtually all such metadata about the archive is stored. Be aware, however, that archive comments are not encrypted even when you encrypt file names. Do not put sensitive information in an archive comment. An archive that contains encrypted file names requires PKZIP for zSeries 8.0 or SecureZIP for zSeries 8.0 or later to open it. SecureZIP for zSeries 8.0 can use passwords, recipients, or a combination of the two to encrypt file names. With PKZIP for zSeries, only passwords can be used to encrypt file names.
Encryption
Encryption provides confidentiality for data. Unencrypted data is called plaintext. Encryption transforms the plaintext into an unreadable form, called ciphertext, using an encryption key. Decryption transforms the ciphertext back into plaintext using a decryption key. Several algorithms have been approved in FIPS for the encryption of general-purpose data. Each of these algorithms is a symmetric key algorithm, where the encryption key is the same as the decryption key. SecureZIP for zSeries uses symmetric key algorithms when encrypting user data. To maintain the confidentiality of the data encrypted by a key, the key must be known only to the entities that are authorized to access the data. These symmetric key algorithms are commonly known as block cipher algorithms because the encryption and decryption processes each operate on blocks (chunks) of data of a fixed size. FIPS 46-3 (DES and Triple DES) and FIPS 197 (AES) have been approved for the encryption of general-purpose data; note that NIST withdrew FIPS 46-3 in May 2005, so single DES is no longer an approved algorithm and AES is the preferred choice for new data. The protection of keys is discussed below under "Key Management."
Authentication
Requires SecureZIP
Authentication is the process of validating digital signatures that may be attached to files in an archive or to an archive’s central directory. Authentication is a separate operation from data encryption. Whereas encryption is concerned with preventing parties from accessing sensitive data (such as private medical or financial information), authentication confirms that information actually comes unchanged from the purported source. Authenticating digitally signed data both verifies the signature and validates the signed data.
Data Integrity
Both PKZIP and SecureZIP use a Cyclic Redundancy Check (CRC) to ensure that data is transferred into and out of a ZIP archive without error. The CRC process computes a 32-bit check value, a "thumbprint", from the original data stream. The value is stored independently of the data stream, regenerated at the receiving end during UNZIP processing, and compared with the stored value for equality to complete validation of the data. A CRC detects accidental damage but not deliberate tampering, because anyone who alters the data can also recompute the CRC to match.
SecureZIP extends the concept of the CRC in two ways for the purpose of providing a tamper-resistant container within the ZIP archive. First, cryptographic hash algorithms (MD5 and SHA-1, as specified by the SIGN_HASHALG command) are used in place of the 32-bit CRC, so that constructing a different data stream with the same value is computationally infeasible. Second, the hash value is signed with the private key of a certificate, producing a digital signature that cannot be recomputed by anyone who lacks that private key. (Both MD5 and SHA-1 have since been shown to be vulnerable to collision attacks; of the two, SHA-1 is the stronger, and a SHA-2 hash should be preferred wherever the products at both ends support one.) For more information regarding SHA-1 (Secure Hash Algorithm), see FIPS PUB 180-1, describing the Secure Hash Standard, at http://www.itl.nist.gov/fipspubs/fip180-1.htm. SecureZIP for zSeries provides two commands, SIGN_ARCHIVE and SIGN_FILES, to initiate the creation of digital signatures within the ZIP archive. The AUTHCHK command performs a tamper check using the digital signature and hash.
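The difference between a CRC and a signed hash can be demonstrated. In the added Python example below (not PKWARE code), a tampered record is given a four-byte suffix that restores the original CRC-32, so the ZIP-style CRC comparison passes; the same tampering is caught by a keyed SHA-256 digest. The HMAC stands in here for the private-key signature described above, since both bind the digest to a secret the attacker does not hold; the record contents and the key are constructed for the example. The table, check value and suffix construction are those of the standard ZIP CRC-32 (polynomial 0xEDB88320).

```python
"""CRC-32 can be forged; a keyed digest cannot. Added example, not PKWARE code."""
import hashlib
import hmac
import zlib

# ZIP CRC-32: reflected polynomial 0xEDB88320, register initialised to and finally XORed with 0xFFFFFFFF.
_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _TABLE.append(_c)
# The top byte of each table entry is distinct, which is what lets the update be run backwards.
_BY_TOP_BYTE = {t >> 24: k for k, t in enumerate(_TABLE)}


def crc32_register(data: bytes, reg: int = 0xFFFFFFFF) -> int:
    """Internal register after `data`; zlib.crc32(data) == crc32_register(data) ^ 0xFFFFFFFF."""
    for b in data:
        reg = _TABLE[(reg ^ b) & 0xFF] ^ (reg >> 8)
    return reg


def forge_crc_suffix(tampered: bytes, target_crc: int) -> bytes:
    """Return four bytes s such that zlib.crc32(tampered + s) == target_crc."""
    # Backward pass: after four more bytes the register depends only on the four table
    # indices used, so recover those indices from the target register, last byte first.
    idx = [0] * 4
    d = target_crc ^ 0xFFFFFFFF
    for i in (3, 2, 1, 0):
        idx[i] = _BY_TOP_BYTE[d >> 24]
        d = ((d ^ _TABLE[idx[i]]) << 8) & 0xFFFFFFFF
    # Forward pass: pick each byte so that the running register selects that index.
    reg = crc32_register(tampered)
    suffix = bytearray()
    for k in idx:
        suffix.append((reg ^ k) & 0xFF)
        reg = _TABLE[k] ^ (reg >> 8)
    return bytes(suffix)


def forge_to_match(tampered: bytes, original: bytes) -> bytes:
    """Tampered data plus a suffix that makes its CRC-32 equal the original's."""
    return tampered + forge_crc_suffix(tampered, zlib.crc32(original))


def crc_check(original: bytes, received: bytes) -> bool:
    """The ZIP integrity check: stored CRC of the original versus CRC of what arrived."""
    return zlib.crc32(received) == zlib.crc32(original)


def keyed_digest(data: bytes, key: bytes) -> bytes:
    """Stand-in for the signed SHA hash: a SHA-256 digest bound to a key the attacker lacks."""
    return hmac.new(key, data, hashlib.sha256).digest()


def digest_check(stored_digest: bytes, received: bytes, key: bytes) -> bool:
    return hmac.compare_digest(stored_digest, keyed_digest(received, key))


def demo() -> dict:
    """Constructed sample record: the payee and amount are altered, then the CRC is repaired."""
    original = b"PAY TO: ALICE   AMOUNT: 00100.00\n"
    tampered = b"PAY TO: MALLORY AMOUNT: 99999.00\n"
    key = b"signer-private-key-stand-in"          # constructed; never stored in the archive
    forged = forge_to_match(tampered, original)
    return {
        "forged": forged,
        "crc_passes": crc_check(original, forged),                               # True: CRC fooled
        "digest_passes": digest_check(keyed_digest(original, key), forged, key),  # False: caught
    }


if __name__ == "__main__":
    r = demo()
    print("forged record :", r["forged"])
    print("CRC-32 check  :", "passes" if r["crc_passes"] else "fails")
    print("keyed digest  :", "passes" if r["digest_passes"] else "fails")
```

The four appended bytes are arbitrary binary, so in a real attack they would be hidden in a field the consuming application ignores (trailing padding, a comment). The point is that nothing in the CRC computation is secret: a value that any party can recompute can be repaired by any party, which is why the page pairs a cryptographic hash with a private-key signature for its tamper check.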
Digital Signature Validation
Requires SecureZIP
SecureZIP uses certificate-based public-key cryptography within the public key infrastructure (PKI) to generate and validate digital signatures. PKI provides an authentication chain for certificates to establish that the signature was created by the purported source. SecureZIP supports the certificate chain authentication process by including the necessary identification information within the ZIP archive, so that the certificate(s) used for signing can subsequently be authenticated through a complete chain of trust. To complete the chain of trust, a root (self-signed) certificate representing the certificate's issuing organization is installed on the authenticating system. This gives the receiving organization the authority to declare how the final trust decision is made. Signatures based on certificates from certificate authorities (CAs) that are not authorized or trusted are declared untrusted by SecureZIP. Additional facets of validating a certificate's viability for use include the defined range of dates within which the certificate may be used and whether the certificate has been declared revoked. Configurable SecureZIP policies (the EXPIRED and REVOKED attributes) ensure that the certificates involved in authentication also adhere to these restrictions. SecureZIP for zSeries provides a means to install and access the certificates necessary for signing and authentication. The AUTHCHK command, along with the configured policy settings, governs the type (archive directory or data files) and level of authentication that is performed.
Digital Signature Source Validation
A final step in completing the authentication process is to ensure that the archive and/or file data was sent by a particular source. Up to this point, using the previous two aspects of authentication, we know that the archive directory and/or files were signed with a private key whose certificate chains to a trusted CA, and that the data stream has not been tampered with since it was placed into the ZIP archive. However, these steps alone do not guarantee that a different party holding a certificate under the same root/CA chain did not perform the signing operation. SecureZIP for zSeries provides an optional parameter on the AUTHCHK command to declare the specific party from whom the data is expected; use it whenever the sender is known, since trust in a CA is not the same as trust in a particular signer.
Public-Key Infrastructure and Digital Certificates
Public-Key Infrastructure (PKI) Use of digital certificates for encryption and digital signing relies on a combination of supporting elements known as a public-key infrastructure (PKI). These elements include software applications such as SecureZIP that work with certificates and keys as well as underlying technologies and services. The heart of PKI is a mechanism by which two cryptographic keys associated with a piece of data called a certificate are used for encryption/decryption and for digital signing and authentication. The keys look like long character strings but represent very large numbers. One of the keys is private and must be kept secure so that only its owner can use it. The other is a public key that may be freely distributed for anyone to use to encrypt data intended for the owner of the certificate or to authenticate signatures.
How the Keys Are Used
With encryption/decryption, a copy of the public key is used to encrypt data such that only the possessor of the private key can decrypt it. Thus anyone with the public key can encrypt for a recipient, and only the targeted recipient has the key with which to decrypt. With digital signing and authentication, the owner of the certificate uses the private key to sign data, and anyone with access to a copy of the certificate containing the public key can authenticate the signature and be assured that the signed data really comes unchanged from the signer. Authentication has one additional step. As an assurance that the signer is who he says he is, that is, that the certificate with Bob's name on it is not fraudulent, the signer's certificate itself is signed by an issuing certificate authority (CA). The CA in effect vouches that Bob is who he says he is. The CA signature is authenticated using the public key of the CA certificate used. This CA certificate too may be signed, but at some point the trust chain stops with a self-signed root CA certificate that is simply trusted. The PKI provides for these several layers of end-user public key certificates, intermediate CA certificates, and root certificates, as well as for users' private keys.
X.509
X.509 is an International Telecommunication Union (ITU-T) standard for PKI. X.509 specifies, among other things, standard formats for public-key certificates. A public-key certificate consists of the public portion of an asymmetric cryptographic key (the public key), together with identity information, such as a person's name, all signed by a certificate authority. The CA essentially guarantees that the public key belongs to the named entity.
Digital Certificates
A digital certificate is a special message that contains a public key and identity information about the owner, such as the owner's name and perhaps email address. An ordinary, end-user digital certificate is digitally signed by the CA that issued it to warrant that the CA issued the certificate and has received satisfactory documentation that the owner of the certificate is who he says he is. This warrant, from a trusted CA, enables the certificate to be used to support digital signing and authentication, and encryption of data uniquely for the owner of the certificate. For example, Web servers frequently use digital certificates to authenticate the server to a user and create an encrypted communications session to protect transmitted secret information such as Personal Identification Numbers (PINs) and passwords. Similarly, an email message may be digitally signed, enabling the recipient of the message to authenticate its authorship and confirm that it was not altered during transmission. To use PKI technology in SecureZIP for zSeries for encryption and to attach digital signatures, you must have a digital certificate. To learn how to get a digital certificate and to use certificates for encryption, see Chapter 6.
Certificate Authority (CA) A certificate authority (CA) is a company (usually) that, for a fee, will issue a public-key certificate. The CA signs the certificate to warrant that the CA issued the certificate and has received satisfactory documentation that the owner of the new certificate is who he says he is.
Private Key
An asymmetric cryptographic key has a private portion and a public portion. The digital certificate itself carries only the public key, together with identity information such as a person's name and (possibly) email address; the private key is held separately, typically in a password-protected PKCS#12 file alongside a copy of the certificate. The private portion of the key is called the private key and is used to decrypt data encrypted with the associated public key and to create digital signatures. A private key must be accessible solely to the owner of the certificate, because it represents that person and provides access to encrypted data intended only for the owner. SecureZIP for zSeries keeps private keys in PKCS#12 format, which means that a private key cannot be accessed unless its password is supplied for each SecureZIP request.
Public Key A public key consists of the public portion of an asymmetric cryptographic key in a certificate that also contains identity information, such as the certificate owner’s name. The public key is used to authenticate digital signatures created with the private key and to encrypt files for the owner of the key’s certificate. For information on the digital enveloping process SecureZIP for zSeries uses for certificate- based encryption, download the Secure .ZIP Envelopes white paper from the PKWARE Web site.
Certificate Authority and Root Certificates
End-entity certificates and their related keys are used for signing and authentication. They are created at the end of the trust hierarchy of certificate authorities. Each certificate is signed by its CA issuer, which is identified in the "Issued By" field of the end certificate. In turn, a CA certificate can itself be issued by a higher-level CA; such certificates are known as intermediate CA certificates. At the top of the issuing chain is a self-signed certificate known as the root. SecureZIP for zSeries uses public-key certificates in PKCS#7 format. The intermediate CA certificates are maintained independently from the ROOT certificates.
Setting Up Stores for Digital Certificates on zOS
Requires SecureZIP
To use certificates for encryption/decryption or digital signing/authentication, SecureZIP needs to access the keys in the certificates. Unlike Windows, zOS does not have a native facility for storing digital certificates and converting them into a form that SecureZIP can use. To address this, SecureZIP provides a utility program to set up and manage certificate stores on zOS for use with SecureZIP.
Setting Up the Certificate Stores
The PKWARE utility used to administer the local certificate store is accessed through an ISPF dialog. The CREATE option assists you in setting up the store and imports certificates you want SecureZIP to use. For detailed instructions on creating certificate stores on zOS, refer to the SecureZIP for zSeries System Administrator’s Guide. The utility procedure maintains the stores listed in the following table.

Store                                   Description
Public                                  A store for end-entity certificates used to identify encryption recipients or for authentication of digital signatures. Certificate files in this store contain only public keys; they do not contain private keys. SecureZIP for zSeries represents these certificates held in the local certificate store through the ISPF interface as “CER” entries. Other system types may refer to this store as “Other People” or “Address Book”.
Private                                 A store for end-entity certificate files with their respective private keys. Private keys are used to decrypt files or perform digital signing. SecureZIP for zSeries represents these certificates held in the local certificate store through the ISPF interface as “PFX” entries. (Private keys in this store are encrypted using PKCS#8 format and PKCS#5 version 2.) Other system types may refer to this store as “Personal” or “MY Store”.
Intermediate Certificate Authority      A store of issuing certificate files associated with the end-entity certificates. These certificates are used to authenticate the validity of an end-entity digital signature on a receiving system. They are also included in a SecureZIP archive when a signing operation is performed. Other system types may refer to this store as “CA”.
Trusted Root Certificate Authority      A store of issuing certificates that are classified as “self signed,” meaning that each one is at the top of a hierarchy of issuing CAs. These certificates are used to authenticate the validity of an end-entity digital signature on a receiving system. They are deemed to be “trusted” by virtue of their installation on an authenticating system. They are also included in a SecureZIP archive when a signing operation is performed. Other system types may refer to this store as “ROOT”.

The local certificate store administrative utility sets up the certificate stores as physical files containing X.509 certificates, with a VSAM index structure providing search and selection capabilities. A SecureZIP for zSeries “create” dialog is provided to lead a systems administrator through the steps needed to allocate and prime a new local certificate store. Sample test certificates are installed to each store type, making it ready for use. In addition, a configuration file is generated that should be made accessible to SecureZIP users for use in encryption, decryption, signing, and authentication requests. The configuration file may be included explicitly through an INCLUDE_CMD command, or implicitly by activating it through the PARMLIB configuration of the SecureZIP defaults module. A set of high-level qualifiers is used to control the allocation of the physical store data sets and index components. This permits multiple distinct local certificate stores to be created, administered and accessed independently within a system. This is useful for segregating test from production, or other departmental separation. Data set protection may then be applied to various components to control update or read access as needed. RACF ALTER authority (or equivalent) must be granted to the systems administrator responsible for creating a new certificate store. This authority is also required for creating backups, performing recovery operations, or performing some synchronization tasks which re-allocate components.
Updating the Certificate Stores
X.509 certificates may be added to the local certificate store through the SecureZIP local certificate store administration tool. These certificates are frequently obtained through another platform and transferred (binary) to the operational zOS system for installation.
Important: All X.509 certificates should be transferred to the local zOS environment in binary mode with no translation.
When certificates are added, the certificate administration tool determines the appropriate store location based on the certificate type specified and dynamically builds an index entry for future search and selection. SecureZIP can import certificates and keys in the following file formats:
Format     Description
PEM        Contains a single end-entity public-key certificate. It may be in Base-64 encoded (ASCII text with ASCII headers) or DER-encoded binary format. Common file extensions: .pem, .cer, .key
PKCS#12    Contains a single end-entity private-key certificate (which also contains its public key). By definition, it is in binary format. Common file extensions: .pfx, .p12
PKCS#7     Contains one or more CA (and/or Root) certificates. Common file extension: .p7b
You must tell the certificate store administrative dialog what certificate file-type and key-type to import. The utility copies the existing certificates and keys from their specified location and adds them to the appropriate store locations. When transferring certificates to the zOS environment in preparation for an import to the local certificate store, be sure to allocate the file they are stored in as sequential, with a DCB RECFM of F, FB, V or VB. RACF UPDATE authority (or equivalent) must be granted to the systems administrator responsible for altering the certificate store. This authority is also required when performing the on-line Synchronize function.
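The format table and the binary-transfer rule above can be checked before an import is attempted. The following Python is an added example, not PKWARE code: it recognises PEM armour, peels the outer DER SEQUENCE to tell an X.509 certificate, a PKCS#7 signedData blob and a PKCS#12 PFX apart, and flags a PEM file whose ASCII header was turned into EBCDIC by a text-mode transfer. The sample inputs are constructed stubs with only the outer structure present, not real certificates.

```python
import re

# "-----BEGIN " as it looks after an ASCII-to-EBCDIC (IBM-037/1047) text-mode transfer.
PEM_BEGIN_EBCDIC = bytes.fromhex("6060606060C2C5C7C9D540")
PEM_HEADER = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")
OID_PKCS7_SIGNED_DATA = bytes.fromhex("2A864886F70D010702")   # 1.2.840.113549.1.7.2


def der_header(buf, pos):
    """Decode tag and length of the DER element at buf[pos].

    Returns (tag, length, content_offset), or None when the bytes are not a
    well-formed definite-length DER header (lengths over 4 bytes are rejected).
    """
    if pos + 2 > len(buf):
        return None
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short form: one length byte
        return tag, first, pos + 2
    n = first & 0x7F                       # long form: n following length bytes
    if n == 0 or n > 4 or pos + 2 + n > len(buf):
        return None
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def classify_cert_file(data):
    """Name the container format of a certificate file, or why it cannot be imported."""
    if data.startswith(PEM_BEGIN_EBCDIC):
        return "EBCDIC-translated PEM"      # sent in text mode; re-transfer in binary
    m = PEM_HEADER.match(data.lstrip())
    if m:
        return "PEM (%s)" % m.group(1).decode("ascii")
    outer = der_header(data, 0)
    if outer is None or outer[0] != 0x30:  # each binary format here is an outer SEQUENCE
        return "unknown"
    _, length, start = outer
    if start + length > len(data):
        return "truncated DER"              # padding past the end (fixed records) is tolerated
    inner = der_header(data, start)
    if inner is None:
        return "unknown"
    tag, ilen, istart = inner
    if tag == 0x30:                         # first element is tbsCertificate
        return "DER X.509 certificate"
    if tag == 0x02 and data[istart:istart + ilen] == b"\x03":   # PFX version INTEGER 3
        return "PKCS#12 (PFX version 3)"
    if tag == 0x06 and data[istart:istart + ilen] == OID_PKCS7_SIGNED_DATA:
        return "PKCS#7 signedData"
    return "unknown"


def der_sequence(body):
    """Wrap body in a DER SEQUENCE, using the short or the two-byte long length form."""
    if len(body) < 0x80:
        return b"\x30" + bytes([len(body)]) + body
    return b"\x30\x82" + len(body).to_bytes(2, "big") + body


# Constructed stub inputs (not real certificates); "CERTIFICATE" in EBCDIC follows the header.
SAMPLES = {
    "pem": b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
    "pem_ebcdic": PEM_BEGIN_EBCDIC + bytes.fromhex("C3C5D9E3C9C6C9C3C1E3C5"),
    "x509_der": der_sequence(der_sequence(b"\x00" * 200)),       # exercises long-form lengths
    "pkcs12": der_sequence(b"\x02\x01\x03" + der_sequence(b"")),
    "pkcs7": der_sequence(b"\x06\x09" + OID_PKCS7_SIGNED_DATA),
    "cut": b"\x30\x82\x01\x2c\x30\x00",                             # claims 300 bytes, has 2
}


def classify_samples():
    return {name: classify_cert_file(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:11s} -> {verdict}")
```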
Types of Encryption Algorithms
FIPS 46-3, Data Encryption Standard (DES)
The FIPS (Federal Information Processing Standards) specification 46-3 formerly specified the DES algorithm for use in Federal government applications. In 2004, the specification was changed such that DES is no longer approved for Federal government applications.

Triple DES Algorithm (3DES)
Triple DES is a more recent algorithm related to DES. Triple DES is a method for encrypting data in 64-bit blocks using three 56-bit keys by combining three successive invocations of the DES algorithm. ANSI X9.52 specifies seven modes of operation for 3DES and three keying options: 1) the three keys may be identical (one key 3DES), 2) the first and third key may be the same but different from the second key (two key 3DES), or 3) all three keys may be different (three key 3DES). One key 3DES is equivalent to DES under the same key; therefore, one key 3DES, like DES, will not be approved after 2004. Two key 3DES provides more security than one key 3DES (or DES), and three key 3DES achieves the highest level of security for 3DES. NIST recommends the use of three different 56-bit keys in Triple DES for Federal Government sensitive/unclassified applications. SecureZIP for zSeries uses three-key 3DES when Triple DES is selected as the data encryption algorithm.

Advanced Encryption Standard (AES)
The Advanced Encryption Standard (AES) encryption algorithm specified in FIPS 197 is the result of a multiyear, worldwide competition to develop a replacement algorithm for DES. The winning algorithm (originally known as Rijndael) was announced in 2000 and adopted in FIPS 197 in 2001. The AES algorithm encrypts and decrypts data in 128-bit blocks, with three possible key sizes: 128, 192, or 256 bits. The nomenclature for the AES algorithm for the different key sizes is AES-x, where x is the size of the AES key. NIST considers all three AES key sizes adequate for Federal Government sensitive/unclassified applications. Please see http://www.nist.gov/public_affairs/releases/g00-176.htm for a press release recapping NIST’s position. SecureZIP for zSeries uses AES as the default encryption algorithm.

Comparison of the 3DES and AES Algorithms
Both the 3DES and AES algorithms are considered to be secure for the foreseeable future. Below are some points of comparison:
• 3DES builds on DES implementations and is readily available in many cryptographic products and protocols. The AES algorithm is new; although many implementers are quickly adding the algorithm to their products, and protocols are being modified to incorporate the algorithm, it may be several years before the AES algorithm is as pervasive as 3DES.
• The AES algorithm was designed to provide better performance (e.g., faster speed) than 3DES.
• Although the security of block cipher algorithms is difficult to quantify, the AES algorithm, at any of the key sizes, appears to provide greater security than 3DES. In particular, the best attack known against AES-128 is to try every possible 128-bit key (i.e., perform an exhaustive key search, also known as a brute force attack). By contrast, although three key 3DES has a 168-bit key, there is a “shortcut” attack on 3DES that is comparable, in the number of required operations, to performing an exhaustive key search on 112-bit keys. However, unlike exhaustive key search, this shortcut attack requires a lot of memory. Assuming that such shortcut attacks are not discovered for the AES algorithm, use of the AES algorithm may be more appropriate for the protection of high-risk or long-term data.
• The smallest AES key size is 128 bits; the recommended key size for 3DES is 168 bits. The smaller key size means that fewer resources are needed for the generation, exchange, and storage of key bits.
• The AES block size is 128 bits; the 3DES block size is 64 bits. For some constrained environments, the smaller block size may be preferred; however, the larger AES block size is more suitable for cryptographic applications, especially those requiring data authentication on large amounts of data.
See http://www.nist.gov/public_affairs/releases/g00-176.htm for a press release describing NIST’s position on the two algorithms.

With a block cipher algorithm, the same plaintext block will always encrypt to the same ciphertext block whenever the same key is used. If the multiple blocks in a typical message were to be encrypted separately, an adversary could easily substitute individual blocks, possibly without detection. Furthermore, data patterns in the plaintext would be apparent in the ciphertext. Cryptographic modes of operation have been defined to alleviate these problems by combining the basic cryptographic algorithm with a feedback of the information derived from the cryptographic operation. FIPS 81, DES Modes of Operation, defines four confidentiality (encryption) modes for the DES algorithm specified in FIPS 46-3: the Electronic Codebook (ECB) mode, the Cipher Block Chaining (CBC) mode, the Cipher Feedback (CFB) mode, and the Output Feedback (OFB) mode. SecureZIP for zSeries uses Cipher Block Chaining for data encryption.
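The 3DES keying options and the ECB-versus-CBC point above can be seen in code. This is an added example, not PKWARE code: an 8-byte toy block cipher stands in for DES/AES (the mode logic does not depend on the cipher; the toy is not secure) to show that repeated plaintext blocks repeat in ECB but not in CBC, that CBC decrypts back to the original, and that one-key Encrypt-Decrypt-Encrypt collapses to a single encryption. KEY, IV and PLAINTEXT are constructed values.

```python
BLOCK, ROUNDS = 8, 4
SBOX = [(167 * x + 13) & 0xFF for x in range(256)]   # byte permutation (167 is odd, so invertible)
INV_SBOX = [0] * 256
for _i, _s in enumerate(SBOX):
    INV_SBOX[_s] = _i


def _round_keys(key):
    assert len(key) == BLOCK
    return [bytes(key[(i + r) % BLOCK] ^ r for i in range(BLOCK)) for r in range(ROUNDS)]


def toy_encrypt_block(key, block):
    """Toy 64-bit block cipher standing in for DES/AES: substitute, chain, rotate."""
    b = list(block)
    for rk in _round_keys(key):
        b = [SBOX[x ^ k] for x, k in zip(b, rk)]        # key mixing + substitution
        for i in range(1, BLOCK):                       # XOR chain spreads each byte rightwards
            b[i] ^= b[i - 1]
        b = b[1:] + b[:1]                               # rotate so the chain wraps next round
    return bytes(b)


def toy_decrypt_block(key, block):
    b = list(block)
    for rk in reversed(_round_keys(key)):
        b = b[-1:] + b[:-1]                             # undo rotate
        for i in range(BLOCK - 1, 0, -1):               # undo XOR chain, high byte first
            b[i] ^= b[i - 1]
        b = [INV_SBOX[x] ^ k for x, k in zip(b, rk)]    # undo substitution + key mixing
    return bytes(b)


def _pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(key, plaintext):
    """Each block encrypted independently: equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(toy_encrypt_block(key, blk) for blk in _blocks(_pad(plaintext)))


def cbc_encrypt(key, iv, plaintext):
    """Each block is XORed with the previous ciphertext block (the IV first) before encryption."""
    out, prev = [], iv
    for blk in _blocks(_pad(plaintext)):
        prev = toy_encrypt_block(key, _xor(blk, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for blk in _blocks(ciphertext):
        out.append(_xor(toy_decrypt_block(key, blk), prev))
        prev = blk
    return _unpad(b"".join(out))


def distinct_blocks(ciphertext):
    return len(set(_blocks(ciphertext)))


def tdes_ede_encrypt_block(k1, k2, k3, block):
    """Encrypt-Decrypt-Encrypt with three keys, the structure Triple DES uses."""
    return toy_encrypt_block(k3, toy_decrypt_block(k2, toy_encrypt_block(k1, block)))


def tdes_ede_decrypt_block(k1, k2, k3, block):
    return toy_decrypt_block(k1, toy_encrypt_block(k2, toy_decrypt_block(k3, block)))


# Constructed inputs: the plaintext repeats two 8-byte blocks four times, then one padding block.
KEY, IV = b"K1K1K1K1", bytes(range(1, 9))
PLAINTEXT = b"ATTACK AT DAWN. " * 4


def demo():
    ecb, cbc = ecb_encrypt(KEY, PLAINTEXT), cbc_encrypt(KEY, IV, PLAINTEXT)
    blk = PLAINTEXT[:BLOCK]
    return {
        "blocks": len(_blocks(cbc)),
        "ecb_distinct": distinct_blocks(ecb),       # pattern leaks: only 3 distinct of 9
        "cbc_distinct": distinct_blocks(cbc),       # chaining hides the repetition
        "cbc_roundtrip": cbc_decrypt(KEY, IV, cbc) == PLAINTEXT,
        "one_key_ede_is_single": tdes_ede_encrypt_block(KEY, KEY, KEY, blk) == toy_encrypt_block(KEY, blk),
    }


if __name__ == "__main__":
    print(demo())
```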
RC4
The RC4 algorithm is a stream cipher designed by Rivest for RSA Security. It is a variable key-size stream cipher with byte-oriented operations. The algorithm is based on the use of a random permutation. Analysis shows that the period of the cipher is overwhelmingly likely to be greater than 10^100. Eight to sixteen machine operations are required per output byte, and the cipher can be expected to run very quickly in software. Independent analysts have scrutinized the algorithm and it is considered secure. RC4 is used for secure communications, as in the encryption of traffic to and from secure web sites using the SSL protocol.
Key Management
The proper management of cryptographic keys is essential to the effective use of cryptography for security. Keys are like the combination of a safe. If the combination becomes known to an adversary, the strongest safe provides no security against penetration. Similarly, poor key management can easily compromise strong algorithms. Ultimately, the security of information protected by cryptography directly depends on the strength of the keys, the effectiveness of mechanisms and protocols associated with keys, and the protection afforded the keys.
Cryptography can be rendered ineffective by the use of weak products, inappropriate algorithm pairing, poor physical security, and the use of weak protocols. All keys need to be protected against modification, and secret and private keys need to be protected against unauthorized disclosure. Key management provides the foundation for the secure generation, storage, distribution, and destruction of keys. Further information is available on key management at the NIST Computer Security Resource Center web site, http://csrc.nist.gov/CryptoToolkit/tkkeymgmt.html
Passwords and PINs
FIPS 112, Password Usage, provides guidance on the generation and management of passwords used to authenticate the identity of a system user and, in some instances, to grant or deny access to private or shared data. This standard recognizes that passwords are widely used in computer systems and networks for these purposes, although passwords are not the only method of personal authentication, and the standard does not endorse the use of passwords as the best method. The password used to encrypt a file with PKZIPz may be from 1 to 250 characters in length. Different passwords may be used for various files within a ZIP archive, although only one password may be specified per run. The password is not stored in the ZIP archive and, as a result, care must be taken to keep passwords secure and accessible by some other source.
Recipient Based Encryption
Requires SecureZIP
Password-based encryption depends on both the sender and the receiver knowing the password and supplying it in clear text. The password is used to derive a binary master session key for each decryption run. No key information is kept within the ZIP archive, therefore both parties must retain the password in an external location. Recipient-based encryption provides a means by which the master session key (MSK) information can be hidden, protected, and carried within the ZIP archive. This is done by using a technique known as digital enveloping with public key encryption. The technique requires that the creating process have a copy of the recipient's public key digital certificate, which is used to protect and store the MSK. In addition, the receiving side must have a copy of the recipient's private key digital certificate. With these two pieces of information in place, there is no need for users to retain or recall a password for decryption.
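The digital-envelope flow described above, including the RECIPIENT and MASTER_RECIPIENT roles this manual defines, as an added Python model (not PKWARE's envelope format or code). Textbook RSA over two small hard-coded primes stands in for the certificate key pairs and a SHA-256 counter keystream stands in for the data cipher; both are illustration only and not secure. The party names, primes and the 56-bit MSK size are constructed assumptions.

```python
import hashlib
import secrets

RSA_E = 65537


def make_keypair(p, q):
    """Textbook RSA key pair from two primes (toy sizes; real certificates carry 2048-bit keys)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": RSA_E, "d": pow(RSA_E, -1, phi)}


def public(key):
    """The part of a key pair that travels in a certificate."""
    return {"n": key["n"], "e": key["e"]}


def wrap_msk(msk, pub):
    """Protect the master session key under a recipient's public key: one envelope per recipient."""
    if not 0 < msk < pub["n"]:
        raise ValueError("MSK must be smaller than the modulus")
    return pow(msk, pub["e"], pub["n"])


def unwrap_msk(wrapped, priv):
    """Recover the MSK with the matching private key."""
    return pow(wrapped, priv["d"], priv["n"])


def keystream_xor(msk, data):
    """Stand-in data cipher: XOR with SHA-256(msk || counter) blocks. Symmetric."""
    key = msk.to_bytes(8, "big")
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def create_archive(plaintext, recipient_pubkeys, master_pubkeys, msk=None):
    """Encrypt once under a fresh MSK; envelope that MSK for every RECIPIENT and MASTER_RECIPIENT."""
    if msk is None:
        msk = secrets.randbelow(2 ** 56 - 1) + 1
    parties = {**recipient_pubkeys, **master_pubkeys}
    return {
        "ciphertext": keystream_xor(msk, plaintext),
        "envelopes": {name: wrap_msk(msk, pub) for name, pub in parties.items()},
    }


def open_archive(archive, name, priv):
    """A party opens the archive with its own private key; no password is exchanged or stored."""
    if name not in archive["envelopes"]:
        raise KeyError(f"{name} is not a recipient of this archive")
    return keystream_xor(unwrap_msk(archive["envelopes"][name], priv), archive["ciphertext"])


# Constructed key pairs: an ordinary RECIPIENT and an enterprise MASTER_RECIPIENT contingency key.
ALICE = make_keypair(1000000007, 998244353)
MASTER = make_keypair(1000000009, 999999937)


def demo(plaintext=b"Q3 payroll export", msk=0xC0FFEE12345678):
    archive = create_archive(plaintext, {"ALICE": public(ALICE)}, {"MASTER": public(MASTER)}, msk)
    try:
        open_archive(archive, "MALLORY", MASTER)
        outsider_refused = False
    except KeyError:
        outsider_refused = True
    return {
        "alice_reads": open_archive(archive, "ALICE", ALICE) == plaintext,
        "master_reads": open_archive(archive, "MASTER", MASTER) == plaintext,   # contingency access
        "alice_msk": unwrap_msk(archive["envelopes"]["ALICE"], ALICE),
        "envelopes_differ": archive["envelopes"]["ALICE"] != archive["envelopes"]["MASTER"],
        "outsider_refused": outsider_refused,
        "ciphertext_hides_text": archive["ciphertext"] != plaintext,
    }


if __name__ == "__main__":
    print(demo())
```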
Random Number Generation
Random numbers are used within many cryptographic applications, such as the generation of keys and other cryptographic values, the generation of digital signatures, and challenge response protocols. Some approved algorithms to produce random numbers have been specified in FIPS 186-2, Digital Signature Standard. An effort is in progress by the Financial Services Committee of ANSI to develop a random number generation standard.
Integrity of Public and Private Keys
Public and private keys must be managed properly to ensure their integrity. The key owner is responsible for protecting private keys. The private signature key must be kept under the sole control of the owner to prevent its misuse. The integrity of the public key, by contrast, is established through a digital certificate issued by a certification authority (CA) that cryptographically binds the individual’s identity to his or her public key. Binding the individual’s identity to the public key enables the key to be reliably used, for example, to authenticate signatures created with the corresponding private key. A PKI includes the ability to recover from situations where an individual’s private signature key is lost, stolen, compromised, or destroyed. This is done by revoking the digital certificate that contains the private signature key’s corresponding public key (discussed further below). The user then creates or is issued a new public/private signature key pair and receives a new digital certificate for the new public key.
3 PKZIP and SecureZIP for zSeries Release Information
Release Summary
New Products
The following products have been added to the PKWARE SecureZIP suite for the zOS operating environment:
• SecureZIP for zSeries Reader
• SecureZIP for zSeries SecureLink
New Features
New features in PKZIP for zSeries Release 8.2 include:
• Increased pass phrase (PASSWORD) length to 250 characters
• Faster compression
• Better compression ratios
• New COMPRESSION_METHOD command
• New GZIPCRC_IGNORE command
• New ZIP_UNMOVABLE_CHKPT command
• Additional COMPRESSION_LEVEL settings
• Add PKSUPPRC(ZPEN016W) License warning override
• Add PKSUPPRC(ZPEX084E) Unsupported Compression method
• New SIGNAL_ZIP64 command (Enterprise Edition)
• Decryption of password-based Strongly Encrypted files (Enterprise Edition)
• Decryption of password-based Strongly Encrypted Directory (Enterprise Edition)

New features in SecureZIP for zSeries Release 8.2 include:
• Increased pass phrase (PASSWORD) length to 250 characters
• Support for multiple MASTER_RECIPIENT encryption contingency keys
• Faster compression
• Better compression ratios
• New COMPRESSION_METHOD command
• New GZIPCRC_IGNORE command
• New ZIP_UNMOVABLE_CHKPT command
• Additional COMPRESSION_LEVEL settings
• Add PKSUPPRC(ZPEN016W) License warning override
• Add PKSUPPRC(ZPEX084E) Unsupported Compression method
New features in SecureZIP for zSeries Release 8.1 include:
• Advanced signing and authentication security features. SecureZIP for zSeries offers the ability to digitally sign the archive directory and/or files for secure messaging and storage.
• New SIGN_ARCHIVE command
• New SIGN_FILES command
• New AUTCHK command
• New return code = 6 for authentication failures
• Add PKSUPPRC(ZPEN035E) Archive Authentication Failure
• Add PKSUPPRC(ZPEN045E) File Authentication Failure
• Add PKSUPPRC(ZPEN039E) Archive Authentication Incomplete
• Add PKSUPPRC(ZPEN049E) File Authentication Incomplete
• Add PKSUPPRC(ZPEN057W) Certificate Validation Failed
• New SIGNAL_ZIP64 command
New features in SecureZIP for zSeries Release 8.2 include:
• Advanced password and certificate-based security features. SecureZIP for zSeries offers multiple methods of encryption and is an excellent choice for secure messaging and storage.
• Access certificates in directory servers via an LDAP compliant interface. SecureZIP for zSeries can look for certificates in LDAP certificate stores. SecureZIP for zSeries can automatically search these stores for recipients to whom you are sending an email message so that you can use their keys when encrypting an attachment. Requires the optional Directory Integration Feature.
• BSAFE® Encryption
• Add PKSUPPRC(ZPEN002W) Algorithm not supported by this release.
• Add PKSUPPRC(ZPEN020W) FILENAME_ENCRYPTION has been deactivated in the output archive
New features introduced with PKZIP for zSeries Release 5.6:
• ZIP64 Large File Support (licensed feature) to:
  • Compress files > 4 gigabytes in size
  • Compress up to 4 billion files (previously 65,535)
  • Handle filenames up to 1,024 characters (previously 256)
  • Allow for archives > 4 gigabytes in size
  • Provide faster archive directory search processing
• Virtual Storage Constraint Relief by reducing file management control block sizes.
• A new User API for UNZIP file name transformation, allowing users to generate their own MVS names from UNIX-based file names. This feature utilizes the new FILENAME_API suite of commands.
• A new User API for ZIP Data Record transformation, allowing users to filter records and convert binary numeric data to clear text display numerics prior to compression. This feature utilizes the new DATA_TRANS_API suite of commands.
• Add INCLUDE_CMD command that assists the user in converting EBCDIC records into the correct TEXT format for a different platform target.
• Add INCLUDE_SFX command that adds a self-extracting program to the beginning of the archive for extraction on specified releases of AIX, HP/UX, LINUX, Sun Solaris or Windows.
• A new summary processing report at the end of each invocation.
• Add FILENAME_SELECT_CASE command to control case-insensitivity for UNZIP filename selection.
• Add LICENSE_WTO_INFO control switch to support automation traps for license expiration events.
• Add ARCHIVE_MULTIVOL, OUTFILE_MULTIVOL and TEMP_SPACE_MULTIVOL commands to support extended multi-volume allocation support for archives, output files and work files.
• Add PKSUPPRC(ZPCM032W) to suppress RC=4 when cataloged files are not found to be compressed.
New features introduced with PKZIP for MVS Release 5.5:
• Advanced Encryption (password-based, using the AES encryption algorithm)
• Improved Compression
• Enhanced File Filtering Capabilities
• PASSWORD echo masking
• Add ACTION(COPY)
• Add CHECK_SYSIN_MEMBER command
• Add ENCRYPTION_METHOD command
• Add EXCLUDE command
• Add KEY_PROTECT_LEVEL command
• Add PKSUPPRC command
• Add PRESERVE_CMD_SPACE command
• Rebuilt Messages Manual
• DOC Memory Usage Info
• DOC Abend S213-30 (IEC143I) when competing with UNZIP to PDS
• PANVALET Subsystem Support for command input
New Commands and Defaults
The following commands or their default values were introduced in the specified release.
Release  Command  (Values)
         Description

8.2  COMPRESSION_LEVEL  (User-selectable)
     Specify a relative “strength” of compression. Additional values.
8.2  COMPRESSION_METHOD  (DEFLATE32, DEFLATE64)
     Specify which compression algorithm to use during ZIP.
8.2  GZIPCRC_IGNORE  (User-selectable)
     Yes/No switch permitting UNZIP processing for a GZIP archive that has superfluous data at the end of the stream due to environmental transfer.
8.2  PASSWORD  (250)
     Increased PASSWORD size.
8.1  AUTHCHK  (User-selectable)
     Perform an authentication check against a signed archive directory or files.
8.1  PKSUPPRC(ZPEN035E)  (User-selectable)
     Archive authentication failed.
8.1  PKSUPPRC(ZPEN039E)  (User-selectable)
     Archive authentication unsuccessful.
8.1  PKSUPPRC(ZPEN045E)  (User-selectable)
     File authentication failed.
8.1  PKSUPPRC(ZPEN049E)  (User-selectable)
     File authentication unsuccessful.
8.1  PKSUPPRC(ZPEN057W)  (User-selectable)
     Certificate Validation Failed.
8.1  SIGN_ARCHIVE  (User-selectable)
     Sign the archive central directory.
8.1  SIGN_FILES  (User-selectable)
     Sign files added to the archive.
8.1  SIGN_HASHALG  (User-selectable)
     Specify digital signature hash algorithm.
8.1  SIGNAL_ZIP64  (User-selectable)
     Provides control over the creation of archives using ZIP64 extensions.
8.1  TRANSLATE_TABLE_DATA  (EBC#8859)
     Load module containing translation tables for EBCDIC/ASCII Text data conversion.
8.1  TRANSLATE_TABLE_FILEINFO  (EBC#8859)
     Load module containing translation tables for EBCDIC/ASCII File name and password conversion.
8.0  ENCRYPT_CERT_LIMIT  (User-supplied)
     Restricts the number of certificates used for each encrypted file.
8.0  FILENAME_ENCRYPTION  (Y|N|blank)
     Specifies whether the archive central directory is to be strongly encrypted.
8.0  LDAP_ENCRYPT_CERT_SELECT  (User-supplied)
     Restricts the number or type of certificates used in encrypting a file.
8.0  MASTER_RECIPIENT  (User-supplied)
     This enables an enterprise to decrypt and access the file(s) when other RECIPIENTs are no longer able or eligible.
8.0  PKSUPPRC(ZPEN002W)  (User-selectable)
     Algorithm not supported for this release.
8.0  PKSUPPRC(ZPEN020W)  (User-selectable)
     FILENAME_ENCRYPTION has been deactivated in the output archive.
8.0  RECIPIENT  (User-supplied)
     Identifies the eligible party that may decrypt the file(s).
8.0  SECUREZIP_CONFIG  (User-supplied)
     Specifies a member that contains the cert store configuration commands to be included during processing.
The following commands were introduced in the 5.x releases.
Release  Command  (Values)
         Description

5.6  ARCHIVE_FASTSEEK  (Y|N)
     Performance improvement for archive read access.
5.6  ARCHIVE_SPACE_MULTIVOL  (Y|N)
     Control multi-volume allocation of the archive data set.
5.6  DATA_TRANS_API_ERRLIM  (0)
     Unused at this time.
5.6  DATA_TRANS_API_ERROR  (STOPRUN, IGNORE, ABEND)
     Intended action when a user API program error occurs.
5.6  DATA_TRANS_API_LANGUAGE  (ASM, COBOL)
     Programming language/linkage used for the DATA_TRANS_API user program.
5.6  DATA_TRANS_API_NAME  (User-supplied)
     Load module name of User program used to modify data records during PKZIP/SECZIP processing.
5.6  DATA_TRANS_API_PARM  (User-supplied)
     Data string to be passed to the User API program.
5.6  DATA_TRANS_API_TRACE  (0 – 4)
     Tracing level for API operation.
5.6  DATA_TRANS_API_WORKSIZE  (4096)
     Size of persistent work area provided by PKZIP/SECZIP to the user program.
5.6  FILENAME_API_ERRLIM  (0)
     Unused at this time.
5.6  FILENAME_API_ERROR  (STOPRUN, IGNORE, ABEND)
     Intended action when a user API program error occurs.
5.6  FILENAME_API_LANGUAGE  (ASM, COBOL)
     Programming language/linkage used for the FILENAME_API user program.
5.6  FILENAME_API_NAME  (User-supplied)
     Load module name of User program used to convert archive file names to MVS Data Set names during EXTRACT processing.
5.6  FILENAME_API_PARM  (User-supplied)
     Data string to be passed to the User API program.
5.6  FILENAME_API_TRACE  (0 – 4)
     Tracing level for API operation.
5.6  FILENAME_API_WORKSIZE  (4096)
     Size of persistent work area provided by SECUNZIP to the user program.
5.6  FILENAME_SELECT_CASE  (M (mixed), U (upper))
     Affect archive filename selection case sensitivity.
5.6  INCLUDE_CMD  (User-supplied member)
     Include batched commands from a partitioned library.
5.6  INCLUDE_SFX  (SFXAIX, SFXWIN, SFXHP, SFXSUN, SFXLNX2I)
     Create a self-extracting archive.
5.6  LICENSE_WTO_INFO  (Y|N)
     Support console message automation for expiring license. (Specify in the defaults module).
5.6  NOAPI  (User-supplied)
     The Language Environment CEEPIPI environment associated with User API programs (such as DATA_TRANS_API) will not be initialized.
5.6  OUTFILE_SPACE_MULTIVOL  (Y|N)
     Control multi-volume allocation of an Output data set during EXTRACT.
5.6  PKSUPPRC(ZPCM032W)  (User-selectable)
     Override the default RC=4 that is generated when a requested file is not found for ZIP processing.
5.6  TEMP_SPACE_MULTIVOL  (Y|N)
     Control multi-volume allocation of Temporary work files.
5.5  CHECK_SYSIN_MEMBER  (Y|N)
     Verifies a command input stored in a PDS or PDSE member.
5.5  DATA_TYPE(DETECTX)  (Default remains as “DETECT”.)
     Provides automatic detection and translation of ASCII text during UNZIP processing (similar to DETECT for ZIP processing).
5.5  EXCLUDE  (User-supplied)
     Enhanced file filtering capabilities.
5.5  KEY_PROTECT_LEVEL  (1 / 2)
     Specifies a relative intensity of encryption key protection.
5.5  PKSUPPRC  (ZPAM092E - Nothing to do. ZPAM093W - No Files match: Initializing/Copying Archive. ZPEX013 - Truncation.)
     Allows the return code to be suppressed on certain conditions.
5.5  PRESERVE_CMD_SPACE  (Y|N)
     Preserves or removes blanks preceded by a “|”.
5.5  SUPPRESS_DYNALLOC_MSGS  (NODYNMSGS)
     Specifies that the dynamic allocation messages in the job log be suppressed.
Command Changes
The default values for the following commands have been changed. When assembling an existing installation defaults module (ACZDFLT), these values should be reviewed for applicability and adjusted as required.
Upgrade Notes
• Installations suppressing the //SYSIN PDS member verification for performance reasons with PROC_OPT1=N (available with PKZIP for MVS 5.0.10 maintenance) in ACZDFLT should change to CHECK_SYSIN_MEMBER=N in the assembly of ACZDFLT. PROC_OPT1 is no longer used for this purpose in PKZIP for MVS Release 5.5 or SecureZIP for zSeries.
• Installations controlling the //SYSPRINT DCB attributes with PROC_OPT2 (available with PKZIP for MVS 5.0.10 maintenance) in ACZDFLT should change to SYSPRINT_DCB in the assembly of ACZDFLT. PROC_OPT2 is no longer used for this purpose in PKZIP for MVS Release 5.5 or SecureZIP for zSeries.
• Installations utilizing the filename case-insensitivity feature with PROC_OPT3=U (available with PKZIP for MVS 5.5.0 maintenance) in ACZDFLT should change to FILENAME_SELECT_CASE=U in the assembly of ACZDFLT. PROC_OPT3 is no longer used for this purpose in SecureZIP for zSeries.
• Upgrade note: Installations previously using text translation tables other than EBC#8859 for TRANSLATE_TABLE_DATA or TRANSLATE_TABLE_FILEINFO should review the data translation characters used. The newer default tables in EBC#8859 use the IBM ICONV standard character sets for IBM-1047 EBCDIC and ISO-8859-1 ASCII. In general, the newer default table is better for general-purpose text translation than the older ASCIIUS, ASCIIUSE, ASCIIUK, and ASCIIUKE tables. However, the older tables are still provided for compatibility in case installation-dependent processing requires translation of specialized character sets.
Release  Command                    Old Values            New Values
8.0      ENCRYPTION_METHOD
         Old: STANDARD, AES128, AES192, AES256
         New: STANDARD, AES128, AES192, AES256, BSAFE_AES128, BSAFE_AES192, BSAFE_AES256, BSAFE_DES, BSAFE_3DES, BSAFE_RC4
5.6      No changes since PKZIP for MVS 5.5
5.5      ARCHIVE_DIR_BLOCKS         Old: 10               New: 56
5.5      ARCHIVE_SPACE_PRIMARY      Old: 100              New: 10
5.5      ARCHIVE_SPACE_SECONDARY    Old: 100              New: 10
5.5      ARCHIVE_SPACE_TYPE         Old: TRK              New: CYL
5.5      ARCHIVE_UNIT               Old: SYSALLDA         New: SYSDA
5.5      COMPRESSION_LEVEL          Old: NORMAL           New: SUPERFAST
5.5      MULTI_THREAD_LIMIT         Old: 1                New: 3
5.5      OUTFILE_SPACE_TYPE         Old: TRK              New: CYL
5.5      OUTFILE_SPACE_PRIMARY      Old: 100              New: 10
5.5      OUTFILE_SPACE_SECONDARY    Old: 100              New: 10
5.5      OUTFILE_UNIT               Old: SYSALLDA         New: SYSDA
5.5      PASSWORD                   Increased maximum length to 200 characters.
5.5      PARMLIB_DSNAME_ZIP         NULLFILE
5.5      PARMLIB_DSNAME_UNZIP       NULLFILE
5.5      PROCESS_ALIAS              Old: N                New: Y
5.5      SAVE_FILE_ATTRIBUTES       Old: BOTH             New: CENTRAL
5.5      TEMP_UNIT                  Old: NULL             New: SYSDA
5.5      VSAM_SPACE_PRIMARY         Old: 100              New: 10
5.5      VSAM_SPACE_SECONDARY       Old: 100              New: 10
5.5      VSAM_SPACE_TYPE            Old: TRK              New: CYL
Message Changes
PKWARE.MVS messages have been added (along with some text changes) with PKZIP/SecureZIP 8.2. A library compare of pkzip.MVS.HELP will show these changes relative to the release being migrated from.
Enhancements for Secure Data
The following enhancements for strong security are included with release 8.2.
• The password will no longer be echoed in the SYSPRINT stream. The value “PASSWORD(**********)” will be displayed instead.
• Password information is not left in clear text within virtual storage during PKZIP/SecureZIP operations.
• When entering passwords on the ISPF panels, the input field has been changed to non-display. A password verification field has been added on the password prompting screens to assist you in verifying that the correct password has been entered. However, the password may be displayed by selecting a panel option.
• SecureZIP for zSeries supports encryption algorithms with key lengths of 128 and greater, including DES, 3DES, AES and RC4.
• SecureZIP for zSeries supports filename encryption to prevent file names and file metadata from being visible.
• PKZIP Enterprise Edition supports the decryption of strongly encrypted files from a SecureZIP source.
• SecureZIP for zSeries with the Advanced Encryption Module supports certificate-based encryption.
• SecureZIP for zSeries with the Advanced Encryption Module supports signing and authentication using digital certificates.
Restrictions for PKZIP and SecureZIP for zSeries
The following restrictions apply:
• The integrity of the ZIP archive is not impaired in any way and archived files can be extracted successfully. However, the temporary dataset name of the ZIP archive should be changed to the name required by you after PKZIP/SECZIP has completed.
• When two (or more) files from a ZIP archive are extracted with the same MVS dataset name, the last file will overwrite any previous file(s).
• When a dataset is spread over more than 31 volumes, PKZIPz may not restore the dataset to the identical volumes. • Extracting to a GDG dataset via OUTFILE_DD will result in the use of the user-specified DCB values. The user must ensure that these values are appropriate to the record lengths being written. • The number of files or PDS members that can process in one operation may be restricted by the number of concurrent DD’s that can be used in the address space, such as, the size of the TIOT. For further information on this limit, see the documentation for DD statements in the IBM JCL User’s Guide. • Some IDCAMS DEFINE Cluster options can be specified at the Cluster and Data (and Index if appropriate) levels. However, a few of these options, when specified using ARCH* or OUT* commands during PKZIP/SECZIP or PKUNZIP/SECUNZIP operations, will set only the Data (and Index) components. This is because some ARCHIVE_* and OUTFILE_* commands which apply to Cluster, Data, and Index components, currently set both the data and index attributes, and ignore the Cluster level component. These may in future, set the Cluster level option only. Commands that may change in this way are shown in the following table. For these commands, it is recommended that the ARCHDATA* and ARCHINDX, or OUTDATA* and OUTINDX* options be used.
SECUNZIP Comments Command ARCHEEXT Is effectively the same as setting both ARCHDATAEEXT and ARCHINDXEEXT. ARCHOWNER Is effectively the same as setting both ARCHDATAOWNER and ARCHINDXOWNER. OUTEEXT Is effectively the same as setting both OUTDATAEEXT and OUTINDXEEXT. OUTOWNER Is effectively the same as setting both OUTDATAOWNER and OUTINDXOWNER.
• PDS members containing positioning information (for example, load members with overlay sections) are not supported. In certain circumstances these might be processed with unpredictable results.
• PDSE program objects are not currently supported in native format. IEBCOPY should first be used to unload the PDSE library to a sequential file, and the resulting sequential file can then be archived. After extracting the unloaded version of the PDSE, it can be reloaded with IEBCOPY.
• GZIP (GNU zip) file processing has a number of restrictions, as documented in Chapter 12.
• Dataset alias entries can be used to select datasets; however, the true name is used to process filename associations in the archive. The dataset alias name is not retained.
• Values for dynamic allocation requests by PKZIPz may be added, altered or removed by installation-dependent storage management services, for example DF/SMS. Allocation results may therefore differ from those specified by PKZIPz commands or default values.
• PKZIPz makes use of access method services user I/O routines for SYSIN and SYSPRINT file requests. OEM products and/or installation-written routines that modify standard IBM processing for these exits should not be active during PKZIP/SECZIP processing.
• Data types found natively in the OS/390 and z/OS environments, such as binary load modules, may not be usable on other platforms. That is, PKZIPz does not convert executable programs from one system platform to another.
• Although it is possible for archives to be appended to other archives in a dataset during a ZIP process (for example, DISP=(MOD,CATLG) in MVS, or the UNIX append operator ">>" for files), this is not recommended. The result is that "dead" archives are carried along in the file, and various ZIP products will read the file differently: some look for the ZIP archive directory structure from the beginning of the file, others from the end. PKZIPz attempts to read the first archive found from the beginning of the file, for performance reasons and to perform an archive integrity check. If an inconsistency exists in the initial header structures, a secondary search from the back of the archive is attempted. PKZIPz accepts up to 64K of non-archive data at the end of the archive file when searching for the end of the directory (from the back). This limit does not apply when the local directory structure is intact. Because different readers can present different contents for such a file, treat an archive that carries a "dead" prefix as suspect rather than trusting whichever archive a given tool happens to show. For more information regarding data formats, see Chapter 8.
• PKZIPz is designed to work with archives and compression methods starting with the PKZIP 2.x standard. Although the implode algorithm was used in PKZIP 1.x, SecureZIP for zSeries 8.2 retains the ability to extract files compressed with that older method.
• Internal to the ZIP archive, file dates are saved as a count of the number of years from 1980. Because only six bits are used to store this date, a limit of 64 years (2**6) can be represented. This representation successfully allows dates to be shown through the year 2043.
• IBM has restricted licensing for some components of z/OS.e, such as Language Environment Compatibility Preinitialization (CEEPIPI) for some languages. Therefore some languages cannot be used for the PKZIP/SECZIP User API facility when running under z/OS.e. (SecureZIP for zSeries uses CEEPIPI to prepare the language environment for high-level language user API programs.)
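The following is an added example, not part of this guide and not PKWARE code, of the "dead archive" situation described in the restrictions above. It reads a ZIP file the two ways the text describes: once by walking the local headers from the front, and once by locating the end-of-central-directory record from the back with the same 64K tolerance for trailing non-archive data. Run against a file to which a second archive has been appended, the two readers report different member lists, while Python's own zipfile module sides with the back-first reader. The archives and member names are constructed in memory for the example; the real PKZIPz recovery logic is not reproduced, only the effect the manual describes.

```python
"""Added example (not PKWARE code): two ways of reading a ZIP file that has
had a second archive appended, as the restrictions above describe.
The archives and member names below are constructed for the example."""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"   # local file header
CDIR_SIG = b"PK\x01\x02"    # central directory file header
EOCD_SIG = b"PK\x05\x06"    # end of central directory record
EOCD_MIN = 22               # fixed size of the EOCD record (no comment)
MAX_TRAILER = 64 * 1024     # non-archive bytes tolerated after the EOCD, as for PKZIPz


def make_zip(entries):
    """Build a self-contained archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def names_from_front(blob):
    """Reader that walks local headers from offset 0 and stops at the first
    central directory it meets, so it reports the FIRST archive in the file."""
    names, pos = [], 0
    while blob[pos:pos + 4] == LOCAL_SIG:
        flags, = struct.unpack_from("<H", blob, pos + 6)
        if flags & 0x0008:  # sizes live in a trailing data descriptor; not handled here
            raise ValueError("data-descriptor entries are not handled by this example")
        csize, = struct.unpack_from("<I", blob, pos + 18)
        fname_len, extra_len = struct.unpack_from("<HH", blob, pos + 26)
        names.append(blob[pos + 30:pos + 30 + fname_len].decode("utf-8"))
        pos += 30 + fname_len + extra_len + csize
    if blob[pos:pos + 4] != CDIR_SIG:
        raise ValueError("local headers are not followed by a central directory")
    return names


def _find_eocd(blob):
    """Locate the EOCD record searching backwards, but only through the last
    MAX_TRAILER + EOCD_MIN bytes; returns (offset, entry count, cd size, cd offset)."""
    tail_start = max(0, len(blob) - (MAX_TRAILER + EOCD_MIN))
    pos = blob.rfind(EOCD_SIG, tail_start)
    if pos < 0:
        raise ValueError("no end-of-central-directory record within 64K of the end")
    entries, cd_size, cd_offset = struct.unpack_from("<HII", blob, pos + 10)
    return pos, entries, cd_size, cd_offset


def has_readable_eocd(blob):
    """True when a back-first reader with the 64K limit can find the directory at all."""
    try:
        _find_eocd(blob)
        return True
    except ValueError:
        return False


def dead_prefix_length(blob):
    """Bytes that precede the archive the EOCD actually describes (0 for a clean file).
    A non-zero value means an earlier 'dead' archive or other junk is being carried along."""
    pos, _, cd_size, cd_offset = _find_eocd(blob)
    return pos - cd_size - cd_offset


def names_from_back(blob):
    """Reader that trusts the EOCD nearest the end, so it reports the LAST archive.
    The central directory is taken to end where the EOCD begins."""
    pos, entries, cd_size, _ = _find_eocd(blob)
    names, cur = [], pos - cd_size
    for _ in range(entries):
        if blob[cur:cur + 4] != CDIR_SIG:
            raise ValueError("central directory signature missing at offset %d" % cur)
        fname_len, extra_len, comment_len = struct.unpack_from("<HHH", blob, cur + 28)
        names.append(blob[cur + 46:cur + 46 + fname_len].decode("utf-8"))
        cur += 46 + fname_len + extra_len + comment_len
    return names


def readers_agree(blob):
    """True only when front-first and back-first parsing see the same member list."""
    return names_from_front(blob) == names_from_back(blob)


def demo():
    first = make_zip({"MY/INPUT/DATA/SEQ": b"payroll batch one\n" * 40})
    second = make_zip({"MY/OTHER/DATA/SEQ": b"payroll batch two\n" * 40})
    appended = first + second   # what DISP=(MOD,CATLG) or '>>' produces
    with zipfile.ZipFile(io.BytesIO(appended)) as zf:
        stdlib_view = zf.namelist()
    return {
        "front": names_from_front(appended),
        "back": names_from_back(appended),
        "zipfile": stdlib_view,
        "dead_prefix": dead_prefix_length(appended),
        "first_length": len(first),
        "agree": readers_agree(appended),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A non-zero dead_prefix_length is a cheap check to run on archives received from outside before any scanner or extractor is pointed at them: it means the file contains more than one candidate archive, and which one a tool extracts depends on the tool.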
Region Size and Storage
Older versions of PKZIP (v2.x) used work files to translate and then compress data before adding it to an archive file. Because these work files took over the processing once the REGION had been consumed, very little REGION space was needed to run a job, at the cost of a substantial amount of I/O.

PKWARE recommends a REGION value of 32M or higher for PKZIPz. A value greater than 16,384K (16M) and less than or equal to 32,768K (32M) gives the job all the storage available below 16 megabytes; the resulting size of the region below 16 megabytes is installation-dependent, and the extended region size defaults to 32 megabytes. The purpose of this requirement is to increase speed and reduce I/O. If you do run out of virtual storage, temporary files must be used to hold work space; MEMORY_MODEL(MEDIUM) or MEMORY_MODEL(SMALL) gives PKZIP/SECZIP the outlet it needs to handle that condition.

PKZIP/SECZIP processing attempts to keep file management control information and compressed data in 31-bit virtual storage to maximize performance. If 31-bit storage is constrained (by some combination of installation restrictions, high file volumes and high data volumes), the following commands can be used to reduce the 31-bit storage requirements of a given run:
• MEMORY_MODEL(SMALL|MEDIUM|LARGE) controls where file management control blocks are held, such as the control blocks describing an archive file and its attributes. When MEMORY_MODEL(LARGE) is specified or defaulted, all PKZIP/SECZIP control blocks are held in 31-bit virtual storage. When SMALL or MEDIUM is specified, the file descriptor information is spilled to a set of work files to be sorted, merged and selected. File descriptors are built both for files already in the input archive and for new files being selected, so it is the aggregate count that must be managed. Approximate sizes per file descriptor are:
  • VSAM: 2.5K.
  • Sequential: 800 bytes.
  • PDS/PDSE: 800 bytes for the base dataset plus 224 bytes per member.
• DATA_STORAGE(MAX|xM) controls the amount of 31-bit virtual storage used to hold transient compressed data. When the specified amount is exceeded, the data is processed through work files (controlled by the TEMP_... suite of commands).
• MULTI_THREAD_LIMIT(number) specifies the number of concurrent subtask sets to run for ZIP or UNZIP processing. When a count greater than 1 is used, additional copies of modules, work areas and buffers are allocated to handle the processing, so a lower count reduces storage.
SMS Dataclass Considerations
SecureZIP parameters overlap with several SMS data class parameters. In general, SMS data class specifications provide default values in place of SecureZIP default settings. Explicit SecureZIP commands (SYSIN, PARMLIB, included command streams and EXEC PARM values) are presented to dynamic allocation as overrides for any default setting. Because of the way DFSMS handles override requests, sub-groups of parameters are defined in SecureZIP to help control where default values should come from. These sub-groups are:
• Allocation SPACE
• Directory Blocks
• Volume Count
• DCB Attributes

DFSMS data classes may or may not contain values for all of the attribute sets above. SecureZIP provides a means of identifying which sets of attributes are expected to be handled by SMS data classes, so that SecureZIP does not specify its own default values for them. (DFSMS receives control after SecureZIP has built its list and does not provide a means by which SecureZIP can systematically pre-determine which values SMS will provide.)

DFSMS groups allocation type (cylinders, tracks, etc.), primary space and secondary space into one category. If even one of these values is provided in an allocation request, SMS will not provide its default values for the remaining entries. For example, if ARCHIVE_SPACE_PRIMARY is given as a command, SecureZIP must supply the TYPE and SECONDARY default values even if a DATACLASS is specified.

DFSMS treats the Directory Block allocation value separately from the other space parameters. In the previous example, SecureZIP does not provide its default ARCHIVE_DIRBLKS value even though it provides the other allocation attributes. This is consistent with SMS data class operations.

SecureZIP makes use of temporary files during various phases of processing that have very specific DCB attribute requirements. For this reason, SecureZIP specifies the necessary overrides regardless of TEMPFILE_DATACLASS usage.
Note for users of PKZIP for MVS and PKZIP for zSeries 5.6

Previous levels of maintenance for release 5.6 specified a volume count even if it was 1. The maintenance level associated with fix TT1777 eliminated VOLCNT=1 from the allocation request. In addition, the maximum number specified for any of the MULTIVOL=Y commands is now 59, to be consistent with system limitations for DASD devices. If a unit type other than DASD is assigned (either explicitly or indirectly through SMS) and a volume count greater than 59 is desired, then MULTIVOL=N should be specified in SecureZIP, and an SMS data class designated which can assign the desired volume count.
Reserved DDNAMEs
The following DDNAMEs are reserved for use by SecureZIP for zSeries:
ARCHTEMP - used for STAGE_TAPE_TO_DISK(Y).
PKSPRINT - alternate SYSPRINT DD name, used when SYSPRINT is directed to a file.
ZPDIRIN - used when processing requires input archive file descriptors to be spilled to a work file.
ZPDIRSRT - used when processing requires input archive file descriptors to be sorted in a work file.
ZPFILIN - used when input file descriptors require sorting.
ZPFILSRT - used when input file descriptors require sorting.
ZIPCDS - license control dataset.
FNETMPCD - used for various FILENAME_ENCRYPTION processes.
The following DDNAMEs are reserved, but may be modified with a customized ACZDFLT module:
ARCHIN - ARCHIVE_INFILE
ARCHOUT - ARCHIVE_OUTFILE
PARMLIB - DDNAME_PARMLIB
SYSIN - DDNAME_SYSIN
SYSPRINT - DDNAME_SYSPRINT
ZPSRTIN - DDNAME_ZPSORTIN
ZPSRTOUT - DDNAME_ZPSORTOUT
SYSPRINT
By default (unless overridden in the ACZDFLT module with DDNAME_SYSPRINT), //SYSPRINT is used for PKZIP/SECZIP logging. This does not conflict with the utilities used internally unless SYSPRINT is directed to a physical file. Because utilities such as SORT may use a different set of DCB characteristics than PKZIP/SECZIP, their SYSOUT is then switched to PKSPRINT.
PKSPRINT
//PKSPRINT is used when the SORT utility is internally invoked and the //SYSPRINT DD statement is found to be allocated as a non-JES SYSOUT file. If not already allocated to the job step, PKZIP/SECZIP dynamically allocates this DD to the SYSOUT= value specified in SYSPRINT_SYSOUT_CLASS in the installation defaults module.

PKNODUMP
If this DD is allocated to the job step before invoking PKZIP/SECZIP, a //SYSABEND DD will not be dynamically allocated.
Use of System Utilities
SORT SecureZIP for zSeries uses the system SORT utility to manage archive directory entries, during both match/merge procedures and View processing.
Access Method Services SecureZIP for zSeries invokes this utility to locate cataloged files, define VSAM clusters, and handle Delete/Rename processing for an updated archive.
IEBGENER IEBGENER is called to open the PANVALET input stream (according to the DDNAME_SYSIN specification in the active ACZDFLT module) and copy the data. The temporary file will be dynamically allocated with the TEMP_SPACE_TYPE settings.
GRS/ENQ
Data set serialization is normally performed through the allocation DISP value, which uses the SYSDSN major name for GRS/ENQ processing.

When archive creation or update processing is performed with dynamic allocation, a temporary ZIP archive data set is created with DISP=(NEW,CATLG). The input archive (if one exists) is allocated as DISP=OLD to ensure that only one update process runs against the logical archive at a time. Once the temporary target archive has been successfully updated, the original input archive is deleted and the new temporary archive is renamed to the original name.

When an output archive or extract target (outfile) is to be a member of a partitioned data set, the data set is allocated with a disposition according to the setting of OUTFILE_PDS_ENQ. In addition, an exclusive ENQ with a major name of SPFEDIT is performed against the member.

SecureZIP for zSeries update processing for administration of the local certificate store uses DISP=OLD serialization against the VSAM cluster specified in the profile for CSPUB_DBX=. Run-time processing for PKZIP/SECZIP performs a SYSDSN ENQ for this data set as DISP=SHR. This allows multiple run-time users for certificate store searches, or one administrative update process. Jobs requiring read access for locating certificates wait until an update process completes and then continue processing.

License control data set (ZIPCDS DD) access is normally performed with DISP=SHR allocation. However, when a newly accessed feature requires that an update be done, an additional ENQ is performed using QNAME(PKZIPCDS) for the update process to serialize on.

The PKZIPz programs are not re-entrant. To protect run-time integrity against inadvertent simultaneous calls into the mainline programs, a STEP level ENQ is performed with QNAME(PKZIP) RNAME(RUNNING).
4 Licensing
Operating Requirements
The use of the PKZIP and SecureZIP product line for zSeries requires the activation of a PKWARE-provided license key. A set of licensing messages will be shown at the front of the SYSPRINT output for each invocation of PKZIP or SecureZIP.
Change of Release Licensing Note: Each release of PKZIPz requires that a new PKWARE license key be activated. If the license data set from a previous release is used, the new release will fail with the message ZPLI901E Product License is Invalid.
Grace Period
PKWARE recognizes that there may be periods when the licensing environment established by the customer is no longer valid; circumstances such as disaster recovery processing or the installation or upgrade of processors affect the environment. When a grace period has been activated, error messages are displayed on the console (and in the output) for each execution of PKZIPz. At the end of the period, if the license has not been updated, the product no longer functions on the new CPUs except to VIEW an archive. The five-day grace period is designed so that the program does not cease to function over a weekend or on the Monday immediately following it. You must contact PKWARE during the grace period to obtain licensing for extended use.
Initializing the License
Refer to the PKZIP/SecureZIP for zSeries System Administrator’s Guide for license administration details.
5 Getting Started with PKZIP and SecureZIP
PKZIP/SecureZIP for zSeries are broad, flexible products for the OS/390 and z/OS platforms, providing compression/decompression and encryption of files. They are fully compatible with other ZIP-compatible compression products running on other operating systems. However, if you are licensed for SecureZIP for zSeries, its advanced security features are only compatible with designated PKWARE products that are also enabled for these features. Because the ZIP standard for text data storage is ASCII, PKZIPz converts between the ASCII and EBCDIC character sets, so compressed text files can be transferred between IBM mainframe environments and systems using either character set, including DOS, Windows, UNIX/Linux and iSeries. In addition to ZIP archive format support, PKZIPz can also produce and manipulate (GNU) GZIP-format archives. Additional information on this subject can be found in Chapter 12.
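As an added example, not part of this guide and not PKWARE code, the block below shows what the ASCII/EBCDIC translation described above amounts to for a text member, and why the same translation must not be applied to a binary member such as a load module. The cp037 code page stands in for the site's EBCDIC code page (an assumption for the example; the product's own code page setting is configured separately), and the archive and member names are constructed in memory with Python's zipfile module. The TEXT/BINARY tags are the example's own way of saying which members to translate.

```python
"""Added example (not PKWARE code): the ASCII/EBCDIC translation that makes
text members portable, and why it must not be applied to binary members.
cp037 stands in for the site's EBCDIC code page (an assumption for the example)."""
import io
import zipfile

EBCDIC = "cp037"   # assumption: one common z/OS code page


def to_archive_text(ebcdic_bytes):
    """Mainframe text -> ASCII as stored in the ZIP, which is what other platforms expect."""
    return ebcdic_bytes.decode(EBCDIC).encode("ascii")


def from_archive_text(ascii_bytes):
    """ASCII from the ZIP -> EBCDIC for the extracted dataset."""
    return ascii_bytes.decode("ascii").encode(EBCDIC)


def translation_is_lossless(data):
    """Would treating this data as TEXT survive a zip/unzip round trip unchanged?
    Real text does; a load module or other binary data generally does not."""
    try:
        return from_archive_text(to_archive_text(data)) == data
    except UnicodeError:
        return False


def zip_members(members):
    """members: {zip_name: (bytes, "TEXT" | "BINARY")}. TEXT members are translated
    on the way in; BINARY members are stored byte for byte."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, (data, kind) in members.items():
            zf.writestr(name, to_archive_text(data) if kind == "TEXT" else data)
    return buf.getvalue()


def unzip_members(blob, kinds):
    """Reverse of zip_members; kinds says which members to translate back."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            out[name] = from_archive_text(data) if kinds[name] == "TEXT" else data
    return out


def demo():
    # Constructed sample: one EBCDIC text record and one pseudo load module.
    text = "HELLO WORLD FROM Z/OS\n".encode(EBCDIC)
    binary = bytes(range(256))
    members = {"MY/INPUT/DATA/SEQ": (text, "TEXT"), "MY/LOAD/PGM": (binary, "BINARY")}
    kinds = {name: kind for name, (_, kind) in members.items()}
    blob = zip_members(members)
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        stored = {name: zf.read(name) for name in kinds}
    restored = unzip_members(blob, kinds)
    return {
        "stored_text": stored["MY/INPUT/DATA/SEQ"],            # ASCII inside the archive
        "text_round_trip": restored["MY/INPUT/DATA/SEQ"] == text,
        "binary_round_trip": restored["MY/LOAD/PGM"] == binary,
        "binary_as_text_ok": translation_is_lossless(binary),  # False: translation corrupts it
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The last result is the one to remember when classifying datasets for an archive: a binary member that is translated as text will extract as something different from what was archived, and a CRC computed on the translated bytes will not reveal it.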
Introduction to PKZIP and SecureZIP for zSeries
PKZIP for zSeries consists of two separate executable programs:
• PKZIP - Compresses datasets into an archive.
• PKUNZIP - Decompresses and extracts datasets from an archive.

SecureZIP for zSeries consists of two separate executable programs:
• SECZIP - Compresses datasets into an archive.
• SECUNZIP - Decompresses and extracts datasets from an archive.

Note: For installations upgrading from PKZIP for zSeries to SecureZIP for zSeries, the PKZIP and PKUNZIP program names are maintained as ALIAS entries for compatibility. There is no operational difference between using the PKZIP/PKUNZIP program names and their SECZIP/SECUNZIP counterparts.

To use these programs, you must specify:
• Commands, which tell PKZIP/SECZIP or PKUNZIP/SECUNZIP what processing to perform and how to do it. Commands are identified by a preceding hyphen ("–"). For example, –ARCHIVE_DSN is the command that designates the dataset name for the ZIP archive containing compressed data.
• File selections, which identify the files to be compressed into an archive (ZIP) or decompressed from an archive (UNZIP). File selections are distinguished from commands in that they are not preceded by a hyphen.

Commands and file selections can be specified in a number of ways. The most common way, and the way used in the examples in this chapter, is to run PKZIP/SECZIP and PKUNZIP/SECUNZIP as batch jobs using JCL and to specify the commands and file selections through SYSIN, as shown in the next section.
Invoking PKZIP/SECZIP or PKUNZIP/SECUNZIP Using JCL
In these examples, you will be running PKZIPz in batch by submitting JCL. The product can also be executed using the ISPF panels interface, called from a user written program, or from a TSO environment with REXX or CLISTS. The example below demonstrates the basic JCL statements required to run PKZIP.
//
Notes to the example above 1.
Return Codes A completion code dependent on the results of the processing that was carried out will be issued. The completion code can take the following values:
0   Processing completed without errors being detected.
4   A warning message was output but processing continued.
6   An authentication error was encountered while processing a signed archive central directory or file.
8 or higher   An error occurred during processing; refer to the error messages for more details.
12  A syntax error or configuration setup error was encountered. The command and/or combination of commands should be reviewed. This can include inappropriate processing when attempting to locate digital certificates for encryption or authentication functions.

The final completion code issued is the maximum of the conditions found during the run. A return code greater than zero indicates that there are one or more warning or error messages in the job output. Note that an authentication failure yields 6, which is below 8: a job step that only tests for a return code of 8 or higher will not catch a failed signature check, so test for a return code greater than 4 where authentication matters.
Compressing a Dataset
The following example shows how to compress a data set using PKZIPz.
//ZIP      EXEC PGM=PKZIP,REGION=8M
//STEPLIB  DD DISP=SHR,DSN=PKWARE.MVS.V56.LOAD
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
-ARCHIVE_DSNAME(MY.ARCHIVE.FILE.ZIP)
-ARCHIVE_UNIT(SYSDA)
MY.INPUT.DATA.SEQ
/*
This step will give the following output:
ZPLI001I SecureZIP for zSeries (TM), Data Compression, Version 8.2 - 07/21/05
ZPLI001I Copyright. 2004 PKWARE Inc. All Rights Reserved.
ZPLI001I SecureZIP(TM) is a trademark of PKWARE (R), Inc.
ZPLI001I Registered, Processor Type=7060 Processor Group=00 Serial Number=00052
ZPLI001I OS Level: HBB7703 SP6.1.0
-ARCHIVE_DSN(MY.ARCHIVE.FILE.ZIP)
-ARCHIVE_UNIT(SYSDA)
MY.INPUT.DATA.SEQ
ZPAM030I OUTPUT Archive opened: MY.ARCHIVE.FILE.ZIP
ZPAM253I ADDED File MY.INPUT.DATA.SEQ
ZPAM254I as MY/INPUT/DATA/SEQ
ZPAM255I (DEFLATED 93%/93%)
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)
In this case, the sequential data set MY.INPUT.DATA.SEQ is to be compressed into the new ZIP archive MY.ARCHIVE.FILE.ZIP, which is created on a SYSDA volume.
Notes for Dataset Compression
• A ZIP archive can be thought of as a large envelope or box into which the compressed files are placed. Note, however, that an empty dataset is not the same as an empty archive. ZIP archives created by PKZIPz cannot be pre-allocated; only PKZIPz should be used to create new archives.
• You tell PKZIP how to create the ZIP archive. By default, ZIP archives are created as sequential datasets and allocated using half-track blocking. However, you have full control over the type of archive created and how it is created, using the various ARCHIVE_* commands.
• PKZIP compresses datasets according to a file selection. Any command that does not begin with a "–" is considered to be a file selection. In the previous example, we told PKZIP to compress the sequential dataset MY.INPUT.DATA.SEQ.
• You can specify a file for compression via an INFILE_DD statement if you prefer, but a file selection has the advantage of wildcards. For example, to compress a specific group of files, you could type MY.INPUT.DATA.*. This file selection tells PKZIP to compress every dataset that begins with those qualifying nodes. PKZIP can compress up to 65,535 datasets or up to 4GB of data (the limits of the ZIP 2.0 format).
• To ensure cross-platform compatibility, all MVS dataset names are converted to the standard PKZIP UNIX-style format, for example MY/INPUT/DATA/SEQ. When you unzip the file, the conversion is reversed to recreate the original MVS name. See ZIPPED_DSN_SEPARATOR for more information about the character used to separate levels. The compressed version of the sequential dataset in a ZIP archive is sometimes called a zipped file.
Viewing the Contents of an Archive
The following example shows how to use SecureZIP for zSeries to view the contents of the ZIP archive created in the previous example.
//STPZIP   EXEC PGM=PKZIP
//STEPLIB  DD DISP=SHR,DSN=PKWARE.MVS.LOAD
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
-ARCHIVE_DSN(MY.ARCHIVE.FILE.ZIP)
-ACTION(VIEW)
/*
This step yields output similar to the following:
ZPLI001I SecureZIP(TM) for zSeries, Version 8.2 - 07/21/05 14.26
ZPLI001I Copyright. 1989-2005 PKWARE Inc. All Rights Reserved.
ZPLI001I SecureZIP(TM) is a trademark of PKWARE (R), Inc.
ZPLI001I Registered, Processor Type=7060 Processor Group=00 Serial Number=00052
ZPLI001I OS Level: HBB7707 SP7.0.4
-ARCHIVE_DSN(MY.ARCHIVE.FILE.ZIP)
-ACTION(VIEW)
ZPAM030I INPUT Archive opened: MY.ARCHIVE.FILE.ZIP
ZPAM014I There are 1 file(s) in the input Archive.
ZPAM012I ZIP comment: SecureZIP for zSeries by PKWARE
ZPAM013I **********************************************************************
ZPAM015I   Length  Method      Size  Ratio  Date        Time   CRC-32    Name
ZPAM016I   ------  ------      ----  -----  ----        ----   ------    ----
ZPAM017I    1,067  Dflt-Norm     81    92%  01/16/2005  11:54  C7A3091B  MY/INPUT/DATA/SEQ
ZPAM016I   ------              ----  -----
ZPAM019I    1,067                81    92%
ZPAM013I ***********************************************************************
ZPAM140I FILES:  VIEWED  EXCLUDED  BYPASSED  IN ERROR
ZPAM140I              1         0         0         0
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)
Notes for Viewing the Contents of an Archive
• The ACTION(VIEW) command is available through the ZIP program (PKZIP/SECZIP).
• The ACTION(VIEW) command has various options that can be used to tailor the output. For example, if the archive contains multiple files, the output can be sorted by the files' attributes, including name, size and compression ratio.
• This example demonstrates a standard view of the archive. It displays information about the files in the archive, including the original length of the file, the compression method and the compressed file size.
ACTION(VIEWDETAIL) One especially useful option is the ACTION(VIEWDETAIL) control card. It displays the full technical details, including any file attributes stored, for each file in the archive.
//STPZIP   EXEC PGM=PKZIP
//STEPLIB  DD DISP=SHR,DSN=PKWARE.MVS.LOAD
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
-ARCHIVE_DSN(MY.ARCHIVE.FILE.ZIP)
-ACTION(VIEWDETAIL)
/*
This step produces output like the following:
ZPLI001I SecureZIP(TM) for zSeries, Version 8.2 - 07/21/05 14.26
ZPLI001I Copyright. 1989-2005 PKWARE Inc. All Rights Reserved.
ZPLI001I SecureZIP(TM) is a trademark of PKWARE (R), Inc.
ZPLI001I Registered, Processor Type=7060 Processor Group=00 Serial Number=00052
ZPLI001I OS Level: HBB7707 SP7.0.4
-ARCHIVE_DSN(MY.ARCHIVE.FILE.ZIP)
-ACTION(VIEWDETAIL)
ZPAM030I INPUT Archive opened: MY.ARCHIVE.FILE.ZIP
ZPAM014I There are 1 file(s) in the input Archive.
ZPAM012I ZIP comment: SecureZIP for zSeries by PKWARE
ZPAM013I ******************************************
ZPAM001I Filename: MY/INPUT/DATA/SEQ
ZPAM002I File type: TEXT
ZPAM003I Date/Time: 16-JAN-2005 11:54:06
ZPAM004I Compression Method: Deflate-Normal
ZPAM005I Compressed Size: 81
ZPAM006I Uncompressed Size: 1,067
ZPAM007I 32-bit CRC: C7A3091B
ZPAM008I Created by: PK zSeries 8.1
ZPAM009I Needed to extract: ZipSpec 2.0
ZPAM301I File Type: NONVSAM SEQUENTIAL
ZPAM303I File Record Format: FB
ZPAM304I File Allocation Type: TRK
ZPAM305I File Primary Space Allocated: 1
ZPAM306I File Secondary Space Allocated: 1
ZPAM307I File Record Size: 80
ZPAM308I File Block Size: 3120
ZPAM309I File Volume(s) Used: SUP001
ZPAM310I File Creation Date: 2005/01/14
ZPAM311I File Referenced Date: 2005/01/16
ZPAM319I SMS Management Class: SUPPORT
ZPAM000I SMS Storage Class: SUPPORT
ZPAM013I *********************************************************
ZPAM140I FILES:  VIEWED  EXCLUDED  BYPASSED  IN ERROR
ZPAM140I              1         0         0         0
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)
Note: The order in which attributes are displayed may vary.
Decompressing a Dataset
The following example shows how to extract, or unzip, a data set using SecureZIP for zSeries.
//UNZIP    EXEC PGM=PKUNZIP,REGION=8M
//STEPLIB  DD DISP=SHR,DSN=PKWARE.MVS.LOAD
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
-ARCHIVE_DSN(MY.ARCHIVE.FILE.ZIP)
-OUTFILE_UNIT(SYSDA)
/*
This step produces output like the following:
ZPLI001I SecureZIP(TM) for zSeries, Version 8.2 - 07/21/05 14.26
ZPLI001I Copyright. 1989-2005 PKWARE Inc. All Rights Reserved.
ZPLI001I SecureZIP(TM) is a trademark of PKWARE (R), Inc.
ZPLI001I Registered, Processor Type=7060 Processor Group=00 Serial Number=00052
ZPLI001I OS Level: HBB7707 SP7.0.4
-ARCHIVE_DSN(MY.ARCHIVE.FILE.ZIP)
-OUTFILE_UNIT(SYSDA)
ZPAM030I INPUT Archive opened: MY.ARCHIVE.FILE.ZIP
ZPEX002I MY/INPUT/DATA/SEQ
ZPEX003I Extracted to MY.INPUT.DATA.SEQ
ZPAM140I FILES:  EXTRACTED  EXCLUDED  BYPASSED  IN ERROR
ZPAM140I                 1         0         0         0
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)
Notes for Decompressing a Dataset
• To extract files from an archive, you must call the PKUNZIP/SECUNZIP program.
• The extracted dataset is created dynamically according to the stored file attributes, if any, or the OUTFILE DD attributes supplied in the job allocation. In this case, the dataset is recreated on a SYSDA volume. Information required to create the dataset that is not provided by the stored file attributes or by the OUTFILE allocation may be defaulted by PKUNZIP/SECUNZIP.
• By default, PKUNZIP/SECUNZIP tries to extract every file stored inside the ZIP archive. To extract just one file, or selected files, you must explicitly select the files you wish to extract. Wildcards can be used in the file selection to have PKUNZIP/SECUNZIP extract a suite of like datasets.
• If the extracted dataset already exists, then (by default) PKUNZIP/SECUNZIP does not overwrite it.
• To overwrite a dataset or PDS member, use the OUTFILE_OVERWRITE command. To add new members to existing PDSs, use the INSERT_MEMBER command. Alternatively, you can use the UNZIPPED_DSN command to give the extracted file a new name.
Updating or Refreshing a File
You cannot ACTION(ADD) a file that already exists in a ZIP archive. However, you can replace it by using the ACTION(UPDATE) or ACTION(FRESHEN) commands. The ACTION(UPDATE) and ACTION(FRESHEN) commands differ in their processing of files that do not already exist in the archive: If a file selected for compression does not already exist in the archive, ACTION(UPDATE) adds it, but ACTION(FRESHEN) ignores it.
Invoking the PKZIP and SecureZIP for zSeries Utility
There are several ways to use PKZIPz in the OS/390 and z/OS operating environments. These include:
• Batch JCL job steps.
• Started task JCL.
• TSO CLIST/REXX.
• TSO command line interface.
• ISPF panel.
The following sections provide a brief overview of these interfaces. Subsequent sections in this chapter describe basic functions using the JCL interface.
Invoking PKZIP/SecureZIP from JCL (Batch or Started Task) PKZIPz programs can be executed from a batch job or STC. See pkware.mvs.INSTLIB(IVPBASIC) for a sample JOB, or use the ISPF interface to generate JCL for a batch job.
Invoking PKZIP/SecureZIP as Called Programs Under TSO PKZIPz batch interface programs can be executed within a TSO CLIST or REXX EXEC provided that the proper FILE allocations (TSO equivalent of DD statements) are made. The following samples show how allocations can be done to invoke PKZIPz.
CLIST Call - Read commands from a member and put messages to a pre-allocated FB132 file.
PROC 0
ALLOC F(SYSIN) DA('pkware.mvs.INSTLIB(SAMPVIEW)') SHR
ALLOC F(SYSPRINT) DA('USERID.QZ.SYSOUT') SHR
CALL 'pkware.mvs.LOAD(PKUNZIP)'
FREE F(SYSIN,SYSPRINT)
REXX Call - Pass commands as a parm and allocate a new SYSPRINT file to browse.
/* Rexx Sample call of SECUNZIP for -VIEW with no SYSIN */
/* First allocate a SYSPRINT output file for later browsing */
Address TSO
"attrib dcbout recfm(f b) lrecl(132) blksize(27984)"
"ALLOC F(SYSPRINT) da(my.sysprint) new catalog cylinders " ,
      "using(dcbout) space(1,1)"
/* Define the command list to pass (without SYSIN) */
callparms = "-NOSYSIN -ARCHIVE(USERID.MY.ZIP) -VIEWBRIEF"
/* Invoke SECUNZIP */
Address LINKMVS "SECUNZIP callparms"
/* Free the work files and browse the output */
Address TSO "free f(DCBOUT,SYSPRINT)"
Address ISPEXEC "browse dataset(my.sysprint)"
Invoking ZIP or UNZIP TSO Command Line Interface A subset of PKZIPz features can be invoked from the ZIP and UNZIP REXX EXECs. These commands are intended to approximate the PKZIP and PKUNZIP DOS-based commands with similar command syntax. In addition to the standard commands being passed as input options, several shorthand Actions and Options are provided with this interface (see the tables below).
Syntax ZIP <-action> [-options]
Valid ZIP Actions

'–a'      '–ACTION(ADD)'
'–d'      '–ACTION(DELETE)'
'–f'      '–ACTION(FRESHEN)'
'–u'      '–ACTION(UPDATE)'
'–v'      '–ACTION(VIEW)'
'–vd'     '–ACTION(VIEWDATE)'
'–vn'     '–ACTION(VIEWNAME)'
'–vo'     '–ACTION(VIEWOFFSET)'
'–vp'     '–ACTION(VIEWPERCENT)'
'–vs'     '–ACTION(VIEWSIZE)'
'–vr'     '–ACTION(VIEWREVERSE)'
'–vrd'    '–ACTION(VIEWDATEREVERSE)'
'–vrn'    '–ACTION(VIEWNAMEREVERSE)'
'–vro'    '–ACTION(VIEWOFFSETREVERSE)'
'–vrp'    '–ACTION(VIEWPERCENTREVERSE)'
'–vrs'    '–ACTION(VIEWSIZEREVERSE)'
'–vb'     '–ACTION(VIEWBRIEF)'
'–vbd'    '–ACTION(VIEWBRIEFDATE)'
'–vbn'    '–ACTION(VIEWBRIEFNAME)'
'–vbo'    '–ACTION(VIEWBRIEFOFFSET)'
'–vbp'    '–ACTION(VIEWBRIEFPERCENT)'
'–vbs'    '–ACTION(VIEWBRIEFSIZE)'
'–vbr'    '–ACTION(VIEWBRIEFREVERSE)'
'–vbrd'   '–ACTION(VIEWBRIEFDATEREVERSE)'
'–vbrn'   '–ACTION(VIEWBRIEFNAMEREVERSE)'
'–vbro'   '–ACTION(VIEWBRIEFOFFSETREVERSE)'
'–vbrp'   '–ACTION(VIEWBRIEFPERCENTREVERSE)'
'–vbrs'   '–ACTION(VIEWBRIEFSIZEREVERSE)'
'–vt'     '–ACTION(VIEWDETAIL)'
'–vtd'    '–ACTION(VIEWDETAILDATE)'
'–vtn'    '–ACTION(VIEWDETAILNAME)'
'–vto'    '–ACTION(VIEWDETAILOFFSET)'
'–vtp'    '–ACTION(VIEWDETAILPERCENT)'
'–vts'    '–ACTION(VIEWDETAILSIZE)'
'–vtr'    '–ACTION(VIEWDETAILREVERSE)'
'–vtrd'   '–ACTION(VIEWDETAILDATEREVERSE)'
'–vtrn'   '–ACTION(VIEWDETAILNAMEREVERSE)'
'–vtro'   '–ACTION(VIEWDETAILOFFSETREVERSE)'
'–vtrp'   '–ACTION(VIEWDETAILPERCENTREVERSE)'
'–vtrs'   '–ACTION(VIEWDETAILSIZEREVERSE)'

Valid ZIP Options

'–ex'        '–COMPRESSION_LEVEL(MAXIMUM)'
'–en'        '–COMPRESSION_LEVEL(NORMAL)'
'–ef'        '–COMPRESSION_LEVEL(FAST)'
'–es'        '–COMPRESSION_LEVEL(SUPERFAST)'
'–e0'        '–COMPRESSION_LEVEL(STORE)'
'–s…'        Secure with encryption, where "…" is the password.
'–noprompt'  When run from an ISPF environment, the default is for the interpreted commands to be displayed in an EDIT session, giving you an opportunity to alter them. This option bypasses that display, as well as the ISPF browse of SYSPRINT when the function is complete.
Valid UNZIP Actions
'–e'      '–ACTION(EXTRACT)'
'–o'      '–OUTFILE_OVERWRITE(Y)'
'–v'      '–ACTION(VIEW)'
'–t'      '–ACTION(TEST)'
'–vd'     '–ACTION(VIEWDATE)'
'–vn'     '–ACTION(VIEWNAME)'
'–vo'     '–ACTION(VIEWOFFSET)'
'–vp'     '–ACTION(VIEWPERCENT)'
'–vs'     '–ACTION(VIEWSIZE)'
'–vr'     '–ACTION(VIEWREVERSE)'
'–vrd'    '–ACTION(VIEWDATEREVERSE)'
'–vrn'    '–ACTION(VIEWNAMEREVERSE)'
'–vro'    '–ACTION(VIEWOFFSETREVERSE)'
'–vrp'    '–ACTION(VIEWPERCENTREVERSE)'
'–vrs'    '–ACTION(VIEWSIZEREVERSE)'
'–vb'     '–ACTION(VIEWBRIEF)'
'–vbd'    '–ACTION(VIEWBRIEFDATE)'
'–vbn'    '–ACTION(VIEWBRIEFNAME)'
'–vbo'    '–ACTION(VIEWBRIEFOFFSET)'
'–vbp'    '–ACTION(VIEWBRIEFPERCENT)'
'–vbs'    '–ACTION(VIEWBRIEFSIZE)'
'–vbr'    '–ACTION(VIEWBRIEFREVERSE)'
'–vbrd'   '–ACTION(VIEWBRIEFDATEREVERSE)'
'–vbrn'   '–ACTION(VIEWBRIEFNAMEREVERSE)'
'–vbro'   '–ACTION(VIEWBRIEFOFFSETREVERSE)'
'–vbrp'   '–ACTION(VIEWBRIEFPERCENTREVERSE)'
'–vbrs'   '–ACTION(VIEWBRIEFSIZEREVERSE)'
'–vt'     '–ACTION(VIEWDETAIL)'
'–vtd'    '–ACTION(VIEWDETAILDATE)'
'–vtn'    '–ACTION(VIEWDETAILNAME)'
'–vto'    '–ACTION(VIEWDETAILOFFSET)'
'–vtp'    '–ACTION(VIEWDETAILPERCENT)'
'–vts'    '–ACTION(VIEWDETAILSIZE)'
'–vtr'    '–ACTION(VIEWDETAILREVERSE)'
'–vtrd'   '–ACTION(VIEWDETAILDATEREVERSE)'
'–vtrn'   '–ACTION(VIEWDETAILNAMEREVERSE)'
'–vtro'   '–ACTION(VIEWDETAILOFFSETREVERSE)'
'–vtrp'   '–ACTION(VIEWDETAILPERCENTREVERSE)'
'–vtrs'   '–ACTION(VIEWDETAILSIZEREVERSE)'
To compress and store all of a user's files into an archive, type the following:

   ZIP -a 'MY.CLI.TEST.ZIP' '&SYSUID.**'
Invoking the PKZIP and SecureZIP for zSeries ISPF Panel Interface
The ISPF panel interface provides a simple way for a TSO user either to build batch JCL or to invoke foreground PKZIPz services. The panel interface also provides a dynamic table that displays the zipped files within a ZIP archive, allowing line-command selection for browsing, viewing, and extracting.
                              SecureZIP 8.1
OPTION ===>

   C   Config           Modify Run-time Configuration Settings
   ZD  Zip Defaults     Modify Default ZIP Command Settings
   UD  Unzip Defaults   Modify Default UNZIP Command Settings
   U   Unzip            Decompress, Decrypt, Authenticate File(s) in an Archive
   V   View             Display the Contents of a Zip Archive
   Z   Zip              Compress, Encrypt, Sign File(s) into a Zip Archive

   S   Sysprint         Browse Log of Last Foreground Execution
   M   Messages         Message ID lookup
   L   License          Display License Information
   CS  Cert Store       Certificate Store Administration and Configuration

   W   What's New       Browse Information on Changes Since Last Release
   P   Contact PKWARE   Browse Information on How to Contact PKWARE

   X   EXIT

For HELP Press PF1
The ISPF interface is covered in detail in Chapter 13. See the PKZIP/SecureZIP for zSeries System Administrator's Guide for instructions on installation and implementation.
Configuration Manager
In PKZIP for MVS version 2, users could create a configuration file from which PKZIP accepted different parameters during a run of PKZIP or PKUNZIP. PKZIPz extends the ways in which the user controls the defaults that PKZIP/SECZIP and PKUNZIP/SECUNZIP use during a job. First, edit PKWARE.MVS.INSTLIB(ACZDFLT) to set the defaults for PKZIP. These defaults are then assembled into PKWARE.MVS.LOAD by running the ASMDFLT member of INSTLIB. The ACZDFLT module gives you extended flexibility to make PKZIP work the way you want it to. ACZDFLT is a data-only CSECT that uses the macro MCZDFLTS to generate the table data. An installation customizes the values for this module by adding the appropriate variable data to the invocation of MCZDFLTS in the ACZDFLT source. Multiple versions of ACZDFLT may be assembled and linked into an execution load library for use with the DM execution parameter, so that multiple configurations can be predefined and selected at run time. In addition to the //PARMLIB DD for the configuration file, the //CONFIG DD is also supported for compatibility with PKZIP for MVS version 2.
Making Changes to the Defaults
Within the ACZDFLT member, at least one variable must match your installation's PKZIP high-level qualifier: the LICENSE_HLQ parameter. PKZIP accesses your PKWARE.MVS.LICENSE data set during every execution of ZIP or UNZIP, and the high-level qualifier you provide in LICENSE_HLQ tells PKZIP where to find it.
***********************************************************
         MCZDFLTS TYPE=CSECT,                                *
               LICENSE_HLQ=PKWARE.MVS                        *
***********************************************************
Remember that the PKWARE.MVS.INSTLIB(ACZDFLT) is a configuration member. Therefore, besides providing the high level qualifier for your installation, you can re-establish new defaults for ZIP and UNZIP processing. Below is an example that shows other parameters that can be coded.
***********************************************************
         MCZDFLTS TYPE=CSECT,                                *
               LICENSE_HLQ=PKWARE.MVS                        *
               PARMLIB_DSNAME_ZIP=NULLFILE,                  *
               PARMLIB_DSNAME_UNZIP=NULLFILE,                *
               ARCHIVE_UNIT=SYSDA,                           *
               TEMP_UNIT=SYSDA,                              *
               COMPRESSION_LEVEL=SUPERFAST,                  *
               CRLF=C                                        *
***************** Bottom of Data **************************
Assembling Your Changes
After editing the ACZDFLT member of PKWARE.MVS.INSTLIB, modify the ASMDFLT JCL member per your JCL standards and submit the job to assemble PKWARE.MVS.INSTLIB(ACZDFLT) into PKWARE.MVS.LOAD. For every execution of ZIP and UNZIP, PKZIPz refers to this assembled ACZDFLT module in your LOAD library.
Inputs User inputs to PKZIPz can come from various sources and formats, as described in the following tables:
User Input Sources (MVS)
ACZDFLT or other customized defaults modules
    The installation defaults module, provided at installation time, or modified and re-assembled by the systems programmer responsible for installation changes.

Installation Configuration File
    A list of commands defined in a sequential file (or PDS member). This file can either be dynamically allocated (file name defined in ACZDFLT) or explicitly allocated through the //PARMLIB DD statement.

//SYSIN DD
    A batch job, started task or TSO user may provide this DD statement to input control statements.

EXEC PGM ... PARM=
    A batch job or started task can pass a subset of parameters through the execution PARM= statement.

API Call Parm
    When calling PKZIPz from an application program, this set of parameters acts like EXEC PARM= above.
Processing Order of Control Statements
In general, after the defaults module ACZDFLT has been loaded, control statements are read sequentially from the various sources in the order below; a statement read from a later source overrides the same statement read from an earlier one.
1. Configuration File (//PARMLIB DD or dynamically allocated).
2. EXEC PARM, or API Call Parm.
3. //SYSIN DD.
The exceptions to this order are the commands that provide early initialization control and are therefore taken from the EXEC PARM first:
   -DM ACZDFLT    Defaults module selection.
   -ECHO
Configuration Manager Processing: Managing Control Statements
Control Statement Definitions
Control statements are managed via an internal control table, ACMTABLE. This table determines which values are permitted for each command and provides validation information to the Configuration Manager. Keywords, formats, and values generated in the defaults module are kept in synchronization with the control information maintained in ACMTABLE, which the Configuration Manager routines use to parse control statements. Control statement values map directly onto the defaults module values. Default values for the commands are held in module ACZDFLT, which is loaded at run time. A sample source module, PKWARE.MVS.INSTLIB(ACZDFLT), is provided and can be assembled (with the ASMDFLT JCL member) to change the defaults for the installation.
In addition, ACZDFLT can be assembled under a different load module name to create custom profiles of defaults for a variety of needs. A different flavor of ACZDFLT is requested at execution time with the JCL EXEC parameter -DM nnnnnnnn, where nnnnnnnn is the name of the module to use instead of ACZDFLT. The ISPF interface has two options, UD and ZD, that let you see and set values for many of the commands; use them as a reference when deciding which command values to use. The batch SHOW_SETTINGS command is also a useful reference for command names and their default values.
Troubleshooting
PKZIP and SecureZIP for zSeries Messages PKZIPz writes messages to SYSPRINT (or other output DD file as specified by the defaults module) that indicate whether processing is successful. Each message type is defined with a unique message ID starting with “ZP” (see the Messages and Codes Guide for specific format information). The volume of messages that are written to SYSPRINT is controlled by the command LOGGING_LEVEL. Additional processing information is displayed when VERBOSE is requested. This does not affect the output of critical error messages, which are written regardless of the level requested. Explanatory information regarding messages can also be found on-line via the ISPF interface, or by browsing the PKWARE.MVS.HELP members.
Debugging Controls
To see which processing options are in effect, code SHOW_SETTINGS as the last SYSIN command or in the EXEC PARM to display all final parameter values. When issues concerning non-VSAM data set allocation arise, specify TRACE_DYNALLOC(4) to see the values used for individual files. When issues concerning VSAM cluster definitions arise, use TRACE_AMS(1) to see the control cards passed to IDCAMS.
6 About Security, Certificates and Encryption
Requires SecureZIP
This chapter discusses how to use SecureZIP for zSeries to secure your data. The elements required to make a SecureZIP for zSeries archive are discussed in detail. Used selectively, these elements combine to create a SecureZIP for zSeries archive or to extract one or more files from one. A series of ISPF panels, standard with SecureZIP for zSeries, assists you in building and maintaining the SecureZIP certificate store. The chapter provides the ISPF screens and SecureZIP commands used to accomplish these tasks, along with notes and comments. Note: SecureZIP for zSeries is required for all advanced encryption operations, but PKZIP for zSeries Enterprise Edition can decrypt password-based archive data encrypted with SecureZIP.
Terms and Acronyms Used in This Chapter
SecureZIP for zSeries introduces new terminology to users who are familiar with PKZIP. These expressions relate to the security features in SecureZIP for zSeries.
• Public Key Certificate(s)
• Private Key Certificate(s)
• Data Base Profile (Local Certificate Store)
• LDAP Profile (Networked Certificate Store)
• Password
• RECIPIENT
• MASTER RECIPIENT
• Configuration Profile
• Certificate Store
• Common Name
• Path
• Cert Configuration
• PING
• TCPIP
• User Certificate
• Certificate Authority
• Recipient DataBase
• Recipient Searches
• Filename Encryption
• Authentication
• File Signing
• Archive Signing
Accessing Certificates
SecureZIP for zSeries provides access to certificates through a set of local files (sequential, PDS or PDSE) and VSAM index paths when control card requests are present. In addition, RECIPIENT(LDAP:...) requests are resolved through configured network definitions. The recipient of a file that has been encrypted with a public key must supply the matching private key to decrypt and UNZIP the file. This is done with the RECIPIENT command, which specifies the location of the private-key certificate and the password required to access it. This password is unrelated to any password used to encrypt the file; it is used solely to access the recipient's private key. RECIPIENT commands may be included in the command input stream directly or through the INCLUDE_CMD command. A Private-Cert profile designates a saved set of RECIPIENT commands for private-key certificates. When the SecureZIP for zSeries dialogs prepare batch JCL or UNZIP call streams, these commands are included automatically when file decryption is requested.
Configuration Profile
A configuration profile is a collection of SecureZIP for zSeries commands that describes the SecureZIP environment. At execution time this profile is read to locate the appropriate certificate stores and indexes. SecureZIP provides various means by which the configuration information can be supplied. Contact your organization's technical support staff for instructions on accessing the configuration.
Contents of the Configuration Profile
Execution configuration values may be supplied in any of the following ways. It is highly recommended that the command sources be coordinated in logical groups (local certificate store settings or LDAP settings) so that overrides do not become overly complex.
• Direct commands in the SYSIN stream. When accepted, these commands take precedence over all other sources.
• INCLUDE_CMD indirect reading of profile commands. This is the method employed when you specify a file location in the SecureZIP Active DB Profile: field. When accepted, these commands take precedence over profiles read by the defaults module, but may be overridden by SYSIN commands.
• Defaults module indirect reading of profile commands. This is the method employed when you specify UNDEFINED in the SecureZIP Active DB Profile: field.
Data Base (DB) Profile (Local Certificate Store)
When you specify recipients for certificate-based encryption, SecureZIP for zSeries must be able to locate the recipients' public-key certificates. One way to designate recipients is through the DB: form of the RECIPIENT command. This allows recipient selection based on name or email address through a configured database of certificates on the system that is executing SecureZIP for zSeries. Your organization's technical support staff is responsible for configuring the local certificate store and should tell you which profile data set (typically a member of a partitioned data set) to use. Below is a sample of the contents of the data base profile.
Active Store Configuration: 'PKWARE.MVS.PROFILES(DBPROF)'
-{CSPUB=4;1;PKWARE.MVS.CERTSTOR.PUBLIC}
-{CSPRVT=4;1;PKWARE.MVS.CERTSTOR.PRIVATE}
-{CSPUB_DBX=PKWARE.MVS.CERTSTOR.DBX}
-{CSPUB_DBX_PATH_CN=PKWARE.MVS.CERTSTOR.PATHCN}
-{CSPUB_DBX_PATH_EM=PKWARE.MVS.CERTSTOR.PATHEM}
-{CSPUB_DBX_PATH_PUBKEY=PKWARE.MVS.CERTSTOR.PATHPUBK}
-{CSCA=1;0;PKWARE.MVS.CERTSTOR.P7CA}
-{CSROOT=1;0;PKWARE.MVS.CERTSTOR.P7ROOT}
-{VALSIGN=TRUSTED,EXPIRED,NOTREVOKED}
-{VALENCRYPT=TRUSTED,EXPIRED,NOTREVOKED}
-{AUTHENTICATE=TRUSTED,EXPIRED,NOTREVOKED,TAMPERCHECK}
LDAP Profile (Networked Certificate Store)
When you specify recipients for certificate-based encryption, SecureZIP for zSeries must be able to locate the recipients' public-key certificates. One way to designate recipients is through the LDAP: form of the RECIPIENT command, which searches a directory server. This approach allows recipient selection based on name, email address, or other installation-configured LDAP fields. One or more LDAP-compliant servers may be configured for searching.
The technical support staff responsible for configuring the LDAP-compliant directory that stores certificates will provide you with information on which profile data set (typically a member of a partitioned data set) to use. Below is a sample of the contents of the file.
* ------------------------------------------------------------ *
* zSeries LDAP access                                          *
* ------------------------------------------------------------ *
* ---
* Primary LDAP
* ---
-{LDAP=1;192.168.9.12;389;0;0;;;*EMAIL;o=pkware,c=US,cn=user,dc=cosmos,dc=pkzip,dc=com}
* ---
Note: The LDAP profile may not contain any encryption certificate validation policy. If the end user specifies only the LDAP profile, without a local certificate store, the SecureZIP default validation settings of TRUSTED and REVOKED are enforced for the run. The job then fails while validating the trusted certificate path, because no CA or root certificates are available for processing. To run a SecureZIP job with the LDAP profile only, either include the validation policy in the job stream (see the sample below) or add the VALENCRYPT policy statement to the LDAP profile. Be aware that NOTTRUSTED accepts a recipient certificate without tracing it back to a root in the CSROOT store, so it should be used only where the directory itself is trusted to return the correct certificates.
-INCLUDE_CMD(PKWARE.MVS.PROFILES(LDAP))
-RECIPIENT(LDAP:CN=PKWARE TEST4,R)
-{VALENCRYPT=NOTTRUSTED,EXPIRED,NOTREVOKED}
Recipient Searches
When RECIPIENT requests are made for the local certificate store ("DB:"), an LDAP directory ("LDAP:") or both ("SYSTEM:"), a set of search criteria is provided. The criteria of email address ("EM=" or "mail=") and common name ("CN=") are accepted by both the DB: and LDAP: service providers.

When multiple RECIPIENT requests are made, two or more search criteria may resolve to the same recipient certificate. For example, if both EM= and CN= are used in different RECIPIENT (or MASTER_RECIPIENT, contingency key processing) requests, both may find the same public-key certificate. The first entry found is used, and any duplicate copies of the same certificate are ignored, so that the certificate is represented only once. A search for an individual by name or email address may, however, return multiple different digital certificates, whether from the same certificate store source or not. In this case, more than one representation of that individual is included in the run.

LDAP searching can be done with direct RECIPIENT requests, -RECIPIENT(LDAP:search_criteria), or implicitly, -RECIPIENT(*system:search_criteria). In either case, the certificate store configuration settings define the order in which the LDAP servers are searched. With *system, however, the local certificate stores are searched before any of the configured LDAPs.
When multiple stores are to be searched (*system: or LDAP:), all RECIPIENT requests are searched in one store before the next store is referenced. If a RECIPIENT request finds one or more entries in a store, subsequent stores are not searched for that request. This means that generic LDAP search criteria can bypass entries defined in later LDAP servers. RECIPIENT requests that were not satisfied at all by the earlier store search continue to be searched for in the following stores.
Example: Search LDAPs for RECIPIENT matches

   LDAP #1    0 entries    0 matches
   LDAP #2    3 entries    3 matches

Add an entry to LDAP #1 that matches the RECIPIENT request:

   LDAP #1    1 entry      1 match
   LDAP #2    3 entries    0 matches
Local Certificate Stores
Access X.509 Public and Private Key Certificates
See also Chapter 2 for an overview of certificate stores. SecureZIP for zSeries introduces a new subtask, CSERV, that uses RSA's BSAFE Cert-C Toolkit to access X.509 public- and private-key certificates. Access to the various certificate stores by this task is governed by the various forms of the RECIPIENT, SIGN_ARCHIVE, SIGN_FILES and AUTHCHK commands, and by a suite of configuration commands. The configuration commands are read through SYSIN, INCLUDE_CMD(parmlib) or SECUREZIP_CONFIG specifications. The syntax of the commands is -{ ... }; the semicolon (;) is the parameter delimiter.
-{CSPUB=type;Seq;string PUB}
-{CSPRVT=type;Seq;string Prvt}
-{CSCA=type;Seq;string CA}
-{CSROOT=type;Seq;string Root}

-{CSPUB_DBX=vsam_cluster_base_index}
-{CSPUB_DBX_PATH_CN=vsam_path_through_AIX_for_Common_Name}
-{CSPUB_DBX_PATH_EM=vsam_path_through_AIX_for_Email_address}
-{CSPUB_DBX_PATH_PUBKEY=vsam_path_through_AIX_for_PublicKey}

-{AUTHENTICATE=TRUSTED,EXPIRED,REVOKED,TAMPERCHECK}
-{VALSIGN=TRUSTED,EXPIRED,NOTREVOKED}
-{VALENCRYPT=TRUSTED,EXPIRED,NOTREVOKED}

-{RESET}
Where:
• type: 0 = *PATH, 1 = FILE, 2 = *DB, 3 = *LDAP, 4 = *PDS
• Seq: 0 through 9 (certificate store search order)
• LDAP: a timeout of 0 uses the system settings
• LDAP: a user of NULL or ";;" uses an "anonymous" login
Certificate Store References -{CSxxx}
If not supplied through configuration changes, the defaults are:

{CSPUB=1;9;DUMMY}
{CSPRVT=1;9;DUMMY}
{CSCA=1;9;DUMMY}
{CSROOT=1;9;DUMMY}
{CSPUB_DBX=SECZIP.CERTSTOR.PUBLIC.DBX}
{CSPUB_DBX_PATH_CN=SECZIP.CERTSTOR.PATHCN}
{CSPUB_DBX_PATH_EM=SECZIP.CERTSTOR.PATHEM}
{CSPUB_DBX_PATH_PUBKEY=SECZIP.CERTSTOR.PATHPUBK}
The local zSeries certificate store for public-key certificates (configuration settings {CSPUB_...}) can be built as a PDS[E] with an indexing scheme for common name and email address searches. The index is a VSAM base cluster and a set of alternate index paths that access the appropriate field types. The PDS[E] and the VSAM suite are managed as a unit and should not be manipulated independently of the supplied SecureZIP utilities. When no public-key store (CSPUB=) PDS[E] is specified, the indexing (CSPUB_DBX...) files are not accessed. The CSCA (Certificate Authority) and CSROOT (Trusted Root Certificate Authority) certificates are maintained in respective sequential files in X.509 PKCS#7 format. Overrides to {CSxxx...} or {LDAP...} configuration commands can be made through input command streams or included members. However, take care to coordinate overrides so that intermixed paths do not result in different databases or indexes being used when resolving the various search criteria.
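The following Python program is an added illustration, not PKWARE code, of the rules described in the Recipient Searches and Local Certificate Stores sections: it parses -{...} configuration commands with the semicolon delimiter, applies the override rule that a later command replaces an earlier one for the same keyword, honors {RESET} (described under Other Profile Commands), derives the *system: search order (local public-key store before the configured LDAP servers), and reproduces the store-by-store RECIPIENT search shown in the "Search LDAPs for RECIPIENT matches" example. The data set names in the sample profile copy the guide's own samples; the second LDAP host, the certificate records, the key identifiers, the email addresses and the case-insensitive comparison are constructed assumptions of this model, and the product's real LDAP field layout and matching rules are not reproduced.

```python
# Added illustration for this guide, not PKWARE code: a model of the -{...}
# configuration commands, the override and {RESET} rules, and the
# store-by-store RECIPIENT search described in this chapter. LDAP field
# layout, certificate records and case-insensitive matching are assumptions.
import re

STORE_TYPES = {"0": "*PATH", "1": "FILE", "2": "*DB", "3": "*LDAP", "4": "*PDS"}
CMD_RE = re.compile(r"^-?\{([A-Za-z_]+)(?:=(.*))?\}$")


def parse_config(lines):
    """Apply commands in input order; a later command for the same keyword
    replaces an earlier one. {RESET} clears CSxxx and LDAP entries only."""
    cfg = {"stores": {}, "ldap": [], "policies": {}}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("*"):       # comment or disabled command
            continue
        m = CMD_RE.match(line)
        if not m:
            raise ValueError(f"not a -{{...}} configuration command: {raw!r}")
        key, value = m.group(1).upper(), m.group(2)
        if key == "RESET":
            cfg["stores"].clear()
            cfg["ldap"].clear()
        elif key == "LDAP":
            cfg["ldap"].append(value.split(";"))   # seq;host;port;... fields
        elif key.startswith("CS") and value and value.count(";") >= 2:
            typ, seq, name = value.split(";", 2)   # type;Seq;data set name
            cfg["stores"][key] = (STORE_TYPES[typ], int(seq), name)
        elif key.startswith("CS"):
            cfg["stores"][key] = value             # CSPUB_DBX... index data sets
        else:
            cfg["policies"][key] = value           # AUTHENTICATE/VALSIGN/VALENCRYPT
    return cfg


def search_order(cfg):
    """*system: consults the local public-key store first, then each LDAP."""
    order = ["CSPUB"] if "CSPUB" in cfg["stores"] else []
    return order + [f"LDAP#{i}" for i in range(1, len(cfg["ldap"]) + 1)]


def matches(request, cert):
    """CN= or EM=/mail= criteria; case-insensitive compare is an assumption."""
    field, _, wanted = request.partition("=")
    attr = {"CN": "cn", "EM": "email", "MAIL": "email"}[field.strip().upper()]
    return cert[attr].lower() == wanted.strip().lower()


def search_recipients(requests, stores, order):
    """Try every request in one store before the next; a request satisfied in
    a store is not searched for later, unsatisfied ones carry on, and a
    certificate reached twice is kept once. Returns (matches per store,
    distinct certificates, unsatisfied requests)."""
    pending, per_store, found = list(requests), {}, {}
    for name in order:
        per_store[name] = 0
        still_pending = []
        for req in pending:
            hits = [c for c in stores.get(name, []) if matches(req, c)]
            if hits:
                per_store[name] += len(hits)
                for c in hits:
                    found.setdefault(c["id"], c)   # duplicate copies ignored
            else:
                still_pending.append(req)
        pending = still_pending
    return per_store, list(found.values()), pending


# Constructed sample: data set names copy the guide's samples, the second
# LDAP host is invented, and the repeated VALENCRYPT shows "last one wins".
SAMPLE_PROFILE = """\
* Local certificate store and LDAP configuration (constructed sample)
-{CSPUB=4;1;PKWARE.MVS.CERTSTOR.PUBLIC}
-{CSPUB_DBX=PKWARE.MVS.CERTSTOR.DBX}
-{CSCA=1;0;PKWARE.MVS.CERTSTOR.P7CA}
-{CSROOT=1;0;PKWARE.MVS.CERTSTOR.P7ROOT}
-{LDAP=1;192.168.9.12;389;0;0;;;*EMAIL;o=pkware,c=US}
-{LDAP=2;ldap2.example.invalid;389;0;0;;;*CN;o=pkware,c=US}
-{VALENCRYPT=TRUSTED,EXPIRED,REVOKED}
-{VALENCRYPT=TRUSTED,EXPIRED,NOTREVOKED}
""".splitlines()


def cert(cert_id, cn, email):
    return {"id": cert_id, "cn": cn, "email": email}


# Constructed inventories reproducing the "Search LDAPs" example: LDAP #1 is
# empty, LDAP #2 holds three certificates for the same person.
STORES_BEFORE = {
    "CSPUB": [cert("k1", "PKWARE Test1", "test1@example.invalid")],
    "LDAP#1": [],
    "LDAP#2": [cert("k4a", "PKWARE Test4", "test4@example.invalid"),
               cert("k4b", "PKWARE Test4", "test4@example.invalid"),
               cert("k4c", "PKWARE Test4", "test4@example.invalid")],
}
STORES_AFTER = {**STORES_BEFORE,                   # same, after LDAP #1 gains a match
                "LDAP#1": [cert("k4d", "PKWARE Test4", "test4@example.invalid")]}


def demo():
    """Returns (config, search order, matches before, matches after)."""
    cfg = parse_config(SAMPLE_PROFILE)
    order = search_order(cfg)
    before, _, _ = search_recipients(["CN=PKWARE TEST4"], STORES_BEFORE, order)
    after, _, _ = search_recipients(["CN=PKWARE TEST4"], STORES_AFTER, order)
    return cfg, order, before, after
```

Running demo() gives the two tallies of the guide's example: before the extra entry, LDAP#2 supplies all three matches; after it, LDAP#1 satisfies the request and LDAP#2 is never consulted for it. The same function shows why an incomplete override is dangerous: a {RESET} followed by a single CSPUB command leaves no CA or root store configured, which is exactly the condition under which a TRUSTED policy fails.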
Authentication and Certificate Validation Policies
Certificate validation may be done when activities in the following functional areas are performed:
• Recipient-based encryption
• Archive or file signing
• Authentication of digital signatures for files and/or the archive directory
Validation policies are passed to SECZIP and SECUNZIP to govern various aspects of certificate validation at execution time. The policies are defined in configuration profile settings and may also be included as override commands for individual executions of SECZIP and SECUNZIP. The policy command settings are coded in the same format as other certificate store profile commands, with the syntax -{...}. Each functional area supports a single policy statement with its associated settings. The CERTSTORE Policy Setup panel generates a policy statement for each functional area for use in the certificate store profile.
• -{AUTHENTICATE=...}
• -{VALENCRYPT=...}
• -{VALSIGN=...}
{AUTHENTICATE} Policy
The {AUTHENTICATE} setting can be used within an include member that contains configuration commands, or within the standard command stream. It defines the level of processing that AUTHCHK commands perform. The last AUTHENTICATE command found in the input stream is used for processing and fully defines the signature authentication elements to be verified. The default settings may be changed by the SecureZIP administrator at any time; if this command is not supplied, all supported elements default to being checked. Elements include:
• [NO]TAMPERCHECK: The signature associated with the archive or file(s) is used to verify that the content has not been altered since the archive was built.
• [NOT]EXPIRED: The digital certificates used to perform the signing operation contain internal date ranges of validity. The AUTHCHK operation fails if any certificate in the trust chain is not within its stated date range. Note that an end-certificate may have expired by the time the archive is accessed; NOTEXPIRED may be used to continue processing.
• [NOT]REVOKED: A certificate owner may request that the issuing certificate authority declare a certificate revoked, so that it is no longer considered valid. The AUTHCHK operation fails if any certificate in the trust chain has been revoked or if its revocation status could not be determined.
• [NOT]TRUSTED: Each end-certificate used in the signature must be traced back to a trusted root certificate. The CSCA and CSROOT stores on the local system performing the authentication check are accessed to determine whether the entire certificate chain can be trusted. Although the root ("self-signed") certificate may be included within the archive, it MUST also exist in the CSROOT store to reach the TRUSTED state.
{VALSIGN} Policy
The {VALSIGN} setting can be used within an include member that contains configuration commands, or within the standard command stream. It defines the level of processing that SIGN_FILES and SIGN_ARCHIVE commands perform during SECZIP execution. The last VALSIGN command found in the input stream is used for processing and fully defines the signing certificate elements to be verified. The default settings may be changed by the SecureZIP administrator at any time; if this command is not supplied, all supported elements default to being checked. Elements include:
• [NOT]EXPIRED: The digital certificates used to perform the signing operation contain internal date ranges of validity. The signing operation fails if any certificate in the trust chain is not within its stated date range. Note that an end-certificate may have expired by the time the archive is built; NOTEXPIRED may be used to continue processing.
• [NOT]REVOKED: A certificate owner may request that the issuing certificate authority declare a certificate revoked, so that it is no longer considered valid. The signing operation fails if any certificate in the trust chain has been revoked or if its revocation status could not be determined.
• [NOT]TRUSTED: Each end-certificate used in the signature must be traced back to a trusted root certificate. The CSCA and CSROOT stores on the local system performing the signing are accessed to determine whether the entire certificate chain can be trusted. Although the root ("self-signed") certificate may be included within the archive, it MUST also exist in the CSROOT store to reach the TRUSTED state.
{VALENCRYPT} Policy
The {VALENCRYPT} setting can be used within an include member that contains configuration commands, or within the standard command stream. It defines the level of processing that RECIPIENT-based encryption requests perform during SECZIP execution. The last VALENCRYPT command found in the input stream is used for processing and fully defines the recipient certificate elements to be verified. The default settings may be changed by the SecureZIP administrator at any time; if this command is not supplied, all supported elements default to being checked. Elements include:
• [NOT]EXPIRED: The recipients' public-key certificates contain internal date ranges of validity. The encryption request fails if any certificate in a recipient's trust chain is not within its stated date range. Note that an end-certificate may have expired by the time the archive is built; NOTEXPIRED may be used to continue processing.
• [NOT]REVOKED: A certificate owner may request that the issuing certificate authority declare a certificate revoked, so that it is no longer considered valid. The encryption request fails if any certificate in the trust chain has been revoked or if its revocation status could not be determined.
• [NOT]TRUSTED: Each recipient end-certificate must be traced back to a trusted root certificate. The CSCA and CSROOT stores on the local system performing the encryption are accessed to determine whether the entire certificate chain can be trusted. Although the root ("self-signed") certificate may be included within the archive, it must also exist in the CSROOT store to reach the TRUSTED state.
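The following Python model is an added illustration for this chapter, not PKWARE code, of how the {AUTHENTICATE}, {VALSIGN} and {VALENCRYPT} policy elements combine as described above, including the LDAP-only failure described in the note under LDAP Profile. The product validates real X.509 chains with the Cert-C toolkit; this model works on constructed certificate records (the subjects, dates and revocation states are invented for the example, and the CSROOT store is represented as a set of subject names) so that the pass/fail rules stated in the text can be exercised offline.

```python
# Added illustration for this chapter, not PKWARE code: how the elements of
# the {AUTHENTICATE}, {VALSIGN} and {VALENCRYPT} policies combine, exercised
# on constructed certificate records. The product validates real X.509
# chains with the Cert-C toolkit; here a chain is a list of records and the
# CSROOT store is a set of subject names, both simplifications.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set

ALL_CHECKS = {"TRUSTED", "EXPIRED", "REVOKED", "TAMPERCHECK"}


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: date
    not_after: date
    revoked: Optional[bool] = False   # None: revocation status could not be determined

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def parse_policy(text: Optional[str]) -> Set[str]:
    """'TRUSTED,EXPIRED,NOTREVOKED' -> the checks to perform. No policy means
    every element is checked; NOTxxx / NOTAMPERCHECK switch an element off."""
    if not text:
        return set(ALL_CHECKS)
    enabled = set()
    for elem in text.upper().replace(" ", "").split(","):
        if elem in ALL_CHECKS:
            enabled.add(elem)
        elif elem.startswith("NOT") and elem[3:] in ALL_CHECKS:   # NOTEXPIRED etc.
            continue
        elif elem == "NOTAMPERCHECK":
            continue
        else:
            raise ValueError(f"unknown policy element {elem!r}")
    return enabled


def chain_is_trusted(chain: List[Cert], root_store: Set[str]) -> bool:
    """Each certificate must be issued by the next, and the chain must end at
    a self-signed root held in CSROOT. A root carried in the archive does not
    count unless CSROOT also holds it."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    top = chain[-1]
    return (top.subject if top.self_signed else top.issuer) in root_store


def validate(chain, policy, root_store, today, content_intact=True):
    """chain: end certificate first. Returns the failed policy elements;
    an empty list means the operation may proceed."""
    failures = []
    if "TAMPERCHECK" in policy and not content_intact:
        failures.append("TAMPERCHECK")
    if "EXPIRED" in policy and any(
            not (c.not_before <= today <= c.not_after) for c in chain):
        failures.append("EXPIRED")
    if "REVOKED" in policy and any(c.revoked is None or c.revoked for c in chain):
        failures.append("REVOKED")           # revoked, or status undeterminable
    if "TRUSTED" in policy and not chain_is_trusted(chain, root_store):
        failures.append("TRUSTED")
    return failures


# Constructed test chain: subjects, dates and revocation states are invented.
TODAY = date(2005, 6, 1)
ROOT = Cert("CN=Example Root", "CN=Example Root", date(2000, 1, 1), date(2010, 1, 1))
CA = Cert("CN=Example CA", ROOT.subject, date(2001, 1, 1), date(2008, 1, 1))
USER = Cert("CN=PKWARE TEST4", CA.subject, date(2004, 1, 1), date(2006, 1, 1))
USER_EXPIRED = Cert("CN=PKWARE TEST1", CA.subject, date(2002, 1, 1), date(2004, 1, 1))
USER_UNKNOWN = Cert("CN=PKWARE TEST2", CA.subject, date(2004, 1, 1), date(2006, 1, 1),
                    revoked=None)
CSROOT = {ROOT.subject}                      # what the P7ROOT data set would hold


def demo():
    """Scenarios from the chapter -> {name: failed elements}."""
    default = parse_policy(None)                                # all checked
    ldap_only = parse_policy("NOTTRUSTED,EXPIRED,NOTREVOKED")   # LDAP-only override
    no_expiry = parse_policy("TRUSTED,NOTEXPIRED,REVOKED")
    return {
        "valid chain, default policy": validate([USER, CA, ROOT], default, CSROOT, TODAY),
        "LDAP profile only, no CSROOT": validate([USER, CA, ROOT], default, set(), TODAY),
        "LDAP profile only, NOTTRUSTED": validate([USER, CA, ROOT], ldap_only, set(), TODAY),
        "expired end cert, default": validate([USER_EXPIRED, CA, ROOT], default, CSROOT, TODAY),
        "expired end cert, NOTEXPIRED": validate([USER_EXPIRED, CA, ROOT], no_expiry, CSROOT, TODAY),
        "revocation status unknown": validate([USER_UNKNOWN, CA, ROOT], default, CSROOT, TODAY),
        "archive altered after signing": validate([USER, CA, ROOT], default, CSROOT, TODAY,
                                                  content_intact=False),
    }
```

The "LDAP profile only" pair is the situation from the note under LDAP Profile: with the default policy and an empty CSROOT store the chain cannot be trusted, so the run fails on TRUSTED; the NOTTRUSTED override lets it proceed, at the cost of accepting whatever the directory returns. The revocation scenario shows the rule that an undeterminable status is treated the same as a revoked certificate.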
Other Profile Commands
{RESET} Clearing the Active Configuration
The {RESET} command can be used at the beginning of an include member that contains configuration commands, or within the standard command stream, to clear all {CSxxx...} and {LDAP...} configuration commands that were previously loaded. This helps avoid mixed entries when an incomplete set of overrides is present. Remember that the defaults module may supply settings for the configuration commands even when none are explicitly coded at run time. The default settings may be changed by the SecureZIP administrator at any time.
Execution Time
SecureZIP for zSeries is commonly run as a batch job step utility to place one or more files into a SecureZIP container (archive) prior to subsequent processing (such as transport to an off-board system). Processing considerations when using recipient-based encryption include:
• Using INCLUDE_CMD in the SYSIN command stream to reference the local certificate store configuration control records (created by the initial setup in Certificate Store Administration).
• Using the RECIPIENT command to trigger certificate-based encryption. Optionally, the RECIPIENT command used for extraction (decryption) may be referenced via INCLUDE_CMD to protect the password information it contains.
• Having data set-level READ authority (via RACF or an equivalent product) to the private-key certificate and to the referenced command files necessary to access the certificate.
• Performing JCL return code checking in the job stream after the SECZIP program has completed, to test the success of encryption/decryption processing.
Security Considerations
To ensure the continued integrity of private-key certificates within an organization, special attention should be paid to protecting access to them. The X.509 PKCS#12 certificate format supported by SecureZIP has an inherent protection mechanism: the private keys within the transportable certificate are protected by an access password. Without the appropriate password, the private keys cannot be accessed from the PKCS#12 private-key certificate (on any system or location). Once a PKCS#12 file has been copied, however, its password is the only remaining protection on the key, so read protection of the file matters as much as the strength of the password. RACF READ authority (or equivalent) must be granted to the job accessing the certificate store, the X.509 certificate file, and the referenced input stream containing the command that makes the certificate request (and the password for a private-key certificate). To perform a decryption operation, SecureZIP for zSeries requires read access to the PKCS#12 private-key certificate (file or PDS member), as well as a RECIPIENT command containing the corresponding password. Similarly, the signing and authentication commands (SIGN_ARCHIVE, SIGN_FILES and AUTHCHK) may reference private keys. Consider the following when using SecureZIP to access private keys:
• Password information is masked in SecureZIP SYSPRINT output.
• If jobstream inputs can be viewed by operational staff, use an indirect reference (INCLUDE_CMD) to the command(s) containing the password.
• Read-protect command files containing passwords.
• Read-protect PKCS#12 certificate files.
• Optionally use ECHO=N within the command sequence to keep the command out of the SYSPRINT output.
SecureZIP Certificate Store Administration and Configuration For detailed instructions on certificate store configuration and management, LDAP configuration, and other x.509 certificate utilities, see the SecureZIP for zSeries System Administrator’s Guide.
Run-Time Configuration
The Runtime Configuration panel (option C) is used for entering configuration information for the ISPF SecureZIP interface: the active load library, default options files, job card and other miscellaneous information. The SecureZIP certificate store settings must be configured on a second panel as well; a message at the bottom of the configuration panel directs you to press Enter to view them.
Runtime Configuration Panel
                      SecureZIP Runtime Configuration
OPTION ===>                                                    More:  -
Initial Execution Default Command Settings
   Defaults module.....: ACZDFLT                (ACZDFLT)
   ZIP processing......: 'PKWARE.MVS.INSTLIB(CMDZIP)'
   UNZIP processing....: 'PKWARE.MVS.INSTLIB(CMDUNZIP)'

Foreground Processing Controls
   Use TSO Prefix      : N     (Y/N)
   Lowest Acceptable RC: 4     (0,4,8)

SYSPRINT Allocation
   Type      : CYLS  (BLKS,TRKS,CYL)
   Primary   : 3
   Secondary : 1

Batch Job Card information
//FPDCS1   JOB 'ACCOUNTING INFO',CLASS=A,REGION=8M,
//         MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID
//*

Hit ENTER for SecureZIP Certificate Store Settings
To EXIT Press PF3          For HELP Press PF1
Runtime Configuration Panel: Certificate Stores
PKZC001S              SecureZIP Runtime Configuration
Option ===>
Certificate Store Settings   (ENTER to validate, PF7/PF8 to scroll)
   /  to Edit the file        M  to Display a member selection list

   Private-Cert         > 'PKWARE.MVS.JCL(CERTPROF)'
   DB Profile           > 'PKWARE.MVS.PROFILES(DB810X)'
   LDAP Profile         > 'PKWARE.MVS.JCL(LDAPFPD1)'
   ZIP Recipient List   > 'PKWARE.MVS.CERTSTOR.PROFILES($RECIPS)'
   UNZIP Recipient List > UNDEFINED
   Archive Signing      > 'PKWARE.MVS.CERTSTOR.PROFILES($SIGNARC)'
   File Signing         > 'PKWARE.MVS.CERTSTOR.PROFILES($SIGNFIL)'
   Authenticate Archive > 'PKWARE.MVS.CERTSTOR.PROFILES($AUTHARC)'
   Authenticate Files   > 'PKWARE.MVS.CERTSTOR.PROFILES($AUTHFIL)'
***** Top of Data **************************************************************
Private-key Certificate Recipient(s):
======*------*
      * Profile PKWARE.MVS.JCL(certprof) *
      *------*
      *-recipient(db:cn=PKWARE TEST1,R,PASSWORD=PKWARE)
      *-recipient(dsn://'SECZIP.IVP.CERT.ADMIN04.PFX',password=password)
Local Certificate Store DB Profile:
======***
      * LOCAL CERTIFICATE STORE CONFIGURATION CONTROL *
      * Include this member in SecureZIP runs requiring Local Certificate
      * Store RECIPIENTS, SIGN_ARCHIVE, SIGN_FILES and AUTHCHK signatories.
      ***
      -{CSPUB=4;1;PKWARE.MVSSTD.CERTSTOR.PUBLIC}
      -{CSPRVT=4;1;PKWARE.MVSSTD.CERTSTOR.PRIVATE}
      -{CSPUB_DBX=PKWARE.MVSSTD.CERTSTOR.DBX}
      -{CSPUB_DBX_PATH_CN=PKWARE.MVSSTD.CERTSTOR.PATHCN}
      -{CSPUB_DBX_PATH_EM=PKWARE.MVSSTD.CERTSTOR.PATHEM}
      -{CSPUB_DBX_PATH_PUBKEY=PKWARE.MVSSTD.CERTSTOR.PATHPUBK}
      -{CSCA=1;0;PKWARE.MVSSTD.CERTSTOR.P7CA}
      -{CSROOT=1;0;PKWARE.MVSSTD.CERTSTOR.P7ROOT}
      -{AUTHENTICATE=TRUSTED,EXPIRED,REVOKED,TAMPERCHECK}
      *{VALSIGN=TRUSTED,EXPIRED,REVOKED}
      *{VALENCRYPT=TRUSTED,EXPIRED,REVOKED}
LDAP Configuration Profile: ======-{LDAP=1;ASI4;4389;0;0;;;*CN;o=PKWARE}
Saved Recipient List: ======*RECIPIENT(DB:CN=PKWARE Test1,PASSWORD=PKWARE)
Saved Archive Signing List: ======-SIGN_ARCHIVE(DB:CN=PKWARE Test1,PASSWORD=PKWARE)
Saved File Signing List: ======-SIGN_FILES(DB:CN=PKWARE Test1,PASSWORD=PKWARE) -SIGN_FILES(DB:CN=PKWARE Test2,PASSWORD=PKWARE) -SIGN_FILES(DB:CN=PKWARE Test3,PASSWORD=PKWARE) -SIGN_FILES(DB:CN=PKWARE Test4,PASSWORD=PKWARE)
Saved Archive Authentication List: ======-AUTHCHK(ARCHIVE,DB:CN=PKWARE Test1)
Saved File Authentication List: ======-AUTHCHK(FILES,DB:CN=PKWARE Test1,PASSWORD=PKWARE)
***** Bottom of Data *******************************************
The preceding panel is used for entering configuration information for certificate profiles and for editing saved control cards used in certificate processing.
That information includes the locations of the private-key certificate, the data base profile, and the LDAP profile. You must specify the location of private-key certificates. For the locations of the DB and/or LDAP profiles, contact your SecureZIP administrator.
SecureZIP Runtime Configuration Panel Undefined
SecureZIP Runtime Configuration Option ===> Certificate Store Settings ( ENTER to validate PF7/PF8 to scroll)
/ to Edit the configuration file   M to Display a member selection list
  Private-Cert> undefined
  DB Profile  > undefined
  LDAP Profile> undefined
/ to Edit the saved lists
  Zip Recipient List  > undefined
  UNZIP Recipient List> UNDEFINED
  Archive Signing     > undefined
  File Signing        > undefined
  Authenticate Archive> undefined
  Authenticate Files  > undefined
***** Top of Data **************************************************************
Private-key Certificate Recipient(s): ======Profile: MISSING DATASET NAME
Local Certificate(DB) Profile: ======Profile: MISSING DATASET NAME
LDAP Configuration Profile: ======Profile: MISSING DATASET NAME
***** Bottom of Data ***********************************************************
As you begin creating archives with recipients, signing archives, and validating existing archives, the Edit/Saved Lists are populated with control records.
SecureZIP Runtime Configuration Panel with DB Profile Defined

The following example shows how the Runtime Configuration Panel looks after completing the local certificate store configuration.
SecureZIP Runtime Configuration Option ===> Certificate Store Settings ( ENTER to validate PF7/PF8 to scroll)
/ to Edit the configuration file Private-Cert> undefined DB Profile > 'PKWARE.MVS.JCL(CCFGFPD1)' LDAP Profile> undefined / to Edit the saved lists Recipient List > undefined Archive Signing > undefined File Signing > undefined Authenticate Archive> undefined Authenticate Files > undefined ***** Top of Data **************************************************************
Private-key Certificate Recipient(s): ======Profile: Undefined
Local Certificate(DB) Profile:
======* DATABASE ACCESS CONTROL CARDS
      -{CSPUB=4;1;PKWARE.MVS1.CERTSTOR.PUBLIC}
      -{CSPRVT=4;1;PKWARE.MVS1.CERTSTOR.PRIVATE}
      -{CSPUB_DBX=PKWARE.MVS1.CERTSTOR.DBX}
      -{CSPUB_DBX_PATH_CN=PKWARE.MVS1.CERTSTOR.PATHCN}
      -{CSPUB_DBX_PATH_EM=PKWARE.MVS1.CERTSTOR.PATHEM}
      -{CSPUB_DBX_PATH_PUBKEY=PKWARE.MVS1.CERTSTOR.PATHPUBK}
SecureZIP Runtime Configuration Panel with Private Certificate Location

The following example shows the Runtime Configuration panel with the private certificate identified that will be used to provide the private key to decrypt an archive. Notice that the RECIPIENT location, the requirement to always find the certificate (R), and the password for the private key are displayed as part of the panel information provided. The private certificate dataset must be allocated and specified by the user, as it is not automatically generated during the installation process. Be sure to require suitable security authority for any and all datasets that contain private certificate password information.
SecureZIP Runtime Configuration Option ===> Certificate Store Settings ( ENTER to validate PF7/PF8 to scroll)
/ to Edit the configuration file
  Private-Cert> 'PKWARE.MVS.JCL(CERTPROF)'
  DB Profile  > 'PKWARE.MVS.JCL(CCFGFPD1)'
  LDAP Profile> 'PKWARE.MVS.JCL(LDAPFPD1)'
/ to Edit the saved lists
  Recipient List      > undefined
  Archive Signing     > undefined
  File Signing        > undefined
  Authenticate Archive> undefined
  Authenticate Files  > undefined
***** Top of Data **************************************************************
Private-key Certificate Recipient(s):
======*------*
      * Profile PKWARE.MVS.JCL(CERTPROF) *
      *------*
      -recipient(db:cn=PKWARE TEST1,R,PASSWORD=xxxxxxxx)
Filename Encryption
How SecureZIP for zSeries Encrypts File Names

SecureZIP for zSeries encrypts file names using your current settings for (strong) encryption method and algorithm. File names can be encrypted using either strong password encryption or a recipient list (or both).
Note: Encrypting names of files and folders in an archive encrypts and hides a good deal of other internal information about the archive as well. To encrypt file names, SecureZIP for zSeries encrypts the archive's central directory, where virtually all such metadata about the archive is stored.

Note: Be aware that archive comments are not encrypted even when you encrypt file names. Do not put sensitive information in an archive comment.
When SecureZIP for zSeries Encrypts File Names

With archives that do not already contain encrypted file names:
• SecureZIP for zSeries encrypts file names only when you add files to an archive. SecureZIP for zSeries does not encrypt file names when you encrypt files that are already in an archive, even if the option to encrypt file names is turned on.
• SecureZIP for zSeries encrypts file names only when you add and encrypt files. SecureZIP for zSeries does not encrypt file names when you add files without encrypting them, even if the option to encrypt file names is turned on.
Encrypting File Names When You Update an Archive

If you turn on the setting to encrypt file names and then add files to an archive that already contains files with unencrypted file names, SecureZIP for zSeries encrypts the names of all files in the archive. If the archive contains files whose contents are already encrypted, SecureZIP for zSeries rejects an attempt to add filename encryption. If you update an archive that already contains files with encrypted file names, SecureZIP for zSeries encrypts the newly added files and their names using the same password or recipient list originally used to encrypt file names in the archive.

Notes:
• Once file names in an archive are encrypted, you cannot currently remove the encryption or change the password or recipient list used.
• You cannot change the encryption on files that are already in an archive that contains encrypted file names.
Opening and Viewing an Archive That Has Encrypted File Names

An archive that contains encrypted file names requires SecureZIP for zSeries 8.0 or later to open it.
Input Required To View Recipients in a Filename Encrypted Archive

To view the recipients of a filename-encrypted archive, place VERBOSE in the input.
//FPDTEST3 JOB '0',CLASS=A,REGION=64M,
//  MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID
//UNZIP    EXEC PGM=PKUNZIP
//STEPLIB  DD DISP=SHR,DSN=PKWARE.MVS.LOAD
//         DD DISP=SHR,DSN=PKWARE.MVS.LOAD
//CERT     DD DSN=FPD.FPDPVT08.PFX,DISP=SHR
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
-ARCHIVE_DSN(PKWARE.MVS.FNEREC.ZIP)
-VERBOSE
-ACTION(VIEW)
-RECIPIENT(DD:CERT,R,PASSWORD=PKWARE)
View of Recipients in a Filename Encrypted Archive
ZPGE001T UNZIP STARTUP STORAGE QUERY: 24BIT= 9144K 31BIT= 65536K CACHE=
ZPLI001I SecureZIP(TM) for zSeries, Version 8.2 - 07/21/05 14.26
ZPLI001I Copyright 1989-2005 PKWARE Inc. All rights reserved.
ZPLI001I SecureZIP(TM) is a trademark of PKWARE (R), Inc.
ZPLI001I Registered, Processor Type=2066 Processor Group=00 Serial Number=
ZPLI001I OS Level: HBB7707 SP7.0.4
-INCLUDE_CMD=PKZIP.IVP.JCL(DEVCERT1)
-ECHO=N
-ARCHIVE_DSN(PKWARE.MVS.FNEREC.ZIP)
-VERBOSE
-LOGGING_LEVEL(VERBOSE)
-ACTION(VIEW)
-RECIPIENT(DD:CERT,R,PASSWORD=******)
ZPCM011I Processing EXEC PARM parameters
ZPEN110I Locating Digital Certificates ...
ZPCM023I Digital Certificate Store Configuration
{CSPUB=4;1;PKWARE.MVS.CERTSTOR.PUBLIC}
{CSPRVT=4;1;PKWARE.MVS.CERTSTOR.PRIVATE}
{CSCA=1;1;PKWARE.MVS.CERTSTOR.PUBLIC(CAP7)}
{CSROOT=1;1;PKWARE.MVS.CERTSTOR.PUBLIC(ROOTP7)}
{CSPUB_DBX=PKWARE.MVS.CERTSTOR.PUBLIC.DBX}
{CSPUB_DBX_PATH_CN=PKWARE.MVS.CERTSTOR.PATHCN}
{CSPUB_DBX_PATH_EM=PKWARE.MVS.CERTSTOR.PATHEM}
{CSPUB_DBX_PATH_PUBKEY=PKWARE.MVS.CERTSTOR.PATHPUBK}
{LDAP=1;192.168.0.54;4389;1;0;CN=LDAP Administrator;secret;;O=PKWARE;}
ZPCM023C ------
ZPCM024I Digital Certificate Request List
ZPCM024C Req'd Private Recipient dd:CERT
ZPCM024C FILE FOUND *REQUIRED*
ZPCM024C ------
ZPAP900I NO API REQUIRED
ZPCM100I Configuration Manager Shutdown. Posting Main Task: 00000000
ZPAM030I INPUT Archive opened: PKWARE.MVS.FNEREC.ZIP
ZPAM710I Archive Directory is Compressed 85%
ZPAM711I Archive Directory is Encrypted: AES_256 Certificate Only
ZPEX100I Extract Task { 5} TCB: 008D0A90 Started.
ZPEX004I Archive Central Directory extracted for processing.
ZPAM014I 234 file(s) are in the input Archive.
ZPAM012I ZIP comment: SecureZIP for zSeries by PKWARE
ZPAM013I *********************************************************************************
ZPAM015I Length  Method        Size   Ratio  Date        Time   CRC-32    Name
ZPAM016I ------
ZPAM017I 4,183   Deflate-SFST  2,240  46%    08/30/2004  16:24  419ABFDA  ! PKZIP/FPD/JCL/ACZDFLT
ZPAM017I 4,183   Deflate-SFST  2,256  46%    08/30/2004  16:24  18A324CE  ! PKZIP/FPD/JCL/ACZDFL
ZPAM017I 1,067   Deflate-SFST  1,536   0%    08/30/2004  16:24  183003D8  ! PKZIP/FPD/JCL/ZIPVIEW
...
ZPAM017I 1,067   Deflate-SFST  1,536   0%    08/30/2004  16:24  2F3E1C63  ! PKZIP/FPD/JCL/ZIP12
ZPAM017I   985   Deflate-SFST  1,520   0%    08/30/2004  16:24  5A8D5879  ! PKZIP/FPD/JCL/ZIP123
ZPAM018I ------
ZPAM019I 698,546               450,288  36%
ZPAM013I *********************************************************************************
ZPAM140I FILES: VIEWED EXCLUDED BYPASSED IN ERROR
ZPAM140I           234        0        0        0
ZPAM712I Archive Directory Encryption Recipients:
ZPAM320I 4 recipient(s) were designated:
ZPAM321I Recipient: PKWARE Test0
ZPAM323I Email: [email protected]
ZPAM325I Valid: 07/23/2002-07/23/2003
ZPAM326I Issuer: VeriSign, Inc.
ZPAM321I Recipient: PKWARE TEST1
ZPAM323I Email: [email protected]
ZPAM325I Valid: 11/05/2003-11/04/2004
ZPAM326I Issuer: VeriSign, Inc.
ZPAM321I Recipient: PKWARE Test2
ZPAM323I Email: [email protected]
ZPAM325I Valid: 07/22/2003-07/21/2004
ZPAM326I Issuer: VeriSign, Inc.
ZPAM321I Recipient: PKWARE Test00
ZPAM323I Email: [email protected]
ZPAM325I Valid: 07/22/2003-07/21/2004
ZPAM326I Issuer: VeriSign, Inc.
ZPAM101I Archive Manager Task { 3} TCB: 008D0E88 shutdown begun.
ZPAM109I Archive Manager Task { 3} TCB: 008D0E88 shutdown complete.
ZPEX101I Extract Task { 5} TCB: 008D0A90 shutdown begun.
ZPEX109I Extract Task { 5} TCB: 008D0A90 shutdown complete.
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)
View Detail of an Archive that Has Encrypted File Names

ZPAM711I in the output below identifies the type of encryption used for filename encryption.
ZPAM030I INPUT Archive opened: PKWARE.MVS.FNEREC.ZIP ZPAM710I Archive Directory is Compressed 85% ZPAM711I Archive Directory is Encrypted: AES_256 Certificate Only ZPAM014I 234 file(s) are in the input Archive. ZPAM012I ZIP comment: SecureZIP for zSeries by PKWARE ZPAM013I ************************************************************* ZPAM001I Filename: PKZIP/FPD/JCL/ACZDFLT ZPAM002I File type: TEXT ZPAM003I Date/Time: 30-AUG-2004 16:24:00 ZPAM004I Compression Method: Deflate- Super Fast ZPAM005I Compressed Size: 2,240 ZPAM006I Uncompressed Size: 4,183 ZPAM007I 32-bit CRC: 419ABFDA LHDR Offset: 0 ZPAM008I Created by: PK zSeries 8.1 ZPAM009I Needed to extract: ZipSpec 6.1
ZPAM010I Encryption: AES_256 Certificate Key BSAFE(R) ZPAM301I File Type: NONVSAM PDS ZPAM302I File PDS Directory Blocks: 50 ZPAM303I File Record Format: FB ZPAM304I File Allocation Type: CYL ZPAM305I File Primary Space Allocated: 5 ZPAM306I File Secondary Space Allocated: 9 ZPAM307I File Record Size: 80 ZPAM308I File Block Size: 27920 ZPAM309I File Volume(s) Used: FPD002 ZPAM310I File Creation Date: 2003/07/22 ZPAM311I File Referenced Date: 2004/08/30 ZPAM319I SMS Storage Class: PRIVATE ZPAM312I File PDS Extended Directory Information: DIRECTORY INFORMATION FOLLOWS LENGTH=00001E 000000 01040029 0102198F 0102205F 14010033 |...... | ) _ 3| 000010 00330000 C6D7C440 40404040 40400000 |....FPD ..| 3 @@@@@@@ | ZPAM312C -SIZE -CREATED------CHANGED------ID-- -INIT VV.MM ZPAM312C 51 2002/07/17 2002/07/24 14:01:29 FPD 51 01.04 ZPAM313I PDS member TTRKZC: 00010700000F ZPAM320I 4 recipient(s) were designated: ZPAM321I Recipient: PKWARE Test2 ZPAM322I Public Key Hash: 07E091CE30862B61663CF9D356863BF84D3DC8D5 ZPAM323I Email: [email protected] ZPAM324I Cert: //'PKWARE.MVS.CERTSTOR.PRIVATE(PKT2004)' ZPAM321I Recipient: PKWARE Test2 ZPAM322I Public Key Hash: 271842663AA344FBC35656BE68B5A46EE7E545F0 ZPAM323I Email: [email protected] ZPAM324I Cert: //'PKWARE.MVS.CERTSTOR.PUBLIC(PKT2003)' ZPAM321I Recipient: PKWARE TEST1 ZPAM322I Public Key Hash: 5D9E8B89B5948E9E853338A7250D64C5BED5E9E7 ZPAM323I Email: [email protected] ZPAM324I Cert: //'PKWARE.MVS.CERTSTOR.PUBLIC(PKT12003)' ZPAM321I Recipient: PKWARE Test00 ZPAM322I Public Key Hash: 6E16CFEFFAA093242B89DEE623C7D7428082F3E3 ZPAM323I Email: [email protected] ZPAM324I Cert: //'PKWARE.MVS.CERTSTOR.PUBLIC(PK002003)' ZPAM013I *************************************************************
Two fields in the preceding output require explanation:
• Created by: Lists the program, and its release level, that created the archive.
• Needed To Extract: Lists the version of the ZIP file format specification on which the program that created the archive is based. The number listed is not a version of the SecureZIP for zSeries program. It is the earliest version of the ZIP file format specification that defines certain features implemented in the program. A different program must support at least the listed version of the ZIP file format in order to extract files from an archive that uses features initially defined in the listed specification. For example, to extract files from an archive that uses filename encryption, a program must support a version of the ZIP file format that provides for filename encryption.
Decrypting a Filename-Encrypted Archive

When opening an archive, SecureZIP for zSeries automatically decrypts file names for anyone on a recipient list for the encrypted file names. If file names are encrypted using a password (with or without a recipient list), SecureZIP for zSeries (and PKZIP for zSeries Enterprise Edition) requests a password when anyone who is not on the recipient list tries to open the archive. If the correct password is not entered, PKZIP/SecureZIP does not open the archive.
Security Examples
Below are examples of how to invoke SecureZIP for zSeries processing using ISPF panels and JCL along with sample output listings.
SecureZIP using Recipients or Combo

When protection modes of Recipient or Combo are selected, recipients can be designated such that a password is not required to extract the data. If a password is entered, the lines will be concatenated to create a single password string of up to 250 characters, and each line must begin and end with a non-blank.

Each recipient is represented by a public-key X.509 digital certificate. The public-key certificates can be stored and accessed in one or more of the following locations:
• Individual data sets (or PDS members)
• The local certificate store database as described by the DB Profile
• One or more network LDAP servers as described by the LDAP Profile. (LDAP operations require SecureZIP with the Directory Integration feature enabled.)

Recipient designations:
• LDAP:CN=Joe Smith
• dsn://'PKZIP.CERTSTOR.PRIVATE(MAS2004)',R,password=abcdef
• db:[email protected]
• LDAP:mail=*@location.com

It is important to note the following:
• CN=Joe Smith may return more than one recipient digital certificate. The LDAP entry for Joe Smith may contain multiple certificates. Certificates are frequently valid for only one year, so a recipient may have a certificate for each year with the company.
• A local PDS has a certificate loaded into member MAS2004, which may represent a specific person's 2004 certificate. In this case, the R indicates that the certificate is required for processing to be performed. In addition, this certificate is a private-key certificate, so the export password is necessary for the public-key portion to be extracted from it.
• db:EM= (or CN= for common name) may be used to locate a public-key certificate from within the local certificate store database. Private-key certificates may also be stored in the database, in which case the private-key password must also be coded to access it.
• LDAP:mail=*@location.com demonstrates that masked requests may be made to an LDAP server. However, caution must be used not to make search criteria too broad, to avoid the related high CPU and virtual storage requirements.
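As an added example, not PKWARE's code, the following Python models the recipient designation forms listed above and the password-masking rule from the Security Considerations section: it parses LDAP:, db:, dsn:// and DD: requests, extracts the R flag and any private-key password, renders each request with the password masked the way SYSPRINT echoes it, and flags LDAP masks so broad searches can be reviewed before a job is submitted. The grammar, the masking rule and the sample recipient-list member are assumptions modelled on this chapter's examples.

```python
"""Parse SecureZIP for zSeries RECIPIENT designations (added example, not PKWARE code).

Models the request forms this chapter shows: LDAP:CN=..., LDAP:mail=*@...,
db:CN=/EM=..., dsn://'DATASET(MEMBER)' and DD:ddname, each optionally followed
by ",R" (certificate required) and ",PASSWORD=..." (private-key password).
The grammar and the masking rule are assumptions modelled on the examples.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Commas separate fields, but never inside a quoted data set name.
_FIELD_SPLIT = re.compile(r",(?=(?:[^']*'[^']*')*[^']*$)")
_SCHEME = re.compile(r"^(ldap|db|dsn|dd):(//)?(.*)$", re.IGNORECASE)
_RECIPIENT_CMD = re.compile(r"^-?RECIPIENT\((.*)\)$", re.IGNORECASE)


@dataclass
class Recipient:
    scheme: str                 # "ldap:", "db:", "dsn://" or "dd:"
    locator: str                # CN=..., EM=..., mail=..., data set or ddname
    required: bool              # the R flag: processing fails if not found
    password: Optional[str]     # private-key (export) password, if coded

    def masked(self) -> str:
        """Render the request the way SYSPRINT echoes it: password masked."""
        fields = [self.locator]
        if self.required:
            fields.append("R")
        if self.password is not None:
            fields.append("PASSWORD=" + "*" * 6)
        return self.scheme + ",".join(fields)

    def is_ldap_mask(self) -> bool:
        """True for LDAP requests that use a wildcard, e.g. mail=*@location.com."""
        return self.scheme == "ldap:" and "*" in self.locator.partition("=")[2]


def parse_recipient(text: str) -> Recipient:
    """Parse one designation, e.g. dsn://'PKZIP.CERTSTOR.PRIVATE(MAS2004)',R,password=abcdef."""
    m = _SCHEME.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised recipient designation: {text!r}")
    scheme = m.group(1).lower() + ("://" if m.group(2) else ":")
    fields = [f.strip() for f in _FIELD_SPLIT.split(m.group(3))]
    required, password = False, None
    for field in fields[1:]:
        if field.upper() == "R":
            required = True
        elif field.upper().startswith("PASSWORD="):
            password = field[len("PASSWORD="):]
        else:
            raise ValueError(f"unknown recipient option {field!r} in {text!r}")
    return Recipient(scheme, fields[0], required, password)


def parse_recipient_list(member_lines: List[str]) -> List[Recipient]:
    """Parse a recipient-list member: '*' lines are comments, others are -RECIPIENT(...)."""
    recipients = []
    for line in member_lines:
        line = line.strip()
        if not line or line.startswith("*"):
            continue
        m = _RECIPIENT_CMD.match(line)
        if not m:
            raise ValueError(f"not a RECIPIENT command: {line!r}")
        recipients.append(parse_recipient(m.group(1)))
    return recipients


def review(member_lines: List[str]) -> dict:
    """Summarise a list for review: masked echo lines, required entries, LDAP masks."""
    recips = parse_recipient_list(member_lines)
    return {
        "echo": ["-RECIPIENT(" + r.masked() + ")" for r in recips],
        "required": [r.locator for r in recips if r.required],
        "ldap_masks": [r.locator for r in recips if r.is_ldap_mask()],
        "with_password": sum(1 for r in recips if r.password is not None),
    }


# Constructed sample member in the layout of a recipient list such as RECIPL1.
SAMPLE_MEMBER = [
    "*------*",
    "* Recipient list (constructed sample) *",
    "*------*",
    "-RECIPIENT(LDAP:CN=Joe Smith)",
    "-RECIPIENT(dsn://'PKZIP.CERTSTOR.PRIVATE(MAS2004)',R,password=abcdef)",
    "-RECIPIENT(db:EM=user@example.com)",
    "-RECIPIENT(LDAP:mail=*@location.com)",
]

if __name__ == "__main__":
    for key, value in review(SAMPLE_MEMBER).items():
        print(f"{key}: {value}")
```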
Zip Compress File(s) to an Archive File (Option ‘Z’) Using Recipients

Below is the main ZIP compression panel. Here you place a “Y” in the Encryption option field to encrypt.
SecureZIP ZIP Processing Command ===>
Archive File Information: File Name : 'FPD.SEQ.ZIP' File Type : 1 ( 1 = SEQ, 2 = PDS, 3 = VSAM, 4= PDSE) More Attributes : N ( Y - Yes, N - Take Defaults)
Zip file information: File to compress : 'FPD.TEST.SEQ3' Zipped DSN : Encryption : Y ( Y - Encrypt files) : N ( Y - View typed password) Format : ( B -Binary T -Text D -Detect BV -Binary-Variable) More Files : N ( Y - Enter additional file names, N - None)
Security options: Security required : N ( Y - To Display Security Options Dialog)
Processing options: Simulation Mode : N ( Y - Test file selection, N - Normal Processing) Zip Function : A ( A - Add, F - Freshen, U - Update, D - Delete) Processing Mode : B ( F - Foreground, B - Batch) Batch JCL Status : C ( C - New Dataset, A - Add to existing Dataset) Advanced Options : N ( Y - Change Defaults, N - None)
Enter VIEW on command line to VIEW archive
SecureZIP Encryption Using Individual Recipients as Input

The next panel that appears when you have selected Encryption is a pop-up that allows you to select the method of encryption and either enter the password and the recipient, or the password alone, or the recipient alone, to be used to encrypt the file.
PKZZ005 SecureZIP ZIP Processing Command ===> More: Security options: Password protect : N ( Y - Use Passwords) : N ( Y - View typed pwd)
Encryption: Algorithm : BSAFE_AES128 / for selection list Filename Encryption: N ( Y - Encrypt file names in the Archive) ------SecureZIP certificate-based operations. (Page down for all options)
Certificate Encryption: Recipients : N ( Y - Digital Certificate Encryption) Validation Policy: Y Trusted Y Expired Y Revoked
Signing: Archive : N ( Y - Sign Archive Central Directory) Files : N ( Y - Sign Files) Hash Algorithm : SHA-1 (MD5, SHA-1) Validation Policy: Y Trusted Y Expired Y Revoked SecureZIP certificate-based operations. (Page down for all options)
Certificate Encryption: Recipients : Y ( Y - Digital Certificate Encryption) Validation Policy: Y Trusted Y Expired Y Revoked
Signing: Archive : N ( Y - Sign Archive Central Directory) Files : N ( Y - Sign Files) Hash Algorithm : SHA-1 (MD5, SHA-1) Validation Policy: Y Trusted Y Expired Y Revoked
Authentication: Archive : N ( Y - Authenticate Archive Directory) Validation Policy: Y Trusted Y Expired Y Revoked Y Tampercheck ------Reporting: Certificate Report : Y ( Y - Verbose certificate selection info)
In this example we are going to enter “RECIPIENTS=Y” to allow the use of certificate processing. This displays pop-up screen PKSZ001 so that intended recipients can be identified (see screen below). Notice that the Certificate Report option has a “Y”. This places a VERBOSE control card in the input stream to generate additional details on the locations searched for certificate information and the status of the search. A set of ZPCM024C messages display in the SecureZIP program output to show how each RECIPIENT request was resolved.
SecureZIP Encryption OPTION ===> More:
Selection Mode: Recipients / to Edit the profile used to satisfy DB: and LDAP: requests DB Profile > 'SECZIP.FPD.PROFILES(DB810X)' LDAP Profile> 'SECZIP.FPD.JCL(LDAPFPD1)'
/ Edit a file containing a set of -RECIPIENT commands. S Search the Local Certificate Store to build a list M Data set member selection list Recipient List: 'SECZIP.FPD.CERTSTOR.PROFILES($RECIPS)'
Individual Recipients: A -RECIPIENT() request will be built for each of the following requests.
  1.
  2.
  3.
  4.
  5.
Note: Recipient requests are cumulative. All requests from the Recipient List, Individual Recipients, the configured default RECIPIENT and MASTER RECIPIENT will be included.
The DB Profile member contains the definitions for the local certificate store that were created by the SecureZIP administrator. The Recipient List member $RECIPS identifies a file from which RECIPIENT commands can be included. In addition, a specific recipient with a common name of “PKWARE Test3” is identified.
SecureZIP Certificate Report Option
------
Digital Certificate Request List
Req'd  Private  Recipient //'PKZIP.CERTSTOR.PRIVATE(MAS2004)'
       FILE FOUND *REQUIRED*
Cond'l Public   Recipient CN=Joe Smith
       FILE NOT_FOUND
------
SecureZIP Verification Window Below is a pop up window to allow you to verify your selected security options.
Command ===>
The following security options have been selected:
Recipient-based BSAFE_AES256 Encryption No Filename Encryption No Archive Directory Signature No File Signatures No Authentication of Archive Signature
Press ENTER to continue with detailed specifications of each, or PF3 or 'END' to respecify the basic security options.
SecureZIP Encryption Using Individual Recipients - Generated JCL

Below is the generated JCL to submit to encrypt this archive. The JCL contains the recipients added in the Encryption panel above.
//FPDCS1 JOB 'ACCOUNTING INFO',CLASS=A,REGION=8M,
//  MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID
//*
//ZIPIT    EXEC PGM=PKZIP
//STEPLIB  DD DISP=SHR,DSN=PKWARE.MVS.LOAD
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
* PANEL INPUT COMMANDS:
-ENCRYPTION_METHOD(BSAFE_AES128)
* Configured Profile:
-INCLUDE_CMD(PKWARE.MVS.JCL(DBPROF))
-INCLUDE_CMD(MAS.TEST.CERTSTOR.PROFILES($RECIPS))
-RECIPIENT(db:cn=Joe Smith)
-RECIPIENT(db:cn=PKWARE Test3)
-VERBOSE
-ARCHIVE_DSN(FPD.SEQ.ZIP)
-ARCHIVE_DSORG(PS)
-ACTION(ADD)
FPD.TEST.SEQ3
/*
SecureZIP Encryption Using Recipient Job Output Listing with VERBOSE

Below is the output from the SecureZIP for zSeries batch job submitted. The output listing contains all pertinent information related to certificate processing. The additional certificate information is generated as a result of using the VERBOSE control card.
ZPGE001T ZIP STARTUP STORAGE QUERY: 24BIT= 8208K 31BIT= 32768K CACHE= ZPLI001I SecureZIP(TM) for zSeries, Version 8.2 - 07/21/05 14.26 ZPLI001I Copyright 1989-2005 PKWARE Inc. All rights reserved. ZPLI001I SecureZIP(TM) is a trademark of PKWARE (R), Inc. ZPLI001I Registered, Processor Type=2066 Processor Group=00 Serial Number= ZPLI001I OS Level: HBB7707 SP7.0.4 -INCLUDE_CMD=PKZIP.IVP.JCL(DEVCERT1) -ECHO=N * PANEL INPUT COMMANDS: -ENCRYPTION_METHOD(BSAFE_AES128) * Configured Profile: -INCLUDE_CMD(PKWARE.MVS.JCL(DBPROF)) *------* * PROFILE PKWARE.MVS.JCL(DBPROF) * *------* * DATABASE ACCESS CONTROL CARDS -{CSPUB=4;1;SECZIP.CERTSTOR.PUBLIC} -{CSPRVT=4;1;SECZIP.CERTSTOR.PRIVATE} -{CSPUB_DBX=SECZIP.CERTSTOR.DBX} -{CSPUB_DBX_PATH_CN=SECZIP.CERTSTOR.PATHCN} -{CSPUB_DBX_PATH_EM=SECZIP.CERTSTOR.PATHEM} -{CSPUB_DBX_PATH_PUBKEY=SECZIP.CERTSTOR.PATHPUBK} -INCLUDE_CMD(PKWARE.MVS.JCL(LDAPPROF)) *------* * PROFILE PKWARE.MVS.JCL(LDAPPROF) * *------* -{LDAP=1;LDAP1234.PKWARE.COM;4389;0;0;;;*CN;O=PKWARE} -RECIPIENT(db:cn=PKWARE TEST1) -RECIPIENT(db:cn=PKWARE Test2) -RECIPIENT(db:[email protected]) -VERBOSE -LOGGING_LEVEL(VERBOSE) -ARCHIVE_DSN(FPD.SEQ.ZIP)
-ARCHIVE_DSORG(PS) -ACTION(ADD) FPD.TEST.SEQ3 ZPCM011I Processing EXEC PARM parameters ZPCS200I Opening Common Name DB Index (//'SECZIP.CERTSTOR.PATHCN') ZPCS200I Opening Email Address DB Index (//'SECZIP.CERTSTOR.PATHEM') ZPCM023I Digital Certificate Store Configuration {CSCA=1;1;PKWARE.MVS.CERTSTOR.PUBLIC(CAP7)} {CSROOT=1;1;PKWARE.MVS.CERTSTOR.PUBLIC(ROOTP7)} {CSPUB=4;1;SECZIP.CERTSTOR.PUBLIC} {CSPRVT=4;1;SECZIP.CERTSTOR.PRIVATE} {CSPUB_DBX=SECZIP.CERTSTOR.DBX} {CSPUB_DBX_PATH_CN=SECZIP.CERTSTOR.PATHCN} {CSPUB_DBX_PATH_EM=SECZIP.CERTSTOR.PATHEM} {CSPUB_DBX_PATH_PUBKEY=SECZIP.CERTSTOR.PATHPUBK} ZPCM023C ------ZPCM024I Digital Certificate Request List ZPCM024C Cond'l Public Recipient //'SECZIP.CERTSTOR.PUBLIC(GEN50874)' ZPCM024C FILE FOUND ZPCM024C Cond'l Public Recipient //'SECZIP.CERTSTOR.PUBLIC(GEN51550)' ZPCM024C FILE FOUND ZPCM024C ------ZPCM025I Digital Certificates Found: 2 ZPCM025C Joe Smith;[email protected]; ZPCM025C PKWARE Test3;[email protected]; ZPCM025C ------ZPAP900I NO API REQUIRED ZPAM030I OUTPUT Archive opened: FPD.SEQ.ZIP ZPCM017I A total of 1 ADD/UPDATE candidate file(s) were identified. ZPCO100I Compression Task { 5} TCB: 008D1858 Started. ZPCM100I Configuration Manager Shutdown. Posting Main Task: 00000000 ZPAM253I ADDED File FPD.TEST.SEQ3 ZPAM254I as FPD/TEST/SEQ3 ZPAM255I (DEFLATED 79%/78%) SecureZIP(TM): BSAFE_AES128 ORIG. SIZE 216,800; ZIP SIZE 47,608 ZPAM140I FILES: ADDED EXCLUDED BYPASSED IN ERROR ZPAM140I 1 0 0 0 ZPAM101I Archive Manager Task { 3} TCB: 008D1E88 shutdown begun. ZPAM109I Archive Manager Task { 3} TCB: 008D1E88 shutdown complete. ZPCO101I Compression Task { 5} TCB: 008D1858 shutdown begun. ZPCO109I Compression Task { 5} TCB: 008D1858 shutdown complete. ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)
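As an added example, not PKWARE's code, the following Python reads the ZPCM024C Digital Certificate Request List from a SYSPRINT listing like the one above and reports any recipient marked Req'd whose certificate was NOT_FOUND, which is the condition an operator would want to catch before relying on the archive. The two-line message layout is assumed from the listings in this chapter, and the sample listing is constructed (its last request is made up to show the failure case).

```python
"""Check the ZPCM024C Digital Certificate Request List in SecureZIP SYSPRINT output.

Added example, not PKWARE code. It pairs each "Req'd"/"Cond'l" request line with
the "FILE FOUND" / "FILE NOT_FOUND" line that follows it, as the VERBOSE listing
shows, and reports required recipients that were not resolved. The exact
message layout is an assumption based on the listings in this chapter.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

_REQUEST = re.compile(
    r"^ZPCM024C\s+(Req'd|Cond'l)\s+(Private|Public)\s+Recipient\s+(.+?)\s*$")
_RESULT = re.compile(r"^ZPCM024C\s+FILE\s+(FOUND|NOT_FOUND)\b")


@dataclass
class CertRequest:
    required: bool     # Req'd (the R flag was coded) vs Cond'l
    private: bool      # private-key certificate vs public-key only
    locator: str       # dd:CERT, //'DSN(MEMBER)', CN=..., etc.
    found: bool        # FILE FOUND vs FILE NOT_FOUND


def parse_request_list(lines: Iterable[str]) -> List[CertRequest]:
    """Pair each ZPCM024C request line with the ZPCM024C FILE line after it."""
    requests: List[CertRequest] = []
    pending = None
    for line in lines:
        m = _REQUEST.match(line)
        if m:
            if pending is not None:
                raise ValueError(f"request without result: {pending[2]}")
            pending = (m.group(1) == "Req'd", m.group(2) == "Private", m.group(3))
            continue
        m = _RESULT.match(line)
        if m:
            if pending is None:
                raise ValueError(f"result without request: {line.strip()}")
            requests.append(CertRequest(*pending, found=(m.group(1) == "FOUND")))
            pending = None
    if pending is not None:
        raise ValueError(f"request without result: {pending[2]}")
    return requests


def unresolved_required(requests: List[CertRequest]) -> List[str]:
    """Locators of required recipients that the certificate search did not resolve."""
    return [r.locator for r in requests if r.required and not r.found]


def unresolved_conditional(requests: List[CertRequest]) -> List[str]:
    """Locators of conditional recipients that were skipped because not found."""
    return [r.locator for r in requests if not r.required and not r.found]


# Constructed SYSPRINT excerpt in the layout of the VERBOSE listing above; the
# fourth request is made up to show a required recipient that was not found.
SAMPLE_SYSPRINT = """\
ZPCM023C ------
ZPCM024I Digital Certificate Request List
ZPCM024C Req'd Private Recipient dd:CERT
ZPCM024C FILE FOUND *REQUIRED*
ZPCM024C Cond'l Public Recipient //'SECZIP.CERTSTOR.PUBLIC(GEN50874)'
ZPCM024C FILE FOUND
ZPCM024C Cond'l Public Recipient CN=Joe Smith
ZPCM024C FILE NOT_FOUND
ZPCM024C Req'd Public Recipient CN=PKWARE Test3
ZPCM024C FILE NOT_FOUND *REQUIRED*
ZPCM024C ------
ZPCM025I Digital Certificates Found: 2
""".splitlines()

if __name__ == "__main__":
    reqs = parse_request_list(SAMPLE_SYSPRINT)
    print(f"{len(reqs)} requests; required but unresolved: {unresolved_required(reqs)}")
    print(f"conditional and skipped: {unresolved_conditional(reqs)}")
```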
SecureZIP Encryption Using Recipient Job Output Listing Without VERBOSE

Below is the output from the SecureZIP for zSeries batch job submitted. This output shows the result of not using the VERBOSE control card.
ZPGE001T ZIP STARTUP STORAGE QUERY: 24BIT= 8208K 31BIT= 32768K CACHE= ZPLI001I SecureZIP(TM) for zSeries, Version 8.2 - 07/21/05 14.26 ZPLI001I Copyright 1989-2005 PKWARE Inc. All rights reserved. ZPLI001I SecureZIP(TM) is a trademark of PKWARE (R), Inc. ZPLI001I Registered, Processor Type=2066 Processor Group=00 Serial Number= ZPLI001I OS Level: HBB7707 SP7.0.4 -INCLUDE_CMD=PKZIP.IVP.JCL(DEVCERT1) -ECHO=N * PANEL INPUT COMMANDS: -ENCRYPTION_METHOD(BSAFE_AES128) * Configured Profile: -INCLUDE_CMD(PKWARE.MVS.JCL(DBPROF)) *------* * PROFILE PKWARE.MVS.JCL(DBPROF) *
*------* * DATABASE ACCESS CONTROL CARDS -{CSPUB=4;1;SECZIP.CERTSTOR.PUBLIC} -{CSPRVT=4;1;SECZIP.CERTSTOR.PRIVATE} -{CSPUB_DBX=SECZIP.CERTSTOR.DBX} -{CSPUB_DBX_PATH_CN=SECZIP.CERTSTOR.PATHCN} -{CSPUB_DBX_PATH_EM=SECZIP.CERTSTOR.PATHEM} -{CSPUB_DBX_PATH_PUBKEY=SECZIP.CERTSTOR.PATHPUBK} -INCLUDE_CMD(PKWARE.MVS.JCL(LDAPPROF)) *------* * PROFILE PKWARE.MVS.JCL(LDAPPROF) * *------* -{LDAP=1;LDAP1234.PKWARE.COM;4389;0;0;;;*CN;O=PKWARE} -RECIPIENT(db:cn=PKWARE TEST1) -RECIPIENT(db:cn=PKWARE Test2) -RECIPIENT(db:[email protected]) -ARCHIVE_DSN(FPD.SEQ.ZIP) -ARCHIVE_DSORG(PS) -ACTION(ADD) FPD.TEST.SEQ3 ZPAM030I OUTPUT Archive opened: FPD.SEQ.ZIP ZPAM253I ADDED File FPD.TEST.SEQ3 ZPAM254I as FPD/TEST/SEQ3 ZPAM255I (DEFLATED 79%/78%) SecureZIP(TM): BSAFE_AES128 ORIG. SIZE 216,800; ZIP SIZE 47,608 ZPAM140I FILES: ADDED EXCLUDED BYPASSED IN ERROR ZPAM140I 1 0 0 0 ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)
SecureZIP Encryption Using a Recipients List

In the example below, we enter “RECIPIENTS” using a data set that contains the recipients. Placing a slash / in front of the data set name enables you to edit the list prior to execution.
SecureZIP ZIP Processing
  SecureZIP Encryption
  OPTION ===>                                                    More:
  ------
  Recipient Section (For Protection Modes "Recipient" or "Combo")
  / to Edit/View the profile
    DB Profile  > 'PKWARE.MVS.JCL(DBPROF)'
    LDAP Profile> 'PKWARE.MVS.JCL(LDAPPROF)'
  / to Edit/View the list where -RECIPIENT requests are.
    Recipient List: 'PKWARE.MVS.JCL(RECIPL1)'
  Individual Recipients: A -RECIPIENT() request will be built with each value
    1.
    2.
    3.
    4.
    5.
Editing the Recipients List

You can add, change, or delete any of your existing recipients.
EDIT PKWARE.MVS.JCL(RECIPL1) - 01.01
***** Top of Data **************************************************************
*------*
* Recipient list 1 PKWARE.MVS.JCL(RECIPL1) *
*------*
-RECIPIENT(db:cn=PKWARE TEST1)
-RECIPIENT(db:cn=PKWARE Test2)
-RECIPIENT(db:[email protected])
***** Bottom of Data ***********************************************************
SecureZIP Encryption Using a Recipients List - Generated JCL

Below is the generated JCL using the recipients list. Notice the control card INCLUDE_CMD(PKWARE.MVS.JCL(RECIPL1)). This brings your recipients into SecureZIP for zSeries.
EDIT FPD.PKWARE.JCL
//FPDCS1 JOB 'ACCOUNTING INFO',CLASS=A,REGION=8M,
//  MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID
//*
//ZIPIT    EXEC PGM=PKZIP
//STEPLIB  DD DISP=SHR,DSN=PKWARE.MVS.LOAD
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
* PANEL INPUT COMMANDS:
-ENCRYPTION_METHOD(BSAFE_AES128)
* Configured Profile:
-INCLUDE_CMD(PKWARE.MVS.JCL(DBPROF))
-INCLUDE_CMD(PKWARE.MVS.JCL(LDAPPROF))
-INCLUDE_CMD(PKWARE.MVS.JCL(RECIPL1))
-VERBOSE
-ARCHIVE_DSN(FPD.SEQ.ZIP)
-ARCHIVE_DSORG(PS)
-ACTION(ADD)
FPD.TEST.SEQ3
/*
SecureZIP Halt Process Request

If you press PF3 on the build screens, a pop-up dialog asks whether you wish to halt the current process and begin again.
Command ===>
Do you wish to cancel the ZIP run?
Press ENTER to continue. Press PF3 or enter CANCEL command to return.
SecureZIP Encryption Using LDAP Search for Recipients
Below we enter recipients using a search of the LDAP(s) that are configured in the LDAP profile. The search criterion in this instance is the common name (CN). The CN request is for a name fragment beginning with M*, F*, S*, and B*. This will generate recipients that match those criteria.
SecureZIP ZIP Processing
+------+
| SecureZIP Encryption |
| OPTION ===> |
| More: |
| |
| ------|
| Recipient Section (For Protection Modes "Recipient" or "Combo") |
| |
| / to Edit/View the profile |
| DB Profile > 'PKWARE.MVS.JCL(DBPROF)' |
| LDAP Profile> 'PKWARE.MVS.JCL(LDAPPROF)' |
| |
| / to Edit/View the list where -RECIPIENT requests are. |
| Recipient List: |
| |
| Individual Recipients: A -RECIPIENT() request will be built with each value |
| 1. LDAP:CN=M* |
| 2. LDAP:CN=F* |
| 3. LDAP:CN=S* |
| 4. LDAP:CN=B* |
| 5. |
| |
| |
+------+
SecureZIP Encryption Using LDAP Search for Recipients-Generated JCL
EDIT FPD.PKWARE.JCL Columns 00001
Command ===> Scroll ===
****** ********************************* Top of Data ***************************
000001 //FPDCS1 JOB 'ACCOUNTING INFO',CLASS=A,REGION=8M,
000002 // MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID
000003 //*
000004 //ZIPIT EXEC PGM=PKZIP
000005 //STEPLIB DD DISP=SHR,DSN=PKWARE.MVS.LOAD
000006 //SYSPRINT DD SYSOUT=*
000007 //SYSIN DD *
000008 * PANEL INPUT COMMANDS:
000009 -ENCRYPTION_METHOD(BSAFE_AES128)
000010 * Configured Profile:
000011 -INCLUDE_CMD(PKWARE.MVS.JCL(DBPROF))
000012 -INCLUDE_CMD(PKWARE.MVS.JCL(LDAPPROF))
000013 -RECIPIENT(LDAP:CN=M*)
000014 -RECIPIENT(LDAP:CN=F*)
000015 -RECIPIENT(LDAP:CN=S*)
000016 -RECIPIENT(LDAP:CN=B*)
000017 -VERBOSE
000018 -ARCHIVE_DSN(FPD.SEQ.ZIP)
000019 -ARCHIVE_DSORG(PS)
000020 -ACTION(ADD)
000021 FPD.TEST.SEQ3
SecureZIP Encryption Using LDAP Search for Recipients - Output
ZPGE001T ZIP STARTUP STORAGE QUERY: 24BIT= 8208K 31BIT= 32768K CACHE=
ZPLI001I SecureZIP(TM) for zSeries, Version 8.2 - 07/21/05 14.26
ZPLI001I Copyright 1989-2005 PKWARE Inc. All rights reserved.
ZPLI001I SecureZIP(TM) is a trademark of PKWARE (R), Inc.
ZPLI001I Registered, Processor Type=2066 Processor Group=00 Serial Number=
ZPLI001I OS Level: HBB7707 SP7.0.4
-INCLUDE_CMD=PKZIP.IVP.JCL(DEVCERT1)
-ECHO=N
* PANEL INPUT COMMANDS:
-ENCRYPTION_METHOD(BSAFE_AES128)
* Configured Profile:
-INCLUDE_CMD(PKWARE.MVS.JCL(DBPROF))
*------*
* PROFILE PKWARE.MVS.JCL(DBPROF) *
*------*
* DATABASE ACCESS CONTROL CARDS
-{CSPUB=4;1;SECZIP.CERTSTOR.PUBLIC}
-{CSPRVT=4;1;SECZIP.CERTSTOR.PRIVATE}
-{CSPUB_DBX=SECZIP.CERTSTOR.DBX}
-{CSPUB_DBX_PATH_CN=SECZIP.CERTSTOR.PATHCN}
-{CSPUB_DBX_PATH_EM=SECZIP.CERTSTOR.PATHEM}
-{CSPUB_DBX_PATH_PUBKEY=SECZIP.CERTSTOR.PATHPUBK}
-INCLUDE_CMD(PKWARE.MVS.JCL(LDAPPROF))
*------*
* PROFILE PKWARE.MVS.JCL(LDAPPROF) *
*------*
-{LDAP=1;LDAP1234.PKWARE.COM;4389;0;0;;;*CN;O=PKWARE}
-RECIPIENT(LDAP:CN=M*)
-RECIPIENT(LDAP:CN=F*)
-RECIPIENT(LDAP:CN=S*)
-RECIPIENT(LDAP:CN=B*)
-VERBOSE
-LOGGING_LEVEL(VERBOSE)
-ARCHIVE_DSN(FPD.SEQ.ZIP)
-ARCHIVE_DSORG(PS)
-ACTION(ADD)
FPD.TEST.SEQ3
ZPCM011I Processing EXEC PARM parameters
ZPCM023I Digital Certificate Store Configuration
{CSCA=1;1;PKWARE.MVS.CERTSTOR.PUBLIC(CAP7)}
{CSROOT=1;1;PKWARE.MVS.CERTSTOR.PUBLIC(ROOTP7)}
{CSPUB=4;1;SECZIP.CERTSTOR.PUBLIC}
{CSPRVT=4;1;SECZIP.CERTSTOR.PRIVATE}
{CSPUB_DBX=SECZIP.CERTSTOR.DBX}
{CSPUB_DBX_PATH_CN=SECZIP.CERTSTOR.PATHCN}
{CSPUB_DBX_PATH_EM=SECZIP.CERTSTOR.PATHEM}
{CSPUB_DBX_PATH_PUBKEY=SECZIP.CERTSTOR.PATHPUBK}
{LDAP=1;LDAP1234.PKWARE.COM;4389;0;0;;;*CN;O=PKWARE}
ZPCM023C ------
ZPCM024I Digital Certificate Request List
ZPCM024C Cond'l Public Recipient CN=M*
ZPCM024C LDAP FOUND
ZPCM024C Cond'l Public Recipient CN=F*
ZPCM024C LDAP FOUND
ZPCM024C Cond'l Public Recipient CN=S*
ZPCM024C LDAP FOUND
ZPCM024C Cond'l Public Recipient CN=B*
ZPCM024C LDAP FOUND
ZPCM024C ------
ZPCM025I Digital Certificates Found: 6
ZPCM025C PKWARE Test2;[email protected];
ZPCM025C PKWARE Test2;[email protected];
ZPCM025C Michael Burkard;[email protected];
ZPCM025C PKWARE TEST1;[email protected];
ZPCM025C Stewart T. Hamiel;[email protected];
ZPCM025C William Stackhouse;[email protected];
ZPCM025C ------
ZPAP900I NO API REQUIRED
ZPAM030I OUTPUT Archive opened: FPD.SEQ.ZIP
ZPCM017I A total of 1 ADD/UPDATE candidate file(s) were identified.
ZPCM100I Configuration Manager Shutdown. Posting Main Task: 00000000
ZPCO100I Compression Task { 5} TCB: 008D1A70 Started.
ZPAM253I ADDED File FPD.TEST.SEQ3
ZPAM254I as FPD/TEST/SEQ3
ZPAM255I (DEFLATED 78%/78%) SecureZIP(TM): BSAFE_AES128 ORIG. SIZE 216,800; ZIP SIZE 48,094
ZPAM140I FILES: ADDED EXCLUDED BYPASSED IN ERROR
ZPAM140I 1 0 0 0
ZPAM101I Archive Manager Task { 3} TCB: 008D1E88 shutdown begun.
ZPAM109I Archive Manager Task { 3} TCB: 008D1E88 shutdown complete.
ZPCO101I Compression Task { 5} TCB: 008D1A70 shutdown begun.
ZPCO109I Compression Task { 5} TCB: 008D1A70 shutdown complete.
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)
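As an added example (not PKWARE code), the following Python reads a SYSIN control-card stream like the ones above, expands -INCLUDE_CMD members from a constructed member map, groups the -RECIPIENT() requests by source (db: certificate store or LDAP: search), and masks password values in the echoed copy the way the SYSPRINT listings in this chapter do. The member contents and the SYSIN cards are constructed for the example.

```python
import re

# Constructed stand-ins for the PDS members that -INCLUDE_CMD pulls in
# (member names follow the chapter; the card contents are made up).
MEMBERS = {
    "PKWARE.MVS.JCL(RECIPL1)": [
        "*------*",
        "* Recipient list 1 PKWARE.MVS.JCL(RECIPL1) *",
        "*------*",
        "-RECIPIENT(db:cn=PKWARE TEST1)",
        "-RECIPIENT(db:cn=PKWARE Test2)",
    ],
    "PKWARE.MVS.JCL(CERTPROF)": [
        "* Profile PKWARE.MVS.JCL(CERTPROF) *",
        "-recipient(db:cn=PKWARE TEST1,R,PASSWORD=secret123)",
    ],
}

INCLUDE_RE = re.compile(r"^-INCLUDE_CMD\((.+)\)$", re.IGNORECASE)
RECIPIENT_RE = re.compile(r"^-RECIPIENT\((.+)\)$", re.IGNORECASE)
# -PASSWORD(...), -PWD(...) and the PASSWORD= keyword of a private-key recipient
PASSWORD_RE = re.compile(r"(-PASSWORD\s*\(|-PWD\s*\(|PASSWORD=)([^,)]*)", re.IGNORECASE)


def expand_cards(cards, members, depth=0):
    """Flatten the control-card stream: each -INCLUDE_CMD card is kept and
    followed by the member's own cards, as the SYSPRINT echo shows.
    Nesting is capped so a member that includes itself is caught."""
    if depth > 8:
        raise ValueError("INCLUDE_CMD nesting too deep (cycle?)")
    out = []
    for card in cards:
        card = card.strip()
        out.append(card)
        m = INCLUDE_RE.match(card)
        if m:
            name = m.group(1).strip()
            if name not in members:
                raise KeyError("INCLUDE_CMD member not found: " + name)
            out.extend(expand_cards(members[name], members, depth + 1))
    return out


def mask_secrets(card):
    """Replace password values with asterisks, as the listings echo
    -PASSWORD (**********) and PASSWORD=******."""
    return PASSWORD_RE.sub(lambda m: m.group(1) + "*" * 10, card)


def echo_log(cards):
    """The lines to write to SYSPRINT: comments kept, secrets masked."""
    return [mask_secrets(c) for c in cards]


def recipient_requests(cards):
    """Group -RECIPIENT() requests by source: 'db' (local certificate
    store), 'ldap' (directory search) or 'other' (e.g. a dsn:// file).
    Password values inside a private-key recipient request are masked."""
    found = {"db": [], "ldap": [], "other": []}
    for card in cards:
        m = RECIPIENT_RE.match(card)
        if not m:
            continue
        spec = mask_secrets(m.group(1))
        source, sep, rest = spec.partition(":")
        key = source.lower() if sep and source.lower() in found else "other"
        found[key].append(rest if key != "other" else spec)
    return found


# Constructed SYSIN stream modelled on the generated JCL above.
SYSIN = [
    "* PANEL INPUT COMMANDS:",
    "-ENCRYPTION_METHOD(BSAFE_AES128)",
    "-INCLUDE_CMD(PKWARE.MVS.JCL(RECIPL1))",
    "-RECIPIENT(LDAP:CN=M*)",
    "-RECIPIENT(LDAP:CN=F*)",
    "-INCLUDE_CMD(PKWARE.MVS.JCL(CERTPROF))",
    "-ARCHIVE_DSN(FPD.SEQ.ZIP)",
    "-ACTION(ADD)",
    "FPD.TEST.SEQ3",
]

if __name__ == "__main__":
    expanded = expand_cards(SYSIN, MEMBERS)
    print("\n".join(echo_log(expanded)))
    print(recipient_requests(expanded))
```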
Selecting Filename Encryption
To encrypt file names when encrypting and adding files to an archive, use the FILENAME_ENCRYPTION command.
Panel Option “Z” - Selecting Filename Encryption
This panel appears when you have selected Encryption on the Zip panel. To add filename encryption, place a “Y” in that selection field.
+------+
| SecureZIP Encryption |
| OPTION ===> |
| More: |
| Main Processing Options |
| Protection Mode : RECIPIENTS Password, Recipients, Combo |
| Encryption Method : BSAFE_AES128 / for selection list |
| Filename Encryption: Y Y/N |
| Certificate Report : Y Y/N (Recipients shown in SYSPRINT) |
| |
| Password Section (For Protection Modes "Password" or "Combo") |
| |
| Enter Password below (up to 250 characters) |
| ....5...10....5...20....5...30....5...40....5...50....5...60....5...70 |
| |
| |
| |
| Re-enter Password to verify: |
| |
| |
| |
| ------|
| Recipient Section (For Protection Modes "Recipient" or "Combo") |
Zip Compress File(s) to an Archive File (Option ‘Z’) Using Passwords
Below is the main ZIP compression panel. Here you place a “Y” in the Security required field.
SecureZIP ZIP Processing Command ===>
Archive File Information:
File Name : 'MAS1.TEMP.ZIP'
File Type : 1 ( 1 = SEQ, 2 = PDS, 3 = VSAM, 4= PDSE)
More Attributes : N ( Y - Yes, N - Take Defaults)

Zip file information:
File to compress : 'MAS.TEST.SEQ'
Zipped DSN :
Format : ( B -Binary T -Text D -Detect BV -Binary-Variable)
More Files : N ( Y - Enter additional file names, N - None)
Security options:
Security required : Y ( Y - To Display Security Options Dialog)
Processing options:
Simulation Mode : N ( Y - Test file selection, N - Normal Processing)
Zip Function : U ( A - Add, F - Freshen, U - Update, D - Delete)
Processing Mode : B ( F - Foreground, B - Batch)
Batch JCL Status : C ( C - New Dataset, A - Add to existing Dataset)
Advanced Options : N ( Y - Change Defaults, N - None)
Enter VIEW on command line to VIEW archive
SecureZIP Encryption
The next panel that appears when you select Encryption is a pop-up that allows you to select the encryption algorithm and various security modes. To select password-based encryption, place a “Y” in the Password protect field. Press “Enter” and a pop-up menu appears to allow you to type in the password. You must enter the password twice to validate that you entered it correctly.
PKZZ005 SecureZIP ZIP Processing
Command ===> More:
Security options:
Password protect : Y ( Y - Use Passwords)
 : N ( Y - View typed pwd)
Encryption:
Algorithm : BSAFE_AES128 / for selection list
Filename Encryption: N ( Y - Encrypt file names in the Archive)
SecureZIP Password Encryption Command ==>
To encrypt file(s), enter a password and select an algorithm
Data Set Name: MAS.TEST.SEQ
Password (up to 250 characters): ....5...10....5...20....5...30....5...40....5...50....5...60....5...70
Re-enter password:
Press ENTER to continue, PF3 to terminate processing.
Entering PF8 will display the additional information listed below.
Cryptographic Algorithms
Placing a “/” in the Encryption Method field causes the panel below to appear, listing the available Encryption Method options. Place a “/” in the Select field next to the desired Encryption Method and press Enter to select it.
+------+
| SecureZIP Cryptographic Algorithm |
| COMMAND ===> SCROLL ===> PAGE |
| |
| Enter a / by the desired Option Value and press ENTER |
| |
| Select Option Value |
| ------|
| BSAFE_AES128 |
| BSAFE_AES192 |
| BSAFE_AES256 |
| BSAFE_DES |
| BSAFE_3DES |
| BSAFE_RC4 |
| AES128 |
| AES192 |
| AES256 |
| STANDARD |
| *********************** Bottom of data *********************** |
+------+
When you press “Enter”, the original Zip panel reappears with the return code from SECZIP in the upper right hand corner.
SecureZIP for zSeries 8.2 Zip PKZIP Done: RC=0 Command ===>
Archive File Information:
File Name : 'FPD.TEST600.ZIP'
File Type : 1 ( 1 = SEQ, 2 = PDS, 3 = VSAM, 4= PDSE)
More Attributes : N ( Y - Yes, N - Take Defaults)

Zip file information:
File to compress : 'PKWARE.MVS.JCL'
Zipped DSN :
Encryption : Y ( Y - Encrypt files)
 : N ( Y - View typed password)
Format : ( B -Binary T -Text D -Detect BV -Binary-Variable)
More Files : N ( Y - Enter additional file names, N - None)
Security options:
Security required : Y ( Y - To Display Security Options Dialog)
Processing options:
Simulation Mode : N ( Y - Test file selection, N - Normal Processing)
Zip Function : A ( A - Add, F - Freshen, U - Update, D - Delete)
Processing Mode : F ( F - Foreground, B - Batch)
Advanced Options : N ( Y - Change Defaults, N - None)
Enter VIEW on command line to VIEW archive To EXIT Press PF3 or enter X For HELP Press PF1
If the “Batch” option is selected, the following JCL is generated for you to review and submit.
//JOBNAME JOB 'ACCOUNTING INFO',CLASS=A,REGION=8M,
// MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID
//ZIPIT EXEC PGM=PKZIP
//STEPLIB DD DISP=SHR,DSN=PKWARE.MVS.LOAD
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
* PANEL INPUT COMMANDS:
-PWD(| test)
-ENCRYPTION_METHOD(BSAFE_AES128)
-SIMULATE(Y)
-ARCHIVE_DSN(FPD.TEST600.ZIP)
-ARCHIVE_DSORG(PS)
-ACTION(ADD)
PKWARE.MVS.JCL
/*
Following is an output listing of a batch job submitted. The message ZPAM255I displays the encryption method used.
ZPGE001T ZIP STARTUP STORAGE QUERY: 24BIT= 8144K 31BIT= 32768K CACHE= 32768K
ZPLI001I SecureZIP(TM) for zSeries, Version 8.2 - 07/21/05 14.26
ZPLI001I Copyright 1989-2005 PKWARE Inc. All rights reserved.
ZPLI001I SecureZIP(TM) is a trademark of PKWARE (R), Inc.
ZPLI001I Registered, Processor Type=2066 Processor Group=00 Serial Number=
ZPLI001I OS Level: HBB7707 SP7.0.4
*PANEL INPUT COMMANDS:
-PASSWORD (**********)
-ENCRYPTION_METHOD(BSAFE_AES128)
-ARCHIVE_DSN(FPD.TEST600.ZIP)
-ARCHIVE_DSORG(PS)
-ACTION(ADD)
PKWARE.MVS.JCL
ZPAM030I OUTPUT Archive opened: FPD.TEST600.ZIP
ZPAM253I ADDED File PKWARE.MVS.JCL(ACZDFLT)
ZPAM254I as PKZIP/FPD/JCL/ACZDFLT
ZPAM255I (DEFLATED 73%/72%) SecureZIP(TM) ENCRYPTION:BSAFE_AES128 ORIG. SIZE 4,080; ZIP SIZE 1,126
ZPAM253I ADDED File PKWARE.MVS.JCL(ACZDFLTB)
ZPAM254I as PKZIP/FPD/JCL/ACZDFLTB
ZPAM255I (DEFLATED 73%/72%) SecureZIP(TM) ENCRYPTION:BSAFE_AES128 ORIG. SIZE 4,080; ZIP SIZE 1,126
ZPAM253I ADDED File PKWARE.MVS.JCL(AESASM)
ZPAM140I FILES: ADDED EXCLUDED BYPASSED IN ERROR
ZPAM140I 203 0 0 0
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)
UNZip File(s) from an Archive (Option ‘U’ ) Using Recipients
To unzip a recipient-encrypted archive file requires no changes on the Extract panel. Previously, we described the placement of the pointer to the private-key certificate, used for decryption, in the Runtime Configuration panel.
SecureZIP Runtime Configuration
Option ===>
Certificate Store Settings ( ENTER to validate PF7/PF8 to scroll)
/ to Edit the configuration file
Private-Cert> 'PKWARE.MVS.JCL(CERTPROF)'
DB Profile > 'PKWARE.MVS.JCL(CCFGFPD1)'
LDAP Profile> 'PKWARE.MVS.JCL(LDAPFPD1)'
------
***** Top of Data **************************************************************
Private-key Certificate Recipient(s):
======
*------*
* Profile PKWARE.MVS.JCL(CERTPROF) *
*------*
-recipient(db:cn=PKWARE TEST1,R,PASSWORD=xxxxxxxx)
Unzip Panel (Option ‘U’) Using Recipients
SecureZIP for zSeries uses the Private-Cert pointer to find and use your private certificate to do the decryption.
SecureZIP Extract Processing Command ===>
Enter Archive from which file(s) are to be extracted: Archive Name . . . : 'FPD.SEQ.ZIP'
Enter Files to be extracted:
File Selection . . :
Rename to. . . . . :
File Decryption. . : N ( Y - Enter password)
 : N ( Y - View typed password)
More Files . . . . : N ( Y - Enter additional file names, N - None)
Security options:
Security required. : N ( Y - To Display Security Options Dialog)
Enter processing options:
Simulation Mode. . : N ( Y - Test file selection, N - Normal Processing)
Integrity Check. . : Y ( Y - Yes, N - No)
Overwrite/Insert . : O ( O - Overwrite, I - Ins Mbr, OI - Both, N - None)
Processing Mode. . : B ( F - Foreground, B - Batch)
Batch JCL Status . : C ( C - New Dataset, A - Add to existing Dataset)
Advanced Options . : N ( Y - Change Defaults, N - None)
Preallocate file . : N ( Y - Prompt for allocation info, N -Use Defaults)
File type : ( 1 - PDS, 2 - PS, 3 - VSAM, 4 - PDSE)
Enter VIEW in the command field to VIEW an archive To EXIT Press PF3 Press ENTER to process For HELP Press PF1
Unzip Output Using Recipients
Below is the output generated from the previous Unzip request.
ZPGE001T UNZIP STARTUP STORAGE QUERY: 24BIT= 8208K 31BIT= 32768K CACHE= 32768K
ZPLI001I SecureZIP(TM) for zSeries, Version 8.2 - 07/21/05 14.26
ZPLI001I Copyright 1989-2005 PKWARE Inc. All rights reserved.
ZPLI001I SecureZIP(TM) is a trademark of PKWARE (R), Inc.
ZPLI001I Registered, Processor Type=2066 Processor Group=00 Serial Number=
ZPLI001I OS Level: HBB7707 SP7.0.4
-INCLUDE_CMD=PKZIP.IVP.JCL(DEVCERT1)
-ECHO=N
* Configured Profile:
-INCLUDE_CMD(PKWARE.MVS.JCL(DBPROF))
*------*
* PROFILE PKWARE.MVS.JCL(DBPROF) *
*------*
* DATABASE ACCESS CONTROL CARDS
-{CSPUB=4;1;SECZIP.CERTSTOR.PUBLIC}
-{CSPRVT=4;1;SECZIP.CERTSTOR.PRIVATE}
-{CSPUB_DBX=SECZIP.CERTSTOR.DBX}
-{CSPUB_DBX_PATH_CN=SECZIP.CERTSTOR.PATHCN}
-{CSPUB_DBX_PATH_EM=SECZIP.CERTSTOR.PATHEM}
-{CSPUB_DBX_PATH_PUBKEY=SECZIP.CERTSTOR.PATHPUBK}
* Configured Private-Key Recipients:
-INCLUDE_CMD(PKWARE.MVS.JCL(CERTPROF))
*------*
* Profile PKWARE.MVS.JCL(certprof) *
*------*
-recipient(db:cn=PKWARE TEST1,R,PASSWORD=******)
*-recipient(dsn://'PKZIP.IVP.CERT.ADMIN04.PFX',password=password)
* Panel Commands:
-ACTION(TEST)
-SUPPRESS_DYNALLOC_MSGS
-TRACE_DYNALLOC(0)
-ARCHIVE_DSN(FPD.SEQ.ZIP)
-OUTFILE_OVERWRITE(Y)
ZPAM030I INPUT Archive opened: FPD.SEQ.ZIP
ZPEX001I tested okay FPD/TEST/SEQ3
ZPAM140I FILES: TESTED EXCLUDED BYPASSED IN ERROR
ZPAM140I 1 0 0 0
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)
View Display the Contents of an Archive File (Option ‘V’ )
When a file has been encrypted, one of the following indicators describing the strength of encryption is displayed before the file name.
+ Password-only "Standard" (96-bit) encryption.
! Password-only (128-bit or above) encryption.
$ Recipient-only Digital Certificate encryption.
& Combination Password/Recipient encryption.
SecureZIP View Archive Command ===>
Enter name of archive to be viewed:
Archive Name : 'FPD.TEST.AUTH.ZIP'
Filename Filter :
Security options:
Security required : N ( Y - To Display Security Options Dialogue)
Enter VIEW Options:
View Type . .: V ( V - View, D - Detail, B - Brief, S - Scan)
Sort Output : N ( Y - Yes, N - No)
Sort Field . : ( D - Date, N - Name, O - Offset, P - Percent, S - Size)
Sort Order . : ( A - Ascending, D - Descending)
Processing Mode. : F ( F - Foreground, B - Batch)
Batch JCL Status : C ( C - New Dataset, A - Add to existing Dataset)
Additional Commands:
To EXIT Press PF3 For HELP Press PF1
SecureZIP View Archive Row 1 to 1 of 1
Command ===> SCROLL ===> PAGE
Name of Archive : 'FPD.SEQ.ZIP'
Primary commands: LOCATE to position list or SORT to sort list. Enter line command or '/' for list of valid line commands. Press PF1 for HELP.
Cmd  File Name        Zipped Date/Time  Zipped Size  Unzipped Size  Comp Ratio  Type  Volume(s)  Message
------
   $ FPD/TEST/SEQ3    5/25/2004 11:16   47608        222.2K         78%         TEXT  FPD002
View Detail Display
The View Detail option of the View panel describes the encryption algorithm used to encrypt, along with certificate information.
*********************************************************** Top of Data ***
ZPGE001T UNZIP STARTUP STORAGE QUERY: 24BIT= 5172K 31BIT= 28840K C
ZPLI001I SecureZIP(TM) for zSeries, Version 8.2 - 07/21/05 14.26
ZPLI001I Copyright 1989-2005 PKWARE Inc. All rights reserved.
ZPLI001I SecureZIP(TM) is a trademark of PKWARE (R), Inc.
ZPLI001I Registered, Processor Type=2066 Processor Group=00 Serial Number=
ZPLI001I OS Level: HBB7707 SP7.0.4
-INCLUDE_CMD=PKZIP.IVP.JCL(DEVCERT1)
-ECHO=N
-CALLMODE(ISPF)
-ARCHIVE_DSN(FPD.SEQ.ZIP)
-SUPPRESS_DYNALLOC_MSGS
-TRACE_DYNALLOC(0)
-ACTION(VIEWDETAIL)
-CALLMODE(ISPF)
-TRACEDALC0
-TRACE_DYNALLOC(0)
ZPAM030I INPUT Archive opened: FPD.SEQ.ZIP
ZPAM014I 1 file(s) are in the input Archive.
ZPAM012I ZIP comment: SecureZIP for zSeries by PKWARE
ZPAM013I ******************************************************************
ZPAM001I Filename: FPD/TEST/SEQ3
ZPAM002I File type: TEXT
ZPAM003I Date/Time: 25-MAY-2004 12:00:00
ZPAM004I Compression Method: Deflate- Super Fast
ZPAM005I Compressed Size: 47,608
ZPAM006I Uncompressed Size: 222,221
ZPAM007I 32-bit CRC: 213E63AC LHDR Offset: 0
ZPAM008I Created by: PK zSeries 8.1
ZPAM009I Needed to extract: ZipSpec 6.1
ZPAM010I Encryption: AES_128 Certificate Key BSAFE(R)
ZPAM301I File Type: NONVSAM SEQUENTIAL
ZPAM303I File Record Format: FB
ZPAM304I File Allocation Type: BLK
ZPAM305I File Primary Space Allocated: 48
ZPAM306I File Secondary Space Allocated: 10
ZPAM307I File Record Size: 80
ZPAM308I File Block Size: 6160
ZPAM309I File Volume(s) Used: FPD002
ZPAM310I File Creation Date: 2003/04/21
ZPAM311I File Referenced Date: 2004/05/25
ZPAM319I SMS Storage Class: PRIVATE
ZPAM320I 3 recipient(s) were designated:
ZPAM321I Recipient: PKWARE TEST1
ZPAM322I Public Key Hash: 5D9E8B89B5948E9E853338A7250D64C5BED5E9E7
ZPAM323I Email: [email protected]
ZPAM324I Cert: //'PKWARE.MVS.CERTSTOR.PUBLIC(PK12003)'
ZPAM321I Recipient: PKWARE Test2
ZPAM322I Public Key Hash: 07E091CE30862B61663CF9D356863BF84D3DC8D5
ZPAM323I Email: [email protected]
ZPAM324I Cert: //'PKWARE.MVS.CERTSTOR.PUBLIC(PKT2004)'
ZPAM013I *********************************************************************
ZPAM140I FILES: VIEWED EXCLUDED BYPASSED IN ERROR
ZPAM140I 1 0 0 0
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)
********************************************************** Bottom of Data ****
Incorrect Password Use
The following four illustrations show what to expect if you enter an incorrect password. The third panel is a foreground execution of SECUNZIP. The upper right-hand corner contains the “Incorrect Password” message when the extraction fails. The fourth panel contains the output listing of a batch job with the message that the encrypted file has been skipped because of a missing or incorrect password.
Figure 1. Select the file to browse
SecureZIP View Archive Row 1 to 7 of 203
Command ===> SCROLL ===> PAGE
Name of Archive : 'FPD.TEST600.ZIP'
Primary commands: LOCATE to position list or SORT to sort list.
Enter line command or '/' for list of valid line commands.
Press PF1 for HELP.
Cmd  File Name                Zipped Date/Time  Zipped Size  Unzipped Size  Comp Ratio  Type  Volume(s)  Message
------
b  ! PKZIP/FPD/JCL/ACZDFLT    2/11/2004 14:08   1126         4183           73%         TEXT  FPD002
   ! PKZIP/FPD/JCL/ACZDFLTB   2/11/2004 14:08   1126         4183           73%         TEXT  FPD002
   ! PKZIP/FPD/JCL/AESASM     2/11/2004 14:08   1110         3281           66%         TEXT  FPD002
   ! PKZIP/FPD/JCL/AESASM2    2/11/2004 14:08   1110         3281           66%         TEXT  FPD002
   ! PKZIP/FPD/JCL/APIMJB1    2/11/2004 14:08   502          1477           66%         TEXT  FPD002
   ! PKZIP/FPD/JCL/ASMACTM    2/11/2004 14:08   374          903            58%         TEXT  FPD002
   ! PKZIP/FPD/JCL/ASMACTRT
Figure 2. Enter the password
SecureZIP View Archive Row 1 to 7 of 203
+======+
| SECUREZIP for zSeries Encrypted File Password |
| Command ==> |
| |
| File is encrypted. Enter password. |
| |
| Data Set Name: |
| PKZIP/FPD/JCL/ACZDFLT |
| |
| Password (up to 250 characters): |
| ....5...10....5...20....5...30....5...40....5...50....5...60....5...70 |
| |
| |
| |
| Re-enter password: |
| |
| |
| |
| Press ENTER to continue. |
| Press PF3 to terminate processing |
| |
+======+
Figure 3. Receive the error message and condition code if execution is in the Foreground.
SecureZIP for zSeries 8.2 View Arch Incorrect Password
Command ===> SCROLL ===> PAGE
Name of Archive : 'FPD.TEST600.ZIP'
Primary commands: LOCATE to position list or SORT to sort list. Enter line command or '/' for list of valid line commands. Press PF1 for HELP.
Cmd  File Name                Zipped Date/Time  Zipped Size  Unzipped Size  Comp Ratio  Type  Volume(s)  Message
------
   ! PKZIP/FPD/JCL/AESASM2    2/11/2004 14:08   1110         3281           66%         TEXT  FPD002     Brw 4
   ! PKZIP/FPD/JCL/APIMJB1    2/11/2004 14:08   502          1477           66%         TEXT  FPD002
   ! PKZIP/FPD/JCL/ASMACTM    2/11/2004 14:08   374          903            58%         TEXT  FPD002
   ! PKZIP/FPD/JCL/ASMACTRT   2/11/2004 14:08   486          1067           54%         TEXT  FPD002
   ! PKZIP/FPD/JCL/ASMALL     2/11/2004 14:08   5446         33867          83%         TEXT  FPD002
   ! PKZIP/FPD/JCL/ASMAMGR    2/11/2004 14:08   438          1477           70%         TEXT  FPD002
   ! PKZIP/FPD/JCL/ASMAPI
Figure 4. Receive the error message ZPEX014W Encrypted file skipped. Password not provided or not valid in the batch job output listing.
*************************************** Top of Data *********************************
ZPLI001I SecureZIP(TM) for zSeries, Version 8.2 - 07/21/05 14.26
ZPLI001I Copyright 1989-2005 PKWARE Inc. All rights reserved.
ZPLI001I SecureZIP(TM) is a trademark of PKWARE (R), Inc.
ZPLI001I Registered, Processor Type=2066 Processor Group=00 Serial Number=
ZPLI001I OS Level: HBB7707 SP7.0.4
* PANEL COMMANDS:
-SIMULATE(Y)
-PASSWORD(**********)
-SUPPRESS_DYNALLOC_MSGS
-TRACE_DYNALLOC(0)
-ARCHIVE_DSN(FPD.TEST600.ZIP)
-OUTFILE_OVERWRITE(Y)
-UNZIPPED_DSN(**,FPDTST2)
PKZIP/FPD/JCL/AESASM2
-CALLMODE(ISPF)
ZPCM000I Simulation Mode has been selected for action EXTRACT
ZPAM030I INPUT Archive opened: FPD.TEST600.ZIP
ZPEX014W Encrypted file skipped. Password not provided or not valid.
ZPEX002I ......
ZPEX003I Extracted to FPDTST2(AESASM2)
ZPAM140I FILES: EXTRACTED EXCLUDED BYPASSED IN ERROR
ZPAM140I 1 0 0 0
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)
************************************ Bottom of Data **********************************
7 File Selection and Name Processing
ZIP Processing File Selection
This chapter describes how to select files for ZIP processing. The chapter discusses the primary commands used, with notes and restrictions. ZIP file directory entries in a ZIP archive are defined in a system-independent format that is compatible with UNIX systems and has been translated into the ASCII character set. Data set level separators are typically the forward slash (“/”), not the period (“.”) as in MVS (although this can be controlled through command actions).
Primary File Selection Inputs
Files that are candidates for ZIP processing are selected when input parameters are processed and the old archive directory (if any) is read. Consequently, data set selection is controlled by three input sources:
Selection Source                              Effective ACTION Processes
Cataloged Dataset name command requests.      ADD, UPDATE
INFILE command (JCL DD) requests.             ADD, UPDATE
Input ZIP archive files.                      UPDATE, FRESHEN
Data set names found with the inputs listed above are combined into a single list of candidate files to be processed in the compression phase. A data set is selected only once. The following sections describe file selection from each of the input sources.
Cataloged Dataset Name Filter Requests
Requesting a file (or set of files) for ZIP processing by data set name triggers a standard search of the system catalog structure to determine eligible file names. Both NONVSAM and VSAM CLUSTER entries are used to identify candidates.
With data set name masking, multiple data set names may be identified from the system catalog. Also see: RECURSE_LEVELS and VSAM.
Exclusion Filters
When requesting data sets for ZIP processing through the catalog, it may be desirable to filter out categories of files. In addition to the data set name masking characters (?, *, and **), PKZIPz provides the following commands to limit cataloged file selections:
Command                Description
EXCLUDE(dsname|mask)   Used to avoid selecting data sets based on the file name. Multiple EXCLUDE commands may be specified for an individual ZIP call.
SELECT_DSN_ALIAS(N)    Used to avoid selecting data sets based on a catalog ALIAS definition.
SELECT_TAPE(N)         Used to avoid processing tape files.
SELECT_VSAM(N)         Used to avoid processing VSAM Clusters (this does not affect the archive data set organization). The archive may be VSAM, while the clusters are excluded for ZIP processing.
SELECT_MIGRATED(N)     Used to avoid processing DISK files that have been migrated using a product such as IBM’s DFSMShsm. Files in this category are identified in the catalog as having a volume serial of “MIGRAT”.
SELECT_GDGALL          Select all generations of a generation data group, while SELECT_NOGDGALL disables this feature (these are synonyms for the GDGALL_SUPPORT(Y|N) command).
RECURSE_LEVELS(N)      Specifies if lower level data set name masking is not desired.
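As an added example (not PKWARE code), here is a Python simulation of cataloged data set selection with name masks, EXCLUDE filters and the SELECT_* switches above, including the rule from the restrictions later in this chapter that the first-level qualifier be fully qualified and the rule that a data set is selected only once. The catalog is constructed, and the mask semantics (? one character, * any run within a qualifier, ** zero or more whole qualifiers) are the usual MVS conventions, assumed here because the manual does not spell them out.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CatalogEntry:
    dsn: str
    volser: str            # "MIGRAT" = migrated by DFSMShsm (see SELECT_MIGRATED)
    dsorg: str             # "VSAM" for a CLUSTER entry, otherwise "PS"/"PO"
    tape: bool = False     # resides on a tape volume (see SELECT_TAPE)
    alias: bool = False    # catalog ALIAS entry (see SELECT_DSN_ALIAS)


# Constructed sample catalog; none of these data sets is real.
CATALOG = [
    CatalogEntry("SYS1.PARMLIB", "SYSRES", "PO"),
    CatalogEntry("SYS1.PROCLIB", "SYSRES", "PO"),
    CatalogEntry("SYS1.BACKUP.G0020V00", "BKP001", "PS"),
    CatalogEntry("FPD.TEST.SEQ3", "FPD002", "PS"),
    CatalogEntry("FPD.TEST.OLD", "MIGRAT", "PS"),
    CatalogEntry("FPD.TEST.KSDS", "FPD002", "VSAM"),
    CatalogEntry("FPD.TAPE.DUMP", "T00123", "PS", tape=True),
    CatalogEntry("FPDALIAS.TEST.SEQ3", "FPD002", "PS", alias=True),
]


def mask_to_regex(mask):
    """Compile a data set name mask into an anchored regular expression.
    '?' matches one character and '*' any run of characters inside a
    qualifier; '**' matches zero or more whole qualifiers (assumed MVS
    semantics). The first level must be fully qualified, so SYS1.** is
    accepted and SYS*.** is rejected, as the chapter states."""
    quals = mask.upper().split(".")
    if "*" in quals[0] or "?" in quals[0]:
        raise ValueError("first-level qualifier must be fully qualified: " + mask)
    pattern = ""
    for i, q in enumerate(quals):
        dot = r"\." if i else ""
        if q == "**":
            pattern += r"(?:" + dot + r"[^.]+)*"
        else:
            pattern += dot + re.escape(q).replace(r"\*", r"[^.]*").replace(r"\?", r"[^.]")
    return re.compile("^" + pattern + "$")


def select_candidates(catalog, requests, exclude=(), select_vsam=True,
                      select_migrated=True, select_tape=True, select_dsn_alias=True):
    """Build the candidate list: run each request against the catalog,
    drop entries hit by an EXCLUDE mask or a SELECT_*(N) switch, and keep
    each data set once, in the order it was first selected."""
    excluded = [mask_to_regex(m) for m in exclude]
    seen, candidates = set(), []
    for request in requests:
        rx = mask_to_regex(request)
        for entry in catalog:
            if entry.dsn in seen or not rx.match(entry.dsn):
                continue
            if any(x.match(entry.dsn) for x in excluded):
                continue
            if (not select_vsam and entry.dsorg == "VSAM") \
                    or (not select_migrated and entry.volser == "MIGRAT") \
                    or (not select_tape and entry.tape) \
                    or (not select_dsn_alias and entry.alias):
                continue
            seen.add(entry.dsn)
            candidates.append(entry.dsn)
    return candidates


if __name__ == "__main__":
    # Same request, with and without the VSAM and migrated filters.
    print(select_candidates(CATALOG, ["FPD.TEST.*"]))
    print(select_candidates(CATALOG, ["FPD.TEST.*"],
                            select_vsam=False, select_migrated=False))
    print(select_candidates(CATALOG, ["SYS1.**"], exclude=["SYS1.BACKUP.**"]))
```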
INFILE DD Requests
When requesting a data set for inclusion in ZIP processing with INFILE (with an associated JCL DD statement), operating system allocation is performed before PKZIPz execution begins.
JES2 SYSIN INFILE Support
JES2 SPOOLed input data is supported for input ZIP processing. By referencing a “//… DD *” statement with an INFILE command, the input stream is treated as a sequential file with DCB attributes of RECFM=FB, LRECL=80, and BLKSIZE=80. The filename generated is based on the DSN generated by the JES2 subsystem and is modified to end in “SYSIN”; for example, userid/jobname/JOBxxxxx/sysinfo/SYSIN. When performing a SECZIP operation against an existing archive, the DCB attributes (LRECL, BLKSIZE) are retained in the new archive unless explicitly overridden with new command values.
Note: When performing an EXTRACT of such a file, OUTFILE_… space allocation and volume information must be provided through the defaults module or command input stream since JES2 DD statements do not carry space attributes.
Input ZIP Archive Files
During an ACTION(FRESHEN) or ACTION(UPDATE) request, files contained within the old ZIP archive are added to the candidate list. Names as previously stored are used to search the system catalog for viability (any file names not found in the system catalog remain in the ZIP archive). During an ACTION(COPY), only files within the input archive are candidates for copying to the new archive (which must be unique from the input archive).
File Selection Processing Notes
Files are not normally opened during the file selection phase of processing, in order to streamline performance. However, some file characteristics are gathered for non-tape files at this time. PDS and PDSE data sets are opened so that their directory information can be reviewed and members identified for selection.

&SYSUID may be used in cataloged data set selection requests.

Multiple components of PKZIPz are used to process File Selection requests. Various informational messages can be obtained from these internal components by turning on various logging and trace elements in the command stream.

PDS member name selection can be requested through INFILE command parameters, associated JCL DD member reference, or Data set name parameters.
• When an INFILE JCL DD specification is used and a member-name is coded in the JCL, it overrides any INFILE command parameters. (Only the member requested in the JCL is added to the selection list.)
• Dataset name command requests that also contain member request masks act in a cumulative fashion. All members from a PDS matching the requested masks are added to the candidate member list.
• When both INFILE and Dataset Name command requests are made with member names, the multiple requests are merged into a cumulative list, and only one copy of the member is processed.
• Because member name selections can also be placed on masked Dataset name requests (where more than one dataset is identified via a masked name), combinations of requests may result in different member-selection criteria for different datasets.
• Member selection requests are compiled into an internal table, which is later used to match against the list of members available from the PDS. PDS members are selected in alphanumeric order.
Cataloged Dataset Name and INFILE Request Restrictions
Cataloged data set command requests must begin with a fully qualified first level. For example, SYS1.** is valid, but SYS*.** is not.

Cataloged data set name requests depend on the accuracy of the system catalog structure under which PKZIPz is executing. If a data set is cataloged, but does not exist on the cataloged device, an allocation error will occur later in processing.

INFILE(ddname) requests must accurately reflect the device and volume for the requested data set. “ddname” must be a fully-qualified DDname allocated to the job step (or TSO session). INFILE requests which refer to a DD statement that is a concatenated set of data sets should have all files of the same DSORG and RECFM, in accordance with OS/390 rules for concatenated data sets. The associated DD statement is opened with the DCB characteristics of the first file in the concatenation, and that file’s name represents the group for processing in the ZIP archive.

Data set ALIAS names may be used to identify candidate data sets. However, the system catalog structure is used to translate the ALIAS name to the true data set name for processing. When a data set name request is made, a message is issued to the output log indicating that an ALIAS to Truename translation has occurred. However, when an ALIAS name is used with an INFILE request, the operating system resolves the ALIAS entry to its associated Truename before program execution begins, and file selection only refers to the Truename as presented by OS/390.

Generation data sets (GDG) can be requested with a fully-qualified generation name, for example, “SYS1.BACKUP.G0020V00”; a relative generation level, for example, “SYS1.BACKUP(-1)”; or a GDG-base request. In all cases, identified candidates resolve to their fully qualified NONVSAM data set name, and each is processed as an independent entry.
• GDG-base selection only applies to ZIP processing at the time of the request, in accordance with the current catalog structure.
• Relative generation selection is valid only with INFILE and JCL specifications.
• UNZIP processing requires selection according to fully qualified generation names.

When GDG-base names are used via data set name command requests, each current ASSOCIATION entry in the catalog will be used to identify individual NONVSAM entries, and each is processed as an independent entry. This differs from the way GDG-base names are handled when INFILE is used.

When an INFILE request is used in conjunction with a DD statement to reference a GDG-base, standard MVS expansion of the GDGALL name occurs. This results in all generations being treated as a concatenation group, with the latest generation name being assigned to the file. You must take care in handling the resultant ZIP file, since the data from one or more generations are included in the file. This differs from the way GDG-base names are handled when data set name requests are made.

VSAM files are supported at the CLUSTER level only. Individual DATA and INDEX COMPONENT names should not be requested.
ZIP File Names
The ZIP archive architecture describes files in an internal format that is comparable to the UNIX file naming standards. Each file is described within a ZIP archive central directory entry and is represented in ASCII. The format carries an inherent directory/sub-directory format (with “/” as the directory separator character). MVS data set names are converted to the standard ZIP archive file directory format before they are stored. For example, the data set “SYS1.PARMLIB(CLOCK00)” will appear in a ZIP archive as “SYS1/PARMLIB/CLOCK00”. A browse of the file in HEX format shows the ASCII representation for the characters, not EBCDIC. The following commands are used to control the file names being saved and restored during ZIP and UNZIP processing: (See the appropriate command section later in this manual for more detail).
Summary of Commands Affecting ZIP Filename
Process      Command                    Description
ZIP & UNZIP  TRANSLATE_TABLE_FILEINFO   EBCDIC <=> ASCII translate table.
ZIP & UNZIP  ZIPPED_DSN_SEPARATOR       Default is “/”; replaces “.” in MVS DSNs and also separates a member name.
UNZIP        UNZIPPED_DSN               Transforms the internal ZIP filename to an MVS standard name and allows replacement of qualifiers during the process.
ZIP          ZIPPED_DSN                 Transforms the MVS DSN to an internal ZIP filename.
ZIP          PATH                       Specifies whether the higher-level qualifiers are stored as a directory pathname in the ZIP filename.
UNZIP        HIERARCHY                  Determines what is done with the high-level qualifiers (directory path structure) of the ZIP filename during the conversion process.
UNZIP        FILE_EXTENSION             Specifies what is done with a low-level extension (such as .TXT) during an EXTRACT request.
ZIP & UNZIP  SIMULATE(Y)                Runs a simulation to determine what the resulting names will be.
Essentials for running PKZIP/SECZIP and PKUNZIP/SECUNZIP
PKZIP/SECZIP can perform various actions for the following commands: [ADD | COPY | DELETE | FRESHEN | UPDATE | VIEW ] The actions are described below. ADD is the default action if no action is specified.
Command   Description
ADD       Adds files that are not already present into a new or existing ZIP archive.
COPY      Copies a subset of an archive to a new archive.
DELETE    Deletes selected files from an existing ZIP archive.
FRESHEN   Updates existing files in an existing ZIP archive.
UPDATE    Adds new files to, or updates existing files in, an existing ZIP archive.
VIEW      Displays details of selected files in an existing ZIP archive.
Each of the actions requires a ZIP archive to process, so the ARCHIVE command (or ARCHIVE_OUTDD) must always be specified. –ARCHIVE(
PKUNZIP/SECUNZIP
For UNZIP to extract compressed data sets from a ZIP archive, PKUNZIP/SECUNZIP must be told three things:
• The action to perform.
• The archive from which the data sets are to be decompressed.
• The files that are to be extracted from the archive.
PKUNZIP/SECUNZIP can perform the following commands: [ EXTRACT | TEST | VIEW ] The commands are described below. EXTRACT is the default if no command is specified.
Command   Description
EXTRACT   Extracts selected files from an existing ZIP archive.
TEST      Deletes selected files from an existing ZIP archive.
VIEW      Displays details of selected files in an existing ZIP archive.
Each of the commands requires a ZIP archive to process, so the ARCHIVE command (or alternative) must always be specified. -ARCHIVE(
Note: To process an MVS DSN format for SECUNZIP selection, the name must closely match the internal ZIP name, except for the directory separators (the characters that substitute for “/”), and the target MVS name must be acceptable to the operating system. (See OUTFILE_DD and UNZIPPED_DSN.)
8 ZIP Files
Data Formats - Text or Binary
Data files are held within a ZIP archive in either text or binary format. Both formats are supported by ZIP-compatible products on other platforms; however, some restrictions apply to cross-platform use of the data. For example, workstation-based applications may not be able to process EBCDIC-based data that is commonly produced by S390 platforms.

Text data is represented by one of two character sets, EBCDIC or ASCII, in which individual alphanumeric characters are assigned an internal numeric code within the range 0-255 (hexadecimal 00-FF). Although most of the same characters—for example, A-Z, a-z, 0-9—are contained in the EBCDIC and ASCII character sets, different code assignments are used for each.

To preserve cross-platform compatibility of files containing only text characters, the DATA_TYPE(TEXT) or DATA_TYPE(DETECT) command should be used. These commands direct PKZIPz to translate EBCDIC characters into the ASCII character set (the standard set used by ZIP-compatible products). The DATA_TYPE(BINARY) command causes EBCDIC to ASCII character translation to be bypassed. This feature is useful when the file contains non-text data. (Warning: Binary fields may generate what appear to be record-delimiter characters. Therefore, TEXT should not be used if binary data is present.)

Note that a custom TRANSLATETABLE_DATA table can be built to substitute blanks for control characters (X’0D’ + ‘25’ EBCDIC), for graphics, or for internal numeric representations (for example, packed or binary numeric data), or for use when text-based data is to be extracted only to other EBCDIC-based platforms.

All data within a file is treated the same during ZIP processing, in accordance with the DATA_TYPE(TEXT) and DATA_TYPE(BINARY) commands. Care should be taken when zipping files that do not contain both text and binary data. Use of the DATA_TYPE(TEXT) command when binary data exists within the file will produce unpredictable results for fields containing binary data. DATA_TYPE(BINARY) should be used to preserve data integrity; however, with this command, text data will not be translated into the ASCII format by UNZIP processing in a cross-platform environment.

As an advanced feature, DATA_TYPE(DETECT) instructs PKZIPz to read a portion of data from the input file (in accordance with the DATATYPE_DETECT_DEPTH value) and scan it for non-translatable text characters using the active text translation table. If the number of translatable text characters (as specified by the DATATYPE_DETECT_TABLE) meets or exceeds the percentage specified by DATATYPE_TEXT_PERCENT, the file is treated as DATA_TYPE(TEXT). Otherwise, it is treated as if DATA_TYPE(BINARY) had been used. As an exception to this rule, X’00’ (the NULL terminator character commonly used in the C language) is allowed within text files.

If it is unknown whether a file in the ZIP archive is text or binary, you may use the ACTION(VIEWDETAIL) command to examine the file attributes.

It is possible for members of the same PDS or PDSE to be treated differently when DATA_TYPE(DETECT) is used, because of a varying mix of data. Each member is treated as an independent file during ZIP processing.

The command DATA_TYPE(DETECTX) is provided as an advanced feature to assist in identifying and translating text-based files for UNZIP processing. This is useful when the originating ZIP platform (typically a workstation) does not set the “text” indicator for the file in the archive.
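The following Python program is an added illustration of the DATA_TYPE(DETECT) decision just described; it is not part of PKZIPz and does not reproduce its translate tables. It assumes IBM code page 037 stands in for the active text translation table, that a byte is “translatable” when it maps to printable ASCII or to the CR, LF or NL record controls, and that X'00' is simply left out when the percentage is computed; the depth and percent defaults are demo values, not product defaults.

```python
import codecs
import struct

# Assumption: code page 037 stands in for the installation's text translate
# table; a byte is "translatable" if it maps to printable ASCII or to one of
# the record-control characters CR (X'0D'), LF (X'25') or NL (X'15').
RECORD_CONTROLS = {0x0D, 0x25, 0x15}


def build_text_table(codepage="cp037"):
    """Set of EBCDIC byte values that the table maps to usable text."""
    table = set(RECORD_CONTROLS)
    for b in range(256):
        ch = codecs.decode(bytes([b]), codepage)
        if ch.isprintable() and ord(ch) < 128:
            table.add(b)
    return frozenset(table)


def detect_data_type(data, depth=1024, text_percent=90, table=None):
    """Return "TEXT" or "BINARY" for the first `depth` bytes of `data`.

    `depth` plays the role of DATATYPE_DETECT_DEPTH and `text_percent` that
    of DATATYPE_TEXT_PERCENT (demo defaults).  X'00', the C NUL terminator,
    is tolerated: it is dropped from both numerator and denominator.
    """
    table = build_text_table() if table is None else table
    considered = [b for b in data[:depth] if b != 0x00]
    if not considered:
        return "BINARY"            # nothing but NULs: no evidence of text
    translatable = sum(1 for b in considered if b in table)
    percent = 100.0 * translatable / len(considered)
    return "TEXT" if percent >= text_percent else "BINARY"


# Constructed sample records (not taken from any real data set).
TEXT_SAMPLE = codecs.encode("SET CLOCK00 TIMEZONE(W.05.00.00)\n", "cp037")
# A typical mixed record: an 8-byte EBCDIC key, a packed-decimal amount and a
# 4-byte binary counter.  Only 9 of the 14 non-NUL bytes translate to text.
MIXED_SAMPLE = (codecs.encode("CUST0001", "cp037")
                + b"\x00\x00\x12\x34\x5C"
                + struct.pack(">I", 70000))


if __name__ == "__main__":
    for name, sample in (("text", TEXT_SAMPLE), ("mixed", MIXED_SAMPLE)):
        print(name, detect_data_type(sample))
```

Lowering the percentage makes the mixed record pass as text, which is exactly how a wrong DATATYPE_TEXT_PERCENT corrupts packed and binary fields on translation.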
Data Format - Text Records
In the context of ZIP archives, a “text file” is one that is stored in the ASCII format. A text file contains records of data, each separated by a delimiter to signify the end of the record.
Note: An EBCDIC file containing text information (such as source code) can be stored in its original format by using DATA_TYPE(BINARY), but it is not considered to be a “text” file within the ZIP architecture.
• PKZIP uses the default delimiter CR-LF (x'0D0A') at the end of each text record. You may choose to use a different delimiter by using the DATA_DELIMITER command (or other characters as specified in the command set). At the end of each ZIP’d file is a file terminator.
• The default file terminator for PKZIP is Ctrl+Z (x'1A'). This file terminator can be changed by using the FILE_TERMINATOR command.
Note: The last record will have the data delimiter followed by the file terminator.
If you want the ZIPPED file to contain no data delimiters, you may specify CRLF(N) or DATA_DELIMITER(). If CR-LF is specified on ZIP, but CRLF(N) is specified on UNZIP, then PKZIP treats any x'0D0A' as data characters, translates them into the EBCDIC equivalent, and embeds them in the output file. Although it is possible to align fixed-length records in an output file without CR-LF (by using input and output files with identical record lengths), care must be taken when using CRLF(N), because DATA_DELIMITER is the only explicit mechanism available to determine record lengths for text files.

At the time of UNZIP file extraction, PKZIPz changes text data from ASCII to EBCDIC by using a translation table. During installation, several translation tables are available, and the customizing process selects one as the default. Additional translation tables may be created through the customizing procedure.

Note that, during UNZIP processing, if the defined CR-LF character sequence (for example, x'0D0A') is not found in the scan of the first buffer of data, the SECUNZIP program attempts to locate a valid record terminator character to use throughout the extraction of that file.

Note: Unpredictable results may occur if a mix of the control characters X'0A', X'0D', or X'1A' is found in the input stream. PKZIP uses the first occurrence of one of these characters when automatic detection is used.

For example, in a ZIP archive brought from a standard UNIX platform, the record delimiter is saved as x'0A'. UNZIP processing dynamically re-defines the DATA_DELIMITER value for the remainder of that file. This is also useful if multiple ZIP files are contained within the same archive and have differing record delimiters.

Situations may arise in unique platform interchanges, or when working with text files from different countries, when the default translation table is not adequate. You may select any available translation table by using the TRANSLATE_TABLE_DATA command.
Note: The PKZIPz INSTLIB contains sample JCL and source members to assist in creating customized translate tables.
PKZIPz extracts text records stored in the ZIP archive by examining the data for record delimiter and file terminator indicators. Using these indicators, records are aligned in accordance with the target file attributes.
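Record alignment during UNZIP, shown as an added Python illustration rather than PKZIPz code: the text stream is cut at DATA_DELIMITER (with the first-buffer fallback to LF, CR or Ctrl-Z described above), the FILE_TERMINATOR is dropped, and each record is translated to EBCDIC and padded to the target LRECL. Code page 037 stands in for the installation translate table, and truncating an over-length record to LRECL is an assumption of the demo, not documented product behaviour.

```python
import codecs

EBCDIC_SPACE = b"\x40"
CANDIDATES = (b"\n", b"\r", b"\x1a")   # LF, CR, Ctrl-Z: first one seen wins


def detect_delimiter(first_buffer, configured=b"\r\n"):
    """Delimiter to use for a file, decided from its first buffer.

    The configured DATA_DELIMITER wins when it is present.  Otherwise the
    first occurrence of LF, CR or Ctrl-Z in the buffer decides: LF or CR
    becomes the delimiter for the rest of the file; Ctrl-Z first means the
    file carries no record delimiter at all (None).
    """
    if configured in first_buffer:
        return configured
    hits = [(first_buffer.find(c), c) for c in CANDIDATES if c in first_buffer]
    if not hits:
        return None
    pos, delim = min(hits)
    if delim == b"\r" and first_buffer[pos:pos + 2] == b"\r\n":
        return b"\r\n"
    return None if delim == b"\x1a" else delim


def extract_text_records(data, lrecl, delimiter=b"\r\n", terminator=b"\x1a",
                         codepage="cp037", buffer_size=4096):
    """Cut a ZIP text stream into fixed-length EBCDIC records for RECFM=FB.

    delimiter=None models CRLF(N) on UNZIP: X'0D0A' is ordinary data and only
    LRECL decides where each record ends.
    """
    if terminator and data.endswith(terminator):
        data = data[:-len(terminator)]
    if delimiter is None:
        delim = None
    else:
        delim = detect_delimiter(data[:buffer_size], delimiter)
    if delim:
        pieces = data.split(delim)
        if pieces and pieces[-1] == b"":
            pieces.pop()            # the last record carries a delimiter too
    else:
        pieces = [data[i:i + lrecl] for i in range(0, len(data), lrecl)]
    records = []
    for piece in pieces:
        # ASCII -> EBCDIC; latin-1 keeps every byte value, so embedded
        # X'0D0A' under CRLF(N) is translated rather than rejected
        ebcdic = codecs.encode(piece.decode("latin-1"), codepage)
        # assumption: an over-length record is truncated to LRECL
        records.append(ebcdic[:lrecl].ljust(lrecl, EBCDIC_SPACE))
    return records


# Constructed samples: a UNIX-style file (LF only) and a workstation file (CR-LF).
UNIX_SAMPLE = b"SET CLOCK\nTIMEZONE W\n\x1a"
DOS_SAMPLE = b"ABC\r\nDEFGH\r\n\x1a"

if __name__ == "__main__":
    for rec in extract_text_records(UNIX_SAMPLE, lrecl=10):
        print(rec.hex(), repr(codecs.decode(rec, "cp037")))
```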
Data Format - Binary Records
Binary data is stored in the ZIP archive in its original format. Binary data may be graphics or numbers that are already in “computer format”; therefore, no translation is done. The length of binary records in UNZIP processing is determined in one of two ways:
• Fixed-length records: PKZIPz automatically fills the available block according to the allocation specifications.
• Binary records of variable length: A Record Descriptor Word (RDW) is inserted with the SAVE_LRECL(Y) command. An indicator is tracked in the archive directory that instructs UNZIP processing to automatically use these lengths when extracting the file. Use of this feature is extremely important when processing binary data with varying-length records. Note that the record length is in little-Endian format within the archive, not S390 format.
File Attributes
Within the ZIP archive are two different directories providing information about the files held within the archive.
• A local directory included at the front of each file, with information pertaining to it—for example, file size and date ZIPPED.
• A central directory located at the end of the ZIP archive. The central directory lists the complete contents of the ZIP archive and is the primary source of information for controlling UNZIP processing.

PKZIPz will optionally store extended attributes about the file that can be useful in re-creating the file during UNZIP processing. These attributes include items such as space allocation, maximum record size, and data set organization (VSAM/PDS/SEQ, etc.). Additionally, an optional sub-category of extended attributes is available. Extended attributes for NONVSAM files include record format, DSORG, LRECL, and block size. Extended attributes for VSAM files include CLUSTER information. File attributes can be displayed by using the ACTION(VIEWDETAIL) command. PKZIPz enables you to store the extended attributes in the local directory, central directory (recommended), both, or neither. See Chapter 10 for the specific command for each of these options. Attributes held in the central directory are used by SECUNZIP.
Data Set Name Transformation
The ZIP Archive normally holds file information in a platform-independent directory structure. The default format of each ZIP file name looks very much like an ASCII UNIX directory structure. PKZIPz performs a transformation between MVS data set names and ZIP file names during ZIP and UNZIP processing. The default transformation involves translating MVS EBCDIC characters to/from ASCII in accordance with the translate table specified by the TRANSLATE_TABLE_FILEINFO setting, and altering data set node delimiters (“.” and “(” for PDS member name designation) to slashes “/”. When a partitioned member name is specified, the trailing “)” is eliminated. Additional controls are provided to permit renaming of file names during the transformation process. The ZIPPED_DSN command set assists the user in tailoring the filename built during ZIP processing. The UNZIPPED_DSN command and FILENAME_API (user exit program) assist the user in tailoring the MVS name to be used during UNZIP processing.
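Data set name transformation, in an added Python illustration that is not PKZIPz code: the default mapping between an MVS name and the ZIP filename in both directions, the effect of a different ZIPPED_DSN_SEPARATOR, of HIERARCHY(N), of dropping a FILE_EXTENSION and of a PDS target, plus a check that the resulting MVS name is one the operating system will accept. The keyword arguments (sep, dsntype, hierarchy, strip_extension) are names chosen for the demo rather than PKZIPz commands, and “dropping an extension” here simply removes the last “.xxx” part of the low-level name.

```python
import re

# MVS naming rules: a qualifier is 1-8 characters, starts with A-Z or a
# national character (@ # $), may contain digits and "-" after the first
# position; the name without member is at most 44 characters; a member name
# follows the qualifier rules but may not contain "-".
QUALIFIER = re.compile(r"[A-Z@#$][A-Z0-9@#$-]{0,7}")
MEMBER = re.compile(r"[A-Z@#$][A-Z0-9@#$]{0,7}")
MAX_DSN_LEN = 44


def split_dsn(dsn):
    """'A.B(C)' -> ('A.B', 'C');  'A.B' -> ('A.B', None)."""
    m = re.fullmatch(r"([^()]+)(?:\(([^()]+)\))?", dsn)
    if not m:
        raise ValueError(f"malformed data set name: {dsn!r}")
    return m.group(1), m.group(2)


def dsn_to_zipname(dsn, sep="/"):
    """ZIP processing: 'SYS1.PARMLIB(CLOCK00)' -> 'SYS1/PARMLIB/CLOCK00'.

    Each "." and the "(" introducing a member become `sep` (the
    ZIPPED_DSN_SEPARATOR default is "/"); the trailing ")" is dropped.
    """
    base, member = split_dsn(dsn.upper())
    parts = base.split(".")
    if member:
        parts.append(member)
    return sep.join(parts)


def zipname_to_dsn(zipname, sep="/", dsntype="PS", hierarchy=True,
                   strip_extension=False):
    """UNZIP processing: rebuild an MVS name from the archive filename.

    hierarchy=False models HIERARCHY(N): the directory path is discarded and
    only the low-level name survives.  dsntype="PDS" makes the last
    component a member name, as in MY/PDS/MEMBER1 -> MY.PDS(MEMBER1).
    """
    parts = zipname.upper().split(sep)
    if strip_extension and "." in parts[-1]:
        parts[-1] = parts[-1].rsplit(".", 1)[0]   # e.g. DAILY.TXT -> DAILY
    if not hierarchy:
        parts = parts[-1:]
    if dsntype == "PDS" and len(parts) >= 2:
        return ".".join(parts[:-1]) + "(" + parts[-1] + ")"
    return ".".join(parts)


def is_valid_dsn(dsn):
    """True when the operating system would accept `dsn` as a data set name."""
    try:
        base, member = split_dsn(dsn)
    except ValueError:
        return False
    if len(base) > MAX_DSN_LEN:
        return False
    if not all(QUALIFIER.fullmatch(q) for q in base.split(".")):
        return False
    return member is None or MEMBER.fullmatch(member) is not None


if __name__ == "__main__":
    name = dsn_to_zipname("SYS1.PARMLIB(CLOCK00)")
    # the central directory stores the name in ASCII, which is what a HEX
    # browse of the archive shows
    print(name, name.encode("ascii").hex())
    for candidate in ("MY/PDS/MEMBER1", "reports/daily.txt", "1st/run"):
        target = zipname_to_dsn(candidate, dsntype="PDS")
        print(candidate, "->", target, "valid" if is_valid_dsn(target) else "INVALID")
```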
Large File Considerations
It is best when using the ZIP process for large files to use half-track blocking for the ZIP archive (this is the default size employed by PKZIPz). This method provides the best performance and makes the most efficient use of storage space for ZIP archives and ZIP temporary files. Use of other block sizes decreases the volume of data that can fit onto a single volume and affects performance. A temporary work file may be created during the updating or reconfiguring of a file in the ZIP archive, depending on file size and available storage. This temporary file may or may not have the same storage attributes as the original file. The temporary file holds the updated form of the file in order to allow for the reformatting of the (new) ZIP archive. To preserve the integrity of the original archive in case of a failure, the old archive is preserved while a new archive is being built. Therefore, there must be enough space allowed to accommodate the size of the old archive, the temporary file, and the updated archive.
Determining File Size
Default space allocations may not be adequate when compressing large files. To calculate the space needed for the ZIP archive and the temporary files, the following proportions may be helpful:
• ZIP archives - Primary: 25% (one-quarter) of the total size of the uncompressed file(s) (ARCHIVE_SPACE_PRIMARY command).
• ZIP archives - Secondary: 10% (one-tenth) of the total size of the uncompressed file(s) (ARCHIVE_SPACE_SECONDARY command).
• Temporary Files - Primary: 25% (one-quarter) of the size of the largest uncompressed file (TEMP_SPACE_PRIMARY command).
• Temporary Files - Secondary: 10% (one-tenth) of the size of the largest uncompressed file (TEMP_SPACE_SECONDARY command).
If a tape-based archive is used, it is possible to use a temporary disk archive during processing (see STAGE_TAPE_ON_DISK command). The sizes used should correspond to those specified in the tape archive.
9 File Processing
File Support
PKZIPz can support files of various formats—specifically: sequential files, PDS or PDSE members, VSAM files, and magnetic tapes or cartridges. Three applications are possible for each file type:
• Compressing files of each format into a ZIP archive.
• Data from a ZIP archive may be extracted into each of these formats.
• A ZIP archive may be managed in each of these formats.
An overview of information regarding each file type is shown in the table below. Additional information that is required in working with each specific file type is detailed under the appropriate section later in this chapter. In all cases, PKZIPz will optionally save file type information during ZIP processing. This information may be used by ZIP-compatible products in applicable environments for an equivalent reconstruction of the file during UNZIP processing.
Supported Record Formats
  Sequential Files: Undefined: U. Fixed: F, FA, FB, FM, FBA, FBM, FBS. Variable: V, VA, VB, VM, VBA, VBM, VS, VBS (see Note).
  PDS or PDSE Members: Undefined: U. Fixed: F, FA, FM, FBA, FBM. Variable: V, VA, VB, VM, VBA, VBM, VS, VBS (see Note).
  VSAM Files: ESDS, KSDS, RRDS.
  Magnetic Tapes/Cartridges: Same as sequential files for standard-label and non-label tapes.
Supported ZIP Archive Formats
  Sequential Files: Undefined: U. Fixed: F, FB, FBS. Variable: V, VB.
  PDS or PDSE Members: Undefined: U. Fixed: F, FB. Variable: V, VB.
  VSAM Files: ESDS.
  Magnetic Tapes/Cartridges: See the Magnetic Tapes/Cartridge ZIP Archive section later in this chapter.
File Selection Methods
  Sequential Files: File name, file masks, JCL DD cards, ALIAS.
  PDS or PDSE Members: File name, file masks, JCL DD cards, path name.
  VSAM Files: Cluster name, path name, JCL DD cards, file masks.
  Magnetic Tapes/Cartridges: JCL DD cards (see DD commands used with sequential files); file names (limited to ZIP processing of cataloged tape files where mount authority is provided).
Note: Spanned Files: Spanned record support for binary files (DATA_TYPE=BINARY) requires the record length (SAVE_LRECL=Y). The maximum record length for a binary file is 32768; the maximum record length for a text file (DATA_TYPE=TEXT) is 32764. IEBCOPY unload files require DATA_TYPE=BINARY and SAVE_LRECL=Y, with a maximum supported record length of 32740. IEBCOPY PDS unload requires that the BLKSIZE of the PDSU data set (the output of the IEBCOPY unload) be no smaller than the PDS BLKSIZE + 20. The largest PDS BLKSIZE that can be accommodated is 32740. If this is exceeded, an S002 abend will occur in PKZIP.
Sequential Files
In this chapter, the term sequential file means an MVS NON-VSAM data set with DSORG=PS. This includes individual members of a GDG.
Compressing Sequential Files
Batch jobs may be submitted to process sequential files using JCL DD cards and/or by file selection specifications made with control statements. Use the INFILE command to reference a data set allocated to the job step with a JCL DD statement. This directs PKZIPz to place the specified file into the archive. Multiple INFILE control statements may be used in a single execution. The files are selected for processing in the order specified by INFILE (not by the sequence of the JCL statements).
//MYFILE DD DISP=SHR,DSN=SYS1.PARMLIB(CLOCK00)
//SYSIN DD *
-ADD
-INFILE(MYFILE)
/*
Extracting Records into a Sequential File
The default extraction format is a sequential file with dynamic allocation (creation) of the file. When the output file is to be dynamically created by the unzip process, the OUTFILE space and attribute command settings are merged with any saved attribute information from the source archive to govern the dynamic allocation request. When a target output file is already allocated to the system, unzip processing attempts to identify and use the pre-allocated DCB attributes for the file (either from the VTOC or JCL DD statement). If attributes are supplied in this manner, be certain to allocate the file with DCB attributes that are consistent with the data to be extracted. The saved file attributes in the source archive and command settings are ignored. The OUTFILE_DD command may be used to reference a data set for extraction into a sequential file format.
//TARGET DD DISP=(NEW,CATLG),DSN=userid.MY.SEQUENTIAL,UNIT=SYSDA,
// SPACE=(CYL,(1,1)),DCB=(RECFM=FB,LRECL=80,BLKSIZE=27920)
//SYSIN DD *
-EXTRACT
-OUTFILE_DD(TARGET)
-ARCHIVE(MY.ARCHIVE)
/*
Managing a Sequential File ZIP Archive
A new sequential archive may be created by use of the ARCHIVE_OUTFILE command with appropriate DCB information in the referenced JCL, or implicitly by specifying ARCHIVE_DSN(ZIP_name) with ARCHIVE_DSORG(PS).
//newarch DD DISP=(NEW,CATLG),DSN=userid.MY.ZIP,UNIT=SYSDA,
// SPACE=(CYL,(1,1)),DCB=(RECFM=FB,LRECL=27998,BLKSIZE=27998)
//SYSIN DD *
-ADD
-ARCHIVE_OUTFILE(newarch)
userid.MY.JCL(*)     <= file to be ZIP’d
hlq.*.ASM(*)
Additionally, an existing archive may be read by use of the ARCHIVE_INFILE command.
Processing GDGs
GDG members are generally treated as individual sequential data sets with their respective fully qualified names. With some restrictions, full GDGs and relative generations can be selected for ZIP processing.
The compression and extraction of GDGs (Generation Data Groups) present unique concerns. These are described in more detail in section “Cataloged Dataset Name and INFILE Request Restrictions” in Chapter 7.
File Concatenation for ZIP Processing
It is possible to use INFILE to concatenate multiple files of like attributes—for example, the same RECFM and LRECL. File types may include sequential files (DSORG=PS), fully qualified or relative generations of a GDG, or PDS/PDSE members. Note that PKZIPz processes the entire concatenation as one file stream and uses the first DSNAME in the concatenation sequence as its basis for saving file attributes in the ZIP archive.
PDS and PDSE Members
Partitioned data sets have a variety of unique characteristics and applications. For this reason, separate sections are dedicated to the following topics:
• Selecting PDS/PDSE members for compression.
• Extracting data into a PDS.
• Managing ZIP archives as PDS members.
• Load libraries.
Selecting PDS Members for Compression
PKZIPz operates on individual PDS members as distinct file entities, although a complete PDS or subset of a PDS can be operated on through JCL and control card specifications.
Note: In this section, unless specified otherwise, the term PDS also applies to PDSE.
File Name or File Mask
PKZIPz can compress a single PDS member, multiple PDS members, or all members of one or multiple PDS files by adapting the file selection name. Examples of these options are shown below.
//member1 DD DISP=SHR,DSN=SYS1.PARMLIB(CLOCK00)
//SYSIN DD *
-INFILE(member1)
SYS1.PARMLIB(CLOCK00)             <= get a single member by catalog
SYS1.PARMLIB(CLOCK*)              <= get all members starting with “CLOCK”
SYS1.PARMLIB or SYS1.PARMLIB(*)   <= get all members
SYS1.PARMLIB(*00)                 <= all members suffixed with “00”
MY.PDS(A??SRC)                    <= any character in 2nd and 3rd positions
DD Statements
Batch jobs can be submitted to process PDS members using JCL DD cards. To process only one PDS member, the member name can be used as the file identifier. To process all members of a PDS, the PDS name can be used as the file identifier. To process several members, the INFILE command is used along with the selected member names, or a file mask can be used in place of specific member names.
//pds DD DISP=SHR,DSN=SYS1.PARMLIB
//SYSIN DD *
-INFILE(pds,CLOCK*,*00,MEMBER6)   <= multiple INFILE statements may be used.
Extracting Data into a PDS
PKZIPz allows you to extract files from an archive into either a new or existing PDS. A PDS member that has been compressed into the archive may be extracted into a different PDS. In this case, file attributes for the target PDS can be governed by pre-allocation, JCL, control cards, or extended attributes previously saved in the archive during ZIP processing. When instructing unzip processing to dynamically create the target PDS, use OUTFILE_DSNTYPE(PDS) along with other OUTFILE space and attribute commands. The PDS name is governed by the use of UNZIPPED_DSN, FILE_EXTENSION, and HIERARCHY(N).
//SYSIN DD *
-ARCHIVE(my.zipfile)
-EXTRACT
-OUTFILE_DSNTYPE(PDS)
-OUTFILE_RECFM(FB)
-OUTFILE_LRECL(80)
-OUTFILE_BLKSIZE(27920)
-OUTFILE_SPACE_TYPE(CYLINDERS)
-OUTFILE_SPACE_PRIMARY(2)
-OUTFILE_SPACE_SECONDARY(1)
MY/PDS/MEMBER1   <= this is the archive filename selection to result in MY.PDS(MEMBER1)
When a target output file is already allocated to the system, unzip processing attempts to identify and use the pre-allocated DCB attributes for the file (either from the VTOC or JCL DD statement). In this case, be certain to allocate the file the DCB attributes that are consistent with the data to be extracted. The saved file attributes in the source archive and command settings are ignored. Unzip processing does not alter the existing DCB (LRECL or BLKSIZE) for an existing PDS or PDSE.
Managing ZIP Archives as PDS Members
PKZIPz can maintain a ZIP archive as a PDS member using the ARCHIVE_DSN command along with the PDS and member name. When the archive is created as a member of an existing PDS, the attributes for the PDS are not altered.
Load Libraries
In most cases, load libraries are extracted only to another OS/390 platform; therefore, PKZIPz is able to process either an individual member or an entire load library. The methods used vary, as described below.
Processing Individual Members
Each member of the PDS is maintained as an individual file in the ZIP archive. Both DATA_TYPE(BINARY) and RDW commands should be used to ensure data integrity. In addition to normal data storage, necessary load module directory information is saved in the extended attributes section of the archive directory. During extraction, any individual member can be selected for processing. When recreating the member on extraction, additional information (such as the TTR entry point) is translated by PKZIPz to use when loading the file.
Load Module Control
Some information, for example, the NOTELIST used for overlay segments, is not retained in the archive. This may cause inaccuracies upon extraction, as that load module may not be properly restored. To avoid this problem, it is recommended that the load module be placed in a library by itself and that the file be extracted to a library that has the same blocksize, on the same device type, or that the process described below be used.
Processing Entire Load Library
If it is not necessary to select individual members for later extraction, or if the library contains overlay segments or other specialized load modules, an alternate method is recommended. First, unload the PDS to a sequential file format supported by PKZIPz (such as IEBCOPY, or the TSO command TRANSMIT, which can be run in batch). Then ZIP the sequential file. On extraction, PKZIPz will recreate the sequential file, which can then be reloaded to the PDS with the utility used previously. Although this method entails an extra step, it allows compression of the entire library, and there are no restrictions placed on individual members of the library. See pkware.mvs.INSTLIB(IVPVSPAN) for a sample job stream.
VSAM Files
VSAM files are selected and allocated with the use of the IBM Access Method Services utility IDCAMS, as described in the IBM Access Method Services manual. A working knowledge of IDCAMS processing will enhance the effectiveness of managing VSAM data sets with PKZIPz. Control statements and input file characteristics are used to internally generate Access Method Services control statements for dynamic calls to IDCAMS. PKZIPz makes use of Access Method Services User I/O Routines for SYSIN and SYSPRINT file requests. OEM products and/or Installation-written routines that modify standard IBM processing for these exits should not be active for PKZIP processing. A sample JOB to demonstrate a ZIP and UNZIP of a VSAM KSDS to a VSAM archive can be found in pkware.mvs.INSTLIB(IVPVSAM).
Compressing a VSAM File
The cluster name is used when selecting a VSAM file for compression. Attempting to use only the data or index components of the file is likely to result in an unusable file. As with sequential and PDS files, either INFILE (with JCL) or file selection statements may be used to identify VSAM files for processing. VSAM files often contain a mixture of text and binary data. Therefore, unless it is necessary to translate the data to ASCII, use both the DATA_TYPE(BINARY) and SAVE_LRECL commands. During ZIP processing, the type of VSAM file requested is determined from the system catalog. Through the use of ATTRIB commands, this information can be retained in the ZIP archive for use during UNZIP processing to reconstruct the cluster.
VIEWDETAIL of a KSDS in an Archive
The following VIEWDETAIL shows the ZIP result of a KSDS file:
-ACTION(VIEWDETAIL)
ZPAM030I INPUT Archive opened: PKWARE.MVS.IVP.TEMP
ZPAM560I ARCHIVE FASTSEEK processing is disabled.
ZPAM014I 1 file(s) are in the input Archive.
ZPAM012I ZIP comment: SecureZIP for zSeries by PKWARE
ZPAM013I ******************************************************************
ZPAM001I Filename: RCE/MVS810/IVP/KSDS
ZPAM002I File type: BINARY SAVED_LRECL (RDW)
ZPAM003I Date/Time: 18-FEB-2005 08:48:00
ZPAM004I Compression Method: Deflate- Super Fast
ZPAM005I Compressed Size: 64
ZPAM006I Uncompressed Size: 252
ZPAM007I 32-bit CRC: 874B6B6A LHDR Offset: 0
ZPAM008I Created by: PK zSeries 8.1
ZPAM009I Needed to extract: ZipSpec 2.0
ZPAM301I File Type: VSAM
ZPAM307I File Record Size: 100
ZPAM308I File Block Size: 0
ZPAM309I File Volume(s) Used: SUP001
ZPAM331I VSAM Cluster Type: INDEXED
ZPAM331I VSAM Cluster Catalog Name: SYSC.USERCAT.VSYSVOL
ZPAM331I VSAM Cluster Erase: ERASE
ZPAM331I VSAM Cluster Format: INDEXED
ZPAM331I VSAM Cluster Free CI Space %: 33
ZPAM331I VSAM Cluster Free CA Space %: 10
ZPAM331I VSAM Cluster Imbed: NOIMBED
ZPAM331I VSAM Cluster Key Length: 19
ZPAM331I VSAM Cluster Key Position: 0
ZPAM331I VSAM Cluster Ordered: UNORDERED
ZPAM331I VSAM Cluster Avg. Record Size: 80
ZPAM331I VSAM Cluster Max. Record Size: 100
ZPAM331I VSAM Cluster Recovery/Speed: RECOVERY
ZPAM331I VSAM Cluster Replicate: NREPL
ZPAM331I VSAM Cluster Spanned: NONSPANNED
ZPAM332I VSAM Data Name: RCE.MVS810.IVP.KSDS.DATA
ZPAM332I VSAM Data Type Space: CYL
ZPAM332I VSAM Data Primary Space: 5
ZPAM332I VSAM Data Secondary Space: 2
ZPAM332I VSAM Data Buffer Space: 37376
ZPAM332I VSAM Data CI Size: 18432
ZPAM332I VSAM Data Reuse: REUSE
ZPAM332I VSAM Data Share Options: 1,3
ZPAM332I VSAM Data Volume: SUP001
ZPAM333I VSAM Index Name: RCE.MVS810.IVP.KSDS.INDEX
ZPAM333I VSAM Index Type Space: TRK
ZPAM333I VSAM Index Primary Space: 1
ZPAM333I VSAM Index Secondary Space: 1
ZPAM333I VSAM Index CI Size: 512
ZPAM333I VSAM Index Reuse: REUSE
ZPAM333I VSAM Index Share Options: 1,3
ZPAM333I VSAM Index Volume: SUP001
ZPAM013I ************************************************************************
ZPAM140I FILES: VIEWED EXCLUDED BYPASSED IN ERROR
ZPAM140I 1 0 0 0
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)
******************************** BOTTOM OF DATA *********************************
Extracting Data into a VSAM File

Before extracting data from a ZIP archive, it is helpful to know what file name and file attributes are stored for the compressed file. VIEWDETAIL can be used on the archive to verify this information.

Unless SAVE_FILE_ATTRIBUTES(NONE) is specified, the PKZIP program saves the cluster definition information in the archive directory. When the SECUNZIP program is run to dynamically recreate the file during EXTRACT processing, it uses the stored file characteristics to define the cluster unless they are overridden in the control cards. (This includes volume information, so archives being transferred from one system to another, or being restored from an older environment, may require VSAM_DATA_VOLUMES override commands to avoid allocation failures on volumes that do not exist on the target system.)

Take care when defining or overriding VSAM cluster specifications. Items such as MAX LRECL (the second parameter of VSAM_RECORDSIZE) must be correct for the PKZIP program to UNZIP the data to the target cluster correctly.

When extracting records for insertion into a VSAM cluster, the PKZIP program opens the cluster in Load-Mode and attempts a sequential insert strategy. However, if a record key is rejected by VSAM PUT because it is out of sequence, the PKZIP program switches to a direct-insert strategy for all subsequent records. This has two possible negative consequences:
• Performance may be severely impacted for large files.
• Because VSAM handles CI and CA splits differently for direct inserts, the cluster may expand beyond the anticipated space requirements, requiring a subsequent re-org, or the extraction may fail due to space constraints.

For these reasons, if a large file is being extracted to a keyed VSAM cluster and the source data is not known to be in key sequence, the following procedure is recommended:
1. Extract the file to a sequential dataset.
2. Sort the sequential file by the key field.
3. Use IDCAMS REPRO to load the target cluster.

Standard VSAM PUTs are performed during UNZIP operations, so VSAM operating characteristics and limitations will be encountered (such as those found during IDCAMS REPRO processing). A common occurrence is that the defined VSAM CLUSTER does not have sufficient space to load the data because of its FREESPACE designations. PKZIPz reports the VSAM error and reason code information when these events occur.
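The three-step procedure recommended above (extract to a sequential data set, sort on the key, REPRO into the cluster) as one job. This is an added example, not JCL from the PKWARE manual. It assumes that the archive HLQ.ARCHIVE.ZIP holds the IVP cluster used in the DEFINE CLUSTER example later in this chapter (KEYS(10 4), RECSZ(80 100), defined with REUSE), that the archive filename of that cluster is PKWARE/MVS/IVP/KSDS, that the target cluster PKWARE.MVS.IVP.KSDS has already been defined, that DFSORT is available as PGM=SORT, and that HLQ is replaced by a real high-level qualifier.

```jcl
//* Step 1: extract the archived VSAM data to a plain sequential
//* data set instead of letting PKUNZIP load the cluster directly.
//* (Added example; data set names and the archive filename are
//* assumed, not taken from the manual.)
//UNZIPSEQ EXEC PGM=PKUNZIP
//SYSPRINT DD SYSOUT=*
//* RECSZ(80 100) is variable length: LRECL = max record + 4 (RDW).
//SEQOUT   DD DSN=HLQ.KSDS.SEQ,DISP=(NEW,CATLG,DELETE),
//            UNIT=SYSDA,SPACE=(CYL,(5,2),RLSE),
//            DCB=(RECFM=VB,LRECL=104,BLKSIZE=0)
//SYSIN    DD *
-ARCHIVE(HLQ.ARCHIVE.ZIP)
-ACTION(EXTRACT)
-OUTFILE_DD(SEQOUT)
PKWARE/MVS/IVP/KSDS
/*
//* Step 2: sort on the key. KEYS(10 4) is a 10-byte key at data
//* offset 4; for RECFM=VB the 4-byte RDW precedes the data, so the
//* DFSORT position is 4 + 4 + 1 = 9. DFSORT takes the SORTOUT
//* attributes from SORTIN, so no DCB is coded on SORTOUT.
//* COND=(4,LT) skips the step if any earlier step ended with RC > 4.
//SORTKEY  EXEC PGM=SORT,COND=(4,LT)
//SYSOUT   DD SYSOUT=*
//SORTIN   DD DSN=HLQ.KSDS.SEQ,DISP=SHR
//SORTOUT  DD DSN=HLQ.KSDS.SORTED,DISP=(NEW,CATLG,DELETE),
//            UNIT=SYSDA,SPACE=(CYL,(5,2),RLSE)
//SYSIN    DD *
  SORT FIELDS=(9,10,CH,A)
/*
//* Step 3: load the cluster sequentially. REUSE on REPRO resets a
//* REUSE-defined cluster to empty before loading, the same effect the
//* OVERWRITE + VSAM_REUSE(Y) combination has during an UNZIP.
//LOADKSDS EXEC PGM=IDCAMS,COND=(4,LT)
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  REPRO INDATASET(HLQ.KSDS.SORTED) -
        OUTDATASET(PKWARE.MVS.IVP.KSDS) -
        REUSE
/*
```

Because the cluster is loaded by IDCAMS rather than by the SECUNZIP program, it is not recreated from the attributes stored in the archive; define it beforehand (the DEFINE CLUSTER that PKZIPz generates, shown under "To Create a New VSAM File", is a suitable template). Check the SYSPRINT of the IDCAMS step for the VSAM return and reason codes if the load fails on space.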
To Overwrite a Current VSAM File

When extracting a compressed file to an existing VSAM file, it may be desirable to overwrite the existing file. Use the OVERWRITE command together with VSAM_REUSE to make the compressed file replace the current file. File attributes are not changed when a file is overwritten, so you must ensure that the compressed file is compatible with the file being overwritten.
Note: In accordance with IBM’s rules for REUSABLE clusters, the target cluster must have been defined with the REUSE attribute, otherwise, the open for the file will terminate with the message “ZPFM071E VSAM OPEN Error 000000E8 for File(ddname) A(vsam_cluster_name).”
-ACTION(EXTRACT) -OVERWRITE -VSAM_REUSE(Y) filename_to_be_restored
To Restore a Compressed VSAM File PKZIPz retains the attributes of a VSAM cluster in the ZIP archive unless otherwise specified. Upon extraction, the file attributes are used to recreate the VSAM file if there is not already an existing file. File attributes can be overridden during extraction by use of commands beginning with VSAM_, VSAM_DATA_, and VSAM_INDEX_ as appropriate.
To Create a New VSAM File A VSAM file can be created from a ZIP file even though the file was not originally a VSAM file, or the file attributes were unknown. By using the MAKEVSAM command, along with any suitable VSAM_… commands, a new VSAM file is created with the appropriate VSAM file attributes. Using a combination of archive file attributes, the ACZDFLT module defaults and any SYSIN command overrides, PKZIPz generates command input to IDCAMS similar to the example below.
DEF CL(NAME(PKWARE.MVS.IVP.KSDS) INDEXED -
       BUFSP(37376) CISZ(18432) -
       ERASE FSPC(33 10) NONSPANNED REUSE NOWRITECHECK -
       RECSZ(80 100) SHR(1,3) -
       VOL(TSO001 -
       ) -
       NOIMBED NREPL RECOVERY -
       KEYS(10 4) -
       ) -
    DATA(NAME(PKWARE.MVS.IVP.KSDS.DATA) -
       CYL(5 2) ) -
    INDEX(NAME(PKWARE.MVS.IVP.KSDS.INDEX) -
       TRK(6 3) -
       CISZ(512) -
       )

Note: PKZIPz may default selected commands from the ACZDFLT module, while IDCAMS may default some file attributes when they are not specified.
Managing a VSAM ZIP Archive A VSAM Zip archive supports the ESDS format. The ARCHDSORG(VS) command is used to create the archive. See pkware.mvs.INSTLIB(IVPVSAM) for an example of creating a VSAM archive. Archive VSAM allocation specifications may be changed by using the ARCHIVE_…and VSAM_…commands. The Access Method Services section of the IBM Manual on the DEFINE CLUSTER command may be consulted for more information.
To Update a VSAM ESDS ZIP Archive To update a VSAM ZIP archive, PKZIPz creates a new ZIP archive and then deletes the previous archive. If either ARCHTO or ARCHFOR commands were used when the archive was originally created, a problem may occur during the deletion process, as the retention period for the VSAM ZIP archive may still be in operation.
To Process “Sparse” RRDS Files PKZIPz uses the same process as IDCAMS REPRO to process VSAM RRDS files that contain unused “slots.” In copying the RRDS to a sequential data set, the missing slots are treated as nonexistent. If an RRDS is later created, any missing slots are not included in the new file. As a result, the slot number of some of the copied records may be different from the original. PKZIPz correctly recreates only those RRDS files with no interspersed empty slots. Variable length and fixed length RRDS files are both processed with this constraint.
Unsupported File Types PKZIPz does not directly support alternate index files or paths. A VSAM alternate index can be managed in two ways. One option (recommended) is to process the base cluster and recreate the alternate index at the time of extraction. The other option is to copy the data to another supported data set type using the alternate index, and then compress the copy. On extraction, reverse the process. This approach maintains the data in the ZIP archive in the same order as it was contained in the alternate index.
Magnetic Tapes and Cartridges
PKZIPz can process cataloged tape files using file names (as specified in the table at the beginning of this chapter) or a DD statement. When an output file or a non-label tape file is defined by a DD statement, that DD statement must include DCB information.
Copying a Tape-Based Archive to a Disk File To enhance performance, PKZIPz can use a temporary data set as an interim measure when reading a ZIP archive from an existing cartridge or tape based archive (governed by the STAGE_TAPE_ON_DISK(Y) command). This will be the normal method for reading a tape (3420).
TEMP commands are used to specify the size and format of the temporary data set. If default size options are chosen or if the ZIP archive is very large, it is possible that the temporary data set may not be large enough for the entire ZIP archive. This situation produces x37 abend errors, and invalidates the temporary data set, causing PKZIPz to process the file directly.
Note: Specifically, “tape” refers to Magnetic Tape (3420 style) or Magnetic Cartridge (3480/3490 style). Unless differentiated in the context, the information in this chapter refers to both tape and cartridge.
The //ARCHTEMP DD is used for this procedure. Normally, PKZIPz dynamically allocates this file; however, the DD statement can be coded directly in the JCL to give manual control over the allocation of the staging file. Alternatively, the ARCHTEMP file may be allocated as a permanent data set. Using these techniques, the following additional benefits can be obtained:
• The permanently staged archive can be used as a backup copy, for example to maintain GDGs of the archive in a "before" picture.
• The disk-based archive is retained for subsequent processing runs.
More information may be found in Chapter 10 in the section on the command STAGE_TAPE_ON_DISK.
Compressing Data from Tape

PKZIPz processes cataloged standard-label tape files just like disk files (namely, either through data set selection control cards or DD statements with INFILE). However, the file attributes stored in the archive for such a file are limited to information such as LRECL, BLKSIZE, and RECFM. When extracting such files to disk, OUTFILE_ commands should be provided, either as commands or in the defaults module, to specify proper space allocation information.

MULTI_THREAD_LIMIT(1) is required when there are multiple file data sets on one tape volume. For example, assume the following files are on tape cartridge ZIP000: ZIP.FILE.TEST1 with LABEL=1, ZIP.FILE.TEST2 with LABEL=2, and ZIP.FILE.TEST3 with LABEL=3. To compress these files you must specify MULTI_THREAD_LIMIT(1); otherwise a second subtask attempts to allocate the volume that the first subtask is already using, and you will receive this DARC error:
Dynamic Allocation error (0220) for {ZIP.FILE.TEST2
DARC: Requested volume not available. Ref. IKJ56221I
Non-labeled Tapes (NL) Non-label tapes do not contain DCB information that is necessary for PKZIPz to process the compression (such as, RECFM, LRECL, and BLKSIZE). This is not an issue when using standard-labeled tapes, as the information is coded in the label. It is imperative that the required information be included in the DD statement, as shown in the example below, otherwise standard system OPEN abends will result.
//TAPEIN DD DISP=OLD,DSN=my.tape.file,UNIT=TAPE,
//          DCB=(RECFM=FB,LRECL=80,BLKSIZE=32720),
//          LABEL=(1,NL)
//SYSIN DD *
-ARCHIVE(my.archive)
-INFILE(TAPEIN)
Restriction: Non-label (NL) tape data sets should not be selected via control cards, because the DCB information cannot be obtained for the file.
File Attributes The minimal file attributes that are stored for tapes when compressed are DSORG, RECFM, LRECL, and BLKSIZE. These are apparent in the example of archive detail as shown below:
VIEWDETAIL Display
ZPAM012I ZIP comment: SecureZIP for zSeries by PKWARE Inc.
ZPAM013I **************************************************************
ZPAM001I Filename: userid/TEST/TAPE
ZPAM002I File type: TEXT
ZPAM003I Date/Time: 18-FEB-2005 08:48:00
ZPAM004I Compression Method: Deflate- Super Fast
ZPAM005I Compressed Size: 34
ZPAM006I Uncompressed Size: 247
ZPAM007I 32-bit CRC: 9EBBDFBB
ZPAM008I Created by: PK zSeries 8.1
ZPAM009I Needed to extract: ZipSpec 2.0
ZPAM301I File Type: NONVSAM SEQUENTIAL
ZPAM303I File Record Format: FB
ZPAM307I File Record Size: 80
ZPAM308I File Block Size: 6160
ZPAM309I File Volume(s) Used: SC0016
ZPAM310I File Creation Date: 2005/02/18
ZPAM311I File Referenced Date: 2005/02/18
Extracting Data onto Tape

PKZIPz requires these steps to extract data onto tape:
• Specify the ZIP file to extract using an appropriate file selection.
• Use a DD statement to specify the tape data set you are extracting to, being sure to include DCB information.
• Use the OUTFILE_DD command to extract the ZIP file onto the tape data set named by that DD statement.

Restriction: Only one OUTFILE_DD command can be used per job. It is recommended that data sets be extracted to tape one at a time.
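The three steps above as a complete job. This is an added example, not JCL from the PKWARE manual; the archive name HLQ.ARCHIVE.ZIP, the output data set name and the tape unit name are assumed, and the archived file userid/TEST/TAPE is taken to be the FB, LRECL 80 file shown in the VIEWDETAIL display above.

```jcl
//* Added example: restore one archived file to a new standard-label
//* tape. PKUNZIP writes through the DD named by OUTFILE_DD, so the
//* DCB attributes of the output tape file must be coded on the DD.
//EXTTAPE  EXEC PGM=PKUNZIP
//SYSPRINT DD SYSOUT=*
//* DISP third subparameter DELETE: an abending step does not leave a
//* partially written tape file cataloged.
//TAPEOUT  DD DSN=HLQ.RESTORED.TAPEDATA,DISP=(NEW,CATLG,DELETE),
//            UNIT=TAPE,LABEL=(1,SL),
//            DCB=(RECFM=FB,LRECL=80,BLKSIZE=32720)
//SYSIN    DD *
-ARCHIVE(HLQ.ARCHIVE.ZIP)
-ACTION(EXTRACT)
-OUTFILE_DD(TAPEOUT)
userid/TEST/TAPE
/*
```

Exactly one filename is selected because only one OUTFILE_DD can be used per job; selecting several files (or none, which PKUNZIP treats as "all files") would direct them all at the same tape DD. The filename is matched case-sensitively, so it must be coded as VIEWDETAIL shows it.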
Managing a ZIP Archive on Tape PKZIPz can read or write ZIP archives on tape. Use the ARCHIVE_INFILE and ARCHIVE_OUTFILE commands to specify the tape to be processed.
To Process Multiple-Volume Tape Archives

A tape archive contains information at the end of the tape that is necessary for PKZIPz processing. PKZIPz scans the tape until it finds this information and then returns to the beginning of the tape to begin processing. Because this requires accessing the tape at least twice, consider one of the following options to reduce the impact of the tape handling:
• Mount all the required tapes at once. This can be done by specifying the unit count parameter on the DD statement (keyword UNIT). For example, if two tape units are to be allocated, the DD statement would read UNIT=(TAPE,2), ensuring that both volumes of a 2-volume archive are mounted. The UNIT= parameter for any tape file must match the devices defined for the local system; contact the systems programming staff at the installation for information regarding these units and the standards for their use.
• Copy the tape archive to a disk file and process the disk copy instead of the tape.
• Use the TAPETODISK command of SecureZIP for zSeries to copy the archive to disk.
To Compress Data into a ZIP Archive on Tape With the ARCHIVE_OUTFILE command, PKZIPz compresses data into a ZIP archive residing on tape. Use a DD statement to specify the new tape-based archive data set and include necessary DCB information. The ARCHIVE_OUTFILE command replaces any ARCHIVE_… commands intended to dynamically create an archive, and directs PKZIPz to create the ZIP archive on the tape data set as specified by the name in the DD statement.
//ARCHOUT DD DSN=hlq.archive.zip,UNIT=tape1,DISP=(NEW,CATLG),
//           DCB=(RECFM=FB,LRECL=32760,BLKSIZE=32760),LABEL=(1,SL)
//SYSIN DD *
-ARCHIVE_OUTFILE(ARCHOUT)
To View a Tape-Based Archive

Tape-based archives may be viewed in the same way as disk-based archives. You can use either a DD statement referenced by ARCHIVE_INFILE (with appropriate DCB information if the tape file is non-label) or a cataloged standard-label tape referenced by the ARCHIVE command.

Restriction: Some data centers do not allow dynamic allocation of tape data sets. In this case, use ARCHIVE_INFILE with a DD statement.

Processing Hint: If you intend to VIEW the archive and later process it for extraction, you can save the time of re-processing the tape volume(s) by specifying STAGE_TAPE_ON_DISK(Y) together with an //ARCHTEMP DD statement that directs the SECUNZIP program to create a permanent disk copy of the archive for subsequent processing, for example:
//ARCHTEMP DD DSN=permanent_dsn,DISP=(NEW,CATLG),UNIT=disk_device
The disk archive can then be used for the EXTRACT (or for further VIEWing with ISPF).

The sample JCL below demonstrates the creation of a ZIP archive on tape, followed by a step to view the cataloged tape data set.
//ZIPIT    EXEC PGM=PKZIP
//SYSPRINT DD SYSOUT=*
//ARCHOUT  DD DSN=&SYSUID..TAPE.ZIP,
//            DISP=(NEW,CATLG),
//            UNIT=(3490,,DEFER),
//            LABEL=(1,SL),
//            DCB=(RECFM=FB,LRECL=32760,BLKSIZE=32760)
//SYSIN    DD *
-ARCHIVE_OUTFILE(ARCHOUT)
-ACTION(ADD)
PKWARE.MVS.INSTLIB(DATASEQ1)
/*
//VIEWIT   EXEC PGM=PKUNZIP
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
-ARCHIVE(&SYSUID.TAPE.ZIP)
-ACTION(VIEW)
/*
To Extract Data from a Tape-Based Archive

A tape-based archive can be specified via ARCHIVE_INFILE (along with the necessary DCB information on the associated DD statement for a non-label data set) or with ARCHIVE for a cataloged standard-label data set.

Performance note: Processing a tape-based archive may be faster when STAGE_TAPE_ON_DISK(Y) is specified, for two reasons:
• The architecture of a ZIP archive (on all platforms, for all PKZIP 5.x products and newer) places the central file directory at the end of the archive. This is also where some important file information is kept (such as whether the file is text needing translation, or binary). Therefore, the SECUNZIP program must read the end of the archive before scheduling the processing of the files, and then rewind and read from the beginning.
• Because of the serial nature of the tape media, only one task can be used to EXTRACT the data. When many non-partitioned files are selected for processing, multi-tasking may be beneficial with a disk-based archive.
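The staging approach described in the viewing and extraction sections above, as one job that reads a two-volume tape archive once and then works from the disk copy. This is an added example, not JCL from the PKWARE manual. It assumes that ARCHIVE_INFILE takes a ddname in the same way ARCHIVE_OUTFILE does in the examples above, that the tape archive HLQ.TAPE.ZIP is cataloged, that TAPE and SYSDA are valid unit names at the installation, and that the DCB values used for the tape archive example above are also appropriate for the disk copy.

```jcl
//* Added example (not from the manual): read a cataloged 2-volume
//* tape archive once, staging it to a permanent disk copy, then
//* extract from the disk copy in a second step.
//VIEWTAPE EXEC PGM=PKUNZIP
//SYSPRINT DD SYSOUT=*
//* Unit count 2 mounts both volumes at once (see the multi-volume
//* section above); the device name must match the installation.
//ARCHIN   DD DSN=HLQ.TAPE.ZIP,DISP=OLD,UNIT=(TAPE,2),LABEL=(1,SL)
//* Permanent staging copy. Size it for the whole archive: an x37 on
//* ARCHTEMP discards the staged copy and PKUNZIP falls back to
//* reading the tape directly. DCB values are assumed, copied from
//* the tape archive example above.
//ARCHTEMP DD DSN=HLQ.TAPE.ZIP.STAGED,DISP=(NEW,CATLG,DELETE),
//            UNIT=SYSDA,SPACE=(CYL,(100,50),RLSE),
//            DCB=(RECFM=FB,LRECL=32760,BLKSIZE=32760)
//SYSIN    DD *
-ARCHIVE_INFILE(ARCHIN)
-STAGE_TAPE_ON_DISK(Y)
-ACTION(VIEW)
/*
//* The second step never touches the tape; it runs only if the first
//* step ended with RC 4 or lower. No file selection means PKUNZIP
//* processes every file in the archive.
//EXTDISK  EXEC PGM=PKUNZIP,COND=(4,LT)
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
-ARCHIVE(HLQ.TAPE.ZIP.STAGED)
-ACTION(EXTRACT)
/*
```

After the job, HLQ.TAPE.ZIP.STAGED remains cataloged and can serve as the disk-based backup copy mentioned in the ARCHTEMP discussion; subsequent EXTRACT runs can use it with multi-tasking rather than re-reading the tape.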
To Update Files in a Tape-Based Archive PKZIPz requires the use of a new tape to update files residing on a tape-based archive. For this, ARCHIVE_INFILE and ARCHIVE_OUTFILE must be used. The input and output archives do not need to both be of the same media type (one may be disk and the other tape).
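An update of a tape-based archive onto a new tape, as an added example that is not JCL from the PKWARE manual. It assumes that ARCHIVE_INFILE takes a ddname (as ARCHIVE_OUTFILE does in the examples above), that HLQ.TAPE.ZIP is a cataloged standard-label archive, that PKWARE.MVS.INSTLIB(DATASEQ1) is the member being refreshed, and that two tape units are available to the job.

```jcl
//* Added example (not from the manual): update a tape-based archive.
//* PKZIP reads the old archive through ARCHIN and writes a complete
//* new archive through ARCHOUT; the input tape is not modified.
//UPDTAPE  EXEC PGM=PKZIP
//SYSPRINT DD SYSOUT=*
//ARCHIN   DD DSN=HLQ.TAPE.ZIP,DISP=OLD,UNIT=TAPE,LABEL=(1,SL)
//* Deferred mount: the output drive is not needed until PKZIP opens
//* the new archive. DELETE on abend avoids cataloging a partial tape.
//ARCHOUT  DD DSN=HLQ.TAPE.ZIP.NEW,DISP=(NEW,CATLG,DELETE),
//            UNIT=(TAPE,,DEFER),LABEL=(1,SL),
//            DCB=(RECFM=FB,LRECL=32760,BLKSIZE=32760)
//SYSIN    DD *
-ARCHIVE_INFILE(ARCHIN)
-ARCHIVE_OUTFILE(ARCHOUT)
-ACTION(UPDATE)
PKWARE.MVS.INSTLIB(DATASEQ1)
/*
```

The input archive is left intact, so the old tape is the fallback if the new one is unusable; which of the two data sets is treated as the current archive afterwards is a catalog-management decision (renaming, or a GDG as suggested for ARCHTEMP), not something PKZIP does. The same job works with a disk data set on either ARCHIN or ARCHOUT, since the two archives need not share a media type.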
10 Commands
This chapter describes the commands used by the PKZIPz programs. PKZIPz can perform various actions in conjunction with the use of the following commands and modifiers:
[-ACTION(ADD|COPY|DELETE|EXTRACT|FRESHEN|UPDATE|VIEW)]

ACTION(ADD) is the default action for ZIP processing, and ACTION(EXTRACT) is the default for UNZIP if none of the above actions is explicitly specified. The actions ADD, COPY, DELETE, FRESHEN, and UPDATE all make logical changes to an archive, while EXTRACT and VIEW only read an existing archive. Each of the actions requires a ZIP archive to process, so the following commands must always be specified: -ARCHIVE_DSN(
Command Syntax
• Command strings and filenames are separated by either a blank or a semi-colon ";" delimiter.
• Non-blank characters found in a command buffer that are not identified as a command or comment are treated as a filename selection.
• Comments are currently supported when column 1 of an input buffer is an asterisk "*".
• Commands are identified by a hyphen "-" either in the first column of a non-continued line, or immediately following a blank or semi-colon. Unpredictable results will occur when unidentified characters are found in the input stream (depending on their location in the command structure).
• Command names are accepted in mixed case.
• Command values which have specifically listed options are translated to upper case to facilitate case-insensitive coding.
• Only selected command values which are free-form in nature, for example MVS file names, are translated to upper case. Others, for example internal ZIP filenames, retain case sensitivity.
• Filename selections are case-sensitive.
File Selections vs. Commands
A PKZIPz command is indicated by placing a "-" (hyphen) character in front of a valid command string. If no "-" character is found at the start of a sequence of characters, the characters are interpreted to be part of a file selection for ZIP or UNZIP processing.

When selecting files for SECUNZIP processing, keep in mind that, due to the heterogeneous nature of ZIP archives, filenames are handled with mixed case. This means that filename selection statements should be coded to match the filename exactly.

When selecting files for SECUNZIP processing, quote (") delimiters are required when there is an embedded blank in the filename to be selected. For example:
"My Documents/readme.txt"
Quote delimiters can also be used when a filename begins with a hyphen (-), to avoid confusion with command syntax.

If no file selection is specified for ZIP processing, the PKZIP program assumes that there are no files to be added or updated and outputs an error message. The PKUNZIP program assumes that all files in the archive are to be processed.
&SYSUID

When specifying data set names in commands or filename specifications within the command input stream, the reserved word &SYSUID can be used to represent the 1-7 character user name that the operating system supplies in the address space control block extension for the execution. PKZIPz performs the substitution in the command string before continuing processing. By using this notation, a generic set of commands can be set up to perform archiving operations for various users. For example:
-ARCHIVE_DSN(&SYSUID.MY.ZIPS(SOURCE))
&SYSUID.MY.COBOL(*)
Summary of Available Commands
The commands listed below are available in both the PKZIP and PKUNZIP programs. Information specific to individual commands appears later in this chapter, in the section “Command Details.” A notation of SZ in the PKZIP or PKUNZIP column of the table indicates that the command or setting is available only with SecureZIP for zSeries.
COMMAND  DESCRIPTION  PKZIP  PKUNZIP
(One command per entry. The marks at the end of each description reproduce the PKZIP and PKUNZIP availability columns of the table; SZ marks a SecureZIP for zSeries command, as noted above.)

-ARCHIVE_MGMTCLASS  Specifies the DF/SMS management class to be used for a new or updated ZIP archive.  •
-ARCHIVE_OUTFILE  Specifies a DD statement describing the archive to be output by ZIP processing.  •
-ARCHIVE_RECFM  Specifies the record format of a new or updated ZIP archive.  •
-ARCHIVE_SPACE_MULTIVOL  Controls multi-volume allocation of the archive data set.  •
-ARCHIVE_SPACE_PRIMARY  Specifies the number of allocation units in the primary extent of a new or updated ZIP archive.  •
-ARCHIVE_SPACE_RLSE  Specifies whether free space should be released when the ZIP archive is de-allocated.  •
-ARCHIVE_SPACE_SECONDARY  Specifies the number of allocation units in the secondary extent of a new or updated ZIP archive.  •
-ARCHIVE_SPACE_TYPE  Specifies how space is to be allocated for a new or updated ZIP archive.  •
-ARCHIVE_STORCLASS  Specifies the DF/SMS storage class for a new or updated ZIP archive.  •
-ARCHIVE_TIMESTAMP  Specifies which Date/Time option to use in setting the timestamp of a created ZIP file.  •
-ARCHIVE_UNIT  Specifies the generic unit for allocation of a new or updated ZIP file.  •
-ARCHIVE_VOLUMES  Specifies the volume(s) for allocation of a new or updated ZIP archive.  •
-ATTRIB_COMPATIBILITY  Governs the type of extended attributes that are stored in the archive.  •
-AUTHCHK  Activates digital signature authentication for the archive Directory or Files.  •SZ
-CALLMODE  Internal environmental interfacing command.  • •
-CHECK_SYSIN_MEMBER  Verifies a command input stored in a PDS or PDSE member.  • •
-COMPRESSION_LEVEL  Specifies speed and compression level when Zipping a file.  •
-COMPRESSION_METHOD  Specifies the compression algorithm to use when compressing a file.
-CRLF  Controls the use of record delimiters and an optional file terminator.  • •
-DATA_DELIMITER  Specifies the delimiter(s) to be used at the end of each text record of the file.  • •
-DATA_STORAGE  Specifies the amount of cache memory used in ZIP processing.  • •
-DATA_TRANS_API_ERRLIM  Unused at this time.  •
-DATA_TRANS_API_ERROR  Intended action when a user API program error occurs.  •
-DATA_TRANS_API_LANGUAGE  Programming language/linkage used for the DATA_TRANS_API user program.  •
-DATA_TRANS_API_NAME  Load module name of the User program used to modify data records during PKZIP processing.  •
-DATA_TRANS_API_PARM  Data string to be passed to the User API program.  •
-DATA_TRANS_API_TRACE  Tracing level for API operation.  •
-DATA_TRANS_API_WORKSIZE  Size of the persistent work area provided by PKZIP to the user program.  •
-DATA_TYPE  Specifies that selected files for compression are binary or text. (Can be dynamically detected.)  • •
-DATATYPE_DETECT_DEPTH  Specifies the distance that a file is scanned before making a determination between binary or text.  • •
-DATATYPE_DETECT_TABLE  Specifies the table of characters used to assess whether a byte is text or binary.  • •
-DATATYPE_TEXT_PERCENT  Specifies the percentage of the sample that must meet the "text" criteria before it will be TEXT.  • •
-DDNAME_PARMLIB  Specifies the DDname to use for command input (prior to SYSIN).  • •
-DDNAME_SYSIN  Specifies the DDname to use for command input (unless -NOSYSIN is specified).  • •
-DDNAME_SYSPRINT  Specifies the DDname to be used for PKZIPz messages.  • •
-DDNAME_ZPSORTIN  During -ACTION(VIEW) processing, SORT is called. This internal SORTIN DD is used.  •
-DDNAME_ZPSORTOUT  During -ACTION(VIEW) processing, SORT is called. This internal SORTOUT DD is used.  •
-ECHO  Specifies that a copy of PKZIPz commands should be output to the message dataset.  • •
-ENCRYPT_CERT_LIMIT  Restricts the number of certificates used for each encrypted file.  •
-ENCRYPTION_METHOD  Specifies which encryption algorithm is to be employed.  •
-EXCLUDE(dsname mask)  Specifies which files may be eliminated from being processed using a mask selection.  •
-EXTRACT_PREVIEW  Specifies that a select number of records be processed for previewing the data.  •
-FILE_BUSY_WAITTIME  Specifies how long PKZIPz should wait while continually retrying before it will terminate.  • •
-FILE_EXTENSION  Specifies what to do with an extension.  •
-FILE_TERMINATOR  Specifies the character(s) to be stored (or recognized) at the end of the last record of a file.  • •
-FILENAME_API_ERRLIM  Unused at this time.  •
-FILENAME_API_ERROR  Intended action when a user API program error occurs.  •
-FILENAME_API_LANGUAGE  Programming language/linkage used for the FILENAME_API user program.  •
-FILENAME_API_NAME  Load module name of the User program used to convert archive file names to MVS data set names during EXTRACT processing.  •
-FILENAME_API_PARM  Data string to be passed to the User API program.  •
-FILENAME_API_TRACE  Tracing level for API operation.  •
-FILENAME_API_WORKSIZE  Size of the persistent work area provided by PKUNZIP to the user program.  •
-FILENAME_ENCRYPTION  Perform strong encryption on the archive central directory.  •
-FILENAME_SELECT_CASE  Affects archive filename selection case sensitivity.  •
-GDGALL_SUPPORT  Specifies whether all levels of a Generation Data Group (GDG) are to be retrieved and included in the archive.  •
-GZIP  Specifies that the output archive will be created in GZIP format.  • •
-GZIP_SUFFIX  Specifies the name to be used as the last level of the filename when there is no valid GZIP filename.  • •
-GZIPCRC_IGNORE  Yes/No switch permitting UNZIP processing for a GZIP archive that has superfluous data at the end of the stream due to environmental transfer.  •
-HIERARCHY  Specifies that the full dataset component hierarchy should be used when converting a filename between ZIP archive format and MVS format.  •
-INCLUDE_CMD  Include batched commands from a partitioned library.  • •
-INCLUDE_SFX  Create a self-extracting archive.  •
-INFILE  Specifies what file(s) to compress by identifying a DD statement.  •
-INSERT_MEMBER  Used to add a member to an existing PDS.  •
-KEY_PROTECT_LEVEL  Strength of key protection for advanced encrypted archives.  •SZ
-LDAP_ENCRYPT_CERT_SELECT  Restricts the number or type of certificates used in encrypting a file.  •SZ
-LICENSE_HLQ  Specifies the high level qualifier to be used in locating the License Control Dataset.  • •
-LICENSE_WTO_INFO  Support console message automation for an expiring license. (Specify in the defaults module.)  • •
-LMOD_SUPPORT  Sets the -DATA_TYPE(BINARY), -SAVE_FILE_ATTRIBUTES, and -SAVE_LRECL commands on to allow simultaneous processing of load modules with text files in a PDS.  • •
-LOGGING_LEVEL  Specifies the level (or quantity) of messages output to SYSPRINT.  • •
-MASTER_RECIPIENT  Enables an enterprise to decrypt and access the file(s) when other RECIPIENTs are no longer able or eligible.  •SZ •
-MEMORY_MODEL  Specifies where file management control blocks are held and the amount of storage that can be used for compression control tables.  •
-MULTI_THREAD_LIMIT  Specifies the number of subtasks to be used in compressing datasets.  • •
-NOAPI  The Language Environment CEEPIPI environment associated with User API programs (such as DATA_TRANS_API) will not be initialized.  • •
-NOSYSIN  Specifies that the SYSIN dataset is not opened for commands.  • •
-ON_FILE_ACCESS_ERROR  Specifies the action to take when an access error has occurred.  • •
-ON_FILE_IO_ERROR  Specifies the action to take when an I/O error has occurred.  • •
-OUTFILE_BLKSIZE  Specifies the block size for a newly extracted dataset.  •
-OUTFILE_DATACLASS  Specifies the DF/SMS data class for a newly extracted dataset.  •
-OUTFILE_DD  Specifies what file(s) are to contain the extracted data by identifying a DD statement.  •
-OUTFILE_DIR_BLOCKS  Specifies the directory block amount for a newly extracted dataset.  •
-OUTFILE_DSNTYPE  Determines the type of output file to be created.  •
-OUTFILE_LRECL  Specifies the logical record length for a newly extracted dataset.  •
-OUTFILE_MGMTCLASS  Specifies the DF/SMS management class to be used for a newly extracted dataset.  •
-OUTFILE_OVERWRITE  Specifies overwrite of an existing file or member within a PDS.  •
-OUTFILE_PDS_ENQ  Specifies the level of disposition that will be used for a PDS or PDSE when processing an EXTRACT request.  •
-OUTFILE_RECFM  Specifies the record format of a newly extracted dataset.  •
-OUTFILE_SPACE_MULTIVOL  Controls multi-volume allocation of an output data set during EXTRACT.  •
-OUTFILE_SPACE_PRIMARY  Specifies the number of allocation units in the primary extent of a newly extracted dataset.  •
-OUTFILE_SPACE_RLSE  Specifies whether free space should be released when a newly extracted dataset is de-allocated.  •
-OUTFILE_SPACE_SECONDARY  Specifies the number of allocation units in the secondary extent of a newly extracted dataset.  •
-OUTFILE_SPACE_TYPE  Specifies how space is to be allocated for a newly extracted dataset.  •
-OUTFILE_STORCLASS  Specifies the DF/SMS storage class for a newly extracted dataset.  •
-OUTFILE_UNIT  Specifies the generic unit for allocation of a newly extracted dataset.  •
-OUTFILE_VOLUMES  Specifies the volume(s) for allocation of a newly extracted dataset.  •
-PAD_CHAR  Specifies the character to use to pad fixed length records when extracting.  •
-PAD_VSAM  Specifies that variable length records be padded using the character specified in -PAD_CHAR.  •
-PARMLIB_DSNAME_UNZIP  Specifies the name of the dataset containing the configuration specifications for UNZIP processing.  • •
-PARMLIB_DSNAME_ZIP  Specifies the name of the dataset containing the configuration specifications for ZIP processing.  • •
-PARMLIB_FILE_WAIT_MAX  If the specified -PARMLIB_DSNAME cannot be dynamically allocated, this is the amount of time to wait before terminating.  • •
-PARMLIB_FILE_WAIT_TIMER  If the specified -PARMLIB_DSNAME cannot be dynamically allocated, this is the amount of time to wait before retrying (up to PARMLIB_FILE_WAIT_MAX).  • •
-PASSWORD  Specifies a password to encrypt/decrypt ZIP archive files.  • •
-PATCH_REPORT  Specifies that a report of all patches be produced. See -ACTION.  • •
-PATH  Specifies that only the last component of the dataset component hierarchy should be used when converting a filename between MVS format and ZIP archive format.  •
-PKSUPPRC  A default command that allows the return code to be suppressed.  • •
-PRESERVE_CMD_SPACES  Preserves or removes blanks preceding the "|".  • •
-PROCESS_ALIAS  Specifies whether the alias entries for selected PDS members are to be used.  • •
-RECALL_TO_ZIP  Specifies whether DFHSM recall of datasets should occur.  •
-RECIPIENT  Identifies the eligible party that may decrypt the file(s).  •SZ •
-RECURSE_LEVELS  Specifies whether or not data components beyond those specified should be used in matching with your selection.  •
-SAVE_FILE_ATTRIBUTES  Specifies where file attributes should be stored for datasets in the zip archive: in the central directory only, the Local Directory, both directories, or neither directory.  • •
-SAVE_LRECL  Compress/decompress a binary file with variable record lengths.  • •
-SECUREZIP_CONFIG  Specifies a member that contains the cert store configuration commands to be included during processing. (Specify in the defaults module.)  • •
-SELECT_CATALOGED_ALIAS  Specifies whether aliases are to be supported at the time of zipping.  •
-SELECT_FROM_PDS  Specifies a PDS dataset from which PKZIPz can obtain members to match user selection parameters that do not match any other dataset.  • •
-SELECT_TAPE  Specifies whether tape files are to be retrieved and included in the archive.  •
-SET_ERROR_RC  Specifies a firm return code to be passed to the system when an error has been detected.  • •
-SHOW_SETTINGS  Displays all current command settings.  • •
-SIGN_ARCHIVE  Generates a digital signature for the archive central directory.  •SZ
-SIGN_FILES  Generates a digital signature for the files added to an archive.  •SZ
-SIGN_HASHALG  Specifies which hashing algorithm to use when requesting a signing operation.  •SZ
-SIGNAL_ZIP64  Specifies return code control when engaging ZIP64 extensions.  •
-SIMULATE  Simulates file selection processes, but does not perform actual data manipulation for the files selected.  • •
-SNAP_SYSOUT_CLASS  Specifies the SYSOUT class to be used for SNAP dumps (reserved for future use).  • •
-STAGE_TAPE_ON_DISK  Specifies that input from a sequential device be stored in a temporary dataset.  • •
-STRIP_CHAR  Specifies an ending character to be removed from the end of each record before it is zipped.  •
-SUPPRESS_DYNALLOC_MSGS  Specifies that the dynamic allocation messages in the job log be suppressed.  • •
-SYSPRINT_DCB  Specifies the DCB record format to be used for SYSPRINT listings.  •
-SYSPRINT_SYSOUT_CLASS  Specifies the JES SYSOUT class that will be used for the SYSPRINT listing.  • •
-TEMP_BLKSIZE  Specifies the block size of a temporary PKZIPz dataset.  • •
-TEMP_DATACLASS  Specifies the DF/SMS data class to be used for a temporary ZIP dataset.  • •
-TEMP_MGMTCLASS  Specifies the DF/SMS management class to be used for a temporary file allocation.  • •
-TEMP_RECFM  Specifies the record format for a temporary ZIP dataset.  • •
-TEMP_SPACE_MULTIVOL  Controls multi-volume allocation of temporary work files.  • •
-TEMP_SPACE_PRIMARY  Specifies the number of space units to be used in the primary extent of a temporary ZIP dataset.  • •
-TEMP_SPACE_SECONDARY  Specifies the number of space units to be used in the secondary extent of a temporary ZIP dataset.  • •
-TEMP_SPACE_TYPE  Specifies how space is to be allocated for a temporary ZIP dataset.  • •
-TEMP_STORCLASS  Specifies the DF/SMS storage class to be used for a temporary file allocation.  • •
-TEMP_UNIT  Specifies the unit to be used for allocation of a temporary ZIP dataset.  • •
-TEMP_VOLUMES  Specifies the volume onto which a temporary ZIP dataset should be placed.  • •
-TRACE_TABLE_SIZE  Specifies the size of the internal trace table.  • •
-TRANSLATE_TABLE_DATA  Specifies which translation table to use when converting character sets of text files.  • •
-TRANSLATE_TABLE_FILEINFO  Specifies a translation table to be used with file information such as comments, file names, and control information of a ZIP archive.  • •
-TRANSLATION_MODE  (Reserved for future use.)  • •
-UNZIPPED_DSN  Specifies a different high-level qualifier for an extracted dataset.  •
-VSAM  Specifies whether VSAM files should be used or ignored when selecting files for compression using wildcards.  •
-VSAM_ACCOUNT  Specifies the accounting information to be provided to Access Method Services during a DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.  •
-VSAM_ATTEMPTS  Specifies the number of password attempts that are permitted to Access Method Services during a DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.  •
-VSAM_AUTH_EP  Supplies the entry point of a user security verification routine to Access Method Services during a DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.  •
-VSAM_AUTH_STRING  Supplies a string of information to be passed to your security verification routine by Access Method Services during a DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.  •
-VSAM_BUFFERSPACE  Specifies the BUFFERSPACE parameter to the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.  • •
-VSAM_CATALOG  Specifies the CATALOG parameter to the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.  • •
132
COMMAND DESCRIPTION PKZIP PKUNZIP –VSAM_CISIZE Specifies the CONTROLINTERVALSIZE • • parameter to the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_CLUSTER_TYPE Specifies the file type to the IDCAMS • DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_CODE Supplies a code name for the cluster or • component to Access Methods Services during a DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_CONTROLPW Specifies the CONTROLPW parameter to the • IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_DATA_CISIZE Specifies the CONTROLINTERVALSIZE • • parameter to the data component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_DATA_EXCEPTIONEXIT Specifies the EXCEPTIONEXIT parameter to • • the data component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_DATA_FILE Specifies the FILE parameter to the data • • component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_DATA_NAME Specifies the NAME parameter to the data • component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_DATA_ORDERED Specifies the ORDERED parameter to the • • data component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_DATA_PRIMARY Specifies the primary space allocation value • • to the data component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.
133
COMMAND DESCRIPTION PKZIP PKUNZIP –VSAM_DATA_SECONDARY Specifies the secondary space allocation • • value to the data component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_DATA_SPACE_TYPE Specifies the space allocation type parameter • • to the data component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_DATA_VOLUMES Specifies the VOLUMES parameter to the • • data component of an IDCAMS DEFINE CLUSTER command, used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_DATACLASS Specifies the DF/SMS data class to be used • • for the creation of a new (or update of an existing) VSAM-defined ZIP archive. –VSAM_DUPLICATE_ERROR Specifies the action to be taken on realization • of a duplicate key when creating a new extracted VSAM dataset. –VSAM_ERASE Specifies the ERASE parameter to the • • IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_EXCEPTIONEXIT Specifies the EXCEPTIONEXIT parameter to • • the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_FILE Specifies the FILE parameter to the IDCAMS • DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_FOR Specifies the FOR parameter to the IDCAMS • DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_FREESPACE_CA Specifies the FREESPACE parameter to the • • IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_FREESPACE_CI Specifies the FREESPACE parameter to the • • IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_IMBED Specifies the IMBED parameter of an • IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.
134
COMMAND DESCRIPTION PKZIP PKUNZIP –VSAM_INDEX_ATTEMPTS Specifies the number of password attempts • that are permitted to Access Methods Services during a DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_INDEX_AUTH_EP Supplies the entry point of a user security • verification routine to Access Methods Services during a DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_INDEX_AUTH_STRING Supplies a string of information to be passed • to your security verification routine to Access Methods Services during a DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_INDEX_CISIZE Specifies the CONTROLINTERVALSIZE • parameter to the INDEX component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_INDEX_CODE Supplies a code name for the cluster or • component to Access Methods Services during a DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_INDEX_CONTROLPW Specifies the CONTROLPW parameter to the • index component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_INDEX_EXCEPTIONEXIT Specifies the EXCEPTIONEXIT parameter to • the index component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_INDEX_FILE Specifies the FILE parameter to the index • component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_INDEX_MASTERPW Specifies the MASTERPW parameter to the • index component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. 
–VSAM_INDEX_NAME Specifies the NAME parameter to the index • component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.
135
COMMAND DESCRIPTION PKZIP PKUNZIP –VSAM_INDEX_ORDERED Specifies the ORDERED parameter to the • index component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_INDEX_PRIMARY Specifies the primary space allocation • parameter to the index component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_INDEX_READPW Specifies the READPW parameter to the • index component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_INDEX_SECONDARY Specifies the secondary space allocation • parameter to the index component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_INDEX_SPACE_TYPE Specifies the space allocation type parameter • to the index component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_INDEX_UPDATEPW Specifies the UPDATEPW parameter to the • index component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_INDEX_VOLUMES Specifies the VOLUMES parameter to the • index component of an IDCAMS DEFINE CLUSTER command, used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_KEYS Specifies the KEYS parameter for an • IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_MASTERPW Specifies the MASTERPW parameter to the • IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_MGMTCLASS Specifies the DF/SMS management class to • be used for the creation of a new (or update of an existing) VSAM-defined ZIP archive. –VSAM_MODEL Specifies the MODEL parameter to the • • IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.
136
COMMAND DESCRIPTION PKZIP PKUNZIP –VSAM_ORDERED Specifies the ORDERED parameter to the • IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_OWNER Specifies the OWNER parameter to the • IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_READPW Specifies the READPW parameter to the • IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_RECORDSIZE Specifies the RECORDSIZE parameter to the • • IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_RECOVERY_OPT Specifies the SPEED or RECOVERY • parameter to the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_REPLICATE Specifies the REPLICATE parameter to the • IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_REUSE Specifies the REUSE|NOREUSE parameter • • to the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_SHAREOPTIONS Specifies the SHAREOPTIONS parameter to • • the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_SPACE_PRIMARY Specifies the number of allocation units to be • • allocated in the primary extent of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_SPACE_SECONDARY Specifies the number of allocation units to be • • allocated in the secondary extent of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_SPACE_TYPE Specifies the type of allocation units to be • allocated in the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.
137
COMMAND DESCRIPTION PKZIP PKUNZIP –VSAM_SPANNED Specifies the SPANNED|NONSPANNED • • parameter to the IDCAMS DEFINE CLUSTER command used to create a new (or update anexisting) VSAM-defined ZIP archive. –VSAM_STORCLASS Specifies the DF/SMS storage class to be • used for the creation of a new (or update of an existing) VSAM-defined ZIP archive. –VSAM_TO Specifies the TO parameter to the IDCAMS • • DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_UPDATEPW Specifies the UPDATEPW parameter to the • IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –VSAM_WRITECHECK Specifies the • • WRITECHECK|NOWRITECHECK parameter to the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive. –ZIPPED_DSN Specifies what parameters to use in • converting MVS file names to ZIP file names. –ZIPPED_DSN_SEPARATOR Specifies what separator to use in the new • ZIP archive name.
Command Details
Descriptions of PKZIPz commands are given below in alphabetic sequence. If applicable, synonyms for each command are listed directly below the command.
Note: This command does not use a “–” prefix.
Pathnames may be specified in the and may be either in MVS format (MYFILES.PROJECT.DATA), where periods separate the qualifiers, or in UNIX format and use slashes (MYFILES/PROJECT/DATA). PKZIPz stores the in the latter format to provide cross-platform compatibility but accepts references to in MVS format.
Note: When standard ZIP archives are requested, a filename may be of mixed case. When GZIP is requested, all characters in the filename should be lower case, according to GZIP specifications.
Formatting
For individual data sets or PDS names, the entry consists of:
dataset level[.dataset level][.dataset level]…
For example: mydata.testing.temp.
For PDS members, the entry consists of:
dataset level[.dataset level][.dataset level] ... (member1[,member2][,member3]…)
For example: mydata.testing.temp(firstrun,secondrun).
When a single data set level is specified either as a data set or a PDS member, and if SELECT_FROM_PDS is present, the associated PDS is identified. If SELECT_FROM_PDS is not present, then the single level will be identified as a high-level qualifier.
Wildcards
Wildcard characters enable you to use a single name, containing wildcard characters, to specify multiple data sets. The wildcard characters (?, *, and **) are used in place of some or all of the characters in the name. They operate as “wild cards” in that they match a range of things instead of just a single character. Wildcards cannot be used in the highest data set level of the data set name. The more general the wildcard specifications, the longer the file search. To save time, be as specific as possible in selecting data set names.
Question mark (?)
A question mark (?) represents any single character in that position within a data set level. For example, MBS.?ABC matches every data set that has one character preceding ABC in its data set level. For example:
MBS.1ABC
MBS.2ABC
MBS.MABC
MBS.??ABC includes data sets that have two characters before ABC in the data set level. For example:
MBS.10ABC
MBS.XXABC
MBS.1JABC
Asterisk *
An asterisk (*) matches any string of zero or more characters in that position, within the level. For example, JEH.*.SUB matches all data sets with any second level and a third level of SUB. For example:
JEH.BVC.SUB
JEH.TRIAL.SUB
JEH.UNVTEST.SUB
JEH.A*.SUB represents all data sets with a third level of SUB and a second level whose name begins with A. For example:
JEH.ABC.SUB
JEH.AQZAR.SUB
JEH.ATEST.SUB
BOOT.* represents all data sets with a first level of BOOT plus any single second level. It does not represent data sets with more than one further level (see ** for more than one). For example:
BOOT.MINE
BOOT.DATA
BOOT.TESTING
but not BOOT.MINE.SOURCE
JEH.*.D* represents all data sets with a first level of JEH, any second level, and a third level beginning with D. For example:
JEH.OWN.DATA
JEH.SOURCE.DELIM
JEH.BAKER.DEMO
Double asterisk **
A double asterisk (**) matches one or two consecutive data set levels. For example, ABC.** represents all data sets beginning with ABC and includes the next level or two, if present. For example:
ABC.GROUP.TEST
ABC.GROUP
ABC.MINE
ABC.**.DATA represents data sets with the first level of ABC followed by one or two levels and ending with DATA as the last level. For example:
ABC.GROUP.BASIC.DATA
ABC.GROUP.DATA
ABC.MINE.DATA
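The three wildcard rules above, implemented as a small selector so that the scope of a pattern can be checked against a list of data set names before it is used in a PKZIP job (an added example written for this page, not PKWARE's code; `matches` and `select` are hypothetical names, and case-insensitive comparison of data set names is an assumption):

```python
import re

# Wildcard rules as documented in the "Wildcards" section above:
#   ?   any single character within one data set level
#   *   zero or more characters within one data set level
#   **  one or two whole data set levels
# Wildcards are not permitted in the highest (first) level.
# Hypothetical re-implementation for illustration, not PKWARE's code.


def _level_regex(level_pattern: str) -> "re.Pattern[str]":
    """Turn one level of a pattern into an anchored regular expression."""
    parts = []
    for ch in level_pattern:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def _match_levels(pats, names) -> bool:
    """Recursive level-by-level match; ** consumes one or two levels."""
    if not pats:
        return not names            # every level of the name must be consumed
    head, rest = pats[0], pats[1:]
    if head == "**":
        for consumed in (1, 2):
            if len(names) >= consumed and _match_levels(rest, names[consumed:]):
                return True
        return False
    if not names or not _level_regex(head).match(names[0]):
        return False
    return _match_levels(rest, names[1:])


def matches(pattern: str, dsname: str) -> bool:
    """Return True if dsname is selected by pattern (case-insensitive, assumed)."""
    pat_levels = pattern.upper().split(".")
    name_levels = dsname.upper().split(".")
    if any(c in pat_levels[0] for c in "?*"):
        raise ValueError("wildcards are not allowed in the highest data set level")
    return _match_levels(pat_levels, name_levels)


def select(pattern: str, candidates) -> list:
    """Return the candidate names selected by pattern, in input order."""
    return [name for name in candidates if matches(pattern, name)]


if __name__ == "__main__":
    # Constructed sample catalog, using the names from the section above.
    catalog = ["ABC.GROUP.TEST", "ABC.GROUP", "ABC.MINE", "ABC.A.B.C.DATA",
               "BOOT.MINE", "BOOT.MINE.SOURCE", "JEH.BAKER.DEMO"]
    for pat in ("ABC.**", "BOOT.*", "JEH.*.D*"):
        print(pat, "->", select(pat, catalog))
```

Running a pattern through `select` against a constructed list of names shows exactly which data sets a wildcard would pull into an archive, which is the check to make before a broad pattern goes into a production job.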
MS-DOS and UNIX file formats
Data set names are supported in MS-DOS and UNIX formats to delete or view entries. For all other operations, data set names should be in the MVS format. For UNIX or MS-DOS formatting:
[pathname][/pathname]…[/pathname][/filename]
For MS-DOS formatting:
[pathname][\pathname]…[\pathname][\filename]
Command Icon Legend
The following legend is used to identify icons that may be associated with a given command. These icons provide platform information and command compatibility, and one icon indicates that you should proceed with extreme caution and double check that the information provided works with your platform. It is important that you double check a command before using it.
Icons  Description
☺  This icon specifies what platforms use this command.
(icon not reproduced)  This command is not compatible with UNIX, iSeries, OS/400, and Windows.
(icon not reproduced)  This icon is a warning and it instructs you to read the information and proceed with caution.
–ACTION
Synonyms Include: –ADD, –COPY, –DELETE, –EXTRACT, –FRESHEN, –PATCH_REPORT, –TEST, –UPDATE, –VIEW
The ACTION command is used to add, copy, delete, extract, freshen, update, or view files in a ZIP archive. It may also be used to view a patch report.
–ACTION(ADD|COPY|DELETE|EXTRACT|FRESHEN|PATCH_REPORT|TEST|UPDATE|VIEW)
ADD - Specifies the addition of a file(s) to a ZIP archive using the method as specified in COMPRESSION_METHOD. If a file already exists in the archive with the same name, the addition will be disallowed and an UPDATE modifier will be required.
• Use ARCHIVE_DSN or a combination of ARCHIVE_INFILE and ARCHIVE_OUTFILE along with the ACTION(ADD) to create the new ZIP archive.
• The ADD command forces creation of a new ZIP archive.
• ADD is the default action for the PKZIP program.
COPY - Specifies that designated files (all by default) are to be copied from one archive to another when running program PKZIP. Data set name selections are accomplished the same as they are with ACTION(DELETE) defined previously. When no names are specified, all files within the input archive are copied to the target. No action is taken if the target archive is the same as the source archive.
• Use of ARCHIVE_DSN in conjunction with COPY causes an implicit deletion of all files not selected from the designated archive. This can be a more efficient way to delete files from an archive than by listing them all with DELETE. PKZIP does not allow implicit deletion of all files within an archive when using COPY.
• When ARCHIVE_INFILE is used with COPY, PKZIP allows the creation of an empty target archive if none of the requested files matches the input archive.
DELETE - Specifies that the file(s) selected by the command be deleted from an existing ZIP archive. This action results in the creation of a new archive, minus the deleted files.
• Use ARCHIVE_DSN (or a combination of ARCHIVE_INFILE and ARCHIVE_OUTFILE) along with the ACTION(DELETE) to create the new ZIP archive.
• The DELETE command forces the creation of a new ZIP archive minus the deleted files.
EXTRACT - Specifies that items or files are looked for in the archive, are brought out, and are put into an MVS data set. EXTRACT is the default action for the PKUNZIP program.
FRESHEN - Specifies that files already existing in an archive are to be replaced by different files having the same names. Note that timestamp verification does not occur, so it is possible to replace a file with one that is older.
PATCH_REPORT - When gathering information for problem analysis, PKZIPz Technical Support may request the output from an execution with PATCH_REPORT. The report output is sent to the designated DDNAME_SYSPRINT standard output. No other commands are required. PATCH_REPORT is normally executed in batch, although a foreground report can be generated with the ISPF panels.
Note: The PATCH_REPORT command may be used under either PGM=PKZIP or PGM=PKUNZIP. No archive actions will be performed when this command action is selected.
TEST - Specifies that the ZIP archive files be tested for integrity.
• This command performs the same functions as an ACTION(EXTRACT) command without actually extracting data or producing a decompressed file. The stored CRC is checked in this process, and a confirmation message occurs in the SYSPRINT data set for each valid file.
• Use ARCHIVE_DSN or ARCHIVE_INFILE with this command to specify the ZIP archive to be validated.
UPDATE - Specifies the update or addition of a file(s) to an existing ZIP archive.
VIEW - Specifies that information about selected files be displayed in SYSPRINT. The VIEW command may be used with or without parameters. All parameter fields are optional but, if specified, must be specified in the following order:
VIEW[level][sort][REVERSE][COMMENT]
• Level - This parameter specifies the amount and format of the information to be displayed.
Null - If no level is specified, a standard report of one line per file (wrap lines may be inserted for the file name or comment) will be displayed with columnar headings for the field values.
BRIEF - Provides a minimum of information about the files selected for display.
DETAIL - Provides a full set of technical details about the files selected for display.
• Sort - Determines the presentation sequence of information in the output report.
NAME - Sort by filename only.
DATE - Sort by date only.
LENGTH - Sort by length of the uncompressed file only.
OFFSET - Sort by order of occurrence within the ZIP archive (first in, first out). This is the default sort sequence.
PERCENT - Sort by compression percentage, only.
SIZE - See Length.
• REVERSE - Optional switch that reverses the order in which files are normally displayed for the sort criterion specified. For example, a NAME sort normally displays files in ascending order. NAMEREVERSE displays the files in descending order by file name.
• COMMENT - Optional parameter that lists any internal comment information in the archive directory in a separate line for each associated file. These file-specific comments are different from the ARCHIVE_COMMENT, which applies to the entire archive.
The following table lists the valid ACTION(VIEW) options:
VIEWCOMMENT VIEWREVERSE VIEWREVERSECOMMENT
VIEWDATE VIEWDATECOMMENT VIEWDATEREVERSE VIEWDATEREVERSECOMMENT
VIEWLENGTH VIEWLENGTHCOMMENT VIEWLENGTHREVERSE VIEWLENGTHREVERSECOMMENT
VIEWNAME VIEWNAMECOMMENT VIEWNAMEREVERSE VIEWNAMEREVERSECOMMENT
VIEWOFFSET VIEWOFFSETCOMMENT VIEWOFFSETREVERSE VIEWOFFSETREVERSECOMMENT
VIEWPERCENT VIEWPERCENTCOMMENT VIEWPERCENTREVERSE VIEWPERCENTREVERSECOMMENT
VIEWSIZE VIEWSIZECOMMENT VIEWSIZEREVERSE VIEWSIZEREVERSECOMMENT
VIEWBRIEF VIEWBRIEFCOMMENT VIEWBRIEFREVERSE VIEWBRIEFREVERSECOMMENT
VIEWBRIEFDATE VIEWBRIEFDATECOMMENT VIEWBRIEFDATEREVERSE VIEWBRIEFDATEREVERSECOMMENT
VIEWBRIEFLENGTH VIEWBRIEFLENGTHCOMMENT VIEWBRIEFLENGTHREVERSE VIEWBRIEFLENGTHREVERSECOMMENT
VIEWBRIEFNAME VIEWBRIEFNAMECOMMENT VIEWBRIEFNAMEREVERSE VIEWBRIEFNAMEREVERSECOMMENT
VIEWBRIEFOFFSET VIEWBRIEFOFFSETCOMMENT VIEWBRIEFOFFSETREVERSE VIEWBRIEFOFFSETREVERSECOMMENT
VIEWBRIEFPERCENT VIEWBRIEFPERCENTCOMMENT VIEWBRIEFPERCENTREVERSE VIEWBRIEFPERCENTREVERSECOMMENT
VIEWBRIEFSIZE VIEWBRIEFSIZECOMMENT VIEWBRIEFSIZEREVERSE VIEWBRIEFSIZEREVERSECOMMENT
VIEWDETAIL VIEWDETAILCOMMENT VIEWDETAILREVERSE VIEWDETAILREVERSECOMMENT
VIEWDETAILDATE VIEWDETAILDATECOMMENT VIEWDETAILDATEREVERSE VIEWDETAILDATEREVERSECOMMENT
VIEWDETAILLENGTH VIEWDETAILLENGTHCOMMENT VIEWDETAILLENGTHREVERSE VIEWDETAILLENGTHREVERSECOMMENT
VIEWDETAILNAME VIEWDETAILNAMECOMMENT VIEWDETAILNAMEREVERSE VIEWDETAILNAMEREVERSECOMMENT
VIEWDETAILOFFSET VIEWDETAILOFFSETCOMMENT VIEWDETAILOFFSETREVERSE VIEWDETAILOFFSETREVERSECOMMENT
VIEWDETAILPERCENT VIEWDETAILPERCENTCOMMENT VIEWDETAILPERCENTREVERSE VIEWDETAILPERCENTREVERSECOMMENT
VIEWDETAILSIZE VIEWDETAILSIZECOMMENT VIEWDETAILSIZEREVERSE VIEWDETAILSIZEREVERSECOMMENT
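The VIEW[level][sort][REVERSE][COMMENT] grammar described above, as a parser that enforces the documented parameter order and an enumerator that regenerates the option table (an added example, not PKWARE's code; `parse_view` and `all_view_options` are hypothetical names, and the enumeration also includes the bare VIEW form that the table omits):

```python
import re
from itertools import product

# Parameter vocabulary taken from the ACTION(VIEW) description above.
LEVELS = ("BRIEF", "DETAIL")
SORTS = ("NAME", "DATE", "LENGTH", "OFFSET", "PERCENT", "SIZE")

# Each group is optional, but the order level, sort, REVERSE, COMMENT is fixed,
# so VIEWNAMEDETAIL or VIEWCOMMENTREVERSE do not match.
_VIEW_RE = re.compile(
    r"^VIEW"
    r"(?P<level>BRIEF|DETAIL)?"
    r"(?P<sort>NAME|DATE|LENGTH|OFFSET|PERCENT|SIZE)?"
    r"(?P<reverse>REVERSE)?"
    r"(?P<comment>COMMENT)?$"
)


def parse_view(option: str) -> dict:
    """Split one ACTION(VIEW) option string into its four components.

    Hypothetical helper for illustration. Raises ValueError when the string
    is not one of the documented combinations.
    """
    m = _VIEW_RE.match(option.strip().upper())
    if not m:
        raise ValueError(f"invalid ACTION(VIEW) option: {option!r}")
    return {
        "level": m.group("level"),             # None = standard one-line report
        "sort": m.group("sort") or "OFFSET",   # OFFSET is the documented default
        "reverse": m.group("reverse") is not None,
        "comment": m.group("comment") is not None,
    }


def all_view_options() -> list:
    """Enumerate every option string the grammar admits (3 x 7 x 2 x 2 = 84)."""
    combos = product(("",) + LEVELS, ("",) + SORTS, ("", "REVERSE"), ("", "COMMENT"))
    return ["VIEW" + level + sort + rev + com for level, sort, rev, com in combos]


if __name__ == "__main__":
    print(parse_view("VIEWDETAILNAMEREVERSECOMMENT"))
    print(len(all_view_options()), "valid option strings")
```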
ACTIVITY_LOG
Synonyms Include: N/A
Only applicable when running a Demonstration Product Key
ACTIVITY_LOG=dataset
This command is specified in the defaults module only. When a Demonstration Key is active for the product, certain activities are written to the pre- allocated sequential data set specified by this setting. Reference the Systems Administration Guide for more information.
–ARCHIVE_BLKSIZE
Synonyms Include: –ARCHBLKSIZ
For a new or updated ZIP archive, the block size may be specified using the ARCHIVE_BLKSIZE command. The default is to attempt half-track blocking (for example, 27998 bytes, on a 3390 DASD device) unless ARCHIVE_LRECL is specified using logical record lengths. The default is not used when ARCHIVE_DATACLASS is specified and DF/SMS is in control of data set allocation on the system.
–ARCHIVE_BLKSIZE(
Note: A large block size should be specified for best ZIP performance.
Block size of 0: If using a PDS or sequential archive, and a block size of 0 is specified, the program determines the block size. If using record formats that are undefined, by default or by ARCHIVE_RECFM(U) command, and a block size of 0 is specified, the system may not set a block size. An error occurs when the archive is processed: for example, IEC141I 013-34 abend.
–ARCHIVE_COMMENT
Synonyms Include: N/A
This command allows a comment of up to 255 characters to be specified and saved in the archive central directory.
–ARCHIVE_COMMENT(
-ARCHIVE_COMMENT(This is a sample of a long command input value, and a hyphen illustrates the use of the continuation character for a lon- …..g command.) The hyphen causes a concatenation without blanks.
–ARCHIVE_DATACLASS
Synonyms Include: –ARCHDCLASS
For a new or updated ZIP archive, the SMS data class may be specified using the ARCHIVE_DATACLASS command. If the command is not specified, no data class is used in the allocation request. Allocation of files in a SMS environment is controlled by the installation through automatic class selection routines as defined by the local storage administrator. Control cards specifying SMS classes and/or volume selection may be ignored by the system when performing allocations. Check with the systems administrator for proper designations of these values.
–ARCHIVE_DATACLASS()
data class - Names the SMS data class where the updated or new archive is to reside. There is an 8-character limit.
The following parameter option for SMS classes accommodates earlier PKZIP releases: _NONE_
For example: ARCHIVE_DATACLASS=_NONE_
An ACZDFLT parameter of _NONE_ maintains the behavior of earlier releases of PKZIP (pre-5.6) for SMS specifications. Note that when PKZIP dynamically allocates an archive data set, an installation SMS ACS routine may assign a DATACLASS outside of PKZIP’s control. The _NONE_ specification negates the DYNALLOC (SVC99) parameter request for DATACLASS by PKZIP, but the installation can still generate an override. This has the potential for assigning DCB attributes that are incompatible with later processing of the archive data set. Care should be taken when using SMS data class attributes to ensure that the installation assigns correct values (or does not assign them at all).
–ARCHIVE_DIR_BLOCKS
Synonyms Include: –ARCHDIRBLKS, –ARCHIVE_DIRBLKS
For a new ZIP archive, the number of directory blocks may be specified using the ARCHIVE_DIR_BLOCKS command. The default of 56 is not used with ARCHIVE_DATACLASS. Use ARCHIVE_DIR_BLOCKS in conjunction with an ARCHIVE_DSN when creating a new PDS.
–ARCHIVE_DIR_BLOCKS(
–ARCHIVE_DSN
Synonyms Include: –ARCHIVE, –ARCHIVE_DSNAME
In PKZIP Processing
The ARCHIVE_DSN command specifies the archive name to be read in and updated by PKZIPz. Either this command or the ARCHIVE_INDD command must be used to identify an archive. ARCHIVE_INDD does not allow updating and is used in conjunction with ARCHIVE_OUTDD. There is no default.
–ARCHIVE_DSN(
Note: The temporary file(s) may require as large an allocation as the archive itself. Use the TEMP* commands to specify sufficient allocation.
If the archive came from another platform, the created data set must be created on MVS as sequential or as a PDS member with type U, F, or FB records. For best processing, generate this data set with a block size of at least 4000 bytes. PKZIPz will create the archive with the
In PKUNZIP Processing
The ARCHIVE_DSN command specifies the archive name to be read in or viewed by the PKUNZIP program.
Note: Either this command or the –ARCHIVE_INDD command must be used to identify an archive. There is no default.
–ARCHIVE_DSN(
–ARCHIVE_DSORG
Synonyms Include: –ARCHDSORG
For a new or updated ZIP archive, the data set organization is specified using the ARCHIVE_DSORG command. The command may specify one of four organizations with Sequential the default. Note, with the exception of VSAM files PKZIPz can determine the data set organization by the data set name in the ARCHIVE_DSN command.
–ARCHIVE_DSORG(PO|PE|PS|VS)
PO - Partitioned data set archive.
PE - Partitioned data set enhanced archive.
PS - Physical sequential archive.
VS - Virtual storage access method archive.
Note: The program can determine the organization of the archive by the data set name, except for VSAM files.
–ARCHIVE_FASTSEEK
Synonyms Include:
Control fast archive directory seek logic for selected disk archive data set organizations.
ARCHIVE_FASTSEEK= Y|N
The central file directory for an archive is located at the back of the archive data set, and local file directory entries are interspersed throughout the archive. When this setting is enabled with “Y”, PKZIP and PKUNZIP will use direct I/O techniques to locate the directory entries for view, extract, and archive update processing. In order to be effective, the archive data set must reside on disk as DSORG=PS (Physical Sequential) with RECFM=U or RECFM=FB. When STAGE_TAPE_ON_DISK=Y is specified, the fast seek logic will take effect for the temporary disk archive once it has been copied from tape. If fast seek processing cannot be performed, message ZPAM561I is issued, and sequential processing of the archive directory entries is performed.
–ARCHIVE_INFILE
Synonyms Include: –ARCHINDD, –ARCHIFILE, –ARCHINFILE, –ARCHIVE_INDD, –ARCHIVE_IFILE
The ARCHIVE_INFILE command specifies a DD statement that describes a ZIP archive to be read in for processing. Use this command when the archive is not to be updated and the processed file is to be written to another destination using ARCHIVE_OUTFILE. Also use this command when processing tapes and GDG’s. Do not use this command with the ARCHIVE_DSN command.
–ARCHIVE_INFILE(
DDname - This is the DD statement in the JCL that identifies the ARCHIVE to be read. The same
–ARCHIVE_LRECL
Synonyms Include: –ARCHLRL
For a new or updated ZIP archive, the logical record length is specified using the ARCHIVE_LRECL command. If ARCHIVE_RECFM(U) is specified for sequential archives, a default record length of 0 is established. Otherwise the block size is used. Note that the command ARCHIVE_DATACLASS overrides this default.
–ARCHIVE_LRECL(
–ARCHIVE_MGMTCLASS
Synonyms Include: –ARCHMCLASS
For new file allocation when doing PKUNZIP processing, these classes are passed to SMS when data set allocation occurs.
–ARCHIVE_MGMTCLASS(
See IBM’s DF/SMS manuals for further information about this parameter.
The following parameter option for SMS classes accommodates earlier PKZIP releases: _NONE_
For example: ARCHIVE_MGMTCLASS=_NONE_
An ACZDFLT parameter of _NONE_ maintains the behavior of earlier releases of PKZIP (pre-5.6) for SMS specifications.
–ARCHIVE_OUTFILE
Synonyms Include: –ARCHIVE_OUTDD, –ARCHIVE_OFILE, –ARCHOUTDD, –ARCHOFILE, –ARCHOUTFILE
The ARCHIVE_OUTFILE command specifies a DD statement that points to a ZIP archive to be written. Use this command when the input archive is not to be updated with new information. This command is mainly used when processing tapes and GDG’s. Do not use this command in conjunction with the ARCHIVE_DSN command.
–ARCHIVE_OUTFILE(
DDname - This is the DD statement in the JCL that identifies the ARCHIVE to write. It must not be the same as used for ARCHIVE_INFILE. If the archive is updated, the JCL parameter DISP=MOD should not be used to extend the archive. DISP=OLD should be used instead to allow the archive to be overwritten. If the archive is not updated, then the input archive will be copied to the
is determined once the process completes and therefore will not be determined if an error is encountered.
–ARCHIVE_RECFM
Synonyms Include: –ARCHTYPE
For a new or updated ZIP archive, the record format may be specified using the ARCHIVE_RECFM command. The record specification may be one of four types with U (Undefined) as the default.
–ARCHIVE_RECFM(U|F|FB|FBS)
U - Undefined records (default). Note also that this default is ignored if an associated SMS command of ARCHIVE_DATACLASS is used.
F - Fixed records.
FB - Fixed-Block records.
FBS - Fixed-Block Standard records.
An undefined specification (U) causes any ARCHIVE_LRECL specifications to be ignored. Similarly, an unblocked file specification will cause ARCHIVE_BLKSIZE to be ignored.
–ARCHIVE_SPACE_MULTIVOL
Synonyms Include: N/A
The ARCHIVE_SPACE_MULTIVOL command controls whether the dynamic allocation of a new non-VSAM archive data set will request multiple volumes when ARCHIVE_DATACLASS is not in effect.
–ARCHIVE_SPACE_MULTIVOL=Y|N
N - When a value of “N” is specified, or an ARCHIVE_DATACLASS is specified, SecureZIP does not provide a volume count in the dynamic allocation request. When multiple volumes are required to hold the archive under this condition, the operating system may reject the volume extension with an associated IEC032I-04 E37 error.
Y - When “Y” is specified without an ARCHIVE_DATACLASS, a maximum of 59 volumes will be requested in the DYNALLOC request. When this option is enabled, the catalog will show the archive data set as being a multi-volume data set. Message IGD17271I Allocation has been allowed to proceed for data set may appear in the JOB log from the system but will not affect PKZIP processing.
Note: See the SecureZIP for zSeries System Administrator’s Guide for more information on SMS dataclass considerations. See also the section “Large File Considerations” in Chapter 8 for discussions regarding SMS class controls of extended size data sets.
–ARCHIVE_SPACE_PRIMARY
Synonyms Include: –ARCHPRIMARY
For a new or updated ZIP archive, the number of allocation units in the primary extent is specified using the ARCHIVE_SPACE_PRIMARY command. The default is not used if ARCHIVE_DATACLASS is specified.
–ARCHIVE_SPACE_PRIMARY(
–ARCHIVE_SPACE_RLSE
Synonyms Include: –ARCHIVE_RLSE, –ARCHIVE_RELEASE, –ARCHIVE_SPACE_RELEASE, –ARCHRLSE, –NOARCHRLSE, –ARCHNORLSE
This command specifies whether free space should be released when a ZIP archive is deallocated.
–ARCHIVE_SPACE_RLSE(Y|N)
Y - YES - The deallocated free space is released following compression. This is the default action taken for sequential data sets.
N - NO - The deallocated free space is not released following compression. This is the default action taken for partitioned data sets.
–ARCHIVE_SPACE_SECONDARY
Synonyms Include: –ARCHSECONDARY
For a new or updated ZIP archive, the number of allocation units in the secondary extent is specified using the ARCHIVE_SPACE_SECONDARY command. If specified, the data unit number must not be 0. The default is not used if ARCHIVE_DATACLASS is specified.
allocation units - This is an 8-character field specifying the number of allocation units for the secondary extent of the new or updated ZIP archive.
00000010 - Ten (cylinders) is the default.
–ARCHIVE_SPACE_TYPE
Synonyms Include: –ARCHSPACE
For a new or updated ZIP archive, the type of allocation units may be specified using the ARCHIVE_SPACE_TYPE command. Note the default is not used when ARCHIVE_DATACLASS is specified.
–ARCHIVE_SPACE_TYPE(
TRK - (also TRKS and TRACKS) Allocation by tracks.
CYL - (also CYLS and CYLINDERS) Allocation by cylinders.
BLK - (also BLKS and BLOCKS) Allocation by blocks. (Note that the block size is specified in the ARCHIVE_BLKSIZE command.)
KB - (also KILOBYTES) Allocation by Kilobytes for a VSAM archive.
MB - (also MEGABYTES) Allocation by Megabytes for a VSAM archive.
VSAM Note: Both the primary and secondary extents are allocated at 100 allocation units unless changed by the –VSAM_SPACE_PRIMARY or the –VSAM_SPACE_SECONDARY commands.
This command specification can be overridden at the data level by the VSAM_DATA_SPACE_TYPE command. At the data level, the corresponding cluster information is not recognized.
–ARCHIVE_STORCLASS
Synonyms Include: –ARCHSCLASS
For a new or updated ZIP archive, the DF/SMS storage class may be specified using the ARCHIVE_STORCLASS command. If the command is not specified no storage class is used.
–ARCHIVE_STORCLASS(
–ARCHIVE_TIMESTAMP
Synonyms Include: –TIMESTAMP
This command specifies the source of the date and time for a compressed file. The default is the LOCAL time, as set on the system.
–ARCHIVE_TIMESTAMP(CREATE|CREATEGMT|CREATEUTC|GMT|LOCAL|UTC)
CREATE - Specifies the creation date of the MVS data set with time of 00:00:00. This is because standard MVS systems retain the data set’s creation date but do not retain the time of creation. If this creation date does not exist, the LOCAL time is used. Members of a PDS will have the timestamp associated with the data set, not with the individual members.
CREATEGMT - Specifies the creation date of the MVS data set with a time of 00:00:00 as in CREATE, except that if the creation date does not exist, the UTC option is used.
CREATEUTC - Specifies the creation date of the MVS data set with a time of 00:00:00 as in CREATE, except that if the creation date does not exist, the UTC option is used.
GMT - Specifies the Greenwich Mean Time as set on the system. Time zones are not specified here; therefore, it is the same time, world-wide. The time is captured at the time ZIP processing begins.
LOCAL - Specifies the LOCAL time as set with the system. The LOCAL time is based on the UTC time with any adjustments made for time zones.
UTC - Specifies the Greenwich Mean Time as set on the system. Time zones are not specified here; therefore, it is the same time, world-wide. The time is captured at the time ZIP processing begins.
The time captured for the archive is the point at which ZIP processing begins and is the same for all files of that archive.
–ARCHIVE_UNIT
Synonyms Include: –ARCHUNIT
For new or updated ZIP file allocation, the generic units for the archive can be specified using the ARCHIVE_UNIT command. The default, should a unit be required, is the installation default, typically SYSDA.
–ARCHIVE_UNIT(unitname|SYSDA)
unitname - An 8-character field specifying the name of the generic unit to which the archive is to be allocated.
SYSDA - The default specification.
For new ZIP archives that are members of a PDS, the PKZIPz DF/SMS command should specify the PDS class, and the non-DF/SMS command should specify the PDS volume or unit of the allocation.
–ARCHIVE_VOLUMES
Synonyms Include: –ARCHVOL
For a new or updated ZIP archive allocation, the volume(s) is specified using the ARCHIVE_VOLUMES command.
–ARCHIVE_VOLUMES(
–ATTRIB_COMPATIBILITY
Synonyms Include: –ATTRCOMPAT, –ATTRIB_COMPAT, –ATTRIBUTE_COMPATIBILITY
This parameter governs the type of extended attributes that are stored in the archive. Both PKZIP for zSeries and SecureZIP for zSeries provide compatible attributes with PKZIP for MVS version 2.5 and above in the Systems/390 environment through the use of extended file information. New attributes may be built upon the Z390 attribute set in future releases.
–ATTRIB_COMPATIBILITY(Z390|MV25)
Although ZIP archives created by older releases of PKZIP for MVS can be processed by PKZIPz, extended attributes created by PKZIPz in Z390 mode are not compatible with executions of PKZIP for MVS version 2. For installations where multiple releases of the product are run with files being shared between systems, a mode of MV25 can be used so that the attributes created are acceptable to the older product versions.
–AUTHCHK
Synonyms Include: N/A
Requires SecureZIP Advanced Encryption Module
This command specifies that digital signature authentication processing should be performed. Separate authentication processing may be specified for either the archive central directory or files by using multiple commands. Optionally, specific signers may be specified to authenticate against.
-AUTHCHK(ARCHIVE|FILES,[certificate_store_type:selection][,R][,PASSWORD=password])
ARCHIVE|FILES - Designates the type of authentication that is to be performed. Either ARCHIVE or FILES can be specified on each command. Multiple AUTHCHK commands can be specified.
certificate_store_type:selection - An optional parameter used when attempting to validate that the associated signature(s) are from a specific source (via a public key identification). This sub-parameter designates the media containing the certificate(s) having the public key. See SIGN_ARCHIVE for a discussion of the certificate store types and selection processing. Although a public-key X.509 certificate entity is to be used for authentication processing, a private-key entity can also be used to obtain the necessary public key. It is possible that more than one certificate may be returned for a single common name or email search. If so, each is added to the list of validating sources. When no specific certificates are requested, any signatories found in the archive are validated in accordance with the –{AUTHENTICATE} policy settings in effect.
[,R] - This is an optional flag indicating that certificate(s) specified in this AUTHCHK request must be satisfied for the run. This means that the public-key certificate information must be resolved on the local system and must pass validation as signatory for the type of AUTHCHK being performed. This parameter is not valid when a generic AUTHCHK(FILES) is requested. All certificates specified with the “R” option must pass validation, or authentication will be marked as a failure. Only one authentication check command can be specified for the ARCHIVE type when a Required flag is set.
[,PASSWORD=] - Designates the password that is required for a private-key certificate that is to be used for public-key access. When a value is specified, the target must be an X.509 PKCS#12 private-key certificate. It should not be coded when requesting a public-key certificate.
The PASSWORD value may contain blanks and is delimited by the closing right parenthesis “)” of the signing command. Quotes and apostrophes should not be used as start/end delimiters.
Processing Notes
AUTHCHK= is not honored from the defaults module (ACZDFLT or other user-designated module). A preferable technique is to use INCLUDE_CMD and reference an independent file from which the AUTHCHK command(s) may be read (and file-protected from read access by the system’s security facility). Passwords are masked out in SYSPRINT output displays.
When FILE: is specified as the certificate lookup type, the data set name is treated in accordance with fopen() as documented in the IBM C/C++ Programming Guide. See “Performing OS I/O Operations - Using a Data Set Name”. Starting a filename with “//” indicates the file refers to a non-POSIX file or data set. The name specified is translated to upper case by the run-time environment.
A local certificate store configuration is required to complete the processing of this command. Even when a direct FILE specification is made to locate the private-key certificate, the {CSCA=} and {CSROOT=} certificate store components must be accessible to complete the certificate signing chain within the archive. This information is required to complete authentication processing on the target system when the local certificate store on that system does not contain the certificate authority chain required to validate TRUST.
Authentication will fail if none of the requested certificates can be accessed, regardless of the “R” required flag. If multiple requests are made and at least one signature is found, processing will continue normally.
When one or more non-required certificates are requested but none can be resolved in the local certificate store, generic authentication continues as if no specific requests had been made.
When one or more certificates (required or non-required) are requested, and any are found in the local certificate store, at least one certificate in the list must pass authentication. By providing a list of acceptable non-required certificates, any may pass validation to satisfy the authentication request. However, certificates specified for authentication with “R” must still pass validation.
An archive Directory authentication failure generates a minimum condition code of 6 (RC=6) for the execution unless an appropriate PKSUPPRC command is entered. This halts further processing for the archive except for ACTION=VIEW processing.
A file authentication failure generates a minimum condition code of 6 (RC=6) for the execution unless an appropriate PKSUPPRC command is entered. Processing continues for other files in the archive.
Signed files are tolerated by prior releases of PKZIP/SecureZIP for zSeries but are not processed for authentication.
Authenticity Check Policies
Although the AUTHCHK command specifies which signature type (Archive or Files) should be checked, it does not direct the levels of checking to be performed. (For an overview of authentication, see the section “Authentication” in Chapter 2). The policy configuration setting AUTHENTICATE= (which may also be entered as a command) is used to govern the various aspects to be validated when an AUTHCHK operation is processed.
–{AUTHENTICATE=[ALL]|[NOT]EXPIRED,[NOT]TRUSTED,[NOT]REVOKED,[NO]TAMPERCHECK}
The AUTHENTICATE policy setting is usually located in the local certificate store configuration file supplied by the SecureZIP administrator. If not present, AUTHENTICATE=ALL is the default. Although multiple AUTHENTICATE policy command sequences may be entered, the sub-parameter values are not cumulative between commands. The latest entry of AUTHENTICATE= encountered in the command stream takes effect.
ALL - This subparameter activates all levels of authentication. If followed by negating sub-levels, then all but those negating levels are activated. For example: -{AUTHENTICATE=ALL,NOTEXPIRED} means that expired certificates will not cause an authentication error, but TRUST and TAMPERCHECK must both be satisfied.
[NOT]EXPIRED - This sub-parameter performs certificate date-range validation on the certificates (including the certificate authority chain). Although the term “expired” is used, a certificate that has not yet reached its valid date range specification will fail.
[NOT]REVOKED - This subparameter examines certificates and their trust chains to ensure that certificates have not been revoked by the certificate authority.
[NOT]TRUSTED - This subparameter signifies that the entire certificate authority chain must be validated. This includes locating the root (self-signed) certificate on the local system (as defined in {CSROOT=} within the local certificate store configuration).
[NO]TAMPERCHECK - This sub-parameter verifies the data stream against the digital signature.
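The following Python model of the AUTHENTICATE= policy grammar is an added illustration and is not SecureZIP code. It parses the sub-parameters exactly as listed above (ALL, [NOT]EXPIRED, [NOT]TRUSTED, [NOT]REVOKED, [NO]TAMPERCHECK), applies the "latest entry wins, values are not cumulative" rule over a command stream, and then shows which checks a signature fails under a given policy. The signature record and its field names are constructed for the example; the manual does not say what a command without a leading ALL starts from, so this model assumes it starts from an empty set and activates only the levels it names.

```python
"""Model of the AUTHENTICATE= policy described in the manual.

Added illustration, not SecureZIP code. Assumption: a command that does
not begin with ALL starts from an empty set of checks and activates only
the levels it names (the manual does not state this case).
"""

LEVELS = ("EXPIRED", "TRUSTED", "REVOKED", "TAMPERCHECK")


def parse_authenticate(command: str) -> frozenset:
    """Return the set of active checks for one AUTHENTICATE command.

    Accepts the command form '-{AUTHENTICATE=ALL,NOTEXPIRED}' and the
    configuration-file form 'AUTHENTICATE=ALL,NOTEXPIRED'.
    """
    body = command.strip().lstrip("-–").strip("{}").strip()
    keyword, _, values = body.partition("=")
    if keyword.strip().upper() != "AUTHENTICATE":
        raise ValueError(f"not an AUTHENTICATE command: {command!r}")
    active = set()
    for raw in values.split(","):
        token = raw.strip().upper()
        if not token:
            continue
        if token == "ALL":
            active = set(LEVELS)                 # activate every level
        elif token in LEVELS:
            active.add(token)
        elif token.startswith("NOT") and token[3:] in LEVELS:
            active.discard(token[3:])            # NOTEXPIRED, NOTTRUSTED, NOTREVOKED
        elif token.startswith("NO") and token[2:] in LEVELS:
            active.discard(token[2:])            # NOTAMPERCHECK
        else:
            raise ValueError(f"unknown AUTHENTICATE sub-parameter: {raw!r}")
    return frozenset(active)


def effective_policy(command_stream) -> frozenset:
    """Latest AUTHENTICATE= in the stream wins; values are not cumulative.
    With no AUTHENTICATE command at all the default is ALL."""
    policy = frozenset(LEVELS)
    for cmd in command_stream:
        if "AUTHENTICATE" in cmd.upper():
            policy = parse_authenticate(cmd)
    return policy


def authenticate(signature: dict, policy: frozenset) -> list:
    """Apply a policy to one signature's verification facts.

    `signature` is a constructed record of what a verifier observed:
      outside_validity - a chain certificate is expired or not yet valid
      chain_trusted    - the chain reaches a root held in the CSROOT store
      revoked          - a chain certificate has been revoked by its CA
      digest_matches   - the data stream matches the digital signature
    Returns the list of failed checks; an empty list means authenticated.
    """
    failures = []
    if "EXPIRED" in policy and signature["outside_validity"]:
        failures.append("EXPIRED")
    if "TRUSTED" in policy and not signature["chain_trusted"]:
        failures.append("TRUSTED")
    if "REVOKED" in policy and signature["revoked"]:
        failures.append("REVOKED")
    if "TAMPERCHECK" in policy and not signature["digest_matches"]:
        failures.append("TAMPERCHECK")
    return failures


if __name__ == "__main__":
    stream = ["-{AUTHENTICATE=ALL}", "-AUTHCHK(ARCHIVE)",
              "-{AUTHENTICATE=ALL,NOTEXPIRED}"]
    policy = effective_policy(stream)
    sig = {"outside_validity": True, "chain_trusted": True,
           "revoked": False, "digest_matches": True}
    print(sorted(policy), authenticate(sig, policy))
```

Note that NOTAMPERCHECK has to be recognised as NO + TAMPERCHECK rather than NOT + AMPERCHECK, which is why the parser tries the three-letter prefix first and falls back to the two-letter one.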
–CALLMODE
Synonyms Include: N/A
This command is an internal use command that is used for environmental interfacing and should not be specified.
–CALLMODE(BATCH|ISPF|TSO)
–CHECK_SYSIN_MEMBER
Synonyms Include: N/A
This is a defaults-module only parameter (since the value must be determined before the SYSIN command set is opened).
–CHECK_SYSIN_MEMBER(Y|N)
The default operation of PKZIPz is to verify that command input stored in a PDS or PDSE member exists. If the member is not found, then a message is issued and the PKZIP function is terminated:
"ZPCM010E MEMBER NOT ACCESSIBLE IN DATASET"
Installations that use very large PDS/PDSE libraries may want to avoid the overhead of searching the directory. Performance may be improved by specifying CHECK_SYSIN_MEMBER=N in the ACZDFLT module. However, a system abend S013 will occur if the specified member does not exist in the library.
–COMPRESSION_LEVEL
Synonyms Include: –METHOD, –EN, –ES, –EX, –E0, –E1, –E2, –E3, –E4, –E5, –E6, –E7, –E8, –E9
This command specifies the speed and compression level when zipping a file.
–COMPRESSION_LEVEL(NORMAL|MAXIMUM|FAST|SUPERFAST|STORE|0|1|2|3|4|5|6|7|8|9)
When updating files in a ZIP archive, COMPRESSION_LEVEL specifies a parameter that determines the compression level and speed to be used. The command specifies a level or degree of compression using a sliding scale of values. The related command, COMPRESSION_METHOD, specifies a compression algorithm. The following table shows the compression levels available. Each strikes a different balance of compression level and speed of compression. The levels range from 0 (fastest speed with no compression) to 9 (highest level of compression, usually taking the longest amount of time and using the most processor time).
Synonym         Level   Usage
STORE, E0       0       No compression is performed.
SUPERFAST, E1   1       Compression Method: Deflate32 or Deflate64
FAST, E2        2       Compression Method: Deflate32 or Deflate64
NORMAL, E3      3       Compression Method: Deflate32 or Deflate64
MAXIMUM, E4     4       Compression Method: Deflate32 or Deflate64
E5              5       Compression Method: Deflate32 or Deflate64
E6              6       Compression Method: Deflate32 or Deflate64
E7              7       Compression Method: Deflate32 or Deflate64
E8              8       Compression Method: Deflate32 or Deflate64
E9              9       Compression Method: Deflate32 or Deflate64
Usage Notes:
• Compression levels 1 through 9 all work with Deflate32 and Deflate64 compression methods.
• “Maximum” is retained at level 4 to provide equivalent compression ratios with earlier releases. Higher levels may yield better compression ratios than previously obtained with “Maximum”.
• Compression results are data-stream dependent and produce non-linear results. When configuring a job for high volume processing, benchmarking results with sample files may be of value to find the best balance between compression ratio and resources (elapsed and processor time).
• In many cases, levels 8 and 9 do not produce significant compression results over level 7.
• When COMPRESSION_LEVEL=0, STORE, or E0 are specified, COMPRESSION_METHOD=STORE is set automatically.
• When migrating from earlier releases of PKZIP or SecureZIP, a difference in compression ratio/processor time can be expected for a given data stream and setting. Although internal settings have been tuned to produce similar results across the scale of levels, a specific level setting may not produce faster speeds or better compression for a data stream. If these criteria are important, then benchmarking should be performed to achieve the “best fit” results with the new algorithms.
• “METHOD” remains as a synonym for COMPRESSION_LEVEL to maintain command stream compatibility with earlier releases. However, it is recommended that the use of this command format be eliminated to remove ambiguity.
–COMPRESSION_METHOD
Synonyms Include: –DEFLATE32, –DEF32, –DEFLATE64, –DEF64, –STORE
This command specifies the compression algorithm to use when compressing a file during ZIP processing.
–COMPRESSION_METHOD(DEFLATE32|DEFLATE64|STORE)
See also the COMPRESSION_LEVEL command, which specifies a degree of compression. STORE performs no compression of the data. Deflate64 (using the same level control) will usually produce better compression with less processor time than Deflate32.
Usage Notes:
• When COMPRESSION_METHOD=STORE is specified, COMPRESSION_LEVEL=STORE is set automatically.
• The GZIP specification only supports Deflate32. When –GZIP mode is encountered, PKZIP will automatically switch from Deflate64 or STORE to Deflate32. In addition, if COMPRESSION_LEVEL has a setting of STORE, the level is changed to SUPERFAST.
• Not all vendors of ZIP-compatible programs provide support for Deflate64-compressed data, and their products may not be able to extract files compressed with this advanced compression algorithm. If the intended target systems support Deflate64, then it may be chosen for the best compression/speed performance.
• Deflate32 is equivalent to the compression method used in releases prior to the implementation of COMPRESSION_METHOD and is functionally compatible (see the migration note under COMPRESSION_LEVEL regarding performance).
–CRLF
Synonyms Include: –NOCRLF
☺ - Cross Platform Compatible command (iSeries, OS/400, UNIX, and Windows). This command determines whether special delimiters or terminators are inserted when a file is being extracted from a ZIP archive.
–CRLF(Y|N|C[,STRICT])
Y - YES - Insert CR (carriage control), LF (line feed), or CZ (Ctrl-Z), as appropriate.
N - NO - Do not insert CR, LF, or CZ.
C - COMPATIBILITY - Changes the way PKZIPz processes the last record in a file.
Y,STRICT - This special setting specifies that during UNZIP text-file processing, strict adherence to the DATA_DELIMITER and FILE_TERMINATOR character sequences is required to identify the end of a record. This combination may only be specified through command input and should be coded as “-CRLF(Y,STRICT)” as the last CRLF command encountered. Any other CRLF command will switch “STRICT” off.
When extracting a text file from a ZIP file that contains no internal delimiters or terminators of CR, LF, or CZ, you can use CRLF(N) so that the PKUNZIP program creates fixed record lengths for the output. The maximum record length of the extracted data set determines the output record length. The last record of the output is filled with EBCDIC spaces (Hex 40) if needed. FILE_TERMINATOR() and DATA_DELIMITER() may also be used, and the PKUNZIP program will search for default delimiters. See also DATA_TYPE(TEXT).
In PKZIP Processing
CRLF=Y normally places the DATA_DELIMITER character(s) after every record (including the last one) before conditionally adding the FILE_TERMINATOR character(s). CRLF=C specifies that the last record should not have the DATA_DELIMITER characters added after the last record of the file, and should only have the FILE_TERMINATOR character(s) added.
Note: –CRLF(Y,NOEOFDELIM) also performs this action.
If the default values for DATA_DELIMITER and FILE_TERMINATOR are taken, the same output results are seen with either CRLF=Y (standard) or CRLF=C. The advantage of using CRLF=C or CRLF(Y,NOEOFDELIM) is that finer control of the last control characters in the file can be achieved through the FILE_TERMINATOR specifications.
In PKUNZIP Processing
CRLF=C during an EXTRACT causes additional line control interpretation to be done when the DATA_DELIMITER and FILE_TERMINATOR characters specified do not accurately match the source file. This is a compatibility option (PKZIP MVS 2.x) that sets the FILE_TERMINATOR to x’0D0A1A’ and treats this terminator as the last record’s delimiter.
Use of CRLF=C or CRLF=Y (without STRICT) may cause records to be split when binary data (within a text file) is found to contain any of the typical line control characters. CRLF=Y causes any of the specified DATA_DELIMITER control characters to act as a record delimiter, regardless of sequence. X’1A’ (Ctrl-Z) is also considered to be a delimiter, even when not specified in the command set.
CRLF(Y,STRICT) may be used in conditions where a multi-character record delimiter (such as x'0D0A' from a PC) is being read but there are also spurious control characters intermixed with the data. Assuming that an inbound text file used x'0D0A' as the record delimiter with default processing, any x'0D' or x'0A' in the data stream would normally cause a record break during output operations. However, with STRICT turned on, only exact sequences of x'0D0A' would cause a record break, and the individual occurrences or reversed x'0A0D' will be kept as part of the data stream for subsequent translation. Only the character streams specified in DATA_DELIMITER and FILE_TERMINATOR are used in the scan.
Note: When CRLF(Y,STRICT) is enabled, a check for an exact match of the FILE_TERMINATOR stream will be done before checking the DATA_DELIMITER characters. If there are no data bytes found since the preceding record when a positive match of the terminator string occurs, no record is written. This will result in an empty output file when only the FILE_TERMINATOR stream is found in the extracted data. For example, if x'0D0A' are specified in both FILE_TERMINATOR and DATA_DELIMITER, a stand-alone x'0D0A' at the end of the uncompressed data stream will be treated as NULL information because it matches the FILE_TERMINATOR.
ACZDFLT (MCZDFLTS macro)
When CRLF=C is used in the MCZDFLTS macro and FILE_TERMINATOR is not specified, the default for FILE_TERMINATOR will be set to CRLFCZ (x’0D0A1A’) instead of the standard default of CZ (x’1A’). This yields equivalent ZIP results when CRLF=Y is specified with its defaults. “–FILE_TERMINATOR=” can be specified along with –CRLF=C to ZIP a file, resulting in no control characters at the end of the file. If both CRLF=C and FILE_TERMINATOR=CZ are specified, then FILE_TERMINATOR=0D0A1A is substituted. FILE_TERMINATOR=1A can be used to override this substitution.
Processing Examples
The examples below assume the distributed defaults of –DATA_DELIMITER=crlf (CRLF = x'0D0A') and –FILE_TERMINATOR=cz (CZ = x'1A').

CRLF(N)
Record delimiting: No control characters are inserted after any records.
End of file: No control characters are inserted at the end of the file.
Result: Rec1_dataRec2_data…

CRLF(Y)
Record delimiting: All records are terminated with DATA_DELIMITER characters.
End of file: After the final record, the FILE_TERMINATOR character is added.
Result: Rec1_dataCRLF Rec2_dataCRLF Last_recordCRLF CZ

CRLF(C)
Record delimiting: All records except the last record are terminated with DATA_DELIMITER characters.
End of file: After the final record, the FILE_TERMINATOR character is added.
Result: Rec1_dataCRLF Rec2_dataCRLF Last_record CZ

CRLF=Y,NOEOFDELIM
Same as CRLF(C): all records except the last record are terminated with DATA_DELIMITER characters, and after the final record the FILE_TERMINATOR character is added.
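The Python model below is an added illustration of both sides of the CRLF behaviour described above (the PKZIP-side table of CRLF(N|Y|C) output and the PKUNZIP-side difference between CRLF=Y and CRLF(Y,STRICT)); it is not SecureZIP code. Records are kept as raw bytes, so the EBCDIC/ASCII translation that PKZIPz performs around these steps is not modelled. For the non-STRICT scan the manual says PKZIPz "searches for one each of CR, CZ, and LF" and that any delimiter byte ends a record regardless of sequence; this model therefore treats a run of delimiter bytes as one delimiter group until a byte repeats, which is an assumption about how the grouping works.

```python
"""Record delimiter handling for CRLF on the ZIP and UNZIP sides.

Added illustration, not SecureZIP code. Assumption: in the non-STRICT
scan, consecutive delimiter bytes form a single delimiter group as long
as each of CR, LF and CZ occurs at most once in it; a repeated byte
starts a new (possibly empty) record.
"""

CR, LF, CZ = b"\x0d", b"\x0a", b"\x1a"
CONTROL_BYTES = {0x0D, 0x0A, 0x1A}   # honoured as delimiters whenever STRICT is off


def zip_records(records, crlf="Y", data_delimiter=CR + LF, file_terminator=CZ):
    """Build the text stream PKZIP stores for a list of records.

    N: no delimiters and no terminator.
    Y: DATA_DELIMITER after every record (including the last), then FILE_TERMINATOR.
    C (or Y,NOEOFDELIM): DATA_DELIMITER between records only, then FILE_TERMINATOR.
    """
    mode = crlf.upper()
    if mode == "N":
        return b"".join(records)
    if mode == "Y":
        return b"".join(r + data_delimiter for r in records) + file_terminator
    if mode in ("C", "Y,NOEOFDELIM"):
        return data_delimiter.join(records) + file_terminator
    raise ValueError(f"unsupported CRLF setting {crlf!r}")


def unzip_records(stream, data_delimiter=CR + LF, file_terminator=CZ, strict=False):
    """Split an extracted text stream into records.

    strict=False (CRLF=Y): any CR, LF or CZ byte, or any byte that appears
    in DATA_DELIMITER, ends the current record regardless of sequence.
    strict=True (CRLF(Y,STRICT)): only the exact DATA_DELIMITER sequence
    ends a record; FILE_TERMINATOR is checked first at each position, and
    a terminator with no data bytes since the previous record writes nothing.
    """
    records, buf, i = [], bytearray(), 0
    if strict:
        while i < len(stream):
            if file_terminator and stream.startswith(file_terminator, i):
                if buf:                       # terminator after data ends that record
                    records.append(bytes(buf))
                    buf.clear()
                i += len(file_terminator)     # stand-alone terminator: nothing written
            elif data_delimiter and stream.startswith(data_delimiter, i):
                records.append(bytes(buf))
                buf.clear()
                i += len(data_delimiter)
            else:
                buf.append(stream[i])         # lone CR/LF stays in the data
                i += 1
    else:
        delims = CONTROL_BYTES | set(data_delimiter)
        while i < len(stream):
            if stream[i] in delims:
                records.append(bytes(buf))
                buf.clear()
                seen = set()                  # consume one delimiter group
                while i < len(stream) and stream[i] in delims and stream[i] not in seen:
                    seen.add(stream[i])
                    i += 1
            else:
                buf.append(stream[i])
                i += 1
    if buf:
        records.append(bytes(buf))
    return records


if __name__ == "__main__":
    recs = [b"Rec1_data", b"Rec2_data", b"Last_record"]
    for mode in ("N", "Y", "C"):
        print(mode, zip_records(recs, mode))
    # constructed inbound stream with a stray CR inside the second record
    inbound = b"Rec1\r\nRe\rc2\r\n\x1a"
    print(unzip_records(inbound), unzip_records(inbound, strict=True))
```

Running the stand-alone part shows the stray x'0D' splitting the second record under the default scan but surviving under STRICT, and the DATA_DELIMITER(LFCZLF) case from the DATA_DELIMITER command description reproduces the extra empty records the manual warns about when such a file is extracted with a default search.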
–DATA_DELIMITER
Synonyms Include: –DELIM
☺ - Cross Platform Compatible command (iSeries OS/400, UNIX, and Windows).
In PKZIP Processing: When compressing a file as text (not binary), the DATA_DELIMITER command specifies what character(s) to store at the end of each record to differentiate records. (See the CRLF and FILE_TERMINATOR commands regarding control over the last record). When compressing a file as binary, the DATA_DELIMITER command is ignored.
–DATA_DELIMITER(
Delim chars - The delimiter characters to be appended. There may be 0-4 characters specified in any combination:
CR - Appends an ASCII Carriage Return (hex 0D).
CZ - Appends an ASCII Ctrl-Z character (hex 1A).
LF - Appends an ASCII Line Feed character (hex 0A).
() - No delimiters at all.
The default is CRLF if no DATA_DELIMITER command is specified.
Note: Transfers of Microsoft Disk Operating System (MS-DOS) records use a CRLF for a delimiter, while UNIX records use a LF. See –INCLUDE_CMD=TOMSDOS|TOUNIX for more information about target platform requirements.
When extracting the file(s), the same DATA_DELIMITER command should be used to differentiate each record, just as it was when it was compressed. PKZIPz searches for one each of CR, CZ, and LF characters as a default for text file record delimiters. If a file was compressed with double characters as delimiters—for example, DATA_DELIMITER(LFCZLF)—and the file is later decompressed without the DATA_DELIMITER command (a default search is used), PKZIPz uses each LF as a record delimiter. It then creates extra record(s) to accommodate for the duplicate characters—for example, LF.
In PKUNZIP Processing
When decompressing a text file (not binary), the DATA_DELIMITER command specifies what characters to look for at the end of records (except the last) that serve as delimiters. The delimiter is removed from the record when it is decompressed. The last record of the file ends with the characters specified in the FILE_TERMINATOR command. When decompressing a binary file, the DATA_DELIMITER command is ignored.
–DATA_DELIMITER(
–DATA_STORAGE
Synonyms Include: –CACHEMEMORY
Cache memory may be specified, with the DATA_STORAGE command, in order to increase processing speed. This command specifies the total number of bytes to be allocated for caching. The default is zero (0)—no caching—when this command is not specified.
-DATA_STORAGE(
–DATA_TRANS_API_ERRLIM
Synonyms Include: N/A
This setting currently has no effect.
–DATA_TRANS_API_ERRLIM(
–DATA_TRANS_API_ERROR
Synonyms Include: N/A
Identify the type of processing to occur when an API error occurs.
–DATA_TRANS_API_ERROR(STOPRUN|ABEND|IGNORE)
STOPRUN - Traps any program exception, displays the results of the trap, and causes the end of the SecureZIP execution.
ABEND - Causes the API to allow an abend of the user API without trapping the program exception, allows a dump to occur, and ends the SecureZIP execution.
IGNORE - Traps any program exception, displays the results of the trap, and continues with the next record or file.
–DATA_TRANS_API_LANGUAGE
Synonyms Include: N/A
The language used to code the API. Basic Assembler Language (ASM) is the default.
–DATA_TRANS_API_LANGUAGE(ASM|COBOL)
–DATA_TRANS_API_NAME
Synonyms Include: N/A
The name of the data record transformation API load module. Place this load module into a JOBLIB, STEPLIB or a system linklist library.
–DATA_TRANS_API_NAME(
–DATA_TRANS_API_PARM
Synonyms Include: N/A
This control card can be used to pass information to the User API.
–DATA_TRANS_API_PARM(
–DATA_TRANS_API_TRACE
Synonyms Include: N/A
This allows headings, control blocks, registers, and data areas to be presented in SYSPRINT to help in the debugging of a User API.
–DATA_TRANS_API_TRACE(0|1|2|3|4)
0 = Trace Off
1 = Basic
2 = Medium
3 = Low Level
4 = Very Low Level
The higher the number, the greater the volume of output.
–DATA_TRANS_API_WORKSIZE
Synonyms Include: N/A
The size of the work area to be used for the API. This area can be used to pass information between instances of the API being called and will be retained for the life of the run.
–DATA_TRANS_API_WORKSIZE(
–DATA_TYPE
Synonyms Include: –DETECT, –BINARY, –TEXT, –DETECTX
This command specifies that files for compression are either binary, text, or detectable. If the modifier is (BINARY), no translation is performed on the files. If the modifier is (TEXT), the files selected for compression are treated as text and are translated from EBCDIC to ASCII before compression. If neither of these is specified, the program makes a determination (DETECT) based on the existing data type. The program reads in a portion of the data, evaluates it, and determines the appropriate process.
–DATA_TYPE(DETECT|BINARY|TEXT|DETECTX)
If you know the file type, you can save processing time by specifying DATA_TYPE(BINARY), DATA_TYPE(TEXT), or DATA_TYPE(BINARY) with SAVE_LRECL(Y).
In PKZIP Processing
When specifying –DATA_TYPE(BINARY): No translation of the data is performed, and record terminators are not inserted. A binary file contains no delimiters between records and should only be used when the target system (for UNZIP) will be able to handle the EBCDIC format. Variable length files should be processed with the addition of the SAVE_LRECL(Y) command. This command is commonly used when exchanging files between Systems/390 operating environments, for example, load modules.
When specifying –DATA_TYPE(TEXT): A compressed text file is stored as ASCII (unless otherwise specified with TRANSLATE_TABLE_DATA) and is stored with the specified delimiters (DATA_DELIMITER) and terminator (FILE_TERMINATOR). Note that the translation defaults and delimiter and terminator defaults of a stored text file from PKZIPz make the file compatible with compressed files on other platforms. This enables compressed text files to be extracted onto other platforms.
When specifying –DATA_TYPE(DETECT) or –DATA_TYPE(DETECTX) : PKZIP attempts to dynamically determine whether the data should be translated into TEXT format. A portion of the file (see DATATYPE_DETECT_DEPTH) is examined using the tailorable DETECTXT translation table (see DATATYPE_DETECT_TABLE ) and is compared to the value specified in DATATYPE_TEXT_PERCENT.
In PKUNZIP Processing:
When specifying –DATA_TYPE(BINARY): If the raw format of the data is desired, regardless of whether the originating system ZIPPED the file as TEXT, use this command. Binary processing does not attempt to resolve record delimiters. As a result, the data is streamed into records according to the file allocation specifications. Note that when using PKZIPz to create binary files that are targeted for another MVS system, SAVE_LRECL(Y) can be specified to preserve record lengths.
When specifying –DATA_TYPE(TEXT): The selected file is treated as a text file regardless of the archive directory indicator for the file. This can be used when the originating system is known to have ZIPPED an ASCII text file as binary. To discover what file type exists in the archive directory entry, see the ACTION(VIEW) command. When the PKUNZIP program extracts the selected file, it first translates the character set and then extracts records to the output file as determined by embedded record delimiters. (See DATA_DELIMITER command). The delimiters are not included in the extracted file. If the output file is a fixed record length, then records that exceed the record length will be truncated and records that are smaller than the record length will be filled with EBCDIC spaces (hex 40).
If no delimiters are embedded in the selected file, the command CRLF(N) should also be used. This command directs the PKUNZIP program to not seek out record delimiters but instead use the maximum record size in creating the output.
When specifying –DATA_TYPE(DETECT): The PKZIP archive layout contains an indicator that reflects whether the file was ZIPPED as text. PKZIPz honors that flag when DETECT is specified. This is the default setting. However, there are cases where DETECTX is recommended instead: when TEXT data has been ZIPPED in an ASCII environment with a binary indication, for example when a workstation ZIP-compatible product was used to create the archive.
When specifying –DATA_TYPE(DETECTX): On some platforms, for example, workstations, some ZIP utilities do not set the TEXT indicator although the data was ASCII text. In this situation, DETECTX is recommended so that PKZIPz attempts to dynamically determine whether the data should be translated into EBCDIC TEXT format. A portion of the file (see DATATYPE_DETECT_DEPTH) is examined using the tailorable DETECTXT translation table (see DATATYPE_DETECT_TABLE) and compared to the value specified in DATATYPE_TEXT_PERCENT. (Note that the detection depth is limited in size to the first internal buffer being extracted. This is typically less than 64K).
–DATATYPE_DETECT_DEPTH
Synonyms Include: –DATATYPE_SCAN_DEPTH, –DETECT_DEPTH
This command specifies the distance that a file is scanned before making a determination as to whether it is binary or text. It can be specified as a number of records (1000R) or as a size in bytes (64000), Kilobytes (64K), or Megabytes (4M).
–DATATYPE_DETECT_DEPTH(
determined, a record count is not applicable. The amount of data scanned for DETECTX is also limited to the amount of data returned by the decompression engine (typically a maximum of 64K) and is dynamically rounded down as needed.
–DATATYPE_DETECT_TABLE
Synonyms Include: N/A
This command specifies the table of characters used to assess whether a byte is text or binary. The default table name is DETECTXT.
–DATATYPE_DETECT_TABLE(
–DATATYPE_TEXT_PERCENT
Synonyms Include: N/A
This command specifies the percentage of the sample that must meet the “text” criteria before it will be considered to be TEXT.
–DATATYPE_TEXT_PERCENT(
Given the percentage listed above (97%), a file having 100 records, each containing 80 bytes of text with 2 bytes of additional termination information (total 82 bytes), passes as TEXT:
100 * 82 = 8200 bytes; 8200 * .03 = 246
Thus, 246 bytes of binary data would be required to mark this file as BINARY, but there are only 200.
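The following is an added illustration of the DETECTX decision described above (depth window, text table, and percentage threshold), written for this edit and not taken from PKWARE's product. It assumes a stand-in text table (ASCII printable bytes) in place of the site-tailorable DETECTXT table, assumes 65536 as the "typically less than 64K" buffer cap, and models the 2 termination bytes of the worked example as 0x00 so that they are the 200 non-text bytes. The sample input is constructed to match the example: 100 records, 82 bytes each.

```python
import string

# Assumed stand-in for the tailorable DETECTXT table: byte values counted as
# "text". The product's real table is site-tailorable and not reproduced here.
TEXT_BYTES = frozenset(string.printable.encode("ascii"))

# The manual says the DETECTX scan is limited to the first decompression
# buffer, "typically less than 64K"; 65536 is an assumed figure for that cap.
MAX_SCAN_BUFFER = 64 * 1024


def parse_detect_depth(spec):
    """Parse a DATATYPE_DETECT_DEPTH value such as 1000R, 64000, 64K or 4M.

    Returns (count, unit): unit 'R' for records, 'B' for bytes. K and M are
    taken as 1024 and 1024*1024 (an assumption; the manual does not say).
    """
    spec = spec.strip().upper()
    if spec.endswith("R"):
        return int(spec[:-1]), "R"
    scale = {"K": 1024, "M": 1024 * 1024}
    if spec[-1] in scale:
        return int(spec[:-1]) * scale[spec[-1]], "B"
    return int(spec), "B"


def scan_window(data, depth, record_len=None):
    """Return the slice of data that the detector will look at.

    A record count only applies when records can be determined (modelled here
    as a known fixed record length); otherwise the whole buffer is used. In
    every case the window is rounded down to the buffer cap.
    """
    count, unit = parse_detect_depth(depth)
    if unit == "R":
        limit = count * record_len if record_len else len(data)
    else:
        limit = count
    return data[: min(limit, MAX_SCAN_BUFFER)]


def detect_data_type(data, depth="64K", text_percent=97, record_len=None):
    """Classify the sample as TEXT when at least text_percent of its bytes
    are in the text table, otherwise BINARY. Integer arithmetic keeps the
    exact 97% boundary from being lost to floating-point rounding."""
    sample = scan_window(data, depth, record_len)
    if not sample:
        return "BINARY"          # nothing to judge; treat as raw data
    text_count = sum(1 for b in sample if b in TEXT_BYTES)
    return "TEXT" if text_count * 100 >= text_percent * len(sample) else "BINARY"


def build_sample(extra_binary=0):
    """Constructed input mirroring the manual's example: 100 records of 80
    text bytes plus 2 bytes of termination data. The terminators are modelled
    as 0x00 (an assumption) so that they are the 200 non-text bytes. Setting
    extra_binary overwrites that many text bytes with 0x00 to probe the
    threshold while keeping the 8200-byte total."""
    data = bytearray((b"A" * 80 + b"\x00\x00") * 100)
    for i in range(extra_binary):
        data[i * 82] = 0         # first byte of successive records
    return bytes(data)


if __name__ == "__main__":
    sample = build_sample()
    print(len(sample), detect_data_type(sample))            # 8200 TEXT
    print(detect_data_type(build_sample(extra_binary=46)))  # TEXT (exactly 97%)
    print(detect_data_type(build_sample(extra_binary=47)))  # BINARY (247 > 246)
```

With 200 non-text bytes out of 8200 the sample is classified TEXT; raising the non-text count to 246 still passes (exactly 97.0% text), and 247 tips it to BINARY, which is the boundary the manual's arithmetic describes. The integer comparison is deliberate: a floating-point percentage could misclassify a file sitting exactly on the threshold.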
–DDNAME_PARMLIB
Synonyms Include: N/A
This command specifies the name of the JCL DD statement used to read the preset commands which are read before the //SYSIN member.
–DDNAME_PARMLIB(
–DDNAME_SYSIN
Synonyms Include: N/A
This command specifies the name of the JCL DD statement used to identify the SYSIN member. It can go into the defaults module to specify which DDname to open to read job level commands.
–DDNAME_SYSIN(
–DDNAME_SYSPRINT
Synonyms Include: N/A
This command specifies the name of the JCL DD statement used to identify where messages will be written.
–DDNAME_SYSPRINT(
–DDNAME_ZPSORTIN
Synonyms Include: N/A
This command specifies the name of the JCL DD statement used for sorting directory information associated with VIEW processing. This should not need to be changed unless the name conflicts with other JCL allocation used in the same job step.
–DDNAME_ZPSORTIN(
Note: The value specified for –TEMP_UNIT is used to allocate a temporary work file with this DD.
–DDNAME_ZPSORTOUT
Synonyms Include:
This command specifies the name of the JCL DD statement used for sorting directory information associated with ACTION(VIEW) processing. This should not need to be changed unless the name conflicts with other JCL allocation used in the same job step.
–DDNAME_ZPSORTOUT(
–ECHO
Synonyms Include: –NOECHO
Commands used for the PKZIP and PKUNZIP programs are put into the output message data set when ECHO(Y) is specified. This is the default setting.
–ECHO(Y|N)
Y - YES - Log all output messages to SYSOUT.
N - NO - Do not log output messages to SYSOUT.
One would use ECHO(Y) if the ECHO(N) command had previously been used (either in the configuration module or through the JCL) to suppress output messages. Then the commands that are output begin with the ECHO(Y) command itself. Since the ECHO command is processed before it is activated, errors in this line would not appear in the output message data set.
–ENCRYPT_CERT_LIMIT
Synonyms Include: N/A
Requires SecureZIP Advanced Encryption Module
ENCRYPT_CERT_LIMIT(0|1-3275)
This command assists in restricting the number of certificates being used to represent a user or organization for each encrypted file. The limit number can be used to avoid long LDAP searches for generic search criteria that could consume virtual storage and processing resources. In addition, it can be used to allow processing to continue even if the limit is reached. When the LDAP search requests are found to exceed a specified non-zero value, ZIP processing will continue with the number of certificates found. When zero (0) is specified, then the default maximum value of 3275 is used. Under this condition, if the maximum limit is reached, ZIP processing will terminate.
–ENCRYPTION_METHOD
Synonyms Include: –AES128 | –AES192 | –AES256 | –BSAFE_AES128 | –BSAFE_AES192 | –BSAFE_AES256 | –BSAFE_DES | –BSAFE_3DES | –BSAFE_RC4
☺ - Cross Platform Compatible command (iSeries, OS/400, UNIX, and Windows).
Requires SecureZIP
When a ZIP action is requested to save a file in an archive and a password is provided, SecureZIP for zSeries will use an encryption method to protect the data. This command value specifies which algorithm is to be employed.
Standard - This algorithm is the original algorithm used in PKZIP 2.x products and is compatible with other PKZIP 2.04g products that support standard encryption. This is the default value for password-only encryption unless the installation defaults module has been tailored differently.
AES128 - A SECZIP exclusive implementation of the AES 128-bit key algorithm (also known as Rijndael) will be used.
AES192 - A SECZIP exclusive implementation of the AES 192-bit key algorithm.
AES256 - A SECZIP exclusive implementation of the AES 256-bit key algorithm.
BSAFE_AES128 - A SECZIP implementation of the RSA Security, Inc. CERT-C AES 128-bit key algorithm. When Recipient-based encryption is requested, this will be the default encryption method unless the installation defaults module has been tailored differently.
BSAFE_AES192 - A SECZIP implementation of the RSA Security, Inc. CERT-C AES 192-bit key algorithm.
BSAFE_AES256 - A SECZIP implementation of the RSA Security, Inc. CERT-C AES 256-bit key algorithm.
BSAFE_DES - A SECZIP implementation of the RSA Security, Inc. CERT-C DES key algorithm.
BSAFE_3DES - A SECZIP implementation of the RSA Security, Inc. CERT-C Triple DES key algorithm.
BSAFE_RC4 - A SECZIP implementation of the RSA Security, Inc. CERT-C RC4 key algorithm.
Usage Notes:
• SECZIP/PKUNZIP will automatically detect which encryption method was specified during the ZIP process and operate accordingly.
• During a SECZIP (ZIP) run, only 1 encryption method may be specified, and that method will be used for each file operated on.
• By executing SECZIP at different times, various files within the archive may be saved with differing levels (and types) of protection. That is, some files may not be protected at all, while others may have different methods and/or passwords.
• A “+” is shown in a View to indicate Standard Encryption protection is used for a file.
• A “!” is shown in a View to indicate Strong Encryption protection is used for a file.
• When specifying long passwords (requiring multiple control records) do not use the “+” continuation character (because it supplies an implicit blank in the command stream).
• This enhanced feature for ADD, UPDATE, and FRESHEN applies to standard ZIP archives and not GZIP.
–EXCLUDE(dsname mask)
Synonyms Include: N/A
This parameter has no equivalent. It is a new command. When selecting a large number of files via a mask selection it may be useful to eliminate some of the files from being processed, for example, GDGs, ZIP archives, or other special files that can be identified by their data set naming conventions. See also: –SELECT_TAPE, –SELECT_VSAM, –SELECT_CATALOGED_ALIAS, and –RECALL_TO_ZIP for other selection-restricting capabilities. The dsname mask may be a fully qualified file name or a masked name (similar to data set selection names) of 1 to 80 characters. (Embedded blanks in an MVS dsname for ZIP processing will truncate the mask.)
Multiple EXCLUDE commands may be specified in an execution. A table is built from all of the commands found and is scanned for a match against a candidate file for selection. The file will be excluded if ANY of the masks is a match. Note that there is no default for this command, nor can one be specified in the ACZDFLT module. This is a run-time only command, although it may be specified through the PARMLIB DD or EXEC parms (including a parm string from a calling program) in addition to SYSIN.
Example: Assume that PDS SYS1.PARMLIB contains members CLOCK01, CLOCK02, CLOCK11, and CLOCK13. If the following commands were issued for SECZIP:
SYS1.PARMLIB(CLOCK*)
–EXCLUDE=SYS1.PARMLIB(*11)
Member CLOCK11 would be excluded from the ZIP process, while the other members would be processed.
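The selection rule above (build a table from every EXCLUDE mask, exclude a candidate when any mask matches, truncate a mask at an embedded blank, cap it at 80 characters), as an added example written for this edit and not PKWARE's code. The manual only says masks are "similar to data set selection names", so this example assumes the single wildcard `*` (any run of characters) and matches the whole name; the member list is constructed to mirror the manual's CLOCK example.

```python
import re

MAX_MASK_LEN = 80   # the manual: a mask is 1 to 80 characters


def normalise_mask(mask):
    """Apply the two rules the manual states for an EXCLUDE mask: an embedded
    blank truncates the mask, and it is at most 80 characters long."""
    mask = mask.strip().split(" ", 1)[0]
    return mask[:MAX_MASK_LEN].upper()


def mask_matches(mask, dsname):
    """Match a dsname against a mask. Only '*' (any run of characters) is
    modelled; this is an assumption about the mask syntax, which the manual
    describes only as 'similar to data set selection names'."""
    pattern = ".*".join(re.escape(part) for part in normalise_mask(mask).split("*"))
    return re.fullmatch(pattern, dsname.upper()) is not None


def select_files(candidates, select_mask, exclude_masks):
    """Reproduce the selection rule: a candidate is processed when it matches
    the selection mask and is dropped when ANY exclude mask matches it."""
    table = [normalise_mask(m) for m in exclude_masks]   # built once, scanned per file
    chosen = []
    for name in candidates:
        if not mask_matches(select_mask, name):
            continue
        if any(mask_matches(m, name) for m in table):
            continue
        chosen.append(name)
    return chosen


MEMBERS = [   # constructed to mirror the manual's example
    "SYS1.PARMLIB(CLOCK01)", "SYS1.PARMLIB(CLOCK02)",
    "SYS1.PARMLIB(CLOCK11)", "SYS1.PARMLIB(CLOCK13)",
]

if __name__ == "__main__":
    print(select_files(MEMBERS, "SYS1.PARMLIB(CLOCK*)", ["SYS1.PARMLIB(*11)"]))
```

Running it prints the three members other than CLOCK11. Because the exclude table is consulted with `any`, adding a second mask such as `SYS1.PARMLIB(*13)` removes CLOCK13 as well, and a mask containing a blank is silently cut at the blank, which is the behaviour an operator should expect when a mask appears not to take effect.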
–EXTRACT_PREVIEW
Synonyms Include: –PREVIEW
When the contents of a large archived file are unknown, it may be useful to extract a small portion of the file for the purpose of previewing the data. The EXTRACT_PREVIEW(nnnnnnnn) command limits the number of records to extract and can save a considerable amount of time in assessing data content.
–EXTRACT_PREVIEW(
The parameter value specifies the maximum number of records to extract. If the value is either 0 (or not supplied) then the entire file is extracted.
–FILE_BUSY_WAITTIME
Synonyms Include: N/A
This command specifies how long PKZIPz should wait while continually retrying before it will terminate and give an error message or go on to further processing.
–FILE_BUSY_WAITTIME(
HHMMSSTH:
HH - Hours
MM - Minutes
SS - Seconds
T - Tenths of a second
H - Hundredths of a second
00100000: 10 minutes is the default
–FILE_EXTENSION
Synonyms Include: –CNVEXT
☺ - Cross Platform Compatible command (iSeries, OS/400, UNIX, and Windows).