IBM Europe Announcement ZP07-0335, dated August 7, 2007 IBM z/OS V1.9 delivers a highly secure infrastructure you need for your demanding data serving requirements Key prerequisites .......................................3 At a glance Description .................................................3 Product positioning .................................. 18 With z/OS V1.9, IBM introduces: Statements of direction ............................18 Reference information ............................. 20 • A revised and expanded Statement of z/OS System Integrity • Support for up to 54 engines in a single image • Simplified and centralized policy-based networking • Advancements in ease of use for both new and existing IT professionals coming to z/OS • Support for zIIP-assisted IPSec, and support for eligible portions of DB2 9 XML parsing workloads to be offloaded to zAAP processors • Expanded options for AT-TLS and System SSL network security • Improved creation and management of digital certificates with RACF, SAF, and z/OS PKI Services • Additional centralized ICSF encryption key management functions for applications • Support for new IBM Tivoli Directory Server for z/OS (originally available first quarter 2007 with z/OS V1.8) • Improved availability with Parallel Sysplex and Coupling Facility improvements • Enhanced application development and integration with new System REXX facility, Metal C facility, and z/OS UNIX® System Services commands • Enhanced Workload Manager in managing discretionary work and zIIP and zAAP workloads Overview With z/OS® V1.9, IBM delivers functionality that continues to solidify System z™ leadership as the premier data server. z/OS V1.9 offers enhancements in the areas of security, networking, scalability, availability, application development, integration, and improved economics with more exploitation for specialty engines. But why do System z and z/OS persist as such a phenomenal data-serving platform? The platform's classic strengths come to mind, but at the root of these classic capabilities — a foundational element of the platform — is z/OS's tight interaction with the System z hardware and its high level of system integrity. First issued in 1973, IBM's MVS™ System Integrity Statement and subsequent statements for IBM OS/390® and z/OS have stood for three decades as a symbol of IBM's confidence in and commitment to the z/OS operating system. Today, IBM reaffirms its commitment to z/OS System Integrity. IBM Europe Announcement ZP07-0335 IBM is a registered trademark of International Business Machines Corporation 1 IBM's commitment includes designs and development practices intended to prevent unauthorized application programs, subsystems, and users from bypassing z/OS security — that is, to prevent them from gaining access to, circumventing, disabling, altering, or obtaining control of key z/OS system processes and resources unless allowed by the installation. Specifically, z/OS "System Integrity" is defined as the inability of any program not authorized by a mechanism under the installation's control to circumvent or disable store or fetch protection, access a resource protected by the z/OS Security Server (RACF®), or obtain control in an authorized state; that is, in supervisor state, with a protection key less than 8, or Authorized Program Facility (APF) authorized. In the event that an IBM System Integrity problem is reported, IBM will always take action to resolve it. IBM's long-term commitment to System Integrity is unique in the industry, and forms the basis of z/OS's industry leadership in system security. z/OS is designed to help you protect your system, data, transactions, and applications from accidental or malicious modification. This is one of the many reasons System z remains the industry's premier data server for mission-critical workloads. Building on the solid foundation of z/OS System Integrity, IBM has added more security capabilities to z/OS V1.9 to help you protect your data. z/OS V1.9 has enhanced PKI Services and RACF to help improve the creation, authentication, renewal, and management of digital certificates for user and device authentication. In addition, the z/OS Integrated Cryptographic Service Facility (ICSF) is planned to be enhanced to include the PKCS#11 standard. ICSF is part of the base of z/OS mainframe encryption, which enables you to encrypt and decrypt data, generate and manage cryptographic keys, and perform other cryptographic functions dealing with data integrity and digital signatures. By adopting the PKCS#11 standard, ICSF enables the strength of mainframe encryption, and secure centralized key management can be brought to and used by Web-based application and networking environments more easily. z/OS V1.9 adds enhancements to help secure your network traffic, including additional exploiters for z/OS System SSL and Application Transparent — Transport Layer Security (AT-TLS). z/OS can also help you secure network traffic using IP Security (IPSec). And to make IPSec a more attractive option, the z/OS Communications Server has been enhanced to allow IPSec processing to take advantage of IBM System z9™ Integrated Information Processors (zIIPs) — in effect, making the zIIP a high-speed encryption engine. This is designed to allow you to take advantage of IPSec network security to protect your valuable business transactions and bulk data movement using your z/OS host, but with the cost-saving benefits of zIIP. In addition to supporting network security capabilities such as AT-TLS and IPSec, z/OS has additional enhancements which can help simplify overall network and network security management. The z/OS Communications Server uses a Policy Agent to centrally collect and distribute network settings you define in a simplified, centralized, manageable, and auditable manner. With this ability to provide centralized policy services for network Intrusion Detection Services (IDS), Quality of Service (QoS), IPSec, and AT-TLS, and now with Network Security Services (NSS) and TCP/IP Policy-Based Routing (PBR), you in effect have the ability to customize your network to suit the needs of your applications and data more easily. In addition to its commitment to secure and reliable data serving, z/OS V1.9 also continues to deliver on IBM's commitment to simplify z/OS systems management. This release offers many, many improvements in the areas of problem diagnosis and problem determination; network and security management; and overall z/OS, I/O configuration, sysplex, and storage operations. These improvements are intended to help simplify systems management, to improve application programmer, system programmer, and operator productivity, and to make the functions easier to understand and use. Of course, z/OS V1.9 continues to enhance its classic data-serving strengths. Scalability is improved with new 54-way single image support, and availability is improved with Parallel Sysplex® and Coupling Facility improvements. z/OS Workload Manager has enhanced its capabilities in managing discretionary work and workloads exploiting zIIPs and zAAPs. Support for the robust IBM Tivoli® Directory Server for z/OS (originally available first quarter 2007 with z/OS V1.8) offers a more scalable, more available, and better performing LDAP for z/OS. Furthermore, for those investigating expanding the System z data-serving role to include XML-based service-oriented architecture solutions, z/OS V1.9 now enables part of DB2® 9 XML parsing workloads to be made eligible for zAAP processors — enabling the efficient integration of XML flexibility to data serving excellence. Note: The total number of processors defined in a z/OS logical partition is the sum of general-purpose processors (CPs), System z9 Application Assist Processors (zAAPs), and System z9 Integrated Information Processors (zIIPs). IBM Europe Announcement ZP07-0335 IBM is a registered trademark of International Business Machines Corporation 2 Key prerequisites z/OS V1.9 will run on these IBM System z servers: • z9 BC • z9 EC • z900 • z990 • z800 • z890 For a complete description of z/OS V1.9 software prerequisites, refer to z/OS Planning for Installation (GA22-7504), when available. Planned availability date September 28, 2007 Availability of Programs with encryption algorithm in France is subject to French government approval. Description Ease of use With increased focus on simplifying z/OS for IT professionals, z/OS V1.9 provides improvements in the areas of simplifying diagnosis and problem determination; network and security management; as well as overall z/OS, I/O configuration, sysplex, and storage operations. These improvements can help simplify systems management, improve application programmer, system programmer, and operator productivity, and make the functions easier to understand and use. z/OS V1.9 has made the following systems management improvements: • The new System REXX (SYSREXX) component makes possible execution of REXX routines in an authorized environment. Now SYSREXX execs can be used to automate complex operator commands and other system functions. SYSREXX execs can be invoked by a program interface, and by operator command. IBM will also make this available for z/OS V1.8 and z/OS.e V1.8 via a Web deliverable. • The IBM Health Checker for z/OS has new health checks for z/OS UNIX System Services, TSO/E, the Virtual Storage Manager component of the z/OS BCP, and z/OS Communications Server. In addition, IBM Health Checker for z/OS supports checks that are written in REXX using the new SYSREXX facility available with