IBM Secure Service Container for IBM Cloud Private delivers pervasive encryption and data protection capabilities for hybrid and private cloud containerized workloads on IBM Z and LinuxONE servers

IBM United States Software Announcement 218-152
October 2, 2018



(Corrected on October 9, 2018)

Publications, Hardware requirements, and Software requirements sections are revised.



At a glance


IBM® Secure Service Container for IBM Cloud™ Private provides:

  • Differentiated security to Linux® container-based workloads
  • Protection from misuse of privileged-user system administrator credentials
  • Ability to help ensure only untampered solution images are installed
  • Automatic encryption of data and code in flight and at rest
  • Restricted access to memory and processor state
  • Well-defined interfaces for communication and management to limit host and operating system level environment interaction
  • Deployment of software image into a certified EAL5+ logical partition (LPAR) for workload isolation
  • A deployment flow to help reduce the end user management of low-level execution environment components


Overview

Across all industries, incredible momentum has been built around the use of container technology to enable developers and organizations to more quickly build, integrate, and deliver solutions to market. At the same time, many organizations want to harden their computing environments to minimize the risk of vulnerabilities and attack vectors that can compromise their data.

To help meet the strictest requirements around data protection, IBM launches Secure Service Container for IBM Cloud Private to help deliver a secure computing environment for microservices-based applications. It includes:

  • Tamper protection during installation time
  • Restricted system administrator access to help prevent the misuse of privileged user credentials
  • Automatic encryption of data in flight and at rest to provide differentiated security to containerized middleware and applications that are deployed in hybrid and private clouds

With this technology, applications, when deployed, can take advantage of its inherent security capabilities. Applications can also take advantage of the platform design for certified EAL5+ LPAR separation for isolation of workloads, all within a single server footprint. This enables organizations to drive cost efficiencies through resource sharing, whether between internal departments within the enterprise or across varied organizations that share computing power in a hosted Managed Service Provider (MSP) or Cloud Service Provider (CSP) environment.

By enabling IBM Cloud Private deployment to the Secure Service Container environment, enterprises can harden their mission-critical, highly-sensitive, Docker- and Kubernetes-based workloads with data protection capabilities on one of the industry's most trusted, resilient computing platforms, IBM Z® or IBM LinuxONE™.

In addition, clients and vendors can directly use the IBM Cloud Private platform to help manage and securely deploy their own Docker-based applications and Kubernetes-based applications for a cloud-native, cloud-ready deployment on the platform.

Secure Service Container uses the IBM Continuous Delivery (CD) support model. For additional information on how Secure Service Container uses CD, see the Terms and conditions section.

IBM Cloud Private is a Platform as a Service (PaaS) environment for developing and managing containerized applications. This integrated environment can be deployed behind firewalls and managed or controlled by whomever the enterprise determines. It is built on the container orchestrator Kubernetes, and contains:

  • A private image repository
  • A management console
  • Monitoring, logging, and security frameworks

With a lightweight footprint, yet powerful platform capabilities, IBM Cloud Private enables enterprises to unleash their development creativity by using industry-common technologies and process guidance, in a minimal timeframe.

For additional information on IBM Cloud Private, see Software Announcements:



Key prerequisites

Secure Service Container for IBM Cloud Private requires:

  • One of the following IBM servers¹:
    • z14 (all models²)
    • LinuxONE Emperor II
    • LinuxONE Rockhopper II
  • IBM Cloud Private base infrastructure

¹ For the chosen server platform, clients must order and install the Container Hosting Foundation (feature code 0104). This feature code provides entitlement and support for the Secure Service Container hosting foundation and is orderable by using eConfig.

² IBM recommends Integrated Facility for Linux (IFL) for deployment of Secure Service Container for IBM Cloud Private.

For details, see the Technical information section.



Planned availability date

October 19, 2018: Electronic download



Description

Organizations look to container technology to build and then deploy modern applications to private and hybrid cloud platforms that provide common tooling and management for applications across their enterprise. With greater attack focus on business targets due to the high value of corporate assets and client data, organizations are also challenged to better protect those assets by minimizing the risks that result from vulnerabilities imposed by internal and external threats.

Secure Service Container for IBM Cloud Private is a software solution that is designed to provide differentiated security capabilities to Linux container-based applications that are deployed to IBM Cloud Private running on IBM Z and LinuxONE servers.

This technology enables workloads to exploit the Secure Service Container foundation strengths. The Secure Service Container for IBM Cloud Private is designed for deployment using a trusted boot process, with validation and signatures to check that the software image is untampered. This helps to reduce the risk of malware gaining access to the environment. In addition, the Secure Service Container for IBM Cloud Private is deployed on IBM Z and LinuxONE LPARs, which are certified at an EAL5+ level of peer isolation. This drives a high separation of computing environments on a single-server footprint.

The Secure Service Container for IBM Cloud Private is designed to protect workloads from insider threats by prohibiting privileged user access, namely system administrator or operating system administrator credentialed access, to the environment. This is intended to ensure that only those with the appropriate credentials can access the application data and code deployed in the Secure Service Container for IBM Cloud Private. Additionally, management and communications are implemented through well-defined RESTful APIs to further protect the data flowing in and out of the environment.

Confidentiality of the data and code is designed to be protected through various layers of encryption. In addition, direct system administrator access to the memory and processor state is designed to be prohibited, and communication paths are encrypted.

These capabilities are designed to drive security hardening and data protection within the Secure Service Container for IBM Cloud Private environment for applications deployed to IBM Cloud Private on IBM Z and LinuxONE servers.

Accessibility by people with disabilities

A US Section 508 Accessibility Compliance Report containing details on accessibility compliance can be found on the Product accessibility information website.



Reference information

For information on IBM Cloud Private, see Software Announcements:

For information on the z14 servers, see Hardware Announcements:

For information on the z14 Model ZR1 server, see Hardware Announcements:

For information on the LinuxONE Rockhopper II server, see Hardware Announcements:

For information on the LinuxONE Emperor II server, see Hardware Announcements:



Program number

| Program number | VRM | Program name |
|---|---|---|
| 5737-I09 | 1.1.0 | IBM Secure Service Container |



Offering Information

Product information is available on the IBM Offering Information website.

More information is also available on the Passport Advantage® and Passport Advantage Express® website.



Publications

Technical documentation will be available in IBM Knowledge Center on October 19, 2018.



Services

Software Services

IBM Software Services has the breadth, depth, and reach to manage your services needs. You can leverage the deep technical skills of our lab-based, software services team and the business consulting, project management, and infrastructure expertise of our IBM Global Services team. Also, we extend our IBM Software Services reach through IBM Business Partners to provide an extensive portfolio of capabilities. Together, we provide the global reach, intellectual capital, industry insight, and technology leadership to support a wide range of critical business needs.

To learn more about IBM Software Services, contact your Lab Services Sales or Delivery Leader.



Technical information

Specified operating environment

Hardware requirements

IBM Secure Service Container for IBM Cloud Private is supported on the following hardware platforms:

  • IBM z14™ (all models)
  • LinuxONE Emperor II
  • LinuxONE Rockhopper II

The minimum firmware level required for the supported IBM servers is Driver 32 (2.14.0) Bundle S53.

For any hardware requirements for IBM Cloud Private, see System requirements.

Software requirements

Secure Service Container requires the IBM Cloud Private product for IBM Z or LinuxONE, ordered by choosing either the monthly license or the perpetual part numbers from Passport Advantage for IBM Cloud Private (5737-E67):

| Part number description | Part number |
|---|---|
| IBM Cloud Private Virtual Processor Core for Linux on z System Virtual Processor Core Monthly License | D1VSLLL |
| IBM Cloud Private Virtual Processor Core for Linux on z System Virtual Processor Core License + SW Subscription & Support 12 Months | D1VS3LL |
| IBM Cloud Private for Linux on z System Virtual Processor Core Annual SW Subscription & Support Renewal 12 Months | E0P0FLL |
| IBM Cloud Private for Linux on z System Virtual Processor Core SW Subscription & Support Reinstatement 12 Months | D1VS4LL |

For any software requirements for IBM Cloud Private, see System requirements.

Planning information

Packaging

This offering is delivered through the internet as an electronic download. There is no physical media.

If physical media is required, contact your IBM representative or IBM Business Partner.

Direct client support

Software Subscription and Support (also referred to as Software Maintenance) is included with licenses purchased through Passport Advantage and Passport Advantage Express. Product upgrades and technical support are provided by the Software Subscription and Support offering as described in the Agreements. Product upgrades provide the latest versions and releases to entitled software, and technical support provides voice and electronic access to IBM support organizations, worldwide.

IBM includes one year of Software Subscription and Support with each program license acquired. The initial period of Software Subscription and Support can be extended by the purchase of a renewal option, if available.

Security, auditability, and control

Secure Service Container for IBM Cloud Private provides unique security for applications running in its environment and controls to protect against misuse of privileged user credentials in the IT environment. Auditability capability may be made available through the base IBM Cloud Private offering or associated software components.

The client is responsible for evaluation, selection, and implementation of security features, administrative procedures, and appropriate controls in application systems and communication facilities.



Ordering information

For ordering information, consult your IBM representative or IBM Business Partner, or go to the Passport Advantage website.

This product is only available through Passport Advantage. It is not available as shrinkwrap.

These products may only be sold directly by IBM or by IBM Business Partners for Channel Value Rewards.

More information can be found on the IBM Channel Value Rewards website.

To locate IBM Business Partners for Channel Value Rewards in your geography for a specific Channel Value Rewards portfolio, go to the Find a Business Partner page.

Product group: IBM Systems

Product: IBM Secure Service Container (5737-I09)

Product category: IBM Z Systems


Passport Advantage

IBM Secure Service Container (5737-I09)

| Program name/Description | Part number |
|---|---|
| IBM Secure Service Container for IBM Cloud Private Virtual Processor Core (VPC) License + SW Subscription & Support 12 Months | D1XG3LL |
| IBM Secure Service Container for IBM Cloud Private VPC Annual SW Subscription & Support Renewal 12 Months | E0PBULL |
| IBM Secure Service Container for IBM Cloud Private VPC SW Subscription & Support Reinstatement 12 Months | D1XG4LL |


Cross-platform product for use on IBM Z or LinuxONE Integrated Facility for Linux (IFL) engines

Order the appropriate part numbers when the product is intended to run on the Linux operating system on IBM Z or LinuxONE servers with IBM Integrated Facility for Linux (IFL) engines.

IBM Secure Service Container (5737-I09)

| Program name/Description | Part number |
|---|---|
| IBM Secure Service Container for IBM Cloud Private for Linux on IBM Z VPC License + SW Subscription & Support 12 Months | D1XI6LL |
| IBM Secure Service Container for IBM Cloud Private for Linux on IBM Z VPC Annual SW Subscription & Support Renewal 12 Months | E0PC9LL |
| IBM Secure Service Container for IBM Cloud Private for Linux on IBM Z VPC SW Subscription & Support Reinstatement 12 Months | D1XI7LL |

Charge metric

For IBM Secure Service Container charge metrics, see the following License Information document on the IBM Software License Agreement website.

| Program name | Part number or PID number | License Information document number |
|---|---|---|
| IBM Secure Service Container | 5737-I09 | L-DHEN-AA3RPS |

Select your language of choice and scroll down to the Charge Metrics section.



Terms and conditions

The information provided in this announcement letter is for reference and convenience purposes only. The terms and conditions that govern any transaction with IBM are contained in the applicable contract documents such as the IBM International Program License Agreement, IBM International Passport Advantage Agreement, and the IBM Agreement for Acquisition of Software Maintenance.

This product is only available through Passport Advantage.

Licensing

IBM International Program License Agreement including the License Information document and Proof of Entitlement (PoE) govern your use of the program. PoEs are required for all authorized use. Part number products only, offered outside of Passport Advantage, where applicable, are license only and do not include Software Maintenance.

This software license includes Software Subscription and Support (also referred to as Software Maintenance).

Software Maintenance

Licenses under the IBM Program License Agreement (IPLA) and the associated Agreement for Acquisition of Software Maintenance provide for support with ongoing access to releases and versions of the program. IBM includes one year of Software Subscription and Support (also referred to as Software Maintenance) with the initial license acquisition of each program acquired. The initial period of Software Subscription and Support can be extended by the purchase of a renewal option, if available. Two charges apply: a one-time license charge for use of the program and an annual renewable charge for the enhanced support that includes telephone assistance (voice support for defects during normal business hours), as well as access to updates, releases, and versions of the program as long as support is in effect.

License Information number

The following License Information documents apply to the offering in this announcement:

| Program name | LI number |
|---|---|
| IBM Secure Service Container | L-DHEN-AA3RPS |

Select your language of choice. Follow-on releases, if any, may have updated terms. See the License Information documents website for more information.

Limited warranty applies

Yes

Limited warranty

IBM warrants that when the program is used in the specified operating environment, it will conform to its specifications. The warranty applies only to the unmodified portion of the program. IBM does not warrant uninterrupted or error-free operation of the program or that IBM will correct all program defects. You are responsible for the results obtained from the use of the program.

IBM provides you with access to IBM databases containing information on known program defects, defect corrections, restrictions, and bypasses at no additional charge. For further information, see the IBM Software Support Handbook.

IBM will maintain this information for at least one year after the original licensee acquires the program (warranty period).

Program technical support

Technical support of a program product version or release will be available for a minimum of one year from the general availability date, as long as your Software Subscription and Support (also referred to as Software Maintenance) is in effect.

This technical support allows you to obtain assistance (by telephone or electronic means) from IBM for product-specific, task-oriented questions regarding the installation and operation of the program product. Software Subscription and Support (Software Maintenance) also provides you with access to versions, releases, and updates (CD releases, Long Term Support Releases or fixes) of the program. You will be notified, through an announcement letter, of discontinuance of support with six months' notice. If you require additional technical support from IBM, including an extension of support beyond the discontinuance date, contact your IBM representative or IBM Business Partner. This extension may be available for a fee.

For additional information on the IBM Software Support Lifecycle Policy, see the IBM Software Support Lifecycle Policy website.

Money-back guarantee

If for any reason you are dissatisfied with the program and you are the original licensee, you may obtain a refund of the amount you paid for it, if within 30 days of your invoice date you return the program and its PoE to the party from whom you obtained it. If you downloaded the program, you may contact the party from whom you acquired it for instructions on how to obtain the refund.

For clarification, note that (1) for programs acquired under the IBM International Passport Advantage offering, this term applies only to your first acquisition of the program and (2) for programs acquired under any of IBM's On/Off Capacity on Demand (On/Off CoD) software offerings, this term does not apply since these offerings apply to programs already acquired and in use by you.

Volume orders (IVO)

No

Passport Advantage applies

Yes, information is available on the Passport Advantage and Passport Advantage Express website.

Usage restrictions

Yes

For any usage restrictions, see the license information documents as listed in the Terms and conditions section.

Software Subscription and Support applies

Yes. Software Subscription and Support, also referred to as Software Maintenance, is included with licenses purchased through Passport Advantage and Passport Advantage Express. Product upgrades and Technical Support are provided by the Software Subscription and Support offering as described in the Agreements. Product upgrades provide the latest versions and releases to entitled software, and Technical Support provides voice and electronic access to IBM support organizations, worldwide.

IBM includes one year of Software Subscription and Support with each program license acquired. The initial period of Software Subscription and Support can be extended by the purchase of a renewal option, if available.

While your Software Subscription and Support is in effect, IBM provides you assistance for your routine, short duration installation and usage (how-to) questions, and code-related questions. IBM provides assistance by telephone and, if available, electronic access, only to your information systems (IS) technical support personnel during the normal business hours (published prime shift hours) of your IBM support center. (This assistance is not available to your users.) IBM provides Severity 1 assistance 24 hours a day, 7 days a week. For additional details, see the IBM Software Support Handbook. Software Subscription and Support does not include assistance for the design and development of applications, your use of programs in other than their specified operating environment, or failures caused by products for which IBM is not responsible under the applicable agreements.

Unless specified otherwise in a written agreement with you, IBM does not provide support for third-party products that were not provided by IBM. Ensure that when contacting IBM for covered support, you follow problem determination and other instructions that IBM provides, including in the IBM Software Support Handbook.

For additional information about the International Passport Advantage Agreement and the IBM International Passport Advantage Express Agreement, go to the Passport Advantage and Passport Advantage Express website.

Other support

Passport Advantage

Variable charges apply

No

Educational allowance available

Not applicable.



Statement of good security practices

IT system security involves protecting systems and information through intrusion prevention, detection, and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, or misappropriated or can result in misuse of your systems to attack others. Without a comprehensive approach to security, no IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a regulatory compliant, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products, or services to be most effective.

Important: IBM does not warrant that any systems, products, or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.



Prices


Business Partner information

If you are an IBM Business Partner acquiring products from IBM, you may link to Passport Advantage Online for resellers where you can obtain Business Partner pricing information. An IBMid and password are required to access the IBM Passport Advantage website.


Passport Advantage

For Passport Advantage information and charges, contact your IBM representative or IBM Business Partner for Channel Value Rewards. Additional information is also available on the Passport Advantage and Passport Advantage Express website.

IBM Global Financing

IBM Global Financing offers competitive financing to credit-qualified clients to assist them in acquiring IT solutions. Offerings include financing for IT acquisition, including hardware, software, and services, from both IBM and other manufacturers or vendors. Offerings (for all client segments: small, medium, and large enterprise), rates, terms, and availability can vary by country. Contact your local IBM Global Financing organization or go to the IBM Global Financing website for more information.

IBM Global Financing offerings are provided through IBM Credit LLC in the United States, and other IBM subsidiaries and divisions worldwide to qualified commercial and government clients. Rates are based on a client's credit rating, financing terms, offering type, equipment type, and options, and may vary by country. Other restrictions may apply. Rates and offerings are subject to change, extension, or withdrawal without notice.

Financing from IBM Global Financing helps you preserve cash and credit lines, enables more technology acquisition within current budget limits, can help accelerate implementation of economically attractive new technologies, offers payment and term flexibility, and can help match project costs to projected benefits. Financing is available worldwide for credit-qualified clients.



Order now

To order, contact the IBM Digital Sales Center, your local IBM representative, or your IBM Business Partner. To identify your local IBM representative or IBM Business Partner, call 800-IBM-4YOU (426-4968). For more information, contact the IBM Digital Sales Center.

Phone: 800-IBM-CALL (426-2255)

Fax: 800-2IBM-FAX (242-6329)

For IBM representative: askibm@ca.ibm.com

For IBM Business Partner: pwcs@us.ibm.com

IBM Digital Sales Offices
1177 S Belt Line Rd
Coppell, TX 75019-4642, US

The IBM Digital Sales Center, our national direct marketing organization, can add your name to the mailing list for catalogs of IBM products.


Note: Shipments will begin after the planned availability date.


IBM Channel Value Rewards

The product in this announcement is available to Business Partners who resell through open distribution.

Additions to CVR will be communicated through standard product announcements. To determine what IBM software is available under CVR, see the IBM Passport Advantage Online for IBM Business Partners website.

For questions regarding CVR, see the IBM Channel Value Rewards website.

Trademarks

IBM Cloud, IBM LinuxONE and IBM z14 are trademarks of IBM Corporation in the United States, other countries, or both.

IBM, IBM Z, Passport Advantage, PartnerWorld and Express are registered trademarks of IBM Corporation in the United States, other countries, or both.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Other company, product, and service names may be trademarks or service marks of others.

Terms of use

IBM products and services which are announced and available in your country can be ordered under the applicable standard agreements, terms, conditions, and prices in effect at the time. IBM reserves the right to modify or withdraw this announcement at any time without notice. This announcement is provided for your information only. Additional terms of use are located at Terms of use.

For the most current information regarding IBM products, consult your IBM representative or reseller, or go to the IBM worldwide contacts page.