IBM Encryption Facility for z/VSE, V1.1.0 helps secure data
IBM United States
Software Announcement 207-229
October 9, 2007
IBM Encryption Facility for z/VSE can help you:
- Secure business and customer data
- Address regulatory requirements
- Protect data from loss and inadvertent or deliberate compromise
- Enable sharing of sensitive information across platforms with partners, vendors, and customers
- Enable decrypting and encrypting of data to be exchanged between z/VSE and non-z/VSE platforms
For ordering, contact:
Your IBM representative, an IBM Business Partner, or IBM Americas Call Centers at 800-IBM-CALL (Reference: LE001).
Businesses today are focused on the importance of securing customer and business data from loss and
inadvertent or deliberate compromise. In addition, increasing regulatory requirements are driving
the need for data security. The IBM Encryption Facility for z/VSE® applies the powerful
encryption capabilities of the IBM mainframe to allow you to encrypt sensitive information to be
exchanged with your partners, suppliers, and customers.
The Encryption Facility for z/VSE Version 1 Release 1 feature is designed to be compatible with the
Encryption Facility System z format provided as part of the Encryption Services feature in
Encryption Facility for z/OS® V1.1 and V1.2 (5655-P97). It allows you to exchange an encrypted
file between your internal mainframe data centers, or exchange an encrypted file with your external
business partners and vendors who have installed any of the following: Encryption Facility for
z/VSE feature, Encryption Facility for z/OS Encryption Services feature (using System z format), or
the no-charge Encryption Facility for z/OS Client Web download (either Java-based client or
Decryption Client for z/OS). The Encryption Facility for z/VSE V1.1 is packaged as an optional,
priced feature of VSE Central Functions V8.1 (5686-CF8).
Reference: Software Announcement 207-003, dated January 9, 2007.
Refer to the Hardware requirements and Software requirements sections for details.
November 30, 2007
The need for creating secure copies of business data is a critical security concern. Encrypting
data that can be recovered at any time offers a high degree of privacy protection from unwanted
access. Encryption Facility (EF) for z/VSE may help provide this protection by offering encryption
of data for exchange between different systems and platforms and for archiving and backup purposes.
Encryption Facility for z/VSE is a priced optional feature. Support includes, but is not limited
to:
- Password-based encryption of session keys
- Data encryption with a randomly generated symmetric session key using AES-128 or Triple-DES
  algorithms
- Asymmetric encryption of randomly generated symmetric keys using the RSA algorithm with key lengths
  of 512-bit and 1024-bit (requires TCP/IP for VSE/ESA V1.5E)
- Asymmetric encryption of randomly generated symmetric keys using the RSA algorithm with key length
  of 2048-bit (requires TCP/IP for VSE/ESA V1.5E and a Crypto Express2, PCIXCC, or higher, crypto
  feature)
- Encryption of single SAM files, VSAM files, or VSE Library members
- Encryption of virtual or real tapes
- Support of hardware-accelerated compression before encryption
- Encryption of complete backups made with any backup tool either from IBM or vendors
- Output of encrypted data on disk, virtual tape, or real tape
The CP Assist for Cryptographic Function (CPACF), available on IBM eServer® z890 and z990 and IBM
System z9 EC and z9 BC servers, is required. In addition, the Encryption Facility for z/VSE
exploits IBM System z hardware technology, including hardware-assisted compression and Crypto
Express2.
The Encryption Facility for z/VSE is designed to be compatible with the Encryption Facility System z
format provided as part of the Encryption Services feature in Encryption Facility for z/OS V1.1 and
V1.2 (5655-P97). This support allows you to exchange an encrypted file created by Encryption
Facility for z/VSE or z/OS between your internal data centers in conjunction with your external
business partners and vendors who have installed any of the following: Encryption Facility for
z/VSE feature, Encryption Facility for z/OS Encryption Services feature (using System z format), or
the no-charge Encryption Facility for z/OS Client Web download (either Java-based Client or
Decryption Client for z/OS). The Encryption Facility for z/VSE is not designed to support the data
format of the Encryption Facility for z/OS DFSMSdss Encryption feature or the OpenPGP format of
the Encryption Facility for z/OS Encryption Services feature.
Customers can use the Encryption Facility for z/OS Client, which runs on non-VSE platforms, to
decrypt data that has been encrypted with Encryption Facility for z/VSE. The Encryption Facility
for z/OS Client is not part of the Encryption Facility for z/VSE package.
The Encryption Facility for z/OS Client is a no-cost, separately licensed program (which is offered
as is, with no warranty) and is designed to enable the exchange of encrypted data between z/OS
systems that have the Encryption Facility installed and systems running on z/OS and other platforms
that need the supported functions. The Encryption Facility for z/OS Client consists of the
following:
- Java-based Client. The Java-based Client can be used on z/OS and any platform that supports Java.
  The Java-based Client supports both the decryption of data that was created on a z/OS or z/VSE
  system using the Encryption Facility System z format, and the encryption of data to be sent to a
  z/OS or z/VSE system, where the file will be decrypted using the Encryption Facility System z
  format. Note that Java is not available on z/VSE platforms.
- Decryption Client for z/OS. The Decryption Client for z/OS is supported on z/OS systems only. The
  Decryption Client for z/OS supports decryption of data that was created on a z/OS or z/VSE system
  using the Encryption Facility System z format.
You can download the Encryption Facility for z/OS Client from
For a detailed description of the Encryption Facility for z/OS, refer to Software Announcement 207-008, dated January 16, 2007.
Note:
The terms and conditions for the no-charge Encryption Facility for z/OS
Client only allow the use of the Encryption Facility for z/OS Client for
decrypting information or data that was encrypted by IBM's Encryption
Facility for z/OS or IBM's Encryption Facility for z/VSE, or for
encrypting information or data to be decrypted by IBM's Encryption
Facility for z/OS or IBM's Encryption Facility for z/VSE.
The following table shows possible choices:

                                Decrypt data using System z format with:
Encrypt data using              Encryption Services       EF for    Decryption Client   Java-based
System z format with:           feature of EF for z/OS    z/VSE     for z/OS            Client

Encryption Services feature
of EF for z/OS                  x                         x         x                   x
EF for z/VSE                    x                         x         x                   x
Java-based Client               x                         x         -                   -

x  Permitted
-  Not permitted per Terms and Conditions
Helping to protect data (such as private personal information) from loss
and inadvertent or deliberate compromise is a critical concern for
businesses. To help address this issue, IBM Encryption Facility for
z/VSE extends the scope of IBM's mainframe encryption capabilities to
support the exchange of encrypted files with business partners.
The Encryption Facility for z/VSE complements the tape encryption
solution provided by IBM's System Storage TS1120 tape drives. The
TS1120 tape drive, with encryption enabled, is designed to provide a data
protection solution that has the ability to off-load the encryption
processing from the server to the tape drive. It is designed to provide
a cost-effective encryption solution for the large volumes of data
involved in data archive and backup activities.
While the Encryption Facility for z/VSE can be used to encrypt tapes
intended for data archive, the TS1120 is the preferred solution for uses
such as archive, backup, or internal exchange. The Encryption Facility
for z/VSE provides a highly flexible solution for exchanging encrypted
tapes with your business partners that do not have an encrypting TS1120
drive.
Hardware and software support services
SmoothStart and Installation Services:
IBM SmoothStart and Installation Services are not provided.
Refer to Software Announcement 207-003, dated January 9, 2007, IBM z/VSE V4.
Business Partner information
If you are a Direct Reseller - System Reseller acquiring products from IBM, you may link directly to
Business Partner information for this announcement. A PartnerWorld ID and password are required
(use IBM ID).
BP Attachment for Announcement Letter 207-229
Trademarks
- System z, VSE/ESA, System z9, DFSMSdss, System Storage, and SmoothStart are trademarks of
  International Business Machines Corporation in the United States or other countries or both.
- z/VSE, z/OS, and eServer are registered trademarks of International Business Machines Corporation in
  the United States or other countries or both.
- Java is a trademark of Sun Microsystems, Inc.
- Other company, product, and service names may be trademarks or service marks of others.
Specified operating environment
Hardware requirements
The Encryption Facility for z/VSE® will operate on the following IBM servers:
- IBM System z9 Enterprise Class
- IBM System z9 Business Class
- IBM eServer® zSeries® 990
- IBM eServer zSeries 890
The cryptographic options for Encryption Facility for z/VSE have the following requirements:
- For the PASSWORD option, use CPACF only.
- For the Clear-TDES and Clear-AES-128 (no ENCTDES), use CPACF only.
- For RSA keys (bit length 2048), use one of the following:
  - Crypto Express2-accelerator mode (CEX2A)
  - Crypto Express2-coprocessor mode (CEX2C)
  - PCIX Cryptographic Coprocessor (PCIXCC)
Software requirements
- The Encryption Facility for z/VSE requires z/VSE 4.1 with one or more individual PTFs. For details,
  refer to the z/VSE homepage after general availability.
- For public encryption, TCP/IP for VSE/ESA V1.5E, or higher, is required.
- For RSA keys (bit length 1024), TCP/IP for VSE/ESA V1.5E, or higher, is required.
- For RSA keys (bit length 2048), refer to the Hardware requirements section.
Software requirements for the Encryption Facility for z/OS® are described in the Encryption
Facility for z/OS documentation. For details, refer to Software Announcement 207-008, dated January 16, 2007.
Security, auditability, and control
The announced programs use the security and auditability features of the operating system software.
The customer is responsible for evaluation, selection, and implementation of security features,
administrative procedures, and appropriate controls in application systems and communication
facilities.
Order IBM Encryption Facility for z/VSE through the Internet
ShopzSeries provides an easy way to plan and order System z software upgrades. This now includes
VM and VSE. Using ShopzSeries, you can quickly generate orders for VM SDOs and VSE SIPOs.
Additionally, ShopzSeries will ensure your order is technically correct (that is, ensures any co-req
or pre-req or incompatibility conditions are resolved to ensure timely order placement and
processing). ShopzSeries is available in the United States and several countries in Europe. In
countries where ShopzSeries is not available yet, contact your IBM representative (or IBM Business
Partner) to handle your order via the traditional IBM ordering process. For more details and
availability, visit the ShopzSeries Web site at
Current licensees
This feature can be ordered as an MES for installed users of z/VSE Central Functions V8. The charge
type selected must be the same as the base program; for example, one-time charge, monthly license
charge, and graduated one-time charge.
New licensees
Orders for new licenses can be placed on November 27, 2007.
Registered customers can access IBMLink for ordering information and charges.
Shipment will not occur before the availability date. Orders entered after the planned availability
date will be assigned a schedule date for the week following order entry.
New users of IBM Encryption Facility for z/VSE should specify:
Type: 5609 Model: ZV4 (SIPO SPO)
Type: 5686 Model: CF8 (CF)
To order a basic license, or a DSLO or MOSP license for IBM Encryption Facility V1.1 for z/VSE,
specify the program number, the feature number 9001 for asset registration, and one of the following
graduated monthly license charge feature numbers as applicable and corresponding to the processor
group that contains the designated machine.
DSLO: Distributed System License Option
MOSP: S/390® Multiple Operating Systems PR/SM
Entitlement                                         License option/
identifier   Description                            Pricing metric
S014BJL      IBM Encryption Facility for z/VSE      Processor Based, Basic MLC, DSLO MLC,
                                                    MOSP Basic MLC, MOSP DSLO MLC
Workload license charge (WLC) basic license
Flat workload license charge features
Flat workload license charge
Basic license monthly license charge
Entitlement                                         License option/
identifier   Description                            Pricing metric
S014BJL      IBM Encryption Facility for z/VSE      Basic MLC, Flat WLC
Tiered workload license charge (TWLC)
To order TWLC software, specify the TWLC charge feature number from the table below.
Entitlement                                         License option/
identifier   Description                            Pricing metric
S014BJL      IBM Encryption Facility for z/VSE      Basic MLC, Tiered WLC
Growth opportunity license charge (GOLC):
To order a basic license, specify the program number and the correct level.
Specify the GOLC monthly license option.
Entitlement                                         License option/
identifier   Description                            Pricing metric
S014BJL      IBM Encryption Facility for z/VSE      Basic MLC, GOLC
System z entry license charge (zELC):
The program IBM Encryption Facility for z/VSE will operate on the following IBM servers only:
- IBM System z9 Enterprise Class
- IBM System z9 Business Class
- IBM eServer zSeries 990
- IBM eServer zSeries 890
Specify the zELC monthly license option.
Entitlement                                         License option/
identifier   Description                            Pricing metric
S014BJL      IBM Encryption Facility for z/VSE      Basic MLC, zELC
Single version charging:
To elect single version charging, the customer must notify and identify to IBM the prior
program and replacement program and the designated machine the programs are operating on.
Basic machine-readable material
IBM Encryption Facility for z/VSE order:
To order, select the feature number of the desired distribution medium. Basic machine-readable
material for the licensed program will be shipped on 3480, 3590, or 3592 tape cartridges, on CD-ROM,
or via Electronic Delivery.
Order feature numbers are:
Feature
number   Description
4400     3480 Tape Cartridge (compressed) U.S. English
4401     3590 Tape Cartridge U.S. English
4402     3592 Tape Cartridge U.S. English
4403     CD-ROM U.S. English

Feature
number   Description
4410     3480 Tape Cartridge (compressed) Japanese
4411     3590 Tape Cartridge Japanese
4412     3592 Tape Cartridge Japanese
4413     CD-ROM Japanese
IBM Encryption Facility for z/VSE

Program                                             Order feature
number     Description                              number
5686-CF8   IBM Encryption Facility for z/VSE        4400, 4401, 4402, 4403
Customization options:
Select the appropriate feature numbers to customize your order to specify the delivery options
desired. These features can be specified on the initial or MES orders.
Example:
If publications are not desired for the initial order, specify feature number 3470 to ship
media only. For future updates, specify feature number 3480 to ship media updates only. If, in the
future, publication updates are required, order an MES to remove feature number 3480; then, the
publications will ship with the next release of the program.
Initial Shipments
Feature Description
3444 Serial Number Only
(suppresses shipment of media and documentation)
3470 Ship Media Only
(suppresses initial shipment of documentation)
3471 Ship Documentation Only
(suppresses initial shipment of media)
7150 Electronic Delivery
7151 100% Electronic Delivery
Update Shipments
Feature Description
3480 Ship Media Updates Only
(suppresses update shipment of documentation)
3481 Ship Documentation Only
(suppresses update shipment of media)
3482 Suppress Updates
(suppresses update shipment of media and
documentation)
Expedite Shipments
Feature Description
3445 Local IBM Office Expedite
(for IBM use only)
3446 Customer Expedite Process Charge
Expedite shipments will be processed to receive 72-hour delivery from the time IBM Software Delivery
and Fulfillment (SDF) receives the order. SDF will then ship the order via overnight air
transportation.
Optional machine-readable material:
To order, select the feature number for the desired distribution medium.
With Encryption Facility for z/VSE, no optional machine-readable source material will be available.
DSLO license:
Ordering a DSLO feature will result in IBM maintaining a record of this customer location as a
DSLO user only. All material for the DSLO license will be provided through the basic license
location. If a user selects DSLO, no other feature numbers are valid for this order and no program
materials or updates will be shipped.
Midrange workload license charges (MWLC) for IBM z/VSE V4 ordering information:
Midrange workload license charges (MWLC) is a monthly license charge price metric on the IBM
System z9 Business Class (z9 BC) and the IBM System z9 Enterprise Class (z9 EC) servers that applies
to z/VSE V4 and 12 key VSE middleware programs such as CICS® TS for VSE, DB2® Server for VSE,
and ACF/VTAM® for VSE. MWLC is available on z9 BC and z9 EC servers with z/VSE V4.
Midrange workload license charge

Entitlement                                         License option/
identifier   Description                            Pricing metric
S014BJL      IBM Encryption Facility for z/VSE      MLC, MWLC
Extended license charge (ELC) basic license
To order a basic license, specify the appropriate program and feature number, if required, for asset
registration. Specify the applicable Extended License Charge feature(s). Also, specify the feature
number of the desired distribution medium.
Processors with assigned capacity above 80 MSUs will now have VM and VSE software prices based on
the CPU service unit capacity of the processor. The ELC price structure will have a Base Charge for
80 MSU capacity and an incremental Per MSU charge for all additional MSUs above the 80 MSU base.
Specify the applicable ELC license option.
Entitlement                                         License option/
identifier   Description                            Pricing metric
S014BJL      IBM Encryption Facility for z/VSE      ELC Including 80 MSU,
                                                    Basic Per User Base
                                                    ELC Above 80 MSU,
                                                    Per Usage Additional Quantity
                                                    ELC Above 80 MSU,
                                                    Per Block of 50 MSU Additional Quantity
Terms and conditions
Licensing:
The following apply to products ordered with Extended License Charges (ELC):
- Z125-6018 ICA Attachment for Extended License Charges, which should be signed by the customer
- Z125-6019 ICA Exhibit for Extended License Charges
Subsequent updates (technical newsletters or revisions between releases) to the publications shipped
with the product will be distributed to the user of record for as long as a license for this
software remains in effect. A separate publication order or subscription is not needed.
IBM Operational Support Services SupportLine:
Yes
For all local charges, contact your IBM representative.
To order, contact the Americas Call Centers, your local IBM representative, or your IBM Business
Partner.
To identify your local IBM representative or IBM Business Partner, call 800-IBM-4YOU (426-4968).
Phone: 800-IBM-CALL (426-2255)
Fax: 800-2IBM-FAX (242-6329)
Internet: callserv@ca.ibm.com
Mail: IBM Teleweb Customer Support
ibm.com Sales Execution Center, Americas North
3500 Steeles Ave. East, Tower 3/4
Markham, Ontario
Canada
L3R 2Z1
Reference: LE001
The Americas Call Centers, our national direct marketing organization, can add your name to the
mailing list for catalogs of IBM products.
Note:
Shipments will begin after the planned availability date.
Trademarks
- System z9, VSE/ESA, System z, IBMLink, and PR/SM are trademarks of International Business Machines
  Corporation in the United States or other countries or both.
- z/VSE, eServer, zSeries, z/OS, S/390, CICS, DB2, and ACF/VTAM are registered trademarks of
  International Business Machines Corporation in the United States or other countries or both.
- Other company, product, and service names may be trademarks or service marks of others.