IBM Encryption Facility for z/VSE, V1.1.0 helps secure data
IBM United States Software Announcement 207-229
October 9, 2007
At a glance
IBM Encryption Facility for z/VSE can help you:
- Secure business and customer data
- Address regulatory requirements
- Protect data from loss and inadvertent or deliberate compromise
- Enable sharing of sensitive information across platforms with partners, vendors, and customers
- Enable decrypting and encrypting of data to be exchanged between z/VSE and non-z/VSE platforms
For ordering, contact:
Your IBM representative, an IBM Business Partner, or IBM Americas Call Centers at
Businesses today are focused on the importance of securing customer and business data from loss and inadvertent or deliberate compromise. In addition, increasing regulatory requirements are driving the need for data security. The IBM Encryption Facility for z/VSE® applies the powerful encryption capabilities of the IBM mainframe to allow you to encrypt sensitive information to be exchanged with your partners, suppliers, and customers.
The Encryption Facility for z/VSE Version 1 Release 1 feature is designed to be compatible with the Encryption Facility System z format provided as part of the Encryption Services feature in Encryption Facility for z/OS® V1.1 and V1.2 (5655-P97). It allows you to exchange an encrypted file between your internal mainframe data centers, or exchange an encrypted file with your external business partners and vendors who have installed any of the following: Encryption Facility for z/VSE feature, Encryption Facility for z/OS Encryption Services feature (using System z format), or the no-charge Encryption Facility for z/OS Client Web download (either Java-based client or Decryption Client for z/OS). The Encryption Facility for z/VSE V1.1 is packaged as an optional, priced feature of VSE Central Functions V8.1 (5686-CF8).
Planned availability date
November 30, 2007
The need for creating secure copies of business data is a critical security concern. Encrypting data that can be recovered at any time offers a high degree of privacy protection from unwanted access. Encryption Facility (EF) for z/VSE may help provide this protection by offering encryption of data for exchange between different systems and platforms and for archiving and backup purposes.
Encryption Facility for z/VSE is a priced optional feature. Support includes, but is not limited to:
- Password-based encryption of session keys
- Data encryption with a randomly generated symmetric session key using AES-128 or Triple-DES algorithms
- Asymmetric encryption of randomly generated symmetric keys using the RSA algorithm with key lengths of 512-bit and 1024-bit (requires TCP/IP for VSE/ESA V1.5E)
- Asymmetric encryption of randomly generated symmetric keys using the RSA algorithm with key length of 2048-bit (requires TCP/IP for VSE/ESA V1.5E and a Crypto Express2, PCIXCC, or higher, crypto feature)
- Encryption of single SAM files, VSAM files, or VSE Library members
- Encryption of virtual or real tapes
- Support of hardware-accelerated compression before encryption
- Encryption of complete backups made with any backup tool either from IBM or vendors
- Output of encrypted data on disk, virtual tape, or real tape
The CP Assist for Cryptographic Function (CPACF), available on IBM eServer® z890 and z990 and IBM System z9 EC and z9 BC servers, is required. In addition, the Encryption Facility for z/VSE exploits IBM System z hardware technology, including hardware-assisted compression and Crypto Express2.
The Encryption Facility for z/VSE is designed to be compatible with the Encryption Facility System z format provided as part of the Encryption Services feature in Encryption Facility for z/OS V1.1 and V1.2 (5655-P97). This support allows you to exchange an encrypted file created by Encryption Facility for z/VSE or z/OS between your internal data centers in conjunction with your external business partners and vendors who have installed any of the following: Encryption Facility for z/VSE feature, Encryption Facility for z/OS Encryption Services feature (using System z format), or the no-charge Encryption Facility for z/OS Client Web download (either Java-based Client or Decryption Client for z/OS). The Encryption Facility for z/VSE is not designed to support the data format of the Encryption Facility for z/OS DFSMSdss Encryption feature or the OpenPGP format of the Encryption Facility for z/OS Encryption Services feature.
Customers can use the Encryption Facility for z/OS Client, which runs on non-VSE platforms, to decrypt data that has been encrypted with Encryption Facility for z/VSE. The Encryption Facility for z/OS Client is not part of the Encryption Facility for z/VSE package.
The Encryption Facility for z/OS Client is a no-cost, separately licensed program (which is offered as is, with no warranty) and is designed to enable the exchange of encrypted data between z/OS systems that have the Encryption Facility installed and systems running on z/OS and other platforms that need the supported functions. The Encryption Facility for z/OS Client consists of the following:
- Java-based Client. The Java-based Client can be used on z/OS and any platform that supports Java. The Java-based Client supports both the decryption of data that was created on a z/OS or z/VSE system using the Encryption Facility System z format, and the encryption of data to be sent to a z/OS or z/VSE system, where the file will be decrypted using the Encryption Facility System z format. Note that Java is not available on z/VSE platforms.
- Decryption Client for z/OS. The Decryption Client for z/OS is supported on z/OS systems only. The Decryption Client for z/OS supports decryption of data that was created on a z/OS or z/VSE system using the Encryption Facility System z format.
You can download the Encryption Facility for z/OS Client from
For a detailed description of the Encryption Facility for z/OS, refer to Software Announcement 207-008, dated January 16, 2007.
Note: The terms and conditions for the no-charge Encryption Facility for z/OS Client only allow the use of the Encryption Facility for z/OS Client for decrypting information or data that was encrypted by IBM's Encryption Facility for z/OS or IBM's Encryption Facility for z/VSE, or for encrypting information or data to be decrypted by IBM's Encryption Facility for z/OS or IBM's Encryption Facility for z/VSE.
The following table shows possible choices:
Rows: encrypt data using System z format with. Columns: decrypt data using System z format with.

| Encrypt with \ Decrypt with | Encryption Services feature of EF for z/OS | EF for z/VSE | Decryption Client for z/OS | Java-based Client |
|---|---|---|---|---|
| Encryption Services feature of EF for z/OS | x | x | x | x |
| EF for z/VSE | x | x | x | x |
| Java-based Client | x | x | - | - |

x = Permitted
- = Not permitted per Terms and Conditions
Helping to protect data (such as private personal information) from loss and inadvertent or deliberate compromise is a critical concern for businesses. To help address this issue, IBM Encryption Facility for z/VSE extends the scope of IBM's mainframe encryption capabilities to support the exchange of encrypted files with business partners.
The Encryption Facility for z/VSE complements the tape encryption solution provided by IBM's System Storage TS1120 tape drives. The TS1120 tape drive, with encryption enabled, is designed to provide a data protection solution that has the ability to off-load the encryption processing from the server to the tape drive. It is designed to provide a cost-effective encryption solution for the large volumes of data involved in data archive and backup activities.
While the Encryption Facility for z/VSE can be used to encrypt tapes intended for data archive, the TS1120 is the preferred solution for uses such as archive, backup, or internal exchange. The Encryption Facility for z/VSE provides a highly flexible solution for exchanging encrypted tapes with your business partners that do not have an encrypting TS1120 drive.
Hardware and software support services
SmoothStart and Installation Services:
IBM SmoothStart and Installation Services are not provided.
Refer to Software Announcement 207-003, dated January 9, 2007, IBM z/VSE V4.
Business Partner information
If you are a Direct Reseller - System Reseller acquiring products from IBM, you may link directly to Business Partner information for this announcement. A PartnerWorld ID and password are required (use IBM ID).
Specified operating environment
The Encryption Facility for z/VSE® will operate on the following IBM servers:
- IBM System z9 Enterprise Class
- IBM System z9 Business Class
- IBM eServer® zSeries® 990
- IBM eServer zSeries 890
The cryptographic options for Encryption Facility for z/VSE have the following requirements:
- For the PASSWORD option, use CPACF only.
- For the Clear-TDES and Clear-AES-128 (no ENCTDES), use CPACF only.
- For RSA keys (bit length 2048), use one of the following:
  - Crypto Express2-accelerator mode (CEX2A)
  - Crypto Express2-coprocessor mode (CEX2C)
  - PCIX Cryptographic Coprocessor (PCIXCC)
- The Encryption Facility for z/VSE requires z/VSE 4.1 with one or more individual PTFs. For details, refer to the z/VSE homepage after general availability
- For public encryption, TCP/IP for VSE/ESA V1.5E, or higher, is required.
- For RSA keys (bit length 1024) TCP/IP for VSE/ESA V1.5E, or higher, is required.
- For RSA keys (bit length 2048) refer to the Hardware requirements section.
Software requirements for the Encryption Facility for z/OS® are described in the Encryption Facility for z/OS documentation. For details, refer to Software Announcement 207-008, dated January 16, 2007.
Security, auditability, and control
The announced programs use the security and auditability features of the operating system software.
The customer is responsible for evaluation, selection, and implementation of security features, administrative procedures, and appropriate controls in application systems and communication
Order IBM Encryption Facility for z/VSE through the Internet
ShopzSeries provides an easy way to plan and order System z software upgrades. This now includes VM and VSE. Using ShopzSeries, you can quickly generate orders for VM SDOs and VSE SIPOs. Additionally, ShopzSeries will ensure your order is technically correct (that is, ensures any co-req or pre-req or incompatibility conditions are resolved to ensure timely order placement and processing). ShopzSeries is available in the United States and several countries in Europe. In countries where ShopzSeries is not available yet, contact your IBM representative (or IBM Business Partner) to handle your order via the traditional IBM ordering process. For more details and availability, visit the ShopzSeries Web site at
This feature can be ordered as an MES for installed users of z/VSE Central Functions V8. The charge type selected must be the same as the base program; for example, one-time charge, monthly license charge, and graduated one-time charge.
Orders for new licenses can be placed on November 27, 2007.
Registered customers can access IBMLink for ordering information and charges.
Shipment will not occur before the availability date. Orders entered after the planned availability date will be assigned a schedule date for the week following order entry.
New users of IBM Encryption Facility for z/VSE should specify:
- Type: 5609 Model: ZV4 (SIPO SPO)
- Type: 5686 Model: CF8 (CF)
To order a basic license, or a DSLO or MOSP license for IBM Encryption Facility V1.1 for z/VSE, specify the program number, the feature number 9001 for asset registration, and one of the following graduated monthly license charge feature numbers as applicable and corresponding to the processor group that contains the designated machine.
DSLO: Distributed System License Option
MOSP: S/390® Multiple Operating Systems PR/SM
| Entitlement identifier | Description | License option/Pricing metric |
|---|---|---|
| S014BJL | IBM Encryption Facility for z/VSE | Processor Based, Basic MLC, DSLO MLC, MOSP Basic MLC, MOSP DSLO MLC |
Workload license charge (WLC) basic license
Flat workload license charge features
Flat workload license charge

Basic license monthly license charge

| Entitlement identifier | Description | License option/Pricing metric |
|---|---|---|
| S014BJL | IBM Encryption Facility for z/VSE | Basic MLC, Flat WLC |
Tiered workload license charge (TWLC)
To order TWLC software, specify the TWLC charge feature number from the table below.
| Entitlement identifier | Description | License option/Pricing metric |
|---|---|---|
| S014BJL | IBM Encryption Facility for z/VSE | Basic MLC, Tiered WLC |
Growth opportunity license charge (GOLC): To order a basic license, specify the program number and the correct level.
Specify the GOLC monthly license option.
| Entitlement identifier | Description | License option/Pricing metric |
|---|---|---|
| S014BJL | IBM Encryption Facility for z/VSE | Basic MLC, GOLC |
System z entry license charge (zELC): The program IBM Encryption Facility for z/VSE will operate on the following IBM servers only:
- IBM System z9 Enterprise Class
- IBM System z9 Business Class
- IBM eServer zSeries 990
- IBM eServer zSeries 890
Specify the zELC monthly license option.
| Entitlement identifier | Description | License option/Pricing metric |
|---|---|---|
| S014BJL | IBM Encryption Facility for z/VSE | Basic MLC, zELC |
Single version charging: To elect single version charging, the customer must notify and identify to IBM the prior program and replacement program and the designated machine the programs are operating on.
Basic machine-readable material
IBM Encryption Facility for z/VSE order: To order, select the feature number of the desired distribution medium. Basic machine-readable material for the licensed program will be shipped on 3480, 3590, or 3592 tape cartridges, on CD-ROM, or via Electronic Delivery.
Order feature numbers are:
| Feature number | Description |
|---|---|
| 4400 | 3480 Tape Cartridge (compressed) U.S. English |
| 4401 | 3590 Tape Cartridge U.S. English |
| 4402 | 3592 Tape Cartridge U.S. English |
| 4403 | CD-ROM U.S. English |

| Feature number | Description |
|---|---|
| 4410 | 3480 Tape Cartridge (compressed) Japanese |
| 4411 | 3590 Tape Cartridge Japanese |
| 4412 | 3592 Tape Cartridge Japanese |
| 4413 | CD-ROM Japanese |
IBM Encryption Facility for z/VSE
| Program number | Description | Order feature number |
|---|---|---|
| 5686-CF8 | IBM Encryption Facility for z/VSE | 4400, 4401, 4402, 4403 |
Customization options: Select the appropriate feature numbers to customize your order to specify the delivery options desired. These features can be specified on the initial or MES orders.
Example: If publications are not desired for the initial order, specify feature number 3470 to ship media only. For future updates, specify feature number 3480 to ship media updates only. If, in the future, publication updates are required, order an MES to remove feature number 3480; then, the publications will ship with the next release of the program.
| Feature | Description |
|---|---|
| 3444 | Serial Number Only (suppresses shipment of media and documentation) |
| 3470 | Ship Media Only (suppresses initial shipment of documentation) |
| 3471 | Ship Documentation Only (suppresses initial shipment of media) |
| 7150 | Electronic Delivery |
| 7151 | 100% Electronic Delivery |

Update Shipments

| Feature | Description |
|---|---|
| 3480 | Ship Media Updates Only (suppresses update shipment of documentation) |
| 3481 | Ship Documentation Only (suppresses update shipment of media) |
| 3482 | Suppress Updates (suppresses update shipment of media and documentation) |

Expedite Shipments

| Feature | Description |
|---|---|
| 3445 | Local IBM Office Expedite (for IBM use only) |
| 3446 | Customer Expedite Process Charge |
Expedite shipments will be processed to receive 72-hour delivery from the time IBM Software Delivery and Fulfillment (SDF) receives the order. SDF will then ship the order via overnight air transportation.
Optional machine-readable material: To order, select the feature number for the desired distribution medium.
With Encryption Facility for z/VSE, no optional machine-readable source material will be available.
DSLO license: Ordering a DSLO feature will result in IBM maintaining a record of this customer location as a DSLO user only. All material for the DSLO license will be provided through the basic license location. If a user selects DSLO, no other feature numbers are valid for this order and no program materials or updates will be shipped.
Midrange workload license charges (MWLC) for IBM z/VSE V4 ordering information: Midrange workload license charges (MWLC) is a monthly license charge price metric on the IBM System z9 Business Class (z9 BC) and the IBM System z9 Enterprise Class (z9 EC) servers that applies to z/VSE V4 and 12 key VSE middleware programs such as CICS® TS for VSE, DB2® Server for VSE, and ACF/VTAM® for VSE. MWLC is available on z9 BC and z9 EC servers with z/VSE V4.
Midrange workload license charge
| Entitlement identifier | Description | License option/Pricing metric |
|---|---|---|
| S014BJL | IBM Encryption Facility for z/VSE | MLC, MWLC |
Extended license charge (ELC) basic license
To order a basic license, specify the appropriate program and feature number, if required, for asset registration. Specify the applicable Extended License Charge feature(s). Also, specify the feature number of the desired distribution medium.
Processors with assigned capacity above 80 MSUs will now have VM and VSE software prices based on the CPU service unit capacity of the processor. The ELC price structure will have a Base Charge for 80 MSU capacity and an incremental Per MSU charge for all additional MSUs above the 80 MSU base.
Specify the applicable ELC license option.
| Entitlement identifier | Description | License option/Pricing metric |
|---|---|---|
| S014BJL | IBM Encryption Facility for z/VSE | ELC Including 80 MSU, Basic Per User Base |
| | | ELC Above 80 MSU, Per Usage Additional Quantity |
| | | ELC Above 80 MSU, Per Block of 50 MSU Additional Quantity |
Terms and conditions
Licensing: The following apply to products ordered with Extended License Charges (ELC):
- Z125-6018 ICA Attachment for Extended License Charges, which should be signed by the customer
- Z125-6019 ICA Exhibit for Extended License Charges
Subsequent updates (technical newsletters or revisions between releases) to the publications shipped with the product will be distributed to the user of record for as long as a license for this software remains in effect. A separate publication order or subscription is not needed.
IBM Operational Support Services SupportLine:
For all local charges, contact your IBM representative.
To order, contact the Americas Call Centers, your local IBM representative, or your IBM Business Partner.
To identify your local IBM representative or IBM Business Partner, call 800-IBM-4YOU (426-4968).
- Phone: 800-IBM-CALL (426-2255)
- Fax: 800-2IBM-FAX (242-6329)
- Internet: firstname.lastname@example.org
- Mail: IBM Teleweb Customer Support, ibm.com Sales Execution Center, Americas North, 3500 Steeles Ave. East, Tower 3/4, Markham, Ontario, Canada L3R 2Z1
- Reference: LE001
The Americas Call Centers, our national direct marketing organization, can add your name to the mailing list for catalogs of IBM products.
Note: Shipments will begin after the planned availability date.