IBM Encryption Facility for z/VSE, V1.1.0 helps secure data

IBM United States Software Announcement 207-229
October 9, 2007

 

At a glance

IBM Encryption Facility for z/VSE can help you:

  • Secure business and customer data
  • Address regulatory requirements
  • Protect data from loss and inadvertent or deliberate compromise
  • Enable sharing of sensitive information across platforms with partners, vendors, and customers
  • Enable decrypting and encrypting of data to be exchanged between z/VSE and non-z/VSE platforms

For ordering, contact:

Your IBM representative, an IBM Business Partner, or IBM Americas Call Centers at 800-IBM-CALL (Reference: LE001).
 
Overview

Businesses today are focused on the importance of securing customer and business data from loss and inadvertent or deliberate compromise. In addition, increasing regulatory requirements are driving the need for data security. The IBM Encryption Facility for z/VSE® applies the powerful encryption capabilities of the IBM mainframe to allow you to encrypt sensitive information to be exchanged with your partners, suppliers, and customers.

The Encryption Facility for z/VSE Version 1 Release 1 feature is designed to be compatible with the Encryption Facility System z™ format provided as part of the Encryption Services feature in Encryption Facility for z/OS® V1.1 and V1.2 (5655-P97). It allows you to exchange an encrypted file between your internal mainframe data centers, or exchange an encrypted file with your external business partners and vendors who have installed any of the following: Encryption Facility for z/VSE feature, Encryption Facility for z/OS Encryption Services feature (using System z format), or the no-charge Encryption Facility for z/OS Client Web download (either Java™-based client or Decryption Client for z/OS). The Encryption Facility for z/VSE V1.1 is packaged as an optional, priced feature of VSE Central Functions V8.1 (5686-CF8).

Reference: Software Announcement 207-003, dated January 9, 2007.
 
Key prerequisites

Refer to the Hardware requirements and Software requirements sections for details.
 
Planned availability date

November 30, 2007
 
Description

The need for creating secure copies of business data is a critical security concern. Encrypting data that can be recovered at any time offers a high degree of privacy protection from unwanted access. Encryption Facility (EF) for z/VSE may help provide this protection by offering encryption of data for exchange between different systems and platforms and for archiving and backup purposes.

Encryption Facility for z/VSE is a priced optional feature. Support includes, but is not limited to:

  • Password-based encryption of session keys
  • Data encryption with a randomly generated symmetric session key using AES-128 or Triple-DES algorithms
  • Asymmetric encryption of randomly generated symmetric keys using the RSA algorithm with key lengths of 512-bit and 1024-bit (requires TCP/IP for VSE/ESA™ V1.5E)
  • Asymmetric encryption of randomly generated symmetric keys using the RSA algorithm with key length of 2048-bit (requires TCP/IP for VSE/ESA V1.5E and a Crypto Express2, PCIXCC, or higher, crypto feature)
  • Encryption of single SAM files, VSAM files, or VSE Library members
  • Encryption of virtual or real tapes
  • Support of hardware-accelerated compression before encryption
  • Encryption of complete backups made with any backup tool either from IBM or vendors
  • Output of encrypted data on disk, virtual tape, or real tape

The CP Assist for Cryptographic Function (CPACF), available on IBM eServer® z890 and z990 and IBM System z9™ EC and z9 BC servers, is required. In addition, the Encryption Facility for z/VSE exploits IBM System z hardware technology, including hardware-assisted compression and Crypto Express2.

The Encryption Facility for z/VSE is designed to be compatible with the Encryption Facility System z format provided as part of the Encryption Services feature in Encryption Facility for z/OS V1.1 and V1.2 (5655-P97). This support allows you to exchange an encrypted file created by Encryption Facility for z/VSE or z/OS between your internal data centers in conjunction with your external business partners and vendors who have installed any of the following: Encryption Facility for z/VSE feature, Encryption Facility for z/OS Encryption Services feature (using System z format), or the no-charge Encryption Facility for z/OS Client Web download (either Java-based Client or Decryption Client for z/OS). The Encryption Facility for z/VSE is not designed to support the data format of the Encryption Facility for z/OS DFSMSdss™ Encryption feature or the OpenPGP format of the Encryption Facility for z/OS Encryption Services feature.

Customers can use the Encryption Facility for z/OS Client, which runs on non-VSE platforms, to decrypt data that has been encrypted with Encryption Facility for z/VSE. The Encryption Facility for z/OS Client is not part of the Encryption Facility for z/VSE package.

The Encryption Facility for z/OS Client is a no-cost, separately licensed program (which is offered as is, with no warranty) and is designed to enable the exchange of encrypted data between z/OS systems that have the Encryption Facility installed and systems running on z/OS and other platforms that need the supported functions. The Encryption Facility for z/OS Client consists of the following:

  • Java-based Client. The Java-based Client can be used on z/OS and any platform that supports Java. The Java-based Client supports both the decryption of data that was created on a z/OS or z/VSE system using the Encryption Facility System z format, and the encryption of data to be sent to a z/OS or z/VSE system, where the file will be decrypted using the Encryption Facility System z format. Note that Java is not available on z/VSE platforms.
  • Decryption Client for z/OS. The Decryption Client for z/OS is supported on z/OS systems only. The Decryption Client for z/OS supports decryption of data that was created on a z/OS or z/VSE system using the Encryption Facility System z format.

You can download the Encryption Facility for z/OS Client from

For a detailed description of the Encryption Facility for z/OS, refer to Software Announcement 207-008, dated January 16, 2007.

Note: The terms and conditions for the no-charge Encryption Facility for z/OS Client only allow the use of the Encryption Facility for z/OS Client for decrypting information or data that was encrypted by IBM's Encryption Facility for z/OS or IBM's Encryption Facility for z/VSE, or for encrypting information or data to be decrypted by IBM's Encryption Facility for z/OS or IBM's Encryption Facility for z/VSE.

The following table shows possible choices:

                        Decrypt data using System z format with:
 
                        Encryption
Encrypt data using      Services     EF for    Decryption    Java-based
System z format         feature of   z/VSE     Client for    Client
with:                   EF for z/OS            z/OS
 
Encryption Services
feature of EF for z/OS      x           x           x           x
EF for z/VSE                x           x           x           x
Java-based Client           x           x           -           -
 
x  Permitted
-  Not permitted per Terms and Conditions

 
Product positioning

Helping to protect data (such as private personal information) from loss and inadvertent or deliberate compromise is a critical concern for businesses. To help address this issue, IBM Encryption Facility for z/VSE extends the scope of IBM's mainframe encryption capabilities to support the exchange of encrypted files with business partners.

The Encryption Facility for z/VSE complements the tape encryption solution provided by IBM's System Storage™ TS1120 tape drives. The TS1120 tape drive, with encryption enabled, is designed to provide a data protection solution that has the ability to off-load the encryption processing from the server to the tape drive. It is designed to provide a cost-effective encryption solution for the large volumes of data involved in data archive and backup activities.

While the Encryption Facility for z/VSE can be used to encrypt tapes intended for data archive, the TS1120 is the preferred solution for uses such as archive, backup, or internal exchange. The Encryption Facility for z/VSE provides a highly flexible solution for exchanging encrypted tapes with your business partners that do not have an encrypting TS1120 drive.

Hardware and software support services

SmoothStart™ and Installation Services: IBM SmoothStart and Installation Services are not provided.
 
Reference information

Refer to Software Announcement 207-003, dated January 9, 2007, IBM z/VSE V4.

Business Partner information

If you are a Direct Reseller - System Reseller acquiring products from IBM, you may link directly to Business Partner information for this announcement. A PartnerWorld ID and password are required (use IBM ID).

BP Attachment for Announcement Letter 207-229

Trademarks

 
System z, VSE/ESA, System z9, DFSMSdss, System Storage, and SmoothStart are trademarks of International Business Machines Corporation in the United States or other countries or both.
 
z/VSE, z/OS, and eServer are registered trademarks of International Business Machines Corporation in the United States or other countries or both.
 
Java is a trademark of Sun Microsystems, Inc.
 
Other company, product, and service names may be trademarks or service marks of others.

 
Technical information

Specified operating environment

Hardware requirements

The Encryption Facility for z/VSE® will operate on the following IBM servers:

  • IBM System z9™ Enterprise Class
  • IBM System z9 Business Class
  • IBM eServer® zSeries® 990
  • IBM eServer zSeries 890

The cryptographic options for Encryption Facility for z/VSE have the following requirements:

  • For the PASSWORD option, use CPACF only.
  • For the Clear-TDES and Clear-AES-128 options (no ENCTDES), use CPACF only.
  • For RSA keys (bit length 2048), use one of the following:
    • Crypto Express2-accelerator mode (CEX2A)
    • Crypto Express2-coprocessor mode (CEX2C)
    • PCIX Cryptographic Coprocessor (PCIXCC)

Software requirements

  • The Encryption Facility for z/VSE requires z/VSE 4.1 with one or more individual PTFs. For details, refer to the z/VSE homepage after general availability.
  • For public encryption, TCP/IP for VSE/ESA™ V1.5E, or higher, is required.
  • For RSA keys (bit length 1024) TCP/IP for VSE/ESA V1.5E, or higher, is required.
  • For RSA keys (bit length 2048) refer to the Hardware requirements section.

Software requirements for the Encryption Facility for z/OS® are described in the Encryption Facility for z/OS documentation. For details, refer to Software Announcement 207-008, dated January 16, 2007.

Security, auditability, and control

The announced programs use the security and auditability features of the operating system software. The customer is responsible for evaluation, selection, and implementation of security features, administrative procedures, and appropriate controls in application systems and communication facilities.
 
Ordering information

Order IBM Encryption Facility for z/VSE through the Internet

ShopzSeries provides an easy way to plan and order System z™ software upgrades. This now includes VM and VSE. Using ShopzSeries, you can quickly generate orders for VM SDOs and VSE SIPOs. Additionally, ShopzSeries will ensure your order is technically correct (that is, ensures any co-req or pre-req or incompatibility conditions are resolved to ensure timely order placement and processing). ShopzSeries is available in the United States and several countries in Europe. In countries where ShopzSeries is not available yet, contact your IBM representative (or IBM Business Partner) to handle your order via the traditional IBM ordering process. For more details and availability, visit the ShopzSeries Web site at

Current licensees

This feature can be ordered as an MES for installed users of z/VSE Central Functions V8. The charge type selected must be the same as the base program; for example, one-time charge, monthly license charge, and graduated one-time charge.

New licensees

Orders for new licenses can be placed on November 27, 2007.

Registered customers can access IBMLink™ for ordering information and charges.

Shipment will not occur before the availability date. Orders entered after the planned availability date will be assigned a schedule date for the week following order entry.

New users of IBM Encryption Facility for z/VSE should specify:

        Type: 5609       Model: ZV4 (SIPO SPO)
        Type: 5686       Model: CF8 (CF)

To order a basic license, or a DSLO or MOSP license for IBM Encryption Facility V1.1 for z/VSE, specify the program number, the feature number 9001 for asset registration, and one of the following graduated monthly license charge feature numbers as applicable and corresponding to the processor group that contains the designated machine.

DSLO: Distributed System License Option

MOSP: S/390® Multiple Operating Systems — PR/SM™

Entitlement                            License option/
identifier   Description               Pricing metric
 
S014BJL      IBM Encryption Facility   Processor Based,
              for z/VSE                Basic MLC,  DSLO MLC,
                                       MOSP Basic MLC, MOSP DSLO MLC

Workload license charge (WLC) basic license

Flat workload license charge features

Flat workload license charge
Basic license monthly license charge
 
Entitlement                            License option/
identifier   Description               Pricing metric
 
S014BJL      IBM Encryption Facility   Basic MLC, Flat WLC
              for z/VSE

Tiered workload license charge (TWLC)

To order TWLC software, specify the TWLC charge feature number from the table below.

Entitlement                            License option/
identifier   Description               pricing metric
 
S014BJL      IBM Encryption Facility   Basic MLC, Tiered WLC
              for z/VSE

Growth opportunity license charge (GOLC): To order a basic license, specify the program number and the correct level.

Specify the GOLC monthly license option.

Entitlement                            License option/
identifier   Description               Pricing metric
 
S014BJL      IBM Encryption Facility   Basic MLC, GOLC
              for z/VSE

System z entry license charge (zELC): The program IBM Encryption Facility for z/VSE will operate on the following IBM servers only:

  • IBM System z9 Enterprise Class
  • IBM System z9 Business Class
  • IBM eServer zSeries 990
  • IBM eServer zSeries 890

Specify the zELC monthly license option.

Entitlement                            License option/
identifier   Description               pricing metric
 
S014BJL      IBM Encryption Facility   Basic MLC, zELC
              for z/VSE

Single version charging: To elect single version charging, the customer must notify and identify to IBM the prior program and replacement program and the designated machine the programs are operating on.

Basic machine-readable material

IBM Encryption Facility for z/VSE order: To order, select the feature number of the desired distribution medium. Basic machine-readable material for the licensed program will be shipped on 3480, 3590, or 3592 tape cartridges, on CD-ROM, or via Electronic Delivery.

Order feature numbers are:

Feature
number   Description
 
 
4400     3480 Tape Cartridge (compressed) U.S. English
4401     3590 Tape Cartridge U.S. English
4402     3592 Tape Cartridge U.S. English
4403     CD-ROM U.S. English

Feature
number   Description
 
4410     3480 Tape Cartridge (compressed) Japanese
4411     3590 Tape Cartridge Japanese
4412     3592 Tape Cartridge Japanese
4413     CD-ROM Japanese

IBM Encryption Facility for z/VSE

                                              Order
Program                                       feature
number    Description                         number
 
5686-CF8  IBM Encryption Facility for z/VSE   4400, 4401
                                              4402, 4403

Customization options: Select the appropriate feature numbers to customize your order to specify the delivery options desired. These features can be specified on the initial or MES orders.

Example: If publications are not desired for the initial order, specify feature number 3470 to ship media only. For future updates, specify feature number 3480 to ship media updates only. If, in the future, publication updates are required, order an MES to remove feature number 3480; then, the publications will ship with the next release of the program.

Initial Shipments

 Feature             Description
 
 
 3444                Serial Number Only
                     (suppresses shipment of media and documentation)
 
 3470                Ship Media Only
                     (suppresses initial shipment of documentation)
 
 3471                Ship Documentation Only
                     (suppresses initial shipment of media)
 
 7150                Electronic Delivery
 
 7151                100% Electronic Delivery
 

Update Shipments

 
 Feature             Description
 
 
 3480                Ship Media Updates Only
                     (suppresses update shipment of documentation)
 
 3481                Ship Documentation Only
                     (suppresses update shipment of media)
 
 3482                Suppress Updates
                     (suppresses update shipment of media and
                     documentation)
 

Expedite Shipments

 
 Feature             Description
 
 
 3445                Local IBM Office Expedite
                     (for IBM use only)
 
 3446                Customer Expedite Process Charge
 

Expedite shipments will be processed to receive 72-hour delivery from the time IBM Software Delivery and Fulfillment (SDF) receives the order. SDF will then ship the order via overnight air transportation.

Optional machine-readable material: To order, select the feature number for the desired distribution medium.

With Encryption Facility for z/VSE, no optional machine-readable source material will be available.

DSLO license: Ordering a DSLO feature will result in IBM maintaining a record of this customer location as a DSLO user only. All material for the DSLO license will be provided through the basic license location. If a user selects DSLO, no other feature numbers are valid for this order and no program materials or updates will be shipped.

Midrange workload license charges (MWLC) for IBM z/VSE V4 ordering information: Midrange workload license charges (MWLC) is a monthly license charge price metric on the IBM System z9 Business Class (z9 BC) and the IBM System z9 Enterprise Class (z9 EC) servers that applies to z/VSE V4 and 12 key VSE middleware programs such as CICS® TS for VSE, DB2® Server for VSE, and ACF/VTAM® for VSE. MWLC is available on z9 BC and z9 EC servers with z/VSE V4.

Midrange workload license charge

 
Entitlement                            License option/
identifier   Description               Pricing metric
 
S014BJL      IBM Encryption Facility   MLC, MWLC
              for z/VSE

Extended license charge (ELC) basic license

To order a basic license, specify the appropriate program and feature number, if required, for asset registration. Specify the applicable Extended License Charge feature(s). Also, specify the feature number of the desired distribution medium.

Processors with assigned capacity above 80 MSUs will now have VM and VSE software prices based on the CPU service unit capacity of the processor. The ELC price structure will have a Base Charge for 80 MSU capacity and an incremental Per MSU charge for all additional MSUs above the 80 MSU base.

Specify the applicable ELC license option.

Entitlement                        License option/
identifier   Description           Pricing metric
 
S014BJL      IBM Encryption
              Facility for z/VSE   ELC Including 80 MSU,
                                    Basic Per User Base
                                   ELC Above 80 MSU,
                                    Per Usage Additional
                                    Quantity
                                   ELC Above 80 MSU,
                                    Per Block of 50 MSU
                                    Additional Quantity

Terms and conditions

Licensing: The following apply to products ordered with Extended License Charges (ELC):

  1. Z125-6018 ICA Attachment for Extended License Charges, which should be signed by the customer
  2. Z125-6019 ICA Exhibit for Extended License Charges

Subsequent updates (technical newsletters or revisions between releases) to the publications shipped with the product will be distributed to the user of record for as long as a license for this software remains in effect. A separate publication order or subscription is not needed.

IBM Operational Support Services — SupportLine: Yes
 
Prices

For all local charges, contact your IBM representative.
 
Order now

To order, contact the Americas Call Centers, your local IBM representative, or your IBM Business Partner.

To identify your local IBM representative or IBM Business Partner, call 800-IBM-4YOU (426-4968).

 Phone:      800-IBM-CALL (426-2255)
 Fax:        800-2IBM-FAX (242-6329)
 Internet:   callserv@ca.ibm.com
 Mail:       IBM Teleweb Customer Support
             ibm.com Sales Execution Center, Americas North
             3500 Steeles Ave. East, Tower 3/4
             Markham, Ontario
             Canada
             L3R 2Z1
 
 Reference:  LE001

The Americas Call Centers, our national direct marketing organization, can add your name to the mailing list for catalogs of IBM products.

Note: Shipments will begin after the planned availability date.

Trademarks

 
System z9, VSE/ESA, System z, IBMLink, and PR/SM are trademarks of International Business Machines Corporation in the United States or other countries or both.
 
z/VSE, eServer, zSeries, z/OS, S/390, CICS, DB2, and ACF/VTAM are registered trademarks of International Business Machines Corporation in the United States or other countries or both.
 
Other company, product, and service names may be trademarks or service marks of others.
