IBM System z10 - Delivering security-rich offerings to
protect your data
IBM United States
Hardware Announcement 109-678
October 20, 2009
For many years the IBM® mainframe has been acknowledged as a platform of
choice for running mission-critical workloads. The System z10 Enterprise Class
and Business Class servers have built on these strengths to deliver leadership
capabilities to help mitigate risk for your business, to simplify the management
of business-critical data, to offer the agility and responsiveness that businesses
require in today's ever-changing environment, to help reduce the costs of
maintaining, managing, and operating the proliferation of small servers, and
to provide flexibility and choice to users. Improvements being announced today
include:
- Managing risk
  - Next generation of cryptographic feature with Crypto Express3
  - z/TPF support for Crypto Express3 accelerator
  - Stronger cryptography encryption for TKE protocol authentication
  - TKE smart card support
  - Simplified key management with TKE 6.0 Workstation
  - New HMC security features to help protect against malware and help with
    FIPS 140-2 level 1 security
  - EAL5 Common Criteria certification for System z10 EC and System z10 BC
    platforms
- Improving service
  - Performance improvements with OSA-Express3 optimized latency mode (OLM)
    for the z/OS® environment
  - Configuration flexibility with four-port exploitation for OSA-Express3
    1000BASE-T and two-port exploitation for OSA-Express3-2P 1000BASE-T Ethernet
    Integrated Console Controllers (ICC)
  - Simplified FICON® problem determination with HMC improvements
  - Simplified usability with Crypto Express3 migration wizard
  - Usability enhancements with TKE 6.0
  - New z/OS Messaging for STP
  - Throughput improvements with Protected Key CPACF
- Reducing cost
  - Improved Capacity for Planned Event (CPE), which allows you to select
    the capacity to meet your business needs rather than providing temporary access
    to all dormant capacity
  - One-port Crypto Express3 for System z10 BC
  - Foundation for future virtualization growth with z/VM® V6.1
For ordering, contact your IBM representative, an IBM Business Partner,
or IBM Americas Call Centers at 800-IBM-CALL (Reference: YE001).
As the pace of business continues to accelerate and the planet becomes
smarter, the physical and digital foundations on which progress depends are
straining to keep up. They're too complex, too inefficient, and too inflexible.
With our dynamic infrastructure strategy, IBM is positioned to help clients succeed
in this new world, addressing today's challenges to improve service, reduce
cost, and manage risk, while also laying the foundation for what is to come.
We are helping clients address the increasing cost and complexity of infrastructure,
link and manage all their IT and business assets, and make their business
and IT infrastructure as dynamic as the business demands.
The System z10 family of servers is well positioned to participate in this
new dynamic model. It delivers many innovative technologies for flexible
enterprise computing and includes proven leadership capabilities for security,
availability, scalability, virtualization, and management. As environmental
concerns raise the focus on energy consumption, the System z10 is designed
to reduce energy usage and save floor space when consolidating workloads from
distributed servers. The System z10 specialty engines continue to help users
expand the use of the mainframe for a broad set of applications, while helping
to lower the cost of ownership.
Protection of the IT infrastructure and data continues to be of key importance.
This announcement strengthens the System z10 position in security with the
next generation of cryptographic feature. The new Crypto Express3 is a state-of-the-art,
tamper-sensing and tamper-responding programmable cryptographic feature available
for the System z10. This feature can be configured as a secure key coprocessor
or an accelerator. The tamper-resistant hardware security module, which is
contained on the Crypto Express3, is designed to meet the FIPS 140-2 Level
4 security requirements for hardware security modules. This new generation
in cryptography raises the bar in error checking by using two lock-step,
cross-checking CPUs for enhanced error detection and fault isolation
of cryptographic operations performed by this coprocessor. New usability
enhancements in this announcement enable the grouping of domains across multiple
coprocessor features, helping to simplify the management and migration of
coprocessor configuration with a new TKE Migration wizard.
Refer to the Hardware requirements and Software requirements sections of this announcement.
Improved Capacity for Planned Events options will be available December
31, 2009.
TKE 6.0 Workstation will be available January 1, 2010.
Four-port exploitation for OSA-Express3 1000BASE-T (#3367) and two-port
exploitation for OSA-Express3-2P 1000BASE-T (#3369) for OSA-ICC will be available
in the first quarter of 2010.
All other new-build and MES functions and features described in this announcement
will be available November 20, 2009.
Security
The newest-generation cryptographic feature - Crypto Express3
Crypto Express3 represents the newest-generation cryptographic feature
designed to complement the cryptographic functions of CPACF. The Crypto Express3
resides in the I/O cage of the z10 EC and the I/O drawer of the z10 BC, and
continues to support all of the cryptographic functions available on Crypto
Express2.
Crypto Express3 is a state-of-the-art, tamper-sensing and tamper-responding,
programmable cryptographic feature. The cryptographic electronics and microprocessor
provide a secure cryptographic environment using two PCI-Express (PCI-E) adapters.
Each PCI-E adapter contains dual processors that operate in parallel to support
the IBM Common Cryptographic Architecture (CCA) with high reliability.
Crypto Express3 applications
The Crypto Express3 feature is suited to applications requiring high-speed,
security-sensitive RSA acceleration; cryptographic operations for data encryption
and digital signing; secure management and use of cryptographic keys; or
custom cryptographic applications. These can include financial applications
such as PIN generation and verification in automated teller and point-of-sale
(POS) transaction servers, remote key loading of ATMs and POS terminals, Web-serving
applications, Public Key Infrastructure applications, smart card applications,
and custom proprietary solutions. Applications can benefit from the strong
security characteristics of the coprocessor and the opportunity to offload
computationally intensive cryptographic processing.
Crypto Express3-1P
An option of one PCI-Express adapter per feature, in addition to the current
two PCI-Express adapters per feature, is being offered for the z10 BC to help
customers scale their Crypto Express investments for their business needs.
The Crypto Express3-1P feature with one PCI-Express adapter may be defined
as either a Coprocessor or an Accelerator. A minimum of two features must
be ordered.
Crypto Express3 key features
Key features of Crypto Express3 include:
- Dynamic power management to maximize RSA performance while keeping within
temperature limits of the tamper-responding package
- For virtualization, the ability of all logical partitions (LPARs) in all
Logical Channel Subsystems (LCSSs) to access the Crypto Express3 feature,
up to 32 LPARs per feature
- Improved reliability, availability, and serviceability (RAS), even better
than the excellent RAS offered by the Crypto Express2 feature
- Secure code loading that enables the updating of functionality while installed
in application systems
- Lock-step checking of dual CPUs for enhanced error detection and fault
isolation of cryptographic operations performed by a coprocessor when a PCI-E
adapter is defined as a coprocessor
- Dynamic addition and configuration of cryptographic features to logical
partitions without an outage
- Updated cryptographic algorithms used in loading the Licensed Internal
Code (LIC) with the TKE workstation to keep in step with current recommendations
for cryptographic strength
- Support for smart card applications using Europay, MasterCard, and Visa
specifications
Crypto Express3 is designed to provide improved performance for symmetric
and asymmetric operations.
Crypto Express3 continues to support the following features:
- Cryptographic key generation
- Pseudo Random Number Generation (PRNG)
- Random Number Generation Long (RNGL) - 8 bytes to 8096 bytes
- Personal identification number (PIN) processing
- PIN generation, verification, and translation functions
Each Crypto Express3 feature may be configured as:
- Two PCI-E cryptographic coprocessors (default mode)
- One PCI-E cryptographic coprocessor and one PCI-E cryptographic accelerator
- Two PCI-E cryptographic accelerators
Crypto Express3 PCI-E adapter defined as a coprocessor
When one or both of the two PCI-E cryptographic adapters are configured
as a coprocessor, the adapter, which contains a tamper-resistant hardware
security module designed for Federal Information Processing Standard (FIPS)
140-2 Level 4 certification, can be used to:
- Encrypt and decrypt data by utilizing secret-key algorithms. Algorithms
supported for data confidentiality are:
  - Single-length key DES
  - Double-length key DES
  - Triple-length key DES
  - AES algorithms that have 128-, 192-, and 256-bit data-encrypting keys
- Generate, install, and distribute cryptographic keys securely using both
public and secret key cryptographic methods
- Generate, verify, and translate personal identification numbers (PINs)
- Generate, verify, and translate 13- through 19-digit personal account
numbers (PANs)
- Ensure the integrity of data by using message authentication codes (MACs),
hashing algorithms, and Rivest-Shamir-Adleman (RSA) public key algorithm (PKA)
digital signatures
- Perform financial PIN processing and other specialized banking functions
- Manage DES, TDES, AES, and RSA keys
- Offer highly secure encryption processing, use of secure encrypted key
values, and User Defined Extensions (UDX) to CCA
- Provide secure remote key loading of encryption keys to ATMs, point of
sale terminals (POS), and PIN entry devices
- Exchange cryptographic keys between IBM CCA and non-CCA servers
- Generate high-quality random numbers for keys and other cryptographic
applications
Crypto Express3 accelerator
The Crypto Express3 accelerator is configured by the installation process
so that it uses only a subset of the coprocessor functions at a higher speed.
When one or both of the two PCI-E cryptographic adapters are configured as
an accelerator, the Crypto Express3 feature may be used for:
- High-performance clear-key RSA functions
- Acceleration of modular arithmetic operations, the RSA cryptographic operations
used with the SSL/TLS protocol
- Offloading of compute-intensive RSA public-key and private-key cryptographic
operations employed in the SSL protocol
Supported functions include:
- PKA Decrypt (CSNDPKD), with PKCS-1.2 formatting
- PKA Encrypt (CSNDPKE), with zero-pad formatting
- Digital Signature Verify
The RSA encryption and decryption functions support key lengths of 512
bits to 4,096 bits, in the Modulus Exponent (ME) and Chinese Remainder Theorem
(CRT) formats.
More information on IBM System z10 cryptographic performance can be found
on the IBM System z® Security Web site at
- http://www.ibm.com/systems/z/advantages/security/z10cryptography.html
For Crypto Express3 prerequisites, refer to the Software requirements section of this announcement.
z/TPF support for Crypto Express3 accelerator
z/TPF Version 1.1 with PTFs supports RSA Keys of 1024- and 2048-bit lengths
for the following applications:
- Data privacy and confidentiality: RSA key pair generation for data encryption
and decryption
- Authentication: RSA digital signature generation and verification to associate
a person with data or objects based on knowledge that is associated with the
data or object
CP Assist for Cryptographic Function (CPACF)
The CP Assist for Cryptographic Function is available on every processor
unit defined as a CP. It provides a set of symmetric cryptographic functions
that enhance the encryption/decryption performance of clear-key operations
for SSL, Virtual Private Network (VPN), and data storing applications not
requiring a high level of security such as FIPS 140-2 level 4.
Cryptographic keys must be protected by the application system, as these
keys are provided in the clear-key form to the CPACF. CPACF must be explicitly
enabled, using a no-charge enablement feature (#3863). SHA-1, SHA-224, SHA-256,
SHA-384, and SHA-512 are shipped enabled on all servers with processor units
(PUs) defined as CPs, IFLs, zIIPs, or zAAPs.
The CP Assist for Cryptographic Function offers:
- For data privacy and confidentiality
  - Data Encryption Standard (DES)
  - Triple Data Encryption Standard (TDES)
  - Advanced Encryption Standard (AES) for 128-bit, 192-bit, and 256-bit keys
- For data integrity
  - Secure Hash Algorithms
    - SHA-1: 160 bit
    - SHA-2: 224, 256, 384, and 512 bit
- For message authentication codes (MAC)
  - Single-key MAC
  - Double-key MAC
For CPACF prerequisites, refer to the Software requirements section
of this announcement.
Protected key CPACF - blending clear-key and secure-key cryptography
The security of encryption relies upon keeping the value of the key a secret.
A secure key should NEVER exist in the clear outside of the
secure boundary of the card. If and when a secure key needs to exist outside
of the tamper-resistant hardware, it should be encrypted under another key,
usually the master key.
An enhancement to CP Assist for Cryptographic Function (CPACF)
is designed to help facilitate the continued privacy of cryptographic key
material when used by the CPACF for high-performance data encryption. Leveraging
the unique z/Architecture®, protected key CPACF helps to ensure that key
material is not visible to applications or operating systems when used for
encryption operations.
Protected key CPACF is designed to provide significant throughput improvements
for large volumes of data and low latency for small blocks of data. In addition,
an enhancement to the information management tool, IBM Encryption Tool for IMS and DB2® Databases,
improves performance for protected key applications.
For Protected Key CPACF prerequisites, refer to the Software requirements section of this announcement.
Stronger cryptography encryption for TKE protocols inbound/outbound authentication
TKE uses cryptographic algorithms and protocols in communication with the
target cryptographic adapters in the host systems it administers. Cryptography
is first used to verify that each target adapter is a valid IBM cryptographic
coprocessor. It is then used to secure the messages exchanged between the TKE
workstation and the target Crypto Express2 and Crypto Express3 features.
The cryptography has been updated to keep pace with industry developments
and with recommendations from experts and standards organizations.
The following enhancements have been made:
- TKE Certificate Authorities (CAs) initialized on a TKE workstation with
TKE 6.0 LIC can issue certificates with 2048-bit keys. Previous versions of
TKE used 1024-bit keys.
- The transport key used to encrypt sensitive data sent between the TKE
workstation and a Crypto Express3 coprocessor has been strengthened from a
192-bit TDES key to a 256-bit AES key.
- The signature key used by the TKE workstation and the Crypto Express3
coprocessor has been strengthened from 1024-bit to a maximum of 4096-bit strength.
- Replies sent by a Crypto Express3 coprocessor on the host are signed with
a 4096-bit key.
TKE smart card support
TKE 6.0 contains support to increase the key strength for TKE Certificate
Authority (CA) smart cards, TKE smart cards, and signature keys stored on
smart cards from 1024-bit to 2048-bit strength.
Only feature number 0884 smart cards with the feature number 0885 smart
card reader support the creation of TKE CA smart cards, TKE smart cards, or
signature keys with the new 2048-bit key strength. Existing feature number
0888 smart cards and feature number 0887 smart card readers are limited to
1024-bit key strengths.
Simplified key management with TKE 6.0 workstation
The feature number 0840 Trusted Key Entry (TKE) workstation and the feature
number 0858 TKE 6.0 level of Licensed Internal Code are optional features
on the System z10. The TKE 6.0 Licensed Internal Code (LIC) is loaded on the
TKE workstation prior to shipment. The TKE workstation offers security-rich
local and remote key management, providing authorized persons a method of
operational and master key entry, identification, exchange, separation, and
update. The TKE workstation supports connectivity to an Ethernet Local Area
Network (LAN) operating at 10 or 100 Mbps. Up to ten TKE workstations can
be ordered.
TKE feature number 0840 will be available on z9 BC, z9 EC, z10 BC, and z10 EC servers, beginning
January 1, 2010.
Common Criteria Evaluation Assurance Level 5 (EAL5)
The System z10 has Common Criteria Evaluation Assurance Level 5 (EAL5)
certification for security of logical partitions. System z security is one of the many
reasons why the world's top banks and retailers rely on the IBM mainframe
to help secure sensitive business transactions.
Simplified usability with Crypto Express3 migration wizard
A wizard is now available to allow users to collect configuration data
from a Crypto Express2 and Crypto Express3 coprocessor and migrate the data
to a different Crypto Express coprocessor. The target Crypto Express coprocessor
must have the same or greater capabilities.
Benefits of using this wizard include:
- Reduces migration steps, thereby minimizing user errors
- Minimizes the number of user "clicks"
- Significantly reduces migration task duration
Usability enhancements with TKE 6.0
Trusted Key Entry (TKE) 6.0 Licensed Internal Code (LIC) includes domain
grouping. This is a significant usability enhancement. The TKE 6.0 LIC provides
capabilities for:
- Grouping of up to 16 domains across one or more cryptographic adapters.
These adapters may be installed in one or more servers or LPARs. Grouping
of domains applies to Crypto Express3 and Crypto Express2 features.
- Greater flexibility and efficiency by executing domain-scoped commands
on every domain in the group. For example, a TKE user can load master key
parts to all domains with one command.
- Efficiency by executing Crypto Express2 and Crypto Express3 scoped commands
on every coprocessor in the group. This allows a substantial reduction of
the time required for loading new master keys from a TKE workstation into
a Crypto Express3 or Crypto Express2 feature.
Networking
Response time improvements with OSA-Express3 optimized latency mode
Optimized latency mode (OLM) can help improve performance for z/OS workloads
with demanding low-latency requirements. This includes interactive workloads
such as SAP using DB2 Connect. OLM can help improve performance
for applications that have a critical requirement to minimize response times
for inbound and outbound data when servicing remote clients. This enhancement
applies exclusively to OSA-Express3 QDIO mode (CHPID type OSD).
For prerequisites, refer to the Software requirements section
of this announcement.
Configuration flexibility with four-port exploitation for OSA-ICC
Integrated Console Controllers (ICC) allow the System z10 to help reduce
cost and complexity by eliminating the requirement for external console controllers.
You can now exploit the four ports on an OSA-Express3 1000BASE-T Ethernet
feature (#3367) on the z10 EC and z10 BC, or the two ports on an OSA-Express3-2P
1000BASE-T on a z10 BC (#3369), when defining the feature as an Integrated
Console Controller (OSA-ICC) for TN3270E, local non-SNA DFT, 3270 emulation,
and 328x printer emulation. There are two PCI-E adapters per feature and two
channel path identifiers (CHPIDs) to be assigned. Each PCI-E adapter has two
ports, but prior to this only one of the two PCI-E adapter ports was available
for use when defined as CHPID type OSC. Removal of this restriction can improve
configuration flexibility by allowing the ability to connect two local LAN
segments to each CHPID.
OSA-ICC continues to support 120 sessions per CHPID.
Four-port exploitation for OSA-Express3 1000BASE-T (feature number 3367)
and two-port exploitation for OSA-Express3-2P 1000BASE-T (feature number 3369)
for OSA-ICC will be available in the first quarter of 2010.
For prerequisites, refer to the Software requirements section
of this announcement.
HMC/SE
New HMC security features
The Hardware Management Console (HMC) and Support Element (SE) versions
2.10.2 provide a new feature called Digitally Signed Firmware (Licensed Internal
Code). This new feature provides the following benefits.
- It helps ensure no malware can be installed on System z products during LICC updates.
- It enables, with other existing security functions, System z10 CPACF functions
to comply with Federal Information Processing Standard (FIPS) 140-2 Level 1
for Cryptographic Licensed Internal Code (LIC) changes.
This new Digitally Signed Firmware follows the System z focus of security for the
Hardware Management Console and Support Element. More details of the security
aspects of the Hardware Management Console and Support Element are described
in the z10 publication System z Hardware Management Console Security, which
can be found in the z10 Technical Notes area on IBM Resource Link.
Serviceability enhancement for FICON channels
Problem determination can now be simplified by using the Hardware Management
Console (HMC) to more quickly pinpoint fiber optic cabling issues in your
Storage Area Network (SAN) fabric without IBM service personnel involvement.
All FICON channel error information is forwarded to the HMC where it is analyzed
to help detect and report the trends and thresholds for all FICON channels on
System z10. The Fibre Channel Analyzer task on the HMC can be used to display
analyzed information about errors on FICON channels (CHPID type FC) of attached
Support Elements. Data includes information about
the PCHID, CHPID, channel type, source link address, and destination link
address of where the error occurred. This report shows an aggregate view of
the data and can span multiple systems.
Capacity on Demand
Improved Capacity for Planned Events options
Capacity for Planned Events (CPE) allows for the temporary access to dormant
capacity intended to replace capacity lost within the enterprise due to a
planned event such as a facility upgrade or system relocation. CPE is similar
to CBU in that it can be used to replace lost capacity; however it differs
in its scope and intent. Where CBU addresses disaster recovery scenarios that
can take up to three months to remedy, CPE is intended for short-duration
events like those previously mentioned.
CPE is changing with this announcement. CPE now allows you to select the
capacity to meet your business needs rather than providing temporary access
to all dormant capacity.
Improved Capacity for Planned Events options will be available December
31, 2009.
Parallel Sysplex and Server Time Protocol (STP)
Improved STP system management with new z/OS messaging
This new function is designed to generate z/OS messages when various hardware events
that affect the External Time Sources (ETSs) configured for an STP-only Coordinated
Timing Network (CTN) occur. This may improve problem determination and correction
times. Previously, the messages were generated only on the Hardware Management
Console (HMC).
The ability to generate z/OS messages is supported on IBM System z10 and System z9® servers with z/OS V1.11 with
enabling support rolled back to z/OS V1.10 and V1.9.
Virtualization
Foundation for future virtualization growth with z/VM V6.1
Version 6 Release 1 (V6.1) is the newest version of z/VM and is intended to
be the base for all future z/VM enhancements.
This release implements a new Architecture Level Set (ALS) available only
on the IBM System z10 Enterprise Class server and System z10 Business Class
server and future generations of System z servers. System z10 technology
together with z/VM V6.1:
- Acknowledges the highly attractive economics of workload consolidation
on the highly secure and reliable System z10 servers designed to reduce energy
usage and save floor space
- Allows z/VM to take advantage of newer hardware technology for future exploitation
Guest LAN and Virtual Switch support has been updated in z/VM V6.1 to
use cache prefetch capabilities that are exclusive to the IBM System z10
and later platforms in order to give the hardware hints about likely memory
access patterns. This enables the hardware to prefetch data into the processor
cache so that the processor does not have to wait for data to be moved from
main memory. Avoidance of a "cache miss" may help improve the performance
of heavy guest-to-guest streaming workloads.
z/VM V6.1 is planned for availability October 23, 2009. More information about
z/VM V6.1 can be found in "IBM z/VM V6.1 - Foundation for future virtualization
growth," Software Announcement 209-401, dated October 20, 2009.
Accessibility by people with disabilities
A U.S. Section 508 Voluntary Product Accessibility Template (VPAT) containing
details on accessibility compliance can be requested at
- http://www.ibm.com/able/product_accessibility/index.html
Section 508 of the U.S. Rehabilitation Act
System z10 servers are capable on delivery, when used in accordance with
IBM's associated documentation, of satisfying the applicable requirements
of Section 508 of the Rehabilitation Act of 1973, 29 U.S.C. Section 794d,
as implemented by 36 C.F.R. Part 1194, provided that any Assistive Technology
used with the product properly interoperates with it.
The future does run on System z. The System z10 design quad-core processor
chip represents a revolution in the IBM System z family of products. The new
processor chip allows expanded scalability, and when combined with larger
memory capacity, faster internal bandwidth, and more subcapacity options,
it offers greater growth and enables consolidation on a new level. Businesses
of all sizes can use the mainframe to run legacy work and should consider
using their mainframe to run new applications using hundreds or thousands
of virtual servers in a single energy-efficient server.
Protection of the IT infrastructure continues to be important. The System
z10 processor chip has on-board cryptographic functions called CP Assist for
Cryptographic Function (CPACF). These standard clear-key integrated cryptographic
coprocessors provide high-speed cryptography for protecting data in storage.
The new Protected Key CPACF is a blending of clear-key and secure-key cryptography
and is intended to help facilitate the continued privacy of cryptographic
key materials when used by the CPACF for high-performance data encryption. IBM announced
Crypto Express3, a state-of-the-art, tamper-sensing and tamper-responding
programmable cryptographic feature available for the System z10. Usability
enhancements to the optional Trusted Key Entry (TKE) workstation enable the
grouping of domains across multiple coprocessor features, helping to simplify
the management and migration of coprocessor configuration with a new TKE Migration
wizard.
IBM is strengthening the System z10 relationship with z/OS V1R11 Communications Server and the
OSA-Express3 with this announcement. An enhancement may improve response time
for interactive workloads when configuring the OSA-Express3 to operate in
a new mode - optimized latency mode (OLM). This is intended to help reduce
the cost of running applications that have a critical requirement to quickly
send and receive data when communicating with a remote client.
The System z10 continues to stand by the Mainframe Charter announced in
2003. We continue to provide value to our customers with unique specialty
engines, energy advantages, and generation-to-generation price/performance
gains. We know that innovation matters to you and we have delivered new z10
processor chip performance, unmatched scalability from the smallest z10 BC
to the largest z10 EC, just-in-time capacity, improvements in I/O and networking
that allow for faster access to data, and unprecedented resiliency and security.
We have a vibrant community with a strong Academic Initiative, new applications
available using Linux® on System z, and over 6,300 applications
available from over 1,700 ISVs. Our commitment delivers a compelling case
for the future to run on the System z10.
Power Sequence Controller (PSC) feature quantities
The optional PSC feature provides the ability to turn on and off specific
control units from the central processor complex (CPC). IBM intends to
make three changes in the area of PSC support:
- IBM intends for System z10 to be the last platform to support greater than
two Power Sequence Controller (PSC) features (#6501).
- Systems with water-cooling will further limit the maximum quantity of
PSC features to one.
- IBM intends for System z10 to be the last platform to allow the PSC feature
to be ordered individually when not part of a new-build server or when not
part of a box MES order.
Support for optional overhead cabling
On future System z servers, IBM intends
to support optional overhead cabling. This would be applicable to some data
center environments and would apply to cabling for I/O (fiber optic and 1000BASE-T
Ethernet). Overhead cabling is designed to provide an additional option and
increased flexibility, to help remove floor hazards in a non-raised-floor
environment, and to help increase air flow in a raised-floor environment.
Removal of specific smart card features
The IBM System z10 EC and System z10 BC will be the last platforms to support
smart card feature number #0888 and the #0887 smart card reader. The #0888
smart card has been replaced by the #0884 smart card. The #0887 smart card
reader has been replaced by the #0885 smart card reader. The #0885 smart card
reader and the #0884 smart card were made available on October 28, 2008. Refer
to "IBM System z10 Enterprise Class - The future runs on System z10, the future
begins today," Hardware Announcement 108-794, dated October 21, 2008.
Customers should begin to migrate information from the #0888 smart card
to the #0884 smart card to prepare for the change. Refer to the Trusted
Key Entry PCIX Workstation User's Guide for instructions on how to make
backups of TKE Certificate Authority (CA) smart cards and how to move key
material from one TKE smart card to another.
Removal of Crypto Express2 feature
The IBM System z10 EC and z10 BC will be the last servers to offer Crypto
Express2 (#0863) as a feature, either as part of a new-build order, or carried
forward on an upgrade.
All statements regarding IBM's plans, directions, and intent are subject
to change or withdrawal without notice. Any reliance on these statements
of general direction is at the relying party's sole risk and will not create
liability or obligation for IBM.
More information on z/VM V6.1 can be found in "IBM z/VM V6.1 - Foundation for future virtualization
growth," Software Announcement 209-401, dated October 20, 2009.
Description                   Machine Type  Model  Feature
System z10 EC                 2097          E12
                                            E26
                                            E40
                                            E56
                                            E64
TKE 6.0 Workstation                                0840
TKE 6.0 LIC                                        0858
Crypto Express3                                    0864
1 CPE Capacity Unit                                0116
100 CPE Capacity Unit                              0117
10000 CPE Capacity Unit                            0118
1 CPE Capacity Unit-IFL                            0119
100 CPE Capacity Unit-IFL                          0120
1 CPE Capacity Unit-ICF                            0121
100 CPE Capacity Unit-ICF                          0122
1 CPE Capacity Unit-zAAP                           0123
100 CPE Capacity Unit-zAAP                         0124
1 CPE Capacity Unit-zIIP                           0125
100 CPE Capacity Unit-zIIP                         0126
1 CPE Capacity Unit-SAP                            0127
100 CPE Capacity Unit-SAP                          0128
System z10 BC                 2098          E10
TKE 6.0 Workstation                                0840
TKE 6.0 LIC                                        0858
Crypto Express3                                    0864
Crypto Express3-1P                                 0871
1 CPE Capacity Unit                                0116
100 CPE Capacity Unit                              0117
10000 CPE Capacity Unit                            0118
1 CPE Capacity Unit-IFL                            0119
100 CPE Capacity Unit-IFL                          0120
1 CPE Capacity Unit-ICF                            0121
100 CPE Capacity Unit-ICF                          0122
1 CPE Capacity Unit-zAAP                           0123
100 CPE Capacity Unit-zAAP                         0124
1 CPE Capacity Unit-zIIP                           0125
100 CPE Capacity Unit-zIIP                         0126
1 CPE Capacity Unit-SAP                            0127
100 CPE Capacity Unit-SAP                          0128
System z9 BC                  2096          S07
                                            R07
TKE 6.0 Workstation                                0840
TKE 6.0 LIC                                        0858
System z9 EC                  2094          S08
                                            S18
                                            S28
                                            S38
                                            S54
TKE 6.0 Workstation                                0840
TKE 6.0 LIC                                        0858
Business Partner information
If you are a Direct Reseller - System Reseller acquiring products from IBM,
you may link directly to Business Partner information for this announcement.
A PartnerWorld® ID and password are required (use IBM ID).
- https://www.ibm.com/partnerworld/mem/sla.jsp?num=109-678
Visit the following Web site for additional information
- http://www.ibm.com/training/us
Call IBM IT Education Services at 800-IBM-TEACH (426-8322)
for catalogs, schedules, and enrollments.
The following publications are available now in the Library section
of Resource Link:
Title                                                     Order number
z10 EC System Overview                                    SA22-1084
z10 BC System Overview                                    SA22-1085
z10 EC Installation Manual for Physical Planning (IMPP)   GC28-6865
z10 BC Installation Manual for Physical Planning (IMPP)   GC28-6875
System z Functional Matrix                                ZSW0-1335
z10 PR/SM Planning Guide                                  SB10-7153
The following publications are shipped with the product and available in
the Library section of Resource Link:
Title                                         Order number
System z Service Guide for TKE Workstations   GC28-6862
z10 EC Installation Manual                    GC28-6864
z10 EC Service Guide                          GC28-6866
z10 EC Safety Inspection                      GC28-6870
z10 BC Installation Manual                    GC28-6874
z10 BC Safety Inspection                      GC28-6877
z10 BC Service Guide                          GC28-6878
Systems Safety Notices                        G229-9054
System z Statement of Limited Warranty        GC28-6883
The following publications will be available at planned availability in
the Library section of Resource Link:
Title                                           Order number
System z API for Java                           API-JAVA
System z Application Programming Interfaces     SB10-7030
System z HMC Operations Guide (Version 2.10.2)  SC28-6881
System z CIM Management Interface               SB10-7154
System z CHPID Mapping Tool User's Guide        GC28-6825
System z Service Guide for HMCs and SEs         GC28-6861
z10 Capacity on Demand User's Guide             SC28-6871
z10 SE Operations Guide (Version 2.10.2)        SC28-6882
Publications for System z10 can be obtained at Resource Link by accessing the
following Web site
- http://www.ibm.com/servers/resourcelink
Using the instructions on the Resource Link panels, obtain a
user ID and password. Resource Link has been designed for easy access
and navigation.
The following IBM Redbooks® have been updated:
Title                                                   Order number
IBM System z Connectivity Handbook                      SG24-5444
IBM System z10 Enterprise Class Technical Introduction  SG24-7515
IBM System z10 Enterprise Class Technical Guide         SG24-7516
IBM System z10 Business Class Technical Overview        SG24-7632
For other IBM Redbooks publications, refer to
- http://www.redbooks.ibm.com/
Global Technology Services
IBM services include business consulting, outsourcing, hosting services, applications,
and other technology management.
These services help you learn about, plan, install, manage, or optimize
your IT infrastructure to be an On Demand Business. They can help you integrate
your high-speed networks, storage systems, application servers, wireless protocols,
and an array of platforms, middleware, and communications software for IBM and
many non-IBM offerings. IBM is your one-stop shop for IT support needs.
For details on available services, contact your IBM representative or visit
- http://www.ibm.com/services/
For details on available IBM Business Continuity and Recovery Services, contact
your IBM representative or visit
- http://www.ibm.com/services/continuity
For details on education offerings related to specific products, visit
- http://www.ibm.com/services/learning/index.html
Select your country, and then select the product as the category.
Specified operating environment
Hardware requirements
You should review the PSP buckets for minimum Machine Change Levels
(MCLs) and software PTF levels before IPLing operating systems. To support
new functions and features, MCLs are required.
Descriptions of the MCLs are available now through Resource Link.
Access Resource Link at
- http://www.ibm.com/servers/resourcelink
Select: Fixes, Hardware, Exception Letters.
Click on System z10 EC or System z10 BC.
Click on Driver xxx Customer Exception Letter.
The most recent driver information is at the top of the list.
Peripheral hardware and device attachments
IBM devices previously attached to IBM System z9 and zSeries® servers are supported
for attachment to System z10 channels, unless otherwise noted. The subject I/O devices
must meet ESCON® or FICON/FCP architecture requirements to be supported. I/O devices
that meet OEMI architecture requirements are supported only using an external converter.
Prerequisite Engineering Change Levels may be required. For further detail,
contact IBM service personnel.
While the System z10 supports devices as described above, IBM does not commit
to provide support or service for an IBM device that has reached its End of Service
effective date as announced by IBM.
Note: IBM cannot confirm the accuracy of performance, compatibility, or any other claims related
to non-IBM products. Questions regarding the capabilities of non-IBM products
should be addressed to the suppliers of those products.
Software requirements
Listed are the operating system minimum versions and releases. Select the
releases appropriate to your operating system environments.
Note: Refer to the z/OS, z/VM, and z/VSE subsets of the 2097DEVICE and 2098DEVICE
Preventive Service Planning (PSP) bucket prior to installing a System z10.
OSA-Express3 optimized latency mode (OLM) on System z10 requires
at a minimum:
- z/OS V1.11 with PTFs
- z/VM V5.3 with PTFs for guest exploitation
OSA-Express3 1000BASE-T (#3367) and OSA-Express3-2P 1000BASE-T (#3369)
CHPID type OSC supporting TN3270E and non-SNA DFT on System z10 requires
at a minimum:
- z/OS V1.7 with the IBM Lifecycle Extension for z/OS V1.7 (5637-A01)
- z/OS V1.8 with the IBM Lifecycle Extension for z/OS V1.8 (5638-A01)
- z/VM V5.3
- z/VSE V4.1
- TPF 4.1 and z/TPF 1.1
Crypto Express3 and Crypto Express3-1P on the System z10 require
at a minimum:
- z/OS:
- z/VM V5.3 with PTFs for guest exploitation.
- z/VSE V4.2 and IBM TCP/IP for VSE/ESA V1.5.0 with PTFs.
- z/TPF V1.1 (acceleration mode only).
- Linux on System z distributions:
  - Current Novell SUSE and Red Hat distributions support the same functionality
    as Crypto Express2. Secure key is not supported.
Note: Crypto Express3-1P is available only on the System z10 BC.
Note: z/VSE supports clear-key RSA operations only. z/VM V5.3 and later support
clear- and secure-key operations.
z/VM support for Crypto Express3 on System z10 requires at a minimum z/VM V5.3 with
PTFs, planned to be available in November 2009. It is intended to provide:
- The ability to dedicate any available domain to a guest for clear-key
and secure-key cryptographic functions.
- The ability for guests to share all available, non-dedicated domains for
clear-key cryptographic functions.
- Enhancements to the CP QUERY CRYPTO APQS to display information about
both shared and dedicated cryptographic domains. Prior to this enhancement,
the command only displayed user information for dedicated domains.
Each Crypto Express2 and Crypto Express3 feature contains two cryptographic
coprocessors, each with 16 cryptographic domains. Up to 256 domains can be
configured for use within a single z/VM system.
Each Crypto Express2-1P and Crypto Express3-1P feature contains a single
cryptographic coprocessor with support for 16 cryptographic domains. Up to
128 domains can be configured for use within a single z/VM system when using 1P.
CP Assist for Cryptographic Function (CPACF) (#3863) on the System
z10 requires at a minimum:
- z/OS
- z/VSE V4.1 and IBM TCP/IP for VSE/ESA V1.5.0 with PTFs.
- z/VM V5.3.
- z/TPF V1.1.
- TPF V4.1.
- Linux on System z distributions:
  - Current releases of Red Hat and Novell SUSE.
Protected Key CP Assist for Cryptographic Function (CPACF) on the
System z10 requires at a minimum:
- z/OS:
- Linux on System z - IBM is working with its Linux distribution partners to include
  support in future Linux on System z distribution releases.
STP System Management with new z/OS Messaging on System z10 requires
at a minimum:
- z/OS V1.11
- z/OS V1.9 and V1.10 with PTFs
Planning information
Customer responsibilities
Information on customer responsibilities for site preparation can be found
in the Library section of Resource Link at
- http://www.ibm.com/servers/resourcelink
Cable orders
Fiber optic cable orders
Fiber optic cables for the z10 EC, z10 BC, z9 EC, z9 BC,
z990, and z890 are available from IBM Site and Facilities Services.
IBM Site and Facilities Services has a comprehensive set of scalable solutions to
address IBM cabling requirements, from product-level to enterprise-level. The IBM
Facilities Cabling Services - fiber transport system and the IBM IT Facilities
Assessment, Design, and Construction Services - optimized airflow assessment for
cabling, offered by IBM Site and Facilities Services, provide services for small,
medium, and large enterprises:
- Assessment and planning for IBM Fiber Transport System (FTS) trunking
components
- Planning and installation services for individual fiber optic connections
IBM Global Technology Services has the expertise
and personnel available to effectively plan and deploy the appropriate cabling
with the future in mind. These services may include assessment, planning,
consultation, cable selection, installation, and documentation, depending
upon the services selected.
These services are designed to be right-sized for your products or the end-to-end
enterprise, and to take into consideration the requirements for all of the protocols
and media types supported on the System z10, System z9, and zSeries (ESCON, FICON,
Coupling Links, and OSA) whether the focus is the data center, the Storage
Area Network (SAN), the Local Area Network (LAN), or the end-to-end enterprise.
IBM Site and Facilities Services is designed to deliver convenient, packaged services
to help reduce the complexity of planning, ordering, and installing fiber optic cables.
The appropriate fiber cabling is selected based upon the product requirements and the
installed fiber plant.
The services are packaged as follows:
Under IBM Facilities Cabling Services there is the option to provide IBM Fiber
Transport System (FTS) trunking commodities (fiber optic trunk cables, fiber harnesses,
and panel-mount boxes) for connecting to the z10 EC, z10 BC, z9 EC, z9 BC, z990, and
z890. IBM can reduce the cable clutter and cable bulk under the floor. An analysis of
the channel configuration and any existing fiber optic cabling is performed to determine
the required FTS trunking commodities. IBM can also help organize the entire enterprise.
This option includes enterprise planning, new cables, fiber optic trunking commodities,
installation, and documentation.
Under IBM IT Facilities Assessment, Design, and
Construction Services there is the option to provide the optimized airflow
assessment for cabling to provide you with a comprehensive review of your
existing data center cabling infrastructure. This service provides an expert
analysis of the overall cabling design required to help improve data center
airflow for optimized cooling, and to facilitate operational efficiency through
simplified change management.
Contact IBM Global Technology Services for details.
Refer to the services section of Resource Link for
further details. Access Resource Link at
- http://www.ibm.com/servers/resourcelink
Cabling responsibilities
Fiber optic cables, cable planning, labeling, and placement are all customer
responsibilities for new installations and upgrades. Fiber optic conversion
kits and Mode Conditioning Patch (MCP) cables are not orderable as features
on a z10 EC and z10 BC. Installation Planning Representatives (IPRs) and
System Service Representatives (SSRs) will not perform the fiber optic cabling
tasks without a services contract.
The following tasks are required to be performed by the customer prior
to machine installation:
- All fiber optic cable planning.
- All purchasing of correct fiber optic cables.
- All installation of any required Mode Conditioning Patch (MCP) cables.
- All installation of any required Conversion Kits.
- All routing of fiber optic cables to correct floor cutouts for proper
installation to server.
- Use the Physical Channel Identifier (PCHID) report or the report from
the Channel Path Identifier (CHPID) Mapping Tool to accurately route all cables.
- All labeling of fiber optic cables with PCHID numbers for proper installation
to server.
- Use the PCHID report or the report from the CHPID Mapping Tool to accurately
label all cables.
Additional service charges may be incurred during the server installation
if the above cabling tasks are not accomplished as required.
Fiber Quick Connect (FQC), a fiber harness integrated in the z10 EC and
z10 BC frame for "quick" connect, is offered as a feature on the z10 EC and
z10 BC for connection to ESCON and FICON LX channels.
Cables for ICB links continue to be available as features. Refer to the Special
features section of the Sales Manual on the Web for a list of these
features and cables for ICB links:
- http://www.ibm.com/common/ssi/OIX.wss
For further details also refer to the Installation Manual for Physical
Planning (IMPP), available on Resource Link.
Note: IBM Site and Facilities Services can satisfy
your fiber optic as well as your copper cabling requirements.
Security, auditability, and control
The z10 EC and z10 BC use the security and auditability features and functions
of host hardware, host software, and application software.
The customer is responsible for evaluation, selection, and implementation
of security features, administrative procedures, and appropriate controls
in application systems and communications facilities.
IBM has transformed its delivery of hardware and software support services to help
you achieve higher system availability. Electronic Services is a Web-enabled
solution that offers an exclusive, no-additional-charge enhancement to the
service and support available for IBM servers. These services are designed
to provide the opportunity for greater system availability with faster problem
resolution and preemptive monitoring. Electronic Services comprises two separate,
but complementary, elements: Electronic Services news page and Electronic
Services Agent.
The Electronic Services news page is a single Internet entry point that
replaces the multiple entry points traditionally used to access IBM Internet services
and support. The news page enables you to gain easier access to IBM resources
for assistance in resolving technical problems.
The Electronic Service Agent is no-additional-charge software that resides on your server.
It monitors events and transmits system inventory information to IBM on a periodic,
client-defined timetable. The Electronic Service Agent automatically
reports hardware problems to IBM. Early knowledge about potential problems enables IBM to
deliver proactive service that may result in higher system availability and
performance. In addition, information collected through the Service Agent
is made available to IBM service support representatives when they help answer
your questions or diagnose problems. Installation and use of IBM Electronic
Service Agent for problem reporting enables IBM to provide better support and service
for your IBM server.
To learn how Electronic Services can work for you, visit
- http://www.ibm.com/support/electronic
MES discount applicable
No
Field installable feature
Yes
Warranty period
One year
Features assume the same warranty or maintenance terms as the machine in
which they are installed for the full warranty or maintenance period announced
for such machine.
Customer setup
No
Machine code
Same license terms and conditions as base machine
For all charges, contact your IBM representative.
Mach EW MMMC Init/
Description type Mod Feat ** Fe indicat MES
System z10 EC 2097 E12 X
E26 X
E40 X
E56 X
E64 X
TKE 6.0 Workstation 0840 ** Both
TKE 6.0 LIC 0858 ** Both
Crypto Express3 0864 ** Both
1 CPE Capacity Unit 0116 ** Both
100 CPE Capacity Unit 0117 ** Both
10000 CPE Capacity Unit 0118 ** Both
1 CPE Capacity Unit-IFL 0119 ** Both
100 CPE Capacity Unit-IFL 0120 ** Both
1 CPE Capacity Unit-ICF 0121 ** Both
100 CPE Capacity Unit-ICF 0122 ** Both
1 CPE Capacity Unit-zAAP 0123 ** Both
100 CPE Capacity Unit-zAAP 0124 ** Both
1 CPE Capacity Unit-zIIP 0125 ** Both
100 CPE Capacity Unit-zIIP 0126 ** Both
1 CPE Capacity Unit-SAP 0127 ** Both
100 CPE Capacity Unit-SAP 0128 ** Both
Mach EW MMMC Init/
Description type Mod Feat ** Fe indicat MES
System z10 BC 2098 E10 X
TKE 6.0 Workstation 0840 ** Both
TKE 6.0 LIC 0858 ** Both
Crypto Express3 0864 ** Both
Crypto Express3-1P 0871 ** Both
1 CPE Capacity Unit 0116 ** Both
100 CPE Capacity Unit 0117 ** Both
10000 CPE Capacity Unit 0118 ** Both
1 CPE Capacity Unit-IFL 0119 ** Both
100 CPE Capacity Unit-IFL 0120 ** Both
1 CPE Capacity Unit-ICF 0121 ** Both
100 CPE Capacity Unit-ICF 0122 ** Both
1 CPE Capacity Unit-zAAP 0123 ** Both
100 CPE Capacity Unit-zAAP 0124 ** Both
1 CPE Capacity Unit-zIIP 0125 ** Both
100 CPE Capacity Unit-zIIP 0126 ** Both
1 CPE Capacity Unit-SAP 0127 ** Both
100 CPE Capacity Unit-SAP 0128 ** Both
Mach EW MMMC Init/
Description type Mod Feat ** Fe indicat MES
System z9 BC 2096 S07 X
R07
TKE 6.0 Workstation 0840 ** Both
TKE 6.0 LIC 0858 ** Both
Mach EW MMMC Init/
Description type Mod Feat ** Fe indicat MES
System z9 EC 2094 S08 X
S18
S28
S38
S58
TKE 6.0 Workstation 0840 ** Both
TKE 6.0 LIC 0858 ** Both
** If field installed on a purchased machine, parts
removed or replaced become the property of IBM and must be returned.
Trademarks
IMS, z9, DB2 Connect, Resource Link, PR/SM, z/VSE, VSE/ESA and Electronic Service Agent are trademarks of IBM Corporation in the United States, other countries, or both.
IBM, z/OS, FICON, z/VM, System z, z/Architecture, DB2, System z9, PartnerWorld, Redbooks, zSeries and ESCON are registered trademarks of IBM Corporation in the United States, other countries, or both.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Other company, product, and service names may be trademarks or service marks of others.
Terms of use
IBM products and services which are announced and available in your country can be
ordered under the applicable standard agreements, terms, conditions, and prices in
effect at the time. IBM reserves the right to modify or withdraw this announcement
at any time without notice. This announcement is provided for your information
only. Additional terms of use are located at
- http://www.ibm.com/legal/us/en/
For the most current information regarding IBM products, consult your IBM representative
or reseller, or visit the IBM worldwide contacts page
- http://www.ibm.com/planetwide/us/