IBM System z10 - Delivering security-rich offerings to protect your data

IBM United States Hardware Announcement 109-678
October 20, 2009

 

(Corrected on December 3, 2009)

Revised text for Response time improvements with OSA-Express3 optimized latency mode in Description section.
 
At a glance

For many years the IBM® mainframe has been acknowledged as a platform of choice for running mission-critical workloads. The System z10 Enterprise Class and Business Class servers have built on these strengths to deliver leadership capabilities to help mitigate risk for your business, to simplify the management of business-critical data, to offer the agility and responsiveness that businesses require in today's ever-changing environment, to help reduce the costs of maintaining, managing, and operating the proliferation of small servers, and to provide flexibility and choice to users. Improvements being announced today include:

  • Managing risk
    • Next generation of cryptographic feature with Crypto Express3
    • z/TPF support for Crypto Express3 accelerator
    • Stronger cryptography encryption for TKE protocol authentication
    • TKE smart card support
    • Simplified key management with TKE 6.0 Workstation
    • New HMC security features to help protect against malware and help with FIPS 140-2 level 1 security
    • EAL5 Common Criteria certification for System z10 EC and System z10 BC platforms
  • Improving service
    • Performance improvements with OSA-Express3 optimized latency mode (OLM) for the z/OS® environment
    • Configuration flexibility with four-port exploitation for OSA-Express3 1000BASE-T and two-port exploitation for OSA-Express3-2P 1000BASE-T Ethernet Integrated Console Controllers (ICC)
    • Simplified FICON® problem determination with HMC improvements
    • Simplified usability with Crypto Express3 migration wizard
    • Usability enhancements with TKE 6.0
    • New z/OS Messaging for STP
    • Throughput improvements with Protected Key CPACF
  • Reducing cost
    • Improved Capacity for Planned Event (CPE), which allows you to select the capacity to meet your business needs rather than providing temporary access to all dormant capacity
    • One-port Crypto Express3 for System z10 BC
    • Foundation for future virtualization growth with z/VM® V6.1

For ordering, contact your IBM representative, an IBM Business Partner, or IBM Americas Call Centers at 800-IBM-CALL (Reference: YE001).


 
Overview

As the pace of business continues to accelerate and the planet becomes smarter, the physical and digital foundations on which progress depends are straining to keep up. They're too complex, too inefficient, and too inflexible. With our dynamic infrastructure strategy, IBM is positioned to help clients succeed in this new world, addressing today's challenges to improve service, reduce cost, and manage risk, while also laying the foundation for what is to come. We are helping clients address the increasing cost and complexity of infrastructure, link and manage all their IT and business assets, and make their business and IT infrastructure as dynamic as the business demands.

The System z10 family of servers is well positioned to participate in this new dynamic model. It delivers many innovative technologies for flexible enterprise computing and includes proven leadership capabilities for security, availability, scalability, virtualization, and management. As environmental concerns raise the focus on energy consumption, the System z10 is designed to reduce energy usage and save floor space when consolidating workloads from distributed servers. The System z10 specialty engines continue to help users expand the use of the mainframe for a broad set of applications, while helping to lower the cost of ownership.

Protection of the IT infrastructure and data continues to be of key importance. This announcement strengthens the System z10 position in security with the next generation of cryptographic feature. The new Crypto Express3 is a state-of-the-art, tamper-sensing and tamper-responding programmable cryptographic feature available for the System z10. This feature can be configured as a secure key coprocessor or an accelerator. The tamper-resistant hardware security module, which is contained on the Crypto Express3, is designed to meet the FIPS 140-2 Level 4 security requirements for hardware security modules. This new generation in cryptography raises the bar in error checking by using two lock-step, cross-checking CPUs for enhanced error detection and fault isolation of cryptographic operations performed by this coprocessor. New usability enhancements in this announcement enable the grouping of domains across multiple coprocessor features, helping to simplify the management and migration of coprocessor configuration with a new TKE Migration wizard.


 
Key prerequisites

Refer to the Hardware requirements and Software requirements sections of this announcement.


 
Planned availability date

Improved Capacity for Planned Events options will be available December 31, 2009.

TKE 6.0 Workstation will be available January 1, 2010.

Four-port exploitation for OSA-Express3 1000BASE-T (#3367) and two-port exploitation for OSA-Express3-2P 1000BASE-T (#3369) for OSA-ICC will be available in the first quarter of 2010.

All other new-build and MES functions and features described in this announcement will be available November 20, 2009.

HiperSockets network traffic analyzer will be available in the first quarter, 2010.


 
Description

Security

The newest-generation cryptographic feature - Crypto Express3

Crypto Express3 represents the newest-generation cryptographic feature designed to complement the cryptographic functions of CPACF. The Crypto Express3 resides in the I/O cage of the z10 EC and the I/O drawer of the z10 BC, and continues to support all of the cryptographic functions available on Crypto Express2.

Crypto Express3 is a state-of-the-art, tamper-sensing and tamper-responding, programmable cryptographic feature. The cryptographic electronics and microprocessor provide a secure cryptographic environment using two PCI-Express (PCI-E) adapters. Each PCI-E adapter contains dual processors that operate in parallel to support the IBM Common Cryptographic Architecture (CCA) with high reliability.

Crypto Express3 applications

The Crypto Express3 feature is suited to applications requiring high-speed, security-sensitive RSA acceleration; cryptographic operations for data encryption and digital signing; secure management and use of cryptographic keys; or custom cryptographic applications. These can include financial applications such as PIN generation and verification in automated teller and point-of-sale (POS) transaction servers, remote key loading of ATMs and POS terminals, Web-serving applications, Public Key Infrastructure applications, smart card applications, and custom proprietary solutions. Applications can benefit from the strong security characteristics of the coprocessor and the opportunity to offload computationally intensive cryptographic processing.

Crypto Express3-1P

An option of one PCI-Express adapter per feature, in addition to the current two PCI-Express adapters per feature, is being offered for the z10 BC to help customers scale their Crypto Express investments for their business needs.

The Crypto Express3-1P feature with one PCI-Express adapter may be defined as either a Coprocessor or an Accelerator. A minimum of two features must be ordered.

Crypto Express3 key features

Key features of Crypto Express3 include:

  • Dynamic power management to maximize RSA performance while keeping within temperature limits of the tamper-responding package
  • For virtualization, the ability of all logical partitions (LPARs) in all Logical Channel Subsystems (LCSSs) to access the Crypto Express3 feature, up to 32 LPARs per feature
  • Improved reliability, availability, and serviceability (RAS); even better than the excellent RAS offered by the Crypto Express2 feature
  • Secure code loading that enables the updating of functionality while installed in application systems
  • Lock-step checking of dual CPUs for enhanced error detection and fault isolation of cryptographic operations performed by a coprocessor when a PCI-E adapter is defined as a coprocessor
  • Dynamic addition and configuration of cryptographic features to logical partitions without an outage
  • Updated cryptographic algorithms used in loading the Licensed Internal Code (LIC) with the TKE workstation to keep in step with current recommendations for cryptographic strength
  • Support for smart card applications using Europay, MasterCard, and Visa specifications

Crypto Express3 is designed to provide improved performance for symmetric and asymmetric operations.

Crypto Express3 continues to support the following features:

  • Cryptographic key generation
    • Pseudo Random Number Generation (PRNG)
    • Random Number Generation Long (RNGL) - 8 bytes to 8096 bytes
  • Personal identification number (PIN) processing
    • PIN generation, verification, and translation functions

Each Crypto Express3 feature may be configured as:

  • Two PCI-E cryptographic coprocessors (default mode)
  • One PCI-E cryptographic coprocessor and one PCI-E cryptographic accelerator
  • Two PCI-E cryptographic accelerators

Crypto Express3 PCI-E adapter defined as a coprocessor

When one or both of the two PCI-E cryptographic adapters are configured as a coprocessor, the adapter, which contains a tamper-resistant hardware security module designed for Federal Information Processing Standard (FIPS) 140-2 Level 4 certification, can be used to:

  • Encrypt and decrypt data by utilizing secret-key algorithms. Algorithms supported for data confidentiality are:
    • Single-length key DES
    • Double-length key DES
    • Triple-length key DES
    • AES algorithms that have 128-, 192-, and 256-bit data-encrypting keys
  • Generate, install, and distribute cryptographic keys securely using both public and secret key cryptographic methods
  • Generate, verify, and translate personal identification numbers (PINs)
  • Generate, verify, and translate 13- through 19-digit personal account numbers (PANs)
  • Ensure the integrity of data by using message authentication codes (MACs), hashing algorithms, and Rivest-Shamir-Adleman (RSA) public key algorithm (PKA) digital signatures
  • Perform financial PIN processing and other specialized banking functions
  • Manage DES, TDES, AES, and RSA keys
  • Offer highly secure encryption processing, use of secure encrypted key values, and User Defined Extensions (UDX) to CCA
  • Provide secure remote key loading of encryption keys to ATMs, point of sale terminals (POS), and PIN entry devices
  • Exchange cryptographic keys between IBM CCA and non-CCA servers
  • Generate high-quality random numbers for keys and other cryptographic applications

Crypto Express3 accelerator

The Crypto Express3 accelerator is configured by the installation process so that it uses only a subset of the coprocessor functions at a higher speed. When one or both of the two PCI-E cryptographic adapters are configured as an accelerator, the Crypto Express3 feature may be used for:

  • High-performance clear-key RSA functions
  • Acceleration of modular arithmetic operations, the RSA cryptographic operations used with the SSL/TLS protocol
  • Offloading of compute-intensive RSA public-key and private-key cryptographic operations employed in the SSL protocol

Supported functions include:

  • PKA Decrypt (CSNDPKD), with PKCS-1.2 formatting
  • PKA Encrypt (CSNDPKE), with zero-pad formatting
  • Digital Signature Verify

The RSA encryption and decryption functions support key lengths of 512 bits to 4,096 bits, in the Modulus Exponent (ME) and Chinese Remainder Theorem (CRT) formats.
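
The ME and CRT private-key formats named above give the same RSA result; the sketch below, an added example that is not IBM or CCA code, runs the private-key operation in both formats on a block built with zero-pad formatting. The public exponent 65537, the seeded key generator, all function names, and the sample data are assumptions of the example.

```python
"""RSA private-key operation in ME and CRT key formats (added illustration)."""
import random

MIN_BITS, MAX_BITS = 512, 4096  # key-length range stated in the announcement
E = 65537                       # public exponent assumed for this example


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random prime with its top two bits set, so p*q has exactly 2*bits bits."""
    while True:
        cand = rng.getrandbits(bits) | (3 << (bits - 2)) | 1
        if (cand - 1) % E and is_probable_prime(cand, rng):
            return cand


def generate_key(bits, seed):
    """Return (n, ME key, CRT key). Seeded RNG is for a repeatable demo only."""
    if not MIN_BITS <= bits <= MAX_BITS or bits % 2:
        raise ValueError("modulus must be an even length from 512 to 4096 bits")
    rng = random.Random(seed)  # a real key needs a cryptographic RNG
    p = gen_prime(bits // 2, rng)
    q = gen_prime(bits // 2, rng)
    while q == p:
        q = gen_prime(bits // 2, rng)
    d = pow(E, -1, (p - 1) * (q - 1))
    me = {"n": p * q, "d": d}                       # Modulus Exponent format
    crt = {"p": p, "q": q, "dp": d % (p - 1),       # Chinese Remainder Theorem
           "dq": d % (q - 1), "qinv": pow(q, -1, p)}  # format: five components
    return p * q, me, crt


def zero_pad(data, n):
    """Left-pad data with zero bytes to the modulus length; return it as an int."""
    k = (n.bit_length() + 7) // 8
    if len(data) > k:
        raise ValueError("data longer than the modulus")
    m = int.from_bytes(data.rjust(k, b"\x00"), "big")
    if m >= n:
        raise ValueError("padded block must be numerically below the modulus")
    return m


def encrypt(data, n):
    """Public-key operation on a zero-padded block."""
    return pow(zero_pad(data, n), E, n)


def decrypt_me(c, me):
    """Private-key operation, ME format: one full-size exponentiation."""
    return pow(c, me["d"], me["n"])


def decrypt_crt(c, crt):
    """Private-key operation, CRT format: two half-size exponentiations
    recombined with Garner's formula."""
    p, q = crt["p"], crt["q"]
    m1 = pow(c % p, crt["dp"], p)
    m2 = pow(c % q, crt["dq"], q)
    h = (crt["qinv"] * (m1 - m2)) % p
    return m2 + h * q


def to_block(m, n):
    """Recovered integer as a modulus-length block. Zero-pad carries no length
    marker, so the receiver must already know how many bytes are data."""
    return m.to_bytes((n.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    n, me, crt = generate_key(1024, seed=109678)
    c = encrypt(b"constructed sample key block", n)  # constructed sample input
    assert decrypt_me(c, me) == decrypt_crt(c, crt)
    print(to_block(decrypt_crt(c, crt), n).lstrip(b"\x00"))
```
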

More information on IBM System z10 cryptographic performance can be found on the IBM System z® Security Web site at

http://www.ibm.com/systems/z/advantages/security/z10cryptography.html

For Crypto Express3 prerequisites, refer to the Software requirements section of this announcement.

z/TPF support for Crypto Express3 accelerator

z/TPF Version 1.1 with PTFs supports RSA Keys of 1024- and 2048-bit lengths for the following applications:

  • Data privacy and confidentiality: RSA key pair generation for data encryption and decryption
  • Authentication: RSA digital signature generation and verification to associate a person with data or objects based on knowledge that is associated with the data or object

CP Assist for Cryptographic Function (CPACF)

The CP Assist for Cryptographic Function is available on every processor unit defined as a CP. It provides a set of symmetric cryptographic functions that enhance the encryption/decryption performance of clear-key operations for SSL, Virtual Private Network (VPN), and data storing applications not requiring a high level of security such as FIPS 140-2 level 4.

Cryptographic keys must be protected by the application system, as these keys are provided in the clear-key form to the CPACF. CPACF must be explicitly enabled, using a no-charge enablement feature (#3863). SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 are shipped enabled on all servers with processor units (PUs) defined as CPs, IFLs, zIIPs, or zAAPs.

The CP Assist for Cryptographic Function offers:

  • For data privacy and confidentiality
    • Data Encryption Standard (DES)
    • Triple Data Encryption Standard (TDES)
    • Advanced Encryption Standard (AES) for 128-bit, 192-bit, and 256-bit keys
  • For data integrity
    • Secure Hash Algorithms
      • SHA-1: 160 bit
      • SHA-2: 224, 256, 384, and 512 bit
  • For message authentication codes (MAC)
    • Single-key MAC
    • Double-key MAC

For CPACF prerequisites, refer to the Software requirements section of this announcement.

Protected key CPACF - blending clear-key and secure-key cryptography

The security of encryption relies upon keeping the value of the key a secret. A secure key should NEVER exist in the clear outside of the secure boundary of the card. If and when a secure key needs to exist outside of the tamper-resistant hardware it should be encrypted under another key, usually the master key.

An enhancement to Central Processor Assist to Cryptographic Function (CPACF) is designed to help facilitate the continued privacy of cryptographic key material when used by the CPACF for high-performance data encryption. Leveraging the unique z/Architecture®, protected key CPACF helps to ensure that key material is not visible to applications or operating systems when used for encryption operations.

Protected key CPACF is designed to provide significant throughput improvements for large volumes of data and low latency for small blocks of data. In addition, an enhancement to the information management tool, IBM Encryption Tool for IMS™ and DB2® Databases, improves performance for protected key applications.

For Protected Key CPACF prerequisites, refer to the Software requirements section of this announcement.

Stronger cryptography encryption for TKE protocols inbound/outbound authentication

TKE uses cryptographic algorithms and protocols in communication with the target cryptographic adapters in the host systems it administers. Cryptography is first used to verify that each target adapter is a valid IBM cryptographic coprocessor. It then ensures there are secure messages between the TKE workstation and the target Crypto Express2 and Crypto Express3 feature.

The cryptography has been updated to keep pace with industry developments and with recommendations from experts and standards organizations.

The following enhancements have been made:

  • TKE Certificate Authorities (CAs) initialized on a TKE workstation with TKE 6.0 LIC can issue certificates with 2048-bit keys. Previous versions of TKE used 1024-bit keys.
  • The transport key used to encrypt sensitive data sent between the TKE workstation and a Crypto Express3 coprocessor has been strengthened from a 192-bit TDES key to a 256-bit AES key.
  • The signature key used by the TKE workstation and the Crypto Express3 coprocessor has been strengthened from 1024-bit to a maximum of 4096-bit strength.
  • Replies sent by a Crypto Express3 coprocessor on the host are signed with a 4096-bit key.

TKE smart card support

TKE 6.0 contains support to increase the key strength for TKE Certificate Authority (CA) smart cards, TKE smart cards, and signature keys stored on smart cards from 1024-bit to 2048-bit strength.

Only feature number 0884 smart cards with the feature number 0885 smart card reader support the creation of TKE CA smart cards, TKE smart cards, or signature keys with the new 2048-bit key strength. Existing feature number 0888 smart cards and feature number 0887 smart card readers are limited to 1024-bit key strengths.

Simplified key management with TKE 6.0 workstation

The feature number 0840 Trusted Key Entry (TKE) workstation and the feature number 0858 TKE 6.0 level of Licensed Internal Code are optional features on the System z10. The TKE 6.0 Licensed Internal Code (LIC) is loaded on the TKE workstation prior to shipment. The TKE workstation offers security-rich local and remote key management, providing authorized persons a method of operational and master key entry, identification, exchange, separation, and update. The TKE workstation supports connectivity to an Ethernet Local Area Network (LAN) operating at 10 or 100 Mbps. Up to ten TKE workstations can be ordered.

TKE feature number 0840 will be available on z9™ BC, z9 EC, z10 BC, and z10 EC servers, beginning January 1, 2010.

Common Criteria Evaluation Assurance Level 5 (EAL5)

The System z10 has Common Criteria Evaluation Assurance Level 5 (EAL5) certification for security of logical partitions. System z security is one of the many reasons why the world's top banks and retailers rely on the IBM mainframe to help secure sensitive business transactions.

Simplified usability with Crypto Express3 migration wizard

A wizard is now available to allow users to collect configuration data from a Crypto Express2 and Crypto Express3 coprocessor and migrate the data to a different Crypto Express coprocessor. The target Crypto Express coprocessor must have the same or greater capabilities.

Benefits of using this wizard include:

  • Reduces migration steps, thereby minimizing user errors
  • Minimizes the number of user "clicks"
  • Significantly reduces migration task duration

Usability enhancements with TKE 6.0

Trusted Key Entry (TKE) 6.0 Licensed Internal Code (LIC) includes domain grouping. This is a significant usability enhancement. The TKE 6.0 LIC provides capabilities for:

  • Grouping of up to 16 domains across one or more cryptographic adapters. These adapters may be installed in one or more servers or LPARs. Grouping of domains applies to Crypto Express3 and Crypto Express2 features.
  • Greater flexibility and efficiency by executing domain-scoped commands on every domain in the group. For example, a TKE user can load master key parts to all domains with one command.
  • Efficiency by executing Crypto Express2 and Crypto Express3 scoped commands on every coprocessor in the group. This allows a substantial reduction of the time required for loading new master keys from a TKE workstation into a Crypto Express3 or Crypto Express2 feature.

Networking

Response time improvements with OSA-Express3 optimized latency mode

Optimized latency mode (OLM) can help improve performance for z/OS workloads with demanding low-latency requirements. This includes interactive workloads such as SAP using DB2 Connect™. OLM can help improve performance for applications that have a critical requirement to minimize response times for inbound and outbound data when servicing remote clients. This enhancement applies exclusively to OSA-Express3 QDIO mode (CHPID type OSD).

For prerequisites, refer to the Software requirements section of this announcement.

HiperSockets network traffic analyzer (HS NTA)

Problem isolation and resolution can now be made simpler by an enhancement to the HiperSockets architecture. This function is designed to allow tracing of Layer 2 and Layer 3 HiperSockets network traffic. HS NTA allows Linux on System z to control the trace for the internal virtual LAN to capture the records into host memory and storage (file systems) using Linux on System z tools to format, edit, and process the trace records for analysis by system programmers and network administrators.

Configuration flexibility with four-port exploitation for OSA-ICC

Integrated Console Controllers (ICC) allow the System z10 to help reduce cost and complexity by eliminating the requirement for external console controllers.

You can now exploit the four ports on an OSA-Express3 1000BASE-T Ethernet feature (#3367) on the z10 EC and z10 BC, or the two ports on an OSA-Express3-2P 1000BASE-T on a z10 BC (#3369), when defining the feature as an Integrated Console Controller (OSA-ICC) for TN3270E, local non-SNA DFT, 3270 emulation, and 328x printer emulation. There are two PCI-E adapters per feature and two channel path identifiers (CHPIDs) to be assigned. Each PCI-E adapter has two ports, but prior to this only one of the two PCI-E adapter ports was available for use when defined as CHPID type OSC. Removal of this restriction can improve configuration flexibility by allowing the ability to connect two local LAN segments to each CHPID.

OSA-ICC continues to support 120 sessions per CHPID.

Four-port exploitation for OSA-Express3 1000BASE-T (feature number 3367) and two-port exploitation for OSA-Express3-2P 1000BASE-T (feature number 3369) for OSA-ICC will be available in the first quarter of 2010.

For prerequisites, refer to the Software requirements section of this announcement.

HMC/SE

New HMC security features

The Hardware Management Console (HMC) and Support Element (SE) versions 2.10.2 provide a new feature called Digitally Signed Firmware (Licensed Internal Code). This new feature provides the following benefits.

  • It helps ensure no malware can be installed on System z products during LICC updates.
  • It enables, with other existing security functions, System z10 CPACF functions to comply with Federal Information Processing Standard (FIPS) 140-2 Level 1 for Cryptographic Licensed Internal Code (LIC) changes.

This new Digitally Signed Firmware follows the System z focus of security for the Hardware Management Console and Support Element. More details of the security aspects of the Hardware Management Console and Support Element are described in the z10 publication System z Hardware Management Console Security, which can be found in the z10 Technical Notes area on IBM Resource Link™.

Serviceability enhancement for FICON channels

Problem determination can now be simplified by using the Hardware Management Console (HMC) to more quickly pinpoint fiber optic cabling issues in your Storage Area Network (SAN) fabric without IBM service personnel involvement.

All FICON channel error information is forwarded to the HMC where it is analyzed to help detect and report the trends and thresholds for all FICON channels on System z10. The Fibre Channel Analyzer task on the HMC can be used to display analyzed information about errors on FICON channels (CHPID type FC) of attached Support Elements. Data includes information about the PCHID, CHPID, channel type, source link address, and destination link address of where the error occurred. This report shows an aggregate view of the data and can span multiple systems.

Capacity on Demand

Improved Capacity for Planned Events options

Capacity for Planned Events (CPE) allows for the temporary access to dormant capacity intended to replace capacity lost within the enterprise due to a planned event such as a facility upgrade or system relocation. CPE is similar to CBU in that it can be used to replace lost capacity; however it differs in its scope and intent. Where CBU addresses disaster recovery scenarios that can take up to three months to remedy, CPE is intended for short-duration events like those previously mentioned.

CPE is changing with this announcement. CPE now allows you to select the capacity to meet your business needs rather than providing temporary access to all dormant capacity.

Improved Capacity for Planned Events options will be available December 31, 2009.

Parallel Sysplex and Server Time Protocol (STP)

Improved STP system management with new z/OS messaging

This new function is designed to generate z/OS messages when various hardware events that affect the External Time Sources (ETSs) configured for an STP-only Coordinated Timing Network (CTN) occur. This may improve problem determination and correction times. Previously, the messages were generated only on the Hardware Management Console (HMC).

The ability to generate z/OS messages is supported on IBM System z10 and System z9® servers with z/OS V1.11 with enabling support rolled back to z/OS V1.10 and V1.9.

Virtualization

Foundation for future virtualization growth with z/VM V6.1

Version 6 Release 1 (V6.1) is the newest version of z/VM and is intended to be the base for all future z/VM enhancements. This release implements a new Architecture Level Set (ALS) available only on the IBM System z10 Enterprise Class server and System z10 Business Class server and future generations of System z servers. System z10 technology together with z/VM V6.1:

  • Acknowledges the highly attractive economics of workload consolidation on the highly secure and reliable System z10 servers designed to reduce energy usage and save floor space
  • Allows z/VM to take advantage of newer hardware technology for future exploitation

Guest LAN and Virtual Switch support has been updated in z/VM V6.1 to use cache prefetch capabilities that are exclusive to the IBM System z10 and later platforms in order to give the hardware hints about likely memory access patterns. This enables the hardware to prefetch data into the processor cache so that the processor does not have to wait for data to be moved from main memory. Avoidance of a "cache miss" may help improve the performance of heavy guest-to-guest streaming workloads.

z/VM V6.1 is planned for availability October 23, 2009. More information about z/VM V6.1 can be found in "IBM z/VM V6.1 - Foundation for future virtualization growth," Software Announcement 209-401, dated October 20, 2009.

Accessibility by people with disabilities

A U.S. Section 508 Voluntary Product Accessibility Template (VPAT) containing details on accessibility compliance can be requested at

http://www.ibm.com/able/product_accessibility/index.html

Section 508 of the U.S. Rehabilitation Act

System z10 servers are capable on delivery, when used in accordance with IBM's associated documentation, of satisfying the applicable requirements of Section 508 of the Rehabilitation Act of 1973, 29 U.S.C. Section 794d, as implemented by 36 C.F.R. Part 1194, provided that any Assistive Technology used with the product properly interoperates with it.


 
Product positioning

The future does run on System z. The System z10 design quad-core processor chip represents a revolution in the IBM System z family of products. The new processor chip allows expanded scalability, and when combined with larger memory capacity, faster internal bandwidth, and more subcapacity options, it offers greater growth and enables consolidation on a new level. Businesses of all sizes can use the mainframe to run legacy work and should consider using their mainframe to run new applications using hundreds or thousands of virtual servers in a single energy-efficient server.

Protection of the IT infrastructure continues to be important. The System z10 processor chip has on-board cryptographic functions called CP Assist for Cryptographic Function (CPACF). These standard clear-key integrated cryptographic coprocessors provide high-speed cryptography for protecting data in storage. The new Protected Key CPACF is a blending of clear-key and secure-key cryptography and is intended to help facilitate the continued privacy of cryptographic key materials when used by the CPACF for high-performance data encryption. IBM announced Crypto Express3, a state-of-the-art, tamper-sensing and tamper-responding programmable cryptographic feature available for the System z10. Usability enhancements to the optional Trusted Key Entry (TKE) workstation enable the grouping of domains across multiple coprocessor features, helping to simplify the management and migration of coprocessor configuration with a new TKE Migration wizard.

IBM is strengthening the System z10 relationship with z/OS V1R11 Communications Server and the OSA-Express3 with this announcement. An enhancement may improve response time for interactive workloads when configuring the OSA-Express3 to operate in a new mode - optimized latency mode (OLM). This is intended to help reduce the cost of running applications that have a critical requirement to quickly send and receive data when communicating with a remote client.

The System z10 continues to stand by the Mainframe Charter announced in 2003. We continue to provide value to our customers with unique specialty engines, energy advantages, and generation-to-generation price/performance gains. We know that innovation matters to you and we have delivered new z10 processor chip performance, unmatched scalability from the smallest z10 BC to the largest z10 EC, just-in-time capacity, improvements in I/O and networking that allow for faster access to data, and unprecedented resiliency and security. We have a vibrant community with a strong Academic Initiative, new applications available using Linux® on System z, and over 6,300 applications available from over 1,700 ISVs. Our commitment delivers a compelling case for the future to run on the System z10.


 
Statement of general direction

Power Sequence Controller (PSC) feature quantities

The optional PSC feature provides the ability to turn on and off specific control units from the central processor complex (CPC). IBM intends to make three changes in the area of PSC support:

  1. IBM intends for System z10 to be the last platform to support greater than two Power Sequence Controller (PSC) features (#6501).
  2. Systems with water-cooling will further limit the maximum quantity of PSC features to one.
  3. IBM intends for System z10 to be the last platform to allow the PSC feature to be ordered individually when not part of a new-build server or when not part of a box MES order.

Support for optional overhead cabling

On future System z servers, IBM intends to support optional overhead cabling. This would be applicable to some data center environments and would apply to cabling for I/O (fiber optic and 1000BASE-T Ethernet). Overhead cabling is designed to provide an additional option and increased flexibility, to help remove floor hazards in a non-raised-floor environment, and to help increase air flow in a raised-floor environment.

Removal of specific smart card features

The IBM System z10 EC and System z10 BC will be the last platforms to support smart card feature number #0888 and the #0887 smart card reader. The #0888 smart card has been replaced by the #0884 smart card. The #0887 smart card reader has been replaced by the #0885 smart card reader. The #0885 smart card reader and the #0884 smart card were made available on October 28, 2008. Refer to "IBM System z10 Enterprise Class - The future runs on System z10, the future begins today," Hardware Announcement 108-794, dated October 21, 2008.

Customers should begin to migrate information from the #0888 smart card to the #0884 smart card to prepare for the change. Refer to the Trusted Key Entry PCIX Workstation User's Guide for instructions on how to make backups of TKE Certificate Authority (CA) smart cards and how to move key material from one TKE smart card to another.

Removal of Crypto Express2 feature

The IBM System z10 EC and z10 BC will be the last servers to offer Crypto Express2 (#0863) as a feature, either as part of a new-build order, or carried forward on an upgrade.

All statements regarding IBM's plans, directions, and intent are subject to change or withdrawal without notice. Any reliance on these statements of general direction is at the relying party's sole risk and will not create liability or obligation for IBM.


 
Reference information

More information on z/VM V6.1 can be found in "IBM z/VM V6.1 - Foundation for future virtualization growth," Software Announcement 209-401, dated October 20, 2009.


 
Product number

 
                                Machine
Description                     Type     Model  Feature
 
System z10 EC                   2097     E12
                                         E26
                                         E40
                                         E56
                                         E64
 
TKE 6.0 Workstation                             0840
TKE 6.0 LIC                                     0858
Crypto Express3                                 0864
1 CPE Capacity Unit                             0116
100 CPE Capacity Unit                           0117
10000 CPE Capacity Unit                         0118
1 CPE Capacity Unit-IFL                         0119
100 CPE Capacity Unit-IFL                       0120
1 CPE Capacity Unit-ICF                         0121
100 CPE Capacity Unit-ICF                       0122
1 CPE Capacity Unit-zAAP                        0123
100 CPE Capacity Unit-zAAP                      0124
1 CPE Capacity Unit-zIIP                        0125
100 CPE Capacity Unit-zIIP                      0126
1 CPE Capacity Unit-SAP                         0127
100 CPE Capacity Unit-SAP                       0128
 
 
System z10 BC                   2098     E10
 
TKE 6.0 Workstation                             0840
TKE 6.0 LIC                                     0858
Crypto Express3                                 0864
Crypto Express3-1P                              0871
1 CPE Capacity Unit                             0116
100 CPE Capacity Unit                           0117
10000 CPE Capacity Unit                         0118
1 CPE Capacity Unit-IFL                         0119
100 CPE Capacity Unit-IFL                       0120
1 CPE Capacity Unit-ICF                         0121
100 CPE Capacity Unit-ICF                       0122
1 CPE Capacity Unit-zAAP                        0123
100 CPE Capacity Unit-zAAP                      0124
1 CPE Capacity Unit-zIIP                        0125
100 CPE Capacity Unit-zIIP                      0126
1 CPE Capacity Unit-SAP                         0127
100 CPE Capacity Unit-SAP                       0128
 
 
System z9 BC                    2096     S07
                                         R07
 
TKE 6.0 Workstation                             0840
TKE 6.0 LIC                                     0858
 
 
System z9 EC                    2094     S08
                                         S18
                                         S28
                                         S38
                                         S54
 
TKE 6.0 Workstation                             0840
TKE 6.0 LIC                                     0858 

Business Partner information

If you are a Direct Reseller - System Reseller acquiring products from IBM, you may link directly to Business Partner information for this announcement. A PartnerWorld® ID and password are required (use IBM ID).

https://www.ibm.com/partnerworld/mem/sla.jsp?num=109-678

 
Education support

Visit the following Web site for additional information:

http://www.ibm.com/training/us

Call IBM IT Education Services at 800-IBM-TEACH (426-8322) for catalogs, schedules, and enrollments.


 
Publications

The following publications are available now in the Library section of Resource Link:

 
           Title                                        Order number
 
z10 EC System Overview                                  SA22-1084
z10 BC System Overview                                  SA22-1085
z10 EC Installation Manual for Physical Planning (IMPP) GC28-6865
z10 BC Installation Manual for Physical Planning (IMPP) GC28-6875
System z Functional Matrix                              ZSW0-1335
z10 PR/SM™ Planning Guide                               SB10-7153

The following publications are shipped with the product and available in the Library section of Resource Link:

 
           Title                                        Order number
 
System z Service Guide for TKE Workstations             GC28-6862
z10 EC Installation Manual                              GC28-6864
z10 EC Service Guide                                    GC28-6866
z10 EC Safety Inspection                                GC28-6870
z10 BC Installation Manual                              GC28-6874
z10 BC Safety Inspection                                GC28-6877
z10 BC Service Guide                                    GC28-6878
Systems Safety Notices                                  G229-9054
System z Statement of Limited Warranty                  GC28-6883 

The following publications will be available at planned availability in the Library section of Resource Link:

 
           Title                                        Order number
 
System z API for Java™                                  API-JAVA
System z Application Programming Interfaces             SB10-7030
System z HMC Operations Guide (Version 2.10.2)          SC28-6881
System z CIM Management Interface                       SB10-7154
System z CHPID Mapping Tool User's Guide                GC28-6825
System z Service Guide for HMCs and SEs                 GC28-6861
z10 Capacity on Demand User's Guide                     SC28-6871
z10 SE Operations Guide (Version 2.10.2)                SC28-6882 

Publications for System z10 can be obtained at Resource Link by accessing the following Web site:

http://www.ibm.com/servers/resourcelink

Using the instructions on the Resource Link panels, obtain a user ID and password. Resource Link has been designed for easy access and navigation.

The following IBM Redbooks® have been updated:

           Title                                       Order number
 
IBM System z Connectivity Handbook                     SG24-5444
IBM System z10 Enterprise Class Technical Introduction SG24-7515
IBM System z10 Enterprise Class Technical Guide        SG24-7516
IBM System z10 Business Class Technical Overview       SG24-7632 

For other IBM Redbooks publications, refer to

http://www.redbooks.ibm.com/

 
Services

Global Technology Services

IBM services include business consulting, outsourcing, hosting services, applications, and other technology management.

These services help you learn about, plan, install, manage, or optimize your IT infrastructure to be an On Demand Business. They can help you integrate your high-speed networks, storage systems, application servers, wireless protocols, and an array of platforms, middleware, and communications software for IBM and many non-IBM offerings. IBM is your one-stop shop for IT support needs.

For details on available services, contact your IBM representative or visit

http://www.ibm.com/services/

For details on available IBM Business Continuity and Recovery Services, contact your IBM representative or visit

http://www.ibm.com/services/continuity

For details on education offerings related to specific products, visit

http://www.ibm.com/services/learning/index.html

Select your country, and then select the product as the category.


 
Technical information

Specified operating environment

Hardware requirements

You should review the PSP buckets for minimum Machine Change Levels (MCLs) and software PTF levels before IPLing operating systems. To support new functions and features, MCLs are required.

Descriptions of the MCLs are available now through Resource Link.

Access Resource Link at

http://www.ibm.com/servers/resourcelink

Select: Fixes, Hardware, Exception Letters.

Click on System z10 EC or System z10 BC.

Click on Driver xxx Customer Exception Letter.

The most recent driver information is at the top of the list.

Peripheral hardware and device attachments

IBM devices previously attached to IBM System z9 and zSeries® servers are supported for attachment to System z10 channels, unless otherwise noted. The subject I/O devices must meet ESCON® or FICON/FCP architecture requirements to be supported. I/O devices that meet OEMI architecture requirements are supported only using an external converter. Prerequisite Engineering Change Levels may be required. For further detail, contact IBM service personnel.

While the System z10 supports devices as described above, IBM does not commit to provide support or service for an IBM device that has reached its End of Service effective date as announced by IBM.

Note: IBM cannot confirm the accuracy of performance, compatibility, or any other claims related to non-IBM products. Questions regarding the capabilities of non-IBM products should be addressed to the suppliers of those products.

Software requirements

Listed are the operating system minimum versions and releases. Select the releases appropriate to your operating system environments.

Note: Refer to the z/OS, z/VM, and z/VSE™ subsets of the 2097DEVICE and 2098DEVICE Preventive Service Planning (PSP) bucket prior to installing a System z10.

OSA-Express3 optimized latency mode (OLM) on System z10 requires at a minimum:

  • z/OS V1.11 with PTFs
  • z/VM V5.3 with PTFs for guest exploitation

OSA-Express3 1000BASE-T (#3367) and OSA-Express3-2P 1000BASE-T (#3369) CHPID type OSC supporting TN3270E and non-SNA DFT on System z10 requires at a minimum:

  • z/OS V1.7 with the IBM Lifecycle Extension for z/OS V1.7 (5637-A01)
  • z/OS V1.8 with the IBM Lifecycle Extension for z/OS V1.8 (5638-A01)
  • z/VM V5.3
  • z/VSE V4.1
  • TPF 4.1 and z/TPF 1.1

Crypto Express3 and Crypto Express3-1P on the System z10 require at a minimum:

  • z/OS:
  • z/VM V5.3 with PTFs for guest exploitation.
  • z/VSE V4.2 and IBM TCP/IP for VSE/ESA™ V1.5.0 with PTFs.
  • z/TPF V1.1 (acceleration mode only).
  • Linux on System z distributions:
    • Current Novell SUSE and Red Hat distributions support the same functionality as Crypto Express2. Secure key is not supported.

Note: Crypto Express3-1P is available only on the System z10 BC.

Note: z/VSE supports clear-key RSA operations only. z/VM V5.3 and later support clear- and secure-key operations.

z/VM support for Crypto Express3 on System z10 requires at a minimum z/VM V5.3 with PTFs, planned to be available in November 2009. It is intended to provide:

  • The ability to dedicate any available domain to a guest for clear-key and secure-key cryptographic functions.
  • The ability for guests to share all available, non-dedicated domains for clear-key cryptographic functions.
  • Enhancements to the CP QUERY CRYPTO APQS command to display information about both shared and dedicated cryptographic domains. Prior to this enhancement, the command displayed user information only for dedicated domains.

Each Crypto Express2 and Crypto Express3 feature contains two cryptographic coprocessors, each with 16 cryptographic domains. Up to 256 domains can be configured for use within a single z/VM system.

Each Crypto Express2-1P and Crypto Express3-1P feature contains a single cryptographic coprocessor with support for 16 cryptographic domains. Up to 128 domains can be configured for use within a single z/VM system when using 1P.

CP Assist for Cryptographic Function (CPACF) (#3863) on the System z10 requires at a minimum:

  • z/OS
  • z/VSE V4.1 and IBM TCP/IP for VSE/ESA V1.5.0 with PTFs.
  • z/VM V5.3.
  • z/TPF V1.1.
  • TPF V4.1.
  • Linux on System z distributions:
    • Current releases of Red Hat and Novell SUSE.

Protected Key CP Assist for Cryptographic Function (CPACF) on the System z10 requires at a minimum:

  • z/OS:
  • Linux on System z - IBM is working with its Linux distribution partners to include support in future Linux on System z distribution releases.

STP System Management with new z/OS Messaging on System z10 requires at a minimum:

  • z/OS V1.11
  • z/OS V1.9 and V1.10 with PTFs

Planning information

Customer responsibilities

Information on customer responsibilities for site preparation can be found in the Library section of Resource Link at

http://www.ibm.com/servers/resourcelink

Cable orders

Fiber optic cable orders

Fiber optic cables for the z10 EC, z10 BC, z9 EC, z9 BC, z990, and z890 are available from IBM Site and Facilities Services.

IBM Site and Facilities Services has a comprehensive set of scalable solutions to address IBM cabling requirements, from product-level to enterprise-level. The IBM Facilities Cabling Services - fiber transport system and the IBM IT Facilities Assessment, Design, and Construction Services - optimized airflow assessment for cabling, offered by IBM Site and Facilities Services, provide services for small, medium, and large enterprises:

  • Assessment and planning for IBM Fiber Transport System (FTS) trunking components
  • Planning and installation services for individual fiber optic connections

IBM Global Technology Services has the expertise and personnel available to effectively plan and deploy the appropriate cabling with the future in mind. These services may include assessment, planning, consultation, cable selection, installation, and documentation, depending upon the services selected.

These services are designed to be right-sized for your products or the end-to-end enterprise, and to take into consideration the requirements for all of the protocols and media types supported on the System z10, System z9, and zSeries (ESCON, FICON, Coupling Links, and OSA) whether the focus is the data center, the Storage Area Network (SAN), the Local Area Network (LAN), or the end-to-end enterprise.

IBM Site and Facilities Services is designed to deliver convenient, packaged services to help reduce the complexity of planning, ordering, and installing fiber optic cables. The appropriate fiber cabling is selected based upon the product requirements and the installed fiber plant.

The services are packaged as follows:

Under IBM Facilities Cabling Services there is the option to provide IBM Fiber Transport System (FTS) trunking commodities (fiber optic trunk cables, fiber harnesses, and panel-mount boxes) for connecting to the z10 EC, z10 BC, z9 EC, z9 BC, z990, and z890. IBM can reduce the cable clutter and cable bulk under the floor. An analysis of the channel configuration and any existing fiber optic cabling is performed to determine the required FTS trunking commodities. IBM can also help organize the entire enterprise. This option includes enterprise planning, new cables, fiber optic trunking commodities, installation, and documentation.

Under IBM IT Facilities Assessment, Design, and Construction Services there is the option to provide the optimized airflow assessment for cabling to provide you with a comprehensive review of your existing data center cabling infrastructure. This service provides an expert analysis of the overall cabling design required to help improve data center airflow for optimized cooling, and to facilitate operational efficiency through simplified change management.

Contact IBM Global Technology Services for details.

Refer to the services section of Resource Link for further details. Access Resource Link at

http://www.ibm.com/servers/resourcelink

Cabling responsibilities

Fiber optic cables, cable planning, labeling, and placement are all customer responsibilities for new installations and upgrades. Fiber optic conversion kits and Mode Conditioning Patch (MCP) cables are not orderable as features on a z10 EC and z10 BC. Installation Planning Representatives (IPRs) and System Service Representatives (SSRs) will not perform the fiber optic cabling tasks without a services contract.

The following tasks are required to be performed by the customer prior to machine installation:

  • All fiber optic cable planning.
  • All purchasing of correct fiber optic cables.
  • All installation of any required Mode Conditioning Patch (MCP) cables.
  • All installation of any required Conversion Kits.
  • All routing of fiber optic cables to correct floor cutouts for proper installation to server.
    • Use the Physical Channel Identifier (PCHID) report or the report from the Channel Path Identifier (CHPID) Mapping Tool to accurately route all cables.
  • All labeling of fiber optic cables with PCHID numbers for proper installation to server.
    • Use the PCHID report or the report from the CHPID Mapping Tool to accurately label all cables.

Additional service charges may be incurred during the server installation if the above cabling tasks are not accomplished as required.

Fiber Quick Connect (FQC), a fiber harness integrated in the z10 EC and z10 BC frame for "quick" connect, is offered as a feature on the z10 EC and z10 BC for connection to ESCON and FICON LX channels.

Cables for ICB links continue to be available as features. Refer to the Special features section of the Sales Manual on the Web for a list of these features and cables for ICB links:

http://www.ibm.com/common/ssi/OIX.wss

For further details also refer to the Installation Manual for Physical Planning (IMPP), available on Resource Link.

Note: IBM Site and Facilities Services can satisfy your fiber optic as well as your copper cabling requirements.

Security, auditability, and control

The z10 EC and z10 BC use the security and auditability features and functions of host hardware, host software, and application software.

The customer is responsible for evaluation, selection, and implementation of security features, administrative procedures, and appropriate controls in application systems and communications facilities.


 
IBM Electronic Services

IBM has transformed its delivery of hardware and software support services to help you achieve higher system availability. Electronic Services is a Web-enabled solution that offers an exclusive, no-additional-charge enhancement to the service and support available for IBM servers. These services are designed to provide the opportunity for greater system availability with faster problem resolution and preemptive monitoring. Electronic Services comprises two separate, but complementary, elements: Electronic Services news page and Electronic Services Agent.

The Electronic Services news page is a single Internet entry point that replaces the multiple entry points traditionally used to access IBM Internet services and support. The news page enables you to gain easier access to IBM resources for assistance in resolving technical problems.

The Electronic Service Agent™ is no-additional-charge software that resides on your server. It monitors events and transmits system inventory information to IBM on a periodic, client-defined timetable. The Electronic Service Agent automatically reports hardware problems to IBM. Early knowledge about potential problems enables IBM to deliver proactive service that may result in higher system availability and performance. In addition, information collected through the Service Agent is made available to IBM service support representatives when they help answer your questions or diagnose problems. Installation and use of IBM Electronic Service Agent for problem reporting enables IBM to provide better support and service for your IBM server.

To learn how Electronic Services can work for you, visit

http://www.ibm.com/support/electronic

 
Terms and conditions

MES discount applicable

No

Field installable feature

Yes

Warranty period

One year

Features assume the same warranty or maintenance terms as the machine in which they are installed for the full warranty or maintenance period announced for such machine.

Customer setup

No

Machine code

Same license terms and conditions as base machine


 
Prices

For all charges, contact your IBM representative.

                    Mach                  EW MMMC    Init/
Description         type     Mod Feat  ** Fe indicat MES
 
System z10 EC       2097     E12                X
                             E26                X
                             E40                X
                             E56                X
                             E64                X
 
TKE 6.0 Workstation              0840  **            Both
TKE 6.0 LIC                      0858  **            Both
Crypto Express3                  0864  **            Both
1 CPE Capacity Unit              0116  **            Both
100 CPE Capacity Unit            0117  **            Both
10000 CPE Capacity Unit          0118  **            Both
1 CPE Capacity Unit-IFL          0119  **            Both
100 CPE Capacity Unit-IFL        0120  **            Both
1 CPE Capacity Unit-ICF          0121  **            Both
100 CPE Capacity Unit-ICF        0122  **            Both
1 CPE Capacity Unit-zAAP         0123  **            Both
100 CPE Capacity Unit-zAAP       0124  **            Both
1 CPE Capacity Unit-zIIP         0125  **            Both
100 CPE Capacity Unit-zIIP       0126  **            Both
1 CPE Capacity Unit-SAP          0127  **            Both
100 CPE Capacity Unit-SAP        0128  **            Both

                    Mach                  EW MMMC    Init/
Description         type     Mod Feat  ** Fe indicat MES
 
System z10 BC       2098     E10                X
 
TKE 6.0 Workstation              0840  **            Both
TKE 6.0 LIC                      0858  **            Both
Crypto Express3                  0864  **            Both
Crypto Express3-1P               0871  **            Both
1 CPE Capacity Unit              0116  **            Both
100 CPE Capacity Unit            0117  **            Both
10000 CPE Capacity Unit          0118  **            Both
1 CPE Capacity Unit-IFL          0119  **            Both
100 CPE Capacity Unit-IFL        0120  **            Both
1 CPE Capacity Unit-ICF          0121  **            Both
100 CPE Capacity Unit-ICF        0122  **            Both
1 CPE Capacity Unit-zAAP         0123  **            Both
100 CPE Capacity Unit-zAAP       0124  **            Both
1 CPE Capacity Unit-zIIP         0125  **            Both
100 CPE Capacity Unit-zIIP       0126  **            Both
1 CPE Capacity Unit-SAP          0127  **            Both
100 CPE Capacity Unit-SAP        0128  **            Both

                    Mach                  EW MMMC    Init/
Description         type     Mod Feat  ** Fe indicat MES
 
System z9 BC        2096     S07                X
                             R07
 
TKE 6.0 Workstation              0840  **            Both
TKE 6.0 LIC                      0858  **            Both 

                    Mach                  EW MMMC    Init/
Description         type     Mod Feat  ** Fe indicat MES
 
System z9 EC        2094     S08                X
                             S18
                             S28
                             S38
                             S58
 
TKE 6.0 Workstation              0840  **            Both
TKE 6.0 LIC                      0858  **            Both 

** If field installed on a purchased machine, parts removed or replaced become the property of IBM and must be returned.

Trademarks

IMS, z9, DB2 Connect, Resource Link, PR/SM, z/VSE, VSE/ESA and Electronic Service Agent are trademarks of IBM Corporation in the United States, other countries, or both.

IBM, z/OS, FICON, z/VM, System z, z/Architecture, DB2, System z9, PartnerWorld, Redbooks, zSeries and ESCON are registered trademarks of IBM Corporation in the United States, other countries, or both.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Other company, product, and service names may be trademarks or service marks of others.

Terms of use

IBM products and services which are announced and available in your country can be ordered under the applicable standard agreements, terms, conditions, and prices in effect at the time. IBM reserves the right to modify or withdraw this announcement at any time without notice. This announcement is provided for your information only. Additional terms of use are located at

http://www.ibm.com/legal/us/en/

For the most current information regarding IBM products, consult your IBM representative or reseller, or visit the IBM worldwide contacts page

http://www.ibm.com/planetwide/us/

 
