IBM 890 manual, page 71 of 94: LDAP, ICSF

z/OS System SSL lets an application create multiple SSL environments within a single process. An application can therefore modify environment attributes without terminating any SSL sessions already underway.

IPv6 Support: This support allows System SSL to be used in an IPv6 network configuration. It also enables System SSL to support both IPv4 and IPv6 Internet Protocol addresses.

Performance is improved with CRL Caching: System SSL supports certificate revocation lists (CRLs) stored in an LDAP server. Without caching, every certificate validation makes a request to the LDAP server to retrieve the CRLs. CRL Caching enables applications to request that the retrieved CRLs be cached for a defined length of time. The trade-off is that a revocation published during that time is not seen until the cached copy expires, so the caching period should be chosen with the CRL's own update interval in mind.

Support for the AES Symmetric Cipher for SSL V3 and TLS Connections: System SSL supports the Advanced Encryption Standard (AES), which provides data encryption using 128-bit or 256-bit keys for SSL V3.0 and TLS V1.0 connections.

Support for DSS (Digital Signature Standard) Certificates: System SSL has been enhanced to support Digital Signature Standard certificates as defined by the FIPS (Federal Information Processing Standard) 186-1 standard.

System SSL Support for RSA Private Keys Stored in ICSF: With z/OS 1.4, support is introduced that allows a certificate's private key to reside in ICSF, lifting the restriction that the private key had to reside in the RACF database.

Failover LDAP provides greater availability: You can now specify a list of Security Server LDAP servers to be used for storing certificate revocation lists (CRLs). When certificate validation is being performed, this list is used to determine which LDAP server to connect to for the CRL information.
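The two CRL features above, caching a retrieved CRL for a defined length of time and walking an ordered list of LDAP servers until one answers, naturally combine in one lookup routine. The Python below is an added illustration and not System SSL's own code: the LDAP search is modelled by a `fetch` callback over constructed in-memory data, and the server names, issuer DN, serial numbers and TTL are made up. It also applies one check the page does not spell out but any validator needs: a cached CRL is never used past its nextUpdate, whatever TTL the application asked for.

```python
"""Model of CRL caching plus LDAP failover (hypothetical, not z/OS System SSL code)."""
import time
from dataclasses import dataclass


class CrlLookupError(Exception):
    """No usable CRL could be obtained from any configured server."""


@dataclass(frozen=True)
class Crl:
    issuer: str
    this_update: float     # seconds since the epoch, like X.509 thisUpdate
    next_update: float     # X.509 nextUpdate: the CRL must not be trusted past this
    revoked: frozenset     # revoked certificate serial numbers


class CachingCrlClient:
    """CRL lookups over an ordered failover list of servers, with a bounded cache.

    fetch(server, issuer) stands in for the LDAP search (hypothetical callback);
    it returns a Crl or raises CrlLookupError if that server cannot serve it.
    """

    def __init__(self, servers, fetch, cache_ttl, clock=time.time):
        self.servers = list(servers)
        self.fetch = fetch
        self.cache_ttl = cache_ttl
        self.clock = clock
        self._cache = {}      # issuer -> (Crl, cache expiry time)
        self.attempts = []    # (server, issuer) for every directory call made

    def get_crl(self, issuer):
        now = self.clock()
        cached = self._cache.get(issuer)
        if cached is not None and now < cached[1]:
            return cached[0]                       # no directory round trip
        errors = []
        for server in self.servers:                # failover: first server that answers wins
            self.attempts.append((server, issuer))
            try:
                crl = self.fetch(server, issuer)
            except CrlLookupError as exc:
                errors.append(f"{server}: {exc}")
                continue
            if not crl.this_update <= now < crl.next_update:
                errors.append(f"{server}: CRL outside its validity window")
                continue
            # Never cache past nextUpdate, however long the configured TTL is.
            expires = min(now + self.cache_ttl, crl.next_update)
            self._cache[issuer] = (crl, expires)
            return crl
        raise CrlLookupError("; ".join(errors))

    def is_revoked(self, issuer, serial):
        return serial in self.get_crl(issuer).revoked


class FakeClock:
    """Deterministic clock so the walk-through below is reproducible."""
    def __init__(self, start):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


def make_fetch(directory):
    """directory: server name -> {issuer: Crl}; a server absent from it is 'down'."""
    def fetch(server, issuer):
        if server not in directory:
            raise CrlLookupError("connection refused")
        if issuer not in directory[server]:
            raise CrlLookupError("no CRL entry for issuer")
        return directory[server][issuer]
    return fetch


def demo():
    """Failover, then a cache hit, then expiry at nextUpdate; returns what was observed."""
    issuer = "CN=Example CA,O=Example"                    # constructed sample data
    clock = FakeClock(1_000_000.0)
    crl = Crl(issuer, this_update=clock.now - 3600, next_update=clock.now + 1800,
              revoked=frozenset({0x1001, 0x1002}))
    fetch = make_fetch({"ldap2.example.com": {issuer: crl}})   # ldap1 is down
    client = CachingCrlClient(["ldap1.example.com", "ldap2.example.com"], fetch,
                              cache_ttl=3600, clock=clock)
    first = client.is_revoked(issuer, 0x1001)      # ldap1 fails, ldap2 answers, cache filled
    after_failover = len(client.attempts)
    second = client.is_revoked(issuer, 0x2000)     # served from cache, no new attempts
    after_hit = len(client.attempts)
    clock.advance(1800)                            # nextUpdate reached: entry lapses early
    try:
        client.is_revoked(issuer, 0x1001)          # refetch finds the CRL expired
        expired_rejected = False
    except CrlLookupError:
        expired_rejected = True
    return {"first_revoked": first, "second_revoked": second,
            "attempts_after_failover": after_failover, "attempts_after_hit": after_hit,
            "attempts_total": len(client.attempts), "expired_rejected": expired_rejected}


if __name__ == "__main__":
    print(demo())
```

Note that the cache entry lapses after 1800 seconds even though the application asked for 3600, because the CRL's nextUpdate comes first; a cache that honoured only the requested TTL would keep trusting a list its issuer no longer stands behind.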

Simplified administration with the ability to export and import certificate chains using PKCS#7 format files.

LDAP

z/OS provides industry-standard Lightweight Directory Access Protocol (LDAP) services. Client access to information in multiple directories is supported through the LDAP protocol. The LDAP server now supports thousands of concurrent clients, increasing the maximum number of concurrently connected clients by an order of magnitude.

Enhancements:

Mandatory Authentication Methods (required by IETF RFC 2829) are supported in z/OS 1.4: The CRAM-MD5 and DIGEST-MD5 authentication methods have been added. These challenge-response methods avoid flowing the user's password over the connection to the server. The LDAP server, the C/C++ APIs, and the utilities are updated with this support. Interoperability is improved for any applications that make use of these methods.
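To show how a challenge-response method keeps the password off the wire, here is CRAM-MD5 (RFC 2195), the simpler of the two, in Python as an added example; it is not the z/OS LDAP server's code, and the host name, user directory and the "S:"/"C:" transcript format are constructed for illustration. DIGEST-MD5 follows the same principle with a more elaborate digest over more fields.

```python
"""CRAM-MD5 (RFC 2195) challenge/response as used by an LDAP SASL bind. Added example."""
import hashlib
import hmac
import secrets
import time


def make_challenge(host):
    """Server side: fresh, unpredictable challenge in the RFC 2195 '<random.time@host>' form."""
    return f"<{secrets.randbits(64)}.{int(time.time())}@{host}>".encode()


def cram_md5_response(username, password, challenge):
    """Client side: prove knowledge of the password by keying HMAC-MD5 with it."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode()


def verify_response(response, challenge, lookup_password):
    """Server side: recompute the HMAC from the stored password, compare in constant time.

    Returns the authenticated user name, or None on any failure.
    """
    try:
        username, digest = response.decode().rsplit(" ", 1)
    except ValueError:
        return None
    stored = lookup_password(username)
    if stored is None:
        return None
    expected = hmac.new(stored.encode(), challenge, hashlib.md5).hexdigest()
    return username if hmac.compare_digest(expected, digest) else None


def sasl_bind(username, password, server_passwords, host="ldap.example.com"):
    """One exchange; returns (authenticated user or None, the two wire messages)."""
    challenge = make_challenge(host)
    response = cram_md5_response(username, password, challenge)
    user = verify_response(response, challenge, server_passwords.get)
    return user, [b"S: " + challenge, b"C: " + response]


# Constructed user directory. The server must hold the password itself (or an
# equivalent HMAC key): the price of this mechanism, and why SCRAM later replaced it.
USERS = {"tim": "tanstaaftanstaaf"}


def password_on_wire(transcript, password):
    """True if the cleartext password appears in any message of the exchange."""
    return any(password.encode() in line for line in transcript)


def replay_fails(username, password, host="ldap.example.com"):
    """A response captured for one challenge is useless against a fresh challenge."""
    old = make_challenge(host)
    captured = cram_md5_response(username, password, old)
    fresh = make_challenge(host)
    return verify_response(captured, fresh, USERS.get) is None


if __name__ == "__main__":
    user, transcript = sasl_bind("tim", "tanstaaftanstaaf", USERS)
    print("authenticated as:", user)
    for line in transcript:
        print(line.decode())
    print("password visible on wire:", password_on_wire(transcript, "tanstaaftanstaaf"))
    print("replay rejected:", replay_fails("tim", "tanstaaftanstaaf"))
```

The exchange protects the password from a passive observer only; it does not authenticate the server or protect the rest of the session, which is why it is normally combined with TLS as described in the next item.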

TLS: z/OS LDAP now provides support for TLS (Transport Layer Security) as defined in IETF RFC 2830 as an alternative to SSL support. It also provides support, via the Start TLS LDAP extended operation, for applications to selectively activate TLS for certain LDAP operations at the application's discretion. Anything sent before the Start TLS exchange completes, including a simple bind, still travels in the clear.

Support for IPv6 and 64-bit addressing

Peer-to-peer replication provides failover support for server availability: if the primary master server fails, LDAP operations can be directed to a backup master.

Large group support helps improve LDAP server performance when maintaining large access groups containing many members.

ICSF

Integrated Cryptographic Service Facility (ICSF) is a part of z/OS which provides cryptographic functions for data security, data integrity, personal identification, digital
