signatures, and the management of cryptographic keys. These functions are provided via APIs intended to deliver the highly scalable and available security features of z/OS and the zSeries servers. Together with the cryptography features of the IBM zSeries servers, z/OS is designed to provide high-performance SSL, which can benefit applications that use System SSL, such as the z/OS HTTP Server and WebSphere, TN3270, and the CICS Transaction Gateway server.

ICSF provides support for the z990 and z890 PCIX Cryptographic Coprocessor (PCIXCC), a replacement for the PCICC and the CMOS Cryptographic Coprocessor Facility that were found on the z900 and z800. All of the equivalent PCICC functions offered on the PCIXCC are expected to be implemented with higher performance. In addition, PCIXCC implements the functions of the CMOS Cryptographic Coprocessor Facility used by known applications. PCIXCC supports secure cryptographic functions, the use of secure encrypted key values, and user-defined extensions.

PKI Services

PKI Services is a z/OS component that provides a complete Certificate Authority (CA) package for full certificate life cycle management. Customers can be their own Certificate Authority, with the scale and availability provided by z/OS. This can result in significant savings over third-party options.

User request driven via customizable Web pages for browser or server certificates

Automatic or administrator approval process administered via the same Web interface

End user / administrator revocation process

Certificate validation service for z/OS applications

Firewall

Firewall Technologies provide sysplex-wide Security Association Support: this function is designed to enable VPN (virtual private network) security associations to be dynamically reestablished on a backup processor in a sysplex when a Dynamic Virtual IP Address (DVIPA) takeover occurs. When the Dynamic Virtual IP Address give-back occurs, the security association is designed to be reestablished on the original processor in the sysplex. When used in conjunction with z/OS Communications Server's TCP/IP DVIPA takeover/give-back capability, this function provides customers with improved availability of IPSec security associations.

Network Authentication Service

Network Authentication Service provides authentication, delegation and data confidentiality services that are interoperable with other industry implementations based on the MIT Kerberos V5 reference implementation. Network Authentication Service, administered with RACF commands, supports both the native Kerberos API functions and the GSS-API Kerberos security mechanism, and does not require DCE.

IPv6 supported by Kerberos with z/OS 1.4 for improved network security scalability

Kerberos in z/OS 1.4 provides an alternative database to RACF by offering support for its own registry database using the UNIX System Services NDBM (New Database Manager) support. NDBM provides full Kerberos administration support.

IBM 890 manual PKI Services, Firewall, Network Authentication Service