Support for IPv6 and 64-bit addressing

Peer-to-peer replication provides failover support for server availability. If a primary master server fails, there is now a backup master to which LDAP operations can be directed.

Large group support helps improve LDAP server performance when maintaining large access groups containing many members.

ICSF

Integrated Cryptographic Service Facility (ICSF) is a part of z/OS which provides cryptographic functions for data security, data integrity, personal identification, digital signatures, and the management of cryptographic keys. These functions are provided via APIs intended to deliver the highly scalable and available security features of z/OS and the zSeries servers. Together with cryptography features of zSeries servers, z/OS is designed to provide high performance SSL, which can benefit applications that use System SSL, such as the z/OS HTTP Server and WebSphere, TN3270, and CICS Transaction Gateway server.

ICSF provides support for the z990 and z890 PCIX Cryptographic Coprocessor (PCIXCC), a replacement for the PCICC and the CMOS Cryptographic Coprocessor Facility that were found on the z900 and z800. All of the equivalent PCICC functions offered on the PCIXCC are expected to be implemented with higher performance. In addition, PCIXCC implements the functions on the CMOS Cryptographic Coprocessor Facility used by known applications. PCIXCC supports secure cryptographic functions, use of secure encrypted key values and user-defined extensions.

PKI Services

PKI Services is a z/OS component that provides a complete Certificate Authority (CA) package for full certificate life cycle management. Customers can be their own Certificate Authority, with the scale and availability provided by z/OS. This can result in significant savings over third party options.

User request driven via customizable Web pages for browser or server certificates

Automatic or administrator approval process administered via same Web interface

End user / administrator revocation process

Certificate validation service for z/OS applications

Firewall

Firewall Technologies provide sysplex-wide Security Association Support: This function is designed to enable VPN (virtual private network) security associations to be dynamically reestablished on a backup processor in a sysplex when a Dynamic Virtual IP Address (DVIPA) takeover occurs. When the Dynamic Virtual IP Address give-back occurs, the security association is designed to be reestablished on the original processor in the sysplex. When used in conjunction with z/OS Communications Server’s TCP/IP DVIPA takeover/give-back capability, this function provides customers with improved availability of IPSec security associations.

IBM z/OS manual PKI Services, Firewall