signatures, and the management of cryptographic keys. These functions are provided via APIs intended to deliver the highly scalable and available security features of z/OS and the zSeries servers. Together with the cryptography features of the IBM zSeries servers, z/OS is designed to provide high-performance SSL, which can benefit applications that use System SSL, such as the z/OS HTTP Server and WebSphere, TN3270, and CICS Transaction Gateway server.
ICSF provides support for the z990 and z890 PCIX Cryptographic Coprocessor (PCIXCC), a replacement for the PCICC and the CMOS Cryptographic Coprocessor Facility that were found on the z900 and z800. All of the equivalent PCICC functions offered on the PCIXCC are expected to be implemented with higher performance. In addition, PCIXCC implements the functions of the CMOS Cryptographic Coprocessor Facility used by known applications. PCIXCC supports secure cryptographic functions, use of secure encrypted key values and user-defined extensions.
PKI Services
PKI Services is a z/OS component that provides a complete Certificate Authority (CA) package for full certificate life cycle management. Customers can be their own Certificate Authority, with the scale and availability provided by z/OS. This can result in significant savings over third-party options.
• User request driven via customizable Web pages for browser or server certificates
• Automatic or administrator approval process administered via the same Web interface
• End user / administrator revocation process
• Certificate validation service for z/OS applications
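The four steps listed above (request, approval and issuance, revocation, validation) can be followed end to end in the following Go program. It is an added example, not PKI Services code or any IBM interface: the MiniCA type, its methods and the host names are constructed for illustration, everything is kept in memory, and only Go's standard crypto/x509 package is used. Approval is automatic, and the request arrives as a public key rather than a signed CSR.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// MiniCA is a constructed, illustrative in-memory CA; it models no PKI Services or z/OS interface.
type MiniCA struct {
	Cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	nextSN  int64
	revoked []pkix.RevokedCertificate
}

// NewKey generates a P-256 key pair (used by the CA and by requesters).
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// template fills the fields every certificate needs; callers add role-specific ones.
func template(serial int64, cn string, ttl time.Duration) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl),
	}
}

// sign creates a certificate from tmpl under the parent's key and parses it back.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewMiniCA creates a self-signed root entitled to sign certificates and CRLs.
func NewMiniCA() (*MiniCA, error) {
	key, err := NewKey()
	if err != nil {
		return nil, err
	}
	tmpl := template(1, "Example Root CA", 24*time.Hour)
	tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	return &MiniCA{Cert: cert, key: key, nextSN: 2}, err // a non-nil err means the CA is unusable
}

// Issue is the approval step: sign a short-lived server certificate for the requester's key and host name.
func (ca *MiniCA) Issue(dnsName string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := template(ca.nextSN, dnsName, 12*time.Hour)
	tmpl.DNSNames, tmpl.ExtKeyUsage = []string{dnsName}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	ca.nextSN++
	return sign(tmpl, ca.Cert, pub, ca.key)
}

// Revoke records the serial number; it appears in every CRL signed afterwards.
func (ca *MiniCA) Revoke(c *x509.Certificate) {
	ca.revoked = append(ca.revoked, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
}

// CRL signs a fresh certificate revocation list (DER) with the CA key.
func (ca *MiniCA) CRL() ([]byte, error) {
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(time.Now().UnixNano()), // a real CA keeps a monotonic counter
		ThisUpdate:          time.Now(),
		NextUpdate:          time.Now().Add(time.Hour),
		RevokedCertificates: ca.revoked,
	}, ca.Cert, ca.key)
}

// Validate is the validation-service side: chain to the root, check name and key usage, then the signed CRL.
func Validate(root, c *x509.Certificate, dnsName string, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, DNSName: dnsName, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if _, err := c.Verify(opts); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(root); err != nil { // never trust an unsigned or foreign CRL
		return err
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(c.SerialNumber) == 0 {
			return errors.New("certificate is revoked")
		}
	}
	return nil
}
```

Validate is written from the relying party's side: it builds the chain to the trusted root, checks the host name and extended key usage, and only then consults a CRL whose signature it verifies before believing its contents. A typical sequence is ca.Issue, publish ca.CRL(), later ca.Revoke followed by a fresh ca.CRL(); a CRL signed before the revocation still passes the certificate, which is why the NextUpdate field and CRL freshness matter to whoever validates.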
Firewall
• Firewall Technologies provide sysplex-wide Security Association Support: This function is designed to enable VPN (virtual private network) security associations to be dynamically reestablished on a backup processor in a sysplex when a Dynamic Virtual IP Address (DVIPA) takeover occurs. When the Dynamic Virtual IP Address give-back occurs, the security association is designed to be reestablished on the original processor in the sysplex. When used in conjunction with z/OS Communications Server’s TCP/IP DVIPA takeover/give-back capability, this function provides customers with improved availability of IPSec security associations.
Network Authentication Service
• Network Authentication Service provides authentication, delegation and data confidentiality services that are interoperable with other industry implementations based on the MIT Kerberos V5 reference implementation. Network Authentication Service, administered with RACF commands, supports both the native Kerberos API functions and the GSS-API Kerberos security mechanism, and does not require DCE.
• IPv6 is supported by Kerberos in z/OS 1.4 for improved network security scalability
• Kerberos in z/OS 1.4 provides an alternative database to RACF by offering support for its own registry database using the UNIX System Services NDBM (New Database Manager) support. NDBM provides full Kerberos administration support.