Advertisement
Server is planned to support both 128-bit and 256-bit key lengths for these
algorithms.
– Support for the use of Hashed Message Authentication Mode (HMAC) in
conjunction with the SHA-256, SHA-384, and SHA-512 algorithms. These
algorithms are intended to be used as the basis for data origin authentication
and integrity verification. The new algorithms, HMAC-SHA-256-128, HMAC-
SHA-384-192, and HMAC-SHA-512-256, are designed to help ensure that data
is authentic and has not been modified in transit. Versions of these algorithms
that are not truncated are available as Pseudo-Random Functions (PRFs). These
algorithms are called PRF-HMAC-SHA-256, PRF-HMAC-SHA-384, and PRF-
HMAC-SHA-512
– Support for an authentication algorithm, AES128-XCBC-96, that can help ensure
data is authentic and not modified in transit.
– Support for Elliptic Curve Digital Signature Algorithm (ECDSA) authentication.
– Support for Elliptic Curve Diffie-Hellman (ECDH) key agreement
• z/OS Communications Server IPSec and IKE support is planned to leverage z/
OS cryptographic modules that are designed to address the Federal Information
Processing Standard (FIPS) 140-2 security requirements for cryptographic
modules. FIPS 140 defines a set of security requirements for cryptographic
modules to obtain higher degrees of assurance regarding the integrity of those
modules. FIPS 140-2 provides four increasing, qualitative levels of security
intended to cover a wide range of potential applications and environments. z/OS
V1.12 Communications Server support is planned to be configurable such that it
will only utilize underlying security modules (System SSL and ICSF's PKCS #11
capabilities) that are operating in FIPS 140 mode. System SSL and ICSF's PKCS
#11 capabilities) are designed to address the requirements for FIPS 140-2 level 1.
• RFC 4301 compliance for IPSec filter rules is planned to become mandatory.
RFC 4301 "Security Architecture for the Internet Protocol" specifies the base
architecture for IPSec-compliant systems, including restrictions on the routing of
fragmented packets. Compliance enforcement may require minor changes to IP
filters for IP traffic that is routed through z/OS. The Configuration Assistant will be
designed to identify any non-compliant IP filters and policy agent will not install an
IPSec policy that contains any non-compliant IP filters.
• In prior releases, System SSL supported X.509 certificates with RSA key sizes
up to 2048 bits for use in PKCS#11 tokens. In V1.12, System SSL gskkyman
is planned to be enhanced to support the creation and management of X.509
certificates and keys within a PKCS#11 token that have RSA key sizes up to 4096
bits, DSA keys, and Diffie-Hellman keys. These X.509 certificates and keys are
planned to be usable through the System SSL APIs.
Availability
Resilience that helps reduce risk from outages
There is more to "availability" than just the server being up -- the application
and the data must be available as well. For the System z platform this means
hardware, I/O connectivity, operating system, subsystem, database, and application
availability, too. The System z hardware is designed to reduce planned and
unplanned outages through the use of self-healing capabilities, redundant
componentry, dynamic sparing, and the ability for concurrent upgrades and
microcode changes. Data availability and integrity are upheld with capabilities such
as address space isolation, storage protect keys, I/O channel redundancy, and I/O
error checking.
Beyond the single system is z/OS Parallel Sysplex clustering (see also the
and performance
data sharing applications and data with not only continuous availability for both
planned and unplanned outages, but also near-linear scalability and read/write
access to shared data across all systems in the sysplex for data sharing applications.
z/OS also has error checking, fault tolerance, isolation, error recovery, and Parallel
Sysplex capabilities that it continues to enhance every year. Unlike other operating
systems, z/OS plans to advance in a new, innovative direction for availability. z/
OS is planned to extend its proactive learning, monitoring, and analysis, to enable
IBM United States Software Announcement
210-008
section). Parallel Sysplex clustering is designed to provide your
IBM is a registered trademark of International Business Machines Corporation
Scalability
18
Advertisement
