IBM z/OS User Manual

66

• Support for IPv6 and 64-bit addressing

• Peer-to-peer replication provides failover support for

server availability. If a primary master server fails, there

is now a backup master to which LDAP operations can

be directed.

• Large group support helps improve LDAP server perfor-

mance when maintaining large access groups contain-

ing many members.

ICSF

Integrated Cryptographic Service Facility (ICSF) is a part

of z/OS which provides cryptographic functions for data

security, data integrity, personal identifi cation, digital

signatures, and the management of cryptographic keys.

These functions are provided via APIs intended to deliver

the highly scalable and available security features of z/OS

and the zSeries servers. Together with cryptography fea-

tures of zSeries servers, z/OS is designed to provide high

performance SSL, which can benefi t applications that use

System SSL, such as the z/OS HTTP Server and Web-

Sphere, TN3270, and CICS Transaction Gateway server.

ICSF provides support for the z990 and z890 PCIX Cryp-

tographic Coprocessor (PCIXCC), a replacement for the

PCICC and the CMOS Cryptographic Coprocessor Facility

that were found on the z900 and z800. All of the equivalent

PCICC functions offered on the PCIXCC are expected to

be implemented with higher performance. In addition,

PCIXCC implements the functions on the CMOS Crypto-

graphic Coprocessor Facility used by known applications.

PCIXCC supports secure cryptographic functions, use of

secure encrypted key values and user-defi ned extensions.

PKI Services

PKI Services is a z/OS component that provides a com-

plete Certifi cate Authority (CA) package for full certifi cate

life cycle management. Customers can be their own Cer-

tifi cate Authority, with the scale and availability provided by

z/OS. This can result in signifi cant savings over third party

options.

• User request driven via customizable Web pages for

browser or server certifi cates

• Automatic or administrator approval process adminis-

tered via same Web interface

• End user / administrator revocation process

• Certifi cate validation service for z/OS applications

Firewall

• Firewall Technologies provide sysplex-wide Security

Association Support: This function is designed to enable

VPN (virtual private network) security associations to

be dynamically reestablished on a backup processor in

a sysplex when a Dynamic Virtual IP Address (DVIPA)

takeover occurs. When the Dynamic Virtual IP Address

give-back occurs, the security association is designed

to be reestablished on the original processor in the

sysplex. When used in conjunction with z/OS Communi-

cations Server’s TCP/IP DVIPA takeover/give-back capa-

bility, this function provides customers with improved

availability of IPSec security associations.