z/OS V2.1 includes the following enhancements for PKI Services:
- PKI Services can now generate Extended Validation (EV) X.509 digital certificates.
- Support has been added for the Apache-based IBM HTTP Server version 7 (IHS7), as well as WebSphere Application Server (WAS) versions 7 and 8.
- When the ICSF Enterprise PKCS#11 coprocessor is available, PKI Services can exploit this feature to provide hardware protection of private keys used by the PKI Services CA certificate, and any certificates for which PKI Services generates the key pairs, against discovery and tampering.
- PKI Services can be configured to generate a message when certificate revocation list (CRL) processing has ended, to allow the automation of follow-on actions such as CRL archival.
- Optional granular controls have been added to allow or restrict the authority of PKI Services administrators based on the certificate authority (CA) domain, the administrative action, and the certificate type.
- PKI Services can restrict its intermediate Certificate Authority (CA) certificate so that it cannot issue a further subordinate CA certificate below it.
- The optional DB2 back-end support is enhanced for improved performance and to allow customization of the backing DB2 tables.
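The intermediate CA restriction above corresponds to the X.509 Basic Constraints pathLenConstraint. The following is an added example, not IBM documentation or PKI Services code: a chain checker that models each certificate as a small dict (a constructed stand-in for parsed Basic Constraints) and applies the RFC 5280 path-length bookkeeping, so that an intermediate issued with pathLenConstraint 0 can sign end-entity certificates but any further CA beneath it is rejected.

```python
"""Validate X.509 Basic Constraints path-length limits over a modelled chain.

Assumption: certificates are dicts with 'subject', 'issuer', 'is_ca' and an
optional 'path_len' (the pathLenConstraint, None when absent). The chain is
ordered trust anchor first, end entity last.
"""


def check_chain(chain):
    """Return (ok, reason) for a root-to-leaf list of certificate dicts."""
    if not chain:
        return False, "empty chain"
    max_path_len = None  # None = unconstrained so far (RFC 5280 max_path_length)
    for i, cert in enumerate(chain):
        subject = cert["subject"]
        if i > 0 and cert["issuer"] != chain[i - 1]["subject"]:
            return False, f"{subject}: issuer does not match previous subject"
        if i == len(chain) - 1:
            # End entity: must not claim to be a CA; no path-length bookkeeping.
            if cert["is_ca"]:
                return False, f"{subject}: end entity asserts cA=TRUE"
            return True, "chain ok"
        if not cert["is_ca"]:
            return False, f"{subject}: non-CA certificate used as an issuer"
        self_issued = cert["issuer"] == subject
        if i > 0 and not self_issued and max_path_len is not None:
            # Each non-self-issued intermediate consumes one unit of the budget
            # set by the CAs above it (RFC 5280 6.1.4 step l).
            if max_path_len <= 0:
                return False, f"{subject}: exceeds pathLenConstraint of its issuer"
            max_path_len -= 1
        own_limit = cert.get("path_len")
        if own_limit is not None and (max_path_len is None or own_limit < max_path_len):
            max_path_len = own_limit  # tighten to this CA's constraint (step m)
    return True, "chain ok"


# Constructed sample chain: the intermediate is issued with pathLenConstraint 0.
ROOT = {"subject": "CN=Example Root CA", "issuer": "CN=Example Root CA",
        "is_ca": True, "path_len": None}
INTER = {"subject": "CN=Example Intermediate CA", "issuer": "CN=Example Root CA",
         "is_ca": True, "path_len": 0}
SUBCA = {"subject": "CN=Further Sub CA", "issuer": "CN=Example Intermediate CA",
         "is_ca": True, "path_len": None}
LEAF_FROM_INTER = {"subject": "CN=server.example.com",
                   "issuer": "CN=Example Intermediate CA", "is_ca": False}
LEAF_FROM_SUBCA = {"subject": "CN=server.example.com",
                   "issuer": "CN=Further Sub CA", "is_ca": False}

if __name__ == "__main__":
    print(check_chain([ROOT, INTER, LEAF_FROM_INTER]))
    print(check_chain([ROOT, INTER, SUBCA, LEAF_FROM_SUBCA]))
```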
z/OS V1.13 includes the following enhancements for PKI Services:
- PKI Services can now use a hardware Elliptic Curve Cryptography (ECC) certificate as the Certificate Authority (CA) certificate.
- DB2 can now be used to provide the back-end storage for the PKI Services issued certificate list (ICL) and object storage.
  - Customers who expect to issue and manage a large number of certificates can now exploit the reliability and scalability of DB2 to store and manage their certificates.
  - New utilities are provided to help existing PKI Services customers migrate their existing VSAM back-end storage to DB2.
- Browser Support Enhancements
  - PKI Services now permits users of Mozilla-based browsers on Windows and Linux platforms to generate certificates using smart cards.
  - PKI Services has added support for Internet Explorer version 8 browsers.
- PKI Services now supports large certificate revocation lists (CRLs), which can be helpful for customers whose applications can support only a limited number of CRL distribution points.
z/OS V1.12 includes the following enhancements for PKI Services:
- PKI Services can now generate, verify, and sign certificates using Elliptic Curve Cryptography (ECC) keys, in addition to RSA keys.
- Certificate Management Protocol (CMP) support is added, designed to support the use of z/OS PKI Services through standardized devices.
- Support has been added for additional certificate extensions:
  - Subject Alternate Name, to allow alternate identities to be bound to the certificate. Multiple instances of Alternate Domain, Alternate IP Address, Alternate E-Mail Address, and Alternate URL identities may be specified in the Subject Alternate Name extension.
  - Customized extensions.
- New utilities permit the PKI administrator to post certificates and CRLs upon demand, and allow the administrator to schedule PKI Services maintenance tasks to run at specified times.
- Validity dates beyond the year 2038 are supported.
- The maximum size of a Subject Distinguished Name is increased to 1024 bytes.
z/OS V1.11 includes the following enhancements for PKI Services:
- The PKI Services CA can now generate the key pair to be used in creating a certificate, if the requestor asks for this function.
- Key pairs generated by the PKI Services CA can be recovered at a later time, if the requestor should lose the key pair.
- Support for the SHA-256 signing algorithm.
- PKI Services web pages are now implemented using XML and JSP, to facilitate PKI Services integration with other applications.
- The maximum size of a Subject Distinguished Name is increased to 1024 bytes [when PTF UA52092 is installed on the PKI server system].
Other enhancements to PKI Services that were provided in prior releases and carried forward to the current versions include:
- Simple Certificate Enrollment Protocol (SCEP) support [z/OS V1.8].
- The ability to run multiple PKI Services instances on a single z/OS image [z/OS V1.8].
- Automated renewal of expiring certificates and the ability to query expiring certificates [z/OS V1.9].
- An embedded link containing the transaction ID of the request is provided so that the requestor can pick up the certificate.
- Support for SDBM credentials for LDAP when posting certificates and certificate revocation lists (CRLs) to an LDAP repository [z/OS V1.9].
- Support for 2-byte UTF-8 characters that map to the IBM 1047 code page character set [z/OS V1.10].
PKI Services for z/OS V1 R5 certified "Identrus Compliant"
The Identrus Compliant program certifies that PKI Services, provided by z/OS V1.5 and higher, meets Identrus specifications and interoperability requirements, providing a solid foundation for trust between financial institutions and their customers.
Instructions for configuring PKI Services for Identrus compliance are provided by IBM on an as-needed basis. For information, contact email@example.com.