z/OS V2.2 includes the following enhancements for PKI Services:
- The ability to require approvals from multiple PKI Services administrators for a certificate request before issuing the requested certificate ("NxM" request authentication factor).
- Enhancements to Online Certificate Status Protocol (OCSP) support to comply with recent revisions to the protocol standard (RFC 6277), and to support OCSP clients that use z/OS System SSL.
- Support for WebSphere Application Server (WAS) version 8.5 and the Apache-based IBM HTTP Server version 9.
- Enhancements to support the Internet Explorer 11 browser.
Other enhancements to PKI Services that were provided in prior releases and carried forward to the current release include:
- Sample PKI Services web pages implemented using XML and JSP [V1.11].
- The ability to use DB2 as the back-end storage for the PKI Services issued certificate list (ICL) and object store, plus utilities to migrate existing VSAM-based ICLs and object stores to DB2 [V1.13]. The DB2 tables used as the backing storage can be customized [V2.1].
- The ability to generate key pairs to be used in the creation of a certificate, and the ability to recover these generated keys at a later time if the keys become lost [V1.11].
- The ability to provide hardware protection for the private key of the PKI Services Certificate Authority (CA) certificate and for the private keys of certificates whose key pairs PKI Services generated, when the ICSF Enterprise PKCS#11 coprocessor is available [V2.1].
- The ability to generate, verify, and sign certificates using Elliptic Curve Cryptography (ECC) keys in addition to RSA keys [V1.12], and to use a hardware ECC certificate as the CA certificate [V1.13].
- The ability to allow or restrict the authority of PKI Services administrators based on the CA domain, the administrative action being performed, and the certificate type [V2.1].
- The ability to generate Extended Validation (EV) X.509 certificates [V2.1].
- The ability to prohibit an intermediate CA certificate from being used to issue further subordinate CA certificates beneath it, by way of the path length constraint in the Basic Constraints extension [V2.1].
- The ability to generate certificates using smart cards from Mozilla-based browser clients running on Windows and Linux platforms [V1.13].
- The ability to post certificates and certificate revocation lists (CRLs) upon demand and the ability to schedule internal PKI Services maintenance tasks to run at specified times [V1.12]. Large CRLs are supported for customers with applications that support only a limited number of CRL distribution points [V1.13], and PKI Services can be configured to generate a message when CRL processing is completed to allow for automation of follow-on actions such as CRL archiving [V2.1].
- The ability to query for expiring certificates and to configure for automated renewal of expiring certificates [V1.9].
- Support for the Simple Certificate Enrollment Protocol (SCEP) [V1.8] and the Certificate Management Protocol (CMP) [V1.12], so that devices and clients can enroll with PKI Services through standardized protocols.
- Support for WebSphere Application Server (WAS) version 8 and the Apache-based IBM HTTP Server [V2.1].
- Support for the following certificate extensions: customized extensions; Subject Alternative Name, allowing multiple instances each of Alternate Domain, Alternate IP Address, Alternate E-Mail Address, and Alternate URL [V1.12].
- Support for: the SHA-256 signature algorithm [V1.11]; Subject Distinguished Names of up to 1024 bytes in certificates [V1.12]; expiration dates beyond the year 2038 [V1.12]; SDBM credentials for LDAP when posting certificates and CRLs to LDAP repositories [V1.9]; multiple PKI Services instances operating within a single z/OS image [V1.8].
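Three of the items above (the path length constraint on intermediate CAs, the multi-instance Subject Alternative Name, and expiration dates beyond 2038) are features of the X.509 certificates themselves, so it is worth seeing what they look like on the wire and how a relying party treats them. The Go program below is an added example and is not IBM code or anything shipped with PKI Services; it uses only Go's standard crypto/x509 package. It builds a root CA, an issuing CA whose Basic Constraints carry pathLenConstraint 0, and a server leaf whose SAN holds two DNS names, two IP addresses, an e-mail address and a URI, all expiring in 2045. It then has the issuing CA sign an extra sub-CA anyway, issues a second leaf under it, and validates both leaves as of mid-2039: the direct leaf verifies, the one issued through the extra sub-CA is rejected. Every name, serial number and date is constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"time"
)

var notBefore = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
var notAfter = time.Date(2045, 1, 1, 0, 0, 0, 0, time.UTC) // past the 32-bit time_t limit (19 Jan 2038)

// Chain: root -> issuing CA -> leaf, plus a sub-CA the issuing CA signed despite its pathLenConstraint of 0.
type Chain struct {
	Root, Intermediate, Leaf, RogueSubCA, RogueLeaf *x509.Certificate
}

// caTemplate builds a CA template; leafOnly sets pathLenConstraint to 0.
func caTemplate(cn string, serial int64, leafOnly bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		MaxPathLenZero:        leafOnly, // MaxPathLen 0 plus MaxPathLenZero true encodes pathLenConstraint 0
	}
}

// leafTemplate carries one Subject Alternative Name extension holding several
// instances of each name type: DNS name, IP address, e-mail address and URI.
func leafTemplate(serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:   big.NewInt(serial),
		Subject:        pkix.Name{CommonName: "www.example.com"},
		NotBefore:      notBefore,
		NotAfter:       notAfter,
		DNSNames:       []string{"www.example.com", "example.com"},
		IPAddresses:    []net.IP{net.ParseIP("192.0.2.10"), net.ParseIP("2001:db8::10")},
		EmailAddresses: []string{"hostmaster@example.com"},
		URIs:           []*url.URL{{Scheme: "https", Host: "example.com", Path: "/"}},
	}
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a P-256 key for tmpl and signs with signer's key (nil parent: self-signed); returns cert and key.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// BuildChain issues all five certificates. Signing is not where pathLenConstraint
// bites: a CA that ignores its own constraint still produces RogueSubCA.
func BuildChain() *Chain {
	c := &Chain{}
	var rootKey, intKey, rogueKey *ecdsa.PrivateKey
	c.Root, rootKey = issue(caTemplate("Example Root CA", 1, false), nil, nil)
	c.Intermediate, intKey = issue(caTemplate("Example Issuing CA", 2, true), c.Root, rootKey)
	c.RogueSubCA, rogueKey = issue(caTemplate("Unexpected Sub CA", 3, false), c.Intermediate, intKey)
	c.Leaf, _ = issue(leafTemplate(4), c.Intermediate, intKey)
	c.RogueLeaf, _ = issue(leafTemplate(5), c.RogueSubCA, rogueKey)
	return c
}

// VerifyLeaf validates leaf to root through the given intermediates as of mid-2039; Go enforces pathLenConstraint.
func VerifyLeaf(leaf, root *x509.Certificate, intermediates ...*x509.Certificate) error {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, ic := range intermediates {
		pool.AddCert(ic)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool, DNSName: "www.example.com", CurrentTime: time.Date(2039, 6, 1, 0, 0, 0, 0, time.UTC)})
	return err
}

func main() {
	c := BuildChain()
	fmt.Println("direct chain:", VerifyLeaf(c.Leaf, c.Root, c.Intermediate))
	fmt.Println("through extra sub-CA:", VerifyLeaf(c.RogueLeaf, c.Root, c.Intermediate, c.RogueSubCA))
}
```

The second verification fails because the relying party counts one intermediate (the unexpected sub-CA) below a CA whose pathLenConstraint is 0; the CA that signed it was never asked. That is why a product-side control such as the one listed above matters: it stops the bad sub-CA from being issued at all, rather than relying on every client to enforce the constraint.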
PKI Services for z/OS V1 R5 certified "Identrus Compliant"
The Identrus Compliant program certifies that PKI Services, as provided by z/OS V1.5 and higher, meets Identrus specifications and interoperability requirements, providing a solid foundation for trust between financial institutions and their customers.
Instructions for configuring PKI Services for Identrus compliance are provided by IBM on an as-needed basis. For information, contact email@example.com