
PKI Services for z/OS

Overview: What's New?

  
Overview Components Standards Additional Information

z/OS V1.13 includes the following enhancements for PKI Services:
  • PKI Services can now use a hardware Elliptic Curve Cryptography (ECC) certificate as the Certificate Authority (CA) certificate.
  • DB2 can now be used to provide the back-end storage for the PKI Services issued certificate list (ICL) and object storage.
    • Customers who expect to issue and manage a large number of certificates can now exploit the reliability and scalability of DB2 to store and manage their certificates.
    • New utilities are provided to help existing PKI Services customers migrate their existing VSAM back-end storage to DB2.
  • Browser Support Enhancements
    • PKI Services now permits users of Mozilla-based browsers on Windows and Linux platforms to generate certificates using smart cards.
    • PKI Services has added support for Internet Explorer version 8 browsers.
  • PKI Services now supports large certificate revocation lists (CRLs), which can be helpful for customers whose applications can support only a limited number of CRL distribution points.
 
 
z/OS V1.12 includes the following enhancements for PKI Services:
  • PKI Services can now generate, verify, and sign certificates using Elliptic Curve Cryptography (ECC) keys, in addition to RSA keys.
  • Certificate Management Protocol (CMP) support is added, designed to support the use of z/OS PKI Services through standardized devices.
  • Support has been added for additional certificate extensions:
    • Subject Alternate Name, to allow alternate identities to be bound to the certificate. Multiple instances of Alternate Domain, Alternate IP Address, Alternate E-Mail Address, and Alternate URL identities may be specified in the Subject Alternate Name extension.
    • Customized extensions.
  • New utilities permit the PKI administrator to post certificates and CRLs upon demand, and allow the administrator to schedule PKI Services maintenance tasks to run at specified times.
  • Validity dates beyond the year 2038 are supported.
  • The maximum size of a Subject Distinguished Name is increased to 1024 bytes.
 
 
z/OS V1.11 includes the following enhancements for PKI Services:
  • The PKI Services CA can now generate the key pair to be used in creating a certificate, if the requestor asks for this function.
  • Key pairs generated by the PKI Services CA can be recovered at a later time, if the requestor should lose the key pair.
  • Support for the SHA-256 signing algorithm is included.
  • PKI Services web pages are now implemented using XML and JSP, to facilitate PKI Services integration with other applications.
  • The maximum size of a Subject Distinguished Name is increased to 1024 bytes [when PTF UA52092 is installed on the PKI server system].
 
 
z/OS V1.10 includes the following enhancements for PKI Services:
  • PKI Services can accept 2-byte UTF-8 characters that map to code page 1047 in the CA/RA certificate and can create certificates containing such characters.
  • The dependency on OCSF is removed from the PKI Services daemon (note: the PKI Services Trust Policy still requires OCSF).
  • Three Distinguished Name attribute types are added: Domain Component, Distinguished Name Qualifier, and User ID.
  • An embedded link containing the transaction ID of the request is provided so that the requestor can pick up the certificate.
 
 
z/OS V1.9 includes the following enhancements for PKI Services:
  • Automated certificate renewal, which sends renewal certificates to end users via email when the expiration date is approaching.
  • Queries on expiring certificates. Administrators can submit a query based on the number of days within which the certificates will expire.
  • The email notification function is extended to administrators. When a request is pending approval, a notification is sent, either whenever there is a new request or once a day for all new requests.
  • The validity period of the certificate is increased to 9999 days (more than 27 years).
  • Allow the use of SDBM credentials for the LDAP administrator ID which PKI Services uses to post certificates and CRLs.
 
 
z/OS V1.8 includes the following enhancements for PKI Services:

The following enhancements enabled PKI Services to be more competitive with other Certificate Authority products.

  • Simple Certificate Enrollment Protocol (SCEP) support, which allows SCEP-enabled clients (usually routers) to automatically request certificates.
  • Multiple instances of PKI Services can run on a single z/OS image.
  • Support for more commonly used distinguished name qualifiers and extension values for certificates.
 
 
PKI Services for z/OS V1 R5 certified "Identrus Compliant"

The Identrus Compliant program certifies that PKI Services, provided by z/OS V1.5 and higher, meets Identrus specifications and interoperability requirements, providing a solid foundation for trust between financial institutions and their customers.

Instructions for configuring PKI Services for Identrus compliance are provided by IBM on an as-needed basis. For information, contact wchoi@us.ibm.com
