SecureZIP™ for zSeries (OS/390 and z/OS)

User’s Guide

SZZU-V8R1000

PKWARE Inc.

PKWARE Inc.
9009 Springboro Pike
Miamisburg, Ohio 45342
Sales: 937-847-2374
Support: 937-847-2687
Fax: 937-847-2375
Web Site: http://www.pkware.com
Sales - Email: [email protected]
Support - http://www.pkware.com/support

8.1 Edition (2005)

SecureZIP for zSeries™, PKZIP for zSeries™, PKZIP for MVS™, SecureZIP for iSeries™, PKZIP for iSeries™, PKZIP for OS/400™, PKZIP for VSE™, PKZIP for UNIX™, SecureZIP for Windows™, and PKZIP for Windows™ are just a few of the many members in the PKZIP® family.

PKWARE Inc. would like to thank all the individuals and companies -- including our customers, resellers, distributors, and technology partners -- who have helped make PKZIP® the industry standard for Trusted ZIP solutions. PKZIP® enables our customers to efficiently and securely transmit and store information across systems of all sizes, ranging from desktops to mainframes.

This edition applies to the following PKWARE Inc. licensed program: SecureZIP for zSeries™ (Version 8, Release 1, 2005)

PKZIP(R) is a registered trademark of PKWARE(R) Inc. SecureZIP is a trademark of PKWARE(R) Inc. Other product names mentioned in this manual may be a trademark or registered trademarks of their respective companies and are hereby acknowledged.

Any reference to licensed programs or other material, belonging to any company, is not intended to state or imply that such programs or material are available or may be used.

The copyright in this work is owned by PKWARE Inc., and the document is issued in confidence for the purpose only for which it is supplied. It must not be reproduced in whole or in part or used for tendering purposes except under an agreement or with the consent in writing of PKWARE Inc., and then only on condition that this notice is included in any such reproduction. No information as to the contents or subject matter of this document or any part thereof either directly or indirectly arising there from shall be given or communicated in any manner whatsoever to a third party being an individual firm or company or any employee thereof without the prior consent in writing of PKWARE Inc.

Copyright © 1989 - 2005 PKWARE Inc. All rights reserved.

Contents

PREFACE
Notices
About this Manual
Conventions Used in this Manual
SecureZIP Manuals
Related IBM Publications
Related Information on the Internet
User Help and Contact Information

1 AN INTRODUCTION TO SECUREZIP FOR ZSERIES
Data Compression
ZIP Archives
Cyclic Redundancy Check
Distinctive Features of SecureZIP for zSeries
Encryption using passwords and/or digital certificates
Cross Platform Compatibility

2 INTRODUCTION TO DATA SECURITY
SecureZIP for zSeries Security Basics

Operating System Levels
Digital Certificate Formats
SecureZIP for Windows Compatibility
General Information to Help You Get Started

Encryption
Authentication

Data Integrity
Digital Signature Validation
Digital Signature Source Validation

Public-Key Infrastructure and Digital Certificates
Public-Key Infrastructure (PKI)
x.509
Digital Certificates
Certificate Authority (CA)
Private Key
Public Key
Certificate Authority and Root Certificates

Setting Up Stores for Digital Certificates on zOS
Setting Up the Certificate Stores
Updating the Certificate Stores

Types of Encryption Algorithms
FIPS 46-3, Data Encryption Standard (DES)
Triple DES Algorithm (3DES)
Advanced Encryption Standard (AES)
Comparison of the 3DES and AES Algorithms
RC4

Key Management
Passwords and PINS
Recipient Based Encryption
Random Number Generation
Integrity of Public and Private Keys

3 SECUREZIP FOR ZSERIES RELEASE INFORMATION
Release Summary

New Features
New Commands and Defaults
Command Changes
Message Changes
Enhancements for Secure Data

Restrictions for SecureZIP for zSeries
Region Size and Storage
SMS Dataclass Considerations

Note for users of PKZIP for MVS and PKZIP for zSeries 5.6
Reserved DDNAMEs

SYSPRINT
PKSPRINT
PKNODUMP

Use of System Utilities
SORT
Access Method Services
IEBGENER
GRS/ENQ

4 LICENSING
Initializing the License

Evaluation Period
Release Licensing
Show System Information
Reporting the SecureZIP for zSeries License
Applying a License Key or Authorization Code

SecureZIP for zSeries Grace Period
Running a Disaster Recovery Test

5 GETTING STARTED WITH SECUREZIP FOR ZSERIES
Introduction to SecureZIP for zSeries
Invoking SECZIP or SECUNZIP Using JCL

Return Codes
Compressing a Dataset

Notes for Dataset Compression
Viewing the Contents of an Archive

Notes for Viewing the Contents of an Archive
ACTION(VIEWDETAIL)

Decompressing a Dataset
Notes for Decompressing a Dataset

Updating or Refreshing a File
Invoking SecureZIP for zSeries Services

Invoking SECZIP or SECUNZIP From JCL (Batch or Started Task)
Invoking SECZIP or SECUNZIP as Called Programs Under TSO
Invoking ZIP or UNZIP TSO Command Line Interface

Valid ZIP Actions
Valid ZIP Options
Valid UNZIP Actions

Invoking the SecureZIP for zSeries ISPF Panel Interface
Configuration Manager

Making Changes to the Defaults
Assembling Your Changes
Inputs

Configuration Manager Processing: Managing Control Statements
Control Statement Definitions

Troubleshooting
SecureZIP for zSeries Messages
Debugging Controls

6 ABOUT SECURITY, CERTIFICATES AND ENCRYPTION
Terms and Acronyms Used in This Chapter
Accessing Certificates

Configuration Profile
Contents of the Configuration Profile
Data Base (DB) Profile (Local Certificate Store)
LDAP Profile (Networked Certificate Store)
Recipient Searches

Local Certificate Stores
Access x.509 Public and Private Key Certificates
Authentication and Certificate Validation Policies
Other Profile Commands
SecureZIP Certificate Store Administration and Configuration

Run-Time Configuration
Runtime Configuration Panel
Runtime Configuration Panel: Certificate Stores
SecureZIP Runtime Configuration Panel Undefined
SecureZIP Runtime Configuration Panel with DB Profile Defined
SecureZIP Runtime Configuration Panel with Private Certificate Location

Filename Encryption
How SecureZIP for zSeries Encrypts File Names
When SecureZIP for zSeries Encrypts File Names
Encrypting File Names When You Update an Archive
Opening and Viewing an Archive That Has Encrypted File Names
Input Required To View Recipients in a Filename Encrypted Archive
View of Recipients in a Filename Encrypted Archive
View Detail of an Archive that Has Encrypted File Names
Decrypting a Filename-Encrypted Archive

Security Examples
SecureZip using Recipients or Combo
Zip Compress File(s) to an Archive File (Option ‘Z’) Using Recipients
SecureZIP Encryption Using Individual Recipients as Input
SecureZIP Certificate Report Option
SecureZIP Verification Window
SecureZIP Encryption Using Individual Recipients-Generated JCL
SecureZIP Encryption Using Recipient Job Output Listing with VERBOSE
SecureZIP Encryption Using Recipient Job Output Listing Without VERBOSE
SecureZIP Encryption Using a Recipients List
Editing the Recipients List
SecureZIP Encryption Using a Recipients List
SecureZIP Halt Process Request
SecureZIP Encryption Using LDAP Search for Recipients
SecureZIP Encryption Using LDAP Search for Recipients-Generated JCL
SecureZIP Encryption Using LDAP Search for Recipients - Output
Selecting Filename Encryption
Panel Option “Z” - Selecting Filename Encryption
Zip Compress File(s) to an Archive File (Option ‘Z’) Using Passwords
SecureZIP Encryption
Cryptographic Algorithms

UNZip File(s) from an Archive (Option ‘U’) Using Recipients
Unzip Panel (Option ‘U’) Using Recipients
Unzip Output Using Recipients

View Display the Contents of an Archive File (Option ‘V’)

View Detail Display
Incorrect Password Use

7 FILE SELECTION AND NAME PROCESSING
ZIP Processing File Selection
Primary File Selection Inputs
Cataloged Dataset Name Filter Requests
Exclusion Filters
INFILE DD Requests
JES2 SYSIN INFILE Support
Input ZIP Archive Files
File Selection Processing Notes
Cataloged Dataset Name and INFILE Request Restrictions
ZIP File Names

Summary of Commands Affecting ZIP Filename
Essentials for running SECZIP and SECUNZIP

SECUNZIP

8 ZIP FILES
Data Formats - Text or Binary
Data Format - Text Records
Data Format - Binary Records
File Attributes

Data Set Name Transformation
Large File Considerations
Determining File Size

9 FILE PROCESSING
File Support
Sequential Files

Compressing Sequential Files
Extracting Records into a Sequential File
Managing a Sequential File ZIP Archive
Processing GDGs
File Concatenation for ZIP Processing

PDS and PDSE Members
Selecting PDS Members for Compression
Extracting Data into a PDS
Managing ZIP Archives as PDS Members
Load Libraries

VSAM Files
Compressing a VSAM File
Extracting Data into a VSAM File
Managing a VSAM ZIP Archive

Magnetic Tapes and Cartridges
Copying a Tape-Based Archive to a Disk File
Compressing Data from Tape
Extracting Data onto Tape
Managing a ZIP Archive on Tape

10 COMMANDS
Command Syntax
File Selections vs. Commands

&SYSUID
Summary of Available Commands
Command Details

Command Icon Legend

11 ZIP ARCHIVES
“Old” ZIP Archive
“Temporary” Dataset
“New” ZIP Archive

12 PROCESSING WITH GZIP
What is GZIP?
Why use GZIP?
SecureZIP for zSeries Implementation Notes for GZIP

GZIP Restrictions
GZIP Extensions
Processing GZIP Archives

13 USING THE ISPF INTERFACE
Getting Started with the ISPF Interface
Configuration (Option ‘C’)
Defaults (Options ZD and UD)

Primary Commands
Changing Default Options
Including Changed Defaults

View Archive (Option ‘V’)
Setting VIEW Options
Primary Commands
Line Commands
Display Fields

Using Security
Archive Authenticated
File Signers

Zip (Option ‘Z’)
Using Security
Select Password Protect
Select Recipients
Archive Signing
File Signing
Archive Authentication

UNZIP (Option ‘U’)
Using Security
Select Password Protect
Select Recipients
Archive Authentication
File Authentication

SYSPRINT Browse (Option ‘S’)
Messages (Option ‘M’)
License Display (Option ‘L’)
Certificate Stores (Option ‘CS’)
What’s New (Option ‘W’)
Contact PKWARE (Option ‘A’)

14 USER API PROCESSING
Overview

Data Record Transformation API for ZIP processing.
File Name Manipulation API for UNZIP processing

Invocation
Negation of API processing
Execution Environment
File Name Manipulation API
Data Record Transformation API

User API Samples
JCL and Sample Programs

Assembler
Assembler Source
Assembler JCL
Assembler Source
DCTMAPIU DSECT
COBOL
COBOL JCL
COBMAPIU copy member
Sample input file - SAMPDAPI

Output from sample jobs .......................................................................................315 ASMFNAPI Sample Output...................................................................................315 XSMFNAPI Sample Output...................................................................................315


User API_Module Program Exception Trap

15 INVOKING SECZIP/SECUNZIP FROM AN APPLICATION PROGRAM
CALLZIPA Sample Assembly Source to Call SECZIP
CALLZIPC Sample COBOL Source to Call SECZIP
CALLZIPP Sample PL/I Source to Call SECZIP
CALLZIPR Sample REXX Source to Call SECZIP
CALLZC Sample C source program to call SECZIP
CALLZCPP Sample C++ program source to call SECZIP

A LICENSING REQUIREMENTS
Licensed Types
Product Features
Licensing Environment

Evaluation Period
Release Licensing
Current Use License
Reporting
Show System Information
Conditional Use

B SAMPLE JOBSTREAMS
Example 1: Zip PDS to an Archive
Example 2: Zip PDS to an Archive
Example 3: Zip VSAM KSDS to an Archive
Example 4: Summary View of a Dataset
Example 5: Summary View of a Dataset
Example 6: View with Detail of an Archive
Example 7: Unzip an Archive to PDS
Example 8: Unzip an Archive to PDS
Example 9: Unzip an Archive to VSAM KSDS

C 3490 INSTALLATION JCL (COPYCART)

D MAKING CODE PAGE TRANSLATE TABLES (EDCICONV)
Translation Tables
Code Page Support
International Code Page Support
Code Conversion Utility


Translate Table Generation
Sample Job

E FIPS-197 AES CERTIFICATION OF PKZIP

F CONTACT INFORMATION
PKWARE, Inc.

PROBLEM REPORTING
General
Licensing
ISPF
FTP SERVER requirements

GLOSSARY

INDEX


Preface

SecureZIP for zSeries provides powerful, easy-to-use data compression and data protection on the mainframe. SecureZIP for zSeries delivers high performance data compression and protects data with digital signatures and up to 256-bit password- or certificate-based encryption powered by trusted RSA® BSAFE. Based on the widely-adopted ZIP format, SecureZIP files can be accessed on all major platforms throughout the enterprise—from mainframe to PC.

Notices

Licensing requirements have changed for this release. See Chapter 4 and Appendix A for details.

About this Manual

This manual provides the information needed to use SecureZIP for zSeries in an operational environment. It is assumed that anyone using this manual has a good understanding of JCL and data set processing. Note that the contents of this manual apply to the following operating systems:

OS/390 – Version 2.10 and above.

z/OS - all releases.

• Chapter 1. An introduction to SecureZIP for zSeries. Provides a general description of the product suite applicable to all supported platforms. This chapter also describes the features of the SecureZIP for zSeries product and provides a simple description of how it is used to compress and decompress datasets.

• Chapter 2. Provides a general discussion on data security along with specific implementations of encryption.

• Chapter 3. Provides more detailed examples of how specific file types should be processed by SecureZIP for zSeries. This chapter also details the new features and functions for SecureZIP for zSeries.

• Chapter 4. This chapter explains licensing of SecureZIP for zSeries and provides information on invoking the 5-day grace period and disaster recovery tests.

• Chapter 5. Provides general information on invoking SECZIP and SECUNZIP, the two main component programs of SecureZIP for zSeries. This chapter explains the details associated with compression, decompression, restrictions, migration, and an overview of SECZIP processing.

• Chapter 6. Provides details on security and authentication, including ISPF screen images and examples.

• Chapter 7. Provides a summary of ZIP file processing procedures, including filtering, file selection, requests, and the basic essentials for running SECZIP and SECUNZIP.

• Chapter 8. Explains ZIP file formats (text or binary), file attributes, and file size considerations.

• Chapter 9. Provides information about the types of files that are supported by SecureZIP for zSeries, such as sequential files, PDS, or PDSE members, and VSAM files.

• Chapter 10. A reference of the SecureZIP for zSeries commands and messages.

• Chapter 11. Explains the possible states of an archive during processing and the functions of associated formats.

• Chapter 12. Provides an overview of how to process GZIP files and archives, including information about GZIP restrictions and extensions.

• Chapter 13. Provides instructions on the use of other facilities provided with SecureZIP for zSeries, specifically the ISPF panel interface, to include setting options for configuration, defaults, and viewing archives.

• Chapter 14. Provides information on the User Application Programming Interface or USER API.

• Chapter 15. Provides information on calling SECZIP and SECUNZIP.

• Appendix A. Licensing

• Appendix B. Sample Jobstreams

• Appendix C. 3490 Installation JCL

• Appendix D. Making Code Page Translate Tables

• Appendix E. FIPS-197 AES Certification

• Appendix F. Contact Information

• Glossary. Explains terms related to compression and encryption

Conventions Used in this Manual

Throughout this manual, the following conventions are used:

The use of the Courier font indicates text that may be found in job control language (JCL), parameter controls, or printed output.

The use of italics in a command line indicates a value that must be substituted by the user, for example, a data set name. It may also be used to indicate the title of an associated manual or the title of a chapter within this manual.

Bullets (•) indicate items (or instructions) in a list.


The use of <angle brackets> in a command definition indicates a mandatory parameter.

The use of [square brackets] in a command definition indicates an optional parameter.

A vertical bar (|) in a command definition is used to separate mutually exclusive parameter options or modifiers.

SecureZIP Manuals

SecureZIP for zSeries product manuals include:

• User’s Guide - Provides detailed information on the product set in OS/390 and z/OS operating environments. Also provides a general introduction to data compression, SECZIP-specific data compression, and an overview of how to use SecureZIP for zSeries, SECZIP control cards, and parameters.

• Messages and Codes Guide - Provides information on the messages and codes that are displayed on the consoles, printed outputs, and associated terminals.

• System Administrator’s Guide - Provides detailed information to assist the system administrator to install and manage SecureZIP for zSeries in an operational environment. Topics include:

o System planning and administration

o Installation, licensing and configuration

o Verifying the installation

o Security administration overview

o Certificate store management

Related IBM Publications

IBM Manuals relating to the SecureZIP for zSeries product include:

• System Codes - Documents the completion codes issued by the operating system when it terminates a task or an address space. Describes the wait state codes placed in the program status word (PSW) when the system begins a wait state. Describes the causes of loops.

• System Messages - Documents the messages issued by the OS/390 operating system. The descriptions explain why the component issued the message, give the actions of the operating system, and suggest responses by the applications programmer, system programmer, and/or operator.

• JES2 Messages - Documents the messages issued by the JES2 subsystem. The descriptions explain why the component issued the message, give the actions of the operating system, and suggest responses by the applications programmer, system programmer, and/or operator.

• JCL User's Guide - Describes the job control tasks needed to enter jobs into the operating system, control the system's processing of jobs, and request the resources needed to run jobs. To perform the tasks, programmers code job control statements. The user's guide assists in deciding how to perform job control tasks.

• JCL Reference - Describes the job control tasks needed to enter jobs into the operating system, control the system's processing of jobs, and request the resources needed to run jobs. To perform the tasks, programmers code job control statements. The reference guide is designed to be used while coding the statements.

• Access Methods Services - Documents the functions that are available with Virtual Storage Access Method (VSAM) and describes the IDCAMS commands that can be issued to control VSAM datasets.

• TSO/E Command Reference - Documents the functions of the TRANSMIT and RECEIVE Command Facility used for the distribution and allocation of SecureZIP for zSeries installation libraries.

Related Information on the Internet

PKWARE, Inc.

www.pkware.com

FTP site

Product Downloads

Product Manuals

National Institutes of Standards

Computer Security Resource Center - http://csrc.ncsl.nist.gov

Information on the AES development - http://csrc.nist.gov/encryption/aes/

Information on Key Management - http://csrc.nist.gov/CryptoToolkit/tkkeymgmt.html

RSA BSAFE® Content Library – http://www.rsasecurity.com/content_library.asp

User Help and Contact Information

For Licensing, please contact the Sales Division at 937-847-2374 or email [email protected].

For Technical Support assistance, please contact the Product Services Division at 937-847-2687 or visit the support web site

Appendix F lists the types of information needed to resolve issues with the product.


1 An Introduction to SecureZIP for zSeries

Built on the award-winning PKZIP, SecureZIP for zSeries enables you to create and extract ZIP archives and archives of other types and, with the new security features, to use passwords and/or digital certificates to strongly encrypt archives and archived files. Strong, digital certificate-based encryption enables you to encrypt files just for the people you want to see them.

With its advanced password and certificate-based security features, SecureZIP for zSeries offers multiple methods of encryption and is an excellent choice for secure messaging and storage. As with PKZIP, SecureZIP for zSeries offers various methods and levels of compression and a host of other powerful features.

Note: Both PKZIP for zSeries and SecureZIP for zSeries can apply strong password-based encryption, and all current PKZIP desktop products recognize digital signatures and can decrypt strongly encrypted files. However, to do strong, certificate-based encryption requires the premium, SecureZIP for zSeries edition.

SecureZIP for zSeries can access certificates in directory servers via an LDAP compliant interface. SecureZIP for zSeries can look for certificates in LDAP certificate stores. SecureZIP for zSeries can automatically search these stores for recipients to whom you are sending an email message so that you can use their keys when encrypting an attachment. This requires the separately licensed Directory Integration module.

The Directory Integration module enables you to access certificates stored in remote directories as well as certificates on the local machine. This feature extends your ability to work with certificates that belong to your colleagues in the enterprise as well as customers, partners, and vendors.

SecureZIP for zSeries contains two main programs: SECZIP and SECUNZIP. The SECZIP program compresses or otherwise stores files into a ZIP format archive; the SECUNZIP program extracts files compressed by SECZIP. Processing control is available through the use of customized option modules, shared command lists, and individual job inputs. In addition to file selection, features such as compression levels and performance selections can be specified.

To guarantee data integrity, 32-bit Cyclic Redundancy Check (CRC) is a standard feature.

A ZIP archive is platform-independent; therefore, data compressed (zipped) on one platform, such as UNIX or Windows, can be decompressed (unzipped) on another platform, such as OS/390 or z/OS by using a compatible version of the SECUNZIP program.


Data Compression

Data compression reduces file size. A compressed data file uses less storage space and can be transferred faster. A data file to be compressed (a ZIP candidate) is compressed to a compact size (ZIPPED file). To use the file again, it must be uncompressed or extracted to its original size (UNZIPPED file).

For example, a simple data compression technique is the Run-Length Encoding method. This method works when repeating characters are evident in a data stream. The run of characters is represented in a compressed form as a single character with its count.

Example: B 2 2 2 2 E H H H H H H H H H

Compressed: B *4 2 E H*9

However, to perform a thorough compression operation, more advanced algorithms and enhanced techniques are required which work at the bit level and allow for noncontiguous iterations of bit strings. SecureZIP for zSeries uses such methods to achieve maximum results.

ZIP Archives

SecureZIP for zSeries stores compressed data files into ZIP archives. There is no limit to the number of archives you may create.

A ZIP archive refers to any valid ZIP-format file created by a ZIP-compatible product.

PKWARE's Application Note on the .ZIP file format provides developers a general description and technical details of the ZIP specification. This specification is periodically revised according to the publication policy statement as new features are added to ensure the continued interoperability of ZIP applications.

With the ZIP64 feature available in SecureZIP for zSeries and PKZIP for zSeries release 5.6 and higher, over 4 billion files can be managed within a single archive. The ZIP archive architecture supports Exabyte (64-bit) sizes for files in an archive. ZIP archives themselves can exceed 4 gigabytes for specified access methods and device media.

With ZIP products prior to release 4.5 (and PKZIP for MVS products), an archive can store up to 65,535 files. Files up to 4 gigabytes in size can be compressed, and an archive is limited to 4 gigabytes in size.

For each file in an archive, the following information is stored with the compressed data:

• Filename

• File directory date and time

• File’s initial CRC value. See Cyclic Redundancy Check

• Method of compression used

• ZIP Version required for file extraction

• File size, uncompressed

• File size, compressed

Some files may contain the following additional information:


• The version of ZIP that created the file

• File attributes

• A comment about the file

• A comment about the archive

• Platform specific attributes (see Cross Platform Compatibility)

Cyclic Redundancy Check

A Cyclic Redundancy Check (CRC) is performed to check the integrity of a data file when it is restored from a ZIP archive.

While a file is compressed, a SECZIP algorithm computes a 32-bit hexadecimal value for its data. That CRC value is stored with the file in the ZIP archive. When the data in the file is extracted, SecureZIP for zSeries processes it again by the same algorithm to produce a second CRC value and compares the two. If the data has not changed, the values will be the same. If the two CRC values do not match, data may have been corrupted in the ZIP archive during file transfer operations, and SecureZIP for zSeries reports the failure.
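The per-file information listed under ZIP Archives and the extract-time CRC comparison described above, shown as an added Python example (not PKWARE code and not part of the original manual). It reads the central directory of a small archive using the record layout of the published ZIP specification, then recomputes each member's CRC-32 before and after one byte is damaged; the member names and contents are constructed sample data, and Zip64 and encrypted members are outside its scope.

```python
import io
import struct
import zipfile
import zlib

# Record layouts from the published ZIP file format specification (little-endian).
EOCD = struct.Struct("<4sHHHHIIH")           # end of central directory, 22 bytes
CDH = struct.Struct("<4sHHHHHHIIIHHHHHII")   # central directory file header, 46 bytes
LFH = struct.Struct("<4sHHHHHIIIHH")         # local file header, 30 bytes


def build_sample_archive() -> bytes:
    """Constructed sample input: one stored and one deflated member, in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SAMPLE/STORED.TXT", b"RECORD 0001 STORED\n" * 20,
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("SAMPLE/DEFLATED.TXT", b"RECORD 0002 DEFLATED\n" * 20,
                    compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def read_central_directory(archive: bytes) -> list:
    """Return the per-file metadata kept in the central directory (no Zip64)."""
    eocd_at = archive.rfind(b"PK\x05\x06")
    if eocd_at < 0:
        raise ValueError("end of central directory record not found")
    _, _, _, _, total, _, pos, _ = EOCD.unpack_from(archive, eocd_at)
    entries = []
    for _ in range(total):
        (sig, made_by, needed, flags, method, mtime, mdate, crc, csize, usize,
         nlen, xlen, clen, _disk, _iattr, _eattr, lfh_at) = CDH.unpack_from(archive, pos)
        if sig != b"PK\x01\x02":
            raise ValueError("bad central directory signature at %d" % pos)
        raw_name = archive[pos + CDH.size: pos + CDH.size + nlen]
        entries.append({
            "name": raw_name.decode("utf-8" if flags & 0x0800 else "cp437"),
            "modified": ((mdate >> 9) + 1980, (mdate >> 5) & 0xF, mdate & 0x1F,
                         mtime >> 11, (mtime >> 5) & 0x3F, (mtime & 0x1F) * 2),
            "crc32": crc,
            "method": method,                          # 0 = stored, 8 = deflate
            "version_needed": needed / 10,             # ZIP version required to extract
            "version_made_by": (made_by & 0xFF) / 10,  # ZIP version that created the entry
            "size": usize,
            "compressed_size": csize,
            "lfh_offset": lfh_at,
        })
        pos += CDH.size + nlen + xlen + clen           # skip name, extra field, comment
    return entries


def data_span(archive: bytes, entry: dict) -> tuple:
    """Locate a member's data by walking past its local file header."""
    at = entry["lfh_offset"]
    fields = LFH.unpack_from(archive, at)
    if fields[0] != b"PK\x03\x04":
        raise ValueError("bad local header signature at %d" % at)
    start = at + LFH.size + fields[9] + fields[10]     # name length + extra length
    return start, start + entry["compressed_size"]


def verify_entry(archive: bytes, entry: dict) -> bool:
    """Recompute the CRC-32 of the extracted data and compare it with the stored value."""
    start, end = data_span(archive, entry)
    raw = archive[start:end]
    if entry["method"] == 0:
        data = raw
    elif entry["method"] == 8:
        try:
            data = zlib.decompress(raw, -15)           # raw deflate stream
        except zlib.error:
            return False                               # damage broke the stream itself
    else:
        raise ValueError("compression method %d not handled here" % entry["method"])
    return len(data) == entry["size"] and (zlib.crc32(data) & 0xFFFFFFFF) == entry["crc32"]


def flip_byte(archive: bytes, offset: int) -> bytes:
    """Simulate transfer damage by inverting one byte."""
    damaged = bytearray(archive)
    damaged[offset] ^= 0xFF
    return bytes(damaged)


if __name__ == "__main__":
    archive = build_sample_archive()
    entries = read_central_directory(archive)
    damaged = flip_byte(archive, data_span(archive, entries[0])[0])
    for e in entries:
        print(e["name"], "method", e["method"], "crc32 %08X" % e["crc32"],
              "intact:", verify_entry(archive, e),
              "after damage:", verify_entry(damaged, e))
```

The CRC-32 is not keyed, so it catches accidental damage only; detecting deliberate modification is the role of the signing and authentication features (SIGN_ARCHIVE, SIGN_FILES, AUTHCHK).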

Distinctive Features of SecureZIP for zSeries

Distinctive features of SecureZIP for the z/OS and OS/390 operating environments include:

• Ability to access certificates in directory servers through an LDAP-compliant interface. SecureZIP can look for certificates in LDAP certificate stores and automatically search these stores for recipients to whom you are sending an email message so that you can use their keys when encrypting an attachment. (Requires the optional Directory Integration module.)

• Ability to process execution from ISPF Panels, as a TSO/E command, within TSO/E REXX EXECs or CLISTs, from an application program, or a stand-alone batch utility.

• A robust ISPF panel interface that displays the ZIP archive directory in a table format and enables selection of individual archived (zipped) files for browsing, viewing, extracting, or deleting.

• Compression and extraction of datasets of the following types on DASD:

• Sequential files.

• PDS and PDSE members.

• VSAM files (KSDS, ESDS, RRDS).

• JES2 subsystem input files (for example, //ddname DD *).

• Command extensions allowing greater flexibility in file selection.

• Unique filename translation to/from system/390 DSNAME conventions and the UNIX-style names typically found in zip archives.

• Compressing and extracting of datasets of the following types on tape or cartridge:

• Sequential files.


• Compressing and extracting of files to OS/390 and z/OS Load Libraries.

• Compressing and extracting of files to Generation Data Groups (GDGs).

• GDG files can be used as a ZIP archive.

• Retention of dataset allocation information, such as dataset organization, device type, and DCB/Cluster attributes. Preservation of this information allows for duplication of the file with the same characteristics during the UNZIP process.

• Support of ZIP archives within the following dataset organizations:

• Sequential files (DASD, Tape, or Cartridge).

• PDS and PDSE members.

• VSAM ESDS.

• Selection of datasets for processing based upon user-specified control statements, DD JCL specifications, or user-defined filtering lists.

• Execution on OS/390 2.10 and higher. SecureZIP also executes on a z/OS system IPL’d in 64-bit mode.

• Execution in AMODE 31, using storage primarily above the 16-Mb line. However, certain operating system control blocks and system services require virtual storage below the 16-Mb line. The amount of virtual storage available within each of these areas of an address space will limit the use of some performance options (for example, multi-tasking and temporary files in storage) and capabilities.

• Defaults customizable during installation. Multiple defaults modules may be created for use in a variety of application needs.

• Use of pre-defined command files saved in a place selected by the user or system administrator. These can be referenced by multiple jobs or users, thus eliminating the need for individual JCL command streams, or used in combination with individual job inputs to provide a consistent set of processing controls.

Certain features of SecureZIP for zSeries are separately licensed (see Appendix A).

Encryption using passwords and/or digital certificates

SecureZIP for zSeries can encrypt data for security control with digital certificates and/or provide a password lockout for extracting data. Varying security levels are available with multiple encryption algorithms. See Chapter 2 for a complete description of security features in SecureZIP for zSeries.

Cross Platform Compatibility

SecureZIP for zSeries was designed for cross-platform use and enables you to move data among different computer operating environments. Archives created with SecureZIP for zSeries are compatible with PKZIP for zSeries, PKZIP for MVS, PKZIP for iSeries, PKZIP for OS/400, PKZIP for VSE, PKZIP for UNIX, PKZIP for LINUX, PKZIP for DOS, and PKZIP for Windows. All of these products use the same ZIP archive file format and can work with each other’s archives. As a result, data can be zipped on one platform—for example, UNIX—and unzipped onto another platform, such as OS/400. SecureZIP for zSeries automatically converts the data between EBCDIC and ASCII, so files prepared on the host are readable on any PC or UNIX system.

The following table lists ZIP features supported on different platforms and the version of the ZIP file format Application Note where the features appear.

| ZIP Feature | ZIP AppNote Version | MVS/zSeries | OS400/iSeries |
|---|---|---|---|
| Default | 1.0 | | |
| File represents a volume label | 1.1 | Not supported | Not supported |
| File represents a folder | 2.0 | Not supported | Not supported |
| Deflate compression | 2.0 | 2.x | 2.x |
| Traditional encryption | 2.0 | 2.x | 2.x |
| Deflate64 compression | 2.1 | Not supported | Not supported |
| DCL Implode compression | 2.5 | Not supported | Not supported |
| File is a patched data set | 2.7 | Not supported | Not supported |
| File uses Zip64 size extensions | 4.5 | 5.6 | 5.6 |
| BZip2 compression | 4.6 | Not supported | Not supported |
| DES encryption | 5.0 | 8.0 | 8.0 |
| 3DES encryption | 5.0 | 8.0 | 8.0 |
| RC2 encryption | 5.0 | Not supported | Not supported |
| RC4 encryption | 5.0 | 8.0 | 8.0 |
| AES encryption | 5.1 | 5.5 | 5.5 |
| Certificate encryption using non-OAEP key wrapping | 6.1 | 8.0 | 8.0 |
| Central directory encryption (file name encryption) | 6.2 | 8.0 | 8.0 |

If you want to transfer data across platforms using any other “ZIP compatible” product, you should check with the supplier first to confirm which versions of PKZIP it is compatible with.


2 Introduction to Data Security

In this chapter we will detail how SecureZIP for zSeries can strongly encrypt data for security control and protection. Much of the reference information in this chapter is from the National Institutes of Standards and Technology. The NIST Computer Security Resource Center web site, http://csrc.ncsl.nist.gov/, contains FAQs and documentation relating to computer security along with the Federal Information Processing Standard (FIPS) documents. The PKWARE web site, www.pkware.com, also contains information relating to security and links to the RSA Security, Inc., Web site that provides detailed information on the BSAFE® implementation used in SecureZIP for zSeries.

The following sections describe encryption, types of algorithms in use, information about specific mandates requiring the use of secure data, and how SecureZIP for zSeries secures that data. Examples are provided in Chapter 6.

See Chapter 10 for documentation for the commands.

SecureZIP for zSeries Security Basics

SecureZIP for zSeries security functions include strong encryption tools using RSA BSAFE and the PKWARE implementation of the Advanced Encryption Standard. SecureZIP for zSeries provides the option for password encryption using RC4, DES, 3DES and AES.

SecureZIP for zSeries uses a multi-layer key generation process, based on a user-specified password of up to 200 characters and/or a user's digital certificate, that creates a unique internal key for each file being processed. The same password will result in a different system-generated key for each file.

SecureZIP for zSeries also implements Cipher Block Chaining (CBC) to further enhance industry standard encryption algorithms. This feature ensures that each block of data is uniquely modified, further protecting the data from fraudulent access.

SecureZIP for zSeries encryption is activated through the use of the PASSWORD and RECIPIENT commands. If a value is present for either setting, whether through commands or default settings, then encryption will be attempted in accordance with other settings (for example, ENCRYPTION_METHOD). However, if ENCRYPTION_METHOD=NONE is specified, then encryption will be bypassed.


Archives created under PKZIP for Windows and PKZIP for UNIX using the encryption setting Strong: Recipient List or Password can be decrypted with the password on zSeries systems running release 8.0 or later.

SecureZIP for zSeries signing and authentication features are activated through the use of the SIGN_ARCHIVE, SIGN_FILES and AUTHCHK commands.

Operating System Levels

OS/390 2.10 or any zOS release is required to run certificate-based operations. If your operating system is not at this level, you will receive the message, ZPEN100E Certificate-Based functions require a minimum operating system…. You will receive a RC=12.

Digital Certificate Formats

SecureZIP for zSeries requires that X.509 certificates be used and that they conform to specific formats depending on the type being accessed or administered. See the section “Setting Up Stores for Digital Certificates on zOS,” later in this chapter, for more information.

SecureZIP for Windows Compatibility

Windows users running pre-XP versions of Windows may experience a problem decrypting depending on the way in which private-key certificates are imported on the system. Unless the dialog check box “Mark the private key as exportable” is selected when certificates are imported on pre-XP Windows, Windows will allow an AES encrypted file to be decrypted only if the master session key is wrapped with 3DES.

A new command, Secure_OPT_MSK3DES, is introduced with RECIPIENT processing. It allows the SecureZIP user to create AES-encrypted files that are compatible with older Windows workstations. When turned on, the MSK3DES flag is set in the NDH/DIB, indicating that the master session key information is protected with 3DES when recipients are specified.

PKZIP for Windows has a variance in processing for versions 6.0 and 7.x because of an issue with OAEP encryption processing. PKZIP for Windows 5.0 through 6.0 used OAEP. However, OAEP was found to be incompatible with smart cards, so versions 6.1 and later set a NO_OAEP flag in the NDH/DIB flags and no longer create OAEP encryption-mode files by default.

SecureZIP for zSeries always sets NO_OAEP; therefore, PKZIP for Windows 5.0 - 6.0 will not be able to read recipient-list encrypted files from the large platforms.

SecureZIP for zSeries should be able to detect whether the NO_OAEP flag is set and successfully extract in either case. No change in logic is required within the SecureZIP high-level code, but the low-level EVTCERTD code should handle the switch based on the flag.

General Information to Help You Get Started

How do I activate encryption in SecureZIP for zSeries? Encryption is activated through the use of the PASSWORD (and/or RECIPIENT for SecureZIP) commands. If a value is present for either setting, whether through commands or default settings, then encryption will be attempted in accordance with other settings (such as ENCRYPTION_METHOD). However, if ENCRYPTION_METHOD=NONE is specified, then encryption will be bypassed.

Note that certificate-based encryption for recipients is only supported by SecureZIP, not by PKZIP versions of the product. Also, this mode of encryption requires that one of the strong encryption methods (minimum 128-bit) be selected.

How does MASTER_RECIPIENT affect activation? When SecureZIP is being used to encrypt data, either with RECIPIENT or PASSWORD, then a recipient specified by MASTER_RECIPIENT will be automatically included. However, MASTER_RECIPIENT does not trigger encryption.

How does recipient-based encryption differ from password? Password-based encryption depends on both the sender and receiver knowing, and providing input (the password), in clear text. The password is used to derive a binary master session key for each decryption run. No key information is kept within the ZIP archive, therefore both parties must retain the password in an external location.

Recipient-based encryption provides a means by which the master session key (MSK) information can be hidden, protected, and carried within the ZIP archive. This is done by using a technique known as digital enveloping with public key encryption. The technique requires that the creating process have a copy of the recipient's public key digital certificate, which is used to protect and store the MSK. The receiving side must have a copy of the recipient's private key digital certificate. With these two pieces of information in place, there is no need for users to retain or recall a password for decryption.

What is a Digital Certificate Store? Recipient-based encryption requires that public and private key certificates be used by SecureZIP for zSeries. These are kept in file streams encoded according to the X.509 standard. A certificate store is the location where various types of certificates are kept and accessed.

The primary stores used by SecureZip for zSeries include:

• CSPUB: Certificate store for individual public-key X.509 certificates on the local system.

• CSPRVT: Certificate store for individual private-key X.509 certificates on the local system.

• CSCA: Certificate store for certificate authority public-key X.509 certificates on the local system.

• CSROOT: Certificate store for the trusted root public-key X.509 certificates on the local system.

• LDAP: Certificate store for individual public-key X.509 certificates accessible via a TCPIP network.

Can both recipient-based and password encryption be used together? Yes. When both RECIPIENT and PASSWORD settings are used to encrypt a file, the master session key is derived from the password and is also protected by using public key encryption. This means that the file can be decrypted either by supplying the password or by providing access to a private key associated with a public key used to encrypt.

How does ENCRYPTION_METHOD pertain to recipient or password encryption? Public/private key encryption using BSAFE digitally envelops the master session key information. Once the master session key is determined, an independent file session key is derived (which is unique for each file) to encrypt the file data with a symmetric algorithm specified by ENCRYPTION_METHOD. Several algorithms are supplied with SecureZIP for zSeries. Any algorithm may be specified for use with a password, but only those prefixed with “BSAFE” are valid for use with recipient-based encryption.

Which encryption settings should I choose? Various external factors such as legislative requirements or corporate policy may influence your selection of an algorithm or mode of encryption. However, in general, certificate-based encryption is considered more secure than password-based encryption.

Except for the older 96-bit “Standard” SecureZip for zSeries encryption algorithm, encryption algorithms are provided at a minimum of 128 bits.

PKWARE supports interoperability among OS/390, zOS, OS400, iSeries, UNIX and Windows for all algorithms provided with ENCRYPTION_METHOD for PKWARE products at release 8.0 and later. Older releases of PKWARE products, including PKZIP for VSE and PKZIP for VM, support “Standard” 96-bit encryption.

When RECIPIENT PKI exchanges are required, then ENCRYPTION_METHOD must specify an algorithm whose name begins with “BSAFE”.

Password-based AES encryption is supported by PKWARE products at release 5.5 or higher.

BSAFE_AES and AES password-based encryption are 100% compatible. Archives created with PKZIP for zSeries Release 5.5 can be bi-directionally exchanged with SecureZip or PKZIP products using the BSAFE AES algorithms.

The BSAFE algorithms provided for the OS/390 and zSeries products are high-performance algorithms. The 128-bit BSAFE algorithms out-perform the older 96-bit PKZIP “Standard” algorithm.

How many recipients can be specified? The ZIP file format specification allows for a maximum list size of 3,275 recipients. This can be restricted further by other file attributes associated with the data and by run-time capacity limitations (such as virtual storage). (Approximately 20 bytes are required for each recipient within the ZIP archive central directory record for each file. This area is limited to 64K in size).

What are digital signatures? A digital signature is an unforgeable mechanism that ensures that the file to which it is attached originates from the owner of the signature and is unchanged since it was signed. The private key from a user’s digital certificate is used to attach a digital signature. The signature is authenticated by application of the public key from the certificate.

Files in a ZIP archive can be digitally signed, and an archive itself can be digitally signed. An archive is signed by attaching a signature to its central directory, which contains archive meta-data, including the list of files in the archive.

A signed ZIP archive can contain files that are signed or unsigned (or both). Signing an archive enables people who receive it to confirm that the archive as a whole is not changed. Signing only files in an archive enables people to confirm that the individual signed files are unchanged but does not guarantee that files have not been added or removed.

SecureZIP for Windows can use certificates to sign files and to authenticate digital signatures on files that you receive from others.

SecureZIP for zSeries provides an informational message that a ZIP archive central directory signature exists. SecureZIP for zSeries prevents a ZIP archive from being altered in-place when its central directory is signed.

What is file name encryption? Someone who cannot decrypt the contents of an archive may still be able to infer sensitive information just from the unencrypted names of files. To prevent this, you can encrypt the names of files in addition to their contents. Encrypted file names can be viewed in the clear—that is, unencrypted—only when the archive is opened by an intended recipient, if the archive was encrypted using a recipient list, or by someone who has the password, if the archive was encrypted using a password.

SecureZip for zSeries encrypts file names using your current settings for (strong) encryption method and algorithm. File names can be encrypted using either strong password encryption or a recipient list (or both). You must use one of the strong encryption methods: you cannot encrypt file names using traditional encryption.

Encrypting names of files and folders in an archive encrypts and hides a good deal of other internal information about the archive as well. To encrypt file names, SecureZip for zSeries encrypts the archive's central directory, where virtually all such metadata about the archive is stored. Be aware, however, that archive comments are not encrypted even when you encrypt file names. Do not put sensitive information in an archive comment.

An archive that contains encrypted file names requires PKZIP for zSeries 8.0 or SecureZIP for zSeries 8.0 or later to open it. SecureZIP for zSeries 8.0 can use passwords, recipients, or a combination of the two to do filename encryption. With PKZIP for zSeries, only passwords can be used to do filename encryption.

Encryption

Encryption provides confidentiality for data. Unencrypted data is called plaintext. Encryption transforms the plaintext data into an unreadable form, called ciphertext, using an encryption key. Decryption transforms the ciphertext back into plaintext using a decryption key.

Several algorithms have been approved in FIPS for the encryption of general purpose data. Each of these algorithms is a symmetric key algorithm, where the encryption key is the same as the decryption key. SecureZIP for zSeries uses symmetric key algorithms when encrypting user data.

In order to maintain the confidentiality of the data encrypted by a key, the key must be known only by the entities that are authorized to access the data. These symmetric key algorithms are commonly known as block cipher algorithms because the encryption and decryption processes each operate on blocks (chunks) of data of a fixed size.

FIPS 46-3 and FIPS 197 have been approved for the encryption of general-purpose data. The protection of keys is discussed below under “Key Management.”

Authentication

Authentication is the process of validating digital signatures that may be attached to files in an archive or to an archive’s central directory.

Authentication is a separate operation from data encryption. Whereas encryption is concerned with preventing parties from accessing sensitive data (such as private medical or financial information), authentication confirms that information actually comes unchanged from the purported source.

Authenticating digitally signed data both verifies the signature and validates the signed data.

Data Integrity

SecureZIP uses a Cyclic Redundancy Check (CRC) to ensure that data is successfully transferred into and out of a ZIP archive. The CRC process creates a unique hash value “thumbprint” from the original data stream. The thumbprint is regenerated at the receiving end and compared with the hash of the source for equality. The thumbprint value is stored independently of the data stream and is used during UNZIP processing to complete validation of the data.

SecureZIP extends the concept of the CRC in two ways for the purpose of providing a tamper-resistant container within the ZIP archive. First, more rigorous HASH algorithms (MD5 and SHA-1) are used (as specified by the SIGN_HASHALG command) in place of the 32-bit CRC to accurately reflect the uniqueness of the data stream. Second, the hash value is encrypted within a digital signature using a private-key certificate to protect it from tampering.

For more information regarding SHA-1 (Secure Hash Algorithm), see FIPS PUB 180-1, describing the Secure Hash Standard, at http://www.itl.nist.gov/fipspubs/fip180-1.htm.

SecureZIP for zSeries provides two commands, SIGN_ARCHIVE and SIGN_FILES, to initiate the creation of digital signatures within the ZIP archive. The AUTHCHK command is used to perform a tamper check operation using the digital signature and hash.

Digital Signature Validation

SecureZIP makes use of certificate-based encryption within the public key infrastructure (PKI) to generate and validate digital signatures. PKI provides an authentication chain for certificates to guarantee that the signature was created by the purported source. SecureZIP supports the certificate chain authentication process by including necessary identification information within the ZIP archive. Subsequently, the certificate(s) used for signing can be authenticated through a complete chain of trust.

To complete the chain of trust, a root (or self-signed) certificate representing the certificate’s issuing organization is installed on the authenticating system. This provides the receiving organization with the authority to declare how the final trust sequence should be treated. Signatures based on certificates from certificate authorities (CA) that are not authorized or trusted are declared as being untrusted by SecureZIP.

Additional facets of validating a certificate’s viability for use include a defined range of dates within which a certificate may be used and whether the certificate has been declared to have been revoked. Configurable SecureZIP policies (EXPIRED and REVOKED attributes) provide support to ensure that the certificates involved in authentication also adhere to these restrictions.

SecureZIP for zSeries provides a means to install and access the certificates necessary for signing and authentication. The AUTHCHK command, along with configured policy settings, governs the type (archive directory or data files) and level of authentication that is to be performed.

Digital Signature Source Validation

A final step in completing the authentication process is to ensure that the archive and/or file data was sent from a particular source. Up to this point, using the previous two aspects of authentication, we are certain that the archive directory and/or files were signed with a private-key certificate that came from a trusted source (CA) and that the data stream has not been tampered with since it was placed into the ZIP archive. However, these steps alone do not guarantee that a different party under the same root/CA chain did not perform the signing operation.

SecureZIP for zSeries provides an optional parameter in the AUTHCHK command to declare the specific party from whom the data is expected.

Public-Key Infrastructure and Digital Certificates

Public-Key Infrastructure (PKI)

Use of digital certificates for encryption and digital signing relies on a combination of supporting elements known as a public-key infrastructure (PKI). These elements include software applications such as SecureZIP that work with certificates and keys as well as underlying technologies and services.

The heart of PKI is a mechanism by which two cryptographic keys associated with a piece of data called a certificate are used for encryption/decryption and for digital signing and authentication. The keys look like long character strings but represent very large numbers. One of the keys is private and must be kept secure so that only its owner can use it. The other is a public key that may be freely distributed for anyone to use to encrypt data intended for the owner of the certificate or to authenticate signatures.

How the Keys Are Used

With encryption/decryption, a copy of the public key is used to encrypt data such that only the possessor of the private key can decrypt it. Thus anyone with the public key can encrypt for a recipient, and only the targeted recipient has the key with which to decrypt.

With digital signing and authentication, the owner of the certificate uses the private key to sign data, and anyone with access to a copy of the certificate containing the public key can authenticate the signature and be assured that the signed data really proceeds unchanged from the signer.

Authentication has one additional step. As an assurance that the signer is who he says he is—that the certificate with Bob’s name on it is not fraudulent—the signer’s certificate itself is signed by an issuing certificate authority (CA). The CA in effect vouches that Bob is who he says he is. The CA signature is authenticated using the public key of the CA certificate used. This CA certificate too may be signed, but at some point the trust chain stops with a self-signed root CA certificate that is simply trusted. The PKI provides for these several layers of end-user public key certificates, intermediate CA certificates, and root certificates, as well as for users’ private keys.

X.509

X.509 is an International Telecommunication Union (ITU-T) standard for PKI. X.509 specifies, among other things, standard formats for public-key certificates. A public-key certificate consists of the public portion of an asymmetric cryptographic key (the public key), together with identity information, such as a person’s name, all signed by a certificate authority. The CA essentially guarantees that the public key belongs to the named entity.

Digital Certificates

A digital certificate is a special message that contains a public key and identity information about the owner, such as the owner’s name and perhaps email address. An ordinary, end-user digital certificate is digitally signed by the CA that issued it to warrant that the CA issued the certificate and has received satisfactory documentation that the owner of the certificate is who he says he is. This warrant, from a trusted CA, enables the certificate to be used to support digital signing and authentication, and encryption of data uniquely for the owner of a certificate.

For example, Web servers frequently use digital certificates to authenticate the server to a user and create an encrypted communications session to protect transmitted secret information such as Personal Identification Numbers (PINs) and passwords.

Similarly, an email message may be digitally signed, enabling the recipient of the message to authenticate its authorship and that it was not altered during transmission.

To use PKI technology in SecureZIP for zSeries for encryption and to attach digital signatures, you must have a digital certificate. To learn how to get a digital certificate and to use certificates for encryption, see Chapter 6.

Certificate Authority (CA)

A certificate authority (CA) is a company (usually) that, for a fee, will issue a public-key certificate. The CA signs the certificate to warrant that the CA issued the certificate and has received satisfactory documentation that the owner of the new certificate is who he says he is.

Private Key

A digital certificate contains both private and public portions of an asymmetric cryptographic key together with identity information, such as a person's name and (possibly) email address. The private portion of the key is called the private key and is used to decrypt data encrypted with the associated public key and to attach digital signatures.

A private key must be accessible solely by the owner of the certificate because it represents that person and provides access to encrypted data intended only for the owner.

SecureZIP for zSeries uses a private key maintained in x.509 PKCS#12 format. This means that the private key cannot be accessed unless a password is entered for each SecureZIP request.

Public Key

A public key consists of the public portion of an asymmetric cryptographic key in a certificate that also contains identity information, such as the certificate owner’s name.

The public key is used to authenticate digital signatures created with the private key and to encrypt files for the owner of the key’s certificate.

For information on the digital enveloping process SecureZIP for zSeries uses for certificate-based encryption, see the Secure .ZIP Envelopes whitepaper at the PKWARE Web site.

Certificate Authority and Root Certificates

End entity certificates and their related keys are used for signing and authentication. They are created at the end of the trust hierarchy of certificate authorities. Each certificate is signed by its CA issuer and is identified in the “Issued By” field in the end certificate. In turn, a CA certificate can also be issued by a higher level CA. Such certificates are known as intermediate CA certificates. At the top of the issuing chain is a self-signed certificate known as the root.

SecureZIP for zSeries uses public-key certificates in PKCS#7 format. The intermediate CA certificates are maintained independently from the ROOT certificates.

Setting Up Stores for Digital Certificates on zOS

To use certificates for encryption/decryption or digital signing/authentication, SecureZIP needs to access the keys in the certificates.

Unlike Windows, zOS does not have a native facility for storing digital certificates and converting them into a form that SecureZIP can use. To address this, SecureZIP provides a utility program to set up and manage certificate stores on zOS for use with SecureZIP.

Setting Up the Certificate Stores

The PKWARE utility used to administer the local certificate store is accessed through an ISPF dialog. The CREATE option assists you in setting up the store and imports certificates you want SecureZIP to use. For detailed instructions on creating certificate stores on zOS, refer to the SecureZIP for zSeries System Administrator’s Guide.

The utility procedure maintains the stores listed in the following table.

Store: Public
Description: A store for end-entity certificates used to identify encryption recipients or for authentication of digital signatures. Certificate files in this store contain only public keys; they do not contain private keys. SecureZIP for zSeries represents these certificates held in the local certificate store through the ISPF interface as “CER” entries. Other system types may refer to this store as “Other People” or “Address Book”.

Store: Private
Description: A store for end-entity certificate files with their respective private keys. Private keys are used to decrypt files or perform digital signing. SecureZIP for zSeries represents these certificates held in the local certificate store through the ISPF interface as “PFX” entries. (Private keys in this store are encrypted using PKCS#8 format and PKCS#5 version 2.) Other system types may refer to this store as “Personal” or “MY Store”.

Store: Intermediate Certificate Authority
Description: A store of issuing certificate files associated with the end-entity certificates. These certificates are used to authenticate the validity of an end-entity digital signature on a receiving system. They are also included in a SecureZIP archive when a signing operation is performed. Other system types may refer to this store as “CA”.

Store: Trusted Root Certificate Authority
Description: A store of issuing certificates that are classified as “self signed,” meaning that each one is at the top of a hierarchy of issuing CAs. These certificates are used to authenticate the validity of an end-entity digital signature on a receiving system. They are deemed to be “trusted” by virtue of their installation on an authenticating system. They are also included in a SecureZIP archive when a signing operation is performed. Other system types may refer to this store as “ROOT”.

The local certificate store administrative utility sets up the certificate stores as physical files containing X.509 certificates, with a VSAM index structure providing search and selection capabilities.

A SecureZIP for zSeries “create” dialog is provided to lead a systems administrator through the steps needed to allocate and prime a new local certificate store. Sample test certificates are installed to each store type, making it ready for use. In addition, a configuration file is generated that should be made accessible for SecureZIP users for use in encryption, decryption, signing, and authentication requests. The configuration file may be included explicitly through an INCLUDE_CMD command, or implicitly by activating it through the PARMLIB configuration of the SecureZIP defaults module.

A set of high-level qualifiers is used to control the allocation of the physical store data sets and index components. This permits multiple distinct local certificate stores to be created, administered and accessed independently within a system. This is useful for segregating test from production, or other departmental separation. Data set protection may then be applied to various components to control update or read access as needed.

RACF ALTER authority (or equivalent) must be granted to the systems administrator responsible for creating a new certificate store. This authority is also required for creating backups, performing recovery operations, or performing some synchronization tasks which re-allocate components.

Updating the Certificate Stores

X.509 certificates may be added to the local certificate store through the SecureZIP local certificate store administration tool. These certificates are frequently obtained through another platform and transferred (binary) to the operational zOS system for installation.

Important Note: All X.509 certificates should be transferred to the local zOS environment in binary mode with no translation.

When certificates are added, the certificate administration tool determines the appropriate store location based on the certificate type specified and dynamically builds an index entry for future search and selection.

SecureZIP can import certificates and keys in the following file formats:

Format: PEM
Description: Contains a single end-entity public-key certificate. It may be in Base-64 encoded (ASCII text with ASCII headers) or DER-encoded binary format.
Common file extensions: .pem, .cer, .key

Format: PKCS#12
Description: Contains a single end-entity private-key certificate (which also contains its public keys). By definition, it is in binary format.
Common file extensions: .pfx, .p12

Format: PKCS#7
Description: Contains one or more CA (and/or Root) certificates.
Common file extension: .p7b

You must tell the certificate store administrative dialog what certificate file-type and key-type to import. The utility copies the existing certificates and keys from their specified location and adds them to the appropriate store locations. When transferring certificates to the zOS environment in preparation for an import to the local certificate store, be sure to allocate the file they are stored in as sequential, with a DCB RECFM of F, FB, V or VB.

RACF UPDATE authority (or equivalent) must be granted to the systems administrator responsible for altering the certificate store. This authority is also required when performing the on-line Synchronize function.

Types of Encryption Algorithms

FIPS 46-3, Data Encryption Standard (DES)

The FIPS (Federal Information Processing Standards) specification 46-3 formerly specified the DES algorithm for use in Federal government applications. In 2004, the specification was changed such that DES is no longer approved for Federal government applications.

Triple DES Algorithm (3DES)

Triple DES is a more recent algorithm related to DES. Triple DES is a method for encrypting data in 64-bit blocks using three 56-bit keys by combining three successive invocations of the DES algorithm.

ANSI X9.52 specifies seven modes of operation for 3DES and three keying options: 1) the three keys may be identical (one key 3DES), 2) the first and third key may be the same but different from the second key (two key 3DES), or 3) all three keys may be different (three key 3DES). One key 3DES is equivalent to DES under the same key; therefore, one key 3DES, like DES, will not be approved after 2004. Two key 3DES provides more security than one key 3DES (or DES), and three key 3DES achieves the highest level of security for 3DES. NIST recommends the use of three different 56-bit keys in Triple DES for Federal Government sensitive/unclassified applications.

SecureZIP for zSeries uses three-key 3DES when Triple DES is selected as the data encryption algorithm.

Advanced Encryption Standard (AES)

The Advanced Encryption Standard (AES) encryption algorithm specified in FIPS 197 is the result of a multiyear, worldwide competition to develop a replacement algorithm for DES. The winning algorithm (originally known as Rijndael) was announced in 2000 and adopted in FIPS 197 in 2001.

The AES algorithm encrypts and decrypts data in 128-bit blocks, with three possible key sizes: 128, 192, or 256 bits. The nomenclature for the AES algorithm for the different key sizes is AES-x, where x is the size of the AES key. NIST considers all three AES key sizes adequate for Federal Government sensitive/unclassified applications.

Please see http://www.nist.gov/public_affairs/releases/g00-176.htm for a press release recapping NIST’s position.

SecureZIP for zSeries uses AES as the default encryption algorithm.

Comparison of the 3DES and AES Algorithms

Both the 3DES and AES algorithms are considered to be secure for the foreseeable future. Below are some points of comparison:

• 3DES builds on DES implementations and is readily available in many cryptographic products and protocols. The AES algorithm is new; although many implementers are quickly adding the algorithm to their products, and protocols are being modified to incorporate the algorithm, it may be several years before the AES algorithm is as pervasive as 3DES.

• The AES algorithm was designed to provide better performance (e.g., faster speed) than 3DES.

• Although the security of block cipher algorithms is difficult to quantify, the AES algorithm, at any of the key sizes, appears to provide greater security than 3DES. In particular, the best attack known against AES-128 is to try every possible 128-bit key (i.e., perform an exhaustive key search, also known as a brute force attack). By contrast, although three key 3DES has a 168-bit key, there is a “shortcut” attack on 3DES that is comparable, in the number of required operations, to performing an exhaustive key search on 112-bit keys. However, unlike exhaustive key search, this shortcut attack requires a lot of memory. Assuming that such shortcut attacks are not discovered for the AES algorithm, the use of the AES algorithm may be more appropriate for the protection of high-risk or long-term data.

• The smallest AES key size is 128 bits; the recommended key size for 3DES is 168 bits. The smaller key size means that fewer resources are needed for the generation, exchange, and storage of key bits.

• The AES block size is 128 bits; the 3DES block size is 64 bits. For some constrained environments, the smaller block size may be preferred; however, the larger AES block size is more suitable for cryptographic applications, especially those requiring data authentication on large amounts of data.

See http://www.nist.gov/public_affairs/releases/g00-176.htm for a press release describing NIST’s position on the two algorithms.

With a block cipher algorithm, the same plaintext block will always encrypt to the same ciphertext block whenever the same key is used. If the multiple blocks in a typical message were to be encrypted separately, an adversary could easily substitute individual blocks, possibly without detection. Furthermore, data patterns in the plaintext would be apparent in the ciphertext. Cryptographic modes of operation have been defined to alleviate these problems by combining the basic cryptographic algorithm with a feedback of the information derived from the cryptographic operation.

FIPS 81, DES Modes of Operation, defines four confidentiality (encryption) modes for the DES algorithm specified in FIPS 46-3: the Electronic Codebook (ECB) mode, the Cipher Block Chaining (CBC) mode, the Cipher Feedback (CFB) mode, and the Output Feedback (OFB) mode.

SecureZIP for zSeries uses Cipher Block Chaining for data encryption.

RC4

The RC4 algorithm is a stream cipher designed by Rivest for RSA Security. It is a variable key-size stream cipher with byte-oriented operations. The algorithm is based on the use of a random permutation. Analysis shows that the period of the cipher is overwhelmingly likely to be greater than 10^100. Eight to sixteen machine operations are required per output byte, and the cipher can be expected to run very quickly in software. Independent analysts have scrutinized the algorithm and it is considered secure.

RC4 is used for secure communications, as in the encryption of traffic to and from secure web sites using the SSL protocol.

Key Management

The proper management of cryptographic keys is essential to the effective use of cryptography for security. Keys are like the combination of a safe. If the combination becomes known to an adversary, the strongest safe provides no security against penetration. Similarly, poor key management can easily compromise strong algorithms. Ultimately, the security of information protected by cryptography directly depends on the strength of the keys, the effectiveness of mechanisms and protocols associated with keys, and the protection afforded the keys.


Cryptography can be rendered ineffective by the use of weak products, inappropriate algorithm pairing, poor physical security, and the use of weak protocols. All keys need to be protected against modification, and secret and private keys need to be protected against unauthorized disclosure. Key management provides the foundation for the secure generation, storage, distribution, and destruction of keys.

Further information is available on key management at the NIST Computer Security Resource Center web site, http://csrc.nist.gov/CryptoToolkit/tkkeymgmt.html

Passwords and PINS

FIPS 112, Password Usage, provides guidance on the generation and management of passwords used to authenticate the identity of a system user and, in some instances, to grant or deny access to private or shared data. This standard recognizes that passwords are widely used in computer systems and networks for these purposes, although passwords are not the only method of personal authentication, and the standard does not endorse the use of passwords as the best method.

The password used to encrypt a file with SecureZIP for zSeries may be from 1 to 200 characters in length. Different passwords may be used for various files within a ZIP archive, although only one password may be specified per run.

The password is not stored in the ZIP archive and, as a result, care must be taken to keep passwords secure and accessible by some other source.

Recipient Based Encryption

Password-based encryption depends on both the sender and the receiver knowing the password and supplying it, as intellectual input, in clear text. The password is used to derive a binary master session key for each decryption run. No key information is kept within the ZIP archive; therefore, both parties must retain the password in an external location.

Recipient-based encryption provides a means by which the master session key (MSK) information can be hidden, protected, and carried within the ZIP archive. This is done by using a technique known as digital enveloping with public key encryption. The technique requires that the creating process have a copy of the recipient's public key digital certificate, which is used to protect and store the MSK. In addition, the receiving side must have a copy of the recipient's private key digital certificate. With these two pieces of information in place, there is no need for users to retain or recall a password for decryption.

Random Number Generation

Random numbers are used within many cryptographic applications, such as the generation of keys and other cryptographic values, the generation of digital signatures, and challenge response protocols. Some approved algorithms to produce random numbers have been specified in FIPS 186-2, Digital Signature Standard. An effort is in progress by the Financial Services Committee of ANSI to develop a random number generation standard.


Integrity of Public and Private Keys

Public and private keys must be managed properly to ensure their integrity. The key owner is responsible for protecting private keys. The private signature key must be kept under the sole control of the owner to prevent its misuse. The integrity of the public key, by contrast, is established through a digital certificate issued by a certification authority (CA) that cryptographically binds the individual’s identity to his or her public key. Binding the individual’s identity to the public key enables the key to be reliably used, for example, to authenticate signatures created with the corresponding private key.

A PKI includes the ability to recover from situations where an individual’s private signature key is lost, stolen, compromised, or destroyed. This is done by revoking the digital certificate that contains the private signature key’s corresponding public key (discussed further below). The user then creates or is issued a new public/private signature key pair and receives a new digital certificate for the new public key.


3 SecureZIP for zSeries Release Information

Release Summary

New Features

New features in SecureZIP for zSeries Release 8.1 include:

• Advanced signing and authentication security features. SecureZIP for zSeries offers the ability to digitally sign the archive directory and/or files for secure messaging and storage.

• New SIGN_ARCHIVE command

• New SIGN_FILES command

• New AUTHCHK command

• New return code = 6 for authentication failures

• Add PKSUPPRC(ZPEN035E) Archive Authentication Failure

• Add PKSUPPRC(ZPEN045E) File Authentication Failure

• Add PKSUPPRC(ZPEN039E) Archive Authentication Incomplete

• Add PKSUPPRC(ZPEN049E) File Authentication Incomplete

• Add PKSUPPRC(ZPEN057W) Certificate Validation Failed

• New SIGNAL_ZIP64 command

New features in SecureZIP for zSeries Release 8.0 include:

• Advanced password and certificate-based security features. SecureZIP for zSeries offers multiple methods of encryption and is an excellent choice for secure messaging and storage.

• Access certificates in directory servers via an LDAP compliant interface. SecureZIP for zSeries can look for certificates in LDAP certificate stores. SecureZIP for zSeries can automatically search these stores for recipients to whom you are sending an email message so that you can use their keys when encrypting an attachment. Requires the optional Directory Integration Feature.


• BSAFE® Encryption

• Add PKSUPPRC(ZPEN002W) Algorithm not supported by this release.

• Add PKSUPPRC(ZPEN020W) FILENAME_ENCRYPTION has been deactivated in the output archive

New features introduced with PKZIP for zSeries Release 5.6:

• ZIP64 Large File Support to:

• Compress files > 4 gigabytes in size

• Compress up to 4 billion files (previously 65,535)

• Handle filenames up to 1,024 characters (previously 256)

• Allow for archives > 4 gigabytes in size

• Provide faster archive directory search processing

• Virtual Storage Constraint Relief by reducing file management control block sizes.

• A new User API for UNZIP file name transformation - allowing users to generate their own MVS names from UNIX-based file names. This feature utilizes the new FILENAME_API suite of commands

• A new User API for ZIP Data Record transformation - allowing users to filter records and convert binary numeric data to clear text display numerics prior to compression. This feature utilizes the new DATA_TRANS_API suite of commands

• Add INCLUDE_CMD command that assists the user in converting EBCDIC records into the correct TEXT format for a different platform target.

• Add INCLUDE_SFX command that adds a self-extracting program to the beginning of the archive for extraction on specified releases of AIX, HP/UX, LINUX, Sun Solaris or Windows.

• A new summary processing report at the end of each invocation.

• Add FILENAME_SELECT_CASE command to control case-insensitivity for UNZIP filename selection.

• Add LICENSE_WTO_INFO control switch to support automation traps for license expiration events.

• Add ARCHIVE_MULTIVOL, OUTFILE_MULTIVOL and TEMP_SPACE_MULTIVOL commands to support extended multi-volume allocation support for archives, output files and work files.

• Add PKSUPPRC(ZPCM032W) to suppress RC=4 when cataloged files are not found to be compressed.

New features introduced with PKZIP for MVS Release 5.5:

• Advanced Encryption (password-based, using the AES encryption algorithm)

• Improved Compression

• Enhanced File Filtering Capabilities

• PASSWORD echo masking


• Add ACTION(COPY)

• Add CHECK_SYSIN_MEMBER command

• Add ENCRYPTION_METHOD command

• Add EXCLUDE command

• Add KEY_PROTECT_LEVEL command

• Add PKSUPPRC command

• Add PRESERVE_CMD_SPACE command

• Rebuilt Messages Manual

• DOC Memory Usage Info

• DOC Abend S213-30 (IEC143I) when competing with UNZIP to PDS

• PANVALET Subsystem Support for command input

New Commands and Defaults

The following commands or their default values were introduced in the specified release.

Release | Command | Description | Values
8.1 | AUTHCHK | Perform an authentication check against a signed archive directory or files | User-selectable
8.1 | PKSUPPRC(ZPEN035E) | Archive authentication failed | User-selectable
8.1 | PKSUPPRC(ZPEN039E) | Archive authentication unsuccessful | User-selectable
8.1 | PKSUPPRC(ZPEN045E) | File authentication failed | User-selectable
8.1 | PKSUPPRC(ZPEN049E) | File authentication unsuccessful | User-selectable
8.1 | PKSUPPRC(ZPEN057W) | Certificate Validation Failed | User-selectable
8.1 | SIGN_ARCHIVE | Sign the archive central directory | User-selectable
8.1 | SIGN_FILES | Sign files added to the archive | User-selectable
8.1 | SIGN_HASHALG | Specify digital signature hash algorithm | User-selectable
8.1 | SIGNAL_ZIP64 | Provides control over the creation of archives using ZIP64 extensions | User-selectable
8.1 | TRANSLATE_TABLE_DATA | Load module containing translation tables for EBCDIC/ASCII Text data conversion. | EBC#8859
8.1 | TRANSLATE_TABLE_FILEINFO | Load module containing translation tables for EBCDIC/ASCII File name and password conversion. | EBC#8859
8.0 | ENCRYPT_CERT_LIMIT | Restricts the number of certificates used for each encrypted file | User-supplied
8.0 | FILENAME_ENCRYPTION | Specifies whether the archive central directory is to be strongly encrypted | Y|N|blank
8.0 | LDAP_ENCRYPT_CERT_SELECT | Restricts the number or type of certificates used in encrypting a file. | User-supplied
8.0 | MASTER_RECIPIENT | This enables an enterprise to decrypt and access the file(s) when other RECIPIENTs are no longer able or eligible. | User-supplied
8.0 | PKSUPPRC(ZPEN002W) | Algorithm not supported for this release. | User-selectable
8.0 | PKSUPPRC(ZPEN020W) | FILENAME_ENCRYPTION has been deactivated in the output archive | User-selectable
8.0 | RECIPIENT | Identifies the eligible party that may decrypt the file(s) | User-supplied
8.0 | SECUREZIP_CONFIG | Specifies a member that contains the cert store configuration commands to be included during processing | User-supplied
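Because PKSUPPRC suppresses the return code for the named message, a command stream that names one of the 8.1 authentication or certificate-validation messages from the table above deserves review. The check below is an added example, not part of SecureZIP: the sample command stream is constructed, and its one-command-per-line layout and the `*` comment marker are assumptions to be checked against the command reference.

```python
import re

# Message IDs and descriptions taken from the 8.1 rows of the table above.
AUTH_MESSAGES = {
    "ZPEN035E": "Archive authentication failed",
    "ZPEN039E": "Archive authentication unsuccessful",
    "ZPEN045E": "File authentication failed",
    "ZPEN049E": "File authentication unsuccessful",
    "ZPEN057W": "Certificate Validation Failed",
}

# PKSUPPRC(<message id>) as written in the table; matched case-insensitively.
PKSUPPRC_RE = re.compile(r"PKSUPPRC\s*\(([^)]*)\)", re.IGNORECASE)

# Constructed command stream (assumed layout: one command per line,
# lines starting with "*" treated as comments).
SAMPLE_STREAM = """\
* constructed sample, not from a real job
ACTION(COPY)
PKSUPPRC(ZPAM092E)
PKSUPPRC(ZPEN035E)
pksupprc(zpen057w)
* PKSUPPRC(ZPEN045E)
"""


def find_auth_suppressions(stream):
    """Return (line number, message id, description) for every PKSUPPRC
    entry that suppresses an authentication-related message."""
    findings = []
    for lineno, line in enumerate(stream.splitlines(), start=1):
        text = line.strip()
        if not text or text.startswith("*"):  # assumed comment marker
            continue
        for match in PKSUPPRC_RE.finditer(text):
            # Split defensively in case several IDs share one command.
            for msg_id in re.split(r"[,\s]+", match.group(1).strip().upper()):
                if msg_id in AUTH_MESSAGES:
                    findings.append((lineno, msg_id, AUTH_MESSAGES[msg_id]))
    return findings


if __name__ == "__main__":
    for lineno, msg_id, description in find_auth_suppressions(SAMPLE_STREAM):
        print(f"line {lineno}: PKSUPPRC({msg_id}) suppresses '{description}'")
```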

The following commands were introduced in the 5.x releases.

Release | Command | Description | Values
5.6 | ARCHIVE_FASTSEEK | Performance improvement for archive read access. | Y|N
5.6 | ARCHIVE_SPACE_MULTIVOL | Control multi-volume allocation of the archive data set. | Y|N
5.6 | DATA_TRANS_API_ERRLIM | Unused at this time | 0
5.6 | DATA_TRANS_API_ERROR | Intended action when a user API program error occurs. | STOPRUN, IGNORE, ABEND
5.6 | DATA_TRANS_API_LANGUAGE | Programming language/linkage used for the DATA_TRANS_API user program. | ASM, COBOL
5.6 | DATA_TRANS_API_NAME | Load module name of User program used to modify data records during SECZIP processing. | User-supplied
5.6 | DATA_TRANS_API_PARM | Data string to be passed to the User API program. | User-supplied
5.6 | DATA_TRANS_API_TRACE | Tracing level for API operation. | 0 – 4
5.6 | DATA_TRANS_API_WORKSIZE | Size of persistent work area provided by SECZIP to the user program. | 4096
5.6 | FILENAME_API_ERRLIM | Unused at this time | 0
5.6 | FILENAME_API_ERROR | Intended action when a user API program error occurs. | STOPRUN, IGNORE, ABEND
5.6 | FILENAME_API_LANGUAGE | Programming language/linkage used for the FILENAME_API user program. | ASM, COBOL
5.6 | FILENAME_API_NAME | Load module name of User program used to convert archive file names to MVS Data Set names during EXTRACT processing. | User-supplied
5.6 | FILENAME_API_PARM | Data string to be passed to the User API program. | User-supplied
5.6 | FILENAME_API_TRACE | Tracing level for API operation. | 0 – 4
5.6 | FILENAME_API_WORKSIZE | Size of persistent work area provided by SECUNZIP to the user program. | 4096
5.6 | FILENAME_SELECT_CASE | Affect archive filename selection case sensitivity. | M (mixed), U (upper)
5.6 | INCLUDE_CMD | Include batched commands from a partitioned library. | User-supplied member
5.6 | INCLUDE_SFX | Create a self-extracting archive | SFXAIX SFXWIN SFXHP SFXSUN SFXLNX2I
5.6 | LICENSE_WTO_INFO | Support console message automation for expiring license. (Specify in the defaults module). | Y|N
5.6 | NOAPI | The Language Environment CEEPIPI environment associated with User API programs (such as DATA_TRANS_API) will not be initialized. | User-supplied
5.6 | OUTFILE_SPACE_MULTIVOL | Control multi-volume allocation of an Output data set during EXTRACT. | Y|N
5.6 | PKSUPPRC(ZPCM032W) | Override the default RC=4 that is generated when a requested file is not found for ZIP processing. | User-selectable
5.6 | TEMP_SPACE_MULTIVOL | Control multi-volume allocation of Temporary work files. | Y|N
5.5 | CHECK_SYSIN_MEMBER | Verifies a command input stored in a PDS or PDSE member. | Y|N
5.5 | DATA_TYPE(DETECTX) | Provides automatic detection and translation of ASCII text during UNZIP processing (similar to DETECT for ZIP processing). | Default remains as “DETECT”.
5.5 | EXCLUDE | Enhanced file filtering capabilities. | User-supplied
5.5 | KEY_PROTECT_LEVEL | Specifies a relative intensity of encryption key protection. | 1 / 2
5.5 | PKSUPPRC | Allows the return code to be suppressed on certain conditions. | ZPAM092E - Nothing to do. ZPAM093W - No Files match: Initializing/Copying Archive. ZPEX013 - Truncation.
5.5 | PRESERVE_CMD_SPACE | Preserves or removes blanks preceded by a “|”. | Y|N
5.5 | SUPPRESS_DYNALLOC_MSGS | Specifies that the dynamic allocation messages in job log be suppressed. | NODYNMSGS

Command Changes

The default values for the following commands have been changed. When assembling an existing installation defaults module (ACZDFLT), these values should be reviewed for applicability and adjusted as required.

Upgrade Notes

• Installations suppressing the //SYSIN PDS member verification for performance reasons with PROC_OPT1=N (available with PKZIP for MVS 5.0.10 maintenance) in ACZDFLT should change to CHECK_SYSIN_MEMBER=N in the assembly of ACZDFLT. PROC_OPT1 is no longer used for this purpose in PKZIP for MVS Release 5.5 or SecureZIP for zSeries.

• Installations controlling the //SYSPRINT DCB attributes with PROC_OPT2 (available with PKZIP for MVS 5.0.10 maintenance) in ACZDFLT should change to SYSPRINT_DCB in the assembly of ACZDFLT. PROC_OPT2 is no longer used for this purpose in PKZIP for MVS Release 5.5 or SecureZIP for zSeries.

• Installations utilizing the filename case-insensitivity feature with PROC_OPT3=U (available with PKZIP for MVS 5.5.0 maintenance) in ACZDFLT should change to FILENAME_SELECT_CASE=U in the assembly of ACZDFLT. PROC_OPT3 is no longer used for this purpose in SecureZIP for zSeries.

• Upgrade note: Installations previously using text translation tables other than EBC#8859 for TRANSLATE_TABLE_DATA or TRANSLATE_TABLE_FILEINFO should review the data translation characters used. The newer default tables in EBC#8859 use the IBM ICONV standard character sets for IBM-1047 EBCDIC and ISO-8859-1 ASCII. In general, the newer default table is better for general-purpose text translation than the older ASCIIUS, ASCIIUSE, ASCIIUK, and ASCIIUKE tables. However, the older tables are still provided for compatibility in case installation-dependent processing requires translation of specialized character sets.


Release | Command | Old Values | New Values
8.0 | ENCRYPTION_METHOD | STANDARD, AES128, AES192, AES256 | STANDARD, AES128, AES192, AES256, BSAFE_AES128, BSAFE_AES192, BSAFE_AES256, BSAFE_DES, BSAFE_3DES, BSAFE_RC4
5.6 | No changes since PKZIP for MVS 5.5
5.5 | ARCHIVE_DIR_BLOCKS | 10 | 56
5.5 | ARCHIVE_SPACE_PRIMARY | 100 | 10
5.5 | ARCHIVE_SPACE_SECONDARY | 100 | 10
5.5 | ARCHIVE_SPACE_TYPE | TRK | CYL
5.5 | ARCHIVE_UNIT | SYSALLDA | SYSDA
5.5 | COMPRESSION_LEVEL | NORMAL | SUPERFAST
5.5 | MULTI_THREAD_LIMIT | 1 | 3
5.5 | OUTFILE_SPACE_TYPE | TRK | CYL
5.5 | OUTFILE_SPACE_PRIMARY | 100 | 10
5.5 | OUTFILE_SPACE_SECONDARY | 100 | 10
5.5 | OUTFILE_UNIT | SYSALLDA | SYSDA
5.5 | PASSWORD | Increased Maximum length to 200 characters.
5.5 | PARMLIB_DSNAME_ZIP | NULLFILE
5.5 | PARMLIB_DSNAME_UNZIP | NULLFILE
5.5 | PROCESS_ALIAS | N | Y
5.5 | SAVE_FILE_ATTRIBUTES | BOTH | CENTRAL
5.5 | TEMP_UNIT | NULL | SYSDA
5.5 | VSAM_SPACE_PRIMARY | 100 | 10
5.5 | VSAM_SPACE_SECONDARY | 100 | 10
5.5 | VSAM_SPACE_TYPE | TRK | CYL


Message Changes

The table below identifies new and changed messages for SecureZIP for zSeries Version 8.0. Be sure to review this table before using SecureZIP for zSeries Version 8.0. (The SECZIP.MVS.HELP library contains the actual message text and explanation for each).

Message ID number New Changed

IEF238D X

ZPAM046E X

ZPAM046I X

ZPAM046W X

ZPAM096E X

ZPAM203E X

ZPAM290I X

ZPAM312C X

ZPAM319I X

ZPAM320I X

ZPAM321I X

ZPAM322I X

ZPAM323I X

ZPAM324I X

ZPAM325I X

ZPAM326I X

ZPAM700I X

ZPAM702I X

ZPAM710I X

ZPAM711I X

ZPAM712I X

ZPAM713I X

ZPAM713I X

ZPAM796W X

ZPAP001E X

ZPAP003E X

ZPAP008E X

ZPAP009E X

ZPAP102E X

ZPCM009E X

ZPCM021C X

ZPCM021I X

ZPCM022C X

ZPCM022I X

ZPCM023C X

ZPCM023I X

ZPCM024C X

ZPCM024I X

ZPCM025C X

ZPCM025I X

ZPCM027I X

ZPCM028I X

ZPCM046E X

ZPCM902E X

ZPCS121E X

ZPCS200I X

ZPCS201W X

ZPCS202W X

ZPCS203W X

ZPCS211I X

ZPEN007E X

ZPEN008E X

ZPEN009E X

ZPEN010I X

ZPEN011W X

ZPEN013I X

ZPEN014I X

ZPEN015I X

ZPEN017E X

ZPEN018W X

ZPEN019W X

ZPEN020W X

ZPEN021I X

ZPEN022C X

ZPEN022I X

ZPEN023I X

ZPEN032I X

ZPEN035I X

ZPEN039E X

ZPEN049E X

ZPEN100E X

ZPEN101E X

ZPEN101E X

ZPEN102E X

ZPEN103E X

ZPEN103E X

ZPEN104E X

ZPEN105E X

ZPEN105E X

ZPEN109T X

ZPEN109T X

ZPEN110I X

ZPEN121E X

ZPEX004I X

ZPEX014W X

ZPEX016W X

ZPEX017W X

ZPEX081E X

ZPEX083I X

ZPEX193W X

ZPEX193W X

ZPLI235E X

ZPMT901E X

The table below identifies new and changed messages for PKZIP for zSeries Version 5.6.

Message ID number New Changed

ZPAM007I X

ZPAM014I X

ZPAM017I X

ZPAM032I X

ZPAM033I X

ZPAM045W X

ZPAM085W X

ZPAM094E X

ZPAM095E X

ZPAM140I X

ZPAM162I X

ZPAM163E X

ZPAM203E X

ZPAM204E X

ZPAM254I X

ZPAM255I X

ZPAM560I X

ZPAM561I X

ZPAM700I X

ZPAM701E X

ZPAM910I X

ZPAM950E X

ZPAP001I X

ZPAP001E X

ZPAP002E X

ZPAP003E X

ZPAP004E X

ZPAP005E X

ZPAP006E X

ZPAP007E X

ZPAP008E X

ZPAP009E X

ZPAP010I X

ZPAP011I X

ZPAP020E X

ZPAP021E X

ZPAP050E X

ZPAP051E X

ZPAP090E X

ZPAP091E X

ZPAP100I X

ZPAP101E X

ZPAP102E X

ZPAP200I X

ZPAP201E X

ZPAP202E X

ZPAP290E X

ZPCM032W X

ZPCM045W X

ZPCM901E X

ZPCM902E X

ZPCO085E X

ZPCO111I X

ZPEX111I X

ZPFM080E X

ZPFM080I X

ZPFM560I X

The table below identifies new and changed messages for PKZIP for MVS Version 5.5.

Message ID number New Changed

ZPAM010I X

ZPAM082W X

ZPAM255I X

ZPAM291I X

ZPAM292I X

ZPEN001I X

ZPEN002W X

ZPEN003W X

ZPEN004E X

ZPCM019E X

ZPCM203E X

ZPEX082E X

ZPEX083I X


Enhancements for Secure Data

The following enhancements for strong security were introduced with PKZIP for MVS 5.5 and are carried forward to SecureZIP for zSeries.

• The ENCRYPTION_METHOD command

• The password will no longer be echoed in the SYSPRINT stream. The value “PASSWORD(**********)” will be displayed instead.

• When entering passwords on the ISPF panels, the input field has been changed to non-display. A password verification field has been added on the password prompting screens to assist you in verifying that the correct password has been entered. However, the password may be displayed by selecting a panel option.

Restrictions for SecureZIP for zSeries

The following restrictions apply to SecureZIP for zSeries:

• In environments that do not use the Integrated Catalog Facility (ICF), SECZIP cannot function fully. It is unable to rename the temporary dataset it creates as a ZIP archive to the name specified by you. The integrity of the ZIP archive is not impaired in any way and archived files can be extracted successfully. However, the temporary dataset name of the ZIP archive should be changed to the name required by you after SECZIP has completed.

• When two (or more) files from a ZIP archive are extracted with the same MVS dataset name, the last file will overwrite any previous file(s).

• When a dataset is spread over more than 31 volumes, SecureZIP for zSeries may not restore the dataset to the identical volumes.

• Extracting to a GDG dataset via OUTFILE_DD will result in the use of the user-specified DCB values. The user must ensure that these values are appropriate to the record lengths being written.

• The number of files or PDS members that can be processed in one operation may be restricted by the number of concurrent DD’s that can be used in the address space (for example, by the size of the TIOT). For further information on this limit, see the documentation for DD statements in the IBM JCL User’s Guide.

• Some IDCAMS DEFINE Cluster options can be specified at the Cluster and Data (and Index if appropriate) levels. However, a few of these options, when specified using ARCH* or OUT* commands during SECZIP or SECUNZIP operations, will set only the Data (and Index) components. This is because some ARCHIVE_* and OUTFILE_* commands that apply to Cluster, Data, and Index components currently set both the data and index attributes and ignore the Cluster level component. In the future, these may set the Cluster level option only. Commands that may change in this way are shown in the following table. For these commands, it is recommended that the ARCHDATA* and ARCHINDX*, or OUTDATA* and OUTINDX*, options be used.


SECUNZIP Command | Comments
ARCHEEXT | Is effectively the same as setting both ARCHDATAEEXT and ARCHINDXEEXT.
ARCHOWNER | Is effectively the same as setting both ARCHDATAOWNER and ARCHINDXOWNER.
OUTEEXT | Is effectively the same as setting both OUTDATAEEXT and OUTINDXEEXT.
OUTOWNER | Is effectively the same as setting both OUTDATAOWNER and OUTINDXOWNER.

• When processing tape datasets without a tape license, SECZIP and SECUNZIP may request that a tape be mounted prior to checking that the product is not actually licensed to process the tape. In this circumstance, the tape mount must be satisfied before SecureZIP for zSeries processing will proceed, even when this processing will just inform you that it is not possible to process the tape.

• PDS members containing positioning information (for example load members with overlay sections) are not supported. In certain circumstances these might be processed with unpredictable results.

• PDSE program objects are not currently supported in native format. IEBCOPY should first be used to offload the PDSE Library to a sequential file and the resulting sequential file can be archived. Subsequently, after extracting the unloaded version of the PDSE, it can be reloaded with IEBCOPY.

• GZIP (GNU zip) file processing has a number of restrictions as documented in Chapter 12.

• Dataset alias entries can be used to select datasets, however, the true name will be used to process filename associations in the archive. The dataset alias name is not retained.

• Values for dynamic allocation requests by SecureZIP for zSeries may be added, altered, or removed by installation-dependent storage management services, for example, DF/SMS. Allocation results may be different from those specified by SecureZIP for zSeries commands or default values.

• SecureZIP for zSeries makes use of access method services user I/O routines for SYSIN and SYSPRINT file requests. OEM products and/or installation-written routines that modify standard IBM processing for these exits should not be active during SECZIP processing.

• OS/390-dependent data types, such as binary load modules, may not be usable on other platforms. That is, SecureZIP for zSeries does not convert executable programs from one system platform to another.

• Although it is possible for archives to be appended to other archives in a dataset during a ZIP process (for example, DISP=(MOD,CATLG) in MVS, or using the UNIX append “>>” operator for files), this is not recommended. The result is that “dead” archives are carried along in the file, and various ZIP products will read the file differently, with some looking for the ZIP archive directory structure from the beginning, others from the end of the file.

SecureZIP for zSeries attempts to read the first archive found from the beginning of the file, for performance reasons and to perform an archive integrity check. If an inconsistency in the initial header structures exists, a secondary search from the back of the archive will be attempted. SecureZIP for zSeries will accept up to 64k of non-archive data at the end of the archive file when searching for the end of the directory (from the back). This limit does not apply when the local directory structure is intact.

For more information regarding data formats, see Chapter 8.

• SecureZIP for zSeries is designed to work with archives and compression methods starting with the PKZIP 2.x standard. Although the implode algorithm was used in PKZIP 1.x, SecureZIP for zSeries 8.0 retains the ability to extract the older compression method’s files.

• Internal to the Zip archive, file dates are saved as a count of the number of years from 1980. Because only six bits are used to store this date, a limit of 64 years (2**6) can be symbolized. This representation will successfully allow dates to be shown through the year 2043.

• IBM has restricted licensing for some components of zOS.e, such as Language Environment Compatibility Preinitialization (CEEPIPI) for some languages. Therefore some languages cannot be used for the SECZIP User API facility when running under zOS.e. (SecureZIP for zSeries uses CEEPIPI to prepare the language environment for high-level language user API programs.)
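The appended-archive restriction above can be checked mechanically. This is an added example, not taken from SecureZIP: it runs a front reader and a back reader over two concatenated archives to show that they report different members, and it bounds the backward search by the 64K allowance mentioned above. The function names and the in-memory sample archives are constructed for illustration.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"    # local file header
CENTRAL_SIG = b"PK\x01\x02"  # central directory file header
EOCD_SIG = b"PK\x05\x06"     # end of central directory (EOCD) record
EOCD_MIN = 22                # EOCD length with an empty archive comment


def make_zip(name, data):
    """Build a one-member archive in memory (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def name_from_front(blob):
    """Front reader: take the member named by the first local header."""
    if blob[:4] != LOCAL_SIG:
        return None
    name_len = struct.unpack_from("<H", blob, 26)[0]
    return blob[30:30 + name_len].decode("cp437")


def find_eocd(blob, max_trailing=64 * 1024):
    """Back reader: locate the last EOCD record, allowing at most
    max_trailing bytes of other data after it."""
    if len(blob) < EOCD_MIN:
        return None
    lowest = max(0, len(blob) - EOCD_MIN - max_trailing)
    pos = blob.rfind(EOCD_SIG, lowest, len(blob) - EOCD_MIN + 4)
    return pos if pos >= 0 else None


def names_from_back(blob, max_trailing=64 * 1024):
    """Member names listed by the central directory found from the back."""
    pos = find_eocd(blob, max_trailing)
    if pos is None:
        return None
    total, cd_size = struct.unpack_from("<HI", blob, pos + 10)
    # The directory sits immediately before the EOCD; using pos - cd_size
    # rather than the stored offset stays correct when data precedes it.
    p = pos - cd_size
    if p < 0:
        return None
    names = []
    for _ in range(total):
        if blob[p:p + 4] != CENTRAL_SIG:
            return None  # inconsistent directory
        n, e, c = struct.unpack_from("<HHH", blob, p + 28)
        names.append(blob[p + 46:p + 46 + n].decode("cp437"))
        p += 46 + n + e + c
    return names


def readers_disagree(blob):
    """True when the front reader's member is absent from the back reader's list."""
    front = name_from_front(blob)
    back = names_from_back(blob)
    return front is not None and back is not None and front not in back


if __name__ == "__main__":
    first = make_zip("first.txt", b"one")
    both = first + make_zip("second.txt", b"two")  # archive appended to archive
    print("front reader sees:", name_from_front(both))
    print("back reader sees: ", names_from_back(both))
    print("readers disagree: ", readers_disagree(both))
    print("70000 trailing bytes:", names_from_back(both + b"\0" * 70000))
```

A file for which `readers_disagree` returns True will show different contents to different ZIP tools, so it is worth rejecting or rebuilding before it is scanned or distributed.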

Region Size and Storage

Older versions of PKZIP (v2.x) used work files to translate and then compress data before adding it to an archive file. Using these work files, very little REGION space was needed to run a job, since this space was used to handle the processing once the REGION had been consumed. Note that this approach can create a substantial amount of I/O.

SecureZIP for zSeries Version 8.0 recommends a REGION value of 32M or higher. A value greater than 16,384K or 16M and less than or equal to 32,768K or 32M gives the job all the storage available below 16 megabytes. The resulting size of the region below 16 megabytes is installation-dependent. The extended region size is the default value of 32 megabytes. The purpose behind this requirement is to increase speed and reduce I/O. However, if you run out of virtual storage, then temporary files must be used to hold work space information. MEMORY_MODEL(MEDIUM or SMALL) will give SECZIP the outlet that it needs to handle the condition.

SECZIP processing attempts to keep file management control information and compressed data in 31-bit virtual storage to maximize performance. In the event that 31-bit storage is constrained (by combinations of installation restrictions, high file volumes, and high data volumes), the following commands may be used to reduce 31-bit storage requirements for a given run.

• DATA_STORAGE

• MULTI_THREAD_LIMIT

• MEMORY_MODEL(SMALL|MEDIUM|LARGE) controls where file management control blocks are held, such as control blocks describing an archive file with its attributes.


When MEMORY_MODEL(LARGE) is specified or defaulted, all SECZIP control blocks are held in 31-bit virtual storage.

When either SMALL or MEDIUM is specified, the file descriptor information is spilled to a set of work files to be sorted, merged, and selected. Note that file descriptors are built for both files existing in the input archive and new files to be selected, so the aggregate count must be managed. Approximate sizes for each file descriptor are as follows:

• VSAM - 2.5K.

• Sequential - 800 bytes.

• PDS/PDSE - 800 bytes for base dataset + 224 bytes per member.

• DATA_STORAGE(MAX|xM) controls the amount of 31-bit virtual storage used to hold transient compressed data. When the amount of storage specified is exceeded, the data is processed through work files (controlled by the TEMP_... suite of commands).

• MULTI_THREAD_LIMIT(number) specifies the number of concurrent subtask sets to run for ZIP or UNZIP processing. When a count greater than 1 is used, additional copies of modules, work areas, and buffers are allocated to handle the processing.

SMS Dataclass Considerations

SecureZIP parameters overlap with several SMS data class parameters. In general, SMS data class specifications will provide default values in place of SecureZIP default settings. Explicit SecureZIP commands (SYSIN, PARMLIB, included command streams and EXEC PARM values) will be presented to dynamic allocation as overrides for any default setting.

Due to the way DFSMS handles override requests, sub-groups of parameters are defined in SecureZIP to assist with control of where default values should come from. These subgroups are:

• Allocation SPACE

• Directory Blocks

• Volume Count

• DCB Attributes

DFSMS data classes may or may not contain values for all of the attribute sets above. SecureZIP provides a means of identifying which sets of attributes should be expected to be handled by SMS data classes so that SecureZIP does not specify its own default values. (DFSMS receives control after SecureZIP has built its list and does not provide a means by which SecureZIP can systematically pre-determine which values will be provided by SMS).

DFSMS groups allocation type (cylinders, tracks, etc.), primary space, and secondary space into a category. If even one of these values is provided in an allocation request, then SMS will not provide its default values for the remaining entries.

For example, if ARCHIVE_SPACE_PRIMARY is provided as a command, then SecureZIP needs to supply the TYPE and SECONDARY default values even if a DATACLASS is specified.

DFSMS treats the Directory Block allocation value separately from other space parameters. In the previous example, SecureZIP will not provide its default ARCHIVE_DIRBLKS value even though it provides the other allocation attributes. This is consistent with SMS data class operations.

SecureZIP makes use of temporary files during various phases of processing that have very specific DCB attribute requirements. For this reason, SecureZIP will specify the necessary overrides regardless of TEMPFILE_DATACLASS usage.

Note for users of PKZIP for MVS and PKZIP for zSeries 5.6

Previous levels of maintenance for release 5.6 specified a volume count even if it was 1. The maintenance level associated with fix TT1777 eliminated VOLCNT=1 from the allocation request. In addition, the maximum number specified for any of the MULTIVOL=Y commands is now 59 to be consistent with system limitations for DASD devices. If a unit type other than DASD is assigned (either explicitly or indirectly through SMS), and a volume count greater than 59 is desired, then MULTIVOL=N should be specified in SecureZIP, and an SMS data class should be designated which can assign the desired volume count.

Reserved DDNAMEs

The following DDNAMEs are reserved for use by SecureZIP for zSeries:

ARCHTEMP - used for STAGE_TAPE_TO_DISK(y).

PKSPRINT - alternate SYSPRINT DD name when directed to a file.

ZPDIRIN - used when processing requires input archive file descriptors to be spilled to work file.

ZPDIRSRT - used when processing requires input archive file descriptors to be sorted in a work file.

ZPFILIN - used when input file descriptors require sorting.

ZPFILSRT - used when input file descriptors require sorting.

ZIPCDS - license control dataset.

FNETMPCD - used for various FILENAME_ENCRYPTION processes.

The following DDNAMES are reserved, but may be modified with a customized ACZDFLT module:

ARCHIN - ARCHIVE_INFILE

ARCHOUT - ARCHIVE_OUTFILE

PARMLIB - DDNAME_PARMLIB

SYSIN - DDNAME_SYSIN

SYSPRINT - DDNAME_SYSPRINT

ZPSRTIN - DDNAME_ZPSORTIN

ZPSRTOUT - DDNAME_ZPSORTOUT

SYSPRINT

By default (unless overridden in the ACZDFLT module with DDNAME_SYSPRINT), //SYSPRINT is used for SECZIP logging. This does not conflict with utilities used internally unless the SYSPRINT is directed to a physical file. Because utilities such as SORT may use a different set of DCB characteristics than SECZIP, a change to PKSPRINT for sysout will occur.

PKSPRINT

//PKSPRINT is used when the SORT utility is internally invoked and the //SYSPRINT DD statement is determined to be allocated as a non-JES SYSOUT file. If not already allocated to the jobstep, SECZIP will dynamically allocate this DD to the SYSOUT= value specified in SYSPRINT_SYSOUT_CLASS from the installation defaults module.

PKNODUMP

If //PKNODUMP is allocated to the job step before invoking SECZIP, a //SYSABEND DD will not be dynamically allocated.

Use of System Utilities

SORT

SecureZIP for zSeries uses the system SORT utility to manage archive directory entries, during both match/merge procedures and View processing.

Access Method Services

SecureZIP for zSeries invokes this utility to locate cataloged files, define VSAM clusters, and handle Delete/Rename processing for an updated archive.

IEBGENER

IEBGENER is called to open the PANVALET input stream (according to the DDNAME_SYSIN specification in the active ACZDFLT module) and copy the data. The temporary file will be dynamically allocated with the TEMP_SPACE_TYPE settings.

GRS/ENQ

Data set serialization is normally performed through the use of the allocation DISP value. This makes use of the SYSDSN major name for GRS/ENQ processing.

When archive creation or update processing is performed with dynamic allocation, a temporary ZIP archive data set is created with DISP=NEW,CATLG. The input archive (if one exists) is allocated as DISP=OLD to ensure that only one update process is performed against the logical archive at a time. Once the temporary target archive has been successfully updated, the original input archive is deleted, and the new temporary archive is renamed to the original name.

When an output archive or extract target (outfile) is intended to be a member of a partitioned data set, an allocation is performed for the data set with a disposition in accordance with the setting for OUTFILE_PDS_ENQ. In addition, an exclusive ENQ with a major name of SPFEDIT is performed against the member.

SecureZIP for zSeries update processing for administration of the local certificate store uses DISP=OLD serialization against the VSAM Cluster specified in the profile for CSPUB_DBX=. Run-time processing for SECZIP and SECUNZIP performs a SYSDSN ENQ for this data set as DISP=SHR. This allows multiple run-time users for certificate store searches, or one administrative update process. Jobs requiring read access for locating certificates wait until an update process completes and then continue processing.

License control data set (ZIPCDS DD) access is normally performed with DISP=SHR allocation. However, when a newly accessed feature requires that an update be done, an additional ENQ is performed using QNAME(PKZIPCDS) for the update process to serialize on.

The SecureZIP for zSeries programs are not re-entrant. To protect run-time integrity against inadvertent simultaneous calls into the mainline programs, a STEP level ENQ is performed with QNAME(PKZIP) RNAME(RUNNING).

4 Licensing

Initializing the License

Evaluation Period

You may obtain a key from the Sales Division to use to generate an evaluation license that allows full use of the product for 30 days. Contact PKWARE anytime during this period to obtain licensing to use the product beyond the initial period.

You can reach the Sales Division at 937-847-2374 or email [email protected].

For technical support, contact the Product Services Division at 937-847-2687 or online at http://www.pkware.com/support.

When you receive the license control card information from PKWARE, you build the license data set using the Build License program. There is a sample job stream in member LICUPDAT in the installation data set (INSTLIB). Executing this job stream updates the LICENSE data set and reports the license status of SecureZIP for zSeries at your location.

Release Licensing

Each release of SecureZIP for zSeries requires that a new license key be obtained from Customer Service and that a new license record be generated. The new release will fail with the message ZPLI901E Product License is Invalid if the license data set is used from a previous release.

Show System Information

To display hardware and software information at your location, run the sample job stream in member LICSHSYS in the Installation Data set (seczip.mvs.INSTLIB). Executing this job stream displays a Show System Information report.

Following is a sample of the report:

ZPLI210I PKWARE - Display System Information - Version 8.1
SecureZIP(TM) is a trademark of PKWARE (R), Inc.
PKZIP (R) is a registered trademark of PKWARE (R), INC.
For Licensing, please contact the Sales Division at 937-847-2374 or email [email protected]
For Technical Support assistance, please contact the Product Services Division at 937-847-2687 or go on-line at http://www.pkware.com/support
Thursday 03/18/2004 (2004.078) 09:20:31
CPU model 2066 with 1 online
Service units per second per online CPU is 5612.07.
Approximate total MIPS (SUs/SEC / 48.5 * #CPUs) is 115.71.
Central Processing Complex (CPC) Node Descriptor:
CPC ND = 002066.0B1.IBM.02.00000001263B
CPC ID = 00
Type(002066) Model(0B1) Manufacturer(IBM) Plant(02) Seq Num(00000001263B)
CPU serial number for CPU 0 is 04263B2066 (4263B), version code 00, Model(0B1).
JES2 z/OS 1.4
DFSMS z/OS 1.3.0
Model from CPC SI

Reporting the SecureZIP for zSeries License

The procedures below describe how to obtain this report.

• Edit the SECZIP.MVS.INSTLIB(LICPRINT) member, supply a job card, and substitute the default line below. In the line, SECZIP.MVS represents the high-level qualifier for your installation.

//LICENSE PROC HLVL=SECZIP.MVS

After you submit this job, the output should give you a return code of zero (RC=00) and the following additional lines.

ZPLI200I A LICENSE REPORT HAS BEEN REQUESTED ON 02/02/05 AT 9:56am VER: 8.1 IN PKZIP.MVS.LICENSE
ZPLI200I For Technical Support assistance, please contact Product Services Division
ZPLI200I at 937-847-2687 or go on-line at http://www.pkware.com/support
*******************************************************************************************
ZPLI200I SecureZIP (TM) IS LICENSED TO CUSTOMER # 000012805
ZPLI200I - CUSTOMER NAME - PKWARE, INC
ZPLI200I CPU model 2066 with 1 online
ZPLI200I Service units per second per online CPU is 5612.07
ZPLI200I Approximate total MIPS (SUs/SEC / 48.5 * #CPUs) is 115.71
ZPLI200I CEC MSU per hour capacity is 20 - LPAR MSU per hour capacity is 20
ZPLI200I Central Processing Complex (CPC) Node Descriptor: CPC ND = 002066.0B1.IBM.02.00000001263B
ZPLI200I CPC ID = 00 Type(002066) Model(0B1) Manufacturer(IBM) Plant(02) Seq Num(00000001263B)
ZPLI200I CPU serial number for CPU 0 is 04263B2066 (4263B), version code 00, model 0B1.
ZPLI200I Model from CPC SI
*******************************************************************************************
ZPLI200I COMPRESSION IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400
ZPLI200I DECOMPRESSION IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400
ZPLI200I DECRYPTION IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400
ZPLI200I GZIP SUPPORTED FILES LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400
ZPLI200I ISPF IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400
ZPLI200I COMMAND LINE INTERFACE IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400
ZPLI200I ADVANCED ENCRYPTION MODULE IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400
ZPLI200I DIRECTORY INTEGRATION MODULE IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400
ZPLI200I SELF EXTRACTION CREATOR IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400

Applying a License Key or Authorization Code

• Transfer the license file, provided by PKWARE, from the PC to the host. Be sure to convert the data from ASCII to EBCDIC and insert CR/LFs. Alternatively, you can copy the authorization code from the text file and paste it to the LICENSE member of the INSTLIB.

• After the file has been transferred or copied to the host, edit the INSTLIB(LICUPDAT) member, supply a job card, and modify the following line of JCL:

//LICENSE PROC HLVL=SECZIP.MVS,URUNIT=SYSDA,URVOL=WORK01

In this line, SECZIP.MVS is your high level qualifier for your installation. URUNIT and URVOL are the target unit and volume for the installed SECZIP product.

SecureZIP for zSeries Grace Period

PKWARE recognizes that there may be periods where the licensing environment established by the customer is no longer valid. Circumstances such as disaster recovery processing or the installation or upgrade of new processors will affect the environment.

To accommodate the installation, SecureZIP for zSeries has a process that will allow you to continue to use the product for a grace period of five days when the established licensing environment is no longer valid. Note that the user must have write authority on the license dataset to invoke the grace period. This authority is only required the first time PKZIP/PKUNZIP is run after a CPU change has occurred; it is not required after the grace period has been successfully invoked (this is one time per CPU, not one time per IPL).

During the grace period, error messages will be displayed on the console (and the printout) for each execution of SecureZIP for zSeries. At the end of the period, if the license is not updated, the product will no longer function for the new CPUs except to VIEW an archive. The five-day grace period is designed so that the program will not cease to function on a weekend or the Monday following the five-day grace period. You must contact PKWARE at [email protected] during the grace period to obtain licensing to allow extended use.

Running a Disaster Recovery Test

There are no special procedures necessary in order for you to use SECZIP during a disaster recovery test. Because SECZIP licensing allows for such contingencies, you can perform the following process to have SECZIP run at the DR site with a RC=00.

1. First, copy the production image of SECZIP from the production system over to the Disaster Recovery system.

2. Once on the system, simply run SECZIP from the CPU you want, and SECZIP will run conditionally for five days with a RC=00.

Again, it is important to contact PKWARE at [email protected] within this time frame if necessary to resolve the licensing conflict.

5 Getting Started with SecureZIP for zSeries

SecureZIP for zSeries is a broad, flexible product on the OS/390 and z/OS platforms, allowing for compression/decompression and encryption of files. It is fully compliant with other ZIP-compatible compression products running on other operating systems. However, if you are licensed for SecureZIP for zSeries Advanced Encryption, this feature is only compatible with other PKWARE products enabled for this feature.

Because the ZIP standard for text data storage is ASCII, SecureZIP for zSeries facilitates conversion between the ASCII and EBCDIC character sets. Therefore, compressed text files can be transferred between IBM mainframe environments and systems using either character set. Some of these platforms include DOS, Windows, UNIX/Linux, and iSeries.

In addition to ZIP archive format support, SecureZIP for zSeries can also produce and manipulate (GNU) GZIP-format archives. Additional information on this subject can be found in Chapter 12.

Introduction to SecureZIP for zSeries

SecureZIP for zSeries consists of two separate executable programs:

• SECZIP - Compresses datasets into an archive.

• SECUNZIP - Decompresses and extracts datasets from an archive.

To use either of these programs, you must specify:

• Commands, which tell SECZIP or SECUNZIP what processing they are to perform and how they are to do it. Commands are identified by a preceding hyphen (“-”). For example, -ARCHIVE_DSN is the command that designates the dataset name for the ZIP archive containing compressed data.

• File selections, which identify the files to be compressed into an archive (SECZIP) or decompressed from an archive (SECUNZIP). File selections are distinguished from commands because they are not preceded by a hyphen.

Commands and file selections can be specified in a number of ways. The most common way, which is the way that will be used in the examples presented in this chapter, is to run SECZIP and SECUNZIP as batch jobs using JCL and specify the commands and file selections through SYSIN, as shown in the next section.

Invoking SECZIP or SECUNZIP Using JCL

In these examples, you will be running SecureZIP for zSeries in batch by submitting JCL. SecureZIP for zSeries can also be executed using the ISPF panels interface, called from a user-written program, or from a TSO environment with REXX or CLISTs.

The example below demonstrates the basic JCL statements required to run SECZIP.

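//<job card>                                        (1)
//ZIP      EXEC PGM=SECZIP,REGION=8M                (2) (3)
//STEPLIB  DD DISP=SHR,DSN=SECZIP.MVS.LOAD          (4)
//SYSPRINT DD SYSOUT=*                              (5)
//SYSIN    DD *                                     (6)
-ARCHIVE_DSN(MY.ARCHIVE.ZIP)                        (7)
<commands>                                          (7)
/*
//

The numbers in parentheses refer to the notes below and are not part of the JCL.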

Notes to the example above

1. <job card> should be replaced with the job details required for running this job, in accordance with your installation standards.

2. To add, update, freshen, delete, or view compressed files within a ZIP archive, use the ‘SECZIP’ program. To extract, test, or view compressed files in a ZIP archive use the ‘SECUNZIP’ program.

3. SecureZIP for zSeries should normally run within a region size of 32Mb; however, this value is dependent on the number and type of files being processed. If you encounter storage problems, then this value should be increased if possible.

4. STEPLIB specifies the library that contains SecureZIP for zSeries. SECZIP may be placed in the JOBLIB DD or in one of the libraries shared by all MVS processing, for example, LNKLST, in which case there is no need to use the STEPLIB DD.

5. SYSPRINT contains all the messages output by SECZIP. A SYSABEND DD card will be dynamically allocated by default if one is not supplied.

6. SYSIN is the usual mechanism for supplying commands to SECZIP. Alternatively you can use the PARM parameter on the EXEC statement, the //PARMLIB DD, or a combination of all three.

7. Commands, such as this one, specify the processing to be carried out.

Return Codes

SECZIP issues a completion code dependent on the results of the processing that was carried out. The completion code can take the following values:

0 Processing has completed without errors being detected.

4 A warning message has been output but processing has continued.

6 An authentication error was encountered while processing a signed archive central directory or File.

8 or higher An error has occurred during processing; refer to the error messages for more details.

12 A syntax error or configuration setup error was encountered. The command and/or combination of commands should be reviewed. The error can include inappropriate processing when attempting to locate digital certificates for encryption or authentication functions.

The final completion code issued is the maximum value of the conditions found during the run. A return code greater than zero indicates that there are one or more warning or error messages in the job output.
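The return codes listed above can be checked mechanically from a captured SYSPRINT. The following Python example is added here and is not PKWARE code; it assumes the ZPMT002I completion line and the ZPAM140I counter lines take the form shown in this guide's sample job output. The function names, the acceptance threshold and the sample text are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Completion line, in the form shown in the guide's sample output:
#   ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)
COMPLETION = re.compile(r"^ZPMT002I\s.*RC=\S+\s+(\d+)\(Dec\)")
# Message IDs such as ZPAM030I or ZPLI901E. Reading the last letter as a
# severity flag (I = informational, E = error) is an assumption based on those IDs.
MSG_ID = re.compile(r"^(Z[A-Z]{3}\d{3})([A-Z])\s+(.*)$")


def classify_rc(rc: int) -> str:
    """Map a completion code to the meaning given in the Return Codes list."""
    if rc == 0:
        return "ok"
    if rc == 4:
        return "warning"
    if rc == 6:
        return "authentication-error"
    if rc == 12:
        return "syntax-or-configuration-error"
    if rc >= 8:
        return "error"
    return "unlisted"  # values the guide does not describe


@dataclass
class StepResult:
    rc: Optional[int] = None                       # None: no ZPMT002I line found
    counters: dict = field(default_factory=dict)   # from the ZPAM140I pair
    flagged: list = field(default_factory=list)    # non-informational messages

    @property
    def verdict(self) -> str:
        return "incomplete" if self.rc is None else classify_rc(self.rc)


def parse_sysprint(text: str) -> StepResult:
    result, header = StepResult(), None
    for raw in text.splitlines():
        line = raw.strip()
        done = COMPLETION.match(line)
        if done:
            rc = int(done.group(1))
            # The final code is the maximum condition found, so keep the highest.
            result.rc = rc if result.rc is None else max(result.rc, rc)
            continue
        msg = MSG_ID.match(line)
        if not msg:
            continue  # echoed commands and file selections carry no message ID
        msg_id, severity, body = msg.groups()
        if severity != "I":
            result.flagged.append(f"{msg_id}{severity} {body}")
        if msg_id == "ZPAM140":
            parts = body.split()
            if body.startswith("FILES:") and len(parts) >= 2:
                # Header row: FILES: <ACTION> EXCLUDED BYPASSED IN ERROR
                header = [parts[1], "EXCLUDED", "BYPASSED", "IN ERROR"]
            elif header:
                values = [p.replace(",", "") for p in parts]
                if len(values) == len(header) and all(v.isdigit() for v in values):
                    result.counters = dict(zip(header, map(int, values)))
                header = None
    return result


def accept(result: StepResult, max_rc: int = 4) -> bool:
    """Fail closed: a step with no completion line is never accepted.

    RC 6 (authentication error) is below 8, so a gate that only rejects
    RC 8 and above would accept it; the default threshold of 4 does not.
    """
    if result.rc is None:
        return False
    return result.rc <= max_rc and result.counters.get("IN ERROR", 0) == 0


# Constructed samples built from message formats that appear in this guide.
EXTRACT_OK = """\
ZPAM030I INPUT Archive opened: MY.ARCHIVE.FILE.ZIP
ZPEX002I MY/INPUT/DATA/SEQ
ZPEX003I Extracted to MY.INPUT.DATA.SEQ
ZPAM140I FILES: EXTRACTED EXCLUDED BYPASSED IN ERROR
ZPAM140I 1 0 0 0
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)
"""
AUTH_FAILURE = """\
ZPAM030I INPUT Archive opened: MY.ARCHIVE.FILE.ZIP
ZPMT002I PKZIP processing complete. RC=00000006 6(Dec)
"""
NO_COMPLETION = """\
ZPLI901E Product License is Invalid
"""

if __name__ == "__main__":
    for name, text in [("extract", EXTRACT_OK), ("auth", AUTH_FAILURE),
                       ("truncated", NO_COMPLETION)]:
        r = parse_sysprint(text)
        print(name, r.verdict, r.counters, r.flagged, accept(r))
```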

Compressing a Dataset

The following example shows how to compress a data set using SecureZIP for zSeries.

//ZIP      EXEC PGM=SECZIP,REGION=8M
//STEPLIB  DD DISP=SHR,DSN=SECZIP.MVS.V56.LOAD
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
-ARCHIVE_DSNAME(MY.ARCHIVE.FILE.ZIP)
-ARCHIVE_UNIT(SYSDA)
MY.INPUT.DATA.SEQ
/*

This step will give the following output:

ZPLI001I SecureZIP for zSeries (TM), Data Compression, Version 8.0 - 09/06/02
ZPLI001I Copyright. 2004 PKWARE Inc. All Rights Reserved.
ZPLI001I SecureZIP(TM) is a trademark of PKWARE (R), Inc.
ZPLI001I Registered, Processor Type=7060 Processor Group=00 Serial Number=00052
ZPLI001I OS Level: HBB7703 SP6.1.0
-ARCHIVE_DSN(MY.ARCHIVE.FILE.ZIP)
-ARCHIVE_UNIT(SYSDA)
MY.INPUT.DATA.SEQ
ZPAM030I OUTPUT Archive opened: MY.ARCHIVE.FILE.ZIP
ZPAM253I ADDED File MY.INPUT.DATA.SEQ
ZPAM254I as MY/INPUT/DATA/SEQ
ZPAM255I (DEFLATED 93%/93%)
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)

In this case, the sequential data set MY.INPUT.DATA.SEQ is to be compressed into the new ZIP archive MY.ARCHIVE.FILE.ZIP, which is created on a SYSDA volume.

Notes for Dataset Compression

• A ZIP archive can be considered as a large envelope or box into which the compressed files are placed. Note, however, that an empty dataset is not the same as an empty archive. ZIP archives created by SecureZIP for zSeries cannot be pre-allocated; only SecureZIP for zSeries should be used to create new archives.

• You tell SECZIP how to create the ZIP archive. By default ZIP archives are created as sequential datasets and allocated using half track blocking. However, you have full control over the type of archive created and how it is created using the various ARCHIVE_* commands.

• SECZIP compresses datasets using a file selection. Any command that does not begin with a “-” is considered to be a file selection. In the previous example, we told SECZIP to compress the sequential dataset MY.INPUT.DATA.SEQ.

• You can specify a file for compression via an INFILE_DD statement if you prefer, but a file selection has the advantage of wildcards. For example, to compress a specific group of files, you could type MY.INPUT.DATA.*. This file selection would inform SECZIP to compress every dataset that begins with the previous qualifying nodes. SECZIP can compress up to 65,535 datasets or up to 4Gb of data.

• To ensure cross-platform compatibility, all MVS dataset names are converted to the standard SECZIP UNIX format, such as MY/INPUT/DATA/SEQ. When you unzip the file, the conversion is reversed to recreate the original MVS name. See ZIPPED_DSN_SEPARATOR for more information about the character used to separate levels.

The compressed version of the sequential data set in a ZIP archive is sometimes called a zipped file.

Viewing the Contents of an Archive

The following example shows how to use SecureZIP for zSeries to view the contents of the ZIP archive created in the previous example.

//STPZIP   EXEC PGM=SECZIP
//STEPLIB  DD DISP=SHR,DSN=SECZIP.MVS.LOAD
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
-ARCHIVE_DSN(MY.ARCHIVE.FILE.ZIP)
-ACTION(VIEW)
/*

This step yields output similar to the following:

ZPLI001I SecureZIP(TM) for zSeries, Version 8.1 - 02/11/05 14.26
ZPLI001I Copyright. 1989-2005 PKWARE Inc. All Rights Reserved.
ZPLI001I SecureZIP(TM) is a trademark of PKWARE (R), Inc.
ZPLI001I Registered, Processor Type=7060 Processor Group=00 Serial Number=00052
ZPLI001I OS Level: HBB7707 SP7.0.4
-ARCHIVE_DSN(MY.ARCHIVE.FILE.ZIP)
-ACTION(VIEW)
ZPAM030I INPUT Archive opened: MY.ARCHIVE.FILE.ZIP
ZPAM014I There are 1 file(s) in the input Archive.
ZPAM012I ZIP comment: SecureZIP for zSeries by PKWARE
ZPAM013I **********************************************************************
ZPAM015I Length Method Size Ratio Date Time CRC-32 Name
ZPAM016I ------------- ------------ ------------- ----- ----------
ZPAM017I 1,067 Dflt-Norm 81 92% 01/16/2005 11:54 C7A3091B MY/INPUT/DATA/SEQ
ZPAM016I ------------- ------------
ZPAM019I 1,067 81 92%
ZPAM013I ***********************************************************************
ZPAM140I FILES: VIEWED EXCLUDED BYPASSED IN ERROR
ZPAM140I 1 0 0 0
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)

Notes for Viewing the Contents of an Archive

• The ACTION(VIEW) command is available through the program SECZIP or SECUNZIP.

• The ACTION(VIEW) command has various options that can be used to tailor the output. For example, if the archive contains multiple files, the output can be sorted by the file’s attributes, including name, size, and compression ratio.

• This example demonstrates a standard view of the archive. It displays information about the files in the archive including the original length of the file, the compression method, and the compressed file size.

ACTION(VIEWDETAIL)

One especially useful option is the ACTION(VIEWDETAIL) control card. It displays the full technical details, including any file attributes stored, for each file in the archive.

//STPZIP   EXEC PGM=SECZIP
//STEPLIB  DD DISP=SHR,DSN=SECZIP.MVS.LOAD
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
-ARCHIVE_DSN(MY.ARCHIVE.FILE.ZIP)
-ACTION(VIEWDETAIL)
/*

This step produces output like the following:

ZPLI001I SecureZIP(TM) for zSeries, Version 8.1 - 02/11/05 14.26
ZPLI001I Copyright. 1989-2005 PKWARE Inc. All Rights Reserved.
ZPLI001I SecureZIP(TM) is a trademark of PKWARE (R), Inc.
ZPLI001I Registered, Processor Type=7060 Processor Group=00 Serial Number=00052
ZPLI001I OS Level: HBB7707 SP7.0.4
-ARCHIVE_DSN(MY.ARCHIVE.FILE.ZIP)
-ACTION(VIEWDETAIL)
ZPAM030I INPUT Archive opened: MY.ARCHIVE.FILE.ZIP
ZPAM014I There are 1 file(s) in the input Archive.
ZPAM012I ZIP comment: SecureZIP for zSeries by PKWARE
ZPAM013I ******************************************
ZPAM001I Filename: MY/INPUT/DATA/SEQ
ZPAM002I File type: TEXT
ZPAM003I Date/Time: 16-JAN-2005 11:54:06
ZPAM004I Compression Method: Deflate- Normal
ZPAM005I Compressed Size: 81
ZPAM006I Uncompressed Size: 1,067
ZPAM007I 32-bit CRC: C7A3091B
ZPAM008I Created by: PK zSeries 8.1
ZPAM009I Needed to extract: ZipSpec 2.0
ZPAM301I File Type: NONVSAM SEQUENTIAL
ZPAM303I File Record Format: FB
ZPAM304I File Allocation Type: TRK
ZPAM305I File Primary Space Allocated: 1
ZPAM306I File Secondary Space Allocated: 1
ZPAM307I File Record Size: 80
ZPAM308I File Block Size: 3120
ZPAM309I File Volume(s) Used: SUP001
ZPAM310I File Creation Date: 2005/01/14
ZPAM311I File Referenced Date: 2005/01/16
ZPAM319I SMS Management Class: SUPPORT
ZPAM000I SMS Storage Class: SUPPORT
ZPAM013I *********************************************************
ZPAM140I FILES: VIEWED EXCLUDED BYPASSED IN ERROR
ZPAM140I 1 0 0 0
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)

Note: The order in which attributes are displayed may vary.

Decompressing a Dataset

The following example shows how to extract, or unzip, a data set using SecureZIP for zSeries.

//UNZIP    EXEC PGM=SECUNZIP,REGION=8M
//STEPLIB  DD DISP=SHR,DSN=SECZIP.MVS.LOAD
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
-ARCHIVE_DSN(MY.ARCHIVE.FILE.ZIP)
-OUTFILE_UNIT(SYSDA)
/*

This step produces output like the following:

ZPLI001I SecureZIP(TM) for zSeries, Version 8.1 - 02/11/05 14.26
ZPLI001I Copyright. 1989-2005 PKWARE Inc. All Rights Reserved.
ZPLI001I SecureZIP(TM) is a trademark of PKWARE (R), Inc.
ZPLI001I Registered, Processor Type=7060 Processor Group=00 Serial Number=00052
ZPLI001I OS Level: HBB7707 SP7.0.4
-ARCHIVE_DSN(MY.ARCHIVE.FILE.ZIP)
-OUTFILE_UNIT(SYSDA)
ZPAM030I INPUT Archive opened: MY.ARCHIVE.FILE.ZIP
ZPEX002I MY/INPUT/DATA/SEQ
ZPEX003I Extracted to MY.INPUT.DATA.SEQ
ZPAM140I FILES: EXTRACTED EXCLUDED BYPASSED IN ERROR
ZPAM140I 1 0 0 0
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)

Notes for Decompressing a Dataset

• To extract files from an archive, you must call the SECUNZIP program.

• The extracted dataset is created dynamically according to the stored file attributes, if any, or the OUTFILE DD attributes supplied in the job allocation. In this case, the dataset is recreated on a SYSDA volume. Information required to create the dataset that is not provided by the stored file attributes or by the OUTFILE allocation may be defaulted by SECUNZIP.

• By default, SECUNZIP tries to extract every file that is compressed and stored inside the ZIP file or archive. To extract just one file, or selected files, you must explicitly select the files you wish to extract or decompress. Wildcards can be used in the file selection to have SECUNZIP extract a suite of like datasets.

• If the extracted dataset already exists, then (by default) SECUNZIP does not overwrite it.

• To overwrite a dataset or PDS member, use the OUTFILE_OVERWRITE command. To add new members to existing PDS's, use the INSERT_MEMBER command. Alternatively you can use the UNZIPPED_DSN command to give the extracted file a new name.

Updating or Refreshing a File

You cannot ACTION(ADD) a file that already exists in a ZIP archive. However, you can replace it by using the ACTION(UPDATE) or ACTION(FRESHEN) commands.

The ACTION(UPDATE) and ACTION(FRESHEN) commands differ in their processing of files that do not already exist in the archive: If a file selected for compression does not already exist in the archive, ACTION(UPDATE) adds it, but ACTION(FRESHEN) ignores it.

Invoking SecureZIP for zSeries Services

There are several ways to use SecureZIP for zSeries in the OS/390 and z/OS operating environments. These include:

• Batch JCL job-steps.

• Started task JCL.

• Executed from TSO CLIST/REXX.

• TSO command line interface.

• ISPF panel.

The following sections provide a brief overview of these interfaces. Subsequent sections in this chapter describe basic functions using the JCL interface.

Invoking SECZIP or SECUNZIP From JCL (Batch or Started Task)

SecureZIP for zSeries programs can be executed from a batch job or STC. See seczip.mvs.INSTLIB(IVPBASIC) for a sample JOB, or use the ISPF interface to generate JCL for a batch job.

Invoking SECZIP or SECUNZIP as Called Programs Under TSO

SecureZIP for zSeries batch interface programs can be executed within a TSO CLIST or REXX EXEC provided that the proper FILE allocations (TSO equivalent of DD statements) are made.

The following samples show how allocations can be done to invoke SecureZIP for zSeries.

CLIST Call - Read commands from a member and put messages to a pre-allocated FB132 file.

PROC 0
ALLOC F(SYSIN) DA('seczip.mvs.INSTLIB(SAMPVIEW)') SHR
ALLOC F(SYSPRINT) DA('USERID.QZ.SYSOUT') SHR
CALL 'seczip.mvs.LOAD(SECUNZIP)'
FREE F(SYSIN,SYSPRINT)

REXX Call - Pass commands as a parm and allocate a new SYSPRINT file to browse.

/* Rexx Sample call of SECUNZIP for -VIEW with no SYSIN */
/* First allocate a SYSPRINT output file for later browsing */
Address TSO
"attrib dcbout recfm(f b) lrecl(132) blksize(27984)"
"ALLOC F(SYSPRINT) da(my.sysprint) new catalog cylinders " ,
      "using(dcbout) space(1,1)"
/* Define the command list to pass (without SYSIN) */
callparms = "-NOSYSIN -ARCHIVE(USERID.MY.ZIP) -VIEWBRIEF"
/* Invoke SECUNZIP */
Address LINKMVS "SECUNZIP callparms"
/* Free the work files and browse the output */
Address TSO "free f(DCBOUT,SYSPRINT)"
Address ISPEXEC "browse dataset(my.sysprint)"

Invoking ZIP or UNZIP TSO Command Line Interface

A subset of SecureZIP for zSeries features can be invoked from the ZIP and UNZIP REXX EXECs. These commands are intended to approximate the SECZIP and SECUNZIP DOS-based commands with similar command syntax. In addition to the standard commands being passed as input options, several shorthand Actions and Options are provided with this interface (see the tables below).

Syntax

ZIP <-action> [-options] <Archive_name> <File_names>

UNZIP <-action> [-options] <Archive_name> <File_names>

Valid ZIP Actions

'-a'      '-ACTION(ADD)'
'-d'      '-ACTION(DELETE)'
'-f'      '-ACTION(FRESHEN)'
'-u'      '-ACTION(UPDATE)'
'-v'      '-ACTION(VIEW)'
'-vbd'    '-ACTION(VIEWDATE)'
'-vn'     '-ACTION(VIEWNAME)'
'-vo'     '-ACTION(VIEWOFFSET)'
'-vp'     '-ACTION(VIEWPERCENT)'
'-vs'     '-ACTION(VIEWSIZE)'
'-vr'     '-ACTION(VIEWREVERSE)'
'-vrd'    '-ACTION(VIEWDATEREVERSE)'
'-vrn'    '-ACTION(VIEWNAMEREVERSE)'
'-vro'    '-ACTION(VIEWOFFSETREVERSE)'
'-vrp'    '-ACTION(VIEWPERCENTREVERSE)'
'-vrs'    '-ACTION(VIEWSIZEREVERSE)'
'-vb'     '-ACTION(VIEWBRIEF)'
'-vbd'    '-ACTION(VIEWBRIEFDATE)'
'-vbn'    '-ACTION(VIEWBRIEFNAME)'
'-vbo'    '-ACTION(VIEWBRIEFOFFSET)'
'-vbp'    '-ACTION(VIEWBRIEFPERCENT)'
'-vbs'    '-ACTION(VIEWBRIEFSIZE)'
'-vbr'    '-ACTION(VIEWBRIEFREVERSE)'
'-vbrd'   '-ACTION(VIEWBRIEFDATEREVERSE)'
'-vbrn'   '-ACTION(VIEWBRIEFNAMEREVERSE)'
'-vbro'   '-ACTION(VIEWBRIEFOFFSETREVERSE)'
'-vbrp'   '-ACTION(VIEWBRIEFPERCENTREVERSE)'
'-vbrs'   '-ACTION(VIEWBRIEFSIZEREVERSE)'
'-vt'     '-ACTION(VIEWDETAIL)'
'-vtd'    '-ACTION(VIEWDETAILDATE)'
'-vtn'    '-ACTION(VIEWDETAILNAME)'
'-vto'    '-ACTION(VIEWDETAILOFFSET)'
'-vtp'    '-ACTION(VIEWDETAILPERCENT)'
'-vts'    '-ACTION(VIEWDETAILSIZE)'
'-vtr'    '-ACTION(VIEWDETAILREVERSE)'
'-vtrd'   '-ACTION(VIEWDETAILDATEREVERSE)'
'-vtrn'   '-ACTION(VIEWDETAILNAMEREVERSE)'
'-vtro'   '-ACTION(VIEWDETAILOFFSETREVERSE)'
'-vtrp'   '-ACTION(VIEWDETAILPERCENTREVERSE)'
'-vtrs'   '-ACTION(VIEWDETAILSIZEREVERSE)'

Valid ZIP Options

'-ex'     '-COMPRESSION_LEVEL(MAXIMUM)'
'-en'     '-COMPRESSION_LEVEL(NORMAL)'
'-ef'     '-COMPRESSION_LEVEL(FAST)'
'-es'     '-COMPRESSION_LEVEL(SUPERFAST)'
'-e0'     '-COMPRESSION_LEVEL(STORE)'
'-s…'     secure with encryption where "…"=password
'-noprompt'
          When being run from an ISPF environment, the default is for the interpreted commands to be displayed in an EDIT session, allowing you an opportunity to alter the commands. This option will bypass this feature, as well as the ISPF browse of SYSPRINT when the function is complete.

Valid UNZIP Actions

'-e'      '-ACTION(EXTRACT)'
'-o'      '-OUTFILE_OVERWRITE(Y)'
'-v'      '-ACTION(VIEW)'
'-t'      '-ACTION(TEST)'
'-vbd'    '-ACTION(VIEWDATE)'
'-vn'     '-ACTION(VIEWNAME)'
'-vo'     '-ACTION(VIEWOFFSET)'
'-vp'     '-ACTION(VIEWPERCENT)'
'-vs'     '-ACTION(VIEWSIZE)'
'-vr'     '-ACTION(VIEWREVERSE)'
'-vrd'    '-ACTION(VIEWDATEREVERSE)'
'-vrn'    '-ACTION(VIEWNAMEREVERSE)'
'-vro'    '-ACTION(VIEWOFFSETREVERSE)'
'-vrp'    '-ACTION(VIEWPERCENTREVERSE)'
'-vrs'    '-ACTION(VIEWSIZEREVERSE)'
'-vb'     '-ACTION(VIEWBRIEF)'
'-vbd'    '-ACTION(VIEWBRIEFDATE)'
'-vbn'    '-ACTION(VIEWBRIEFNAME)'
'-vbo'    '-ACTION(VIEWBRIEFOFFSET)'
'-vbp'    '-ACTION(VIEWBRIEFPERCENT)'
'-vbs'    '-ACTION(VIEWBRIEFSIZE)'
'-vbr'    '-ACTION(VIEWBRIEFREVERSE)'
'-vbrd'   '-ACTION(VIEWBRIEFDATEREVERSE)'
'-vbrn'   '-ACTION(VIEWBRIEFNAMEREVERSE)'
'-vbro'   '-ACTION(VIEWBRIEFOFFSETREVERSE)'
'-vbrp'   '-ACTION(VIEWBRIEFPERCENTREVERSE)'
'-vbrs'   '-ACTION(VIEWBRIEFSIZEREVERSE)'
'-vt'     '-ACTION(VIEWDETAIL)'
'-vtd'    '-ACTION(VIEWDETAILDATE)'
'-vtn'    '-ACTION(VIEWDETAILNAME)'
'-vto'    '-ACTION(VIEWDETAILOFFSET)'
'-vtp'    '-ACTION(VIEWDETAILPERCENT)'
'-vts'    '-ACTION(VIEWDETAILSIZE)'
'-vtr'    '-ACTION(VIEWDETAILREVERSE)'
'-vtrd'   '-ACTION(VIEWDETAILDATEREVERSE)'
'-vtrn'   '-ACTION(VIEWDETAILNAMEREVERSE)'
'-vtro'   '-ACTION(VIEWDETAILOFFSETREVERSE)'
'-vtrp'   '-ACTION(VIEWDETAILPERCENTREVERSE)'
'-vtrs'   '-ACTION(VIEWDETAILSIZEREVERSE)'

To compress and store all of a user’s files into an archive, type the following:

ZIP -a 'MY.CLI.TEST.ZIP' '&SYSUID.** '

Invoking the SecureZIP for zSeries ISPF Panel Interface

The ISPF panel interface provides a simple way for a TSO user to either build batch JCL or invoke foreground SecureZIP for zSeries services. The panel interface also provides a dynamic table interface to display ZIPPED files within a ZIP archive allowing line-command selection for browsing, viewing, and extracting.

                          SecureZIP 8.1
OPTION ===>

   C   Config          Modify Run-time Configuration Settings
   ZD  Zip Defaults    Modify Default ZIP Command Settings
   UD  Unzip Defaults  Modify Default UNZIP Command Settings
   U   Unzip           Decompress, Decrypt, Authenticate File(s) in an Archive
   V   View            Display the Contents of a Zip Archive
   Z   Zip             Compress, Encrypt, Sign File(s) into a Zip Archive
   S   Sysprint        Browse Log of Last Foreground Execution
   M   Messages        Message ID lookup
   L   License         Display License Information
   CS  Cert Store      Certificate Store Administration and Configuration
   W   What's New      Browse Information on Changes Since Last Release
   P   Contact PKWARE  Browse Information on How to Contact PKWARE
   X   EXIT

For HELP Press PF1

The ISPF interface is covered in detail in Chapter 13. Instructions on installation and implementation can be found in Chapter 4.

Configuration Manager

In releases of PKZIP for MVS version 2, users were allowed to create a configuration file that allowed PKZIP to accept different parameters during a run of PKZIP or PKUNZIP. SecureZIP for zSeries has extended the means of allowing the user to control the defaults that SECZIP and SECUNZIP use during a job.

First, edit SECZIP.MVS.INSTLIB(ACZDFLT) to set defaults for SECZIP. These defaults are then assembled into SECZIP.MVS.LOAD by using the ASMDFLT member of INSTLIB. The ACZDFLT module gives you extended flexibility to make SECZIP work the way you want it to.

ACZDFLT is a data-only CSECT that uses macro MCZDFLTS to generate the table data. An installation can customize the values for this module by adding appropriate variable data to the invocation of MCZDFLTS in the ACZDFLT module source.

Multiple versions of ACZDFLT may be assembled and linked into an execution load library for use with the DM execution parameter. Doing this allows multiple configurations to be pre-defined and used. In addition to the //PARMLIB DD for the configuration file, //CONFIG DD is also supported for compatibility with PKZIP for MVS version 2.

Making Changes to the Defaults

Within the ACZDFLT member, at least one variable must coincide with your installation’s SECZIP high-level qualifier. This variable is the LICENSE_HLQ parameter. SECZIP accesses your SECZIP.MVS.LICENSE data set during every execution of ZIP or UNZIP. Providing your installation’s high-level qualifier for the LICENSE_HLQ parameter tells SECZIP where to find it.

***********************************************************
 MCZDFLTS TYPE=CSECT,                                     *
          LICENSE_HLQ=SECZIP.MVS                          *
***********************************************************

Remember that SECZIP.MVS.INSTLIB(ACZDFLT) is a configuration member. Therefore, besides providing the high-level qualifier for your installation, you can establish new defaults for SECZIP and SECUNZIP processing. Below is an example that shows other parameters that can be coded.

***********************************************************
 MCZDFLTS TYPE=CSECT,                                     *
          LICENSE_HLQ=SECZIP.MVS,                         *
          PARMLIB_DSNAME_ZIP=NULLFILE,                    *
          PARMLIB_DSNAME_UNZIP=NULLFILE,                  *
          ARCHIVE_UNIT=SYSDA,                             *
          TEMP_UNIT=SYSDA,                                *
          COMPRESSION_LEVEL=SUPERFAST,                    *
          CRLF=C                                          *
***************** Bottom of Data **************************

Assembling Your Changes

After editing the ASMDFLT member of SECZIP.MVS.INSTLIB, modify the ASMDFLT JCL member per your JCL Standards and submit the job to assemble SECZIP.MVS.INSTLIB(ACZDFLT) into SECZIP.MVS.LOAD. For every execution of ZIP and UNZIP, SECZIP will refer to this assembled ACZDFLT module in your LOAD library.

Inputs

User inputs to SecureZIP for zSeries can come from various sources and formats, as described in the following tables:

User Input Sources (MVS)

ACZDFLT or other customized defaults modules
The installation defaults module, which is provided at installation time, or modified and re-assembled by the systems programmer responsible for installation changes.

Installation Configuration File
A list of commands can be defined in a sequential file (or PDS member). This file can either be dynamically allocated (file name defined in ACZDFLT), or explicitly allocated through the //PARMLIB DD statement.

//SYSIN DD
A batch, started-task or TSO user may provide this DD statement to input control statements.

EXEC PGM … PARM=
A batch job or started task can pass a subset of parameters through the execution PARM= statement.

API Call Parm
When calling SECZIP from an application program, this set of parameters acts like EXEC PARM= above.

Processing Order of Control Statements

In general, after the loading of the defaults module ACZDFLT, control statements are read sequentially from the various sources in the order below.

1. Configuration File (//PARMLIB DD or dynamically allocated).

2. EXEC PARM, or API Call Parm.

3. //SYSIN DD.

Exceptions to this order are for commands providing early initialization control through the EXEC PARM.

-DM ACZDFLT <= Defaults Module selection.

-ECHO.

Configuration Manager Processing: Managing Control Statements

Control Statement Definitions

Control statements are managed via an internal control table, ACMTABLE. This table determines which command values are permitted for each command and provides validation information to the Configuration Manager.

Keywords, formats, and values generated in the defaults module are kept in synchronization with internal module control information maintained in ACMTABLE (which is used programmatically by Configuration Manager routines to parse control statements). The control statement values are mapped directly to the defaults module values for use.

Default values for the commands are held in module ACZDFLT, which is loaded at run time. A sample source module is provided (seczip.mvs.INSTLIB(ASMDFLT)) that can be assembled to change the defaults for the installation.

In addition, ACZDFLT can be assembled as a different load module name to create custom profiles of defaults for a variety of needs. A different flavor of ACZDFLT can be requested at execution time by using the JCL EXEC parameter -DM nnnnnnnn, where nnnnnnnn is the name of the module to use instead of ACZDFLT.

The ISPF interface has two options, UD and ZD, that allow you to see and set values for many of the commands. These may be used as a reference when trying to determine which of the available command values to use.

The batch SHOW_SETTINGS command may also be helpful as a reference to command names and their default values.

Troubleshooting

SecureZIP for zSeries Messages

SecureZIP for zSeries writes messages to SYSPRINT (or other output DD file as specified by the defaults module) that indicate whether processing is successful. Each message type is defined with a unique message ID starting with “ZP” (see the SecureZIP for zSeries Messages and Codes Guide for specific format information).

The volume of messages that are written to SYSPRINT is controlled by the command LOGGING_LEVEL. Additional processing information is displayed when VERBOSE is requested. This does not affect the output of critical error messages, which are written regardless of the level requested.

Explanatory information regarding messages can also be found on-line via the ISPF interface, or by browsing the SECZIP.MVS.HELP members.

Debugging Controls

To see which processing options are in effect, code SHOW_SETTINGS as the last SYSIN command or EXEC PARM to display all final parameter values.

When issues concerning non-VSAM data set allocation arise, specify TRACE_DYNALLOC(3) to see values used for individual files.

When issues concerning VSAM Cluster definitions arise, use TRACE_AMS(1) to see control cards passed to IDCAMS.

6 About Security, Certificates and Encryption

This chapter discusses how you utilize SecureZIP for zSeries to secure your data. Elements that are required to make a SecureZIP for zSeries archive are discussed in detail. These elements, when selectively used, combine to create a SecureZIP for zSeries archive or to allow the extraction of a file or files from a SecureZIP for zSeries archive.

A series of ISPF panels is used to assist you in building and maintaining the SecureZIP certificate store. These panels are standard with SecureZIP for zSeries. The chapter provides ISPF screens and SecureZIP commands used to accomplish these tasks, along with notes and comments.

Terms and Acronyms Used in This Chapter

SecureZIP for zSeries introduces new terminology to users who are familiar with PKZIP. These expressions relate to the security features in SecureZIP for zSeries.

• Public Key Certificate(s)

• Private Key Certificate(s)

• Data Base Profile (Local Certificate Store)

• LDAP Profile (Networked Certificate Store)

• Password

• RECIPIENT

• MASTER RECIPIENT

• Configuration Profile

• Certificate Store

• Common Name

• Path

• Cert Configuration

• PING

• TCPIP

• User Certificate

• Certificate Authority

• Recipient DataBase

• Recipient Searches

• Filename Encryption

• Authentication

• File Signing

• Archive Signing

Accessing Certificates

SecureZIP for zSeries provides access to certificates through sets of local files, either sequential, PDS or PDSE, and VSAM index paths when control card requests are present.

In addition, RECIPIENT(LDAP:...) requests are resolved through configured network definitions.

The recipient of a file that has been encrypted with a public key must supply a matching private key to decrypt and UNZIP the file. This is done by using the RECIPIENT command to specify the location of the private-key certificate and the password required to access it. This password is unrelated to any password used to encrypt the file; it is used solely to access the recipient’s private key.

RECIPIENT commands may be included in the command input stream directly or through the INCLUDE_CMD command. A Private-Cert profile designates a saved repository of the private-key certificates. When SecureZIP for zSeries dialogs prepare batch JCL or UNZIP call streams, these commands will be automatically included when file decryption is requested.

Configuration Profile

A configuration profile is a collection of SecureZIP for zSeries commands that describes the SecureZIP environment. At execution time this profile is read to locate appropriate certificate stores and index. SecureZIP provides various means by which the configuration information can be supplied. Contact your organization’s technical support staff for instructions regarding access to the configuration.

Contents of the Configuration Profile

Execution configuration values may be supplied in any of the following ways. It is highly recommended that the command sources be coordinated in logical groups (local certificate store settings or LDAP settings) so that overrides are not overly complex.

• Direct commands in the SYSIN stream.

When accepted, these commands take precedence over other sources.

• INCLUDE_CMD indirect reading of profile commands.

This is the method employed when you specify a file location through the SecureZIP Active DB Profile: field. When accepted, these commands take precedence over profiles read by the Defaults module, but may be overridden by SYSIN commands.

• Defaults module indirect reading of profile commands.

This is the method employed when you specify UNDEFINED in the SecureZIP Active DB Profile: field.

Data Base (DB) Profile (Local Certificate Store)

When you specify recipients for certificate-based encryption, SecureZIP for zSeries must be able to locate the recipients’ public-key certificates. One way to designate recipients is through the DB: form of the RECIPIENT command. This allows for recipient selection based on name or email address through a configured database of certificates on the system that is executing SecureZIP for zSeries.

Your organization’s technical support staff is responsible for configuring the local certificate store and should provide you with information on which profile data set—typically a member of a partitioned data set—to use. Below is a sample of the contents of the data base profile.

Active Store Configuration: 'SECZIP.MVS.PROFILES(DBPROF)'
-{CSPUB=4;1;SECZIP.MVS.CERTSTOR.PUBLIC}
-{CSPRVT=4;1;SECZIP.MVS.CERTSTOR.PRIVATE}
-{CSPUB_DBX=SECZIP.MVS.CERTSTOR.DBX}
-{CSPUB_DBX_PATH_CN=SECZIP.MVS.CERTSTOR.PATHCN}
-{CSPUB_DBX_PATH_EM=SECZIP.MVS.CERTSTOR.PATHEM}
-{CSPUB_DBX_PATH_PUBKEY=SECZIP.MVS.CERTSTOR.PATHPUBK}
-{CSCA=1;0;SECZIP.MVS.CERTSTOR.P7CA}
-{CSROOT=1;0;SECZIP.MVS.CERTSTOR.P7ROOT}
-{VALSIGN=TRUSTED,EXPIRED,NOTREVOKED}
-{VALENCRYPT=TRUSTED,EXPIRED,NOTREVOKED}
-{AUTHENTICATE=TRUSTED,EXPIRED,NOTREVOKED,TAMPERCHECK}

LDAP Profile (Networked Certificate Store)

When you specify recipients for certificate-based encryption, SecureZIP for zSeries must be able to locate the recipients’ public-key certificates. One way to designate which recipients to include is through the LDAP: form of the RECIPIENT command, which uses the LDAP interface to a directory server. This approach allows for recipient selection based on name, email address, or other installation-configured LDAP fields. One or more LDAP-compliant servers may be configured for searching.

The technical support staff responsible for configuring the LDAP-compliant directory that stores certificates will provide you with information on which profile data set—typically a member of a partitioned data set—to use. Below is a sample of the contents of the file.

* ------------------------------------------------- *
* zSeries LDAP access                               *
* ------------------------------------------------- *
* ---
* Primary LDAP
* ---
-{LDAP=1;192.168.9.12;389;0;0;;;*EMAIL;| o=pkware,c=US,cn=user,dc=cosmos,dc=pkzip,dc=com}
* ---

Note: The LDAP profile may not contain any encryption certificate validation policies. If the end user specifies only the LDAP profile without a local certificate store, then the SecureZIP default validation settings of TRUSTED and REVOKED will be enforced for the run. This will cause the job to fail during validation of the trusted certificate path because there are no CA and/or root certificates available for processing. If you wish to execute the SecureZIP job with the LDAP profile only, then you must include the validation policy in the job stream (see sample below), or add the VALENCRYPT policy statement to the LDAP profile.

-INCLUDE_CMD(SECZIP.MVS.PROFILES(LDAP))
-RECIPIENT(LDAP:CN=PKWARE TEST4,R)
-{VALENCRYPT=NOTTRUSTED,EXPIRED,NOTREVOKED}

Recipient Searches

When RECIPIENT requests are made for either the local certificate store ("DB:"), an LDAP directory ("LDAP:") or both ("SYSTEM:"), a set of search criteria is provided. The search criteria of Email address ("EM=" or "mail=") and Common Name ("CN=") are accepted by both the DB: and LDAP: service providers.

When multiple RECIPIENT requests are made, two or more search criteria may resolve to the same recipient certificate. For example, if both EM= and CN= are used in different RECIPIENT (or MASTER_RECIPIENT) requests, both may find the same public key certificate. The first entry found will be used, and any duplicate copies of the same certificate will be ignored, resulting in only one representation of the certificate.

A search for an individual by name or email address may return multiple digital certificates, whether from the same certificate store source or not. In this case, more than one representation of an individual can be included in the run.

LDAP searching can be accomplished with direct RECIPIENT requests:

-RECIPIENT(LDAP:search_criteria)

or implicitly:

-RECIPIENT(*system:search_criteria).

In either case, the certificate store configuration settings define the order in which the LDAP servers are searched. However, in the case of using *system, local certificate stores are searched prior to any of the configured LDAPs.

When multiple stores are to be searched (*system: or LDAP:), all RECIPIENT requests are searched in one store before the next store is referenced. If a RECIPIENT request finds one or more entries in one store, subsequent stores are not searched. This means that it is possible for generic LDAP search criteria to bypass entries defined in subsequent LDAP servers. RECIPIENT requests that were not satisfied at all by the higher-level store search continue to be searched for.

Example: Search LDAP’s for RECIPIENT matches

LDAP #1 0 entries 0 matches

LDAP #2 3 entries 3 matches

Add entry LDAP #1 has an entry added matching RECIPIENT

LDAP #1 1 entry 1 match

LDAP #2 3 entries 0 matches
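The store-by-store search rules above, and the match counts in the example, can be reproduced with a small model. This is an added illustration, not PKWARE code: the function name `resolve`, the certificate records, and the use of `*` wildcards for "generic" criteria are assumptions.

```python
from fnmatch import fnmatchcase


def resolve(requests, stores):
    """Resolve RECIPIENT search criteria against an ordered list of stores.

    requests: list of (field, pattern), field is "CN" or "EM".
    stores:   ordered list of (store_name, [certificate dict, ...]).
    Returns (selected, matches_per_store, unresolved).
    """
    pending = list(requests)
    selected, seen = [], set()
    matches_per_store = {}
    for store_name, certs in stores:
        matches_per_store[store_name] = 0
        unsatisfied = []
        # Every pending request is tried in this store before the next store.
        for field, pattern in pending:
            hits = [c for c in certs
                    if fnmatchcase(c[field].upper(), pattern.upper())]
            if not hits:
                # Not satisfied here: carry the request to the next store.
                unsatisfied.append((field, pattern))
                continue
            for cert in hits:
                if cert["id"] in seen:
                    continue  # same certificate found twice: keep the first
                seen.add(cert["id"])
                selected.append((store_name, cert["id"]))
                matches_per_store[store_name] += 1
        # A satisfied request is never searched for in later stores.
        pending = unsatisfied
    return selected, matches_per_store, pending


# Constructed sample directory contents (not taken from the guide).
LDAP2 = [
    {"id": "cert-A", "CN": "PKWARE TEST1", "EM": "test1@example.com"},
    {"id": "cert-B", "CN": "PKWARE TEST2", "EM": "test2@example.com"},
    {"id": "cert-C", "CN": "PKWARE TEST3", "EM": "test3@example.com"},
]
LDAP1_ADDED = [
    {"id": "cert-D", "CN": "PKWARE TEST9", "EM": "test9@example.com"},
]
GENERIC = [("CN", "PKWARE TEST*")]


def before_and_after():
    """Match counts before and after an entry is added to LDAP #1."""
    before = resolve(GENERIC, [("LDAP #1", []), ("LDAP #2", LDAP2)])
    after = resolve(GENERIC, [("LDAP #1", LDAP1_ADDED), ("LDAP #2", LDAP2)])
    return before[1], after[1]


if __name__ == "__main__":
    for counts in before_and_after():
        print(counts)
```

In the second run the three LDAP #2 certificates are no longer selected, so the archive is encrypted only for the certificate found in LDAP #1; a check of the selected recipients in job output catches this change.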

Local Certificate Stores

Access X.509 Public and Private Key Certificates

See also Chapter 2 for an overview of certificate stores.

SecureZIP for zSeries introduces a new subtask, CSERV, that utilizes RSA’s BSAFE Cert-C Toolkit to access X.509 public- and private-key certificates. The access to the various certificate stores by this task is governed by various forms of the RECIPIENT, SIGN_ARCHIVE, SIGN_FILES and AUTHCHK commands, as well as by a suite of configuration commands.

The configuration commands are read either through SYSIN, INCLUDE_CMD(parmlib) or SECUREZIP_CONFIG specifications.

The syntax of the commands is -{ ... }. The semi-colon (;) is used as a parameter delimiter.

-{CSPUB=type;Seq;string PUB}
-{CSPRVT=type;Seq;string Prvt}
-{CSCA=type;Seq;string CA}
-{CSROOT=type;Seq;string Root}
-{CSPUB_DBX=vsam_cluster_base_index}
-{CSPUB_DBX_PATH_CN=vsam_path_through_AIX_for_Common_Name}
-{CSPUB_DBX_PATH_EM=vsam_path_through_AIX_for_Email_address}
-{CSPUB_DBX_PATH_PUBKEY=vsam_path_through_AIX_for_PublicKey}
-{AUTHENTICATE=TRUSTED,EXPIRED,REVOKED,TAMPERCHECK}
-{VALSIGN=TRUSTED,EXPIRED,NOTREVOKED}
-{VALENCRYPT=TRUSTED,EXPIRED,NOTREVOKED}
-{RESET}

Where:

• type (*PATH 0) (FILE 1) (*DB 2) (*LDAP 3) (*PDS 4)

• Seq 0 through 9 (Cert Store search order)

• LDAP - timeout of 0 results in system settings

• user of NULL or ";;" will use "anonymous" login

Certificate Store References –{CSxxx}

If not supplied through configuration changes, the defaults are:

{CSPUB=1;9;DUMMY}
{CSPRVT=1;9;DUMMY}
{CSCA=1;9;DUMMY}
{CSROOT=1;9;DUMMY}
{CSPUB_DBX=SECZIP.CERTSTOR.PUBLIC.DBX}
{CSPUB_DBX_PATH_CN=SECZIP.CERTSTOR.PATHCN}
{CSPUB_DBX_PATH_EM=SECZIP.CERTSTOR.PATHEM}
{CSPUB_DBX_PATH_PUBKEY=SECZIP.CERTSTOR.PATHPUBK}

The local zSeries certificate store for public-key certificates (configuration settings for {CSPUB_...}) can be built as a PDS[E] indexing scheme for common name and email address searches. This is accomplished through a VSAM base cluster and a set of alternate index paths to access the appropriate field types.

The PDS[E] and the VSAM suite are managed as a unit and should not be manipulated independently from the supplied SecureZIP utilities. When no public-key store (CSPUB=) PDS[E] is specified, then the indexing (CSPUB_DBX...) files are not accessed.

The CSCA (Certificate Authority) and CSROOT (Trusted Root Certificate Authority) certificates are maintained in respective sequential files in X.509 PKCS#7 format.

Overrides to {CSxxx…} or {LDAP…} configuration commands can be done through input command streams or included members. However, you must take care to coordinate overrides so that intermixed PATHS do not result in different databases or indexes being used when resolving the various search criteria.

Authentication and Certificate Validation Policies

Certificate validation may be done when activities in the following functional areas are performed:

• Recipient based encryption

• Archive or file signing

• Authentication of digital signatures for files and/or archive directory

Validation policies are passed to SECZIP and SECUNZIP to govern various aspects of certificate validation at execution time. The policies are defined in configuration profile settings and may also be included as override commands for individual executions of SECZIP and SECUNZIP.

The policy command settings are coded in the same format as other certificate store profile commands, with the syntax -{...}

Each functional area supports a single policy statement with its associated settings. The CERTSTORE Policy Setup panel will generate a policy statement for each functional area for use in the certificate store profile.

• -{AUTHENTICATE=...}

• -{VALENCRYPT=...}

• -{VALSIGN=...}

{AUTHENTICATE} Policy

The {AUTHENTICATE} setting can be used within an include member that contains configuration commands, or within the standard command stream. It defines the level of processing that AUTHCHK commands will perform. The last AUTHENTICATE command found in the input stream will be used for processing and fully defines the signature authentication elements to be verified. The default settings may be changed by the SecureZIP administrator at any time. However, if this command is not supplied, all supported elements default to being checked. Elements include:

• [NO]TAMPERCHECK – The signature associated with the archive or file(s) involved will be used to verify that the content has not been altered since the archive was built.

• [NOT]EXPIRED – The digital certificates used to originally perform the signing operation contain internal date ranges of validity. The AUTHCHK operation will fail if any of the certificates in the trust chain are not found to be within their stated date range. Note that an end-certificate may have expired at the time that the archive is being accessed, and NOTEXPIRED may be used to continue processing.

• [NOT]REVOKED – A certificate owner may request that the issuing certificate authority declare a certificate to be revoked and thereby no longer consider that certificate to be valid. The AUTHCHK operation will fail if any of the certificates in the trust chain are found to have been revoked or if the revocation status could not be determined.

• [NOT]TRUSTED – Each end-certificate used in the signature must be traced back to a trusted root certificate. The CSCA and CSROOT stores on the local system performing the authentication check will be accessed to determine if the entire certificate chain can be trusted. Although the Root (“self-signed”) certificate may be included within the archive, it MUST also exist in the CSROOT store to complete the TRUSTED state.

{VALSIGN} Policy

The {VALSIGN} setting can be used within an include member that contains configuration commands, or within the standard command stream. It defines the level of processing that SIGN_FILES and SIGN_ARCHIVE commands will perform during SECZIP execution. The last VALSIGN command found in the input stream will be used for processing and fully defines the signing certificate elements to be verified. The default settings may be changed by the SecureZIP administrator at any time. However, if this command is not supplied, all supported elements default to being checked. Elements include:

• [NOT]EXPIRED – The digital certificates used to originally perform the signing operation contain internal date ranges of validity. The AUTHCHK operation will fail if any of the certificates in the trust chain are not found to be within their stated date range. Note that an end-certificate may have expired at the time that the archive is being accessed, and NOTEXPIRED may be used to continue processing.

• [NOT]REVOKED – A certificate owner may request that the issuing certificate authority declare a certificate to be revoked and thereby no longer consider that certificate to be valid. The AUTHCHK operation will fail if any of the certificates in the trust chain are found to have been revoked or if the revocation status could not be determined.

• [NOT]TRUSTED – Each end-certificate used in the signature must be traced back to a trusted root certificate. The CSCA and CSROOT stores on the local system performing the authentication check will be accessed to determine if the entire certificate chain can be trusted. Although the Root (“self-signed”) certificate may be included within the archive, it MUST also exist in the CSROOT store to complete the TRUSTED state.

{VALENCRYPT} Policy

The {VALENCRYPT} setting can be used within an include member that contains configuration commands, or within the standard command stream. It defines the level of processing that RECIPIENT-based encryption requests will perform during SECZIP execution. The last VALENCRYPT command found in the input stream will be used for processing and fully defines the signing certificate elements to be verified. The default settings may be changed by the SecureZIP administrator at any time. However, if this command is not supplied, all supported elements default to being checked. Elements include:

• [NOT]EXPIRED – The digital certificates used to originally perform the signing operation contain internal date ranges of validity. The AUTHCHK operation will fail if any of the certificates in the trust chain are not found to be within their stated date range. Note that an end certificate may have expired at the time that the archive is being accessed. NOTEXPIRED may be used to continue processing.

• [NOT]REVOKED – A certificate owner may request that the issuing certificate authority declare a certificate to be revoked and thereby no longer consider that certificate to be valid. The AUTHCHK operation will fail if any of the certificates in the trust chain are found to have been revoked or if the revocation status could not be determined.

• [NOT]TRUSTED – Each end-certificate used in the signature must be traced back to a trusted root certificate. The CSCA and CSROOT stores on the local system performing the authentication check will be accessed to determine if the entire certificate chain can be trusted. Although the root (“self-signed”) certificate may be included within the archive, it must also exist in the CSROOT store to complete the TRUSTED state.

Other Profile Commands

{RESET} Clearing the Active Configuration

The {RESET} command can be used at the beginning of an include member that contains configuration commands, or within the standard command stream to “clear” all existing {CSxxx…} and {LDAP…} configuration commands that may have been previously loaded. This will help avoid mixed entries if an incomplete set of overrides is present. Remember that the defaults module may include settings for the configuration commands even if commands are not explicitly coded at run-time. The default settings may be changed by the SecureZIP administrator at any time.

Execution Time

SecureZIP for zSeries is commonly run as a batch job step utility to place one or more files into a SecureZIP container (archive) prior to subsequent processing (such as transporting to an off-board system). Processing considerations when utilizing recipient-based encryption include:

• Using INCLUDE_CMD to reference the local certificate store configuration control records (created by the initial setup in Certificate Store Administration) in the SYSIN command stream

• Using the RECIPIENT command to trigger certificate-based encryption. (Optionally, the RECIPIENT command used for extraction (decryption) may be referenced via INCLUDE_CMD to protect the password information contained within it.)

• Having dataset-level READ authority (via RACF or equivalent product) to the private-key certificate and referenced command files necessary to access the certificate

• Performing JCL return code checking within the job stream after the SECZIP program has completed to test the success of Encryption/Decryption processing

Security Considerations

To ensure the continued integrity of private-key certificates within an organization, special attention should be paid to protecting access to them.

The X.509 PKCS#12 certificate format supported by SecureZIP has an inherent security mechanism designed to protect the private keys within the transportable certificate by way of an access password. This means that, without the appropriate password, the private keys cannot be accessed from the private-key PKCS#12 digital certificate (on any system or location).

RACF READ authority (or equivalent) must be granted to the job accessing the certificate store, the X.509 certificate file, and the referenced input stream containing the command that holds the certificate request (and the password for a private-key certificate).

To perform a decryption operation, SecureZIP for zSeries requires read access to the PKCS#12 private-key certificate (file or PDS member), as well as a command (RECIPIENT) containing the corresponding password. Similarly, the signing and authentication commands (SIGN_ARCHIVE, SIGN_FILES and AUTHCHK) may reference private keys. The following should be considered when using SecureZIP to access private keys:

• Password information will be masked out in SecureZIP SYSPRINT output.

• If jobstream inputs can be viewed by operational staff members, then an indirect reference to the command(s) containing the password should be considered.

• Read protection of command files containing passwords

• Read protection of PKCS#12 certificate files

• Optionally use ECHO=N within the command sequence to eliminate the command from showing in the SYSPRINT output.
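The considerations above can be checked mechanically before a job is submitted. The following Python sketch is an added example, not part of the PKWARE guide or product: it scans the in-stream SYSIN of a job for RECIPIENT, SIGN_ARCHIVE, SIGN_FILES and AUTHCHK commands that carry PASSWORD= directly in the job stream, and lists the command files and certificate datasets whose READ access should be reviewed. The function names and both sample jobs (dataset names, password value) are constructed for illustration.

```python
import re

# Commands the guide names as able to reference private keys and passwords.
PASSWORD_COMMANDS = ("RECIPIENT", "SIGN_ARCHIVE", "SIGN_FILES", "AUTHCHK")

# "-NAME(args)" or "-NAME=value", the two command forms shown in the guide.
_CMD = re.compile(r"^-\s*([A-Z_]+)\s*(?:=\s*(.*)|\((.*)\))\s*$", re.IGNORECASE)
# "//ddname DD ...DSN=dataset" statements, used to resolve DD:ddname references.
_DD = re.compile(r"^//(\w+)\s+DD\s+\S*?DSN=([^,\s]+)", re.MULTILINE)


def sysin_records(jcl_text):
    """Yield (line_number, record) for the in-stream SYSIN data of a job."""
    in_sysin = False
    for number, line in enumerate(jcl_text.splitlines(), 1):
        if line.startswith(("//", "/*")):
            # Any JCL statement or delimiter ends in-stream data;
            # only "//SYSIN DD *" starts a new block of it.
            in_sysin = re.match(r"//SYSIN\s+DD\s+\*", line) is not None
            continue
        if in_sysin:
            yield number, line.strip()


def audit_job(jcl_text):
    """Return (findings, protect).

    findings: password-bearing commands coded directly in the job stream.
    protect:  (kind, dataset) pairs that need read protection reviewed.
    """
    dd_names = {name.upper(): dsn for name, dsn in _DD.findall(jcl_text)}
    findings, protect, echo_n_seen = [], [], False
    for number, record in sysin_records(jcl_text):
        match = _CMD.match(record)
        if match is None:  # comment ("*"), file name or blank record
            continue
        command = match.group(1).upper()
        argument = match.group(2) if match.group(2) is not None else match.group(3)
        if command == "ECHO":
            echo_n_seen = argument.strip().upper() == "N"
        elif command == "INCLUDE_CMD":
            protect.append(("command file", argument.strip()))
        elif command in PASSWORD_COMMANDS:
            ref = re.search(r"dsn://'([^']+)'|DD:(\w+)", argument, re.IGNORECASE)
            if ref and ref.group(1):
                protect.append(("certificate", ref.group(1)))
            elif ref and ref.group(2).upper() in dd_names:
                protect.append(("certificate", dd_names[ref.group(2).upper()]))
            if re.search(r"PASSWORD\s*=", argument, re.IGNORECASE):
                findings.append({"line": number, "command": command,
                                 "echo_n_seen": echo_n_seen})
    return findings, protect


# Constructed sample: passwords coded where anyone who can read the job sees them.
INLINE_JOB = "\n".join([
    "//ZIPJOB   JOB 'ACCOUNTING INFO',CLASS=A",
    "//ZIPIT    EXEC PGM=SECZIP",
    "//CERT     DD DISP=SHR,DSN=EXAMPLE.PRIVATE.PFX",
    "//SYSPRINT DD SYSOUT=*",
    "//SYSIN    DD *",
    "* constructed sample",
    "-INCLUDE_CMD(EXAMPLE.JCL(DBPROF))",
    "-RECIPIENT(DD:CERT,R,PASSWORD=EXAMPLEPW)",
    "-SIGN_FILES(DB:CN=Example Signer,PASSWORD=EXAMPLEPW)",
    "-ARCHIVE_DSN(EXAMPLE.ARCHIVE.ZIP)",
    "-ACTION(ADD)",
    "EXAMPLE.INPUT.DATA",
    "/*",
])

# Constructed sample: the password-bearing commands live in a read-protected
# member that is pulled in with INCLUDE_CMD (the indirect reference).
HARDENED_JOB = "\n".join([
    "//ZIPJOB   JOB 'ACCOUNTING INFO',CLASS=A",
    "//ZIPIT    EXEC PGM=SECZIP",
    "//SYSPRINT DD SYSOUT=*",
    "//SYSIN    DD *",
    "* constructed sample",
    "-INCLUDE_CMD(EXAMPLE.JCL(DBPROF))",
    "-ECHO=N",
    "-INCLUDE_CMD(EXAMPLE.SECURE.JCL(CERTPROF))",
    "-ARCHIVE_DSN(EXAMPLE.ARCHIVE.ZIP)",
    "-ACTION(ADD)",
    "EXAMPLE.INPUT.DATA",
    "/*",
])

if __name__ == "__main__":
    for label, job in (("inline", INLINE_JOB), ("hardened", HARDENED_JOB)):
        found, datasets = audit_job(job)
        print(label, "findings:", found)
        print(label, "review READ access on:", datasets)
```

The script only sees what is coded in the job stream; the members named by INCLUDE_CMD still have to be read-protected, which is why they are returned in the second list.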

SecureZIP Certificate Store Administration and Configuration

For detailed instructions on certificate store configuration and management, LDAP configuration, and other X.509 certificate utilities, see the SecureZIP for zSeries System Administrator’s Guide.

Run-Time Configuration

The Runtime Configuration panel is used for entering configuration information for the ISPF SecureZIP interface (option C). That information includes active load library, default options files, job card and other miscellaneous information.

A panel for SecureZIP certificate store settings must be configured as well. A message at the bottom of the configuration panel directs you to press “Enter” to view the SecureZIP certificate store settings.

Runtime Configuration Panel

SecureZIP Runtime Configuration
OPTION ===>
                                                            More:     -
Initial Execution Default Command Settings
  Defaults module.....: ACZDFLT (ACZDFLT)
  ZIP processing......: 'SECZIP.MVS.INSTLIB(CMDZIP)'
  UNZIP processing....: 'SECZIP.MVS.INSTLIB(CMDUNZIP)'
Foreground Processing Controls
  Use TSO Prefix      : N (Y/N)
  Lowest Acceptable RC: 4 (0,4,8)
SYSPRINT Allocation
  Type      : CYLS (BLKS,TRKS,CYL)
  Primary   : 3
  Secondary : 1
Batch Job Card information
//FPDCS1 JOB 'ACCOUNTING INFO',CLASS=A,REGION=8M,
// MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID
//*
Hit ENTER for SecureZIP Certificate Store Settings
To EXIT Press PF3    For HELP Press PF1

Runtime Configuration Panel: Certificate Stores

PKZC001S SecureZIP Runtime Configuration
Option ===>
Certificate Store Settings ( ENTER to validate PF7/PF8 to scroll)
/ to Edit the file    M to Display a member selection list
Private-Cert        > 'SECZIP.MVS.JCL(CERTPROF)'
DB Profile          > 'SECZIP.MVS.PROFILES(DB810X)'
LDAP Profile        > 'SECZIP.MVS.JCL(LDAPFPD1)'
ZIP Recipient List  > 'SECZIP.MVS.CERTSTOR.PROFILES($RECIPS)'
UNZIP Recipient List> UNDEFINED
Archive Signing     > 'SECZIP.MVS.CERTSTOR.PROFILES($SIGNARC)'
File Signing        > 'SECZIP.MVS.CERTSTOR.PROFILES($SIGNFIL)'
Authenticate Archive> 'SECZIP.MVS.CERTSTOR.PROFILES($AUTHARC)'
Authenticate Files  > 'SECZIP.MVS.CERTSTOR.PROFILES($AUTHFIL)'
-------------------------------------------------------------------------------
***** Top of Data **************************************************************
Private-key Certificate Recipient(s):
=====================================
*---------------------------------------------------------------------*
* Profile SECZIP.MVS.JCL(certprof)                                    *
*---------------------------------------------------------------------*
*-recipient(db:cn=PKWARE TEST1,R,PASSWORD=PKWARE)
*-recipient(dsn://'SECZIP.IVP.CERT.ADMIN04.PFX',password=password)
Local Certificate Store DB Profile:
==============================
***
* LOCAL CERTIFICATE STORE CONFIGURATION CONTROL
*
* Include this member in SecureZIP runs requiring Local Certificate
* Store RECIPIENTS, SIGN_ARCHIVE, SIGN_FILES and AUTHCHK signatories.
***
-{CSPUB=4;1;SECZIP.MVSSTD.CERTSTOR.PUBLIC}
-{CSPRVT=4;1;SECZIP.MVSSTD.CERTSTOR.PRIVATE}
-{CSPUB_DBX=SECZIP.MVSSTD.CERTSTOR.DBX}
-{CSPUB_DBX_PATH_CN=SECZIP.MVSSTD.CERTSTOR.PATHCN}
-{CSPUB_DBX_PATH_EM=SECZIP.MVSSTD.CERTSTOR.PATHEM}
-{CSPUB_DBX_PATH_PUBKEY=SECZIP.MVSSTD.CERTSTOR.PATHPUBK}
-{CSCA=1;0;SECZIP.MVSSTD.CERTSTOR.P7CA}
-{CSROOT=1;0;SECZIP.MVSSTD.CERTSTOR.P7ROOT}
-{AUTHENTICATE=TRUSTED,EXPIRED,REVOKED,TAMPERCHECK}
*{VALSIGN=TRUSTED,EXPIRED,REVOKED}
*{VALENCRYPT=TRUSTED,EXPIRED,REVOKED}
LDAP Configuration Profile:
===========================
-{LDAP=1;ASI4;4389;0;0;;;*CN;o=PKWARE}
Saved Recipient List:
=====================
*RECIPIENT(DB:CN=PKWARE Test1,PASSWORD=PKWARE)
Saved Archive Signing List:
===========================
-SIGN_ARCHIVE(DB:CN=PKWARE Test1,PASSWORD=PKWARE)
Saved File Signing List:
========================
-SIGN_FILES(DB:CN=PKWARE Test1,PASSWORD=PKWARE)
-SIGN_FILES(DB:CN=PKWARE Test2,PASSWORD=PKWARE)
-SIGN_FILES(DB:CN=PKWARE Test3,PASSWORD=PKWARE)
-SIGN_FILES(DB:CN=PKWARE Test4,PASSWORD=PKWARE)
Saved Archive Authentication List:
==================================
-AUTHCHK(ARCHIVE,DB:CN=PKWARE Test1)
Saved File Authentication List:
===============================
1AUTHCHK(FILES,DB:CN=PKWARE Test1,PASSWORD=PKWARE)
***** Bottom of Data *******************************************

The preceding panel is used for entering configuration information for certificate profiles and for editing saved control cards used in certificate processing.

That information includes the locations of the private-key certificate, the data base profile, and the LDAP profile. You must specify the location of private-key certificates. For the locations of the DB and/or LDAP profiles, contact your SecureZIP administrator.

SecureZIP Runtime Configuration Panel Undefined

SecureZIP Runtime Configuration
Option ===>
Certificate Store Settings ( ENTER to validate PF7/PF8 to scroll)
/ to Edit the configuration file    M to Display a member selection list
Private-Cert> undefined
DB Profile  > undefined
LDAP Profile> undefined
/ to Edit the saved lists
Zip Recipient List  > undefined
UNZIP Recipient List> UNDEFINED
Archive Signing     > undefined
File Signing        > undefined
Authenticate Archive> undefined
Authenticate Files  > undefined
***** Top of Data **************************************************************
Private-key Certificate Recipient(s):
=====================================
Profile: MISSING DATASET NAME
Local Certificate(DB) Profile:
==============================
Profile: MISSING DATASET NAME
LDAP Configuration Profile:
===========================
Profile: MISSING DATASET NAME
***** Bottom of Data ***********************************************************

As you begin the process of creating archives with recipients and signing, and validating existing archives, the Edit/Saved Lists are populated with control records.

SecureZIP Runtime Configuration Panel with DB Profile Defined

The following example shows how the Runtime Configuration Panel looks after completing the local certificate store configuration.

SecureZIP Runtime Configuration
Option ===>
Certificate Store Settings ( ENTER to validate PF7/PF8 to scroll)
/ to Edit the configuration file
Private-Cert> undefined
DB Profile  > 'SECZIP.MVS.JCL(CCFGFPD1)'
LDAP Profile> undefined
/ to Edit the saved lists
Recipient List      > undefined
Archive Signing     > undefined
File Signing        > undefined
Authenticate Archive> undefined
Authenticate Files  > undefined
***** Top of Data **************************************************************
Private-key Certificate Recipient(s):
=====================================
Profile: Undefined
Local Certificate(DB) Profile:
==============================
* DATABASE ACCESS CONTROL CARDS
-{CSPUB=4;1;SECZIP.MVS1.CERTSTOR.PUBLIC}
-{CSPRVT=4;1;SECZIP.MVS1.CERTSTOR.PRIVATE}
-{CSPUB_DBX=SECZIP.MVS1.CERTSTOR.DBX}
-{CSPUB_DBX_PATH_CN=SECZIP.MVS1.CERTSTOR.PATHCN}
-{CSPUB_DBX_PATH_EM=SECZIP.MVS1.CERTSTOR.PATHEM}
-{CSPUB_DBX_PATH_PUBKEY=SECZIP.MVS1.CERTSTOR.PATHPUBK}

SecureZIP Runtime Configuration Panel with Private Certificate Location

The following example shows the Runtime configuration panel with the private certificate identified that will be used to provide the private key to decrypt an archive. Notice that the RECIPIENT location, the requirement to always find the certificate (R), and the password for the private key are displayed as part of the panel information provided.

The private certificate dataset must be allocated and specified by the user as it is not automatically generated during the installation process. Be sure to require suitable security authority for any and all datasets that contain private certificate password information.

SecureZIP Runtime Configuration
Option ===>
Certificate Store Settings ( ENTER to validate PF7/PF8 to scroll)
/ to Edit the configuration file
Private-Cert> 'SECZIP.MVS.JCL(CERTPROF)'
DB Profile  > 'SECZIP.MVS.JCL(CCFGFPD1)'
LDAP Profile> 'SECZIP.MVS.JCL(LDAPFPD1)'
/ to Edit the saved lists
Recipient List      > undefined
Archive Signing     > undefined
File Signing        > undefined
Authenticate Archive> undefined
Authenticate Files  > undefined
***** Top of Data **************************************************************
Private-key Certificate Recipient(s):
=====================================
*---------------------------------------------------------------------*
* Profile SECZIP.MVS.JCL(CERTPROF)                                    *
*---------------------------------------------------------------------*
-recipient(db:cn=PKWARE TEST1,R,PASSWORD=xxxxxxxx)

Filename Encryption

How SecureZIP for zSeries Encrypts File Names

SecureZIP for zSeries encrypts file names using your current settings for (strong) encryption method and algorithm. File names can be encrypted using either strong password encryption or a recipient list (or both).

Note: Encrypting names of files and folders in an archive encrypts and hides a good deal of other internal information about the archive as well. To encrypt file names, SecureZIP for zSeries encrypts the archive's central directory, where virtually all such metadata about the archive is stored.

Note: Be aware that archive comments are not encrypted even when you encrypt file names. Do not put sensitive information in an archive comment.

When SecureZIP for zSeries Encrypts File Names

With archives that do not already contain encrypted file names:

SecureZIP for zSeries encrypts file names only when you add files to an archive. SecureZIP for zSeries does not encrypt file names when you encrypt files that are already in an archive even if the option to encrypt file names is turned on.

SecureZIP for zSeries encrypts file names only when you add and encrypt files. SecureZIP for zSeries does not encrypt file names when you add files without encrypting them, even if the option to encrypt file names is turned on.

Encrypting File Names When You Update an Archive

If you turn on the setting to encrypt file names and then add files to an archive that already contains files with unencrypted file names, SecureZIP for zSeries encrypts the names of all files in the archive.

If the archive contains files whose contents are already encrypted, SecureZIP for zSeries rejects an attempt to add filename encryption.

If you update an archive that already contains files with encrypted file names, SecureZIP for zSeries encrypts the newly added files and their names using the same password or recipient list originally used to encrypt file names in the archive.

Notes:

• Once file names in an archive are encrypted, you cannot currently remove the encryption or change the password or recipient list used.

• You cannot change the encryption on files that are already in an archive that contains encrypted file names.

Opening and Viewing an Archive That Has Encrypted File Names

An archive that contains encrypted file names requires SecureZIP for zSeries 8.0 or later to open it.

Input Required To View Recipients in a Filename Encrypted Archive

To view the recipients of a filename-encrypted archive, place VERBOSE in the input.

//FPDTEST3 JOB '0',CLASS=A,REGION=64M,
// MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID
//UNZIP EXEC PGM=SECUNZIP
//STEPLIB DD DISP=SHR,DSN=SECZIP.MVS.LOAD
// DD DISP=SHR,DSN=SECZIP.MVS.LOAD
//CERT DD DSN=FPD.FPDPVT08.PFX,DISP=SHR
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
-ARCHIVE_DSN(SECZIP.MVS.FNEREC.ZIP)
-VERBOSE
-ACTION(VIEW)
-RECIPIENT(DD:CERT,R,PASSWORD=PKWARE)

View of Recipients in a Filename Encrypted Archive

ZPGE001T UNZIP STARTUP STORAGE QUERY: 24BIT= 9144K 31BIT= 65536K CACHE=
ZPLI001I SecureZIP(TM) for zSeries, Version 8.1 - 02/11/05 14.26
ZPLI001I Copyright 1989-2005 PKWARE Inc. All rights reserved.
ZPLI001I SecureZIP(TM) is a trademark of PKWARE (R), Inc.
ZPLI001I Registered, Processor Type=2066 Processor Group=00 Serial Number=
ZPLI001I OS Level: HBB7707 SP7.0.4
-INCLUDE_CMD=PKZIP.IVP.JCL(DEVCERT1)
-ECHO=N
-ARCHIVE_DSN(SECZIP.MVS.FNEREC.ZIP)
-VERBOSE
-LOGGING_LEVEL(VERBOSE)
-ACTION(VIEW)
-RECIPIENT(DD:CERT,R,PASSWORD=******)
ZPCM011I Processing EXEC PARM parameters
ZPEN110I Locating Digital Certificates ...
ZPCM023I Digital Certificate Store Configuration
{CSPUB=4;1;SECZIP.MVS.CERTSTOR.PUBLIC}
{CSPRVT=4;1;SECZIP.MVS.CERTSTOR.PRIVATE}
{CSCA=1;1;SECZIP.MVS.CERTSTOR.PUBLIC(CAP7)}
{CSROOT=1;1;SECZIP.MVS.CERTSTOR.PUBLIC(ROOTP7)}
{CSPUB_DBX=SECZIP.MVS.CERTSTOR.PUBLIC.DBX}
{CSPUB_DBX_PATH_CN=SECZIP.MVS.CERTSTOR.PATHCN}
{CSPUB_DBX_PATH_EM=SECZIP.MVS.CERTSTOR.PATHEM}
{CSPUB_DBX_PATH_PUBKEY=SECZIP.MVS.CERTSTOR.PATHPUBK}
{LDAP=1;192.168.0.54;4389;1;0;CN=LDAP Administrator;secret;;O=PKWARE;}
ZPCM023C ---------------------------------------
ZPCM024I Digital Certificate Request List
ZPCM024C Req'd Private Recipient dd:CERT
ZPCM024C FILE FOUND *REQUIRED*
ZPCM024C --------------------------------
ZPAP900I NO API REQUIRED
ZPCM100I Configuration Manager Shutdown. Posting Main Task: 00000000
ZPAM030I INPUT Archive opened: SECZIP.MVS.FNEREC.ZIP
ZPAM710I Archive Directory is Compressed 85%
ZPAM711I Archive Directory is Encrypted: AES_256 Certificate Only
ZPEX100I Extract Task { 5} TCB: 008D0A90 Started.
ZPEX004I Archive Central Directory extracted for processing.
ZPAM014I 234 file(s) are in the input Archive.
ZPAM012I ZIP comment: SecureZIP for zSeries by PKWARE
ZPAM013I *********************************************************************************
ZPAM015I        Length Method                Size Ratio Date       Time  CRC-32   Name
ZPAM016I ------------- ------------ ------------- ----- ---------- ----- -------- -----------------------------------
ZPAM017I         4,183 Deflate-SFST         2,240   46% 08/30/2004 16:24 419ABFDA ! PKZIP/FPD/JCL/ACZDFLT
ZPAM017I         4,183 Deflate-SFST         2,256   46% 08/30/2004 16:24 18A324CE ! PKZIP/FPD/JCL/ACZDFL
ZPAM017I         1,067 Deflate-SFST         1,536    0% 08/30/2004 16:24 183003D8 ! PKZIP/FPD/JCL/ZIPVIEW
………………… ………………… ……………
ZPAM017I         1,067 Deflate-SFST         1,536    0% 08/30/2004 16:24 2F3E1C63 ! PKZIP/FPD/JCL/ZIP12
ZPAM017I           985 Deflate-SFST         1,520    0% 08/30/2004 16:24 5A8D5879 ! PKZIP/FPD/JCL/ZIP123
ZPAM018I -------------              ------------- -----
ZPAM019I       698,546                    450,288   36%
ZPAM013I *********************************************************************************
ZPAM140I FILES: VIEWED EXCLUDED BYPASSED IN ERROR
ZPAM140I           234        0        0        0
ZPAM712I Archive Directory Encryption Recipients:
ZPAM320I 4 recipient(s) were designated:
ZPAM321I Recipient: PKWARE Test0
ZPAM323I Email: [email protected]
ZPAM325I Valid: 07/23/2002-07/23/2003
ZPAM326I Issuer: VeriSign, Inc.
ZPAM321I Recipient: PKWARE TEST1
ZPAM323I Email: [email protected]
ZPAM325I Valid: 11/05/2003-11/04/2004
ZPAM326I Issuer: VeriSign, Inc.
ZPAM321I Recipient: PKWARE Test2
ZPAM323I Email: [email protected]
ZPAM325I Valid: 07/22/2003-07/21/2004
ZPAM326I Issuer: VeriSign, Inc.
ZPAM321I Recipient: PKWARE Test00
ZPAM323I Email: [email protected]
ZPAM325I Valid: 07/22/2003-07/21/2004
ZPAM326I Issuer: VeriSign, Inc.
ZPAM101I Archive Manager Task { 3} TCB: 008D0E88 shutdown begun.
ZPAM109I Archive Manager Task { 3} TCB: 008D0E88 shutdown complete.
ZPEX101I Extract Task { 5} TCB: 008D0A90 shutdown begun.
ZPEX109I Extract Task { 5} TCB: 008D0A90 shutdown complete.
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)
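The recipient block of a VERBOSE view listing (messages ZPAM320I through ZPAM326I) can be checked against the EXPIRED policy element without opening the certificates themselves. The Python sketch below is an added example, not PKWARE code: it parses those messages, compares each "Valid:" range with a review date, and reports recipients whose validity cannot be determined as UNKNOWN instead of assuming they are current. The function names and the sample listing (names, addresses, dates) are constructed; the MM/DD/YYYY date layout is taken from the listing above.

```python
import re
from datetime import date, datetime

_LINE = re.compile(r"^\s*ZPAM(32[0-6])I\s+(.*)$")
_FIELDS = {"322": "public_key_hash", "323": "email", "324": "cert", "326": "issuer"}


def parse_recipients(listing):
    """Return (designated_count, [recipient dicts]) from ZPAM320I-ZPAM326I lines."""
    designated, recipients = None, []
    for raw in listing.splitlines():
        match = _LINE.match(raw)
        if match is None:
            continue
        number, text = match.group(1), match.group(2).strip()
        if number == "320":  # "N recipient(s) were designated:"
            designated = int(text.split()[0])
            continue
        value = text.split(":", 1)[1].strip() if ":" in text else ""
        if number == "321":  # starts a new recipient block
            recipients.append({"name": value, "not_before": None, "not_after": None})
        elif not recipients:
            continue  # detail line with no preceding ZPAM321I
        elif number == "325":  # "Valid: MM/DD/YYYY-MM/DD/YYYY"
            start, end = value.split("-")
            recipients[-1]["not_before"] = datetime.strptime(start, "%m/%d/%Y").date()
            recipients[-1]["not_after"] = datetime.strptime(end, "%m/%d/%Y").date()
        elif number in _FIELDS:
            recipients[-1][_FIELDS[number]] = value
    return designated, recipients


def validity_status(recipient, as_of):
    """Classify one recipient certificate against the review date."""
    start, end = recipient["not_before"], recipient["not_after"]
    if start is None or end is None:
        return "UNKNOWN"  # no ZPAM325I line: do not assume the certificate is current
    if as_of < start:
        return "NOT_YET_VALID"
    if as_of > end:
        return "EXPIRED"
    return "VALID"


def audit_listing(listing, as_of):
    """Return ([(name, status), ...], complete).

    A list is used because two certificates can share one common name.
    complete is False when the ZPAM320I count is missing or differs from the
    number of recipient blocks found, for example in a truncated listing.
    """
    designated, recipients = parse_recipients(listing)
    report = [(r["name"], validity_status(r, as_of)) for r in recipients]
    return report, designated is not None and designated == len(recipients)


# Constructed sample listing; names, addresses and dates are illustrative.
SAMPLE_LISTING = """\
ZPAM712I Archive Directory Encryption Recipients:
ZPAM320I 3 recipient(s) were designated:
ZPAM321I Recipient: Example User A
ZPAM323I Email: user.a@example.com
ZPAM325I Valid: 07/23/2002-07/23/2003
ZPAM326I Issuer: Example CA
ZPAM321I Recipient: Example User B
ZPAM323I Email: user.b@example.com
ZPAM325I Valid: 11/05/2004-11/04/2005
ZPAM326I Issuer: Example CA
ZPAM321I Recipient: Example User C
ZPAM324I Cert: //'EXAMPLE.CERTSTOR.PUBLIC(USERC)'
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)
"""

if __name__ == "__main__":
    report, complete = audit_listing(SAMPLE_LISTING, date(2005, 2, 11))
    for name, status in report:
        print(f"{status:14} {name}")
    print("recipient count matches ZPAM320I:", complete)
```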

View Detail of an Archive that Has Encrypted File Names

ZPAM711I in the output below identifies the type of encryption used for filename encryption.

ZPAM030I INPUT Archive opened: SECZIP.MVS.FNEREC.ZIP
ZPAM710I Archive Directory is Compressed 85%
ZPAM711I Archive Directory is Encrypted: AES_256 Certificate Only
ZPAM014I 234 file(s) are in the input Archive.
ZPAM012I ZIP comment: SecureZIP for zSeries by PKWARE
ZPAM013I *************************************************************
ZPAM001I Filename: PKZIP/FPD/JCL/ACZDFLT
ZPAM002I File type: TEXT
ZPAM003I Date/Time: 30-AUG-2004 16:24:00
ZPAM004I Compression Method: Deflate- Super Fast
ZPAM005I Compressed Size: 2,240
ZPAM006I Uncompressed Size: 4,183
ZPAM007I 32-bit CRC: 419ABFDA LHDR Offset: 0
ZPAM008I Created by: PK zSeries 8.1
ZPAM009I Needed to extract: ZipSpec 6.1
ZPAM010I Encryption: AES_256 Certificate Key BSAFE(R)
ZPAM301I File Type: NONVSAM PDS
ZPAM302I File PDS Directory Blocks: 50
ZPAM303I File Record Format: FB
ZPAM304I File Allocation Type: CYL
ZPAM305I File Primary Space Allocated: 5
ZPAM306I File Secondary Space Allocated: 9
ZPAM307I File Record Size: 80
ZPAM308I File Block Size: 27920
ZPAM309I File Volume(s) Used: FPD002
ZPAM310I File Creation Date: 2003/07/22
ZPAM311I File Referenced Date: 2004/08/30
ZPAM319I SMS Storage Class: PRIVATE
ZPAM312I File PDS Extended Directory Information:
DIRECTORY INFORMATION FOLLOWS LENGTH=00001E
000000 01040029 0102198F 0102205F 14010033 |........... ....| ) _ 3|
000010 00330000 C6D7C440 40404040 40400000 |....FPD ..| 3 @@@@@@@ |
ZPAM312C -SIZE -CREATED-- ------CHANGED------ ---ID-- -INIT VV.MM
ZPAM312C 51 2002/07/17 2002/07/24 14:01:29 FPD 51 01.04
ZPAM313I PDS member TTRKZC: 00010700000F
ZPAM320I 4 recipient(s) were designated:
ZPAM321I Recipient: PKWARE Test2
ZPAM322I Public Key Hash: 07E091CE30862B61663CF9D356863BF84D3DC8D5
ZPAM323I Email: [email protected]
ZPAM324I Cert: //'SECZIP.MVS.CERTSTOR.PRIVATE(PKT2004)'
ZPAM321I Recipient: PKWARE Test2
ZPAM322I Public Key Hash: 271842663AA344FBC35656BE68B5A46EE7E545F0
ZPAM323I Email: [email protected]
ZPAM324I Cert: //'SECZIP.MVS.CERTSTOR.PUBLIC(PKT2003)'
ZPAM321I Recipient: PKWARE TEST1
ZPAM322I Public Key Hash: 5D9E8B89B5948E9E853338A7250D64C5BED5E9E7
ZPAM323I Email: [email protected]
ZPAM324I Cert: //'SECZIP.MVS.CERTSTOR.PUBLIC(PKT12003)'
ZPAM321I Recipient: PKWARE Test00
ZPAM322I Public Key Hash: 6E16CFEFFAA093242B89DEE623C7D7428082F3E3
ZPAM323I Email: [email protected]
ZPAM324I Cert: //'SECZIP.MVS.CERTSTOR.PUBLIC(PK002003)'
ZPAM013I *************************************************************

Two fields in the preceding output require explanation:

• Created by: Lists the program, and its release level, that created the archive.

• Needed To Extract: Lists the version of the ZIP file format specification on which the program that created the archive is based.

The number listed is not a version of the SecureZIP for zSeries program. It is the earliest version of the ZIP file format specification that defines certain features implemented in the program. A different program must support at least the listed version of the ZIP file format in order to extract files from an archive that uses features initially defined in the listed specification.

For example, to extract files from an archive that uses filename encryption, a program must support a version of the ZIP file format that provides for filename encryption.

Decrypting a Filename-Encrypted Archive

When opening an archive, SecureZIP for zSeries automatically decrypts file names for anyone on a recipient list for the encrypted file names.

If file names are encrypted using a password (with or without a recipient list), SecureZIP for zSeries requests a password when anyone who is not on the recipient list tries to open the archive. If the correct password is not entered, SecureZIP does not open the archive.

Security Examples

Below are examples of how to invoke SecureZIP for zSeries processing using ISPF panels and JCL along with sample output listings.

SecureZIP Using Recipients or Combo

When protection modes of Recipient or Combo are selected, recipients can be designated such that a password is not required to extract the data.

If a password is entered, the lines will be concatenated to create a single password string of up to 200 characters and each line must begin and end with a non-blank.

Each recipient is represented by a public-key x.509 digital certificate. The public-key certificates can be stored and accessed in one or more of the following locations:

• Individual data sets (or PDS members)

• The Local certificate store Database as described by DB Profile

• One or more network LDAP servers as described by LDAP Profile

Recipient designations:

• LDAP:CN=Joe Smith

• dsn://'PKZIP.CERTSTOR.PRIVATE(MAS2004)',R,password=abcdef

• db:[email protected]

• LDAP:mail=*@location.com

It is important to note the following:

• CN=Joe Smith may return more than one recipient digital certificate. The LDAP entry for Joe Smith may contain multiple certificates. Certificates are frequently valid for only one year, so a recipient may have a certificate for each year with the company.

• A local PDS has a certificate loaded into member MAS2004, which may represent a specific person's 2004 certificate. In this case, the R indicates that the certificate is required for processing to be performed. In addition, this certificate is a private-key certificate, so the export password is necessary for the public-key portion to be extracted from it.

• db:EM= (or CN= for common name) may be used to locate a public-key certificate from within the local certificate store database. Private-key certificates may also be stored in the database, in which case the private-key password must also be coded to access it.

• LDAP:mail=*@location.com demonstrates that masked requests may be made to an LDAP server. However, caution must be used not to make search criteria too broad, to avoid related high CPU and virtual storage requirements.

Zip Compress File(s) to an Archive File (Option ‘Z’) Using Recipients

Below is the main ZIP compression panel. Here you place a “Y” in the Encryption option field to encrypt.

SecureZIP ZIP Processing
Command ===>
Archive File Information:
  File Name         : 'FPD.SEQ.ZIP'
  File Type         : 1 ( 1 = SEQ, 2 = PDS, 3 = VSAM, 4= PDSE)
  More Attributes   : N ( Y - Yes, N - Take Defaults)
Zip file information:
  File to compress  : 'FPD.TEST.SEQ3'
  Zipped DSN        :
  Encryption        : Y ( Y - Encrypt files)
                    : N ( Y - View typed password)
  Format            :   ( B -Binary T -Text D -Detect BV -Binary-Variable)
  More Files        : N ( Y - Enter additional file names, N - None)
Security options:
  Security required : N ( Y - To Display Security Options Dialog)
Processing options:
  Simulation Mode   : N ( Y - Test file selection, N - Normal Processing)
  Zip Function      : A ( A - Add, F - Freshen, U - Update, D - Delete)
  Processing Mode   : B ( F - Foreground, B - Batch)
  Batch JCL Status  : C ( C - New Dataset, A - Add to existing Dataset)
  Advanced Options  : N ( Y - Change Defaults, N - None)
Enter VIEW on command line to VIEW archive

SecureZIP Encryption Using Individual Recipients as Input

The next panel that appears when you have selected Encryption is a pop-up that allows you to select the method of encryption and either enter the password and the recipient, or the password alone, or the recipient alone, to be used to encrypt the file.

PKZZ005 SecureZIP ZIP Processing
Command ===>
                                                            More:
Security options:
  Password protect   : N ( Y - Use Passwords)
                     : N ( Y - View typed pwd)
Encryption:
  Algorithm          : BSAFE_AES128 / for selection list
  Filename Encryption: N ( Y - Encrypt file names in the Archive)
-------------------------------------------------------------------------
SecureZIP certificate-based operations. (Page down for all options)
Certificate Encryption:
  Recipients         : N ( Y - Digital Certificate Encryption)
  Validation Policy: Y Trusted Y Expired Y Revoked
Signing:
  Archive            : N ( Y - Sign Archive Central Directory)
  Files              : N ( Y - Sign Files)
  Hash Algorithm     : SHA-1 (MD5, SHA-1)
  Validation Policy: Y Trusted Y Expired Y Revoked
SecureZIP certificate-based operations. (Page down for all options)
Certificate Encryption:
  Recipients         : Y ( Y - Digital Certificate Encryption)
  Validation Policy: Y Trusted Y Expired Y Revoked
Signing:
  Archive            : N ( Y - Sign Archive Central Directory)
  Files              : N ( Y - Sign Files)
  Hash Algorithm     : SHA-1 (MD5, SHA-1)
  Validation Policy: Y Trusted Y Expired Y Revoked
Authentication:
  Archive            : N ( Y - Authenticate Archive Directory)
  Validation Policy: Y Trusted Y Expired Y Revoked Y Tampercheck
-------------------------------------------------------------------------
Reporting:
  Certificate Report : Y ( Y - Verbose certificate selection info)

In this example we are going to enter “RECIPIENTS=Y” to allow the use of certificate processing. This displays pop-up screen PKSZ001 so that intended recipients can be identified (see screen below).

Notice that the Certificate Report option has a “Y”. This places a VERBOSE control card in the input stream to generate additional details on the locations searched for certificate information and the status of the search. A set of ZPCM024C messages display in the SecureZIP program output to show how each RECIPIENT request was resolved.

SecureZIP Encryption
OPTION ===>
                                                            More:
Selection Mode: Recipients
/ to Edit the profile used to satisfy DB: and LDAP: requests
DB Profile  > 'SECZIP.FPD.PROFILES(DB810X)'
LDAP Profile> 'SECZIP.FPD.JCL(LDAPFPD1)'
/ Edit a file containing a set of -RECIPIENT commands.
S Search the Local Certificate Store to build a list
M Data set member selection list
Recipient List: 'SECZIP.FPD.CERTSTOR.PROFILES($RECIPS)'
Individual Recipients: A -RECIPIENT() request will be built for each of
of the following requests.
1.
2.
3.
4.
5.
Note: Recipient requests are cumulative. All requests from the
Recipient List, Individual Recipients, the configured default
RECIPIENT and MASTER RECIPIENT will be included.

The DB Profile member contains the definitions for the local certificate store that were created by the SecureZIP administrator. The Recipient List member $RECIPS identifies a file from which RECIPIENT commands can be included. In addition, a specific recipient with a common name of “PKWARE Test3” is identified.

SecureZIP Certificate Report Option

-----------------------------------------------------------
Digital Certificate Request List
Req'd Private Recipient //'PKZIP.CERTSTOR.PRIVATE(MAS2004)'
FILE FOUND *REQUIRED*
Cond'l Public Recipient CN=Joe Smith
FILE NOT_FOUND
------------------------------------------------------------

SecureZIP Verification Window

Below is a pop-up window that allows you to verify your selected security options.

Command ===>
The following security options have been selected:
  Recipient-based BSAFE_AES256 Encryption
  No Filename Encryption
  No Archive Directory Signature
  No File Signatures
  No Authentication of Archive Signature
Press ENTER to continue with detailed specifications of each,
or PF3 or 'END' to respecify the basic security options.

SecureZIP Encryption Using Individual Recipients-Generated JCL

Below is the generated JCL to submit to encrypt this archive. The JCL contains the recipients added in the Encryption panel above.

//FPDCS1 JOB 'ACCOUNTING INFO',CLASS=A,REGION=8M,
// MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID
//*
//ZIPIT EXEC PGM=SECZIP
//STEPLIB DD DISP=SHR,DSN=SECZIP.MVS.LOAD
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
* PANEL INPUT COMMANDS:
-ENCRYPTION_METHOD(BSAFE_AES128)
* Configured Profile:
-INCLUDE_CMD(SECZIP.MVS.JCL(DBPROF))
-INCLUDE_CMD(MAS.TEST.CERTSTOR.PROFILES($RECIPS))
-RECIPIENT(db:cn=Joe Smith)
-RECIPIENT(db:cn=PKWARE Test3)
-VERBOSE
-ARCHIVE_DSN(FPD.SEQ.ZIP)
-ARCHIVE_DSORG(PS)
-ACTION(ADD)
FPD.TEST.SEQ3
/*

SecureZIP Encryption Using Recipient Job Output Listing with VERBOSE

Below is the output from the SecureZIP for zSeries batch job submitted. The output listing contains all pertinent information related to certificate processing. The additional certificate information is generated as a result of using the VERBOSE control card.

ZPGE001T ZIP STARTUP STORAGE QUERY: 24BIT= 8208K 31BIT= 32768K CACHE=
ZPLI001I SecureZIP(TM) for zSeries, Version 8.1 - 02/11/05 14.26
ZPLI001I Copyright 1989-2005 PKWARE Inc. All rights reserved.
ZPLI001I SecureZIP(TM) is a trademark of PKWARE (R), Inc.
ZPLI001I Registered, Processor Type=2066 Processor Group=00 Serial Number=
ZPLI001I OS Level: HBB7707 SP7.0.4
-INCLUDE_CMD=PKZIP.IVP.JCL(DEVCERT1)
-ECHO=N
* PANEL INPUT COMMANDS:
-ENCRYPTION_METHOD(BSAFE_AES128)
* Configured Profile:
-INCLUDE_CMD(SECZIP.MVS.JCL(DBPROF))
*---------------------------------------------------------------------*
* PROFILE SECZIP.MVS.JCL(DBPROF)                                      *
*---------------------------------------------------------------------*
* DATABASE ACCESS CONTROL CARDS
-{CSPUB=4;1;SECZIP.CERTSTOR.PUBLIC}
-{CSPRVT=4;1;SECZIP.CERTSTOR.PRIVATE}
-{CSPUB_DBX=SECZIP.CERTSTOR.DBX}
-{CSPUB_DBX_PATH_CN=SECZIP.CERTSTOR.PATHCN}
-{CSPUB_DBX_PATH_EM=SECZIP.CERTSTOR.PATHEM}
-{CSPUB_DBX_PATH_PUBKEY=SECZIP.CERTSTOR.PATHPUBK}
-INCLUDE_CMD(SECZIP.MVS.JCL(LDAPPROF))
*---------------------------------------------------------------------*
* PROFILE SECZIP.MVS.JCL(LDAPPROF)                                    *
*---------------------------------------------------------------------*
-{LDAP=1;LDAP1234.PKWARE.COM;4389;0;0;;;*CN;O=PKWARE}
-RECIPIENT(db:cn=PKWARE TEST1)
-RECIPIENT(db:cn=PKWARE Test2)
-RECIPIENT(db:[email protected])
-VERBOSE
-LOGGING_LEVEL(VERBOSE)
-ARCHIVE_DSN(FPD.SEQ.ZIP)
-ARCHIVE_DSORG(PS)
-ACTION(ADD)
FPD.TEST.SEQ3
ZPCM011I Processing EXEC PARM parameters
ZPCS200I Opening Common Name DB Index (//'SECZIP.CERTSTOR.PATHCN')
ZPCS200I Opening Email Address DB Index (//'SECZIP.CERTSTOR.PATHEM')
ZPCM023I Digital Certificate Store Configuration
{CSCA=1;1;SECZIP.MVS.CERTSTOR.PUBLIC(CAP7)}
{CSROOT=1;1;SECZIP.MVS.CERTSTOR.PUBLIC(ROOTP7)}
{CSPUB=4;1;SECZIP.CERTSTOR.PUBLIC}
{CSPRVT=4;1;SECZIP.CERTSTOR.PRIVATE}
{CSPUB_DBX=SECZIP.CERTSTOR.DBX}
{CSPUB_DBX_PATH_CN=SECZIP.CERTSTOR.PATHCN}
{CSPUB_DBX_PATH_EM=SECZIP.CERTSTOR.PATHEM}
{CSPUB_DBX_PATH_PUBKEY=SECZIP.CERTSTOR.PATHPUBK}
ZPCM023C ---------------------------------------
ZPCM024I Digital Certificate Request List
ZPCM024C Cond'l Public Recipient //'SECZIP.CERTSTOR.PUBLIC(GEN50874)'
ZPCM024C FILE FOUND
ZPCM024C Cond'l Public Recipient //'SECZIP.CERTSTOR.PUBLIC(GEN51550)'
ZPCM024C FILE FOUND
ZPCM024C --------------------------------
ZPCM025I Digital Certificates Found: 2
ZPCM025C Joe Smith;[email protected];
ZPCM025C PKWARE Test3;[email protected];
ZPCM025C --------------------------------
ZPAP900I NO API REQUIRED
ZPAM030I OUTPUT Archive opened: FPD.SEQ.ZIP
ZPCM017I A total of 1 ADD/UPDATE candidate file(s) were identified.
ZPCO100I Compression Task { 5} TCB: 008D1858 Started.
ZPCM100I Configuration Manager Shutdown. Posting Main Task: 00000000
ZPAM253I ADDED File FPD.TEST.SEQ3
ZPAM254I as FPD/TEST/SEQ3
ZPAM255I (DEFLATED 79%/78%) SecureZIP(TM): BSAFE_AES128 ORIG. SIZE 216,800; ZIP SIZE 47,608
ZPAM140I FILES:    ADDED    EXCLUDED    BYPASSED    IN ERROR
ZPAM140I               1           0           0           0
ZPAM101I Archive Manager Task { 3} TCB: 008D1E88 shutdown begun.
ZPAM109I Archive Manager Task { 3} TCB: 008D1E88 shutdown complete.
ZPCO101I Compression Task { 5} TCB: 008D1858 shutdown begun.
ZPCO109I Compression Task { 5} TCB: 008D1858 shutdown complete.
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)

SecureZIP Encryption Using Recipient Job Output Listing Without VERBOSE

Below is the output from the SecureZIP for zSeries batch job submitted. This output shows the result of not using the VERBOSE control card.

ZPGE001T ZIP STARTUP STORAGE QUERY: 24BIT= 8208K 31BIT= 32768K CACHE=
ZPLI001I SecureZIP(TM) for zSeries, Version 8.1 - 02/11/05 14.26
ZPLI001I Copyright 1989-2005 PKWARE Inc. All rights reserved.
ZPLI001I SecureZIP(TM) is a trademark of PKWARE (R), Inc.
ZPLI001I Registered, Processor Type=2066 Processor Group=00 Serial Number=
ZPLI001I OS Level: HBB7707 SP7.0.4
-INCLUDE_CMD=PKZIP.IVP.JCL(DEVCERT1)
-ECHO=N
* PANEL INPUT COMMANDS:
-ENCRYPTION_METHOD(BSAFE_AES128)
* Configured Profile:
-INCLUDE_CMD(SECZIP.MVS.JCL(DBPROF))
*---------------------------------------------------------------------*
* PROFILE SECZIP.MVS.JCL(DBPROF)                                      *
*---------------------------------------------------------------------*
* DATABASE ACCESS CONTROL CARDS
-{CSPUB=4;1;SECZIP.CERTSTOR.PUBLIC}
-{CSPRVT=4;1;SECZIP.CERTSTOR.PRIVATE}
-{CSPUB_DBX=SECZIP.CERTSTOR.DBX}
-{CSPUB_DBX_PATH_CN=SECZIP.CERTSTOR.PATHCN}
-{CSPUB_DBX_PATH_EM=SECZIP.CERTSTOR.PATHEM}
-{CSPUB_DBX_PATH_PUBKEY=SECZIP.CERTSTOR.PATHPUBK}
-INCLUDE_CMD(SECZIP.MVS.JCL(LDAPPROF))
*---------------------------------------------------------------------*
* PROFILE SECZIP.MVS.JCL(LDAPPROF)                                    *
*---------------------------------------------------------------------*
-{LDAP=1;LDAP1234.PKWARE.COM;4389;0;0;;;*CN;O=PKWARE}
-RECIPIENT(db:cn=PKWARE TEST1)
-RECIPIENT(db:cn=PKWARE Test2)
-RECIPIENT(db:[email protected])
-ARCHIVE_DSN(FPD.SEQ.ZIP)
-ARCHIVE_DSORG(PS)
-ACTION(ADD)
FPD.TEST.SEQ3
ZPAM030I OUTPUT Archive opened: FPD.SEQ.ZIP
ZPAM253I ADDED File FPD.TEST.SEQ3
ZPAM254I as FPD/TEST/SEQ3
ZPAM255I (DEFLATED 79%/78%) SecureZIP(TM): BSAFE_AES128 ORIG. SIZE 216,800; ZIP SIZE 47,608
ZPAM140I FILES:    ADDED    EXCLUDED    BYPASSED    IN ERROR
ZPAM140I               1           0           0           0
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)

SecureZIP Encryption Using a Recipients List

In the example below, we enter “RECIPIENTS” using a data set that contains the recipients. Placing a slash / in front of the data set name enables you to edit the list prior to execution.

SecureZIP ZIP Processing
+-----------------------------------------------------------------------------+
| SecureZIP Encryption                                                        |
| OPTION ===>                                                                 |
| More:                                                                       |
|                                                                             |
| ----------------------------------------------------------------------      |
| Recipient Section (For Protection Modes "Recipient" or "Combo")             |
|                                                                             |
| / to Edit/View the profile                                                  |
| DB Profile > 'SECZIP.MVS.JCL(DBPROF)'                                       |
| LDAP Profile> 'SECZIP.MVS.JCL(LDAPPROF)'                                    |
|                                                                             |
| / to Edit/View the list where -RECIPIENT requests are.                      |
| Recipient List: 'SECZIP.MVS.JCL(RECIPL1)'                                   |
|                                                                             |
| Individual Recipients: A -RECIPIENT() request will be built with each value |
| 1.                                                                          |
| 2.                                                                          |
| 3.                                                                          |
| 4.                                                                          |
| 5.                                                                          |
|                                                                             |
|                                                                             |
+-----------------------------------------------------------------------------+

Editing the Recipients List

You can add, change, or delete any of your existing recipients.

File Edit Edit_Settings Menu Utilities Compilers Test Help
--------------------------------------------------------------------------------
EDIT SECZIP.MVS.JCL(RECIPL1) - 01.01 Columns 00001
Command ===> Scroll ===
****** ********************************* Top of Data ***************************
*---------------------------------------------------------------------*
* Recipient list 1 SECZIP.MVS.JCL(RECIPL1)                            *
*---------------------------------------------------------------------*
-RECIPIENT(db:cn=PKWARE TEST1)
-RECIPIENT(db:cn=PKWARE Test2)
-RECIPIENT(db:[email protected])
****** ******************************** Bottom of Data *************************

SecureZIP Encryption Using a Recipients List

Below is the generated JCL using the recipients list. Notice the control card INCLUDE_CMD(SECZIP.MVS.JCL(RECIPL1)). This brings your recipients into SecureZIP for zSeries.

File Edit Edit_Settings Menu Utilities Compilers Test Help
--------------------------------------------------------------------------------
EDIT FPD.PKWARE.JCL Columns 00001
Command ===> Scroll ===
****** ********************************* Top of Data ***************************
//FPDCS1 JOB 'ACCOUNTING INFO',CLASS=A,REGION=8M,
// MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID
//*
//ZIPIT EXEC PGM=SECZIP
//STEPLIB DD DISP=SHR,DSN=SECZIP.MVS.LOAD
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
* PANEL INPUT COMMANDS:
-ENCRYPTION_METHOD(BSAFE_AES128)
* Configured Profile:
-INCLUDE_CMD(SECZIP.MVS.JCL(DBPROF))
-INCLUDE_CMD(SECZIP.MVS.JCL(LDAPPROF))
-INCLUDE_CMD(SECZIP.MVS.JCL(RECIPL1))
-VERBOSE
-ARCHIVE_DSN(FPD.SEQ.ZIP)
-ARCHIVE_DSORG(PS)
-ACTION(ADD)
FPD.TEST.SEQ3
/*
****** ******************************** Bottom of Data *************************

SecureZIP Halt Process Request

If you press PF3 on the build screens, a pop-up dialog asks you if you wish to halt the current process and begin again.

Command ===>
Do you wish to cancel the ZIP run?
Press ENTER to continue.
Press PF3 or enter CANCEL command to return.

SecureZIP Encryption Using LDAP Search for Recipients

Below we enter recipients using a search of the LDAP(s) that are configured in the LDAP profile. The search criterion in this instance is the common name (CN). The CN requests are for name fragments beginning with M*, F*, S*, and B*. This will generate recipients that match those criteria.

SecureZIP ZIP Processing
+-----------------------------------------------------------------------------+
| SecureZIP Encryption                                                        |
| OPTION ===>                                                                 |
| More:                                                                       |
|                                                                             |
| ----------------------------------------------------------------------      |
| Recipient Section (For Protection Modes "Recipient" or "Combo")             |
|                                                                             |
| / to Edit/View the profile                                                  |
| DB Profile > 'SECZIP.MVS.JCL(DBPROF)'                                       |
| LDAP Profile> 'SECZIP.MVS.JCL(LDAPPROF)'                                    |
|                                                                             |
| / to Edit/View the list where -RECIPIENT requests are.                      |
| Recipient List:                                                             |
|                                                                             |
| Individual Recipients: A -RECIPIENT() request will be built with each value |
| 1. LDAP:CN=M*                                                               |
| 2. LDAP:CN=F*                                                               |
| 3. LDAP:CN=S*                                                               |
| 4. LDAP:CN=B*                                                               |
| 5.                                                                          |
|                                                                             |
|                                                                             |
+-----------------------------------------------------------------------------+

SecureZIP Encryption Using LDAP Search for Recipients-Generated JCL

EDIT FPD.PKWARE.JCL Columns 00001
Command ===> Scroll ===
****** ********************************* Top of Data ***************************
//FPDCS1 JOB 'ACCOUNTING INFO',CLASS=A,REGION=8M,
// MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID
//*
//ZIPIT EXEC PGM=SECZIP
//STEPLIB DD DISP=SHR,DSN=SECZIP.MVS.LOAD
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
* PANEL INPUT COMMANDS:
-ENCRYPTION_METHOD(BSAFE_AES128)
* Configured Profile:
-INCLUDE_CMD(SECZIP.MVS.JCL(DBPROF))
-INCLUDE_CMD(SECZIP.MVS.JCL(LDAPPROF))
-RECIPIENT(LDAP:CN=M*)
-RECIPIENT(LDAP:CN=F*)
-RECIPIENT(LDAP:CN=S*)
-RECIPIENT(LDAP:CN=B*)
-VERBOSE
-ARCHIVE_DSN(FPD.SEQ.ZIP)
-ARCHIVE_DSORG(PS)
-ACTION(ADD)
FPD.TEST.SEQ3

SecureZIP Encryption Using LDAP Search for Recipients - Output

ZPGE001T ZIP STARTUP STORAGE QUERY: 24BIT= 8208K 31BIT= 32768K CACHE=
ZPLI001I SecureZIP(TM) for zSeries, Version 8.1 - 02/11/05 14.26
ZPLI001I Copyright 1989-2005 PKWARE Inc. All rights reserved.
ZPLI001I SecureZIP(TM) is a trademark of PKWARE (R), Inc.
ZPLI001I Registered, Processor Type=2066 Processor Group=00 Serial Number=
ZPLI001I OS Level: HBB7707 SP7.0.4
-INCLUDE_CMD=PKZIP.IVP.JCL(DEVCERT1)
-ECHO=N
* PANEL INPUT COMMANDS:
-ENCRYPTION_METHOD(BSAFE_AES128)
* Configured Profile:
-INCLUDE_CMD(SECZIP.MVS.JCL(DBPROF))
*---------------------------------------------------------------------*
* PROFILE SECZIP.MVS.JCL(DBPROF)                                      *
*---------------------------------------------------------------------*
* DATABASE ACCESS CONTROL CARDS
-{CSPUB=4;1;SECZIP.CERTSTOR.PUBLIC}
-{CSPRVT=4;1;SECZIP.CERTSTOR.PRIVATE}
-{CSPUB_DBX=SECZIP.CERTSTOR.DBX}
-{CSPUB_DBX_PATH_CN=SECZIP.CERTSTOR.PATHCN}
-{CSPUB_DBX_PATH_EM=SECZIP.CERTSTOR.PATHEM}
-{CSPUB_DBX_PATH_PUBKEY=SECZIP.CERTSTOR.PATHPUBK}
-INCLUDE_CMD(SECZIP.MVS.JCL(LDAPPROF))
*---------------------------------------------------------------------*
* PROFILE SECZIP.MVS.JCL(LDAPPROF)                                    *
*---------------------------------------------------------------------*
-{LDAP=1;LDAP1234.PKWARE.COM;4389;0;0;;;*CN;O=PKWARE}
-RECIPIENT(LDAP:CN=M*)
-RECIPIENT(LDAP:CN=F*)
-RECIPIENT(LDAP:CN=S*)
-RECIPIENT(LDAP:CN=B*)
-VERBOSE
-LOGGING_LEVEL(VERBOSE)
-ARCHIVE_DSN(FPD.SEQ.ZIP)
-ARCHIVE_DSORG(PS)
-ACTION(ADD)
FPD.TEST.SEQ3
ZPCM011I Processing EXEC PARM parameters
ZPCM023I Digital Certificate Store Configuration
{CSCA=1;1;SECZIP.MVS.CERTSTOR.PUBLIC(CAP7)}
{CSROOT=1;1;SECZIP.MVS.CERTSTOR.PUBLIC(ROOTP7)}
{CSPUB=4;1;SECZIP.CERTSTOR.PUBLIC}
{CSPRVT=4;1;SECZIP.CERTSTOR.PRIVATE}
{CSPUB_DBX=SECZIP.CERTSTOR.DBX}
{CSPUB_DBX_PATH_CN=SECZIP.CERTSTOR.PATHCN}
{CSPUB_DBX_PATH_EM=SECZIP.CERTSTOR.PATHEM}
{CSPUB_DBX_PATH_PUBKEY=SECZIP.CERTSTOR.PATHPUBK}
{LDAP=1;LDAP1234.PKWARE.COM;4389;0;0;;;*CN;O=PKWARE}
ZPCM023C ---------------------------------------
ZPCM024I Digital Certificate Request List
ZPCM024C Cond'l Public Recipient CN=M*
ZPCM024C LDAP FOUND
ZPCM024C Cond'l Public Recipient CN=F*
ZPCM024C LDAP FOUND
ZPCM024C Cond'l Public Recipient CN=S*
ZPCM024C LDAP FOUND
ZPCM024C Cond'l Public Recipient CN=B*
ZPCM024C LDAP FOUND
ZPCM024C --------------------------------
ZPCM025I Digital Certificates Found: 6
ZPCM025C PKWARE Test2;[email protected];
ZPCM025C PKWARE Test2;[email protected];
ZPCM025C Michael Burkard;[email protected];
ZPCM025C PKWARE TEST1;[email protected];
ZPCM025C Stewart T. Hamiel;[email protected];
ZPCM025C William Stackhouse;[email protected];
ZPCM025C --------------------------------
ZPAP900I NO API REQUIRED
ZPAM030I OUTPUT Archive opened: FPD.SEQ.ZIP
ZPCM017I A total of 1 ADD/UPDATE candidate file(s) were identified.
ZPCM100I Configuration Manager Shutdown. Posting Main Task: 00000000
ZPCO100I Compression Task { 5} TCB: 008D1A70 Started.
ZPAM253I ADDED File FPD.TEST.SEQ3
ZPAM254I as FPD/TEST/SEQ3
ZPAM255I (DEFLATED 78%/78%) SecureZIP(TM): BSAFE_AES128 ORIG. SIZE 216,800; ZIP SIZE 48,094
ZPAM140I FILES:    ADDED    EXCLUDED    BYPASSED    IN ERROR
ZPAM140I               1           0           0           0
ZPAM101I Archive Manager Task { 3} TCB: 008D1E88 shutdown begun.
ZPAM109I Archive Manager Task { 3} TCB: 008D1E88 shutdown complete.
ZPCO101I Compression Task { 5} TCB: 008D1A70 shutdown begun.
ZPCO109I Compression Task { 5} TCB: 008D1A70 shutdown complete.
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)
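A wildcard LDAP request such as CN=M* resolves to whatever certificates the directory returns at run time, so the ZPCM025C lines in the VERBOSE listing are the only record of who can decrypt the archive. The following is an added example, not part of the PKWARE guide or product: a Python check that reads a saved SYSPRINT listing and compares the resolved recipients and encryption method against an approved set. It assumes one message per line in the layout shown above; the sample listing, names, e-mail addresses and finding codes are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed SYSPRINT excerpt in the message layout shown in this guide.
# Names and e-mail addresses are placeholders; one message per line is assumed.
SAMPLE_LISTING = """\
ZPCM024I Digital Certificate Request List
ZPCM024C Cond'l Public Recipient CN=M*
ZPCM024C LDAP FOUND
ZPCM024C Cond'l Public Recipient CN=Joe Smith
ZPCM024C FILE NOT_FOUND
ZPCM024C --------------------------------
ZPCM025I Digital Certificates Found: 3
ZPCM025C PKWARE TEST1;test1@example.com;
ZPCM025C Mary Example;mary@example.com;
ZPCM025C Temp Contractor;temp@example.net;
ZPCM025C --------------------------------
ZPAM253I ADDED File FPD.TEST.SEQ3
ZPAM255I (DEFLATED 78%/78%) SecureZIP(TM): BSAFE_AES128 ORIG. SIZE 216,800; ZIP SIZE 48,094
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)
"""

REQUEST_RE = re.compile(r"^ZPCM024C\s+(Req'd|Cond'l)\s+(Public|Private)\s+Recipient\s+(\S.*?)\s*$")
STATUS_RE = re.compile(r"^ZPCM024C\s+(FILE|LDAP)\s+(NOT_FOUND|FOUND)\b")
COUNT_RE = re.compile(r"^ZPCM025I\s+Digital Certificates Found:\s*(\d+)")
CERT_RE = re.compile(r"^ZPCM025C\s+([^;]+);([^;]*);")
# Both ZPAM255I spellings that appear in the guide are accepted.
METHOD_RE = re.compile(r"^ZPAM255I\s.*SecureZIP\(TM\)(?::\s*|\s+ENCRYPTION:\s*)(\S+)")
RC_RE = re.compile(r"^ZPMT002I\s.*RC=\S+\s+(\d+)\(Dec\)")


@dataclass
class Listing:
    requests: list = field(default_factory=list)  # dicts: selector, source, status
    certs: list = field(default_factory=list)     # (common name, e-mail) tuples
    declared: Optional[int] = None                # count from ZPCM025I
    methods: set = field(default_factory=set)     # methods from ZPAM255I
    rc: Optional[int] = None                      # decimal RC from ZPMT002I


def parse_listing(text):
    out = Listing()
    for raw in text.splitlines():
        line = raw.strip()
        m = REQUEST_RE.match(line)
        if m:
            out.requests.append({"selector": m.group(3), "source": None, "status": None})
            continue
        m = STATUS_RE.match(line)
        if m and out.requests and out.requests[-1]["status"] is None:
            # A status line belongs to the request line printed just before it.
            out.requests[-1]["source"], out.requests[-1]["status"] = m.group(1), m.group(2)
            continue
        m = COUNT_RE.match(line)
        if m:
            out.declared = int(m.group(1))
            continue
        m = CERT_RE.match(line)
        if m:
            out.certs.append((m.group(1).strip(), m.group(2).strip()))
            continue
        m = METHOD_RE.match(line)
        if m:
            out.methods.add(m.group(1))
            continue
        m = RC_RE.match(line)
        if m:
            out.rc = int(m.group(1))
    return out


def audit(text, allowed_emails, approved_methods):
    """Return (code, detail) findings for one recipient-encrypted ZIP run."""
    rep = parse_listing(text)
    allowed = {e.lower() for e in allowed_emails}
    findings = []
    if rep.declared is None:
        findings.append(("NO_CERT_REPORT", "no ZPCM025I message; was -VERBOSE omitted?"))
    elif rep.declared != len(rep.certs):
        findings.append(("COUNT_MISMATCH", f"{rep.declared} declared, {len(rep.certs)} listed"))
    for req in rep.requests:
        if "*" in req["selector"]:
            findings.append(("WILDCARD_REQUEST", req["selector"]))
        if req["status"] != "FOUND":
            findings.append(("UNRESOLVED_REQUEST", req["selector"]))
    for name, email in rep.certs:
        if email.lower() not in allowed:
            findings.append(("UNAPPROVED_RECIPIENT", f"{name} <{email}>"))
    for method in sorted(rep.methods - set(approved_methods)):
        findings.append(("UNAPPROVED_METHOD", method))
    if rep.rc != 0:
        findings.append(("NONZERO_RC", str(rep.rc)))
    return findings


if __name__ == "__main__":
    approved = {"test1@example.com", "mary@example.com"}
    for code, detail in audit(SAMPLE_LISTING, approved, {"BSAFE_AES128", "BSAFE_AES256"}):
        print(f"{code}: {detail}")
```

A listing produced without VERBOSE carries no ZPCM024C/ZPCM025C messages, so the check reports NO_CERT_REPORT rather than passing silently.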

Selecting Filename Encryption

To encrypt file names when encrypting and adding files to an archive, use the FILENAME_ENCRYPTION command.

Panel Option “Z” - Selecting Filename Encryption

This panel appears when you have selected Encryption on the Zip panel. To add filename encryption, place a “Y” in that selection field.

+-----------------------------------------------------------------------------+
| SecureZIP Encryption                                                        |
| OPTION ===>                                                                 |
| More:                                                                       |
| Main Processing Options                                                     |
| Protection Mode    : RECIPIENTS    Password, Recipients, Combo              |
| Encryption Method  : BSAFE_AES128  / for selection list                     |
| Filename Encryption: Y             Y/N                                      |
| Certificate Report : Y             Y/N (Recipients shown in SYSPRINT)       |
|                                                                             |
| Password Section (For Protection Modes "Password" or "Combo")               |
|                                                                             |
| Enter Password below (up to 200 characters)                                 |
| ....5...10....5...20....5...30....5...40....5...50....5...60....5...70      |
|                                                                             |
|                                                                             |
|                                                                             |
| Re-enter Password to verify:                                                |
|                                                                             |
|                                                                             |
|                                                                             |
| ----------------------------------------------------------------------      |
| Recipient Section (For Protection Modes "Recipient" or "Combo")             |

Zip Compress File(s) to an Archive File (Option ‘Z’) Using Passwords

Below is the main ZIP compression panel. Here you place a “Y” in the Security required field.

SecureZIP ZIP Processing
Command ===>
Archive File Information:
   File Name : 'MAS1.TEMP.ZIP'
   File Type : 1 ( 1 = SEQ, 2 = PDS, 3 = VSAM, 4= PDSE)
   More Attributes : N ( Y - Yes, N - Take Defaults)
Zip file information:
   File to compress : 'MAS.TEST.SEQ'
   Zipped DSN :
   Format : ( B -Binary T -Text D -Detect BV -Binary-Variable)
   More Files : N ( Y - Enter additional file names, N - None)
Security options:
   Security required : Y ( Y - To Display Security Options Dialog)
Processing options:
   Simulation Mode : N ( Y - Test file selection, N - Normal Processing)
   Zip Function : U ( A - Add, F - Freshen, U - Update, D - Delete)
   Processing Mode : B ( F - Foreground, B - Batch)
   Batch JCL Status : C ( C - New Dataset, A - Add to existing Dataset)
   Advanced Options : N ( Y - Change Defaults, N - None)
Enter VIEW on command line to VIEW archive

SecureZIP Encryption

The next panel that appears when you select Encryption is a pop-up that allows you to select the encryption algorithm and various security modes. To select password-based encryption, place a “Y” in the Password protect field. Press “Enter” and a pop-up menu appears to allow you to type in the password. You must enter the password twice to validate that you entered it correctly.

PKZZ005 SecureZIP ZIP Processing
Command ===>
More:
Security options:
   Password protect : Y ( Y - Use Passwords)
                    : N ( Y - View typed pwd)
   Encryption:
      Algorithm : BSAFE_AES128 / for selection list
      Filename Encryption: N ( Y - Encrypt file names in the Archive)

SecureZIP Password Encryption
Command ==>
To encrypt file(s), enter a password and select an algorithm
Data Set Name: MAS.TEST.SEQ
Password (up to 200 characters):
....5...10....5...20....5...30....5...40....5...50....5...60....5...70

Re-enter password:

Press ENTER to continue, PF3 to terminate processing.

Entering PF8 will display the additional information listed below.

Cryptographic Algorithms

Placing a “/” in the Encryption Method field causes an additional panel to appear to allow you to select one of the Encryption Method options. Placing a “/” in the Select field next to the desired Encryption Method presents the panel below, which allows you to select an encryption method to use.

+----------------------------------------------------------------+
| SecureZIP Cryptographic Algorithm                              |
| COMMAND ===>                                  SCROLL ===> PAGE |
|                                                                |
| Enter a / by the desired Option Value and press ENTER          |
|                                                                |
| Select Option Value                                            |
| ------ ------------------------------------------------------  |
|        BSAFE_AES128                                            |
|        BSAFE_AES192                                            |
|        BSAFE_AES256                                            |
|        BSAFE_DES                                               |
|        BSAFE_3DES                                              |
|        BSAFE_RC4                                               |
|        AES128                                                  |
|        AES192                                                  |
|        AES256                                                  |
|        STANDARD                                                |
| *********************** Bottom of data *********************** |
+----------------------------------------------------------------+

When you press “Enter”, the original Zip panel reappears with the return code from SECZIP in the upper right hand corner.

SecureZIP for zSeries 8.1 Zip                               PKZIP Done: RC=0
Command ===>
Archive File Information:
   File Name : 'FPD.TEST600.ZIP'
   File Type : 1 ( 1 = SEQ, 2 = PDS, 3 = VSAM, 4= PDSE)
   More Attributes : N ( Y - Yes, N - Take Defaults)
Zip file information:
   File to compress : 'SECZIP.MVS.JCL'
   Zipped DSN :
   Encryption : Y ( Y - Encrypt files)
              : N ( Y - View typed password)
   Format : ( B -Binary T -Text D -Detect BV -Binary-Variable)
   More Files : N ( Y - Enter additional file names, N - None)
Security options:
   Security required : Y ( Y - To Display Security Options Dialog)
Processing options:
   Simulation Mode : N ( Y - Test file selection, N - Normal Processing)
   Zip Function : A ( A - Add, F - Freshen, U - Update, D - Delete)
   Processing Mode : F ( F - Foreground, B - Batch)
   Advanced Options : N ( Y - Change Defaults, N - None)
Enter VIEW on command line to VIEW archive
To EXIT Press PF3 or enter X                          For HELP Press PF1

If the “Batch” option is selected, the following JCL is generated for you to review and submit.

//JOBNAME JOB 'ACCOUNTING INFO',CLASS=A,REGION=8M,
// MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID
//ZIPIT EXEC PGM=SECZIP
//STEPLIB DD DISP=SHR,DSN=SECZIP.MVS.LOAD
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
* PANEL INPUT COMMANDS:
-PWD(| test)
-ENCRYPTION_METHOD(BSAFE_AES128)
-SIMULATE(Y)
-ARCHIVE_DSN(FPD.TEST600.ZIP)
-ARCHIVE_DSORG(PS)
-ACTION(ADD)
SECZIP.MVS.JCL
/*

Following is an output listing of a batch job submitted. The message ZPAM255I displays the encryption method used.

ZPGE001T ZIP STARTUP STORAGE QUERY: 24BIT= 8144K 31BIT= 32768K CACHE= 32768K
ZPLI001I SecureZIP(TM) for zSeries, Version 8.1 - 02/11/05 14.26
ZPLI001I Copyright 1989-2005 PKWARE Inc. All rights reserved.
ZPLI001I SecureZIP(TM) is a trademark of PKWARE (R), Inc.
ZPLI001I Registered, Processor Type=2066 Processor Group=00 Serial Number=
ZPLI001I OS Level: HBB7707 SP7.0.4
*PANEL INPUT COMMANDS:
-PASSWORD (**********)
-ENCRYPTION_METHOD(BSAFE_AES128)
-ARCHIVE_DSN(FPD.TEST600.ZIP)
-ARCHIVE_DSORG(PS)
-ACTION(ADD)
SECZIP.MVS.JCL
ZPAM030I OUTPUT Archive opened: FPD.TEST600.ZIP
ZPAM253I ADDED File SECZIP.MVS.JCL(ACZDFLT)
ZPAM254I as PKZIP/FPD/JCL/ACZDFLT
ZPAM255I (DEFLATED 73%/72%) SecureZIP(TM) ENCRYPTION:BSAFE_AES128 ORIG. SIZE 4,080; ZIP SIZE 1,126
ZPAM253I ADDED File SECZIP.MVS.JCL(ACZDFLTB)
ZPAM254I as PKZIP/FPD/JCL/ACZDFLTB
ZPAM255I (DEFLATED 73%/72%) SecureZIP(TM) ENCRYPTION:BSAFE_AES128 ORIG. SIZE 4,080; ZIP SIZE 1,126
ZPAM253I ADDED File SECZIP.MVS.JCL(AESASM)
ZPAM140I FILES:    ADDED    EXCLUDED    BYPASSED    IN ERROR
ZPAM140I             203           0           0           0
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)
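The generated JCL above carries the -PWD value in the SYSIN stream, while the job listing echoes -PASSWORD masked, so the saved JCL member is where the password is exposed. The following is an added example, not part of the PKWARE guide or product: a Python lint that scans SYSIN control cards for unmasked -PWD, -PASSWORD and PASSWORD= values, including commented-out cards, and reports line and length without echoing the secret. The sample stream and the value Constructed1 are constructed for illustration.

```python
import re

# Constructed SYSIN stream built from control cards that appear in this guide.
SAMPLE_SYSIN = """\
//SYSIN DD *
* PANEL INPUT COMMANDS:
-PWD(| test)
-ENCRYPTION_METHOD(BSAFE_AES128)
*-recipient(dsn://'PKZIP.IVP.CERT.ADMIN04.PFX',password=password)
-recipient(db:cn=PKWARE TEST1,R,PASSWORD=Constructed1)
-PASSWORD (**********)
-ARCHIVE_DSN(FPD.TEST600.ZIP)
/*
"""

# -PWD(...) and -PASSWORD(...) cards, with optional blanks before the parenthesis.
CARD_RE = re.compile(r"-(PWD|PASSWORD)\s*\(([^)]*)\)", re.IGNORECASE)
# PASSWORD=value operands, as used inside -RECIPIENT(...) for a private-key certificate.
KEYVAL_RE = re.compile(r"\bPASSWORD\s*=\s*([^,)\s]+)", re.IGNORECASE)


def find_cleartext_passwords(sysin):
    """Return one dict per unmasked password; the value itself is never returned."""
    hits = []

    def record(line_no, card, value, commented):
        value = value.strip()
        # Values made up only of '*' are the masked echo seen in job listings.
        if value and not set(value) <= {"*"}:
            hits.append({"line": line_no, "card": card,
                         "commented": commented, "length": len(value)})

    for line_no, raw in enumerate(sysin.splitlines(), 1):
        line = raw.strip()
        if line.startswith("//") or line == "/*":
            continue  # JCL statements and the in-stream delimiter, not control cards
        # A card disabled with a leading '*' still stores its password in the member.
        commented = line.startswith("*")
        for m in CARD_RE.finditer(line):
            record(line_no, "-" + m.group(1).upper(), m.group(2), commented)
        for m in KEYVAL_RE.finditer(line):
            record(line_no, "PASSWORD=", m.group(1), commented)
    return hits


if __name__ == "__main__":
    for hit in find_cleartext_passwords(SAMPLE_SYSIN):
        state = "commented-out" if hit["commented"] else "active"
        print(f"line {hit['line']}: {hit['card']} ({state}, {hit['length']} chars)")
```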

UNZip File(s) from an Archive (Option ‘U’) Using Recipients

Unzipping a recipient-encrypted archive file requires no changes on the Extract panel.

Previously, we described the placement of the pointer to the private-key certificate, used for decryption, in the Runtime Configuration panel.

SecureZIP Runtime Configuration
Option ===>
Certificate Store Settings ( ENTER to validate PF7/PF8 to scroll)
/ to Edit the configuration file
   Private-Cert> 'SECZIP.MVS.JCL(CERTPROF)'
   DB Profile  > 'SECZIP.MVS.JCL(CCFGFPD1)'
   LDAP Profile> 'SECZIP.MVS.JCL(LDAPFPD1)'
-------------------------------------------------------------------------------
***** Top of Data **************************************************************
Private-key Certificate Recipient(s):
=====================================
*---------------------------------------------------------------------*
* Profile SECZIP.MVS.JCL(CERTPROF)                                    *
*---------------------------------------------------------------------*
-recipient(db:cn=PKWARE TEST1,R,PASSWORD=xxxxxxxx)

Unzip Panel (Option ‘U’) Using Recipients

SecureZIP for zSeries uses the Private-Cert pointer to find and use your private certificate to do the decryption.

SecureZIP Extract Processing
Command ===>
Enter Archive from which file(s) are to be extracted:
   Archive Name . . . : 'FPD.SEQ.ZIP'
Enter Files to be extracted:
   File Selection . . :
   Rename to. . . . . :
   File Decryption. . : N ( Y - Enter password)
                      : N ( Y - View typed password)
   More Files . . . . : N ( Y - Enter additional file names, N - None)
Security options:
   Security required. : N ( Y - To Display Security Options Dialog)
Enter processing options:
   Simulation Mode. . : N ( Y - Test file selection, N - Normal Processing)
   Integrity Check. . : Y ( Y - Yes, N - No)
   Overwrite/Insert . : O ( O - Overwrite, I - Ins Mbr, OI - Both, N - None)
   Processing Mode. . : B ( F - Foreground, B - Batch)
   Batch JCL Status . : C ( C - New Dataset, A - Add to existing Dataset)
   Advanced Options . : N ( Y - Change Defaults, N - None)
   Preallocate file . : N ( Y - Prompt for allocation info, N -Use Defaults)
   File type : ( 1 - PDS, 2 - PS, 3 - VSAM, 4 - PDSE)
Enter VIEW in the command field to VIEW an archive
To EXIT Press PF3      Press ENTER to process      For HELP Press PF1

Unzip Output Using Recipients

Below is the output generated from the previous Unzip request.

ZPGE001T UNZIP STARTUP STORAGE QUERY: 24BIT= 8208K 31BIT= 32768K CACHE= 32768K
ZPLI001I SecureZIP(TM) for zSeries, Version 8.1 - 02/11/05 14.26
ZPLI001I Copyright 1989-2005 PKWARE Inc. All rights reserved.
ZPLI001I SecureZIP(TM) is a trademark of PKWARE (R), Inc.
ZPLI001I Registered, Processor Type=2066 Processor Group=00 Serial Number=
ZPLI001I OS Level: HBB7707 SP7.0.4
-INCLUDE_CMD=PKZIP.IVP.JCL(DEVCERT1)
-ECHO=N
* Configured Profile:
-INCLUDE_CMD(SECZIP.MVS.JCL(DBPROF))
*---------------------------------------------------------------------*
* PROFILE SECZIP.MVS.JCL(DBPROF)                                      *
*---------------------------------------------------------------------*
* DATABASE ACCESS CONTROL CARDS
-{CSPUB=4;1;SECZIP.CERTSTOR.PUBLIC}
-{CSPRVT=4;1;SECZIP.CERTSTOR.PRIVATE}
-{CSPUB_DBX=SECZIP.CERTSTOR.DBX}
-{CSPUB_DBX_PATH_CN=SECZIP.CERTSTOR.PATHCN}
-{CSPUB_DBX_PATH_EM=SECZIP.CERTSTOR.PATHEM}
-{CSPUB_DBX_PATH_PUBKEY=SECZIP.CERTSTOR.PATHPUBK}
* Configured Private-Key Recipients:
-INCLUDE_CMD(SECZIP.MVS.JCL(CERTPROF))
*---------------------------------------------------------------------*
* Profile SECZIP.MVS.JCL(certprof)                                    *
*---------------------------------------------------------------------*
-recipient(db:cn=PKWARE TEST1,R,PASSWORD=******)
*-recipient(dsn://'PKZIP.IVP.CERT.ADMIN04.PFX',password=password)
* Panel Commands:
-ACTION(TEST)
-SUPPRESS_DYNALLOC_MSGS
-TRACE_DYNALLOC(0)
-ARCHIVE_DSN(FPD.SEQ.ZIP)
-OUTFILE_OVERWRITE(Y)
ZPAM030I INPUT Archive opened: FPD.SEQ.ZIP
ZPEX001I tested okay FPD/TEST/SEQ3
ZPAM140I FILES:   TESTED    EXCLUDED    BYPASSED    IN ERROR
ZPAM140I               1           0           0           0
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)

View Display the Contents of an Archive File (Option ‘V’)

When a file has been encrypted, one of the following indicators describing the strength of encryption is displayed before the file name.

+ Password-only "Standard" (96-bit) encryption.

! Password-only (128-bit or above) encryption.

$ Recipient-only Digital Certificate encryption.

& Combination Password/Recipient encryption.

SecureZIP View Archive
Command ===>
Enter name of archive to be viewed:
   Archive Name : 'FPD.TEST.AUTH.ZIP'
   Filename Filter :
Security options:
   Security required : N ( Y - To Display Security Options Dialogue)
Enter VIEW Options:
   View Type . .: V ( V - View, D - Detail, B - Brief, S - Scan
   Sort Output : N ( Y - Yes, N - No)
   Sort Field . : ( D - Date, N - Name, O - Offset, P - Percent, S - Size)
   Sort Order . : ( A - Ascending, D - Descending)
   Processing Mode. : F ( F - Foreground, B - Batch)
   Batch JCL Status : C ( C - New Dataset, A - Add to existing Dataset)
Additional Commands:
To EXIT Press PF3                                     For HELP Press PF1

SecureZIP View Archive                                       Row 1 to 1 of 1
Command ===>                                                SCROLL ===> PAGE
Name of Archive : 'FPD.SEQ.ZIP'
Primary commands: LOCATE to position list or SORT to sort list.
Enter line command or '/' for list of valid line commands. Press PF1 for HELP.
Cmd File Name
    Zipped           Zipped Unzipped Comp  Type Volume(s) Message
    Date/Time        Size   Size     Ratio
    ---------------- ------ ------   ----- ---- -------
  $ FPD/TEST/SEQ3
    5/25/2004 11:16  47608  222.2K   78%   TEXT FPD002

View Detail Display

The View Detail option of the View panel describes the encryption algorithm used to encrypt, along with certificate information.

*********************************************************** Top of Data ***
ZPGE001T UNZIP STARTUP STORAGE QUERY: 24BIT= 5172K 31BIT= 28840K C
ZPLI001I SecureZIP(TM) for zSeries, Version 8.1 - 02/11/05 14.26
ZPLI001I Copyright 1989-2005 PKWARE Inc. All rights reserved.
ZPLI001I SecureZIP(TM) is a trademark of PKWARE (R), Inc.
ZPLI001I Registered, Processor Type=2066 Processor Group=00 Serial Number=
ZPLI001I OS Level: HBB7707 SP7.0.4
-INCLUDE_CMD=PKZIP.IVP.JCL(DEVCERT1)
-ECHO=N
-CALLMODE(ISPF)
-ARCHIVE_DSN(FPD.SEQ.ZIP)
-SUPPRESS_DYNALLOC_MSGS
-TRACE_DYNALLOC(0)
-ACTION(VIEWDETAIL)
-CALLMODE(ISPF)
-TRACEDALC0
-TRACE_DYNALLOC(0)
ZPAM030I INPUT Archive opened: FPD.SEQ.ZIP
ZPAM014I 1 file(s) are in the input Archive.
ZPAM012I ZIP comment: SecureZIP for zSeries by PKWARE
ZPAM013I ******************************************************************
ZPAM001I Filename: FPD/TEST/SEQ3
ZPAM002I File type: TEXT
ZPAM003I Date/Time: 25-MAY-2004 12:00:00
ZPAM004I Compression Method: Deflate- Super Fast
ZPAM005I Compressed Size: 47,608
ZPAM006I Uncompressed Size: 222,221
ZPAM007I 32-bit CRC: 213E63AC LHDR Offset: 0
ZPAM008I Created by: PK zSeries 8.1
ZPAM009I Needed to extract: ZipSpec 6.1
ZPAM010I Encryption: AES_128 Certificate Key BSAFE(R)
ZPAM301I File Type: NONVSAM SEQUENTIAL
ZPAM303I File Record Format: FB
ZPAM304I File Allocation Type: BLK
ZPAM305I File Primary Space Allocated: 48
ZPAM306I File Secondary Space Allocated: 10
ZPAM307I File Record Size: 80
ZPAM308I File Block Size: 6160
ZPAM309I File Volume(s) Used: FPD002
ZPAM310I File Creation Date: 2003/04/21
ZPAM311I File Referenced Date: 2004/05/25
ZPAM319I SMS Storage Class: PRIVATE
ZPAM320I 3 recipient(s) were designated:
ZPAM321I Recipient: PKWARE TEST1
ZPAM310I File Creation Date: 2003/04/21
ZPAM311I File Referenced Date: 2004/05/25
ZPAM319I SMS Storage Class: PRIVATE
ZPAM320I 3 recipient(s) were designated:
ZPAM321I Recipient: PKWARE TEST1
ZPAM322I Public Key Hash: 5D9E8B89B5948E9E853338A7250D64C5BED5E9E7
ZPAM323I Email: [email protected]
ZPAM324I Cert: //'SECZIP.MVS.CERTSTOR.PUBLIC(PK12003)'
ZPAM321I Recipient: PKWARE Test2
ZPAM322I Public Key Hash: 07E091CE30862B61663CF9D356863BF84D3DC8D5
ZPAM323I Email: [email protected]
ZPAM324I Cert: //'SECZIP.MVS.CERTSTOR.PUBLIC(PKT2004)'
ZPAM013I *********************************************************************
ZPAM140I FILES:   VIEWED    EXCLUDED    BYPASSED    IN ERROR
ZPAM140I               1           0           0           0
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)
********************************************************** Bottom of Data ****

Incorrect Password Use

The following four illustrations show what to expect if you enter an incorrect password. The third panel is a foreground execution of SECUNZIP. The upper right-hand corner contains the “Incorrect Password” message when the extraction fails. The fourth panel contains the output listing of a batch job with the message that the encrypted file has been skipped because of a missing or incorrect password.

Figure 1. Select the file to browse

SecureZIP View Archive                                     Row 1 to 7 of 203
Command ===>                                                SCROLL ===> PAGE
Name of Archive : 'FPD.TEST600.ZIP'
Primary commands: LOCATE to position list or SORT to sort list.
Enter line command or '/' for list of valid line commands. Press PF1 for HELP.
Cmd File Name
    Zipped           Zipped Unzipped Comp  Type Volume(s) Message
    Date/Time        Size   Size     Ratio
    ---------------- ------ ------   ----- ---- -------
b ! PKZIP/FPD/JCL/ACZDFLT
    2/11/2004 14:08  1126   4183     73%   TEXT FPD002
  ! PKZIP/FPD/JCL/ACZDFLTB
    2/11/2004 14:08  1126   4183     73%   TEXT FPD002
  ! PKZIP/FPD/JCL/AESASM
    2/11/2004 14:08  1110   3281     66%   TEXT FPD002
  ! PKZIP/FPD/JCL/AESASM2
    2/11/2004 14:08  1110   3281     66%   TEXT FPD002
  ! PKZIP/FPD/JCL/APIMJB1
    2/11/2004 14:08  502    1477     66%   TEXT FPD002
  ! PKZIP/FPD/JCL/ASMACTM
    2/11/2004 14:08  374    903      58%   TEXT FPD002
  ! PKZIP/FPD/JCL/ASMACTRT

Figure 2. Enter the password

SecureZIP View Archive                                    Row 1 to 7 of 203
---------------------------------------------------------------------------
              SECUREZIP for zSeries Encrypted File Password
  Command ==>

  File is encrypted. Enter password.

  Data Set Name:
  PKZIP/FPD/JCL/ACZDFLT

  Password (up to 200 characters):
  ....5...10....5...20....5...30....5...40....5...50....5...60....5...70


  Re-enter password:


  Press ENTER to continue.
  Press PF3 to terminate processing

---------------------------------------------------------------------------

Figure 3. Receive the error message and condition code if execution is in the Foreground.

SecureZIP for zSeries 8.1 View Arch                      Incorrect Password
Command ===>                                               SCROLL ===> PAGE
Name of Archive : 'FPD.TEST600.ZIP'
Primary commands: LOCATE to position list or SORT to sort list.
Enter line command or '/' for list of valid line commands. Press PF1 for HELP.
Cmd   File Name
      Zipped            Zipped  Unzipped  Comp   Type  Volume(s)  Message
      Date/Time         Size    Size      Ratio
      ----------------  ------  ------    -----  ----  -------
    ! PKZIP/FPD/JCL/AESASM2                                       Brw 4
      2/11/2004 14:08   1110    3281      66%    TEXT  FPD002
    ! PKZIP/FPD/JCL/APIMJB1
      2/11/2004 14:08   502     1477      66%    TEXT  FPD002
    ! PKZIP/FPD/JCL/ASMACTM
      2/11/2004 14:08   374     903       58%    TEXT  FPD002
    ! PKZIP/FPD/JCL/ASMACTRT
      2/11/2004 14:08   486     1067      54%    TEXT  FPD002
    ! PKZIP/FPD/JCL/ASMALL
      2/11/2004 14:08   5446    33867     83%    TEXT  FPD002
    ! PKZIP/FPD/JCL/ASMAMGR
      2/11/2004 14:08   438     1477      70%    TEXT  FPD002
    ! PKZIP/FPD/JCL/ASMAPI

Figure 4. Receive the error message ZPEX014W Encrypted file skipped. Password not provided or not valid in the batch job output listing.

*************************************** Top of Data *********************************
ZPLI001I SecureZIP(TM) for zSeries, Version 8.1 - 02/11/05 14.26
ZPLI001I Copyright 1989-2005 PKWARE Inc. All rights reserved.
ZPLI001I SecureZIP(TM) is a trademark of PKWARE (R), Inc.
ZPLI001I Registered, Processor Type=2066 Processor Group=00 Serial Number=
ZPLI001I OS Level: HBB7707 SP7.0.4
* PANEL COMMANDS:
-SIMULATE(Y)
-PASSWORD(**********)
-SUPPRESS_DYNALLOC_MSGS
-TRACE_DYNALLOC(0)
-ARCHIVE_DSN(FPD.TEST600.ZIP)
-OUTFILE_OVERWRITE(Y)
-UNZIPPED_DSN(**,FPDTST2)
PKZIP/FPD/JCL/AESASM2
-CALLMODE(ISPF)
ZPCM000I Simulation Mode has been selected for action EXTRACT
ZPAM030I INPUT Archive opened: FPD.TEST600.ZIP
ZPEX014W Encrypted file skipped. Password not provided or not valid.
ZPEX002I ........................................................................
ZPEX003I Extracted to FPDTST2(AESASM2)
ZPAM140I FILES:   EXTRACTED   EXCLUDED   BYPASSED   IN ERROR
ZPAM140I          1           0          0          0
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)
************************************ Bottom of Data **********************************
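A check that a scheduler step or reviewer could run over the Figure 4 listing, as an added example that is not part of the PKWARE guide: it splits the listing into messages and reports the run as not clean when ZPEX014W appears, even though the listing ends with RC=00000000. The message-id pattern, the hex reading of the RC= field and all function names are assumptions made for this sketch.

```python
import re

# Excerpt of the Figure 4 listing shown on this page, one message per line.
SAMPLE_LISTING = """\
ZPCM000I Simulation Mode has been selected for action EXTRACT
ZPAM030I INPUT Archive opened: FPD.TEST600.ZIP
ZPEX014W Encrypted file skipped. Password not provided or not valid.
ZPEX003I Extracted to FPDTST2(AESASM2)
ZPAM140I FILES: EXTRACTED EXCLUDED BYPASSED IN ERROR
ZPAM140I 1 0 0 0
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)
"""

# Assumption: a message id is "ZP" + two letters + three digits + one
# severity letter (the listings on this page show only I and W).
MSG_ID = re.compile(r"\b(ZP[A-Z]{2}\d{3})([A-Z])\b")
# Assumption: RC= carries eight hex digits, followed by the decimal value.
RC_FIELD = re.compile(r"RC=([0-9A-F]{8})\b")


def split_messages(listing):
    """Return (id, severity, text) tuples.

    Works on one-message-per-line listings and on listings whose line
    breaks were lost, because it cuts at message ids, not at newlines.
    """
    hits = list(MSG_ID.finditer(listing))
    messages = []
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(listing)
        text = " ".join(listing[hit.end():end].split())
        messages.append((hit.group(1), hit.group(2), text))
    return messages


def assess_listing(listing):
    """Summarise a listing; 'clean' requires RC=0 and no non-I messages."""
    messages = split_messages(listing)
    rc = None  # stays None when the ZPMT002I completion line is missing
    for msg_id, _sev, text in messages:
        if msg_id == "ZPMT002":
            found = RC_FIELD.search(text)
            if found:
                rc = int(found.group(1), 16)
    non_info = [(m + s, t) for m, s, t in messages if s != "I"]
    skipped = sum(1 for m, _s, _t in messages if m == "ZPEX014")
    return {
        "rc": rc,
        "skipped_encrypted": skipped,
        "non_info": non_info,
        "clean": rc == 0 and skipped == 0 and not non_info,
    }


if __name__ == "__main__":
    result = assess_listing(SAMPLE_LISTING)
    print("RC:", result["rc"])
    print("encrypted files skipped:", result["skipped_encrypted"])
    for msg_id, text in result["non_info"]:
        print("attention:", msg_id, text)
    print("clean run:", result["clean"])
```
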


7 File Selection and Name Processing

ZIP Processing File Selection

This chapter describes how to select files for ZIP processing with SecureZIP for zSeries. The chapter discusses the primary commands used, with notes and restrictions.

ZIP file directory entries in a ZIP archive are defined in a system-independent format that is compatible with UNIX systems and has been translated into the ASCII character set. Data set level separators are typically the forward slash (“/”), not the period (“.”) as in MVS (although this can be controlled through command actions in SecureZIP for zSeries).

Primary File Selection Inputs

Files that are candidates for ZIP processing are selected when input parameters are processed and the old archive directory (if any) is read. Consequently, data set selection is controlled by three input sources:

Selection Source                           Effective ACTION Processes
Cataloged Dataset name command requests.   ADD, UPDATE
INFILE command (JCL DD) requests.          ADD, UPDATE
Input ZIP archive files.                   UPDATE, FRESHEN

Data set names found with the inputs listed above are combined into a single list of candidate files to be processed in the compression phase. A data set is selected only once. The following sections describe file selection from each of the input sources.

Cataloged Dataset Name Filter Requests

Requesting a file (or set of files) for ZIP processing by data set name triggers a standard search of the system catalog structure to determine eligible file names. Both NONVSAM and VSAM CLUSTER entries are used to identify candidates.


With data set name masking, multiple data set names may be identified from the system catalog.

Also see: RECURSE_LEVELS and VSAM.

Exclusion Filters

When requesting data sets for ZIP processing through the catalog, it may be desirable to filter out categories of files. In addition to the data set name masking characters (?, *, and **), SecureZIP for zSeries provides the following commands to limit cataloged file selections:

Command                Description

EXCLUDE(dsname|mask)   Used to avoid selecting data sets based on the file name. Multiple EXCLUDE commands may be specified for an individual ZIP call.

SELECT_DSN_ALIAS(N)    Used to avoid selecting data sets based on a catalog ALIAS definition.

SELECT_TAPE(N)         Used to avoid processing tape files.

SELECT_VSAM(N)         Used to avoid processing VSAM Clusters (this does not affect the archive data set organization). The archive may be VSAM, while the clusters are excluded for ZIP processing.

SELECT_MIGRATED(N)     Used to avoid processing DISK files that have been migrated using a product such as IBM’s DFSMShsm. Files in this category are identified in the catalog as having a volume serial of “MIGRAT”.

SELECT_GDGALL          Used to allow SecureZIP for zSeries to select all generations of a generation data group, while SELECT_NOGDGALL disables this feature (these are synonyms for the GDGALL_SUPPORT(Y|N) command).

RECURSE_LEVELS(N)      Specifies that lower-level data set name masking is not desired.

INFILE DD Requests

When requesting a data set for inclusion in ZIP processing with INFILE (with an associated JCL DD statement), operating system allocation is performed before SecureZIP for zSeries execution begins.

JES2 SYSIN INFILE Support

JES2 SPOOLed input data is supported for input ZIP processing. By referencing a “//… DD *” statement with an INFILE command, the input stream is treated as a sequential file with DCB attributes of RECFM=FB, LRECL=80, and BLKSIZE=80. The filename generated is based on the DSN generated by the JES2 subsystem and is modified to end in “SYSIN”; for example, userid/jobname/JOBxxxxx/sysinfo/SYSIN. When performing a SECZIP operation against an existing archive, the DCB attributes (LRECL, BLKSIZE) are retained in the new archive unless explicitly overridden with new command values.

Note: When performing an EXTRACT of such a file, OUTFILE_… space allocation and volume information must be provided through the defaults module or command input stream since JES2 DD statements do not carry space attributes.

Input ZIP Archive Files

During an ACTION(FRESHEN) or ACTION(UPDATE) request, files contained within the old ZIP archive are added to the candidate list. Names as previously stored are used to search the system catalog for viability (any file names not found in the system catalog remain in the ZIP archive).

During an ACTION(COPY), only files within the input archive are candidates for copying to the new archive (which must be unique from the input archive).

File Selection Processing Notes

Files are not normally opened during the file selection phase of processing in order to streamline performance. However, some file characteristics are gathered for non-tape files at this time. PDS and PDSE data sets are opened so that their directory information can be reviewed and members identified for selection.

&SYSUID may be used in cataloged data set selection requests. Multiple components of SecureZIP for zSeries are used to process File Selection requests. Various informational messages can be obtained from these internal components by turning on various logging and trace elements in the command stream. PDS member name selection can be requested through INFILE command parameters, associated JCL DD member reference, or Data set name parameters.

• When an INFILE JCL DD specification is used and a member-name is coded in the JCL, it overrides any INFILE command parameters. (Only the member requested in the JCL is added to the selection list.)

• Dataset name command requests that also contain member request masks act in a cumulative fashion. All members from a PDS matching the requested masks are added to the candidate member list.

• When both INFILE and Dataset Name command requests are made with member names, the multiple requests are merged into a cumulative list, and only one copy of the member is processed.

• Because member name selections can also be placed on masked Dataset name requests (where more than one dataset is identified via a masked name), combinations of requests may result in different member-selection criteria for different datasets.

• Member selection requests are compiled into an internal table, which is later used to match against the list of members available from the PDS. PDS members are selected in alphanumeric order.


Cataloged Dataset Name and INFILE Request Restrictions

Cataloged data set command requests must begin with a fully qualified first level. For example, SYS1.** is valid, but SYS*.** is not.

Cataloged data set name requests depend on the accuracy of the system catalog structure under which SecureZIP for zSeries is executing. If a data set is cataloged, but does not exist on the cataloged device, an allocation error will occur later in processing.

INFILE(ddname) requests must accurately reflect the device and volume for the requested data set. “ddname” must be a fully-qualified DDname allocated to the job step (or TSO session).

INFILE requests that refer to a DD statement that is a concatenated set of data sets should have all files of the same DSORG and RECFM in accordance with OS/390 rules for concatenated data sets. The associated DD statement is opened with the DCB characteristics of the first file in the concatenation, and that file’s name represents the group for processing in the ZIP archive.

Data set ALIAS names may be used to identify candidate data sets. However, the system catalog structure is used to translate the ALIAS name to the true data set name for processing. When a data set name request is made, a message is issued to the output log indicating that an ALIAS to Truename translation has occurred. However, when an ALIAS name is used with an INFILE request, the operating system resolves the ALIAS entry to its associated Truename before program execution begins, and file selection only refers to the Truename as presented by OS/390.

Generation data sets (GDG) can be requested with a fully-qualified generation name, for example, “SYS1.BACKUP.G0020V00”; a relative generation level, for example, “SYS1.BACKUP(-1)”; or a GDG-base request. In all cases, identified candidates resolve to their fully qualified NONVSAM data set name, and each is processed as an independent entry.

• GDG-base selection only applies to ZIP processing at the time of the request in accordance with the current catalog structure.

• Relative generation selection is valid only with INFILE and JCL specifications.

• UNZIP processing requires selection according to fully qualified generation names.

When GDG-base names are used via data set name command requests, each current ASSOCIATION entry in the catalog will be used to identify individual NONVSAM entries, and each is processed as an independent entry. This differs from the way GDG-base names are handled when INFILE is used.

When an INFILE request is used in conjunction with a DD statement to reference a GDG-base, standard MVS expansion of the GDGALL name occurs. This results in all generations being treated as a concatenation group, with the latest generation name being assigned to the file. You must take care in handling the resultant ZIP file, since the data from one or more generations are included in the file. This differs from the way GDG-base names are handled when data set name requests are made.

VSAM files are supported at the CLUSTER level only. Individual DATA and INDEX COMPONENT names should not be requested.


ZIP File Names

The ZIP archive architecture describes files in an internal format that is comparable to the UNIX file naming standards. Each file is described within a ZIP archive central directory entry and is represented in ASCII. The format carries an inherent directory/sub-directory format (with “/” as the directory separator character).

MVS data set names are converted to the standard ZIP archive file directory format before they are stored. For example, the data set “SYS1.PARMLIB(CLOCK00)” will appear in a ZIP archive as “SYS1/PARMLIB/CLOCK00”. A browse of the file in HEX format shows the ASCII representation for the characters, not EBCDIC.

The following commands are used to control the file names being saved and restored during ZIP and UNZIP processing: (See the appropriate command section later in this manual for more detail).

Summary of Commands Affecting ZIP Filename

Process       Command                    Description

ZIP & UNZIP   TRANSLATE_TABLE_FILEINFO   EBCDIC <=> ASCII translate table

ZIP & UNZIP   ZIPPED_DSN_SEPARATOR       Default is “/” and replaces “.” in MVS DSNs, as well as separating a member name.

UNZIP         UNZIPPED_DSN               Allows the transformation of the internal ZIP Filename to an MVS standard name and allows the replacement of qualifiers during the process.

ZIP           ZIPPED_DSN                 Allows the transformation of the MVS DSN to an internal ZIP Filename.

ZIP           PATH                       Specifies whether the higher-level qualifiers should be stored as a directory pathname in the ZIP Filename.

UNZIP         HIERARCHY                  Determines what should be done with the hi-level qualifiers (directory path structure) of the ZIP Filename during the conversion process.

UNZIP         FILE_EXTENSION             Specifies what should be done with a low-level extension (such as .TXT) during an EXTRACT request.

ZIP & UNZIP   SIMULATE(Y)                Provides a means of running a simulation to determine what the resulting names will be.


Essentials for running SECZIP and SECUNZIP

SECZIP can perform various actions for the following commands:

[ADD | COPY | DELETE | FRESHEN | UPDATE | VIEW ]

The actions are described below. ADD is the default action if no action is specified.

Command   Description

ADD       Adds files that are not already present into a new or existing ZIP archive.

COPY      Copies a subset of an archive to a new archive.

DELETE    Deletes selected files from an existing ZIP archive.

FRESHEN   Updates existing files in an existing ZIP archive.

UPDATE    Adds new files to or updates existing files in an existing ZIP archive.

VIEW      Displays details of selected files in an existing ZIP archive.

Each of the actions requires a ZIP archive to process, so the ARCHIVE command (or ARCHIVE_OUTDD) must always be specified.

-ARCHIVE(<ZIP dataset name>)

-ARCHIVE_DSNAME (<ZIP dataset name>)

Finally, you must specify the data set(s) to be added, copied, deleted, freshened, updated, or viewed in the archive. You can do this using standard MVS data set naming. For example:

MY.INPUT.DATA.SEQ

This line identifies a single file that is to be processed by SECZIP.

SECUNZIP

For SECUNZIP to extract compressed data sets from a ZIP archive, SECUNZIP must be told three things:

• The action to perform.

• The archive from which the data sets are to be decompressed.

• The files that are to be extracted from the archive.

SECUNZIP can perform the following commands:

[ EXTRACT | TEST | VIEW ]

The commands are described below. EXTRACT is the default if no command is specified.


Command   Description

EXTRACT   Extracts selected files from an existing ZIP archive.

TEST      Deletes selected files from an existing ZIP archive.

VIEW      Displays details of selected files in an existing ZIP archive.

Each of the commands requires a ZIP archive to process, so the ARCHIVE command (or alternative) must always be specified.

-ARCHIVE(<ZIP dataset name>)

-ARCHIVE_DSNAME (<ZIP dataset name>)

Finally, if a subset of all files in the archive is to be processed, you must specify the data set(s) to be extracted, tested, or viewed. You can do this using standard MVS data set naming (See note below) or internal ZIP file naming conventions. For example:

MY.INPUT.DATA.SEQ

MY/INPUT/DATA/SEQ

The default is to select all files from the archive.

Note: To process an MVS DSN format for SECUNZIP selection, the name must readily match the internal zip name with the exception of the directory separators (such as substitutes for “/”), and the target MVS name must be acceptable to the operating system. (See OUTFILE_DD and UNZIPPED_DSN).


8 ZIP Files

Data Formats - Text or Binary

Data files are held within a ZIP archive in either text or binary format. Both formats are supported by ZIP-compatible products on other platforms; however, some restrictions apply to cross-platform use of the data. For example, workstation-based applications may not be able to process EBCDIC-based data that is commonly produced by S390 platforms.

Text data is represented by one of two character sets, EBCDIC or ASCII, in which individual alphanumeric characters are assigned an internal numeric code within the range of 0-255 (hexadecimal 00-FF). Although most of the same characters (for example, A-Z, a-z, 0-9) are contained in the EBCDIC and ASCII character sets, different code assignments are used for each. To preserve cross-platform compatibility of files containing only text characters, the DATA_TYPE(TEXT) or DATA_TYPE(DETECT) commands should be used. These commands direct SecureZIP for zSeries to translate EBCDIC characters into the ASCII character set (the standard set used by ZIP-compatible products).

The DATA_TYPE(BINARY) command directs SecureZIP for zSeries to bypass EBCDIC to ASCII character translation. This feature is useful when the file contains non-text data. (Warning: Binary fields may generate what appear to be record-delimited characters. Therefore, TEXT should not be used if binary data is present.) Note that a custom TRANSLATETABLE_DATA table can be built to substitute blanks for control characters (X’0D’ + ‘25’ EBCDIC or graphics or internal numeric representations; for example, packed, or binary numeric data), or if text-based data is to be extracted only to other EBCDIC based platforms.

All data within a file is treated the same during ZIP processing in accordance with the DATA_TYPE(TEXT) and DATA_TYPE(BINARY) commands. Care should be taken when zipping files that do not contain both text and binary data. Use of the DATA_TYPE(TEXT) command when binary data exists within the file will produce unpredictable results for fields containing binary data.

DATA_TYPE(BINARY) should be used to preserve data integrity; however, with this command, text data will not be translated into the ASCII format by UNZIP processing in a cross-platform environment.

As an advanced feature, DATA_TYPE(DETECT) is provided to instruct SecureZIP for zSeries to read a portion of data from the input file (in accordance with the DATATYPE_DETECT_DEPTH value) and scan it for non-translatable text characters using the active text translation table. If the number of translatable text characters (as specified by the DATATYPE_DETECT_TABLE) meets or exceeds the percentage specified by DATATYPE_TEXT_PERCENT, the file is treated as DATA_TYPE(TEXT). Otherwise, it is treated as if DATA_TYPE(BINARY) was used. As an exception to this rule, X’00’ (the NULL terminator character, which is commonly used in the C language) is allowed within the files. If it is unknown whether a file in the ZIP archive is text or binary, you may use the ACTION(VIEWDETAIL) command to examine the file attributes.

It is possible for members of the same PDS or PDSE to be treated differently when DATA_TYPE(DETECT) is used because of a varying mix of data. Each member is treated as an independent file during ZIP processing.

The command DATA_TYPE(DETECTX) is provided as an advanced feature to assist in identifying and translating text-based files for UNZIP processing. This is useful when the originating ZIP platform (typically a workstation) does not set the “text” indicator for the file in the archive.

Data Format - Text Records

In the context of ZIP archives, a “text file” is one that is stored in the ASCII format. A text file contains records of data, each separated by a delimiter to signify the end of the record.

Note: An EBCDIC file containing text information (such as source code) can be stored in its original format by using DATA_TYPE(BINARY), but it is not considered to be a “text” file within the ZIP architecture.

SecureZIP for zSeries uses the default delimiter CR-LF (x'0D0A') at the end of each text record. You may choose to use a different delimiter by using the DATA_DELIMITER command (or other characters as specified in the command set). At the end of each ZIP’d file is a file terminator. The default file terminator for SecureZIP for zSeries is Ctrl+Z (x'1A'). This file terminator can be changed by using the FILE_TERMINATOR command.

Note: The last record will have the data delimiter followed by the file terminator.

If you want the ZIPPED file to contain no data delimiters, you may specify CRLF(N) or DATA_DELIMITER(). If CR-LF is specified on ZIP, but CRLF(N) is specified on UNZIP, then SecureZIP for zSeries treats any x'0D0A' as data characters, translates them into the EBCDIC equivalent, and embeds them in the output file. Although it is possible to align fixed-length records in an output file without CR-LF (by using input and output files with identical record lengths), care must be taken when using CRLF(N) because DATA_DELIMITER is the only explicit mechanism available to determine record lengths for text files.

At the time of UNZIP file extraction, SecureZIP for zSeries changes text data from ASCII to EBCDIC by using a translation table. During installation, several translation tables are available, and the customizing process selects one as the default. Additional translation tables may be created through the customizing procedure.

Note that, during UNZIP processing, if the defined CR-LF character sequence (for example, x'0D0A') is not found in the scan of the first buffer of data, the SECUNZIP program attempts to locate a valid record terminator character to use throughout the extraction of that file.


Note: Unpredictable results may occur if a mix of the control characters X'0A', X'0D', or X'1A' are found in the input stream. SECZIP uses the first occurrence of one of these characters when automatic detection is used.

For example, in a ZIP archive brought from a standard UNIX platform, the record delimiter is saved as x'0A'. UNZIP processing dynamically re-defines the DATA_DELIMITER value for the remainder of that file. This is also useful if multiple ZIP Files are contained within the same archive and have differing record delimiters.

Situations may arise in unique platform interchanges or when working with text files from different countries when the default translation table is not adequate. You may select any available translation table by using the TRANSLATE_TABLE_DATA command.

Note: The SecureZIP for zSeries INSTLIB contains sample JCL and source members to assist in creating customized translate tables.

SecureZIP for zSeries extracts text records stored in the ZIP archive by examining the data for record delimiter and file terminator indicators. Using these indicators, SecureZIP for zSeries aligns records in accordance with the target file attributes.
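The text-record handling described in this section, as an added sketch that is not SecureZIP code: it strips the Ctrl+Z file terminator, uses CR-LF when it occurs in the first buffer, otherwise falls back to the first of X'0A', X'0D' or X'1A' it finds, and flags the mixed-control-character case the note above warns about. The cp037 codec stands in for the installed translation table, and the 4096-byte first buffer, blank padding to LRECL, the error on over-length records and all names are assumptions.

```python
CRLF, LF, CR, CTRL_Z = b"\r\n", b"\n", b"\r", b"\x1a"
EBCDIC = "cp037"          # assumption: stands in for the active translation table
EBCDIC_BLANK = b"\x40"    # EBCDIC space, used to pad fixed-length records


def detect_delimiter(data, configured=CRLF, first_buffer=4096):
    """Pick the record delimiter from the first buffer of ASCII text data."""
    head = data[:first_buffer]
    if configured and configured in head:
        return configured
    # Fall back to whichever control character occurs first.
    found = [(head.find(c), c) for c in (LF, CR, CTRL_Z) if c in head]
    return min(found)[1] if found else None


def extract_text_records(payload, lrecl=None, configured=CRLF):
    """Split an ASCII text payload into EBCDIC records.

    Returns the delimiter used, the translated records, and a flag that is
    True when a record still contains X'0A', X'0D' or X'1A' after the
    split (the "unpredictable results" case).
    """
    # The file terminator follows the last record's delimiter.
    body = payload[:-1] if payload.endswith(CTRL_Z) else payload
    delimiter = detect_delimiter(body, configured)
    if delimiter in (None, CTRL_Z):
        raw = [body] if body else []      # no usable record delimiter
    else:
        raw = body.split(delimiter)
        if raw[-1] == b"":                # last record ended with delimiter
            raw.pop()
    mixed = any(c in rec for rec in raw for c in (LF, CR, CTRL_Z))
    records = []
    for rec in raw:
        ebcdic = rec.decode("ascii").encode(EBCDIC)
        if lrecl is not None:
            if len(ebcdic) > lrecl:
                raise ValueError(f"record of {len(ebcdic)} bytes exceeds LRECL {lrecl}")
            ebcdic = ebcdic.ljust(lrecl, EBCDIC_BLANK)
        records.append(ebcdic)
    return {"delimiter": delimiter, "records": records, "mixed_controls": mixed}


if __name__ == "__main__":
    # Constructed payloads: default CR-LF with Ctrl+Z, UNIX-style, and mixed.
    for sample in (b"HELLO\r\nWORLD\r\n\x1a", b"line one\nline two\n", b"a\nb\rc\n"):
        out = extract_text_records(sample)
        print(sample, "->", out["delimiter"], len(out["records"]), out["mixed_controls"])
```
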

Data Format - Binary Records

Binary data is stored in the ZIP archive in its original format. Binary data may be graphics or numbers that are already in “computer format”; therefore, no translation is done. The length of binary records in UNZIP processing is determined in one of two ways:

• Fixed-length records: SecureZIP for zSeries automatically fills the available block according to the allocation specifications.

• Binary records of variable length: A Record Descriptor Word (RDW) is inserted with the SAVE_LRECL(Y) command. An indicator is tracked in the archive directory that instructs UNZIP processing to automatically use these lengths when extracting the file. Use of this feature is extremely important when processing binary data with varying-length records. Note that the record length is in little-Endian format within the archive, not S390 format.

File Attributes

Within the ZIP archive are two different directories providing information about the files held within the archive.

• A local directory included at the front of each file, with information pertaining to it—for example, file size and date ZIPPED.

• A central directory located at the end of the ZIP archive. The central directory lists the complete contents of the ZIP archive and is the primary source of information for controlling UNZIP processing.

SecureZIP for zSeries will optionally store extended attributes about the file that can be useful in re-creating the file during UNZIP processing. These attributes include items such as space allocation, maximum record size, data set organization (VSAM/PDS/SEQ, etc.).


Additionally, an optional sub-category of extended attributes is available. Extended attributes for NONVSAM files include record format, DSORG, LRECL, and block size. Extended attributes for VSAM files would include CLUSTER information. File attributes can be displayed by using the ACTION(VIEWDETAIL) command.

SecureZIP for zSeries enables you to store the extended attributes in the local directory, central directory (recommended), both, or neither. See Chapter 10 for the specific command for each of these options. Attributes held in the central directory are used by SECUNZIP.

Data Set Name Transformation

The ZIP Archive normally holds file information in a platform-independent directory structure. The default format of each ZIP file name looks very much like an ASCII UNIX directory structure. SecureZIP for zSeries performs a transformation between MVS data set names and ZIP file names during ZIP and UNZIP processing.

The default transformation involves translating MVS EBCDIC characters to/from ASCII in accordance with the translate table specified by the TRANSLATE_TABLE_FILEINFO setting, and altering data set node delimiters (“.” and “(“ for PDS member name designation) to slashes “/”. When a partitioned membername is specified, the trailing “)” is eliminated.

Additional controls are provided to permit renaming of file names during the transformation process. The ZIPPED_DSN command set assists the user in tailoring the filename built during ZIP processing. The UNZIPPED_DSN command and FILENAME_API (user exit program) assist the user in tailoring the MVS name to be used during UNZIP processing.
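The default transformation described above and under ZIP File Names, as an added sketch that is not SecureZIP code: one function maps an EBCDIC MVS name to the ASCII ZIP file name, and one maps a ZIP file name back to a dotted name, rejecting entries that could not be an acceptable MVS data set name. The cp037 codec stands in for the TRANSLATE_TABLE_FILEINFO table, the sample names are constructed, and all function names are assumptions.

```python
import re

# MVS naming rules used for validation: each qualifier is 1-8 characters,
# starts with a letter or national character (# @ $), and the whole data
# set name is at most 44 characters.
QUALIFIER = re.compile(r"[A-Z#@$][A-Z0-9#@$-]{0,7}")
MAX_DSN_LEN = 44
EBCDIC = "cp037"   # assumption: stands in for TRANSLATE_TABLE_FILEINFO


def mvs_to_zip_name(dsn_ebcdic, sep="/"):
    """EBCDIC 'SYS1.PARMLIB(CLOCK00)' -> ASCII b'SYS1/PARMLIB/CLOCK00'."""
    dsn = dsn_ebcdic.decode(EBCDIC)
    if "(" in dsn:
        if not dsn.endswith(")"):
            raise ValueError(f"unbalanced member reference in {dsn!r}")
        dsn = dsn[:-1]                      # the trailing ")" is eliminated
    # "." and "(" both become the separator
    return dsn.replace(".", sep).replace("(", sep).encode("ascii")


def zip_name_to_dsn(name_ascii, sep="/"):
    """ASCII ZIP file name -> dotted MVS-style name, or ValueError."""
    try:
        name = name_ascii.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("ZIP file name is not ASCII") from None
    parts = name.split(sep)
    for part in parts:
        if not QUALIFIER.fullmatch(part):
            raise ValueError(f"{part!r} is not a valid MVS qualifier")
    dsn = ".".join(parts)
    if len(dsn) > MAX_DSN_LEN:
        raise ValueError(f"name is {len(dsn)} characters, limit is {MAX_DSN_LEN}")
    return dsn


def check_archive_names(names, sep="/"):
    """Split a list of ZIP file names into accepted and rejected entries."""
    accepted, rejected = {}, {}
    for name in names:
        try:
            accepted[name] = zip_name_to_dsn(name, sep)
        except ValueError as err:
            rejected[name] = str(err)
    return accepted, rejected


# Constructed sample: two names from this guide plus names as they might
# arrive in an archive built on another platform.
SAMPLE_NAMES = [
    b"SYS1/PARMLIB/CLOCK00",
    b"MY/INPUT/DATA/SEQ",
    b"../../etc/passwd",
    b"docs/readme.txt",
    b"/ABS/PATH",
    b"A/VERYLONGQUALIFIER",
]

if __name__ == "__main__":
    ebcdic_name = "SYS1.PARMLIB(CLOCK00)".encode(EBCDIC)
    print(ebcdic_name.hex(), "->", mvs_to_zip_name(ebcdic_name).hex())
    ok, bad = check_archive_names(SAMPLE_NAMES)
    for name, dsn in ok.items():
        print("accept", name, "->", dsn)
    for name, why in bad.items():
        print("reject", name, ":", why)
```

Names rejected by the check are the ones that need an explicit UNZIPPED_DSN or FILE_EXTENSION decision before extraction; SIMULATE(Y) shows what the product itself would produce.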

Large File Considerations

It is best when using the ZIP process for large files to use half-track blocking for the ZIP archive (this is the default size employed by SecureZIP for zSeries). This method provides the best performance and makes the most efficient use of storage space for ZIP archives and ZIP temporary files. Use of other block sizes decreases the volume of data that can fit onto a single volume and affects performance.

A temporary work file may be created during the updating or reconfiguring of a file in the ZIP archive, depending on file size and available storage. This temporary file may or may not have the same storage attributes as the original file. The temporary file holds the updated form of the file in order to allow for the reformatting of the (new) ZIP archive. To preserve the integrity of the original archive in case of a failure, the old archive is preserved while a new archive is being built. Therefore, there must be enough space allowed to accommodate the size of the old archive, the temporary file, and the updated archive.

Determining File Size

Default space allocations may not be adequate when compressing large files. To calculate the space needed for the ZIP archive and the temporary files, the following proportions may be helpful:

ZIP archives - Primary: 25% (one-quarter) of the total size of the uncompressed file(s) (ARCHIVE_SPACE_PRIMARY command).


ZIP archives - Secondary: 10% (one-tenth) of the total size of the uncompressed file(s) (ARCHIVE_SPACE_SECONDARY command).

Temporary Files - Primary: 25% (one-quarter) of the size of the largest uncompressed file (TEMP_SPACE_PRIMARY command).

Temporary Files - Secondary: 10% (one-tenth) of the size of the largest uncompressed file (TEMP_SPACE_SECONDARY command).

If a tape-based archive is used, it is possible to use a temporary disk archive during processing (see STAGE_TAPE_ON_DISK command). The sizes used should correspond to those specified in the tape archive.


9 File Processing

File Support

SecureZIP for zSeries can support files of various formats—specifically: sequential files, PDS, or PDSE members, VSAM files, and magnetic tapes or cartridges. SecureZIP for zSeries has three possible applications for each file type:

• Compressing files of each format into a ZIP archive.

• Data from a ZIP archive may be extracted into each of these formats.

• A ZIP archive may be managed in each of these formats.

An overview of information regarding each file type is shown in the table below. Additional information that is required in working with each specific file type is detailed under the appropriate section later in this chapter.

In all cases, SecureZIP for zSeries will optionally save file type information during ZIP processing. This information may be used by ZIP-compatible products in applicable environments for an equivalent reconstruction of the file during UNZIP processing.


Supported Record Formats

  Sequential Files:
    Undefined: U
    Fixed: F, FA, FB, FM, FBA, FBM, FBS
    Variable: V, VA, VB, VM, VBA, VBM, VS, VBS (see Note)

  PDS or PDSE Members:
    Undefined: U
    Fixed: F, FA, FM, FBA, FBM
    Variable: V, VA, VB, VM, VBA, VBM, VS, VBS (see Note)

  VSAM Files:
    ESDS
    KSDS
    RRDS

  Magnetic Tapes/Cartridges:
    Same as sequential files for standard-label and non-label tapes.

Supported ZIP Archive Formats

  Sequential Files:
    Undefined: U
    Fixed: F, FB, FBS
    Variable: V, VB

  PDS or PDSE Members:
    Undefined: U
    Fixed: F, FB
    Variable: V, VB

  VSAM Files:
    ESDS

  Magnetic Tapes/Cartridges:
    See Magnetic Tapes/Cartridge section later in chapter.

File Selection Methods

  Sequential Files:
    File name
    File masks
    JCL DD cards
    ALIAS Path Name

  PDS or PDSE Members:
    File name
    File masks
    JCL DD cards

  VSAM Files:
    Cluster name
    Path name
    File masks
    JCL DD cards

  Magnetic Tapes/Cartridges:
    JCL DD cards (see DD commands used with sequential files).
    File names (limited to ZIP processing of cataloged tape files where mount authority is provided).

Note: Spanned Files: Spanned record support for binary files (DATA_TYPE=BINARY) will require the record length (SAVE_LRECL=Y). The maximum record length for a binary file is 32768, the maximum record length for a text file (DATA_TYPE=TEXT) is 32764. IEBCOPY unload files will require DATA_TYPE=BINARY and SAVE_LRECL=Y with a maximum supported record length of 32740.

IEBCOPY PDS UNLOAD REQUIRES THAT THE BLKSIZE OF THE PDSU DATASET (this is the output of the IEBCOPY unload) CAN NOT BE SMALLER THAN THE PDS BLKSIZE +20. THE LARGEST PDS BLKSIZE THAT CAN BE ACCOMMODATED WILL BE 32740. IF THIS IS EXCEEDED A S002 ABEND WILL OCCUR IN SECZIP.

Sequential Files

In this chapter, the term sequential file means an MVS NON-VSAM data set with DSORG=PS. This includes individual members of a GDG.

Compressing Sequential Files

Batch jobs may be submitted to process sequential files using JCL DD cards and/or by file selection specifications made with control statements. Use the INFILE command to reference a data set allocated to the job step with a JCL DD statement. This directs SecureZIP for zSeries to place the specified file into the archive. Multiple INFILE control statements may be used in a single execution. The files are selected for processing in the order specified by INFILE (not by the sequence of the JCL statements).

//MYFILE DD DISP=SHR,DSN=SYS1.PARMLIB(CLOCK00)
//SYSIN DD *
-ADD
-INFILE(MYFILE)
/*

Extracting Records into a Sequential File

The default extraction format is a sequential file with dynamic allocation (creation) of the file. When the output file is to be dynamically created by the unzip process, the OUTFILE space and attribute command settings are merged with any saved attribute information from the source archive to govern the dynamic allocation request.

When a target output file is already allocated to the system, unzip processing attempts to identify and use the pre-allocated DCB attributes for the file (either from the VTOC or JCL DD statement). If attributes are supplied in this manner, be certain to allocate the file with DCB attributes that are consistent with the data to be extracted. The saved file attributes in the source archive and command settings are ignored.

The OUTFILE_DD command may be used to reference a data set for extraction into a sequential file format.

//TARGET DD DISP=(NEW,CATLG),DSN=userid.MY.SEQUENTIAL,UNIT=SYSDA,
//         SPACE=(CYL,(1,1)),DCB=(RECFM=FB,LRECL=80,BLKSIZE=27920)
//SYSIN DD *
-EXTRACT
-OUTFILE_DD(TARGET)
-ARCHIVE(MY.ARCHIVE)
/*

Managing a Sequential File ZIP Archive

A new sequential archive may be created by use of the ARCHIVE_OUTFILE command with appropriate DCB information in the referenced JCL, or implicitly by specifying ARCHIVE_DSN(ZIP_name) with ARCHIVE_DSORG(PS).

//newarch DD DISP=(NEW,CATLG),DSN=userid.MY.ZIP,UNIT=SYSDA,
//         SPACE=(CYL,(1,1)),DCB=(RECFM=FB,LRECL=27998,BLKSIZE=27998)
//SYSIN DD *
-ADD
-ARCHIVE_OUTFILE(newarch)
userid.MY.JCL(*) <= file to be ZIP’d
hlq.*.ASM(*)

Additionally, an existing archive may be read by use of the ARCHIVE_INFILE command.

Processing GDGs

GDG members are generally treated as individual sequential data sets with their respective fully qualified names. With some restrictions, full GDGs and relative generations can be selected for ZIP processing.

The compression and extraction of GDGs (Generation Data Groups) present unique concerns. These are described in more detail in section “Cataloged Dataset Name and INFILE Request Restrictions” in Chapter 7.

File Concatenation for ZIP Processing

It is possible to use INFILE to concatenate multiple files of like attributes, for example, the same RECFM and LRECL. File types may include sequential files (DSORG=PS), fully qualified or relative generations of a GDG, or PDS/PDSE members.

Note that SecureZIP for zSeries processes the entire concatenation as one file stream and uses the first DSNAME in the concatenation sequence as its basis for saving file attributes in the ZIP archive.

PDS and PDSE Members

Partitioned data sets have a variety of unique characteristics and applications. For this reason, separate sections are dedicated to the following topics:

• Selecting PDS/PDSE members for compression.

• Extracting data into a PDS.

• Managing ZIP archives as PDS members.

• Load libraries.

Selecting PDS Members for Compression

SecureZIP for zSeries operates on individual PDS members as distinct file entities, although a complete PDS or subset of a PDS can be operated on through JCL and control card specifications.

Note: In this section, unless specified otherwise, the term PDS also applies to PDSE.

File Name or File Mask

SecureZIP for zSeries can compress a single PDS member, multiple PDS members, or all members of one or multiple PDS files by adapting the file selection name. Examples of these options are shown below.

//member1 DD DISP=SHR,DSN=SYS1.PARMLIB(CLOCK00)
//SYSIN DD *
-INFILE(member1)
SYS1.PARMLIB(CLOCK00) <= get a single member by catalog
SYS1.PARMLIB(CLOCK*) <= get all members starting with “CLOCK”
SYS1.PARMLIB or SYS1.PARMLIB(*) <= get all members
SYS1.PARMLIB(*00) <= all members suffixed with “00”
MY.PDS(A??SRC) <= any character in 2nd and 3rd positions

DD Statements

Batch jobs can be submitted to process PDS members using JCL DD cards. To process only one PDS member, the member name can be used as the file identifier. To process all members of a PDS, the PDS name can be used as the file identifier. To process several members, the INFILE command is used along with the selected member names, or a file mask can be used in place of specific member names.

//pds DD DISP=SHR,DSN=SYS1.PARMLIB
//SYSIN DD *
-INFILE(pds,CLOCK*,*00,MEMBER6) <= multiple INFILE statements may be used.

Extracting Data into a PDS

SecureZIP for zSeries allows you to extract files from an archive into either a new or existing PDS. A PDS member that has been compressed into the archive may be extracted into a different PDS. In this case, file attributes for the target PDS can be governed by pre-allocation, JCL, control cards, or extended attributes previously saved in the archive during ZIP processing.

When instructing unzip processing to dynamically create the target PDS, use OUTFILE_DSNTYPE(PDS) along with other OUTFILE space and attribute commands. The PDS name is governed by the use of UNZIPPED_DSN, FILE_EXTENSION, and HIERARCHY(N).

//SYSIN DD *
-ARCHIVE(my.zipfile)
-EXTRACT
-OUTFILE_DSNTYPE(PDS)
-OUTFILE_RECFM(FB)
-OUTFILE_LRECL(80)
-OUTFILE_BLKSIZE(27920)
-OUTFILE_SPACE_TYPE(CYLINDERS)
-OUTFILE_SPACE_PRIMARY(2)
-OUTFILE_SPACE_SECONDARY(1)
MY/PDS/MEMBER1 <= this is the archive filename selection to result in MY.PDS(MEMBER1)

When a target output file is already allocated to the system, unzip processing attempts to identify and use the pre-allocated DCB attributes for the file (either from the VTOC or JCL DD statement). In this case, be certain to allocate the file with DCB attributes that are consistent with the data to be extracted. The saved file attributes in the source archive and command settings are ignored. Unzip processing does not alter the existing DCB (LRECL or BLKSIZE) for an existing PDS or PDSE.

Managing ZIP Archives as PDS Members

SecureZIP for zSeries can maintain a ZIP archive as a PDS member using the ARCHIVE_DSN command along with the PDS and member name. When the archive is created as a member of an existing PDS, the attributes for the PDS are not altered.

Load Libraries

In most cases, load libraries are extracted only to another OS/390 platform; therefore, SecureZIP for zSeries is able to process either an individual member or an entire load library. The methods used vary, as described below.

Processing Individual Members

Each member of the PDS is maintained as an individual file in the ZIP archive. Both DATA_TYPE(BINARY) and RDW commands should be used to ensure data integrity. In addition to normal data storage, necessary load module directory information is saved in the extended attributes section of the archive directory. During extraction, any individual member can be selected for processing. When recreating the member on extraction, additional information (such as the TTR entry point) is translated by SecureZIP for zSeries to use when loading the file.

Load Module Control

Some information, for example, the NOTELIST used for overlay segments, is not retained in the archive. This may cause inaccuracies upon extraction, as that load module may not be properly restored. To avoid this problem, it is recommended that the load module be placed in a library by itself and that the file be extracted to a library that has the same blocksize, on the same device type, or use the process described below.

Processing Entire Load Library

If it is not necessary to select individual members for later extraction, or if the library contains overlay segments or other specialized load modules, an alternate method is recommended.

First, unload the PDS to a sequential file format supported by SecureZIP for zSeries (such as IEBCOPY, or the TSO command TRANSMIT, which can be run in batch). Then ZIP the sequential file using normal SecureZIP for zSeries processing. On extraction, SecureZIP for zSeries will recreate the sequential file, which can then be reloaded to the PDS with the utility used previously.

Although this method entails an extra step, it allows compression of the entire library, and there are no restrictions placed on individual members of the library.

See seczip.mvs.INSTLIB(IVPVSPAN) for a sample job stream.

VSAM Files

VSAM files are selected and allocated with the use of the IBM Access Method Services utility IDCAMS, as described in the IBM Access Method Services manual. A working knowledge of IDCAMS processing will enhance the effectiveness of managing VSAM data sets with SecureZIP for zSeries. Control statements and input file characteristics are used by SecureZIP for zSeries to internally generate Access Method Services control statements for dynamic calls to IDCAMS.

SecureZIP for zSeries makes use of Access Method Services User I/O Routines for SYSIN and SYSPRINT file requests. OEM products and/or Installation-written routines that modify standard IBM processing for these exits should not be active for SECZIP processing.


A sample JOB to demonstrate a ZIP and UNZIP of a VSAM KSDS to a VSAM archive can be found in seczip.mvs.INSTLIB(IVPVSAM).

Compressing a VSAM File

The cluster name is used when selecting a VSAM file for compression. Attempting to use only the data or index components of the file is likely to result in an unusable file. As with sequential and PDS files, either INFILE (with JCL) or file selection statements may be used to identify VSAM files for processing.

VSAM files often contain a mixture of text and binary data. Therefore, unless it is necessary to translate the data to ASCII, use both the DATA_TYPE(BINARY) and SAVE_LRECL commands.

During ZIP processing, SecureZIP for zSeries determines the type of VSAM file requested from the system catalog. Through the use of ATTRIB commands, this information can be retained in the ZIP archive for use during UNZIP processing to reconstruct the cluster.

VIEWDETAIL of a KSDS in an Archive

The following VIEWDETAIL shows the ZIP result of a KSDS file:

-ACTION(VIEWDETAIL)
ZPAM030I INPUT Archive opened: SECZIP.MVS.IVP.TEMP
ZPAM560I ARCHIVE FASTSEEK processing is disabled.
ZPAM014I 1 file(s) are in the input Archive.
ZPAM012I ZIP comment: SecureZIP for zSeries by PKWARE
ZPAM013I ******************************************************************
ZPAM001I Filename: RCE/MVS810/IVP/KSDS
ZPAM002I File type: BINARY SAVED_LRECL (RDW)
ZPAM003I Date/Time: 18-FEB-2005 08:48:00
ZPAM004I Compression Method: Deflate- Super Fast
ZPAM005I Compressed Size: 64
ZPAM006I Uncompressed Size: 252
ZPAM007I 32-bit CRC: 874B6B6A LHDR Offset: 0
ZPAM008I Created by: PK zSeries 8.1
ZPAM009I Needed to extract: ZipSpec 2.0
ZPAM301I File Type: VSAM
ZPAM307I File Record Size: 100
ZPAM308I File Block Size: 0
ZPAM309I File Volume(s) Used: SUP001
ZPAM331I VSAM Cluster Type: INDEXED
ZPAM331I VSAM Cluster Catalog Name: SYSC.USERCAT.VSYSVOL
ZPAM331I VSAM Cluster Erase: ERASE
ZPAM331I VSAM Cluster Format: INDEXED
ZPAM331I VSAM Cluster Free CI Space %: 33
ZPAM331I VSAM Cluster Free CA Space %: 10
ZPAM331I VSAM Cluster Imbed: NOIMBED
ZPAM331I VSAM Cluster Key Length: 19
ZPAM331I VSAM Cluster Key Position: 0
ZPAM331I VSAM Cluster Ordered: UNORDERED
ZPAM331I VSAM Cluster Avg. Record Size: 80
ZPAM331I VSAM Cluster Max. Record Size: 100
ZPAM331I VSAM Cluster Recovery/Speed: RECOVERY
ZPAM331I VSAM Cluster Replicate: NREPL
ZPAM331I VSAM Cluster Spanned: NONSPANNED
ZPAM332I VSAM Data Name: RCE.MVS810.IVP.KSDS.DATA
ZPAM332I VSAM Data Type Space: CYL
ZPAM332I VSAM Data Primary Space: 5
ZPAM332I VSAM Data Secondary Space: 2
ZPAM332I VSAM Data Buffer Space: 37376
ZPAM332I VSAM Data CI Size: 18432
ZPAM332I VSAM Data Reuse: REUSE
ZPAM332I VSAM Data Share Options: 1,3
ZPAM332I VSAM Data Volume: SUP001
ZPAM333I VSAM Index Name: RCE.MVS810.IVP.KSDS.INDEX
ZPAM333I VSAM Index Type Space: TRK
ZPAM333I VSAM Index Primary Space: 1
ZPAM333I VSAM Index Secondary Space: 1
ZPAM333I VSAM Index CI Size: 512
ZPAM333I VSAM Index Reuse: REUSE
ZPAM333I VSAM Index Share Options: 1,3
ZPAM333I VSAM Index Volume: SUP001
ZPAM013I ************************************************************************
ZPAM140I FILES: VIEWED EXCLUDED BYPASSED IN ERROR
ZPAM140I 1 0 0 0
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)
******************************** BOTTOM OF DATA *********************************

Extracting Data into a VSAM File

Before extracting data from a ZIP archive, it is helpful to be aware of what file name and file attributes are being stored for the compressed file. VIEWDETAIL can be used on the archive to verify this information. Unless SAVE_FILE_ATTRIBUTES(NONE) is specified, the SECZIP program saves the cluster definition information in the archive directory. When the SECUNZIP program is run to dynamically recreate the file during EXTRACT processing, it uses the stored file characteristics to define the cluster unless overridden in the control cards. (This includes volume information, so archives being transferred from one system to another, or being restored from an older environment, may require VSAM_DATA_VOLUMES override commands to avoid allocation problems to non-existent volumes.)

Take care when defining or overriding VSAM cluster specifications. Items such as MAX LRECL (the second parameter of VSAM_RECORDSIZE) must be correct in order for the SECZIP program to correctly UNZIP the data to the target cluster.

When extracting records for insertion into a VSAM cluster, the SECZIP program opens the cluster in Load-Mode and attempts a sequential insert strategy. However, if a record key is rejected by VSAM PUT because it is out of sequence, the SECZIP program changes to a direct-insert strategy for all subsequent records. This has two possible negative consequences:

• Performance may be severely impacted for large files

• Because VSAM handles CI and CA splits differently for direct inserts, the cluster may expand beyond anticipated space requirements, thereby requiring a subsequent re-org, or the extraction may fail due to space constraints

For these reasons, if a large file is being extracted to a keyed VSAM cluster and the source data is not known to be in key sequence, the following procedure is recommended:

1. Extract the file to a sequential dataset.

2. Sort the sequential file by the key field.

3. Use IDCAMS REPRO to load the target cluster.
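The check that decides whether this procedure is needed, as an added Python example (not part of the original guide or of SecureZIP): it finds the first record a sequential load would reject, comparing raw key bytes because a keyed cluster orders keys by byte value and EBCDIC collates differently from ASCII. The 20-byte record layout, the key position and length, and the sample keys are constructed assumptions.

```python
"""Pre-load key-sequence check for records bound for a keyed VSAM cluster."""
from typing import List, Optional, Sequence, Tuple


def key_of(record: bytes, key_pos: int, key_len: int) -> bytes:
    """Return the key field; key_pos is a zero-based offset, as in IDCAMS KEYS(length offset)."""
    if len(record) < key_pos + key_len:
        raise ValueError(f"record of {len(record)} bytes is too short to hold the key")
    return record[key_pos:key_pos + key_len]


def first_sequence_break(records: Sequence[bytes], key_pos: int,
                         key_len: int) -> Optional[Tuple[int, str]]:
    """Return (index, reason) for the first record that is not in strictly
    ascending key order, or None when the whole input is in key sequence."""
    previous = None
    for index, record in enumerate(records):
        key = key_of(record, key_pos, key_len)
        # bytes compare as unsigned values, left to right, which is the
        # ordering a keyed cluster applies to its keys.
        if previous is not None and key <= previous:
            reason = "duplicate key" if key == previous else "key out of sequence"
            return index, reason
        previous = key
    return None


def sort_for_load(records: Sequence[bytes], key_pos: int, key_len: int) -> List[bytes]:
    """Step 2 of the procedure: order records by raw key bytes.
    Duplicate keys cannot be fixed by sorting, so they are reported instead."""
    ordered = sorted(records, key=lambda r: key_of(r, key_pos, key_len))
    problem = first_sequence_break(ordered, key_pos, key_len)
    if problem is not None:
        raise ValueError(f"record {problem[0]} after sorting: {problem[1]}")
    return ordered


def make_records(keys: Sequence[str], codec: str, length: int = 20) -> List[bytes]:
    """Build constructed fixed-length sample records: key, then '.' padding."""
    return [key.ljust(length, ".").encode(codec) for key in keys]


# Constructed sample keys. In EBCDIC (cp037) letters sort before digits, so
# this list is already in key sequence; the same text in ASCII is not.
SAMPLE_KEYS = ["A001", "B002", "1003"]

if __name__ == "__main__":
    for codec in ("cp037", "ascii"):
        records = make_records(SAMPLE_KEYS, codec)
        print(codec, first_sequence_break(records, key_pos=0, key_len=4))
```

Run the check on the bytes exactly as they will be loaded: data that was sorted after translation to ASCII can still be out of sequence once it is back in EBCDIC.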

Standard VSAM PUTs are performed during UNZIP operations. VSAM operating characteristics and limitations will be encountered (such as found during IDCAMS REPRO processing). A common occurrence may be that the defined VSAM CLUSTER may not have sufficient space to load the data due to FREESPACE designations. SecureZIP for zSeries will report VSAM error and reason code information when these types of events occur.

To Overwrite a Current VSAM File

When extracting a compressed file to an existing VSAM file, it may be desirable to overwrite the existing file. Use the combined commands of OVERWRITE and VSAM_REUSE to cause the compressed file to replace the current file. File attributes are not changed when processing a file overwrite, so you must ensure the compatibility of the compressed file with the file being overwritten.

Note: In accordance with IBM’s rules for REUSABLE clusters, the target cluster must have been defined with the REUSE attribute, otherwise, the open for the file will terminate with the message “ZPFM071E VSAM OPEN Error 000000E8 for File(ddname) A(vsam_cluster_name).”

-ACTION(EXTRACT)
-OVERWRITE
-VSAM_REUSE(Y)
filename_to_be_restored

To Restore a Compressed VSAM File

SecureZIP for zSeries retains the attributes of a VSAM cluster in the ZIP archive unless otherwise specified. Upon extraction, the file attributes are used to recreate the VSAM file if there is not already an existing file. File attributes can be overridden during extraction by use of commands beginning with VSAM_, VSAM_DATA_, and VSAM_INDEX_ as appropriate.

To Create a New VSAM File

A VSAM file can be created from a ZIP file even though the file was not originally a VSAM file, or the file attributes were unknown. By using the MAKEVSAM command, along with any suitable VSAM_… commands, a new VSAM file is created with the appropriate VSAM file attributes.

Using a combination of archive file attributes, the ACZDFLT module defaults and any SYSIN command overrides, SecureZIP for zSeries generates command input to IDCAMS similar to the example below.

DEF CL(NAME(SECZIP.MVS.IVP.KSDS) INDEXED -
    BUFSP(37376) CISZ(18432) -
    ERASE FSPC(33 10) NONSPANNED REUSE NOWRITECHECK -
    RECSZ(80 100) SHR(1,3) -
    VOL(TSO001 -
    ) -
    NOIMBED NREPL RECOVERY -
    KEYS(10 4) -
    ) -
    DATA(NAME(SECZIP.MVS.IVP.KSDS.DATA) -
    CYL(5 2) ) -
    INDEX(NAME(SECZIP.MVS.IVP.KSDS.INDEX) -
    TRK(6 3) -
    CISZ(512) -
    )

Note: SecureZIP for zSeries may default selected commands from the ACZDFLT module, while IDCAMS may default some file attributes when they are not specified.

Managing a VSAM ZIP Archive

A VSAM ZIP archive supports the ESDS format. The ARCHDSORG(VS) command is used to create the archive. See seczip.mvs.INSTLIB(IVPVSAM) for an example of creating a VSAM archive.

Archive VSAM allocation specifications may be changed by using the ARCHIVE_… and VSAM_… commands. The Access Method Services section of the IBM Manual on the DEFINE CLUSTER command may be consulted for more information.

To Update a VSAM ESDS ZIP Archive

To update a VSAM ZIP archive, SecureZIP for zSeries creates a new ZIP archive and then deletes the previous archive. If either ARCHTO or ARCHFOR commands were used when the archive was originally created, a problem may occur during the deletion process, as the retention period for the VSAM ZIP archive may still be in operation.

To Process “Sparse” RRDS Files

SecureZIP for zSeries uses the same process as IDCAMS REPRO to process VSAM RRDS files that contain unused “slots.” In copying the RRDS to a sequential data set, the missing slots are treated as nonexistent. If an RRDS is later created, any missing slots are not included in the new file. As a result, the slot number of some of the copied records may be different from the original.

SecureZIP for zSeries correctly recreates only those RRDS files with no interspersed empty slots. Variable length and fixed length RRDS files are both processed with this constraint.

Unsupported File Types

SecureZIP for zSeries does not directly support alternate index files or paths. A VSAM alternate index can be managed in two ways.

One option (recommended) is to process the base cluster and recreate the alternate index at the time of extraction.

The other option is to copy the data to another supported data set type using the alternate index, and then compress the copy. On extraction, reverse the process. This approach maintains the data in the ZIP archive in the same order as it was contained in the alternate index.

Magnetic Tapes and Cartridges

SecureZIP for zSeries can process cataloged tape files using file names (as specified in the table at the beginning of this chapter) or a DD command. When an output file or a non-label tape file is defined by the DD command, it must include DCB information on the DD statement.

Copying a Tape-Based Archive to a Disk File

To enhance performance, SecureZIP for zSeries can use a temporary data set as an interim measure when reading a ZIP archive from an existing cartridge- or tape-based archive (governed by the STAGE_TAPE_ON_DISK(Y) command). This will be the normal method for reading a tape (3420).

TEMP commands are used to specify the size and format of the temporary data set. If default size options are chosen or if the ZIP archive is very large, it is possible that the temporary data set may not be large enough for the entire ZIP archive. This situation produces x37 abend errors, and invalidates the temporary data set, causing SecureZIP for zSeries to process the file directly.

Note: Specifically, “tape” refers to Magnetic Tape (3420 style) or Magnetic Cartridge (3480/3490 style). Unless differentiated in the context, the information in this chapter refers to both tape and cartridge.

The //ARCHTEMP DD is used for this procedure. Normally, SecureZIP for zSeries dynamically allocates this file; however, it is possible to allocate the DD statement directly in the JCL to provide manual control over the allocation of the staging file. Alternatively, the ARCHTEMP file may be allocated as a permanent data set. Using these techniques, the following additional benefits can be obtained:

• The permanently staged archive can be used as a backup copy, for example, to maintain GDGs of the archive in a “before” picture

• The disk-based archive is retained for subsequent processing runs

More information may be found in Chapter 10 in the section on the command STAGE_TAPE_ON_DISK.

Compressing Data from Tape

SecureZIP for zSeries processes cataloged standard-label tape files just like disk files (namely, either through data set selection control cards or DD statements with INFILE). However, the file attributes that are stored with the archive for the related file are limited to information such as LRECL, BLKSIZE, and RECFM. When extracting such files to disk, OUTFILE_ commands should be provided either by command or the defaults module to specify proper space allocation information.

The use of MULTI_THREAD_LIMIT(1) is required when there are multi-file tape data sets on one volume. For example, assume that there are the following files on tape cartridge ZIP000: ZIP.FILE.TEST1 with LABEL=1, ZIP.FILE.TEST2 with LABEL=2, and ZIP.FILE.TEST3 with LABEL=3. In order to compress these files you must specify MULTI_THREAD_LIMIT(1). If you do not, you will receive this DARC error:

Dynamic Allocation error (0220) for {ZIP.FILE.TEST2

DARC: Requested volume not available. Ref. IKJ56221I

Non-labeled Tapes (NL)

Non-label tapes do not contain DCB information that is necessary for SecureZIP for zSeries to process the compression (such as RECFM, LRECL, and BLKSIZE). This is not an issue when using standard-labeled tapes, as the information is coded in the label. It is imperative that the required information be included in the DD statement, as shown in the example below; otherwise standard system OPEN abends will result.

//TAPEIN DD DISP=OLD,DSN=my.tape.file,UNIT=TAPE,
//         DCB=(RECFM=FB,LRECL=80,BLKSIZE=32720),
//         LABEL=(1,NL)
//SYSIN DD *
-ARCHIVE(my.archive)
-INFILE(TAPEIN)

Restriction: Non-label (NL) tape data sets should not be selected via control cards, because the DCB information cannot be obtained for the file.

File Attributes

The minimal file attributes that are stored for tapes when compressed are DSORG, RECFM, LRECL, and BLKSIZE. These are apparent in the example of archive detail as shown below:

VIEWDETAIL Display

ZPAM012I ZIP comment: SecureZIP for zSeries by PKWARE Inc.
ZPAM013I **************************************************************
ZPAM001I Filename: userid/TEST/TAPE
ZPAM002I File type: TEXT
ZPAM003I Date/Time: 18-FEB-2005 08:48:00
ZPAM004I Compression Method: Deflate- Super Fast
ZPAM005I Compressed Size: 34
ZPAM006I Uncompressed Size: 247
ZPAM007I 32-bit CRC: 9EBBDFBB
ZPAM008I Created by: PK zSeries 8.1
ZPAM009I Needed to extract: ZipSpec 2.0
ZPAM301I File Type: NONVSAM SEQUENTIAL
ZPAM303I File Record Format: FB
ZPAM307I File Record Size: 80
ZPAM308I File Block Size: 6160
ZPAM309I File Volume(s) Used: SC0016
ZPAM310I File Creation Date: 2005/02/18
ZPAM311I File Referenced Date: 2005/02/18

Extracting Data onto Tape

SecureZIP for zSeries requires these steps to extract data onto tape.

• Specify the ZIP file to extract using an appropriate file selection

• Use a DD statement to specify the tape dataset you are extracting to, being sure to include DCB information.

• Use the OUTFILE command to extract the ZIP file onto the appropriate tape, as specified in the DD statement.

Restriction: Only one OUTDD statement can be used per job. It is recommended that data sets be extracted to tape one at a time.


Managing a ZIP Archive on Tape

SecureZIP for zSeries can read or write ZIP archives on tape. Use the ARCHIVE_INFILE and ARCHIVE_OUTFILE commands to specify the tape to be processed.

To Process Multiple-Volume Tape Archives

A tape archive contains information at the end of the tape that is necessary for SecureZIP for zSeries processing. SecureZIP for zSeries scans the tape until it finds the information and then returns to the beginning of the tape to begin processing. Because this necessitates accessing the tape at least twice, one of the following options should be considered to reduce the impact of the tape handling:

• Mount all the required tapes at once. This can be done by specifying the unit count parameter on the DD statement (keyword UNIT). For example, if two tape units are to be allocated, the DD statement would read UNIT=(TAPE,2), thus ensuring that both volumes of a 2-volume archive will be mounted.

• The UNIT= parameter for any tape file must match the devices defined for the local system. The systems programming staff at the installation should be contacted for information regarding these units and standards for use.

• Copy the tape archive to a disk file, and process the disk file instead of the tape.

• Use the TAPETODISK command of SecureZIP for zSeries to copy the archive to disk.

To Compress Data into a ZIP Archive on Tape

With the ARCHIVE_OUTFILE command, SecureZIP for zSeries compresses data into a ZIP archive residing on tape. Use a DD statement to specify the new tape-based archive data set and include necessary DCB information. The ARCHIVE_OUTFILE command replaces any ARCHIVE_… commands intended to dynamically create an archive, and directs SecureZIP for zSeries to create the ZIP archive on the tape data set as specified by the name in the DD statement.

//ARCHOUT DD DSN=hlq.archive.zip,UNIT=tape1,DISP=(NEW,CATLG),
//         DCB=(RECFM=FB,LRECL=32760,BLKSIZE=32760),LABEL=(1,SL)
//SYSIN DD *
-ARCHIVE_OUTFILE(ARCHOUT)

1 Reference PKZIP Support Notice #13 02/16/2001 regarding LINUX target system support files ld.so-1.9.5-13.i386.rpm and libc-5.3.12-31.i386.rpm.

To View a Tape-Based Archive

Tape-based archives may be viewed in the same way as disk-based archives. You can use either a DD statement referenced by ARCHIVE_INFILE (with appropriate DCB information if the tape file is non-label) or a cataloged standard-label tape referenced by the ARCHIVE command.

Restriction: Some data centers do not allow dynamic allocation of tape data sets. In this case, use ARCHIVE_INFILE with a DD statement.


Processing Hint: If you intend to VIEW the archive and later process it for extraction, you may save the time of re-processing the tape volume(s) by specifying STAGE_TAPE_TO_DISK with an //ARCHTEMP DD statement to direct the SECUNZIP program to create a disk copy of the archive for subsequent processing. The disk archive can then be used for the EXTRACT (or further VIEWing with ISPF).

//ARCHTEMP DD DSN=permanent_dsn,DISP=(NEW,CATLG),UNIT=disk_device

The sample JCL below demonstrates the creation of a ZIP archive on tape, followed by a step to view the cataloged tape data set.

//ZIPIT EXEC PGM=SECZIP
//SYSPRINT DD SYSOUT=*
//ARCHOUT DD DSN=&SYSUID..TAPE.ZIP,
//         DISP=(NEW,CATLG),
//         UNIT=(3490,,DEFER),
//         LABEL=(1,SL),
//         DCB=(RECFM=FB,LRECL=32760,BLKSIZE=32760)
//SYSIN DD *
-ARCHIVE_OUTFILE(ARCHOUT)
-ACTION(ADD)
SECZIP.MVS.INSTLIB(DATASEQ1)
/*
//VIEWIT EXEC PGM=SECUNZIP
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
-ARCHIVE(&SYSUID.TAPE.ZIP)
-ACTION(VIEW)
/*

To Extract Data from a Tape-Based Archive

A tape-based archive can be specified via ARCHIVE_INFILE (along with necessary DCB information on the associated DD statement for a non-label data set) or with ARCHIVE for a cataloged standard-label data set.

Performance note: Processing a tape-based archive may be faster when specifying STAGE_TAPE_TO_DISK(Y). The reasons are as follows:

• The architecture of a ZIP archive (on all platforms for all PKZIP 5.x products and newer) has the central file directory at the back of the archive. This is also where some important file information is kept (such as whether the file is text needing translation, or binary). Therefore, the SECUNZIP program must read the back of the archive before scheduling the processing of the files, and then rewind and read from the beginning.

• Because of the serial nature of the tape media, only one task can be used to EXTRACT the data. When many non-partitioned files are being selected for processing, multi-tasking may be beneficial with a disk-based archive.
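The archive layout behind the first point, as an added Python example (not code from the guide or from SecureZIP): it builds a small constructed archive in memory, then reads it the way an extractor must, seeking to the tail for the end-of-central-directory record before any entry can be interpreted. It uses the ZIP format's standard text indicator (bit 0 of the internal file attributes), which is stored only in the central directory; the entry names and contents are constructed, and ZIP64 and SecureZIP's own extended attributes are not modeled.

```python
"""Read a ZIP archive's directory from the tail, as a tape reader has to."""
import io
import struct
import zipfile
from dataclasses import dataclass
from typing import BinaryIO, List, Tuple

EOCD_SIG = b"PK\x05\x06"                  # end-of-central-directory signature
CDH_SIG = b"PK\x01\x02"                   # central directory file header signature
EOCD = struct.Struct("<4s4H2LH")          # 22-byte end-of-central-directory record
CDH = struct.Struct("<4s6H3L5H2L")        # 46-byte fixed part of a directory header
MAX_TAIL = EOCD.size + 0xFFFF             # EOCD plus the longest possible comment


@dataclass
class Entry:
    name: str
    is_text: bool        # internal file attributes, bit 0
    local_offset: int    # where the entry's local header and data start


def build_sample_archive() -> bytes:
    """Constructed two-entry archive: one entry flagged as text, one binary."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        text = zipfile.ZipInfo("MY/PDS/MEMBER1")
        text.internal_attr = 1            # mark as text in the central directory
        archive.writestr(text, "//SAMPLE JOB CARD\n" * 50,
                         compress_type=zipfile.ZIP_DEFLATED)
        archive.writestr(zipfile.ZipInfo("MY/LOAD/MODULE"), bytes(range(256)) * 4,
                         compress_type=zipfile.ZIP_DEFLATED)
    return buffer.getvalue()


def read_directory(handle: BinaryIO) -> Tuple[int, List[Entry]]:
    """Return (central directory offset, entries). Pass 1 goes to the end of
    the medium; only then are the offsets of the file data known (pass 2)."""
    handle.seek(0, io.SEEK_END)
    size = handle.tell()
    tail_len = min(size, MAX_TAIL)
    handle.seek(size - tail_len)
    tail = handle.read(tail_len)
    pos = tail.rfind(EOCD_SIG)
    if pos < 0 or pos + EOCD.size > len(tail):
        raise ValueError("no end-of-central-directory record found")
    _, _, _, _, total, cd_size, cd_offset, _ = EOCD.unpack_from(tail, pos)
    if cd_offset + cd_size > size:
        raise ValueError("central directory lies outside the archive")

    handle.seek(cd_offset)
    directory = handle.read(cd_size)
    entries, at = [], 0
    for _ in range(total):
        fields = CDH.unpack_from(directory, at)
        if fields[0] != CDH_SIG:
            raise ValueError("corrupt central directory header")
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        internal_attr, local_offset = fields[14], fields[16]
        start = at + CDH.size
        name = directory[start:start + name_len].decode("cp437")
        entries.append(Entry(name, bool(internal_attr & 1), local_offset))
        at = start + name_len + extra_len + comment_len
    return cd_offset, entries


if __name__ == "__main__":
    data = build_sample_archive()
    offset, listing = read_directory(io.BytesIO(data))
    print(f"archive is {len(data)} bytes; directory starts at byte {offset}")
    for entry in listing:
        kind = "text" if entry.is_text else "binary"
        print(f"{entry.name}: {kind}, data begins at byte {entry.local_offset}")
```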

To Update Files in a Tape-Based Archive

SecureZIP for zSeries requires the use of a new tape to update files residing on a tape-based archive. For this, ARCHIVE_INFILE and ARCHIVE_OUTFILE must be used. The input and output archives do not need to both be of the same media type (one may be disk and the other tape).

10 Commands

This chapter describes the commands used by the SecureZIP for zSeries programs.

SecureZIP for zSeries can perform various actions in conjunction with the use of the following commands and modifiers:

[–ACTION(ADD|COPY|DELETE|EXTRACT|FRESHEN|UPDATE|VIEW)]

ACTION(ADD) is the default action for ZIP processing, and ACTION(EXTRACT) is the default for UNZIP if none of the above actions is explicitly specified. The actions ADD, COPY, DELETE, FRESHEN, and UPDATE all make logical changes to an archive, while EXTRACT and VIEW only read an existing archive.

Each of the actions requires a ZIP archive to process, so the following commands must always be specified:

–ARCHIVE_DSN(<ZIP dataset name>) –ARCHIVE_INFILE(dd_name)

For details on how to input commands for processing by SecureZIP for zSeries—for example, SYSIN, PARM parameters, and so on—refer to the section “Command Details,” later in this chapter.

Command Syntax

• Command strings and filenames are identified with either a blank or a semi-colon “;” delimiter.

• Non-blank characters found in a command buffer that are not identified as a command or comment are treated as a filename selection.

• Comments are currently supported when column 1 of an input buffer is an asterisk “*”. Commands are identified by a hyphen “–” either in the first column of a non-continued line, or immediately following a blank or semi-colon. Unpredictable results will occur when unidentified characters are found in the input stream (depending on their location in the command structure).

• Command names are accepted in mixed case.


• Command values which have specifically listed options are translated to upper case to facilitate case-insensitive coding.

• Only selected command values which are free-form in nature—for example, MVS file names—are translated to upper case. Others—for example, internal ZIP filenames—retain case sensitivity.

• Filename selections are case-sensitive.

File Selections vs. Commands

A SecureZIP for zSeries command is indicated by placing a “–” (hyphen) character in front of a valid command string. If no “–” character is found at the start of a sequence of characters, the characters are interpreted to be part of a file selection for ZIP or UNZIP processing.

When selecting files for SECUNZIP processing, keep in mind that, due to the heterogeneous nature of ZIP archives, filenames are handled with mixed case. This means that filename selection statements should be coded to match the filename exactly.

When selecting files for SECUNZIP processing, quote (") delimiters are required when there is an embedded blank in the filename to be selected. For example:

"My Documents/readme.txt"

Quote delimiters can also be used when a filename begins with a hyphen (-), to avoid confusion with command syntax.

If no file selection is specified for ZIP processing, the SECZIP program assumes that there are no files to be added or updated and outputs an error message. The SECUNZIP program assumes that all files in the archive are to be processed.

&SYSUID

When specifying data set names in commands or filename specifications within the command input stream, the reserved word &SYSUID can be used to represent the 1-7 character user name that the operating system supplies in the address space control block extension for the execution. SecureZIP for zSeries performs the substitution in the command string before continuing processing. By using this command notation, a generic set of commands can be set up to perform archiving operations for various users.

-ARCHIVE_DSN(&SYSUID.MY.ZIPS(SOURCE)) &SYSUID.MY.COBOL(*)
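The rules in the Command Syntax, File Selections vs. Commands, and &SYSUID sections can be exercised with a small checker that classifies each token of a command stream before a job is submitted. The Python below is an added example, not PKWARE code: the function names, the sample input and the user name USER1 are constructed, the known-command set is only a handful of names that appear in this guide, and line continuation is not modelled.

```python
from typing import List, Optional, Tuple

Item = Tuple[str, str, Optional[str]]   # (kind, name_or_filename, value)

# Assumption: a small subset of command names taken from this guide, used only
# to flag hyphen-led tokens that are probably unquoted filenames.
KNOWN = {"ACTION", "ARCHIVE", "ARCHIVE_DSN", "ARCHIVE_INFILE", "ARCHIVE_OUTFILE"}


def substitute_sysuid(text: str, userid: str) -> str:
    """Replace the reserved word &SYSUID with the 1-7 character user name."""
    if not 1 <= len(userid) <= 7:
        raise ValueError("user name must be 1-7 characters")
    return text.replace("&SYSUID", userid)


def split_tokens(line: str) -> List[Tuple[str, bool]]:
    """Split on blank or ';' delimiters, keeping "..." quoted text together.

    Returns (text, was_quoted) pairs; the quote characters are dropped.
    """
    tokens: List[Tuple[str, bool]] = []
    buf: List[str] = []
    quoted = False      # token contained a quoted part
    in_quote = False    # currently between quote delimiters
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
            quoted = True
        elif ch in " ;" and not in_quote:
            if buf or quoted:
                tokens.append(("".join(buf), quoted))
            buf, quoted = [], False
        else:
            buf.append(ch)
    if in_quote:
        raise ValueError("unterminated quote delimiter")
    if buf or quoted:
        tokens.append(("".join(buf), quoted))
    return tokens


def parse_stream(lines: List[str], userid: str) -> List[Item]:
    """Classify every token as a command or a file selection."""
    items: List[Item] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if line.startswith("*"):            # comment: asterisk in column 1
            continue
        line = substitute_sysuid(line, userid)   # done before further parsing
        for text, quoted in split_tokens(line):
            # The guide prints the command hyphen as an en dash; input streams
            # such as the JCL samples use the plain "-" tested here.
            if text.startswith("-") and not quoted:
                name, sep, rest = text[1:].partition("(")
                value = None
                if sep:                      # strip only the outer parenthesis
                    value = rest[:-1] if rest.endswith(")") else rest
                # Command names are accepted in mixed case; values are left as
                # typed because their case handling depends on the command.
                items.append(("command", name.upper(), value))
            else:
                items.append(("file", text, None))   # case-sensitive selection
    return items


def unknown_commands(items: List[Item]) -> List[str]:
    """Hyphen-led tokens whose name is not in KNOWN (likely unquoted filenames)."""
    return [name for kind, name, _ in items if kind == "command" and name not in KNOWN]


# Constructed sample input, not taken from the guide.
SAMPLE = [
    "* comment line, ignored",
    "-archive_dsn(&SYSUID.MY.ZIPS(SOURCE));-Action(View)",
    '"My Documents/readme.txt" My Documents/readme.txt',
    '"-notes.txt" -notes.txt',
]

if __name__ == "__main__":
    parsed = parse_stream(SAMPLE, "USER1")
    for item in parsed:
        print(item)
    print("check these tokens:", unknown_commands(parsed))
```

The unquoted `My Documents/readme.txt` splits into two file selections and the unquoted `-notes.txt` is read as a command, which is why the guide calls for quote delimiters in both cases.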

Summary of Available Commands

The commands listed below are available in both the SECZIP and SECUNZIP programs. Information specific to individual commands appears later in this chapter, in the section “Command Details.”


COMMAND DESCRIPTION SECZIP SECUNZIP

<dataset name> Defines the name of a member that should be added to, updated in, or deleted from a compressed ZIP archive. Wildcards can be used to specify generic names.

• •

–ACTION ADD - Used to add files that are not already present in the ZIP archive. This is the default action for the SECZIP program (SECZIP default).

COPY - Used to create a subset Archive from files contained in an existing archive.

DELETE - Specifies that selected files be deleted from the old ZIP archive.

EXTRACT - Specifies that selected files be extracted from the ZIP archive. (SECUNZIP program default).

FRESHEN - Specifies that selected files be updated in the old ZIP archive.

TEST - Specifies that the ZIP archive files be tested for integrity.

UPDATE - Used to update files that are already in the ZIP archive or to add files that are not already present in the ZIP archive.

VIEW - Output details of the files selected from the ZIP archive to the SYSPRINT dataset.

• •

–ARCHIVE_BLKSIZE Specifies the block size for a new or updated ZIP archive.

–ARCHIVE_COMMENT Allows a comment of up to 255 characters to be specified and saved in the archive central directory.

–ARCHIVE_DATACLASS Specifies the DF/SMS data class for a new or updated ZIP archive.

–ARCHIVE_DIR_BLOCKS Specifies the directory block amount for a new ZIP archive.

–ARCHIVE_DSN Specifies the archive to be read (and updated) by ZIP processing.

• •

–ARCHIVE_DSORG Specifies the dataset organization for a new or updated ZIP archive.

–ARCHIVE_FASTSEEK Performance improvement for archive read access.

• •

–ARCHIVE_INFILE Specifies the DDname that references a ZIP archive to be read in by the SECZIP program.

• •

–ARCHIVE_LRECL Specifies the logical record length for a new or updated ZIP archive.

–ARCHIVE_MGMTCLASS Specifies the DF/SMS management class to be used for a new or updated ZIP archive.


–ARCHIVE_OUTFILE Specifies a DD statement describing the archive to output to by ZIP processing. •

–ARCHIVE_RECFM Specifies the record format of a new or updated ZIP archive.

–ARCHIVE_SPACE_MULTIVOL Control multi-volume allocation of the archive data set.

–ARCHIVE_SPACE_PRIMARY Specify the number of allocation units in the primary extent of a new or updated ZIP archive.

–ARCHIVE_SPACE_RLSE Specifies whether free space should be released when the ZIP archive is de-allocated.

–ARCHIVE_SPACE_SECONDARY Specifies the number of allocation units in the secondary extent of a new or updated ZIP archive.

–ARCHIVE_SPACE_TYPE Specifies how space is to be allocated for a new or updated ZIP archive.

–ARCHIVE_STORCLASS Specifies the DF/SMS storage class for a new or updated ZIP archive.

–ARCHIVE_TIMESTAMP Specifies which Date/Time option to use in setting the timestamp of a created ZIP file.

–ARCHIVE_UNIT Specifies the generic unit for allocation of a new or updated ZIP file.

–ARCHIVE_VOLUMES Specifies the volume(s) for allocation of a new or updated ZIP archive.

–ATTRIB_COMPATIBILITY Governs the type of extended attributes that are stored in the archive.

–AUTHCHK Activates digital signature authentication for the archive Directory or Files.

–CALLMODE Internal environmental interfacing command. • •

–CHECK_SYSIN_MEMBER Verifies a command input stored in a PDS or PDSE member.

• •

–COMPRESSION_LEVEL Specifies speed and compression level when Zipping a file.

–CRLF Controls the use of record delimiters and an optional file terminator.

• •

–DATA_DELIMITER Specifies the delimiter(s) to be used at the end of each text record of the file.

• •

–DATA_STORAGE Specifies the amount of cache memory used in ZIP processing.

• •

–DATA_TRANS_API_ERRLIM Unused at this time •

–DATA_TRANS_API_ERROR Intended action when a user API program error occurs.


–DATA_TRANS_API_LANGUAGE Programming language/linkage used for the DATA_TRANS_API user program. •

–DATA_TRANS_API_NAME Load module name of User program used to modify data records during SECZIP processing.

–DATA_TRANS_API_PARM Data string to be passed to the User API program.

–DATA_TRANS_API_TRACE Tracing level for API operation. •

–DATA_TRANS_API_WORKSIZE Size of persistent work area provided by SECZIP to the user program.

–DATA_TYPE Specifies that selected files for compression are binary or text. (Can be dynamically detected).

• •

–DATATYPE_DETECT_DEPTH Specifies the distance that a file is scanned before making a determination between binary or text.

• •

–DATATYPE_DETECT_TABLE Specifies the table of characters used to assess whether a byte is text or binary.

• •

–DATATYPE_TEXT_PERCENT Specifies the percentage of the sample that must meet the “text” criteria before it will be TEXT.

• •

–DDNAME_PARMLIB Specifies the DDname to use for command input (prior to SYSIN).

• •

–DDNAME_SYSIN Specifies the DDname to use for command input (unless –NOSYSIN is specified).

• •

–DDNAME_SYSPRINT Specifies the DDname to be used for SecureZIP for zSeries messages.

• •

–DDNAME_ZPSORTIN During –ACTION(VIEW) processing, SORT is called. This internal SORTIN DD is used.

–DDNAME_ZPSORTOUT During –ACTION(VIEW) processing, SORT is called. This internal SORTOUT DD is used.

–ECHO Specifies that a copy of SecureZIP for zSeries commands should be output to the message dataset.

• •

–ENCRYPT_CERT_LIMIT Restricts the number of certificates used for each encrypted file

–ENCRYPTION_METHOD Specifies which encryption algorithm is to be employed.

–EXCLUDE(dsname mask) Specifies which files may be eliminated from being processed using a mask selection.

–EXTRACT_PREVIEW Specifies that a select number of records be processed for previewing the data.

–FILE_BUSY_WAITTIME Specifies how long SecureZIP for zSeries should wait while continually retrying before it will terminate.

• •


–FILE_EXTENSION Specifies what to do with an extension. •

–FILE_TERMINATOR Specifies the character(s) to be stored (or recognized) at the end of the last record of a file.

• •

–FILENAME_API_ERRLIM Unused at this time •

–FILENAME_API_ERROR Intended action when a user API program error occurs.

–FILENAME_API_LANGUAGE Programming language/linkage used for the FILENAME_API user program.

–FILENAME_API_NAME Load module name of User program used to convert archive File names to MVS Data Set names during EXTRACT processing.

–FILENAME_API_PARM Data string to be passed to the User API program.

–FILENAME_API_TRACE Tracing level for API operation. •

–FILENAME_API_WORKSIZE Size of persistent work area provided by SECUNZIP to the user program.

–FILENAME_ENCRYPTION Perform strong encryption on the archive central directory

–FILENAME_SELECT_CASE Affect archive filename selection case sensitivity.

–GDGALL_SUPPORT Specifies whether all levels of a Generation Data Group (GDG) are to be retrieved and included in the archive.

–GZIP Specifies that the output archive will be created in GZIP format.

• •

–GZIP_SUFFIX Specifies the name to be used as the last level of the filename when there is no valid GZIP filename.

• •

–HIERARCHY Specifies that the full dataset component hierarchy should be used when converting a filename between ZIP archive format and MVS format.

–INCLUDE_CMD Include batched commands from a partitioned library.

• •

–INCLUDE_SFX Create a self-extracting archive •

–INFILE Specifies what file(s) to compress by identifying a DD statement.

–INSERT_MEMBER Used to add a member to an existing PDS. •

–KEY_PROTECT_LEVEL Strength of key protection for advanced encrypted archives.

–LDAP_ENCRYPT_CERT_SELECT Restricts the number or type of certificates used in encrypting a file.


–LICENSE_HLQ Specifies the high level qualifier to be used in locating the License Control Dataset. • •

–LICENSE_WTO_INFO Support console message automation for expiring license. (Specify in the defaults module).

• •

–LMOD_SUPPORT Sets –DATA_TYPE(BINARY), –SAVE_FILE_ATTRIBUTES, and –SAVE_LRECL commands on to allow simultaneous processing of load modules with text files in a PDS

• •

–LOGGING_LEVEL Specifies the level (or quantity) of messages output to SYSPRINT.

• •

–MASTER_RECIPIENT This enables an enterprise to decrypt and access the file(s) when other RECIPIENTs are no longer able or eligible.

• •

–MEMORY_MODEL Specifies where file management control blocks are held and the amount of storage that can be used for compression control tables.

–MULTI_THREAD_LIMIT Specifies the number of subtasks to be used in compressing datasets.

• •

–NOAPI The Language Environment CEEPIPI environment associated with User API programs (such as DATA_TRANS_API) will not be initialized.

• •

–NOSYSIN Specifies the SYSIN dataset is not opened for commands.

• •

–ON_FILE_ACCESS_ERROR Specifies the action to take when an access error has occurred.

• •

–ON_FILE_IO_ERROR Specifies the action to take when an I/O error has occurred.

• •

–OUTFILE_BLKSIZE Specifies the block size for a newly extracted dataset.

–OUTFILE_DATACLASS Specifies the DF/SMS data class for a newly extracted dataset.

–OUTFILE_DD Specifies what file(s) are to contain the extracted data by identifying a DD statement.

–OUTFILE_DIR_BLOCKS Specifies the directory block amount for a newly extracted dataset.

–OUTFILE_DSNTYPE Determines the type of output file to be created.

–OUTFILE_LRECL Specifies the logical record length for a newly extracted dataset.

–OUTFILE_MGMTCLASS Specifies the DF/SMS management class to be used for a newly extracted dataset.


–OUTFILE_OVERWRITE Specifies overwrite of an existing file or member within a PDS. •

–OUTFILE_PDS_ENQ Specifies the level of disposition that will be used for a PDS or PDSE when processing an EXTRACT request.

–OUTFILE_RECFM Specifies the record format of a newly extracted dataset.

–OUTFILE_SPACE_MULTIVOL Control multi-volume allocation of an Output data set during EXTRACT.

–OUTFILE_SPACE_PRIMARY Specify the number of allocation units in the primary extent of a newly extracted dataset.

–OUTFILE_SPACE_RLSE Specifies whether free space should be released when a newly extracted dataset is de-allocated.

–OUTFILE_SPACE_SECONDARY Specify the number of allocation units in the secondary extent of a newly extracted dataset.

–OUTFILE_SPACE_TYPE Specifies how space is to be allocated for a newly extracted dataset.

–OUTFILE_STORCLASS Specifies the DF/SMS storage class for a newly extracted dataset.

–OUTFILE_UNIT Specifies the generic unit for allocation of a newly extracted dataset.

–OUTFILE_VOLUMES Specifies the volume(s) for allocation of a newly extracted dataset.

–PAD_CHAR Specifies the character to use to pad fixed length records when extracting.

–PAD_VSAM Specifies that variable length records be padded using the character specified in –PAD_CHAR.

–PARMLIB_DSNAME_UNZIP Specifies the name of the dataset containing the configuration specifications for UNZIP processing.

• •

–PARMLIB_DSNAME_ZIP Specifies the name of the dataset containing the configuration specifications for ZIP processing.

• •

–PARMLIB_FILE_WAIT_MAX If the specified –PARMLIB_DSNAME cannot be dynamically allocated, this is the amount of time to wait before terminating.

• •

–PARMLIB_FILE_WAIT_TIMER If the specified –PARMLIB_DSNAME cannot be dynamically allocated, this is the amount of time to wait before retrying (up to PARMLIB_FILE_WAIT_MAX).

• •

–PASSWORD Specifies a password to encrypt/decrypt ZIP archive files.

• •


–PATCH_REPORT Specifies that a report of all patches be produced. See –ACTION.

• •

–PATH Specifies that only the last component of the dataset component hierarchy should be used when converting a filename between MVS format and ZIP archive format.

–PKSUPPRC A default command that allows the return code to be suppressed.

• •

–PRESERVE_CMD_SPACES Preserves or removes blanks preceding the “|”.

• •

–PROCESS_ALIAS Specifies whether the alias entries for selected PDS members are to be used.

• •

–RECALL_TO_ZIP Specifies whether DFHSM recall of datasets should occur.

–RECIPIENT Identifies the eligible party that may decrypt the file(s)

• •

–RECURSE_LEVELS Specifies whether or not data components beyond those specified should be used in matching with your selection.

–SAVE_FILE_ATTRIBUTES Specifies where file attributes should be stored for datasets in the zip archive; in the central directory only, the Local Directory, both directories, or neither directory.

• •

–SAVE_LRECL Compress/Decompress a binary file with variable record lengths.

• •

–SECUREZIP_CONFIG Specifies a member that contains the cert store configuration commands to be included during processing. (Specify in the defaults module).

• •

–SELECT_CATALOGED_ALIAS Specifies whether aliases are to be supported at time of zipping.

–SELECT_FROM_PDS Specifies a PDS dataset from which SecureZIP for zSeries can obtain members to match user selection parameters that do not match any other dataset.

• •

–SELECT_TAPE Specifies whether tape files are to be retrieved and included in the archive.

–SET_ERROR_RC Specifies a firm return code to be passed to the system when an error has been detected.

• •

–SHOW_SETTINGS Displays all current command settings. • •

–SIGN_ARCHIVE Generates a digital signature for the archive central directory

–SIGN_FILES Generates a digital signature for the files added to an archive


–SIGN_HASHALG Specifies which hashing algorithm to use when requesting a signing operation. •

–SIGNAL_ZIP64 Specifies return code control when engaging ZIP64 extensions.

–SIMULATE Simulates file selection processes, but does not perform actual data manipulation for the files selected.

• •

–SNAP_SYSOUT_CLASS Specifies the SYSOUT class to be used for SNAP dumps (reserved for future use).

• •

–STAGE_TAPE_ON_DISK Specifies input from a sequential device be stored in a temporary dataset.

• •

–STRIP_CHAR Specifies an ending character to be removed from the end of each record before it is zipped.

–SUPPRESS_DYNALLOC_MSGS Specifies that the dynamic allocation messages in job log be suppressed.

• •

–SYSPRINT_DCB Specifies the DCB record format to be used for SYSPRINT listings.

–SYSPRINT_SYSOUT_CLASS Specifies the JES SYSOUT class that will be used for the SYSPRINT listing.

• •

–TEMP_BLKSIZE Specifies the temporary block size of a temporary SecureZIP for zSeries dataset.

• •

–TEMP_DATACLASS Specifies the DF/SMS data class to be used for a temporary ZIP dataset.

• •

–TEMP_MGMTCLASS Specifies the DF/SMS management class to be used for a temporary file allocation.

• •

–TEMP_RECFM Specifies the record format for a temporary ZIP dataset.

• •

–TEMP_SPACE_MULTIVOL Control multi-volume allocation of Temporary work files.

• •

–TEMP_SPACE_PRIMARY Specifies the number of space units to be used in the primary partition of a temporary ZIP dataset.

• •

–TEMP_SPACE_SECONDARY Specifies the number of space units to be used in the secondary partition of a temporary ZIP dataset.

• •

–TEMP_SPACE_TYPE Specifies how space is to be allocated for a temporary ZIP dataset.

• •

–TEMP_STORCLASS Specifies the DF/SMS storage class to be used for a temporary file allocation.

• •

–TEMP_UNIT Specifies the unit to be used for allocation of a temporary ZIP dataset.

• •

–TEMP_VOLUMES Specifies the volume onto which a temporary ZIP dataset should be placed.

• •


–TRACE_TABLE_SIZE Specifies the size of the internal trace table. • •

–TRANSLATE_TABLE_DATA Specifies which translation table to use when converting character sets of text files.

• •

–TRANSLATE_TABLE_FILEINFO Specifies a translation table to be used with file information such as comments, file names, and control information of a ZIP archive.

• •

–TRANSLATION_MODE (Reserved for future use). • •

–UNZIPPED_DSN Specifies a different high-level qualifier for an extracted dataset.

–VSAM Specifies whether VSAM files should be used or ignored when selecting files for compression and using wildcards.

–VSAM_ACCOUNT Specifies the accounting information to be provided to Access Methods Services during a DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

–VSAM_ATTEMPTS Specifies the number of password attempts that are permitted to Access Methods Services during a DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

–VSAM_AUTH_EP Supplies the entry point of a user security verification routine to Access Methods Services during a DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

–VSAM_AUTH_STRING Supplies a string of information to be passed to your security verification routine to Access Methods Services during a DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

–VSAM_BUFFERSPACE Specifies the BUFFERSPACE parameter to the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

• •

–VSAM_CATALOG Specifies the CATALOG parameter to the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

• •

–VSAM_CISIZE Specifies the CONTROLINTERVALSIZE parameter to the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

• •


–VSAM_CLUSTER_TYPE Specifies the file type to the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

–VSAM_CODE Supplies a code name for the cluster or component to Access Methods Services during a DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

–VSAM_CONTROLPW Specifies the CONTROLPW parameter to the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

–VSAM_DATA_CISIZE Specifies the CONTROLINTERVALSIZE parameter to the data component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

• •

–VSAM_DATA_EXCEPTIONEXIT Specifies the EXCEPTIONEXIT parameter to the data component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

• •

–VSAM_DATA_FILE Specifies the FILE parameter to the data component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

• •

–VSAM_DATA_NAME Specifies the NAME parameter to the data component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

–VSAM_DATA_ORDERED Specifies the ORDERED parameter to the data component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

• •

–VSAM_DATA_PRIMARY Specifies the primary space allocation value to the data component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

• •

–VSAM_DATA_SECONDARY Specifies the secondary space allocation value to the data component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

• •


–VSAM_DATA_SPACE_TYPE Specifies the space allocation type parameter to the data component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

• •

–VSAM_DATA_VOLUMES Specifies the VOLUMES parameter to the data component of an IDCAMS DEFINE CLUSTER command, used to create a new (or update an existing) VSAM-defined ZIP archive.

• •

–VSAM_DATACLASS Specifies the DF/SMS data class to be used for the creation of a new (or update of an existing) VSAM-defined ZIP archive.

• •

–VSAM_DUPLICATE_ERROR Specifies the action to be taken on realization of a duplicate key when creating a new extracted VSAM dataset.

–VSAM_ERASE Specifies the ERASE parameter to the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

• •

–VSAM_EXCEPTIONEXIT Specifies the EXCEPTIONEXIT parameter to the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

• •

–VSAM_FILE Specifies the FILE parameter to the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

–VSAM_FOR Specifies the FOR parameter to the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

–VSAM_FREESPACE_CA Specifies the FREESPACE parameter to the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

• •

–VSAM_FREESPACE_CI Specifies the FREESPACE parameter to the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

• •

–VSAM_IMBED Specifies the IMBED parameter of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

–VSAM_INDEX_ATTEMPTS Specifies the number of password attempts that are permitted to Access Methods Services during a DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.


–VSAM_INDEX_AUTH_EP Supplies the entry point of a user security verification routine to Access Methods Services during a DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

–VSAM_INDEX_AUTH_STRING Supplies a string of information to be passed to your security verification routine to Access Methods Services during a DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

–VSAM_INDEX_CISIZE Specifies the CONTROLINTERVALSIZE parameter to the INDEX component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

–VSAM_INDEX_CODE Supplies a code name for the cluster or component to Access Methods Services during a DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

–VSAM_INDEX_CONTROLPW Specifies the CONTROLPW parameter to the index component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

–VSAM_INDEX_EXCEPTIONEXIT Specifies the EXCEPTIONEXIT parameter to the index component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

–VSAM_INDEX_FILE Specifies the FILE parameter to the index component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

–VSAM_INDEX_MASTERPW Specifies the MASTERPW parameter to the index component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

–VSAM_INDEX_NAME Specifies the NAME parameter to the index component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

–VSAM_INDEX_ORDERED Specifies the ORDERED parameter to the index component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.


–VSAM_INDEX_PRIMARY Specifies the primary space allocation parameter to the index component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

–VSAM_INDEX_READPW Specifies the READPW parameter to the index component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

–VSAM_INDEX_SECONDARY Specifies the secondary space allocation parameter to the index component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

–VSAM_INDEX_SPACE_TYPE Specifies the space allocation type parameter to the index component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

–VSAM_INDEX_UPDATEPW Specifies the UPDATEPW parameter to the index component of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

–VSAM_INDEX_VOLUMES Specifies the VOLUMES parameter to the index component of an IDCAMS DEFINE CLUSTER command, used to create a new (or update an existing) VSAM-defined ZIP archive.

–VSAM_KEYS Specifies the KEYS parameter for an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

–VSAM_MASTERPW Specifies the MASTERPW parameter to the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

–VSAM_MGMTCLASS Specifies the DF/SMS management class to be used for the creation of a new (or update of an existing) VSAM-defined ZIP archive.

–VSAM_MODEL Specifies the MODEL parameter to the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

• •

–VSAM_ORDERED Specifies the ORDERED parameter to the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.


–VSAM_OWNER Specifies the OWNER parameter to the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

–VSAM_READPW Specifies the READPW parameter to the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

–VSAM_RECORDSIZE Specifies the RECORDSIZE parameter to the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

• •

–VSAM_RECOVERY_OPT Specifies the SPEED or RECOVERY parameter to the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

–VSAM_REPLICATE Specifies the REPLICATE parameter to the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

–VSAM_REUSE Specifies the REUSE|NOREUSE parameter to the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

• •

–VSAM_SHAREOPTIONS Specifies the SHAREOPTIONS parameter to the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

• •

–VSAM_SPACE_PRIMARY Specifies the number of allocation units to be allocated in the primary extent of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

• •

–VSAM_SPACE_SECONDARY Specifies the number of allocation units to be allocated in the secondary extent of an IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

• •

–VSAM_SPACE_TYPE Specifies the type of allocation units to be allocated in the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

–VSAM_SPANNED Specifies the SPANNED|NONSPANNED parameter to the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

• •


–VSAM_STORCLASS Specifies the DF/SMS storage class to be used for the creation of a new (or update of an existing) VSAM-defined ZIP archive.

–VSAM_TO Specifies the TO parameter to the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

• •

–VSAM_UPDATEPW Specifies the UPDATEPW parameter to the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

–VSAM_WRITECHECK Specifies the WRITECHECK|NOWRITECHECK parameter to the IDCAMS DEFINE CLUSTER command used to create a new (or update an existing) VSAM-defined ZIP archive.

• •

–ZIPPED_DSN Specifies what parameters to use in converting MVS file names to ZIP file names.

–ZIPPED_DSN_SEPARATOR Specifies what separator to use in the new ZIP archive name.

Command Details

Descriptions of SecureZIP for zSeries commands are given below in alphabetic sequence. If applicable, synonyms for each command are listed directly below the command.

<dataset name>

The <data set name> is an individual name or a file mask of files that are to be used in the ZIP or UNZIP process. The specification may represent one or more files when wildcard masks are used or RECURSE_LEVELS is specified.

Note: This command does not use a “–” prefix.

Pathnames may be specified in the <data set name> and may be either in MVS format (MYFILES.PROJECT.DATA), where periods separate the qualifiers, or in UNIX format and use slashes (MYFILES/PROJECT/DATA). SecureZIP for zSeries stores the <data set name> in the latter format to provide cross-platform compatibility but accepts references to <data set name> in MVS format.

Note: When standard ZIP archives are requested, a filename may be of mixed case. When GZIP is requested, all characters in the filename should be lower case, according to GZIP specifications.

Formatting

For individual data sets or PDS names, the <data set name> entry consists of:


dataset level[.dataset level][.dataset level]….

For example: mydata.testing.temp.

For PDS members, the <data set name> entry consists of:

dataset level[.dataset level][.dataset level] ... (member1[,member2][,member3]…)

For example: mydata.testing.temp(firstrun,secondrun).

When a single data set level is specified either as a data set or a PDS member, and if SELECT_FROM_PDS is present, the associated PDS is identified.

If SELECT_FROM_PDS is not present, then the single level will be identified as a high-level qualifier.

Wildcards

Wildcard characters enable you to use a single name, containing wildcard characters, to specify multiple data sets. The wildcard characters (?, *, and **) are used in place of some or all of the characters in the name. They operate as “wild cards” in that they match a range of things instead of just a single character.

Wildcards cannot be used in the highest data set level of the data set name.

The more general the wildcard specifications, the longer the file search. To save time, be as specific as possible in selecting data set names.

Question mark (?)

A question mark (?) represents any single character in that position within a data set level.

For example, MBS.?ABC matches every data set that has one character preceding ABC in its data set level. For example:

MBS.1ABC

MBS.2ABC

MBS.MABC

MBS.??ABC includes data sets that have two characters before ABC in the data set level. For example:

MBS.10ABC

MBS.XXABC

MBS.1JABC

Asterisk *

An asterisk (*) matches any string of zero or more characters in that position, within the level.

For example, JEH.*.SUB matches all data sets with any second level and a third level of SUB. For example:


JEH.BVC.SUB

JEH.TRIAL.SUB

JEH.UNVTEST.SUB

JEH.A*.SUB represents all data sets with a third level of .SUB and all second levels whose names begin with A. For example:

JEH.ABC.SUB

JEH.AQZAR.SUB

JEH.ATEST.SUB

BOOT.* represents all data sets with a first component of BOOT plus any of its second levels. It does not represent data sets with more than one level (see ** for more than one). For example:

BOOT.MINE

BOOT.DATA

BOOT.TESTING

but not

BOOT.MINE.SOURCE

JEH.*.D* represents all files within JEH whose third level begins with D. For example:

JEH.OWN.DATA

JEH.SOURCE.DELIM

JEH.BAKER.DEMO

Double asterisk **

A double asterisk (**) matches all occurrences of one or the next two data set levels.

For example, ABC.** represents all data sets beginning with ABC and includes the next level or two, if present. For example:

ABC.GROUP.TEST

ABC.GROUP

ABC.MINE

ABC.**.DATA represents data sets with the first level of ABC followed by one or two levels and ending with DATA as the last level. For example:

ABC.GROUP.BASIC.DATA

ABC.GROUP.DATA

ABC.MINE.DATA
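The wildcard rules above can be checked before a job is run, so that a broad mask does not pull unintended data sets into an archive. The following is an added example, not code from PKWARE or from this guide: the function names and the catalog listing are constructed, names are compared in upper case, `**` is read as "one or two whole levels" as the text states, and `**` embedded inside a level is rejected as a choice of this example.

```python
import re

# Any character that is not the level separator.
LEVEL_CHAR = r"[^.]"


def compile_mask(mask: str) -> re.Pattern:
    """Compile a data set mask using ?, * and ** into a regular expression."""
    levels = mask.upper().split(".")
    if any(level == "" for level in levels):
        raise ValueError(f"empty data set level in mask: {mask!r}")
    # The guide: wildcards cannot be used in the highest data set level.
    if "?" in levels[0] or "*" in levels[0]:
        raise ValueError("wildcards cannot be used in the highest data set level")

    pieces = []
    for level in levels:
        if level == "**":
            # One whole level, optionally followed by a second one.
            pieces.append(rf"{LEVEL_CHAR}+(?:\.{LEVEL_CHAR}+)?")
            continue
        if "**" in level:
            # Assumption of this example: '**' must stand alone as a level.
            raise ValueError(f"'**' must stand alone as a level: {level!r}")
        body = ""
        for ch in level:
            if ch == "?":
                body += LEVEL_CHAR          # exactly one character in this level
            elif ch == "*":
                body += LEVEL_CHAR + "*"    # zero or more characters, same level
            else:
                body += re.escape(ch)
        # The lookahead rejects an empty level, which a lone "*" would otherwise allow.
        pieces.append(rf"(?={LEVEL_CHAR}){body}")
    return re.compile(r"\.".join(pieces))


def mask_matches(mask: str, name: str) -> bool:
    """True when the whole data set name is selected by the mask."""
    return compile_mask(mask).fullmatch(name.upper()) is not None


def preview_selection(mask: str, catalog: list) -> list:
    """Return the catalog entries a mask would select, in catalog order."""
    pattern = compile_mask(mask)
    return [name for name in catalog if pattern.fullmatch(name.upper())]


# Constructed catalog listing (names taken from the guide's examples plus
# a few extra entries that the masks must NOT select).
SAMPLE_CATALOG = [
    "ABC.GROUP",
    "ABC.GROUP.TEST",
    "ABC.GROUP.BASIC.DATA",
    "ABC.GROUP.DATA",
    "ABC.MINE.DATA",
    "ABC.DATA",
    "ABC.A.B.C.DATA",
    "BOOT.MINE",
    "BOOT.MINE.SOURCE",
]

if __name__ == "__main__":
    for mask in ("ABC.**", "ABC.**.DATA", "BOOT.*"):
        print(f"{mask:12} -> {preview_selection(mask, SAMPLE_CATALOG)}")
```
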

MS-DOS and UNIX file formats

Data set names are supported in MS-DOS and UNIX formats to delete or view entries. For all other operations, data set names should be in the MVS format.


For UNIX or MS-DOS formatting:

[pathname][/pathname]…[/pathname][/filename]

For MS-DOS formatting:

[pathname][\pathname]…[\pathname][\filename]

Command Icon Legend

The following legend is used to identify icons that may be associated with a given command.

These icons provide platform information and command compatibility. A warning icon indicates that you should proceed with extreme caution and double-check that the information provided works with your platform. It is important that you double-check a command before using it.

Icons Description

☺ This icon specifies what platforms use this command.

This command is not compatible with UNIX, iSeries, OS/400, and Windows.

This icon is a warning and it instructs you to read the information and proceed with caution.

–ACTION

Synonyms Include: –ADD, –COPY, –DELETE, –EXTRACT, –FRESHEN, PATCH_REPORT, TEST, –UPDATE, –VIEW

The ACTION command is used to add, copy, delete, extract, freshen, update, or view files in a ZIP archive. It may also be used to view a patch report.

–ACTION(ADD|COPY|DELETE|EXTRACT|FRESHEN|PATCH_REPORT|TEST|UPDATE|VIEW)

ADD - Specifies the addition of a file(s) to a ZIP archive using the method as specified in COMPRESSION_METHOD. If a file already exists in the archive with the same name, the addition will be disallowed and an UPDATE modifier will be required.

• Use ARCHIVE_DSN or a combination of ARCHIVE_INFILE and ARCHIVE_OUTFILE along with the ACTION(ADD) to create the new ZIP archive.

• The ADD command forces creation of a new ZIP archive.

• ADD is the default action for the SECZIP program.


COPY - Specifies that designated files (all by default) are to be copied from one archive to another when running program SECZIP. Data set name selections are accomplished the same as they are with ACTION(DELETE) defined previously. When no names are specified, all files within the input archive are copied to the target. No action is taken if the target archive is the same as the source archive.

• Use of ARCHIVE_DSN in conjunction with COPY causes an implicit deletion of all files not selected from the designated archive. This can be a more efficient way to delete files from an archive than by listing them all with DELETE. SECZIP does not allow implicit deletion of all files within an archive when using COPY.

• When ARCHIVE_INFILE is used with COPY, SECZIP allows the creation of an empty target archive if none of the requested files matches the input archive.

DELETE - Specifies that the file(s) selected by the <data set name> command be deleted from an existing ZIP archive. This action results in the creation of a new archive, minus the deleted files.

• Use ARCHIVE_DSN (or a combination of ARCHIVE_INFILE and ARCHIVE_OUTFILE) along with the ACTION(DELETE) to create the new ZIP archive.

• The DELETE command forces the creation of a new ZIP archive minus the deleted files.

EXTRACT - Specifies that items or files are looked for in the archive, are brought out, and are put into an MVS data set. EXTRACT is the default action for the SECUNZIP program.

FRESHEN - Specifies that files already existing in an archive are to be replaced by different files having the same names. Note that timestamp verification does not occur, so it is possible to replace a file with one that is older.

PATCH_REPORT - When gathering information for problem analysis, SecureZIP for zSeries Technical Support may request the output from an execution with PATCH_REPORT. The report output is sent to the designated DDNAME_SYSPRINT standard output. No other commands are required.

PATCH_REPORT is normally executed in batch, although a foreground report can be generated with the ISPF panels.

Note: The PATCH_REPORT command may be used under either PGM=SECZIP or PGM=SECUNZIP. No archive actions will be performed when this command action is selected.

TEST - Specifies that the ZIP archive files be tested for integrity.

• This command performs the same functions as an ACTION(EXTRACT) command without actually extracting data or producing a decompressed file. The stored CRC is checked in this process, and a confirmation message occurs in the SYSPRINT data set for each valid file.

• Use ARCHIVE_DSN or ARCHIVE_INFILE with this command to specify the ZIP archive to be validated.

UPDATE - Specifies the update or addition of a file(s) to an existing ZIP archive.


VIEW - Specifies that information about selected files be displayed in SYSPRINT. The VIEW command may be used with or without parameters. All parameter fields are optional but, if specified, must be specified in the following order:

VIEW[level][sort][REVERSE][COMMENT]

• Level - This parameter specifies the amount and format of the information to be displayed.

Null - If no level is specified, a standard report of one line per file (wrap lines may be inserted for the file name or comment) will be displayed with columnar headings for the field values.

BRIEF - Provides a minimum of information about the files selected for display.

DETAIL - Provides a full set of technical details about the files selected for display.

• Sort - Determines the presentation sequence of information in the output report.

NAME - Sort by filename only.

DATE - Sort by date only.

LENGTH - Sort by length of the uncompressed file only.

OFFSET - Sort by order of occurrence within the ZIP archive (first in, first out). This is the default sort sequence.

PERCENT - Sort by compression percentage, only.

SIZE - See Length.

• REVERSE - Optional switch that reverses the order in which files are normally displayed for the sort criterion specified. For example, a NAME sort normally displays files in ascending order. NAMEREVERSE displays the files in descending order by file name.

• COMMENT - Optional parameter that lists any internal comment information in the archive directory in a separate line for each associated file. These file-specific comments are different from the ARCHIVE_COMMENT, which applies to the entire archive.

The following table lists the valid ACTION(VIEW) options:


VIEWBRIEF

VIEWBRIEFCOMMENT

VIEWBRIEFDATE

VIEWBRIEFDATECOMMENT

VIEWBRIEFDATEREVERSE

VIEWBRIEFDATEREVERSECOMMENT

VIEWBRIEFLENGTH

VIEWBRIEFLENGTHCOMMENT

VIEWBRIEFLENGTHREVERSE

VIEWBRIEFLENGTHREVERSECOMMENT

VIEWBRIEFNAME

VIEWBRIEFNAMECOMMENT

VIEWBRIEFNAMEREVERSE

VIEWBRIEFNAMEREVERSECOMMENT

VIEWBRIEFOFFSET

VIEWBRIEFOFFSETCOMMENT

VIEWBRIEFOFFSETREVERSE

VIEWBRIEFOFFSETREVERSECOMMENT

VIEWBRIEFPERCENT

VIEWBRIEFPERCENTCOMMENT

VIEWBRIEFPERCENTREVERSE

VIEWBRIEFPERCENTREVERSECOMMENT

VIEWBRIEFREVERSE

VIEWBRIEFREVERSECOMMENT

VIEWBRIEFSIZE

VIEWBRIEFSIZECOMMENT

VIEWBRIEFSIZEREVERSE

VIEWBRIEFSIZEREVERSECOMMENT

VIEWCOMMENT

VIEWDATE

VIEWDATECOMMENT

VIEWDATEREVERSE

VIEWDATEREVERSECOMMENT

VIEWDETAIL

VIEWDETAILCOMMENT

VIEWDETAILDATE

VIEWDETAILDATECOMMENT

VIEWDETAILDATEREVERSE

VIEWDETAILDATEREVERSECOMMENT

VIEWDETAILLENGTH

VIEWDETAILLENGTHCOMMENT

VIEWDETAILLENGTHREVERSE

VIEWDETAILLENGTHREVERSECOMMENT

VIEWDETAILNAME

VIEWDETAILNAMECOMMENT

VIEWDETAILNAMEREVERSE

VIEWDETAILNAMEREVERSECOMMENT

VIEWDETAILOFFSET

VIEWDETAILOFFSETCOMMENT

VIEWDETAILOFFSETREVERSE

VIEWDETAILOFFSETREVERSECOMMENT

VIEWDETAILPERCENT

VIEWDETAILPERCENTCOMMENT

VIEWDETAILPERCENTREVERSE

VIEWDETAILPERCENTREVERSECOMMENT

VIEWDETAILREVERSE

VIEWDETAILREVERSECOMMENT

VIEWDETAILSIZE

VIEWDETAILSIZECOMMENT

VIEWDETAILSIZEREVERSE

VIEWDETAILSIZEREVERSECOMMENT

VIEWLENGTH

VIEWLENGTHCOMMENT

VIEWLENGTHREVERSE

VIEWLENGTHREVERSECOMMENT

VIEWNAME

VIEWNAMECOMMENT

VIEWNAMEREVERSE

VIEWNAMEREVERSECOMMENT

VIEWOFFSET

VIEWOFFSETCOMMENT

VIEWOFFSETREVERSE

VIEWOFFSETREVERSECOMMENT

VIEWPERCENT

VIEWPERCENTCOMMENT

VIEWPERCENTREVERSE

VIEWPERCENTREVERSECOMMENT

VIEWREVERSE

VIEWREVERSECOMMENT

VIEWSIZE

VIEWSIZECOMMENT

VIEWSIZEREVERSE

VIEWSIZEREVERSECOMMENT


–ARCHIVE_BLKSIZE

Synonyms Include: –ARCHBLKSIZ

For a new or updated ZIP archive, the block size may be specified using the ARCHIVE_BLKSIZE command. The default is to attempt half-track blocking (for example, 27998 bytes, on a 3390 DASD device) unless ARCHIVE_LRECL is specified using logical record lengths. The default is not used when ARCHIVE_DATACLASS is specified and DF/SMS is in control of data set allocation on the system.

–ARCHIVE_BLKSIZE(<block size>)

block size - The size of block for the new or updated ZIP archive.

Note: A large block size should be specified for best ZIP performance.

Block size of 0:

If using a PDS or sequential archive, and a block size of 0 is specified, the program determines the block size.

If using record formats that are undefined, by default or by ARCHIVE_RECFM(U) command, and a block size of 0 is specified, the system may not set a block size. An error occurs when the archive is processed: for example, IEC141I 013-34 abend.

–ARCHIVE_COMMENT

Synonyms Include: N/A

This command allows a comment of up to 255 characters to be specified and saved in the archive central directory.

–ARCHIVE_COMMENT(<comment>)

comment - A free-form descriptive field that may be up to 255 characters in length and may contain lower-case letters.

-ARCHIVE_COMMENT(This is a sample of a long command input value, and a hyphen illustrates the use of the continuation character for a lon-
…..g command.)

The hyphen causes a concatenation without blanks.


–ARCHIVE_DATACLASS

Synonyms Include: –ARCHDCLASS

For a new or updated ZIP archive, the SMS data class may be specified using the ARCHIVE_DATACLASS command. If the command is not specified, no data class is used in the allocation request.

Allocation of files in a SMS environment is controlled by the installation through automatic class selection routines as defined by the local storage administrator. Control cards specifying SMS classes and/or volume selection may be ignored by the system when performing allocations. Check with the systems administrator for proper designations of these values.

–ARCHIVE_DATACLASS(<data class>)

data class - Names the SMS data class where the updated or new archive is to reside. There is an 8-character limit.

The following parameter option for SMS classes accommodates earlier PKZIP releases:

_NONE_

For example:

ARCHIVE_DATACLASS=_NONE_

An ACZDFLT parameter of _NONE_ maintains the behavior of earlier releases of PKZIP (pre-5.6) for SMS specifications.

Note that when SECZIP dynamically allocates an archive data set, an installation SMS ACS routine may assign a DATACLASS outside of SECZIP’s control. The _NONE_ specification negates the DYNALLOC (SVC99) parameter request for DATACLASS by SECZIP, but the installation can still generate an override. This has the potential for assigning DCB attributes that are incompatible with later processing of the archive data set. Care should be taken when using SMS data class attributes to ensure that the installation assigns correct values (or does not assign them at all).

–ARCHIVE_DIR_BLOCKS

Synonyms Include: –ARCHDIRBLKS, –ARCHIVE_DIRBLKS

For a new ZIP archive, the number of directory blocks may be specified using the ARCHIVE_DIR_BLOCKS command. The default of 56 is not used with ARCHIVE_DATACLASS.

Use ARCHIVE_DIR_BLOCKS in conjunction with an ARCHIVE_DSN when creating a new PDS.

–ARCHIVE_DIR_BLOCKS(<dir blocks>)

dir blocks - This indicates the number of directory blocks for the new ZIP archive. The default allocation is 56 blocks.


–ARCHIVE_DSN

Synonyms Include: –ARCHIVE, –ARCHIVE_DSNAME

In SECZIP Processing

The ARCHIVE_DSN command specifies the archive name to be read in and updated by SecureZIP for zSeries. Either this command or the ARCHIVE_INDD command must be used to identify an archive. ARCHIVE_INDD does not allow updating and is used in conjunction with ARCHIVE_OUTDD. There is no default.

–ARCHIVE_DSN(<archname>)

archname - This is the complete archive data set name of the ZIP archive. If the archive is a PDS archive, the member name must be included here.

If archname exists:

SecureZIP for zSeries performs a SYSTEM ENQUE to lock out other users from accessing the archive.

To update an archive, SecureZIP for zSeries creates a temporary file containing the original archive’s compressed data. When processing is complete, SecureZIP deletes the old archive and assigns its name to the temporary file.

The updated archive has allocation attributes from ARCH* commands or their defaults instead of the previous archive’s allocation.

Note: The temporary file(s) may require as large an allocation as the archive itself. Use the TEMP* commands to specify sufficient allocation.

If the archive came from another platform, the created data set must be created on MVS as sequential or as a PDS member with type U, F, or FB records. For best processing, generate this data set with a block size of at least 4000 bytes.

SecureZIP for zSeries will create the archive with the <archive name>.

If this is to be a first member of a PDS, use ARCHIVE_DIR_BLOCKS to specify the allocation of directory blocks or use the default.

In SECUNZIP Processing

The ARCHIVE_DSN command specifies the archive name to be read in or viewed by the SECUNZIP program.

Note: Either this command or the –ARCHIVE_INDD command must be used to identify an archive. There is no default.

–ARCHIVE_DSN(<archname>)

archname - This is the complete data set name of the ZIP archive.


SecureZIP for zSeries will perform a SYSTEM ENQUE to lock out other users from using the archive.

–ARCHIVE_DSORG

Synonyms Include: –ARCHDSORG

For a new or updated ZIP archive, the data set organization is specified using the ARCHIVE_DSORG command. The command may specify one of four organizations, with Sequential as the default. Note that, with the exception of VSAM files, SecureZIP for zSeries can determine the data set organization from the data set name in the ARCHIVE_DSN command.

–ARCHIVE_DSORG(PO|PE|PS|VS)

PO - Partitioned data set archive.

PE - Partitioned data set enhanced archive.

PS - Physical sequential archive.

VS - Virtual storage access method archive.

Note: The program can determine the organization of the archive by the data set name, except for VSAM files.

–ARCHIVE_FASTSEEK

Synonyms Include:

Control fast archive directory seek logic for selected disk archive data set organizations.

ARCHIVE_FASTSEEK= Y|N

The central file directory for an archive is located at the back of the archive data set, and local file directory entries are interspersed throughout the archive. When this setting is enabled with “Y”, SECZIP and SECUNZIP will use direct I/O techniques to locate the directory entries for view, extract and archive update processing.

In order to be effective, the archive data set must reside on disk as DSORG=PS (Physical Sequential) with RECFM=U or RECFM=FB. When STAGE_TAPE_ON_DISK=Y is specified, the fast seek logic will take effect for the temporary disk archive once it has been copied from tape.

This feature is associated with the licensing of “Large File Support”.

If fast seek processing cannot be performed, message ZPAM561I is issued, and sequential processing of the archive directory entries is performed.


Customers with a standard license receive a message like the following if ARCHIVE_FASTSEEK is set to Y. This setting causes a request for ZIP64 which is not part of the Standard license:

ZPLI902W ZIP64 LARGE FILE SUPPORT FEATURE WARNING –CPU NOT LICENSED GRACE USED 01 DAY(S)

–ARCHIVE_INFILE

Synonyms Include: –ARCHINDD, –ARCHIFILE, –ARCHINFILE, –ARCHIVE_INDD, –ARCHIVE_IFILE

The ARCHIVE_INFILE command specifies a DD statement that describes a ZIP archive to be read in for processing. Use this command when the archive is not to be updated and the processed file is to be written to another destination using ARCHIVE_OUTFILE. Also use this command when processing tapes and GDG’s. Do not use this command with the ARCHIVE_DSN command.

–ARCHIVE_INFILE(<DDname>)

DDname - This is the DD statement in the JCL that identifies the ARCHIVE to be read.

The same <DDname> may not be used for ARCHIVE_OUTFILE.

–ARCHIVE_LRECL

Synonyms Include: –ARCHLRL

For a new or updated ZIP archive, the logical record length is specified using the ARCHIVE_LRECL command. If ARCHIVE_RECFM(U) is specified for sequential archives, a default record length of 0 is established. Otherwise the block size is used. Note that the command ARCHIVE_DATACLASS overrides this default.

–ARCHIVE_LRECL(<lreclength>)

lreclength - The logical record length for the new or updated ZIP archive.

–ARCHIVE_MGMTCLASS

Synonyms Include: –ARCHMCLASS

For new file allocation when doing SECUNZIP processing, these classes are passed to SMS when data set allocation occurs.

–ARCHIVE_MGMTCLASS(<SMS Management Class>)

See IBM’s DF/SMS manuals for further information about this parameter.


The following parameter option for SMS classes accommodates earlier PKZIP releases:

_NONE_

For example:

ARCHIVE_MGMTCLASS=_NONE_

An ACZDFLT parameter of _NONE_ maintains the behavior of earlier releases of PKZIP (pre-5.6) for SMS specifications.

–ARCHIVE_OUTFILE

Synonyms Include: –ARCHIVE_OUTDD, –ARCHIVE_OFILE, –ARCHOUTDD, –ARCHOFILE, –ARCHOUTFILE

The ARCHIVE_OUTFILE command specifies a DD statement that points to a ZIP archive to be written. Use this command when the input archive is not to be updated with new information. This command is mainly used when processing tapes and GDG’s. Do not use this command in conjunction with the ARCHIVE_DSN command.

–ARCHIVE_OUTFILE(<DDname>)

DDname - This is the DD statement in the JCL that identifies the ARCHIVE to write. It must not be the same as used for ARCHIVE_INFILE.

If the archive is updated, the JCL parameter DISP=MOD should not be used to extend the archive. DISP=OLD should be used instead to allow the archive to be overwritten.

If the archive is not updated, then the input archive will be copied to the <DDname> archive. The <DDname> attributes in the JCL are used to define the output archive. Any ARCH* commands are ignored.

In the event of an error occurring during ZIP processing such that the process does not complete, the output data set within the archive should not be used. The status of the data set is determined once the process completes and therefore will not be determined if an error is encountered.

–ARCHIVE_RECFM

Synonyms Include: –ARCHTYPE

For a new or updated ZIP archive, the record format may be specified using the ARCHIVE_RECFM command. The record specification may be one of four types with U (Undefined) as the default.

–ARCHIVE_RECFM(U|F|FB|FBS)

U - Undefined records (default) (note also that this default is ignored if an associated SMS command of ARCHIVE_DATACLASS is used).


F - Fixed records.

FB - Fixed-Block records.

FBS - Fixed-Block Standard records.

An undefined specification (U) causes any ARCHIVE_LRECL specifications to be ignored. Similarly, an unblocked file specification will cause ARCHIVE_BLKSIZE to be ignored.

–ARCHIVE_SPACE_MULTIVOL

Synonyms Include: N/A

The ARCHIVE_SPACE_MULTIVOL command controls whether the dynamic allocation of a new non-VSAM archive data set will request multiple volumes when ARCHIVE_DATACLASS is not in effect.

–ARCHIVE_SPACE_MULTIVOL=Y|N

N - When a value of “N” is specified, or an ARCHIVE_DATACLASS is specified, SecureZIP does not provide a volume count in the dynamic allocation request. When multiple volumes are required to hold the archive under this condition, the operating system may reject the volume extension with an associated IEC032I-04 E37 error.

Y - When “Y” is specified without an ARCHIVE_DATACLASS, a maximum of 59 volumes will be requested in the DYNALLOC request. When this option is enabled, the catalog will show the archive data set as being a multi-volume data set.

Message IGD17271I Allocation has been allowed to proceed for data set may appear in the JOB log from the system but will not affect SECZIP processing.

Note: See the SecureZIP for zSeries System Administrator’s Guide for more information on SMS dataclass considerations. See also the section “Large File Considerations” in Chapter 8 for discussions regarding SMS class controls of extended size data sets.

–ARCHIVE_SPACE_PRIMARY

Synonyms Include: –ARCHPRIMARY

For a new or updated ZIP archive, the number of allocation units in the primary extent is specified using the ARCHIVE_SPACE_PRIMARY command.

The default is not used if ARCHIVE_DATACLASS is specified.

–ARCHIVE_SPACE_PRIMARY(<allocation units>)

allocation units - This is an 8-character field specifying the number of allocation units for the primary extent of the new or updated ZIP archive.

00000010 - Ten (cylinders) is the default.


Allocation units are automatically released for a sequential archive.

–ARCHIVE_SPACE_RLSE

Synonyms Include: –ARCHIVE_RLSE, –ARCHIVE_RELEASE, –ARCHIVE_SPACE_RELEASE, –ARCHRLSE, –NOARCHRLSE, –ARCHNORLSE

This command specifies whether free space should be released when a ZIP archive is deallocated.

–ARCHIVE_SPACE_RLSE(Y|N)

Y - YES - The deallocated free space is released following compression. This is the default action taken for sequential data sets.

N - NO - The deallocated free space is not released following compression. This is the default action taken for partitioned data sets.

–ARCHIVE_SPACE_SECONDARY

Synonyms Include: –ARCHSECONDARY

For a new or updated ZIP archive, the number of allocation units in the secondary extent is specified using the ARCHIVE_SPACE_SECONDARY command. If specified, the data unit number must not be 0.

The default is not used if ARCHIVE_DATACLASS is specified.

allocation units - This is an 8-character field specifying the number of allocation units for the secondary extent of the new or updated ZIP archive.

00000010 - Ten (cylinders) is the default.

–ARCHIVE_SPACE_TYPE

Synonyms Include: –ARCHSPACE

For a new or updated ZIP archive, the type of allocation units may be specified using the ARCHIVE_SPACE_TYPE command. Note the default is not used when ARCHIVE_DATACLASS is specified.

–ARCHIVE_SPACE_TYPE(<TRK|CYL|BLK|MB|KB>)

TRK - (also TRKS and TRACKS) Allocation by tracks.

CYL - (also CYLS and CYLINDERS) Allocation by cylinders.


BLK - (also BLKS and BLOCKS) Allocation by blocks. (Note that the block size is specified in the ARCHIVE_BLKSIZE command.)

KB - (also KILOBYTES) Allocation by Kilobytes for a VSAM archive.

MB - (also MEGABYTES) Allocation by Megabytes for a VSAM archive.

VSAM Note: Both the primary and secondary extents are allocated at 100 allocation units unless changed by the –VSAM_SPACE_PRIMARY or the –VSAM_SPACE_SECONDARY commands.

This command specification can be overridden at the data level by the VSAM_DATA_SPACE_TYPE command. At the data level, the corresponding cluster information is not recognized.

–ARCHIVE_STORCLASS

Synonyms Include: –ARCHSCLASS

For a new or updated ZIP archive, the DF/SMS storage class may be specified using the ARCHIVE_STORCLASS command. If the command is not specified no storage class is used.

–ARCHIVE_STORCLASS(<storclass>)

storclass - The name of the DF/SMS storage class where the updated or new archive is to reside. There is an 8-character limit.

For new ZIP archives that are members of a PDS, the SecureZIP for zSeries DF/SMS command should specify the PDS class and the non-DF/SMS command should specify the PDS volume or unit of the allocation.

–ARCHIVE_TIMESTAMP

Synonyms Include: –TIMESTAMP

This command specifies the source of the date and time for a compressed file. The default is the LOCAL time, as set on the system.

–ARCHIVE_TIMESTAMP(CREATE|CREATEGMT|CREATEUTC|GMT|LOCAL|UTC)

CREATE - Specifies the creation date of the MVS data set with time of 00:00:00. This is because standard MVS systems retain the data set’s creation date but do not retain the time of creation. If this creation date does not exist, the LOCAL time is used. Members of a PDS will have the timestamp associated with the data set, not with the individual members.

CREATEGMT - Specifies the creation date of the MVS data set with a time of 00:00:00 as in CREATE, except that if the creation date does not exist, the UTC option is used.


CREATEUTC - Specifies the creation date of the MVS data set with a time of 00:00:00 as in CREATE, except that if the creation date does not exist, the UTC option is used.

GMT - Specifies the Greenwich Mean Time as set on the system. Time zones are not specified here; therefore, it is the same time, world-wide. The time is captured at the time ZIP processing begins.

LOCAL - Specifies the LOCAL time as set on the system. The LOCAL time is based on the UTC time with any adjustments made for time zones.

UTC - Specifies the Greenwich Mean Time as set on the system. Time zones are not specified here; therefore, it is the same time, world-wide. The time is captured at the time ZIP processing begins.

The time captured for the archive is the point at which ZIP processing begins and is the same for all files of that archive.

–ARCHIVE_UNIT

Synonyms Include: –ARCHUNIT

For new or updated ZIP file allocation, the generic units for the archive can be specified using the ARCHIVE_UNIT command. The default, should a unit be required, is the installation default, typically SYSDA.

–ARCHIVE_UNIT(unitname|SYSDA)

unitname - An 8-character field specifying the name of the generic unit to which the archive is to be allocated.

SYSDA - The default specification.

For new ZIP archives that are members of a PDS, the SecureZIP for zSeries DF/SMS command should specify the PDS class, and the non-DF/SMS command should specify the PDS volume or unit of the allocation.

–ARCHIVE_VOLUMES

Synonyms Include: –ARCHVOL

For a new or updated ZIP archive allocation, the volume(s) is specified using the ARCHIVE_VOLUMES command.

–ARCHIVE_VOLUMES(<volname>[ <volname> <volname>…])

volname - A 217-byte field specifying the name of the volume(s) onto which the new or updated ZIP archive is allocated. There may be up to 31 volume names specified with this command.

For an archive that is a new member of a new PDS, only the first <volname> will be used.

For a VSAM archive, the volumes are specified at the Cluster Level.

–ATTRIB_COMPATIBILITY

Synonyms Include: –ATTRCOMPAT, –ATTRIB_COMPAT, –ATTRIBUTE_COMPATIBILITY

This parameter governs the type of extended attributes that are stored in the archive. SecureZIP for zSeries provides compatible attributes with PKZIP for MVS version 2.5 and above in the Systems/390 environment through the use of extended file information. New attributes may be built upon the Z390 attribute set in future releases.

–ATTRIB_COMPATIBILITY(Z390|MV25)

Although ZIP archives created by older releases of PKZIP for MVS can be processed by SecureZIP for zSeries, extended attributes created by SecureZIP for zSeries in Z390 mode are not compatible with executions of PKZIP for MVS version 2. For installations where multiple releases of the product are run with files being shared between systems, or where compatibility is desired with archives being shared with a PKZIP for VSE version 2.x system, a mode of MV25 can be used so that the attributes created are acceptable to the older product versions.

–AUTHCHK

Synonyms Include: N/A

This command specifies that digital signature authentication processing should be performed. Separate authentication processing may be specified for either the archive central directory or files by using multiple commands. Optionally, specific signers may be specified to authenticate against.

-AUTHCHK(ARCHIVE|FILES,[certificate_store_type:selection][,R] [,PASSWORD=password])

ARCHIVE|FILES - Designates the type of authentication that is to be performed. Either ARCHIVE or FILES can be specified on each command. Multiple AUTHCHK commands can be specified.

certificate_store_type:selection - An optional parameter used when attempting to validate that the associated signature(s) are from a specific source (via a public key identification). This sub-parameter designates the media containing the certificate(s) having the public key.

See SIGN_ARCHIVE for a discussion of the certificate store types and selection processing. Although a public-key X.509 certificate entity is to be used for authentication processing, a private-key entity can also be used to obtain the necessary public key.

It is possible that more than one certificate may be returned for a single common name or email search. If so, each is added to the list of validating sources.

When no specific certificates are requested, any signatories found in the archive are validated in accordance with the –{AUTHENTICATE} policy settings in effect.

[,R] - This is an optional flag indicating that certificate(s) indicated by this AUTHCHK request must be satisfied for the run. This means that the public-key certificate information must be resolved on the local system and must pass validation as signatory for the type of AUTHCHK being performed.

All certificates specified with the “R” option must pass validation, or authentication will be marked as a failure. Only one authentication check command can be specified for the ARCHIVE type when a Required flag is set.

[,PASSWORD=] - Designates the password that is required for a private-key certificate that is to be used for public-key access. When a value is specified, the target must be an X.509 PKCS#12 private-key certificate. It should not be coded when requesting a public-key certificate.

The PASSWORD value may contain blanks and is delimited by the closing right parenthesis “)” of the signing command. Quotes and apostrophes should not be used as start/end delimiters.

Processing Notes

AUTHCHK= is not honored from the defaults module (ACZDFLT or other user-designated module). A preferable technique is to use INCLUDE_CMD and reference an independent file from which the AUTHCHK command(s) may be read (and file-protected from read access by the system’s security facility).

Passwords are masked out in SYSPRINT output displays.

When FILE: is specified as the certificate lookup type, the data set name is treated in accordance with fopen() as documented in the IBM C/C++ Programming Guide. See “Performing OS I/O Operations - Using a Data Set Name”. Starting a filename with “//” indicates the file refers to a non-POSIX file or data set. The name specified is translated to upper case by the run-time environment.

A local certificate store configuration is required to complete the processing of this command. Even when a direct FILE specification is made to locate the private-key certificate, the {CSCA=} and {CSROOT=} certificate store components must be accessible to complete the certificate signing chain within the archive. This information is required to complete authentication processing on the target system when the local certificate store on that system does not contain the certificate authority chain required to validate TRUST.

Authentication will fail if none of the requested certificates can be accessed, regardless of the “R” required flag. If multiple requests are made and at least one signature is found, processing will continue normally.

When one or more non-required certificates are requested but none can be resolved in the local certificate store, generic authentication continues as if no specific requests had been made.

When one or more certificates (required or non-required) are requested, and any are found in the local certificate store, at least one certificate in the list must pass authentication. By providing a list of acceptable non-required certificates, any may pass validation to satisfy the authentication request. However, certificates specified for authentication with “R” must still pass validation.

An archive Directory authentication failure generates a minimum condition code of 6 (RC=6) for the execution unless an appropriate PKSUPPRC command is entered. This halts further processing for the archive except for ACTION=VIEW processing.

A file authentication failure generates a minimum condition code of 6 (RC=6) for the execution unless an appropriate PKSUPPRC command is entered. Processing continues for other files in the archive.

Signed files are tolerated by prior releases of PKZIP and SecureZIP for zSeries but are not processed for authentication.

Authenticity Check Policies

Although the AUTHCHK command specifies which signature type (Archive or Files) should be checked, it does not direct the levels of checking to be performed. (For an overview of authentication, see the section “Authentication” in Chapter 2). The policy configuration setting AUTHENTICATE= (which may also be entered as a command) is used to govern the various aspects to be validated when an AUTHCHK operation is processed.

–{AUTHENTICATE=[ALL]|[NOT]EXPIRED,[NOT]TRUSTED,[NOT]REVOKED,[NO]TAMPERCHECK}

The AUTHENTICATE policy setting is usually located in the local certificate store configuration file supplied by the SecureZIP administrator. If not present, AUTHENTICATE=ALL is the default. Although multiple AUTHENTICATE policy command sequences may be entered, the sub-parameter values are not cumulative between commands. The latest entry of AUTHENTICATE= encountered in the command stream takes effect.

ALL - This subparameter activates all levels of authentication. If followed by negating sub-levels, then all but those negating levels are activated. For example:

-{AUTHENTICATE=ALL,NOTEXPIRED}

means that expired certificates will not cause an authentication error, but TRUST and TAMPERCHECK must both be satisfied.

[NOT]EXPIRED - This sub-parameter performs certificate date-range validation on the certificates (including the certificate authority chain). Although the term “expired” is used, a certificate that has not yet reached its valid date range specification will fail.

[NOT]REVOKED - This subparameter examines certificates and their trust chains to ensure that certificates have not been revoked by the certificate authority.

[NOT]TRUSTED - This subparameter signifies that the entire certificate authority chain must be validated. This includes locating the root (self-signed) certificate on the local system (as defined in {CSROOT=} within the local certificate store configuration).

[NO]TAMPERCHECK - This sub-parameter verifies the data stream against the digital signature.
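
As an added illustration (not PKWARE code), the following Python audit helper applies the rules above to a command stream: AUTHENTICATE=ALL is the default, the last AUTHENTICATE= entry replaces earlier ones, and an AUTHCHK card carrying an inline PASSWORD= is flagged because the processing notes prefer a read-protected INCLUDE_CMD file. The sample cards, data set name and password are constructed; sub-levels not named in a list without ALL are reported as "unstated" because the guide does not define them.

```python
import re

CHECKS = ("EXPIRED", "TRUSTED", "REVOKED", "TAMPERCHECK")
# Negated spellings from the syntax line:
# [NOT]EXPIRED, [NOT]TRUSTED, [NOT]REVOKED, [NO]TAMPERCHECK
NEGATED = {"NOTEXPIRED": "EXPIRED", "NOTTRUSTED": "TRUSTED",
           "NOTREVOKED": "REVOKED", "NOTAMPERCHECK": "TAMPERCHECK"}

AUTH_RE = re.compile(r"AUTHENTICATE=([A-Z,]+)", re.IGNORECASE)
PWD_RE = re.compile(r"AUTHCHK\([^)]*,\s*PASSWORD=", re.IGNORECASE)


def parse_policy(value):
    """Map each check to True (enabled), False (disabled) or None (not stated)."""
    state = dict.fromkeys(CHECKS, None)
    for token in (t.strip().upper() for t in value.split(",") if t.strip()):
        if token == "ALL":
            state = dict.fromkeys(CHECKS, True)
        elif token in NEGATED:
            state[NEGATED[token]] = False
        elif token in CHECKS:
            state[token] = True
        else:
            raise ValueError(f"unknown AUTHENTICATE sub-parameter: {token}")
    return state


def audit(cards):
    """Report the effective AUTHENTICATE policy and inline AUTHCHK passwords."""
    entries = [(n, parse_policy(m.group(1)))
               for n, card in enumerate(cards, 1)
               for m in AUTH_RE.finditer(card)]
    # Sub-parameters are not cumulative: only the latest entry takes effect.
    line, policy = entries[-1] if entries else (None, parse_policy("ALL"))
    return {
        "policy_line": line,
        "overridden_lines": [n for n, _ in entries[:-1]],
        "disabled": sorted(c for c, v in policy.items() if v is False),
        "unstated": sorted(c for c, v in policy.items() if v is None),
        # Line numbers only; the password text itself is never echoed.
        "inline_password_lines": [n for n, card in enumerate(cards, 1)
                                  if PWD_RE.search(card)],
    }


# Constructed command stream (hypothetical data set name and password).
SAMPLE_CARDS = [
    "-{AUTHENTICATE=ALL}",
    "-AUTHCHK(ARCHIVE)",
    "-AUTHCHK(FILES,FILE://HYPO.SIGNER.P12,R,PASSWORD=not a real pw)",
    "-{AUTHENTICATE=ALL,NOTEXPIRED,NOTREVOKED}",
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CARDS).items():
        print(f"{key}: {value}")
```

In the sample, the entry on card 4 replaces the stricter entry on card 1, so expiry and revocation checking are both off for the run even though the stream begins with AUTHENTICATE=ALL.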

–CALLMODE

Synonyms Include: N/A

This command is an internal use command that is used for environmental interfacing and should not be specified.

–CALLMODE(BATCH|ISPF|TSO)

–CHECK_SYSIN_MEMBER

Synonyms Include: N/A

This is a defaults-module only parameter (since the value must be determined before the SYSIN command set is opened).

–CHECK_SYSIN_MEMBER(Y|N)

The default operation of SecureZIP for zSeries is to verify that command input stored in a PDS or PDSE member exists. If the member is not found, then a message is issued and the SECZIP function is terminated.

"ZPCM010E MEMBER NOT ACCESSIBLE IN DATASET"

Installations that use very large PDS/PDSE libraries may want to avoid the overhead of searching the directory. Performance may be improved by specifying CHECK_SYSIN_MEMBER=N in the ACZDFLT module.

However, a system abend S013 will occur if the specified member does not exist in the library.

–COMPRESSION_LEVEL

Synonyms Include: –METHOD, –EN, –ES, –EX, –E0

This command specifies the speed and compression level when zipping a file.

–COMPRESSION_LEVEL(NORMAL|MAXIMUM|FAST|SUPERFAST|STORE)

When updating files in a ZIP archive, COMPRESSION_LEVEL specifies a parameter that determines the compression level and speed to be used. The command can specify one of the five options.

The following table shows the balance of degree of compression and speed of compression. The levels range from 0 (low) to 5 (high). For example, when using MAXIMUM, a resulting compressed file would be highly compressed, but it would take a longer time to complete.

Level                Compression  Speed
MAXIMUM              4            1
NORMAL               3            2
FAST                 2            3
SUPERFAST (default)  1            4
STORE                0            5

If the compressed file is larger than the original file, SecureZIP for zSeries performs a COMPRESSION_LEVEL(STORE) on the file instead of compressing it. Note that this file processing overhead requires significantly more time than if a COMPRESSION_LEVEL(STORE) command was issued initially.

–CRLF

Synonyms Include: –NOCRLF

☺ - Cross Platform Compatible command (VSE, iSeries, OS/400, UNIX, and Windows).

This command determines whether special delimiters or terminators are inserted when a file is being extracted from a ZIP archive.

–CRLF(Y|N|C[,STRICT])

Y - YES - Insert CR (carriage control), LF (line feed), or CZ (Ctrl-Z), as appropriate.

N - NO - Do not insert CR, LF, or CZ.

C - COMPATIBILITY - Changes the way SecureZIP for zSeries processes the last record in a file.

Y,STRICT - This special setting specifies that during UNZIP text-file processing, strict adherence to the DATA_DELIMITER and FILE_TERMINATOR character sequences is required to identify the end of a record. This combination may only be specified through command input and should be coded as “-CRLF(Y,STRICT)” as the last CRLF command encountered. Any other CRLF command will switch “STRICT” off.

When extracting a text file from a ZIP file that contains no internal delimiters or terminators of CR, LF, or CZ, you can use CRLF(N) so that the SECUNZIP program creates fixed record lengths for the output. The maximum record length of the extracted data set determines the output record length. The last record of the output is filled with EBCDIC spaces (Hex 40) if needed.

FILE_TERMINATOR() and DATA_DELIMITER() may also be used and the SECUNZIP program will search for default delimiters.

See also DATA_TYPE(TEXT).

In SECZIP Processing

CRLF=Y normally places the DATA_DELIMITER character(s) after every record (including the last one) before conditionally adding the FILE_TERMINATOR character(s).

CRLF=C specifies that the last record should not have the DATA_DELIMITER characters added after the last record of the file, and should only have the FILE_TERMINATOR character(s) added.

Note: –CRLF(Y,NOEOFDELIM) also performs this action.

If the default values for DATA_DELIMITER and FILE_TERMINATOR are taken, the same output results are seen with either CRLF=Y (standard) or CRLF=C. The advantage of using CRLF=C or CRLF(Y,NOEOFDELIM) is that finer control of the last control characters in the file can be achieved through the FILE_TERMINATOR specifications.

In SECUNZIP Processing

CRLF=C during an EXTRACT causes additional line control interpretation to be done when the DATA_DELIMITER and FILE_TERMINATOR characters specified do not accurately match the source file. This is a compatibility option (PKZIP MVS 2.x) that sets the FILE_TERMINATOR to x’0D0A1A’ and treats this terminator as the last record’s delimiter.

Use of CRLF=C or CRLF=Y (without STRICT) may cause records to be split when binary data (within a text file) is found to contain any of the typical line control characters.

CRLF=Y causes any of the specified DATA_DELIMITER control characters to act as a record delimiter, regardless of sequence. X’1A’ (Ctrl-Z) is also considered to be a delimiter, even when not specified in the command set.

CRLF(Y,STRICT) may be used in conditions where a multi-character record delimiter (such as x'0D0A' from a PC) is being read but there are also spurious control characters intermixed with the data. Assuming that an inbound text file used x'0D0A' as the record delimiter with default processing, any x'0D' or x'0A' in the data stream would normally cause a record break during output operations. However, with STRICT turned on, only exact sequences of x'0D0A' would cause a record break, and the individual occurrences or reversed x'0A0D' will be kept as part of the data stream for subsequent translation. Only the character streams specified in DATA_DELIMITER and FILE_TERMINATOR are used in the scan.

Note: When CRLF(Y,STRICT) is enabled, a check for an exact match of the FILE_TERMINATOR stream will be done before checking the DATA_DELIMITER characters. If there are no data bytes found since the preceding record when a positive match of the terminator string occurs, no record is written. This will result in an empty output file when only the FILE_TERMINATOR stream is found in the extracted data. For example, if x'0D0A' are specified in both FILE_TERMINATOR and DATA_DELIMITER, a stand-alone x'0D0A' at the end of the uncompressed data stream will be treated as NULL information because it matches the FILE_TERMINATOR.
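
The following Python sketch is an added, simplified model of the two extraction scans described above; it is not SecureZIP code. It assumes that in non-STRICT mode adjacent distinct control bytes (for example CR LF CZ) count as a single record break and that in STRICT mode scanning continues after a terminator match; the sample stream is constructed.

```python
CR, LF, CZ = b"\x0d", b"\x0a", b"\x1a"


def split_default(data, delimiter=CR + LF):
    """CRLF(Y) without STRICT: any DATA_DELIMITER byte, or x'1A', ends a record."""
    breakers = set(delimiter) | {0x1A}
    records, current, i = [], bytearray(), 0
    while i < len(data):
        if data[i] in breakers:
            records.append(bytes(current))
            current.clear()
            seen = set()
            # Assumption: a run of distinct control bytes is one break, so
            # CR LF is one break while LF LF produces an extra empty record.
            while i < len(data) and data[i] in breakers and data[i] not in seen:
                seen.add(data[i])
                i += 1
        else:
            current.append(data[i])
            i += 1
    if current:
        records.append(bytes(current))
    return records


def split_strict(data, delimiter=CR + LF, terminator=CZ):
    """CRLF(Y,STRICT): only the exact byte sequences end a record."""
    records, current, i = [], bytearray(), 0
    while i < len(data):
        # The FILE_TERMINATOR is checked before the DATA_DELIMITER.
        if terminator and data.startswith(terminator, i):
            if current:  # no data since the preceding record: nothing written
                records.append(bytes(current))
                current.clear()
            i += len(terminator)
        elif delimiter and data.startswith(delimiter, i):
            records.append(bytes(current))
            current.clear()
            i += len(delimiter)
        else:
            current.append(data[i])  # stray CR or LF stays in the record
            i += 1
    if current:
        records.append(bytes(current))
    return records


def split_report(data, delimiter=CR + LF, terminator=CZ):
    """Compare both scans and list STRICT records that default mode would split."""
    breakers = set(delimiter) | {0x1A}
    strict = split_strict(data, delimiter, terminator)
    return {
        "default": split_default(data, delimiter),
        "strict": strict,
        "at_risk": [r for r in strict if any(b in breakers for b in r)],
    }


# Constructed stream: x'0D0A' record delimiters, a stray x'0A', a reversed
# x'0A0D' pair inside the data, and a closing x'1A'.
SAMPLE = b"ID=7\x0aflag\r\nNAME\x0a\x0dX\r\n\x1a"

if __name__ == "__main__":
    report = split_report(SAMPLE)
    print("default:", report["default"])
    print("strict: ", report["strict"])
    print("at risk:", report["at_risk"])
    # Terminator equal to delimiter: a lone x'0D0A' yields no record at all.
    print("empty:  ", split_strict(b"\r\n", CR + LF, CR + LF))
```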

ACZDFLT (MCZDFLTS macro)

When CRLF=C is used in the MCZDFLTS macro and FILE_TERMINATOR is not specified, the default for FILE_TERMINATOR will be set to CRLFCZ (x’0D0A1A’) instead of the standard default of CZ (x’1A’). This yields equivalent ZIP results when CRLF=Y is specified with its defaults.

“–FILE_TERMINATOR=” can be specified along with –CRLF=C to ZIP a file, resulting in no control characters at the end of the file.

If both CRLF=C and FILE_TERMINATOR=CZ are specified, then FILE_TERMINATOR=0D0A1A is substituted. FILE_TERMINATOR=1A can be used to override this substitution.

Processing Examples

–DATA_DELIMITER CRLF = x'0A0D'

–FILE_TERMINATOR CZ = x'CZ'

CRLF(N) - No control characters are inserted after any records. No control characters are inserted at the end of the file.

Rec1_dataRec2_data…

CRLF(Y) - All records are terminated with DATA_DELIMITER characters. After the final record, the –FILE_TERMINATOR character is added.

Assuming the distributed defaults of: –DATA_DELIMITER=crlf –FILE_TERMINATOR=cz

Rec1_dataCRLF Rec2_dataCRLF Last_recordCRLF CZ

CRLF(C) - All records except the last record are terminated with –DATA_DELIMITER characters. After the final record, the –FILE_TERMINATOR character is added.

Assuming the distributed defaults of: –DATA_DELIMITER=crlf –FILE_TERMINATOR=cz

Rec1_dataCRLF Rec2_dataCRLF Last_record CZ

CRLF=Y,NOEOFDELIM - All records except the last record are terminated with –DATA_DELIMITER characters. After the final record, the –FILE_TERMINATOR character is added. Same as CRLF(C).

–DATA_DELIMITER

Synonyms Include: –DELIM

☺ - Cross Platform Compatible command (VSE, iSeries, OS/400, UNIX, and Windows).

In SECZIP Processing:

When compressing a file as text (not binary), the DATA_DELIMITER command specifies what character(s) to store at the end of each record to differentiate records. (See the CRLF and FILE_TERMINATOR commands regarding control over the last record). When compressing a file as binary, the DATA_DELIMITER command is ignored.

–DATA_DELIMITER(<delim chars>)

Delim chars - The delimiter characters to be appended. There may be 0-4 characters specified in any combination:

CR - Appends an ASCII Carriage Return (hex 0D).

CZ - Appends an ASCII Ctrl-Z character (hex 1A).

LF - Appends an ASCII Line Feed character (hex 0A).

() - No delimiters at all.

The default is CRLF if no DATA_DELIMITER command is specified.

Note: Transfers of Microsoft Disk Operating System (MS-DOS) records use a CRLF for a delimiter, while UNIX records use an LF. See –INCLUDE_CMD=TOMSDOS|TOUNIX for more information about target platform requirements.

When extracting the file(s), the same DATA_DELIMITER command should be used to differentiate each record, just as it was when it was compressed.

SecureZIP for zSeries searches for one each of CR, CZ, and LF characters as a default for text file record delimiters. If a file was compressed with double characters as delimiters—for example, DATA_DELIMITER(LFCZLF)—and the file is later decompressed without the DATA_DELIMITER command (a default search is used), SecureZIP for zSeries uses each LF as a record delimiter. It then creates extra record(s) to accommodate for the duplicate characters—for example, LF.

In SECUNZIP Processing

When decompressing a text file (not binary), the DATA_DELIMITER command specifies what characters to look for at the end of records (except the last) that serve as delimiters. The delimiter is removed from the record when it is decompressed. The last record of the file ends with the characters specified in the FILE_TERMINATOR command. When decompressing a binary file, the DATA_DELIMITER command is ignored.

–DATA_DELIMITER(<delim chars>)

delim chars - The delimiter characters to be appended. There may be 0-4 characters specified in any combination:

CR - Appends an ASCII Carriage Return (hex 0D).

CZ - Appends an ASCII Ctrl-Z character (hex 1A).

LF - Appends an ASCII Line Feed character (hex 0A).

() - No delimiters at all.

The default is CRLF if no DATA_DELIMITER command is specified.

Default processing of records. SecureZIP for zSeries will search for a range of delimiters when the DATA_DELIMITER command is not used. They are: CRLFCZ, LFCRCZ, CRLF, LFCR, CRCZ, LFCZ, CR, and LF. This default may be used unless special delimiter combinations were assigned during compression. To assure correct location of records, the same DATA_DELIMITER command used in compression should be used to decompress as well.

–DATA_STORAGE

Synonyms Include: –CACHEMEMORY

Cache memory may be specified, with the DATA_STORAGE command, in order to increase processing speed. This command specifies the total number of bytes to be allocated for caching. The default is zero (0)—no caching—when this command is not specified.

-DATA_STORAGE(<bytes>)

bytes - This specifies the total number of bytes assigned for caches in SecureZIP for zSeries. <bytes> may range from 64000 to (2^31 - 1).

The unit is specified only in bytes and with no commas. To specify a cache memory of 0.30Mb, use DATA_STORAGE(300000).

A larger file may be processed in less time by specifying a larger cache memory. A larger cache memory increases virtual memory for compression operations that may decrease the necessary number of disk accesses. This reduces I/O time and thus improves compression performance time.

Warning: Be aware of your system’s storage requirements before specifying very large amounts of cache memory of, for example, 1 Gbyte or 1000000000. Claiming too large a cache memory when there is insufficient storage and/or page data sets can create serious problems. It is suggested that one should verify this capability with the proper systems management personnel before attempting a command of this magnitude.

SecureZIP for zSeries can use multiple caches during processing which can vary the actual amount of virtual memory that is used. The amount is affected by the number and size of the files being processed.

–DATA_TRANS_API_ERRLIM

Synonyms Include: N/A

This setting currently has no effect.

–DATA_TRANS_API_ERRLIM(<threshold #>)

threshold # – Default 0

–DATA_TRANS_API_ERROR

Synonyms Include: N/A

Identifies the type of processing to occur when an API error occurs.

–DATA_TRANS_API_ERROR(STOPRUN|ABEND|IGNORE)

STOPRUN traps any program exception, displays the results of the trap, and causes the end of the SecureZIP execution.

ABEND causes the API to allow an abend of the user API without trapping the program exception, allows a dump to occur, and ends the SecureZIP execution.

IGNORE traps any program exception, displays the results of the trap, and continues with the next record or file.

–DATA_TRANS_API_LANGUAGE

Synonyms Include: N/A

The language used to code the API. Basic Assembler Language (ASM) is the default.

–DATA_TRANS_API_LANGUAGE(ASM|COBOL)

–DATA_TRANS_API_NAME

Synonyms Include: N/A

The name of the data record transformation API load module. Place this load module into a JOBLIB, STEPLIB or a system linklist library.

–DATA_TRANS_API_NAME(<module name>)

module name – The name, up to 8 characters, of the load module to be used as the data record transformation API.

Note: Use of the NOAPI control card negates all USER API processing. Any information placed into the DATA_TRANS_API control cards is ignored.

–DATA_TRANS_API_PARM

Synonyms Include: N/A

This control card can be used to pass information to the User API.

–DATA_TRANS_API_PARM(<user data>)

user data – Default blanks, can be up to 80 bytes

–DATA_TRANS_API_TRACE

Synonyms Include: N/A

This allows headings, control blocks, registers, and data areas to be presented in SYSPRINT to help in the debugging of a User API.

–DATA_TRANS_API_TRACE(0|1|2|3|4)

0 = Trace Off

1 = Basic

2 = Medium

3 = Low Level

4 = Very Low Level

The higher the number, the greater the volume of output.

–DATA_TRANS_API_WORKSIZE

Synonyms Include: N/A

The size of the work area to be used for the API. This area can be used to pass information between instances of the API being called and will be retained for the life of the run.

–DATA_TRANS_API_WORKSIZE(<work size in bytes>)

work size – Default is 4096; maximum is 32768

–DATA_TYPE

Synonyms Include: –DETECT, –BINARY, –TEXT, –DETECTX

This command specifies that files for compression are either binary, text, or detectable. If the modifier is (BINARY), no translation is performed on the files. If the modifier is (TEXT), the files selected for compression are treated as text files and are translated from EBCDIC to ASCII before compression. If neither of these is specified, the program makes a determination (DETECT) based on the existing data type. The program reads in a portion of the data, evaluates it, and determines the appropriate process.

–DATA_TYPE(DETECT|BINARY|TEXT|DETECTX)

If you know the file type, you can save processing time by specifying DATA_TYPE(BINARY), DATA_TYPE(TEXT), or DATA_TYPE(BINARY) with SAVE_LRECL(Y).

In SECZIP Processing

When specifying –DATA_TYPE(BINARY):

No translation of the data is performed, and record terminators are not inserted. A binary file contains no delimiters between records and should only be used when the target system (for UNZIP) will be able to handle the EBCDIC format. Variable length files should be processed with the addition of the SAVE_LRECL(Y) command. This command is commonly used when exchanging files between Systems/390 operating environments, for example, load modules.

When specifying –DATA_TYPE(TEXT):

A compressed text file is stored as ASCII (unless otherwise specified with TRANSLATE_TABLE_DATA) and is stored with the specified delimiters (DATA_DELIMITER) and terminator (FILE_TERMINATOR). Note that the translation defaults and delimiter and terminator defaults of a stored text file from SecureZIP for zSeries make the file compatible with compressed files on other platforms. This enables compressed text files to be extracted onto other platforms.

When specifying –DATA_TYPE(DETECT) or –DATA_TYPE(DETECTX):

SECZIP attempts to dynamically determine whether the data should be translated into TEXT format. A portion of the file (see DATATYPE_DETECT_DEPTH) is examined using the tailorable DETECTXT translation table (see DATATYPE_DETECT_TABLE) and is compared to the value specified in DATATYPE_TEXT_PERCENT.

In SECUNZIP Processing:

When specifying –DATA_TYPE(BINARY):

If the raw format of the data is desired, regardless of whether the originating system ZIPPED the file as TEXT, use this command.

Binary processing does not attempt to resolve record delimiters. As a result, the data is streamed into records according to the file allocation specifications. Note that when using SecureZIP for zSeries to create binary files that are targeted for another MVS system, SAVE_LRECL(Y) can be specified to preserve record lengths.

When specifying –DATA_TYPE(TEXT):

The selected file is treated as a text file regardless of the archive directory indicator for the file. This can be used when the originating system is known to have ZIPPED an ASCII text file as binary. To discover what file type exists in the archive directory entry, see the ACTION(VIEW) command.

When the SECUNZIP program extracts the selected file, it first translates the character set and then extracts records to the output file as determined by embedded record delimiters. (See DATA_DELIMITER command). The delimiters are not included in the extracted file. If the output file is a fixed record length, then records that exceed the record length will be truncated and records that are smaller than the record length will be filled with EBCDIC spaces (hex 40).

If no delimiters are embedded in the selected file, the command CRLF(N) should also be used. This command directs the SECUNZIP program to not seek out record delimiters but instead use the maximum record size in creating the output.

When specifying –DATA_TYPE(DETECT):

The SECZIP archive layout contains an indicator that reflects whether the file was ZIPPED as text. SecureZIP for zSeries honors that flag when DETECT is specified. This is the default setting. However, there are cases in which DETECTX is recommended: when TEXT data has been ZIPPED in an ASCII environment with a binary indication, for example, when a workstation ZIP compatible product is used to create the archive.

When specifying –DATA_TYPE(DETECTX):

On some platforms, for example, workstations, some ZIP utilities do not set the TEXT indicator although the data was ASCII text. In this situation, DETECTX is recommended so that SecureZIP for zSeries attempts to dynamically determine whether the data should be translated into EBCDIC TEXT format. A portion of the file (see DATATYPE_DETECT_DEPTH) is examined using the tailorable DETECTXT translation table (see DATATYPE_DETECT_TABLE) and compared to the value specified in DATATYPE_TEXT_PERCENT. (Note that the detection depth is limited in size to the first internal buffer being extracted. This is typically less than 64K).

–DATATYPE_DETECT_DEPTH

Synonyms Include: –DATATYPE_SCAN_DEPTH, –DETECT_DEPTH

This command specifies the distance that a file is scanned before making a determination as to whether it is binary or text. It can be specified as a number of records (1000R) or as a size in bytes (64000), Kilobytes (64K), or Megabytes (4M).

–DATATYPE_DETECT_DEPTH(<amt>)

amt

amount in records (1000R).

amount in bytes (64000).

amount in kilobytes (64K) (8K is the default).

amount in megabytes (4M).

It is important to note that the amount of data specified in this parameter is buffered in virtual storage during the text/binary translation period and before the data is directed to the compression algorithms. (Compression cannot be performed until data translation and record delimiter processing is done, which follows DATA_TYPE detection). The buffering is done for performance reasons (to avoid Close/Open/Re-read overhead). However, sufficient virtual storage (31-bit region) must be available to temporarily hold the specified quantity, or storage capacity issues may arise.

Note that in UNZIP processing with DETECTX, record count is changed to a maximum setting of 64K. Since the data is being scanned for ASCII characters before record processing is determined, a record count is not applicable. The amount of data scanned for DETECTX is also limited to the amount of data returned by the decompression engine (typically a maximum of 64K) and is dynamically rounded down as needed.

–DATATYPE_DETECT_TABLE

Synonyms Include: N/A

This command specifies the table of characters used to assess whether a byte is text or binary. The default table name is DETECTXT.

–DATATYPE_DETECT_TABLE(<tablename>|DETECTXT)

tablename - A tablename of characters used to assess whether a byte is text or binary.

DETECTXT - The default table as shipped with the product.

The specified TRANSLATE and TEST table is used to detect binary data within data records when DATA_TYPE(DETECT) is specified for ZIP processing.

The table is used as a character lookup table for each byte scanned through DATATYPE_SCAN_DEPTH. The binary value of each data byte is used to locate a position in the table. If the table position is x'00', then that byte is considered to be BINARY. If the table position is NONZERO, then the byte is counted as TEXT. The actual value in the table is not important, but the locations have been filled in with the equivalent offset for ease of editing (the comments reflect the character value where possible, although some bytes (such as CR/LF) are simply indicated with a comment of ".").

This table may be changed, copied, and re-assembled to adjust for data dependencies. The table used (loaded as a load module) is specified in DATATYPE_DETECT_TABLE and may be specified either in the defaults module or by command. (See members in INSTLIB(ASMDETXT) and (DETECTXT).)

–DATATYPE_TEXT_PERCENT

Synonyms Include: N/A

This command specifies the percentage of the sample that must meet the “text” criteria before it will be considered to be TEXT.

–DATATYPE_TEXT_PERCENT(<percent>)

percent - This is the percentage from 1-100 that is required (97% is the default).

If the entire file is read before DATATYPE_DETECT_DEPTH is reached, then the percentage is computed according to the number of bytes read. For example, if DATATYPE_TEXT_PERCENT=97 is specified, with DATATYPE_DETECT_DEPTH=64K, then .03 * (64*1024) = 1966 (rounded down). Once 1967 binary characters are found, then the entire DEPTH cannot meet 97% text, so the scan is terminated and the file is marked as BINARY.

Given the percentage listed above (97%), a file having 100 records, each containing 80 bytes of text with 2 bytes of additional termination information (total 82 bytes), passes as TEXT: 100 * 82 (8200) * .03 = 246. Thus, 246 bytes of binary data would be required to mark this file as BINARY, but there are only 200.
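The scan described by DATATYPE_DETECT_DEPTH, DATATYPE_DETECT_TABLE and DATATYPE_TEXT_PERCENT can be modelled as follows. This is an added example, not SecureZIP code: the table contents, function names and sample data are constructed for illustration, and the boundary rule follows the 1966/1967 arithmetic given above.

```python
from typing import NamedTuple


class Verdict(NamedTuple):
    data_type: str  # "TEXT" or "BINARY"
    scanned: int    # bytes examined before the decision was made
    binary: int     # bytes whose table entry was x'00'


def build_table(text_bytes):
    """256-entry lookup table: x'00' marks BINARY, any nonzero entry marks TEXT."""
    table = bytearray(256)
    for b in text_bytes:
        table[b] = b or 0xFF  # filled with the offset; only zero/nonzero matters
    return bytes(table)


# Constructed ASCII-side table (NOT the shipped DETECTXT module):
# printable ASCII plus TAB, LF, CR and Ctrl-Z count as text.
SAMPLE_TABLE = build_table(list(range(0x20, 0x7F)) + [0x09, 0x0A, 0x0D, 0x1A])


def parse_depth(amt):
    """Convert a DATATYPE_DETECT_DEPTH amount in bytes, K or M to a byte count."""
    amt = amt.strip().upper()
    if amt.endswith("R"):
        raise ValueError("record counts depend on record length; not modelled here")
    scale = {"K": 1024, "M": 1024 * 1024}.get(amt[-1], 1)
    return int(amt.rstrip("KM")) * scale


def detect_data_type(data, table, depth=8 * 1024, text_percent=97):
    """Classify data by scanning at most `depth` bytes against the table."""
    # Binary bytes the full depth can absorb and still reach text_percent.
    budget = (100 - text_percent) * depth // 100
    binary = scanned = 0
    for byte in data[:depth]:
        scanned += 1
        if table[byte] == 0:
            binary += 1
            if binary > budget:
                # The whole depth can no longer meet the percentage: stop early.
                return Verdict("BINARY", scanned, binary)
    # File ended before the depth was reached (or exactly at it):
    # the percentage is computed on the bytes actually read.
    allowed = (100 - text_percent) * scanned // 100
    return Verdict("TEXT" if binary <= allowed else "BINARY", scanned, binary)


if __name__ == "__main__":
    # Constructed input: 100 records of 80 text bytes plus 2 non-text bytes each.
    records = (b"A" * 80 + b"\x00\x01") * 100
    print(detect_data_type(records, SAMPLE_TABLE, depth=parse_depth("64K")))
```

A lower DATATYPE_TEXT_PERCENT or a permissive table makes it more likely that binary content is translated as text and corrupted on extraction, so changes to either are worth testing against representative files first.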

–DDNAME_PARMLIB

Synonyms Include: N/A

This command specifies the name of the JCL DD statement used to read the preset commands which are read before the //SYSIN member.

–DDNAME_PARMLIB(<ddname>)

ddname - This is the DDname of the preset parameters member.

PARMLIB - This is the default DDname.

–DDNAME_SYSIN

Synonyms Include: N/A

This command specifies the name of the JCL DD statement used to identify the SYSIN member. It can go into the defaults module to specify which DDname to open to read job level commands.

–DDNAME_SYSIN(<ddname>)

ddname - This is the DDname of the SYSIN member.

SYSIN - This is the default DDname.

–DDNAME_SYSPRINT

Synonyms Include: N/A

This command specifies the name of the JCL DD statement used to identify where messages will be written.

–DDNAME_SYSPRINT(<ddname>)

ddname - This is the DDname of the SYSPRINT member.

SYSPRINT - This is the default DDname.

–DDNAME_ZPSORTIN

Synonyms Include: N/A

This command specifies the name of the JCL DD statement used for sorting directory information associated with VIEW processing. This should not need to be changed unless the name conflicts with other JCL allocation used in the same job step.

–DDNAME_ZPSORTIN(<ddname>)

ddname - The DDname to use for SORTIN.

ZPSRTIN - The default DDname.

Note: The value specified for –TEMP_UNIT is used to allocate a temporary work file with this DD.

–DDNAME_ZPSORTOUT

Synonyms Include:

This command specifies the name of the JCL DD statement used for sorting directory information associated with ACTION(VIEW) processing. This should not need to be changed unless the name conflicts with other JCL allocation used in the same job step.

–DDNAME_ZPSORTOUT(<ddname>)

ddname - The DDname to use for SORTOUT.

ZPSRTOUT - The default DDname.

–ECHO

Synonyms Include: –NOECHO

Commands used for the SECZIP and SECUNZIP programs are put into the output message data set when ECHO(Y) is specified. This is the default setting.

–ECHO(Y|N)

Y - YES - Log all output messages to SYSOUT.

N - NO - Do not log output messages to SYSOUT.

One would use ECHO(Y) if the ECHO(N) command had previously been used (either in the configuration module or through the JCL) to suppress output messages. Then the commands that are output begin with the ECHO(Y) command itself. Since the ECHO command is processed before it is activated, errors in this line would not appear in the output message data set.

–ENCRYPT_CERT_LIMIT

Synonyms Include: N/A

ENCRYPT_CERT_LIMIT(0|1-3275)

This command assists in restricting the number of certificates being used to represent a user or organization for each encrypted file. The limit number can be used to avoid long LDAP searches for generic search criteria that could consume virtual storage and processing resources. In addition, it can be used to allow processing to continue even if the limit is reached.

When the LDAP search requests are found to exceed a specified non-zero value, ZIP processing will continue with the number of certificates found.

When zero (0) is specified, then the default maximum value of 3275 is used. Under this condition, if the maximum limit is reached, ZIP processing will terminate.

–ENCRYPTION_METHOD

Synonyms Include: –AES128 | AES192 | AES256 | BSAFE_AES128 | BSAFE_AES192 | BSAFE_AES256 | BSAFE_DES | BSAFE_3DES | BSAFE_RC4

☺ - Cross Platform Compatible command (iSeries, OS/400, UNIX, and Windows).

When a ZIP action is requested to save a file in an archive and a password is provided, SecureZIP for zSeries will use an encryption method to protect the data. This command value specifies which algorithm is to be employed.

Standard - This algorithm is the original algorithm used in PKZIP 2.x products and is compatible with other PKZIP 2.04g products that support standard encryption. This is the default value for password-only encryption unless the installation defaults module has been tailored differently.

AES128 - A SECZIP/PKZIP exclusive implementation of the AES 128-bit key algorithm (also known as Rijndael) will be used.

AES192 - A SECZIP/PKZIP exclusive implementation of the AES 192-bit key algorithm.

AES256 - A SECZIP/PKZIP exclusive implementation of the AES 256-bit key algorithm.

BSAFE_AES128 - A SECZIP/PKZIP implementation of the RSA Security, Inc. CERT-C AES 128-bit key algorithm. When Recipient-based encryption is requested, this will be the default encryption method unless the installation defaults module has been tailored differently.

BSAFE_AES192 - A SECZIP/PKZIP implementation of the RSA Security, Inc. CERT-C AES 192-bit key algorithm.

BSAFE_AES256 - A SECZIP/PKZIP implementation of the RSA Security, Inc. CERT-C AES 256-bit key algorithm.

BSAFE_DES - A SECZIP/PKZIP implementation of the RSA Security, Inc. CERT-C DES key algorithm.

BSAFE_3DES - A SECZIP/PKZIP implementation of the RSA Security, Inc. CERT-C Triple DES key algorithm.

BSAFE_RC4 - A SECZIP/PKZIP implementation of the RSA Security, Inc. CERT-C RC4 key algorithm.

Usage Notes:

• SECUNZIP will automatically detect which encryption method was specified during the ZIP process and operate accordingly.

• During a SECZIP (ZIP) run, only 1 encryption method may be specified, and that method will be used for each file operated on.

• By executing SECZIP at different times, various files within the archive may be saved with differing levels (and types) of protection. That is, some files may not be protected at all, while others may have different methods and/or passwords.

• A “+” is shown in a View to indicate Standard Encryption protection is used for a file.

• A “!” is shown in a View to indicate Strong Encryption protection is used for a file.

• When specifying long passwords (requiring multiple control records) do not use the “+” continuation character (because it supplies an implicit blank in the command stream).

• This enhanced feature for ADD, UPDATE, and FRESHEN applies to standard ZIP archives and not GZIP.

–EXCLUDE(dsname mask)

Synonyms Include: N/A

This parameter has no equivalent. It is a new command.

When selecting a large number of files via a mask selection it may be useful to eliminate some of the files from being processed, for example, GDGs, ZIP archives, or other special files that can be identified by their data set naming conventions.

See also: –SELECT_TAPE, –SELECT_VSAM, –SELECT_CATALOGED_ALIAS, and –RECALL_TO_ZIP for other selection-restricting capabilities.

The dsname mask may be a fully qualified file name or a masked name (similar to data set selection names) of 1 to 80 characters. (Embedded blanks in an MVS dsname for ZIP processing will truncate the mask.)

Multiple EXCLUDE commands may be specified in an execution. A table is built from all of the commands found and is scanned for a match against a candidate file for selection. The file will be excluded if ANY of the masks is a match.

Note that there is no default for this command, nor can one be specified in the ACZDFLT module. This is a run-time only command, although it may be specified through the PARMLIB DD or EXEC parms (including a parm string from a calling program) in addition to SYSIN.

Example:

Assume that PDS SYS1.PARMLIB contains members CLOCK01, CLOCK02, CLOCK11, and CLOCK13. If the following commands were issued for SECZIP:

SYS1.PARMLIB(CLOCK*) –EXCLUDE=SYS1.PARMLIB(*11)

Member CLOCK11 would be excluded from the ZIP process, while the other members would be processed.

–EXTRACT_PREVIEW

Synonyms Include: –PREVIEW

When the contents of a large archived file are unknown, it may be useful to extract a small portion of the file for the purpose of previewing the data. The EXTRACT_PREVIEW(nnnnnnnn) command limits the number of records to extract and can save a considerable amount of time in assessing data content.

–EXTRACT_PREVIEW(<nnnnnnnn>)

The parameter value specifies the maximum number of records to extract. If the value is either 0 (or not supplied) then the entire file is extracted.

–FILE_BUSY_WAITTIME

Synonyms Include: N/A

This command specifies how long SecureZIP for zSeries should wait while continually retrying before it will terminate and give an error message or go on to further processing.

–FILE_BUSY_WAITTIME(<HHMMSSTH>)

HHMMSSTH:

HH - Hours

MM - Minutes

SS - Seconds

T - Tenths of a second

H - Hundredths of a second

00100000:

10 minutes is the default

–FILE_EXTENSION

Synonyms Include: –CNVEXT

☺ - Cross Platform Compatible command (VSE, iSeries, OS/400, UNIX, and Windows).

- Be aware that if this command is used incorrectly, you could incur problems.

When a file is extracted and the archive name contains an extension, the FILE_EXTENSION command specifies what to do with the extension. There are three options: DROP (the default), SUFFIX, or NAMEFILE.

–FILE_EXTENSION(DROP|SUFFIX|NAMEFILE)

DROP - Drops the extension (which will drop the last data level of the archive file).

Example: Given the file: FIRST/RATE/DATES/TEST

and a command of: –FILE_EXTENSION(DROP)

the file will be: FIRST.RATE.DATES

the PDS will be: FIRST.RATE(DATES)

SUFFIX - Appends the extension to the last data level (note that any generated name longer than 8 characters will be truncated to 8 characters).

Example: Given the file: FIRST/RATE/DATES/TEST

and a command of: –FILE_EXTENSION(SUFFIX)

the file will be: FIRST.RATE.DATESTES

the PDS will be: FIRST.RATE(DATESTES)

NAMEFILE - Makes the extension into a data level.

Example: Given the file: FIRST/RATE/DATES/TEST

and a command of: –FILE_EXTENSION(NAMEFILE)

the file will be: FIRST.RATE.DATES.TEST

the PDS will be: FIRST.RATE.DATES(TEST)

The default is DROP if no FILE_EXTENSION command is specified.

–FILENAME_API_ERRLIM

Synonyms Include: N/A

This command value is not currently used.

–FILENAME_API_ERRLIM(<threshold #>)

threshold # – Default 0

–FILENAME_API_ERROR

Synonyms Include: N/A

Identify the type of processing to occur when an API error occurs.

STOPRUN will trap any program exception, display the results of the trap and cause the end of the SECZIP execution.

ABEND will cause the API to allow an abend of the user API without trapping the program exception and will subsequently allow a dump to occur. It will then result in the end of the SECZIP execution.

IGNORE will trap any program exception, display the results of the trap, and then continue with the next file.

–FILENAME_API_ERROR(STOPRUN|ABEND|IGNORE)

–FILENAME_API_LANGUAGE

Synonyms Include: N/A

The language used to code the API. Basic Assembler Language (ASM) is the default.

–FILENAME_API_LANGUAGE(ASM|COBOL)

–FILENAME_API_NAME

Synonyms Include: N/A

The name of the filename API load module. You would place this load module into a JOBLIB, STEPLIB or a system linklist library.

–FILENAME_API_NAME(<module name>)

module name – Up to 8 character name of the load module to be used as the Filename API.

Note: Use of the NOAPI control card negates all USER API processing. Accordingly any information placed into the FILENAME_API control cards is ignored.

–FILENAME_API_PARM

Synonyms Include: N/A

This control card can be used to pass information to the User API.

–FILENAME_API_PARM(<user data>)

user data – Default blanks, can be up to 80 bytes

–FILENAME_API_TRACE

Synonyms Include: N/A

This allows headings, control blocks, registers, and data areas to be presented in SYSPRINT to help in the debugging of a User API.

0 = Trace Off

1 = Basic

2 = Medium

3 = Low Level

4 = Very Low Level

The higher the number, the greater the volume of output.

–FILENAME_API_TRACE(0|1|2|3|4)

–FILENAME_API_WORKSIZE

Synonyms Include: N/A

The size of the work area to be used for the API. This area can be used to pass information between instances of the API being called and will be retained for the life of the run.

–FILENAME_API_WORKSIZE(<work size in bytes>)

work size – The default is 4096; the maximum is 32768.

–FILENAME_ENCRYPTION

Synonyms Include: –ENCRYPT_FILENAMES –FNE

This command specifies whether the archive central directory is to be strongly encrypted during ZIP processing to protect the filenames and associated data set description information.

–FILENAME_ENCRYPTION(Y|N|blank)

Y - YES – Request that central directory encryption be performed for the output archive.

N - NO – Request that an unencrypted central directory be created in the output archive.

blank - Request that an unencrypted central directory be created for a new archive, and that the state of an input archive be retained when creating an updated output archive. This is the default setting as distributed, but may be changed in the defaults configuration module.

See also: PASSWORD, RECIPIENT

When FILENAME_ENCRYPTION is enabled, the settings for the following commands are involved: ENCRYPTION_METHOD, PASSWORD, RECIPIENT and SECURE_OPT_MSK3DES. If files are added or freshened during the update to the archive, the same encryption scheme will be used both for the central directory and the altered files.

Information in the local headers for each of the files in the archive will be masked or eliminated. Filenames normally stored in the local header preceding each file will have a dynamically generated pseudo name assigned. ZIP and UNZIP operations ignore these names when processing files. (Only the true names stored within the encrypted central directory will be used for processing when the proper authorization is specified.) The generated filenames may be different for each SecureZIP run. File attributes such as allocation, volume, DCB, and uncompressed size will not be stored in the local header area.

When FILENAME_ENCRYPTION is turned on, an additional benefit of archive Directory compression is introduced, further reducing the total size of the archive. The current compression settings to be used for file compression are used to compress the archive Directory.

Because the entire central directory of the archive is encrypted, all filenames are encrypted.

Usage Notes:

Password, Recipient, or both may be used to encrypt the archive central directory.

ENCRYPTION_METHOD must be set to use an algorithm of at least a 128-bit key length. ENCRYPTION_METHOD=STANDARD is 96-bit, and is not allowed for FILENAME_ENCRYPTION.

In order to perform any ZIP or UNZIP operation against an archive that has FILENAME_ENCRYPTION turned on, the correct password or one of the associated private-key certificates for one of the designated recipients must be provided.

SAVE_FILE_ATTRIBUTES will be restricted to CENTRAL or NONE. SecureZIP will automatically convert “BOTH” to “CENTRAL” and “LOCAL” to “NONE” to ensure that file attribute information is not viewable within the archive for added or changed files.

An archive previously having FILENAME_ENCRYPTION turned on may be updated (Add, Copy, Delete, Freshen). The encryption mode (password and/or recipient) and settings (algorithm and key length) will be retained as used in the original activation of Filename Encryption.

Once file names in an archive are encrypted, you cannot change the password or recipient list used.

An archive containing no previously encrypted files may be updated (Add, Copy, Delete, Freshen) and converted to a filename-encrypted archive. Files added, updated or freshened in the run will be encrypted with the specified encryption parameters. File data copied from the original archive will remain unencrypted, the filename associated with the file will be encrypted, and any carried-over file attributes from the local header will be retained. (If SAVE_FILE_ATTRIBUTES CENTRAL or NONE had been specified for the input archive when it was created, then there will be no exposure of file attributes).

When attempting to update an archive that contains previously encrypted files but was not created with FILENAME_ENCRYPTION, FILENAME_ENCRYPTION will be dynamically disabled, message ZPEN018W will be issued, and a warning return code (4) for SecureZIP will be set while processing continues.

The ZIP archive_comment that is written at the end of the archive (if one is specified) is not included in the FILENAME_ENCRYPTION area. It will still be written in display text format (normally encoded in ASCII).

You cannot change the encryption on files that are already in an archive that contains encrypted file names when FILENAME_ENCRYPTION is retained for an updated archive.

An archive may be updated or copied using ARCHINDD and ARCHOUTDD to either enable or disable FILENAME_ENCRYPTION for the resulting output archive. An archive may not be transformed in place by using ACTION=COPY; however, an Add, Freshen, Update or Delete action will allow the mode of FILENAME_ENCRYPTION to be changed for a dynamically allocated archive.

Any files added or freshened in the archive when FILENAME_ENCRYPTION is enabled will be encrypted with the same settings used for the archive directory. Files may not be added or freshened “without” encryption while FILENAME_ENCRYPTION is enabled.

When a transformation from a Filename-encrypted archive to a non-Filename-encrypted archive is requested, the input archive with Filename Encryption enabled requires that update processing provide either password or Recipient information for access. Files being added or freshened will be encrypted with the mode and encryption algorithm specified in the command settings (not from the input archive). This means that the mode and algorithm for updated files may be different than that of the input archive. However, the mode used for access to the input archive will minimally be included for the updated file encryption.

When a transformation from a Filename-encrypted archive to a non-Filename-encrypted archive is requested, files may not be added or freshened directly with a removal of encryption (or reduction to “Standard” encryption). The input archive must first be transformed to a non-Filename Encryption format before unencrypted or “Standard” encryption files can be added or freshened.

If it is desirable to have an archive with some files unencrypted, first create an archive with no encryption, then update/copy the archive with FILENAME_ENCRYPTION enabled to encrypt the archive Central directory and optionally add files that are to be encrypted.

FILENAME_ENCRYPTION will be disabled for GZIP runs.

INCLUDE_SFX will be disabled when FILENAME_ENCRYPTION is enabled. The Self-extracting stubs provided do not support this feature. The appropriate PKWARE product should be obtained for the target platform in order to process encrypted filenames.

Restriction – Filename Encryption should not be attempted with more than approximately 100 recipients. The current code supports a 128K buffer to contain certain recipient certificate information.

Because Filename Encryption mirrors the previous recipient list during an archive update without having to re-access public key certificates, a significant amount of unnecessary processing can be avoided by providing only the private key certificate needed to facilitate update privileges to the archive.
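The usage notes above can be turned into a pre-submission check of a command deck. This is an added example, not part of SecureZIP: it encodes only rules stated on this page, and it assumes that the last value of a command wins, that PASSWORD, RECIPIENT and SAVE_FILE_ATTRIBUTES take a parenthesized value, and that installation defaults are as distributed. The decks and their values are constructed.

```python
import re

# Synonyms listed on this page; assumed to take the same (Y|N) value.
FNE_NAMES = {"FILENAME_ENCRYPTION", "ENCRYPT_FILENAMES", "FNE"}
# Methods for which this page states no key length.
NO_LENGTH_ON_PAGE = {"BSAFE_DES", "BSAFE_3DES", "BSAFE_RC4"}
# Automatic SAVE_FILE_ATTRIBUTES conversions described in the usage notes.
ATTR_CONVERSION = {"BOTH": "CENTRAL", "LOCAL": "NONE"}
COMMAND = re.compile(r"^-(\w+)[(=]([^)]*)\)?$")


def parse_deck(lines):
    """Collect -NAME(value) / -NAME=value commands; other lines are skipped."""
    settings = {}
    for line in lines:
        m = COMMAND.match(line.strip())
        if m:
            name = m.group(1).upper()
            name = "FILENAME_ENCRYPTION" if name in FNE_NAMES else name
            settings[name] = m.group(2).strip().upper()  # last value wins
    return settings


def lint_filename_encryption(lines):
    """Return (code, message) findings for a deck that requests FILENAME_ENCRYPTION(Y)."""
    s = parse_deck(lines)
    if s.get("FILENAME_ENCRYPTION") != "Y":
        return []
    findings = []
    has_key = "PASSWORD" in s or "RECIPIENT" in s
    if not has_key:
        findings.append(("NO_PASSWORD_OR_RECIPIENT",
                         "no PASSWORD or RECIPIENT in this deck to encrypt the central directory"))
    method = s.get("ENCRYPTION_METHOD")
    if method is None and has_key:
        # Distributed defaults: BSAFE_AES128 when recipient-based, Standard when password-only.
        method = "BSAFE_AES128" if "RECIPIENT" in s else "STANDARD"
    if method == "STANDARD":
        findings.append(("METHOD_NOT_ALLOWED",
                         "Standard (96-bit) is not allowed with FILENAME_ENCRYPTION"))
    elif method in NO_LENGTH_ON_PAGE:
        findings.append(("CONFIRM_KEY_LENGTH",
                         f"confirm that {method} meets the 128-bit minimum"))
    if s.get("GZIP") == "Y":
        findings.append(("FNE_DISABLED_FOR_GZIP",
                         "FILENAME_ENCRYPTION is disabled for GZIP runs; names are not protected"))
    if "INCLUDE_SFX" in s:
        findings.append(("SFX_DISABLED",
                         "INCLUDE_SFX is disabled when FILENAME_ENCRYPTION is enabled"))
    attrs = s.get("SAVE_FILE_ATTRIBUTES")
    if attrs in ATTR_CONVERSION:
        findings.append(("ATTRIBUTES_CONVERTED",
                         f"SAVE_FILE_ATTRIBUTES {attrs} becomes {ATTR_CONVERSION[attrs]}"))
    return findings


# Constructed decks: password-only with no method, then the corrected form.
WEAK_DECK = ["-ARCHIVE_DSN(MY.TEST.ZIP)", "-PASSWORD(CONSTRUCTED-VALUE)",
             "-FILENAME_ENCRYPTION(Y)", "-GZIP(Y)",
             "-SAVE_FILE_ATTRIBUTES(BOTH)", "MY.PAYROLL.DATA"]
FIXED_DECK = ["-ARCHIVE_DSN(MY.TEST.ZIP)", "-PASSWORD(CONSTRUCTED-VALUE)",
              "-ENCRYPTION_METHOD(AES256)", "-FILENAME_ENCRYPTION(Y)",
              "-SAVE_FILE_ATTRIBUTES(CENTRAL)", "MY.PAYROLL.DATA"]

if __name__ == "__main__":
    for code, message in lint_filename_encryption(WEAK_DECK):
        print(code, "-", message)
```

The check does not resolve INCLUDE_CMD members or the ENCRYPTION_METHOD synonyms, and it cannot see a tailored defaults module, so an empty result applies only to the lines it was given.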

–FILENAME_SELECT_CASE

Synonyms Include: FILECASE_MIXED, FILECASE_UPPER

Affects archive filename selection case sensitivity.

–FILENAME_SELECT_CASE=M|U

When attempting to select files from an archive, case sensitivity is the default. By specifying FILENAME_SELECT_CASE=U, the file names in the archive and the filename command selections will be translated to Upper case before a comparison is performed. The “M” (mixed) option is the default, which means that case-sensitivity is honored during the match process.

The use of Upper can reduce the complexities of selecting files from an archive for View and Extract processing. However, unpredictable results may occur if multiple files in the archive use the same character strings with varying case.

This specification also affects the UNZIPPED_DSN selection command values. Although this provides a convenience for coding, archives that contain multiple files of similar names except for case-differentiation may require case-sensitive selection.

Note: The effect of this command setting is not positional within the command data stream. The last value set will be honored regardless of where data set names are in the stream.

–FILE_TERMINATOR

Synonyms Include: –TERM

☺ - Cross Platform Compatible command (VSE, iSeries, OS/400, UNIX, and Windows).

–FILE_TERMINATOR(<delim chars>)

delim chars - These are the delimiter characters to be appended. There may be 0-4 characters specified in any combination:

CR - Appends an ASCII Carriage Return (hex 0D).

CZ - Appends an ASCII Ctrl-Z character (hex 1A).

LF - Appends an ASCII Line Feed character (hex 0A).

() - No delimiters at all.

Used in SECZIP Processing

When compressing a file as text (not binary), the FILE_TERMINATOR command specifies what character(s) to store at the end of the last record of the file to signal the end. When compressing a file as binary, the FILE_TERMINATOR command is ignored. (See also CRLF command for additional information regarding the interaction of DATA_DELIMITER and FILE_TERMINATOR for the last record of the file).

Used in SECUNZIP Processing

When decompressing a text file (not binary), the FILE_TERMINATOR command specifies what character(s) to find at the end of the last record of the file to signal the end. When decompressing a binary file the FILE_TERMINATOR command is ignored.

When used in either type of processing:

The default is CRLFCZ if no FILE_TERMINATOR command is specified with the SECZIP program. With the SECUNZIP program the default is CRLFCZ if no characters are specified by FILE_TERMINATOR(). Otherwise a range of standard delimiters is used in the search, which should satisfy most systems.

MS-DOS records use CRLFCZ for a delimiter.

UNIX records use LF for a delimiter.

When extracting the file(s), the same FILE_TERMINATOR command that was used to ZIP should be used to UNZIP to process the file correctly if non-standard delimiter characters were used.

The FILE_TERMINATOR characters should be different than the DATA_DELIMITER characters to make the last record distinct. Use a different combination of characters to create the distinction.

For example, these would not be distinct (note the same CRLF in the character set):

–DATA_DELIMITER(CRLF). –FILE_TERMINATOR(CRLFCZ)

or

–FILE_TERMINATOR(CZCRLF)

where a single record of CZ would be created.

These would be distinct: there is no duplication of character sets:

–DATA_DELIMITER(CRLF). –FILE_TERMINATOR(CZCRCZ).

–GDGALL_SUPPORT

Synonyms Include: –GDGALL, –NOGDGALL, –SELECT_GDGALL

This command determines whether all levels of a Generation Data Group (GDG) are retrieved and included in the archive.

–GDGALL_SUPPORT(Y|N)

Y - YES - All levels of the data set are retrieved.

N - NO - Only the current data set (Level 0) is retrieved.

–GZIP

Synonyms Include: –NOGZIP

☺ - Cross Platform Compatible command (VSE, iSeries, OS/400, UNIX, and Windows).

This command may be used to create an archive using the GZIP-compatible format instead of the ZIP format. For further information, see Chapter 12.

–GZIP(Y|N)

Y - YES - Process using GZIP-compatible SecureZIP for zSeries processing.

N - NO - Process using normal SecureZIP for zSeries processing.

Processing Notes

Because GZIP does not support the PKWARE ZIP archive format standards, some SecureZIP features are not available for use when GZIP is enabled, such as strong encryption, signing and authentication. Features may be dynamically disabled and/or messages issued when GZIP is activated.

When enabled with GZIP, password-based 96-bit encryption is supported for decryption only under PKZIP for MVS, PKZIP for zSeries, PKZIP for OS/400, PKZIP for iSeries, SecureZIP for iSeries and SecureZIP for zSeries.

–GZIP_SUFFIX

Synonyms Include: N/A

☺ - Cross Platform Compatible command (VSE, iSeries, OS/400, UNIX, and Windows).

This command may be used when there is no valid GZIP filename. The archive input file name will be used and the last level of the name will be replaced with the value of this field.

–GZIP_SUFFIX(<suffix>)

suffix - The name to be used as the last level of the filename.

–HIERARCHY

Synonyms Include: –NOHIERARCHY

–HIERARCHY(Y|N)

Y - YES - Specifies that the entire data set name stored in the ZIP archive file is to be used to convert the file to an MVS format.

N - NO - Strips away higher level components and uses the lowest level of the data set component(s) as the member name when creating a file name in the PDS. It is used when converting a file from ZIP archive format to MVS format. The PDS should be specified with the command SELECT_FROM_PDS or ZIPCUR.

Example: Given the file: TDS/DICT/DATA

and a command of: –HIERARCHY(Y)

the file will be: TDS.DICT.DATA

the PDS will be: TDS.DICT(DATA)

Example: Given the file: TDS/DICT/DATA

and a command of: –ZIPCUR (MYRE.SPELL.CHK) –HIERARCHY(N)

the PDS will be: MYRE.SPELL.CHK(DATA)

If the PDS member already exists, you must replace it with OUTFILE_OVERWRITE or add it with INSERT_MEMBER to keep the member.

–INCLUDE_CMD

Synonyms Include:

Include an additional set of commands from a PDS or PDSE member.

–INCLUDE_CMD=ddname(member)

or

–INCLUDE_CMD=(member)

or

–INCLUDE_CMD=hlq.dsname(member)

If ddname is omitted, then a search is performed to locate a member in the data set specified via the DDNAME_PARMLIB specification (if one is allocated) or the PARMLIB_DSNAME_ZIP and PARMLIB_DSNAME_UNZIP settings.

If the data set is found to not be partitioned, or the member cannot be read, then processing will be terminated.

When multiple nodes (separated by ‘.’) are detected in the command parameter, the entire value is treated as a data set from which commands are to be included. This may either be a member of a PDS or a sequential data set.

Two members are included in SECZIP.MVS.INSTLIB (TOUNIX and TOMSDOS) to assist in cross-platform file transfers. The following example shows how to include the attributes required when sending text data to an MS-DOS platform.

//INSTLIB DD DISP=SHR,DSN=SECZIP.MVS.INSTLIB
//SYSIN DD *
-ARCHIVE_DSN(&SYSUID.DOS.ZIP)
-INCLUDE_CMD=INSTLIB(TOMSDOS)
**********************************************************************
* This sample command stream can be included with the command        *
* -INCLUDE_CMD=ddname(TOMSDOS)                                       *
*                                                                    *
* Set common parameters associated with transfering data to a        *
* workstation (assuming ASCII data translation).                     *
*                                                                    *
**********************************************************************
* Have SECZIP translate EBCDIC (IBM-1047) to ASCII (IBM-850)
-DATA_TYPE(TEXT)
-TRANSLATE_TABLE_DATA(EBC#850)
* Use x'0D0A' to delimit records
-DATA_DELIMITER(CRLF)
* No file terminator at the end of the stream
-FILE_TERMINATOR()
SECZIP.MVS.C(CCENCDK1)
ZPAM030I OUTPUT Archive opened: MAS.DOS.ZIP
ZPAM253I ADDED File SECZIP.MVS.C(CCENCDK1)
ZPAM254I as PKZIP/DEV/C/CCENCDK1
ZPAM255I (DEFLATED 60%/57%) ORIG. SIZE 14,471; ZIP SIZE 6,235
ZPAM140I FILES:    ADDED  EXCLUDED  BYPASSED  IN ERROR
ZPAM140I               1         0         0         0
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)

Processing Notes:

Multiple INCLUDE_CMD commands may be used in a single run.

When found in the primary command streams (SYSIN or EXEC PARM) or via the defaults module PARMLIB settings, the referenced command member is read immediately into the command stream at the point in which the INCLUDE_CMD command is encountered. This makes the commands positionally sensitive since additional commands that follow may override included commands.

Nesting of INCLUDE_CMD from within included command sequences is supported. However, the following should be noted:

• The current included command stream is processed entirely before the nested include file is read. Assume that SYSIN has INCLUDE_CMD=dsn(A), member A has INCLUDE_CMD=dsn(B), and B has INCLUDE_CMD=dsn(C). As soon as INCLUDE_CMD=dsn(A) is encountered in the primary input stream, A will be opened and read completely. Regardless of where INCLUDE_CMD=dsn(B) is found within A, it will be queued for processing behind all of A’s commands. Then all of member B will be read and processed (and C will be queued behind it).

• Once all nested includes have been processed, then control will be returned to reading the primary input stream immediately following the original INCLUDE_CMD request.

• A recursion protection mechanism is built into the software to prevent loops due to command coding errors. Each INCLUDE_CMD value is tracked as it is encountered. If a duplicate INCLUDE_CMD value is found, it will be ignored, and processing of commands in the current source will continue without opening (or queueing) the duplicate source.

• Care should be taken to evaluate the include sequences or unexpected results may occur. If multiple sources have includes for the same member, then the first occurrence encountered will include that member and subsequent includes will be ignored. If sequence-sensitive overrides are coded, the inclusion of a nested command sequence by another source may alter the expected result.
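The processing notes above, modelled as an added example (this is not PKWARE code, and it is not JCL). It assumes a simplified command syntax and constructed members dsn(A), dsn(B) and dsn(C); the function names are hypothetical. It shows how queueing nested includes behind the current member, and ignoring duplicates, decides which sequence-sensitive override wins.

```python
import re
from collections import deque

# Constructed command members, keyed by the INCLUDE_CMD value that names them.
MEMBERS = {
    "dsn(A)": ["-LOGGING_LEVEL(QUIET)", "-INCLUDE_CMD=dsn(B)", "-DATA_TYPE(TEXT)"],
    "dsn(B)": ["-DATA_TYPE(BINARY)", "-INCLUDE_CMD=dsn(C)", "-INCLUDE_CMD=dsn(A)"],
    "dsn(C)": ["-LOGGING_LEVEL(VERBOSE)"],
}
# Constructed primary input stream (SYSIN).
PRIMARY = [
    "-LOGGING_LEVEL(NORMAL)",
    "-INCLUDE_CMD=dsn(A)",
    "-INCLUDE_CMD=dsn(C)",
    "-MEMORY_MODEL(LARGE)",
]

INCLUDE_RE = re.compile(r"^-INCLUDE_CMD=(\S+)$")
SETTING_RE = re.compile(r"^-([A-Z_]+)\((.*)\)$")


def _request(value, source, seen, queue, ignored):
    """Track an INCLUDE_CMD value: queue it once, ignore any duplicate."""
    if value in seen:
        ignored.append((source, value))
    else:
        seen.add(value)
        queue.append(value)


def expand(primary, members):
    """Return (commands in the order they take effect, ignored includes)."""
    seen, order, ignored = set(), [], []
    for cmd in primary:
        top = INCLUDE_RE.match(cmd)
        if not top:
            order.append(("SYSIN", cmd))
            continue
        # An include in the primary stream is read at the point it is found.
        queue = deque()
        _request(top.group(1), "SYSIN", seen, queue, ignored)
        while queue:
            name = queue.popleft()
            # The whole member is processed first; nested includes wait
            # in the queue behind all of this member's commands.
            for inner in members[name]:
                nested = INCLUDE_RE.match(inner)
                if nested:
                    _request(nested.group(1), name, seen, queue, ignored)
                else:
                    order.append((name, inner))
        # Control now returns to the primary stream after the include.
    return order, ignored


def effective_settings(order):
    """Later commands override earlier ones; remember which source won."""
    settings = {}
    for source, cmd in order:
        m = SETTING_RE.match(cmd)
        if m:
            settings[m.group(1)] = (m.group(2), source)
    return settings


if __name__ == "__main__":
    order, ignored = expand(PRIMARY, MEMBERS)
    for source, cmd in order:
        print(f"{source:7} {cmd}")
    print("ignored duplicates:", ignored)
    print("effective:", effective_settings(order))
```

In this run DATA_TYPE ends up BINARY: member B is queued behind all of A, so its setting overrides the DATA_TYPE(TEXT) that follows the include line inside A.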


–INCLUDE_SFX

Synonyms Include: SELF_EXTRACTOR, SFX, MAKESFX, SFX_AIX, SFX_HPUX, SFX_LINUX2I, SFX_LINUX, SFX_SUN, SFX_WINDOWS

Create a self-extracting archive by prefixing the archive with a self-extraction program appropriate to a target system.

–INCLUDE_SFX=self_extraction_program_name

self_extraction_program_name - One of the following:

SFXAIX - IBM AIX Version 4.0 and above. SFX_AIX may be specified as a shortcut.

SFXHP - HP/UX Version 9.0 and above. SFX_HPUX may be specified as a shortcut.

SFXLNX2I - LINUX Kernel 2.x for Intel (target system run-time requirements: Reference PKZIP Support Notice #13 02/16/2001 regarding LINUX target system support files ld.so-1.9.5-13.i386.rpm and libc-5.3.12-31.i386.rpm). SFX_LINUX or SFX_LINUX2I may be specified as a shortcut.

SFXSUN - Sun Solaris 2.3 (SunOS 53) and above. SFX_SUN may be specified as a shortcut.

SFXWIN - Microsoft Windows (95 and above). SFX_WINDOWS may be specified as a shortcut.

When creating an archive for self-extraction to take place on a different platform, it is important to also include commands that are associated with properly converting the record management and text character set of the data file. INCLUDE_CMD(TOMSDOS) and INCLUDE_CMD(TOUNIX) will assist you in creating a file that will successfully extract on the target system.

The self extracting programs are held as binary entities in the SecureZIP for zSeries load library. The appropriate member is loaded and the executable data copied to the beginning of the archive as a preamble when requested.

The resulting archive can still be processed by SecureZIP for zSeries as a normal ZIP archive.

When an input archive containing a self-extraction preamble is passed to SecureZIP for zSeries for SECZIP processing and no value is supplied by INCLUDE_SFX, the PREAMBLE is removed when writing the new archive.

A self-extracting archive can be created from an existing archive by using the ACTION(COPY) command along with INCLUDE_SFX. If the original archive contained a preamble, it will be removed and the newly specified preamble will be inserted.

When transferring a self-extracting archive to a target system, be sure to transfer the archive in BINARY format and adhere to requirements for executables in that environment. (For example, a Windows program should be saved with an application extension of EXE, and a UNIX file should have executable authorization set via the UNIX chmod command.)

The self-extraction programs provided are at the 2.5 level of PKZIP. As such, the following restrictions apply to the operation of the self-extraction program(s). Care should be taken to control the creation of the self-extracting archive within these restrictions, although the resulting archive may still be processed with PKZIP programs at higher levels that support these features.

• The number of files in the archive should be limited to 65,535 or less.

• Strong Encryption is not supported.

• Authentication of digital signatures is not supported (although the signatures within the archive will be maintained and can be authenticated by appropriate SecureZIP products).

• The size of the archive should not exceed 4 gigabytes.

• The uncompressed size of individual files should be less than 4 gigabytes.

• Some target file systems (such as Windows FAT and UNIX kernels earlier than release 2.4) do not support files greater than 2 gigabytes.
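A pre-flight check for the restrictions listed above, as an added example (not PKWARE code; the function names are hypothetical). It reads the entry metadata of an archive with Python's zipfile module. It assumes that "gigabytes" means units of 1024^3 bytes and that strong encryption can be recognised by bit 6 of each entry's general purpose flag, as defined in the ZIP format specification.

```python
import io
import zipfile

GIB = 1024 ** 3
STRONG_ENCRYPTION_BIT = 0x0040  # general purpose flag bit 6 (assumption: per the ZIP spec)


def sfx_preflight(infos, archive_size, max_files=65_535,
                  size_limit=4 * GIB, fs_limit=2 * GIB):
    """Check ZipInfo entries against the SFX limits; return (errors, warnings)."""
    infos = list(infos)
    errors, warnings = [], []
    if len(infos) > max_files:
        errors.append(f"{len(infos)} files exceeds the limit of {max_files}")
    if archive_size > size_limit:
        errors.append(f"archive size {archive_size} exceeds {size_limit} bytes")
    for info in infos:
        if info.flag_bits & STRONG_ENCRYPTION_BIT:
            errors.append(f"{info.filename}: strong encryption is not "
                          "supported by the self-extraction program")
        if info.file_size >= size_limit:
            errors.append(f"{info.filename}: uncompressed size must be "
                          f"less than {size_limit} bytes")
        elif info.file_size > fs_limit:
            # Not an SFX limit, but some target file systems stop here.
            warnings.append(f"{info.filename}: larger than {fs_limit} bytes; "
                            "check the target file system")
    return errors, warnings


def check_archive_bytes(data, **limits):
    """Run the pre-flight check on an archive held in memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sfx_preflight(zf.infolist(), len(data), **limits)


if __name__ == "__main__":
    # Constructed sample archive with two small text members.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "sample text\r\n" * 10)
        zf.writestr("data/accounts.txt", "1,2,3\r\n")
    print(check_archive_bytes(buf.getvalue()))
    # The same archive against an artificially low file-count limit.
    print(check_archive_bytes(buf.getvalue(), max_files=1))
```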

To assist in the usage of the self-extraction programs on the target systems, some of the command parameters are listed below. Note that some parameters may not be valid on all systems. By executing the transferred self-extracting archive on the target system with “-help”, the command syntax appropriate to that system will be displayed.

Usage: sfx.exe [options] [.ZIP archive] [files...]

Where sfx.exe = the name of the self-extracting executable file

Options:

after - extract files that are newer than or equal to a specified date
    Suboptions:
        "date specification" [format: mmddyy or mmddyyyy]
    Example: sfx.exe -aft=12311999 file.zip

before - extract files that are older than a specified date
    Suboptions:
        "date specification" [format: mmddyy or mmddyyyy]
    Example: sfx.exe -bef=12311999 file.zip

console - display the contents of specified archived files on your screen
    Example: sfx.exe -con= file.zip readme.txt

directories - recreate directory path while extracting including any sub-directories
    Example: sfx.exe -dir file.zip

exclude - exclude specified files from being extracted
    Example: sfx.exe -exc=*.txt file.zip


extract - extract files from the .ZIP archive
    Suboptions:
        all [extract everything in archive]
        freshen [extract if newer than destination copy]
        update [extract if newer or not in destination directory]
    Example: sfx.exe -ext=all file.zip

help - display help screen
    Example: sfx.exe -help

id - preserve original file uid/gid. Must be root/file owner (UNIX only)

include - include specified files for extraction
    Example: sfx.exe -inc=*.txt file.zip

larger - extract files that are the specified size (in bytes) and larger
    Suboptions:
        a numerical value (in bytes) that indicates a minimum desired file size
    Example: sfx.exe -larger=400

license - displays license information
    Example: sfx.exe -lic

locale - reads and/or adjusts the locale variable for date and time format input
    Suboptions:
        environment [read system variable and apply accordingly]
        "valid country name" [for example locale=germany]
    Example: sfx.exe -loc=us -aft=12311999 file.zip

lowercase - change filenames to lower case on extraction
    Example: sfx.exe -lowercase

mask - remove specified file attributes upon extraction
    Suboptions:
        archive [mask archive attribute from file(s)/folder(s)]
        hidden [mask hidden attribute from file(s)/folder(s)]
        system [mask system attribute from file(s)/folder(s)]
        readonly [mask read-only attribute from file(s)/folder(s)]
        none [do not mask attributes from file(s)/folder(s)]
        all [mask all attributes from file(s)/folder(s)]
    Example: sfx.exe -mask=archive,readonly file.zip

more - display output one screen at a time
    Example: sfx.exe -more file.zip


newer - process only those files that are newer than a specified (calendar) day in the past
    Suboptions:
        a numerical value (in calendar days) that indicates some date in the past relative to the current date
    Example: sfx.exe -newer=2

noextended - suppress the extraction of extended attributes
    Example: sfx.exe -noex file.zip

older - process only those files that are older than a specified (calendar) day in the past
    Suboptions:
        a numerical value (in calendar days) that indicates some date in the past relative to the current date
    Example: sfx.exe -older=2

overwrite - overwrite existing files
    Suboptions:
        prompt [prompt before overwriting]
        all [always overwrite]
        never [never overwrite]
    Example: sfx.exe -o=all file.zip

password - specify a decryption password
    Example: sfx.exe -pass=grendel file.zip

print - print the specified archived file
    Suboptions:
        "print device name" [for example print=lpt1]
    Example: sfx.exe -print=lpt2 file.zip readme.txt

silent - suppress warning messages when extracting
    Example: sfx.exe -silent file.zip

smaller - extract files that are the specified size (in bytes) and smaller
    Suboptions:
        a numerical value (in bytes) that indicates a maximum desired file size
    Example: sfx.exe -smaller=400


sort - sort files when extracting
    Suboptions:
        crc [sort by crc value]
        date [sort by date of the file]
        extension [sort by file extension]
        name [sort by file name]
        natural [sort in the order that the file was archived]
        ratio [sort by compression ratio]
        size [sort by file size]
        none [do not sort]
    Example: sfx.exe -sort=size file.zip

test - test the integrity of archived files
    Suboptions:
        all [test everything in archive]
        freshen [test if newer than destination copy]
        update [test if newer or not in destination directory]
    Example: sfx.exe -test=all file.zip

times - preserve specified file date/time stamp
    Suboptions:
        access [preserve accessed date/time stamp on extraction]
        modify [preserve modified date/time stamp on extraction]
        create [preserve created date/time stamp on extraction]
        all [preserve all date/time stamps on extraction]
        none [do not preserve date/time stamps on extraction]
    Example: sfx.exe -time=access,modify file.zip

translate - translate the end of line sequence for a given operating system
    Suboptions:
        DOS [convert to DOS style line endings]
        MAC [convert to MAC style line endings]
        unix [convert to unix style line endings]
    Example: sfx.exe -translate=unix


version - display SFX version and return appropriate value to the shell
    Suboptions:
        major [return major version number]
        minor [return minor version number]
        step [return step or patch version number]
    Example: sfx.exe -ver=step

volume - restore the volume label when extracting
    Example: sfx.exe -vol file.zip

warning - prompt to continue after warning message
    Example: sfx.exe -warn file.zip

–INFILE

Synonyms Include: –INDD, –IFILE, –INFILE_DD

The INFILE command identifies the DD statement that further describes the file to be compressed.

–INFILE(<ddname>[,member1][,member2][,…membern])

ddname - The name of the DD job step listed in the JCL.

Member1-n - 0 to n member names that identify specific members within the PDS (described in the <ddname> used in the job step).

The DD statement may describe a sequential data set, an entire PDS or a member of a PDS, or even a generation of a GDG.

If a member of a PDS is to be compressed, there are two methods of identifying that member.

First, using just the DD statement where the individual member is described in the DD statement and INFILE refers to that DD statement.

Example:

//INPUT DD DISP=SHR,DSN=MY.DATA.FILES(FIRST)
 .
 .
 .
–INFILE(INPUT)

Second, using the command where the entire PDS is described in the DD statement and then the INFILE command refers to that DD statement as well as the individual member name(s) to use.


Example:

//INPUT DD DISP=SHR,DSN=MY.DATA.FILES
 .
 .
–INFILE(INPUT,FIRST,SECOND,FIFTH)

Note that more than one member may be indicated with the command.

If no members are indicated, the entire PDS is used.

Multiple INFILE commands can be used.

See <data set name> for data set naming capabilities.

–INSERT_MEMBER

Synonyms Include: –INSERTMEMBER, –NOINSERTMEMBER

The INSERT_MEMBER command is used to add a member to an existing PDS.

–INSERT_MEMBER(Y|N)

Y - YES - Specifies that the newly extracted member will be added and become a new member of an existing data set.

N - NO - Specifies that the member will not be added and the process will fail with an error message.

See OUTFILE_OVERWRITE to update a data set in an existing PDS.

–KEY_PROTECT_LEVEL

Synonyms Include: –KEYPROTECT1, –KEYPROTECT2

–KEY_PROTECT_LEVEL(1|2)

When using advanced encryption (see ENCRYPTION_METHOD) during a ZIP operation, additional information is stored in the ZIP archive pertaining to the encryption keys. This information is also encrypted to further secure the file data.

The use of this parameter will affect the size of the resulting archive. KEY_PROTECT_LEVEL(1) will use approximately 100 more bytes per file in the archive, while KEY_PROTECT_LEVEL(2) will require 340 more bytes per file. Level(2) is the preferred setting for increased security.


–LDAP_ENCRYPT_CERT_SELECT

Synonyms Include: N/A

–LDAP_ENCRYPT_CERT_SELECT(ALL|FIRST|LAST|LATEST|FIRST_ENCRYPT|LAST_ENCRYPT|LATEST_ENCRYPT)

This command assists in restricting the number or type of certificates being used to represent a user or organization for each encrypted file.

When using LDAP to locate Public-key certificates for recipients, it is possible to locate more than one certificate for a target recipient. For example, if a user obtains a new certificate each year, then multiple certificates may represent that user within the LDAP. It may also be possible for a user to have certificates from multiple Certificate Authorities (e.g. Verisign, Thawte), or multiple certificates for different purposes (encryption vs. signing).

In any of the above conditions, a ZIP process may result in multiple recipient certificates being processed for the same target recipient (person or organization). Some organizations may desire to restrict the type or quantity of certificates being used for encryption. This can save processing resources and ZIP archive space.

Parameters:

ALL – Every certificate located in an LDAP Server matching the search criteria will be added as a viable recipient.

FIRST – For each LDAP entry matching the search criteria, only the first certificate stored in that entry will be included, regardless of use type designated in the certificate or its valid date period. This use case depends on the certificate loading order used in the LDAP.

LAST – For each LDAP entry matching the search criteria, only the last certificate stored in that entry will be included, regardless of use type designated in the certificate or its valid date period. This use case depends on the certificate loading order used in the LDAP.

LATEST – For each LDAP entry matching the search criteria, the most recent certificate stored in that entry will be included, regardless of use type designated in the certificate. Note that if multiple certificates are found within an LDAP entry, certificates with their validity period not yet starting will be excluded unless they are the only certificates within the entry. In that case, the first certificate found will be selected.

FIRST_ENCRYPT – For each LDAP entry matching the search criteria, the first certificate found with a use type set for encryption stored in that entry will be included, regardless of its valid date period. This use case depends on the certificate loading order used in the LDAP. If no entries are found with the use type set to encryption, then the first certificate found in the LDAP entry will be selected.

LAST_ENCRYPT – For each LDAP entry matching the search criteria, the last certificate found with a use type set for encryption stored in that entry will be included, regardless of its valid date period. This use case depends on the certificate loading order used in the LDAP. If no entries are found with the use type set to encryption, then the first certificate found in the LDAP entry will be selected.

LATEST_ENCRYPT – For each LDAP entry matching the search criteria, the most recent certificate found with a use type set for encryption, also having the “best” date range for its validity period, will be included. This use case depends on the certificate loading order used in the LDAP. If no entries are found with the use type set to encryption, then the most recent certificate found in the LDAP entry will be selected. Note that if multiple certificates are found within an LDAP entry, certificates with their validity period not yet starting will be excluded unless they are the only certificates within the entry. In that case, the first certificate found will be selected.

Note: Regardless of the option selected, at least one certificate will be selected from an LDAP entry. Each certificate selected must be in valid X.509 Public-key format.
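The selection rules above, modelled as an added example for auditing what each option would pick from one LDAP entry (not PKWARE code; the names are hypothetical). It assumes that "most recent" means the latest validity start date among certificates whose validity period has begun, and it treats the “best” date range the same way. The certificates are constructed and listed in LDAP loading order.

```python
from dataclasses import dataclass
from datetime import date

MODES = ("ALL", "FIRST", "LAST", "LATEST",
         "FIRST_ENCRYPT", "LAST_ENCRYPT", "LATEST_ENCRYPT")


@dataclass(frozen=True)
class Cert:
    label: str
    not_before: date
    not_after: date
    encrypt_usage: bool  # use type in the certificate allows encryption


def _most_recent(certs, today):
    """Latest validity start among started certs (assumed meaning of 'most recent')."""
    started = [c for c in certs if c.not_before <= today]
    if not started:
        return certs[0]  # only not-yet-valid certificates: first one found
    return max(started, key=lambda c: c.not_before)


def select(certs, mode, today):
    """Return the certificates one option selects from a single LDAP entry."""
    if not certs:
        raise ValueError("LDAP entry holds no certificates")
    enc = [c for c in certs if c.encrypt_usage]
    if mode == "ALL":
        return list(certs)
    if mode == "FIRST":
        return [certs[0]]
    if mode == "LAST":
        return [certs[-1]]
    if mode == "LATEST":
        return [_most_recent(certs, today)]
    if mode == "FIRST_ENCRYPT":
        return [enc[0] if enc else certs[0]]
    if mode == "LAST_ENCRYPT":
        return [enc[-1] if enc else certs[0]]  # fallback is the FIRST certificate
    if mode == "LATEST_ENCRYPT":
        return [_most_recent(enc or certs, today)]
    raise ValueError(f"unknown option {mode}")


def issues(cert, today):
    """Properties of a selected certificate that an administrator should review."""
    found = []
    if cert.not_after < today:
        found.append("expired")
    if cert.not_before > today:
        found.append("not yet valid")
    if not cert.encrypt_usage:
        found.append("no encryption usage")
    return found


def audit(certs, today):
    return {mode: [(c.label, issues(c, today)) for c in select(certs, mode, today)]
            for mode in MODES}


# Constructed LDAP entry, in loading order.
ENTRY = [
    Cert("sign-2004", date(2004, 1, 1), date(2005, 1, 1), False),
    Cert("enc-2004", date(2004, 3, 1), date(2005, 3, 1), True),
    Cert("enc-2005", date(2005, 3, 1), date(2006, 3, 1), True),
    Cert("enc-2006", date(2006, 3, 1), date(2007, 3, 1), True),
    Cert("sign-2005", date(2005, 4, 1), date(2006, 4, 1), False),
]
TODAY = date(2005, 6, 1)  # constructed run date

if __name__ == "__main__":
    for mode, picked in audit(ENTRY, TODAY).items():
        print(f"{mode:15} {picked}")
```

For this entry only LATEST_ENCRYPT selects a certificate with no findings; the other single-certificate options pick one that is expired, not yet valid, or not marked for encryption.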

–LICENSE_HLQ

Synonyms Include: N/A

This command specifies the high level qualifier to be used in locating the License Control Data set. This should be specified in accordance with directions provided by the Systems Programmer responsible for setting up the product and maintaining its licensing options. It will be used to allocate the sezczip.mvs.LICENSE data set during execution.

See Appendix A - Licensing Requirements for more information.

–LICENSE_HLQ(<hlvl>)

hlvl - High level qualifier used for allocation (SECZIP.MVS is the default).

–LMOD_SUPPORT

Synonyms Include: N/A

Note: This is an MVS command only.

Caution: Be aware that if this command is used incorrectly, you could incur problems.

This command determines whether SecureZIP for zSeries processing will dynamically turn on the commands of DATA_TYPE(BINARY), SAVE_LRECL, and SAVE_FILE_ATTRIBUTES for PDS members that have been detected as Load Modules. These modules will then be reconstructed during UnZip processing.

This feature allows text-based non-load module files to be zipped during a single pass along with load libraries. One might use this feature to process a PDS containing both load modules and text files in a single pass.

–LMOD_SUPPORT(Y|N)

Y - YES - Turn on LMOD_SUPPORT support. Zip processing will dynamically turn on SAVE_LRECL and DATA_TYPE(BINARY) for PDS members detected as being load modules.

N - NO - Do not turn on LMOD_SUPPORT support.


See DATA_TYPE(BINARY), SAVE_FILE_ATTRIBUTES, and SAVE_LRECL for additional information.

–LICENSE_WTO_INFO

Synonyms Include:

The license feature warning messages will be displayed on the console as well as in the printed output of each run. If you do not wish to display the messages on the console, change the defaults module to LICENSE_WTO_INFO=N. (Specifying this operation as a command will not affect license messaging that occurs prior to command inputs.)

–LOGGING_LEVEL

Synonyms Include: –VERBOSE, –Q, –QUIET

This command specifies the level (or quantity) of messages that will be output from SecureZIP for zSeries to SYSPRINT.

–LOGGING_LEVEL(NORMAL|QUIET|VERBOSE)

NORMAL - Specifies that a standard set of messages will be output to SYSPRINT.

QUIET - Specifies that no messages are issued, although return codes will be set when errors occur. This option is normally used when calling from a CLIST or another program where you will not immediately view the output (as in ISPF execution).

VERBOSE - Specifies that a more detailed level of messages will be output to provide in-depth processing information.

• Dynamic Allocation Parameters used to create and access files.

• Dynamic Allocation error codes.

• System SORT messages (TRACE_SORT (4) may provide more).

• Specific SECZIP messages.

–MASTER_RECIPIENT

Synonyms Include: N/A

-MASTER_RECIPIENT(cert_store_type:selection[,R][,PASSWORD=password])

This command has the same format as RECIPIENT, and may be specified either through the Defaults module (ACZDFLT) or commands. The specification of MASTER_RECIPIENT does not trigger encryption to take place during ZIP processing in the same way as RECIPIENT.


However, once encryption is specified, the value of MASTER_RECIPIENT is implicitly included in the run as if a RECIPIENT command had been invoked.

This represents an enterprise or corporate defined RECIPIENT which is to be included as a global or administrative access RECIPIENT. This enables the enterprise to decrypt and access the file(s) when other RECIPIENTs are no longer able or eligible.

–MEMORY_MODEL

Synonyms Include: –MEM_MODEL, –MEM_MDL, –SMM, –MMM, –LMM, –MMS, –MML

–MEMORY_MODEL(SMALL|MEDIUM|LARGE)

MEMORY_MODEL(SMALL|MEDIUM|LARGE) controls where file management control blocks are held (such as control blocks describing an archive file with its attributes) and the amount of storage that can be used for compression control tables.

When MEMORY_MODEL(LARGE) is specified or defaulted, all of the file management control blocks are held in 31-bit virtual storage and the largest compression tables are used (providing the best compression possible for the Compression_Level selected).

When either SMALL or MEDIUM is specified, the file descriptor information is spilled to a set of work files to be sorted, merged and selected. Note that file descriptors are built for both files existing in the input archive and new files to be selected, so the aggregate count must be managed. Approximate sizes for each file descriptor are as follows:

VSAM - 2.5K.

Sequential - 800 bytes.

PDS/PDSE - 800 bytes for base data set + 224 bytes per member.

–MULTI_THREAD_LIMIT

Synonyms Include: –TASKS

To specify more than one task to be used while compressing a data set(s), use ARCHIVE_MGMTCLASS. Some systems have more than one CPU and can run subtasks to aid in processing. The compression of a data set would then run with two or more subtasks (depending upon the specified amount). These subtasks would run in parallel and speed processing time, improving performance for the processing of multiple data sets.

–MULTI_THREAD_LIMIT(<amount>)

amount - Specifies the maximum number of subtasks that may be used by SecureZIP for zSeries to compress data sets. The <amount> should not exceed twice the number of CPUs on a system. Should this command be used on a single CPU system, the results are undefined. An amount of 3 is the default.


ZIP processing speed can improve with this command; however, actual performance is dependent on the type of data sets that are processed.

Data sets within a PDS are processed within the same subtask unless the data sets are individually identified in separate data set definitions.

Some processing functions require that the MULTI_THREAD_LIMIT operate at 1. In most instances SECZIP and SECUNZIP will automatically set the active value to 1 when required; however, you must use MULTI_THREAD_LIMIT(1) when you are compressing multi-file tape data sets from the same volume.

–NOAPI

Synonyms Include: N/A

–NOAPI

The Language Environment CEEPIPI environment associated with User API programs (such as DATA_TRANS_API) will not be initialized. This is important for Language Environment operations that do not support CEEPIPI being in operation (such as C++ calling SecureZIP).

This command must be passed in the execute parameters (not in the defaults module or a command stream) so that it takes effect early in the SecureZIP initialization process.

When NOAPI is in use, the DATA_TRANS and FILENAME APIs are not available for use.

–NOSYSIN

Synonyms Include: –NOSYSIPT

–NOSYSIN

The SYSIN data set will not be opened if NOSYSIN is specified in the PARM parameter or in the Configuration file. The command has no effect if placed within the SYSIN data set.

This command is useful when calling the SECZIP program from another program. The SYSIN passed to the calling program will not be affected by the SECZIP program processing in this situation. See Invoking SecureZIP for zSeries Services.


–ON_FILE_ACCESS_ERROR

Synonyms Include: –FILESELERR

In SECZIP Processing

If an access problem occurs during the ZIP processing of an input file or a temporary archive, the ON_FILE_ACCESS_ERROR command specifies whether to terminate processing or ignore the error and continue. The default is to allow for compatibility.

–ON_FILE_ACCESS_ERROR(STOP|TERMINATE|TOLERATE|IGNORE[,WARNONBUSY]|[,WARNIFBUSY])

STOP - Processing halts when an access error is detected.

TERMINATE - Processing halts when an access error is detected.

TOLERATE - Processing continues with the next file. Error return codes and messages of the problem files are produced.

IGNORE - Processing continues with the next file. Error return codes and messages of the problem files are produced.

WARNIFBUSY - Processing continues with the next file, and the “busy” files are reported as a warning. This is an option to STOP or TOLERATE. Without STOP or TOLERATE specified, busy files will be skipped.

WARNONBUSY - Same as WARNIFBUSY.

Note: This is different from a similar command, –ON_FILE_IO_ERROR, which refers to file errors during a read.

–ON_FILE_IO_ERROR

Synonyms Include: –FILEPROCERR

In SECZIP Processing

If an I/O problem occurs during ZIP processing of an input file or a temporary archive, the ON_FILE_IO_ERROR command specifies whether to terminate processing or ignore the error and continue.

–ON_FILE_IO_ERROR(STOP|TERMINATE|TOLERATE|IGNORE)

STOP - Processing halts when an I/O error is detected.

TERMINATE - Processing halts when an I/O error is detected.

TOLERATE - Processing continues with other files. Should all files receive errors, the archive may be empty as no file processing occurred.


IGNORE - Processing continues with other files. Should all files receive errors, the archive may be empty as no file processing occurred.

In either case, the SECZIP program will create a return code and error message(s) indicating the problem.

Note: This is different from a similar command, –ON_FILE_ACCESS_ERROR, which refers to file errors during access, before the file is read.

Used in SECUNZIP Processing

If an I/O problem occurs during ZIP processing of an output file, the ON_FILE_IO_ERROR command specifies whether to terminate processing or ignore the error and continue.

–ON_FILE_IO_ERROR(STOP|TERMINATE|TOLERATE|IGNORE)

STOP - Processing halts when an I/O error is detected.

TERMINATE - Processing halts when an I/O error is detected.

TOLERATE - Processing continues with other files following an I/O error.

IGNORE - Processing continues with other files following an I/O error.

In either case, the SECUNZIP program will create a return code and error message(s) indicating the problem.

Note: This is different from a similar command, –ON_FILE_ACCESS_ERROR, which refers to file errors during access, after the file is extracted.

–OUTFILE_BLKSIZE

Synonyms Include: –OUTBLKSIZ, –OUTBLKSIZE

The OUTFILE_BLKSIZE command specifies the block size to be used when extracting to a dynamically created data set.

–OUTFILE_BLKSIZE(<block size>)

block size - The block size to be used for a newly created data set.

If the block size is not specified by this command, the size is taken from the information stored in the archive. If neither is available, a default size of 6160 bytes is set (assuming that an OUTFILE_DATACLASS was not specified, in which case the default is not used).

A value of zero will cause the SECUNZIP program to calculate a block size for sequential or PDS files. However, do not use a value of zero for undefined files (OUTFILE_RECFM(U)) as the resulting calculated block size may not be appropriate.


–OUTFILE_DATACLASS

Synonyms Include: –OUTDCLASS

This command pertains to DF/SMS allocation of new files when doing SECUNZIP processing. If you specify these classes, they will be passed to DF/SMS when data set allocation occurs.

–OUTFILE_DATACLASS(<SMS Data Class>)

See IBM’s DF/SMS manuals for further information about this parameter.

A new parameter option for SMS classes has been introduced to override a DATACLASS in the archive.

_NONE_

Example of change:

OUTFILE_DATACLASS=_NONE_

When specified, the DATACLASS in the archive is ignored. The RECFM, LRECL, and BLKSIZE will be taken from the original file in the archive.

An ACZDFLT parameter of _NONE_ will override all DATACLASSes in all archives. The data class specified in an OUTFILE_DATACLASS command override is applied to extracted file(s).

Note that during EXTRACT processing to a dynamically allocated data set, an installation SMS ACS routine may assign a DATACLASS outside of UNZIP’s control. The _NONE_ specification negates the DYNALLOC (SVC99) parameter request for DATACLASS by UNZIP, but the installation can still generate an override. This has the potential for assigning DCB attributes that are incompatible with the file data. Care should be taken when using SMS data class attributes to ensure that the installation assigns correct values.

–OUTFILE_DD

Synonyms Include: –OUTDD, –OFILE, –OUTFILE, –OUT_FILE

The OUTFILE_DD command identifies the DD statement that further describes the data set into which the files are to be extracted.

–OUTFILE_DD(<ddname>)

ddname - The DD statement in the JCL that identifies the data set to which files are extracted. When using OUTFILE_DD, allocation and attribute information should be provided in the JCL for the output file.

Multiple OUTFILE_DD commands may not be used. All extracted data is written to the target data set.

Other UNZIP commands are related to the function of OUTFILE_DD and may not be needed when OUTFILE_DD is used. They are the following:


FILE_EXTENSION - Specifies DROP, SUFFIX, or NAMEFILE to tell what to do with file extensions when extracting. The DD statement will determine the name of the output file.

OUTFILE_LRECL, OUTFILE_BLKSIZE, and OUTFILE_RECFM - Commands pertaining to dynamic creation of an output file are ignored when OUTFILE_DD is used.

UNZIPPED_DSN - Specifies exactly what files are to receive the extracted data. This file is determined in the DD statement, but the member name may be affected with the UNZIPPED_DSN command in operation.

–OUTFILE_DIR_BLOCKS

Synonyms Include: –OUTDIRBLKS, –OUTFILE_DIRBLKS

This command specifies the number of directory blocks to be used when a SECUNZIP process requires that a partitioned data set (PDS) is to be created. When OUTFILE_DSNTYPE is PDS or extended attributes are used to create the output file, then OUTFILE_DIR_BLOCKS can be used to specify or override the number of directory blocks to be allocated.

–OUTFILE_DIR_BLOCKS(<blocks>)

blocks - An 8-character field specifying the number of directory blocks to be allocated for a partitioned data set.

00000010 - Ten directory blocks is the default.

–OUTFILE_DSNTYPE

Synonyms Include: –OUTFILE_DSORG, –OUT_DSORG, –MAKEPDS, –MAKEPDSE, –MAKELIBRARY, –MAKESEQ, –MAKEVSAM, –MAKEESDS

The OUTFILE_DSNTYPE command determines the type of output file to be created. This command overrides any stored file attributes.

–OUTFILE_DSNTYPE(SEQ|PDS|PO|PDSE|LIBRARY|VSAM)

If the Modifier Is SEQ

The extracted file will be a sequential data set.

Example: Given the ZIP file MY/DATA/SOURCE/ACCOUNTS and a command of –OUTFILE_DSNTYPE(SEQ), the extracted file will be MY.DATA.SOURCE.ACCOUNTS

If the Modifier Is PDS, PDSE, PO, or LIBRARY

The extracted file will be a partitioned data set. The member name comes from the lowest level of the source data set name. If the PDS receiving the file already exists, you must specify INSERT_MEMBER(Y) or OUTFILE_OVERWRITE(Y) to determine what to do with the additional PDS file.

Example: Given the ZIP file: MY/DATA/SOURCE/ACCOUNTS

and a command of: –OUTFILE_DSNTYPE(PDS)

the extracted member will be: MY.DATA.SOURCE(ACCOUNTS)

If the Modifier Is VSAM

The extracted file will be a VSAM file.

Example: Given the ZIP file: MY/DATA/SOURCE/ACCOUNTS

and a command of: –OUTFILE_DSNTYPE(VSAM)

the extracted cluster name will be: MY.DATA.SOURCE.ACCOUNTS

–OUTFILE_LRECL

Synonyms Include: –OUTLRL –OUTLRECL

This command specifies the logical record length to be used for a new output file. It does not override an existing record length that is specified in JCL or for a data set that already exists.

–OUTFILE_LRECL(<length>)

length - An 8-character field specifying the logical record length.

00000080 - Eighty is the default record length.

–OUTFILE_MGMTCLASS

Synonyms Include: –OUTMCLASS

This command pertains to DF/SMS allocation of new files when doing SECUNZIP processing. If you specify these classes, they will be passed to DF/SMS when data set allocation occurs.

–OUTFILE_MGMTCLASS(<SMS Management Class>)

See IBM’s DF/SMS manuals for further information about this parameter.

–OUTFILE_OVERWRITE

Synonyms Include: –OVERWRITE, –NOOVERWRITE

The OUTFILE_OVERWRITE command is used to update an existing file or member within a PDS.

–OUTFILE_OVERWRITE(Y|N)

Y - YES - The newly extracted data set will overwrite the data in an existing data set of the same name.

N - NO - The new data set will not overwrite an existing data set and the process will fail with an error message.

See INSERT_MEMBER to add a data set to an existing PDS.

–OUTFILE_PDS_ENQ

Synonyms Include: N/A

The OUTFILE_PDS_ENQ command governs the level of disposition that will be used for a PDS or PDSE when processing an EXTRACT request. This affects both the EXTRACT job and other users in the system who have an existing PDS/PDSE open.

–OUTFILE_PDS_ENQ(OLD|SHR)

OLD - Specifies that a DISP=OLD be used.

SHR - Specifies that a DISP=SHR be used.

The greatest level of integrity is reached when jobs use DISP=OLD at the data set level. However, when PDS data sets or PDSE Libraries are held open in long running jobs (such as an online system), it is not possible to use DISP=OLD in the SECZIP program to update a member.

DISP=SHR will result in the SECZIP program processing the PDS directory and its members without full data set serialization. However, some level of protection is provided as follows:

• During an EXTRACT process, SECUNZIP will test for an SPFEDIT ENQ on the PDS/PDSE member. If one exists in the system, then that member will be bypassed.

• The operating system will provide protection for jobs using DISP=OLD:

When another job holds the dataset with DISP=OLD, the SECZIP program will fail to obtain an allocation to the dataset.

If the SECZIP program is updating the dataset and another job starts with DISP=OLD in its JCL, that job will wait until the SECZIP program closes and frees the file.

If the SECZIP program is updating the dataset and another job or user attempts a dynamic allocation with DISP=OLD, that allocation request will fail.

• The operating system may provide update protection for two different jobs attempting DISP=SHR updates. For example:

If an IEBCOPY update is being performed against a PDS with DISP=SHR and SECZIP is running with –OUTFILE_PDS_ENQ(SHR), the SECZIP program may experience a system abend 213-30 when attempting to open the PDS directory. This is the way the system provides PDS directory integrity.

Likewise, if the SECZIP program already has the PDS/PDSE open for output, the same IEBCOPY step in the other job would receive the 213-30 abend.

–OUTFILE_RECFM

Synonyms Include: –OUTTYPE –OUTRECFM

The OUTFILE_RECFM command specifies the record format of the records in a newly extracted data set. If not specified, the information is taken from the attributes stored in the ZIP archive.

–OUTFILE_RECFM(U|F|FA|FB|FBA|FBM|FBS|FM|V|VA|VB|VBA|VBM|VM)

U - Undefined records.

F - Fixed records.

FA - Fixed records with ISO/ANSI control characters.

FB - Fixed-Block records (note also that this default is ignored if an associated SMS command of OUTFILE_DATACLASS is used).

FBA - Fixed-Block records with ISO/ANSI control characters.

FBM - Fixed-Block records with Machine control characters.

FBS - Fixed-Block Standard records.

FM - Fixed records with Machine control characters.

V - Variable records.

VA - Variable records with ISO/ANSI control characters.

VB - Variable-Block records.

VBA - Variable-Block records with ISO/ANSI control characters.

VBM - Variable-Block records with Machine control characters.

VBS - Variable-Block-Spanned records.

VM - Variable records with Machine control characters.

VS - Variable-Spanned records.

An undefined specification (U) will cause any OUTFILE_LRECL specifications to be ignored. Similarly, any of the unblocked specifications will cause OUTFILE_BLKSIZE specifications to be ignored.

–OUTFILE_SPACE_MULTIVOL

Synonyms Include: N/A

The OUTFILE_SPACE_MULTIVOL command controls whether the dynamic allocation of a new non-VSAM output data set will request multiple volumes when OUTFILE_DATACLASS is not in effect.

–OUTFILE_SPACE_MULTIVOL=Y|N

N - When a value of “N” is specified, or an OUTFILE_DATACLASS is specified, SecureZIP does not provide a volume count in the dynamic allocation request. When multiple volumes are required to hold the output file under this condition, the operating system may reject the volume extension with an associated IEC032I-04 E37 error.

Y - When “Y” is specified without an OUTFILE_DATACLASS, a maximum of 59 volumes will be requested in the DYNALLOC request. When this option is enabled, the catalog will show the output data set as being a multi-volume data set.

The message IGD17271I Allocation has been allowed to proceed for data set may appear in the JOB log from the system, but this will not affect SECZIP processing.

Note: See the SecureZIP for zSeries System Administrator’s Guide for more information on SMS dataclass considerations. See also the section “Large File Considerations” in Chapter 8 for discussions regarding SMS class controls of extended size data sets.

–OUTFILE_SPACE_PRIMARY

Synonyms Include: –OUTPRIMARY

This command specifies the number of allocation units in the primary extent to be allocated to a newly extracted data set.

The default is not used if OUTFILE_DATACLASS is specified.

–OUTFILE_SPACE_PRIMARY(<allocation units>)

allocation units - This is an 8-character field specifying the number of allocation units for the primary extent allocation.

00000010 - Ten is the default.

–OUTFILE_SPACE_RLSE

Synonyms Include: –OUTFILE_RLSE, –OUTFILE_RELEASE, –OUTFILE_SPACE_RELEASE, –OUTRLSE, –OUTNORLSE

This command indicates that when a new file is closed using SECUNZIP processing, additional cylinders or tracks should be released from the allocation.

–OUTFILE_SPACE_RLSE(Y|N)

Y - YES - The deallocated free space is released following compression. This is the default action taken for sequential data sets.

N - NO - The deallocated free space is not released following compression. This is the default action taken for partitioned data sets (since the extra space may be needed by other members within the same PDS).

–OUTFILE_SPACE_SECONDARY

Synonyms Include: –OUTSECONDARY

This command specifies the number of allocation units in the secondary extent to be allocated to a newly extracted data set.

The default is not used if OUTFILE_DATACLASS is specified.

–OUTFILE_SPACE_SECONDARY(<allocation units>)

allocation units - This is an 8-character field specifying the number of allocation units for the secondary extent allocation.

0000010 - Ten is the default.

–OUTFILE_SPACE_TYPE

Synonyms Include: –OUTSPACE

This command specifies the type of allocation units that are used at the allocation of a newly extracted data set. The allocation units may be one of five choices with CYL (cylinders) as the default. Note that the default is not used when OUTFILE_DATACLASS is specified.

–OUTFILE_SPACE_TYPE(<TRK|CYL|BLK|MB|KB>)

TRK - (also TRKS and TRACKS) Allocation by tracks.

CYL - (also CYLS and CYLINDERS) Allocation by cylinders.

BLK - (also BLKS and BLOCKS) Allocation by blocks (Note that the block size is specified in the OUTFILE_BLKSIZE command.)

KB - (also KILOBYTES) Allocation by Kilobytes for the ICF catalog environment only.

MB - (also MEGABYTES) Allocation by Megabytes for the ICF catalog environment only.

Note: Both the primary and secondary extents are allocated at 10 allocation units unless changed by the –VSAM_SPACE_PRIMARY or the –VSAM_SPACE_SECONDARY commands.

This command specification can be overridden at the data level by the VSAM_DATA_SPACE_TYPE command. At the data level, the corresponding cluster information is not recognized.

–OUTFILE_STORCLASS

Synonyms Include: –OUTSCLASS

This command pertains to DF/SMS allocation of new files when doing SECUNZIP processing. If you specify these classes, they will be passed to DF/SMS when data set allocation occurs.

–OUTFILE_STORCLASS(<SMS Storage Class>)

See IBM’s DF/SMS manuals for further information about this parameter.

–OUTFILE_UNIT

Synonyms Include: –OUTUNIT

For a newly extracted data set, the generic units for the output file can be specified using the OUTFILE_UNIT command.

–OUTFILE_UNIT(<units>)

unitname - An 8-character field specifying the name of the generic unit to which the output data set is to be allocated.

SYSDA - The default specification.

–OUTFILE_VOLUMES

Synonyms Include: –OUTVOL

For a newly extracted data set, the volume(s) is specified using the OUTFILE_VOLUMES command.

–OUTFILE_VOLUMES(<volname>[ <volname> <volname>…])

volname - A 217-byte field specifying the names of volume(s) (separated by blanks) onto which a newly extracted data set is allocated. There may be up to 31 volume names specified with this command.

For an output that is a new member of a new PDS, the first <volname> will only be used.

For a VSAM file, the volumes are specified at the Cluster Level.

–PAD_CHAR

Synonyms Include: –PAD

When extracting data into fixed length records, specify the pad character with the command PAD_CHAR. If the command is not specified and padding is needed, the default will be spaces (X'40') for TEXT and nulls (X'00') for BINARY extraction.

–PAD_CHAR(<pad char>)

pad char - May be one of the following:

None - For –PAD_CHAR(), the space (X'40') is used.

Any EBCDIC character.

Any Hexadecimal character with the format X('<hex character>').

Multiple pad characters will be used if needed to fill in at the end of the record to make it the required fixed record length.

–PAD_VSAM

Synonyms Include: –PADVSAM, –NOPADVSAM

This command instructs the SECUNZIP program to pad variable length records with a character(s) specified by the PAD_CHAR command to the length specified in the VSAM_RECORDSIZE command (average and maximum lengths must be the same).

–PAD_VSAM(Y|N)

Y - YES - Records are padded with the pad character specified in PAD_CHAR. If the lengths specified in the VSAM_RECORDSIZE command are of different lengths, padding will not occur.

N - NO - Records are not padded.

–PARMLIB_DSNAME_UNZIP

Synonyms Include: –UNZIPCONFIG

–PARMLIB_DSNAME_UNZIP(<dataset>)

data set - SecureZIP for zSeries can be configured or customized to operate in a number of ways. The name of the data set containing the configuration specifications for UNZIP processing is specified by the use of this command. The default command for this data set is NULLFILE.

Note that some installations try to eliminate any allocation of a PARMLIB or CONFIG data set through PARMLIB_DSNAME_ZIP and PARMLIB_DSNAME_UNZIP.

If no installation-supplied data set commands are desired, then ACZDFLT parameters may be set to bypass the allocation attempt. Only //SYSIN DD and EXEC PARM='...' parameters will be processed.

–PARMLIB_DSNAME_ZIP

Synonyms Include: –ZIPCONFIG

–PARMLIB_DSNAME_ZIP(<dataset>)

data set - SecureZIP for zSeries can be configured or customized to operate in a number of ways. The name of the data set containing the configuration specifications for ZIP processing is specified by the use of this command. The default command for this data set is NULLFILE.

–PARMLIB_FILE_WAIT_MAX

Synonyms Include: N/A

If the file indicated by PARMLIB_DSNAME_ZIP or PARMLIB_DSNAME_UNZIP is in use elsewhere and cannot be opened, the command PARMLIB_FILE_WAIT_MAX indicates the maximum amount of time SecureZIP for zSeries will wait for the file to become available before abnormally ending the job. The default setting is five minutes.

–PARMLIB_FILE_WAIT_MAX(<HHMMSSTH>)

HHMMSSTH:

HH - Hours.

MM - Minutes.

SS - Seconds.

T - Tenths of a second.

H - Hundredths of a second.

00050000: 5 minutes is the default.

–PARMLIB_FILE_WAIT_TIMER

Synonyms Include: N/A

If the file indicated by PARMLIB_DSNAME_ZIP or PARMLIB_DSNAME_UNZIP is in use elsewhere and cannot be opened, the command PARMLIB_FILE_WAIT_TIMER is the polling time used during the wait process. The default setting is five seconds.

–PARMLIB_FILE_WAIT_TIMER(<HHMMSSTH>)

HHMMSSTH:

HH - Hours.

MM - Minutes.

SS - Seconds.

T - Tenths of a second.

H - Hundredths of a second.

00000500: 5 seconds is the default.

–PASSWORD

Synonyms Include: –PASS, –PWD

To encrypt a ZIP archive file, the PASSWORD command is used to establish an associated password for that file.

–PASSWORD(<userpw>)

userpw - Your selected password, needed for later decrypting the ZIP archive file. The encrypted file will need this password for access for extraction.

The password:

Is case-sensitive - Capital and lower case letters should be just that. The following passwords are considered three different passwords: Password, PASSWORD, or password. If the password is being input from JCL, take note that the JCL editor may capitalize all the letters of the password.

May be 1-200 characters in length.

This is not stored in the ZIP archive and, as a result, care must be taken to keep passwords secure and accessible by some other source. Different passwords may be used for various files within a ZIP archive, although only one password may be specified per run.

Password translation is done from EBCDIC to ASCII using the TRANSLATE_TABLE_FILEINFO. When cross-platform exchanges are done with encrypted archives, care should be taken to use characters that will be acceptable to both platforms with the translate table in use.

–PATH

Synonyms Include: –NOPATH

The PATH command determines how an MVS filename is converted to a ZIP archive format.

–PATH(Y|N)

When Using –PATH(Y)

When converting a filename from MVS format to ZIP archive format, the PATH(Y) command is specified so that all of the data set levels are used in the archive name. PATH(Y) is the default.

Example: Given the PDS member: PROJECT.DEPT.SOURCE(TEST)

and a command of: –PATH(Y)

the ZIP internal filename will be: PROJECT/DEPT/SOURCE/TEST

Example: Given the PDS dataset that contains member CLOCK00: SYS1.PARMLIB

and a command of: –PATH(Y)

the ZIP internal filename for that member will be: SYS1/PARMLIB/CLOCK00

When Using –PATH(N)

When converting a filename from MVS format to ZIP archive format, the PATH(N) command is specified so that the last level of the data set is used as the archive name. This command is not used if a matching ZIPPED_DSN command exists.

Example: Given the PDS member: SYS1.PARMLIB(CLOCK00)

and a command of: –PATH(N)

the ZIP internal filename will be: CLOCK00

–PKSUPPRC

Synonyms Include: N/A

PKSUPPRC is a non-default command that allows the return code to be suppressed for the following messages:

ZPAM092E – Nothing to do.

ZPAM093W – No files match; Initializing/Copying Archive.

ZPCM032W – Cataloged file request not found

ZPEX013W – Truncation.

ZPEN002W – Encryption Method not supported by this release

ZPEN020W – Filename Encryption is being deactivated in the output archive

ZPEN035E – Archive Authentication Failure

ZPEN039E – Archive Authentication unsuccessful (unsigned archive)

ZPEN045E – File Authentication Failure

ZPEN049E – Archive Authentication unsuccessful (unsigned file)

ZPEN057W – Certificate Validation Failed
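Because PKSUPPRC can suppress the return code for the authentication and certificate-validation messages in this list, the job's condition code alone does not show that a signature check failed. The following sketch is an added example, not part of the PKWARE guide or product: it scans captured SYSPRINT text for the message IDs listed above. The sample lines, the line layout, and the trust/data/other grouping are assumptions made for this example.

```python
import re

# Messages whose return code PKSUPPRC can suppress, as listed in the guide.
SUPPRESSIBLE = {
    "ZPAM092E": "Nothing to do",
    "ZPAM093W": "No files match; Initializing/Copying Archive",
    "ZPCM032W": "Cataloged file request not found",
    "ZPEX013W": "Truncation",
    "ZPEN002W": "Encryption Method not supported by this release",
    "ZPEN020W": "Filename Encryption is being deactivated in the output archive",
    "ZPEN035E": "Archive Authentication Failure",
    "ZPEN039E": "Archive Authentication unsuccessful (unsigned archive)",
    "ZPEN045E": "File Authentication Failure",
    "ZPEN049E": "Archive Authentication unsuccessful (unsigned file)",
    "ZPEN057W": "Certificate Validation Failed",
}

# Grouping chosen for this example (not a PKWARE classification):
# "trust" = a signature or certificate check failed or was absent,
# "data"  = content or protection was reduced without stopping the run.
TRUST_IDS = {"ZPEN035E", "ZPEN039E", "ZPEN045E", "ZPEN049E", "ZPEN057W"}
DATA_IDS = {"ZPEX013W", "ZPEN020W"}

MSG_ID = re.compile(r"\b(ZP[A-Z]{2}\d{3}[A-Z])\b")


def scan_sysprint(text):
    """Return (line number, message id, class) for every suppressible message."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for msg_id in MSG_ID.findall(line):
            if msg_id not in SUPPRESSIBLE:
                continue
            if msg_id in TRUST_IDS:
                cls = "trust"
            elif msg_id in DATA_IDS:
                cls = "data"
            else:
                cls = "other"
            findings.append((lineno, msg_id, cls))
    return findings


def verdict(findings, job_rc):
    """Judge the run from the messages, not only from a possibly suppressed RC."""
    classes = {cls for _, _, cls in findings}
    if "trust" in classes or job_rc != 0:
        return "FAIL"
    if findings:
        return "REVIEW"
    return "OK"


# Constructed SYSPRINT excerpt; only the message IDs come from the guide.
SAMPLE_SYSPRINT = """\
ZPCM023I (certificate store configuration report)
ZPCM024I (recipient types requested)
ZPEX013W Truncation.
ZPEN045E File Authentication Failure
"""

if __name__ == "__main__":
    found = scan_sysprint(SAMPLE_SYSPRINT)
    for lineno, msg_id, cls in found:
        print(f"line {lineno}: {msg_id} [{cls}] {SUPPRESSIBLE[msg_id]}")
    print("verdict with RC=0:", verdict(found, 0))
```
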

–PRESERVE_CMD_SPACES

Synonyms Include: N/A

In releases of PKZIP 2.61 and prior, a " |" was required to identify a command continuation; that is, a blank preceding the "|" was needed to identify the continuation action. The support of continuation command records with embedded blanks that was added with PKZIP MVS Version 5 (for extended filenames) required all occurrences of " |" (preceding space) to be changed to "|".

–PRESERVE_CMD_SPACES

Y - YES - The default; required for the preservation of preceding spaces when required for specific command values—for example, UNIX-format file names with embedded blanks and ARCHIVE_COMMENT text.

N - NO - For backward-compatibility. Enables you to remove blanks preceding the "|" as in earlier releases of PKZIP MVS (provided with fix TT1053).

Warning: Space preservation for current and future commands is predicated on the default PRESERVE_CMD_SPACES=Y. Control cards should be converted to the SecureZIP for zSeries format (no blanks preceding "|" for continued lines).

–PROCESS_ALIAS

Synonyms Include: –ALIASMEMBER, –NOALIASMEMBER

–PROCESS_ALIAS(Y|N)

During ZIP processing, the PROCESS_ALIAS(Y) command specifies that the alias entries for selected PDS members are to be retained for the real member. These stored attributes then may be used when extracting the file to a PDS.

During UNZIP processing, the PROCESS_ALIAS(Y) command specifies that saved alias entries for selected PDS members are to be restored to the PDS directory in association with the real member.

Processing Notes:

• Alias members are not selectable as members or files from the archive. The “real” member must be selected.

• SAVE_FILE_ATTRIBUTES(CENTRAL) must be active during the ZIP process for this command to take effect.

–RECALL_TO_ZIP

Synonyms Include: –RECALL, –NORECALL, –SELECT_MIGRATED

This command instructs SecureZIP for zSeries to either recall a data set with DFHSM or to bypass that data set if a recall is required. This will speed up processing if migrated data sets are not required to be zipped. The catalog information is reviewed for volume serial (MIGRATE or ARCHIVE) to identify data sets which are migrated. (“ARCHIVE” is used by some non-IBM storage management products).

–RECALL_TO_ZIP(Y|N)

Y - YES - Recall a data set using DFHSM. Note that this specification may incur significant processing delays as DFHSM performs the recalls so that file attributes can be checked. File attributes must be checked to ensure that partitioned data set information is all specified and characterized before file selection can occur.

N - NO - Bypass recall of DFHSM data sets.

–RECIPIENT

Synonyms Include: N/A

Here you identify the Public-key recipients that are capable of decrypting the archive.

-RECIPIENT(certificate_store_type:selection[,R][,PASSWORD=password])

certificate_store_type: designates the media in which the certificate(s) containing the public keys are contained.

Certificate Store Type - Selection

DD: - A ddname pre-allocated to the job step.

FILE: - A dataset name that is to be dynamically allocated. This is a fully qualified name conforming to fopen() syntax.

DA: - Converts MVS DSN to FILE:

DS: - Converts MVS DSN to FILE:

DSN: - Converts MVS DSN to FILE:

DB: - Search criteria

LDAP: - Search criteria

System: - Search criteria

Direct File Access – DD, FILE, DA, DS, DSN

A data set reference may be made in the command to access the x.509 file representing the certificate and associated keys. The local certificate store index search (used for DB) is bypassed. This type of reference provides the means to specify a particular certificate/key set when a DB: search request may return more than one. The x.509 does not need to be installed to the local certificate store index. However, certificate validation policy settings may require access to supporting components of the local certificate store to complete certificate validation.

FILE: See the IBM C/C++ Optional Feature Bookshelf, Programming Guide, section “Using a Data Set Name” for fopen() for more information. MVS data set access (non-HFS/zFS) requires “//” as a prefix.

DA:, DS: and DSN: all imply that an MVS data set (or partitioned member) is being accessed. SecureZIP will automatically perform a conversion to the proper FILE: format for the file to be opened.

Search Criteria, Database

DB and LDAP Certificate Stores allow a search to be performed based on selected field types.

DB

The DB Store currently supports searching based on Email address (mail= or EM=), or Common Name (CN=). The value is resolved in a case-insensitive manner within the database index. However, the string must be an exact representation of the value as loaded by the certificate store administrator. Generic and masked searches are not supported.

Example:

If search criteria is "cn=joe smith" and "CN=JOE SMITH": Will resolve to "Joe Smith"

If search criteria is "CN=J* Smith" and "CN=JoeSmith": Will not resolve to "Joe Smith"

It is possible that more than one certificate may be returned for a single Common Name or Email search. If Joe Smith had 2 different certificates installed (from different sources, or the same source for different years) that have the same CN= or EM= value, then both certificates will be included in the recipient list.

A DB: search will not return entries marked by the certificate store administrator as “Suspended”. Entries may be marked this way because they are no longer considered valid for use in the installation.

LDAP

The LDAP Store provides support for Email, Common Name, and other searchable fields supported by your LDAP Service Provider. Up to 3 LDAP servers will be searched based upon the certificate store Configuration settings selected (see {LDAP:...}).

Once a valid certificate is returned for a search in a specified LDAP, the search for that RECIPIENT request is finalized. If a specific LDAP server does not return a valid certificate, then subsequent LDAP servers will be searched until a match is found or the list of configured LDAP servers is exhausted.

Example: Recipient “A” in LDAP #1 and LDAP #2; Recipient “B” in LDAP #2

LDAP #1 and #2 available:

Recipient “A” retrieved from LDAP #1

Recipient “B” retrieved from LDAP #2

LDAP #1 not available:

Recipient “A” retrieved from LDAP #2

Recipient “B” retrieved from LDAP #2

Recipient “A” cert invalid in LDAP #1:

Recipient “A” retrieved from LDAP #2

Recipient “B” retrieved from LDAP #2

System

This option combines the search capabilities of "DB:" and "LDAP:" into one request. Within the definitions set for the certificate store Configuration, the local system "DB:" is searched first.

If one or more entries are determined to exist in the local DB: store, then those entries will be used.

If no entries can be located in the DB: store, then a subsequent search of the configured LDAP(s) will be performed according to the rules for LDAP.

If an error is encountered for a DB: certificate that is indexed in the DB: Store, the search is terminated (that is, no LDAP search is performed).

Please note that the CN= and EM= value formats must be compatible between the DB: and LDAP: search engines.

Example:

If DB contains: CN=Joseph Smith

If LDAP contains: CN=Joe Smith

Request: SYSTEM:CN=

Action: Can only satisfy one of the search types

Resolution: Separate commands should be coded for each cert_store_type
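The DB, LDAP and System search rules above decide which certificates end up able to decrypt an archive, so it helps to trace them before a run. The following model is an added example, not PKWARE code: it reproduces the documented search order, the LDAP failover example, and the rule that a run terminates when a required recipient, or every requested recipient, cannot be resolved (the [,R] behaviour described under RECIPIENT). All store contents and certificate labels are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    ident: str           # label for a certificate (constructed for this example)
    valid: bool = True   # LDAP: an invalid certificate does not end the search
    error: bool = False  # DB: entry is indexed but processing it raises an error


class StoreError(Exception):
    """An indexed DB: certificate could not be processed."""


def search_db(db, key):
    """DB: store. The search string is matched case-insensitively but must
    otherwise be exact; masks such as CN=J* are not expanded."""
    hits = [c for name, certs in db.items() if name.lower() == key.lower() for c in certs]
    if any(c.error for c in hits):
        raise StoreError(key)
    return [("DB", c.ident) for c in hits]  # every match is used, not only the first


def search_ldap(servers, key):
    """Search up to three servers in order; the first server that returns a
    valid certificate ends the search. None marks an unavailable server."""
    for number, directory in enumerate(servers[:3], start=1):
        if directory is None:
            continue
        valid = [c for c in directory.get(key, []) if c.valid]
        if valid:
            return [(f"LDAP #{number}", c.ident) for c in valid]
    return []


def resolve(store_type, key, db, servers):
    """Return the (source, certificate) pairs one RECIPIENT request yields."""
    kind = store_type.upper()
    if kind == "LDAP":
        return search_ldap(servers, key)
    if kind not in ("DB", "SYSTEM"):
        raise ValueError(f"not a search store type: {store_type}")
    try:
        hits = search_db(db, key)
    except StoreError:
        return []  # a DB: error ends the search; SYSTEM does not fall back to LDAP
    if hits or kind == "DB":
        return hits
    return search_ldap(servers, key)


def run_outcome(requests, db, servers):
    """requests: list of (store_type, key, required). Returns (decision, resolved)."""
    resolved = {}
    for store_type, key, required in requests:
        resolved[key] = resolve(store_type, key, db, servers)
        if required and not resolved[key]:
            return "TERMINATE", resolved
    if requests and not any(resolved.values()):
        return "TERMINATE", resolved  # nothing resolved, with or without ",R"
    return "PROCEED", resolved


# Constructed directories matching the LDAP example: A in #1 and #2, B in #2 only.
LDAP1 = {"CN=A": [Cert("A@ldap1")]}
LDAP2 = {"CN=A": [Cert("A@ldap2")], "CN=B": [Cert("B@ldap2")]}
LDAP1_BAD_A = {"CN=A": [Cert("A@ldap1", valid=False)]}


def ldap_table(servers):
    return {key: resolve("LDAP", key, {}, servers) for key in ("CN=A", "CN=B")}


if __name__ == "__main__":
    for label, servers in [("both available", [LDAP1, LDAP2]),
                           ("LDAP #1 not available", [None, LDAP2]),
                           ("A invalid in LDAP #1", [LDAP1_BAD_A, LDAP2])]:
        print(label, ldap_table(servers))
```
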

[,R]

This is an optional flag indicating that one or more certificates must be satisfied from this RECIPIENT request. A ZIP run will terminate if one or more required recipients cannot be resolved.

When a certificate store cannot be opened for a RECIPIENT request that is not required, a non-zero return code may be issued to indicate that a complete search for the recipient could not be performed.

When one or more recipients are requested but none can be resolved, a ZIP run will be terminated regardless of the "R" (required) flag.

[,PASSWORD=]

This designates the password that is required for a private-key certificate. When a value is specified, the target must be an X.509 PKCS#12 private-key certificate. This allows the Public key to be obtained from a private-key Certificate, thereby eliminating the need to store both public-key (PKCS#7) and private-key (PKCS#12) certificates for the same user.

The PASSWORD value may contain blanks and is delimited by the closing right parenthesis ")" of the RECIPIENT command. Quotes and apostrophes should not be used as start/end delimiters.

The PASSWORD parameter is not valid for LDAP searches.

Processing Notes

A “BSAFE” ENCRYPTION_METHOD must be active. However, SecureZIP will automatically switch to BSAFE mode when any of the AES algorithms are specified in combination with a RECIPIENT request for encryption.

When extracting data, SecureZIP will automatically switch to BSAFE mode for AES, 3DES and RC4 files. Exceptions to this are when PKZIP "Standard" encryption files are encountered, or ENCRYPTION_METHOD is explicitly set to one of the PKZIP AES algorithms via a command override.

An absolute maximum of 3,275 public-key recipient certificates can be reflected in the ZIP archive for an individual file. The maximum number of certificates may not be achievable when multiple certificates are returned by Database or LDAP searches. This is because multiple certificates may be returned for a single search request and the maximum number exceeded. The ZIP run will terminate if the maximum number is exceeded.

The total number of RECIPIENTs able to be reflected in the ZIP archive for an individual file is restricted by the file attributes also stored in the central directory for the file. SAVE_FILE_ATTRIBUTES=NONE may be set to increase the amount of space available to hold recipient information. However, if NONE is specified, the file will not be able to be restored to its original file format automatically by UNZIP processing.

The number of RECIPIENT requests (including MASTER_RECIPIENT) is limited to a maximum of 3,275. This is true even if the RECIPIENT requests do not result in public-key certificates being found.

It is important that the “PASSWORD=” keyword be coded in upper case. Any variation in case or misspelling will result in a public-key certificate access attempt (which will fail for a private-key PKCS#12 certificate).

RECIPIENT= may be specified in the defaults module (ACZDFLT or other user-designated module). Specification of this default value in combination with a default strong-security ENCRYPTION_METHOD will result in a corresponding RECIPIENT command being automatically entered to the ZIP run. (ENCRYPTION_METHOD specifies a strong-security profile when any value other than “Standard” or “NONE” is specified). This value cannot be overridden or nullified through standard command stream inputs. A proper LDAP or local certificate store configuration should also be supplied to ensure that the specified RECIPIENT certificate(s) will be found.

MASTER_RECIPIENT= may also be specified in the defaults module. The MASTER_RECIPIENT value will be included in the processing stream when the conditions for default RECIPIENT processing are met, AND either a PASSWORD or RECIPIENT value is present. In other words, MASTER_RECIPIENT is meant to be included when other strong security activation has taken place.

Passwords will be masked out in SYSPRINT output displays.

When FILE: is specified as the certificate lookup type, the data set name will be treated in accordance with fopen() as documented in the IBM C/C++ Programming Guide. See “Performing OS I/O Operations - Using a Data Set Name”. Starting a filename with "//" indicates the file refers to a non-POSIX file or data set. The name specified is translated to upper case by the run-time environment.

Using VERBOSE when recipients are active will display the certificate store configuration (ZPCM023I) and a report of which recipient types are being requested (ZPCM024I).

LDAP "best fit" selection (see the LDAP_ENCRYPT_CERT_SELECT command) can limit the total number of LDAP certificates returned. Otherwise, all certificates meeting the base address/name selection request are included.

Certificates that are used for processing are subject to validation policy settings as governed by {VALENCRYPT}. The policy settings are defined by the certificate store administrator. If no VALENCRYPT settings are found by SECZIP (either through the certificate store Profile or commands), then all aspects of certificate validation will be attempted by default.
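Several of the RECIPIENT rules above fail quietly or late: a lower-case password= keyword turns the request into a public-key access attempt, PASSWORD is not valid for LDAP, and masked DB: searches do not resolve. The following control-card check is an added example, not a PKWARE utility; it applies only the rules stated in this section. The sample cards, data set names and issue codes are constructed, and recognising only an upper-case ",R" is an assumption.

```python
import re

STORE_TYPES = {"DD", "FILE", "DA", "DS", "DSN", "DB", "LDAP", "SYSTEM"}

# Leading "-" or en dash, keyword, then everything up to the last ")".
CARD = re.compile(r"^\s*[-\u2013]?RECIPIENT\((.*)\)\s*$", re.IGNORECASE)
# Found in any case so that a mis-cased keyword can be reported.
PW_KEY = re.compile(r",\s*(PASSWORD)\s*=", re.IGNORECASE)
REQUIRED = re.compile(r",\s*R\s*$")  # assumption: only the documented "R" form

ISSUES = {
    "not-a-recipient-card": "line is not a RECIPIENT command",
    "unknown-store-type": "certificate_store_type is not one listed in the guide",
    "db-mask-not-supported": "DB: searches are exact; generic or masked values do not resolve",
    "password-keyword-not-upper-case": "treated as a public-key access attempt, fails for PKCS#12",
    "password-invalid-for-ldap": "PASSWORD is not valid for LDAP searches",
    "password-quoted": "quotes or apostrophes become part of the password value",
    "inline-password": "card carries a clear-text private-key password; check access to it",
}


def parse_recipient(card):
    """Split a RECIPIENT card into store type, selection, ,R flag and password."""
    match = CARD.match(card)
    if not match:
        return None
    body = match.group(1)
    pw_key = password = None
    pw = PW_KEY.search(body)
    if pw:
        # The value runs to the closing ")" and may contain blanks.
        pw_key, password = pw.group(1), body[pw.end():]
        body = body[:pw.start()]
    required = bool(REQUIRED.search(body))
    if required:
        body = REQUIRED.sub("", body)
    store, _, selection = body.partition(":")
    return {"store": store.strip().upper(), "selection": selection.strip(),
            "required": required, "pw_key": pw_key, "password": password}


def lint_recipient(card):
    """Return the list of issue codes (keys of ISSUES) for one control card."""
    rec = parse_recipient(card)
    if rec is None:
        return ["not-a-recipient-card"]
    issues = []
    if rec["store"] not in STORE_TYPES:
        issues.append("unknown-store-type")
    if rec["store"] == "DB" and "*" in rec["selection"]:
        issues.append("db-mask-not-supported")
    if rec["pw_key"] is not None:
        if rec["pw_key"] != "PASSWORD":
            issues.append("password-keyword-not-upper-case")
        if rec["store"] == "LDAP":
            issues.append("password-invalid-for-ldap")
        value = rec["password"]
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            issues.append("password-quoted")
        issues.append("inline-password")
    return issues


# Constructed control cards for illustration.
SAMPLE_CARDS = [
    "-RECIPIENT(DB:CN=Joe Smith,R)",
    "-RECIPIENT(DB:CN=J* Smith)",
    "-RECIPIENT(LDAP:EM=joe@example.com,PASSWORD=secret)",
    "-RECIPIENT(DSN:HLQ.CERTS.JOEP12,R,password=my pass)",
]

if __name__ == "__main__":
    for card in SAMPLE_CARDS:
        print(card)
        for code in lint_recipient(card):
            print("   ", code, "-", ISSUES[code])
```
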

–RECURSE_LEVELS

Synonyms Include: –RECURSE, –NORECURSE

During ZIP file selection with masking, this specifies whether or not to use file names represented by wildcard specifications.

-RECURSE_LEVELS(Y|N)

When Specifying Y (YES)

Additional data set levels below the qualifiers specified are included in the match for a user specified data set.

Example: For the selection: XXX.YYY(*)

and a command of: -RECURSE_LEVELS(Y)

the following datasets would be found:

XXX.YYY

XXX.YYY.ZZZ

XXX.YYY.REF

XXX.YYY.Z12

or

Example: For the selection: PAYROLL.DEPT(*)

and a command of: -RECURSE_LEVELS(Y)

the following datasets would be found:

PAYROLL.DEPT.ENG

PAYROLL.DEPT.ACC05

PAYROLL.DEPT.MKT

PAYROLL.DEPT.ADVERT

When Specifying N (NO)

Only the specified data set levels from your file selection are used in the match for file selection.

Example: For the selection XXX.YYY(*) and a command of -RECURSE_LEVELS(N), the only dataset found would be:

XXX.YYY

and would not be:

XXX.YYY.ZZZ

XXX.YYY.REF

XXX.YYY.Z12

or

Example: For the selection PAYROLL.DEPT(*) and a command of -RECURSE_LEVELS(N), the only dataset found would be:

PAYROLL.DEPT

and would not be:

PAYROLL.DEPT.ENG

PAYROLL.DEPT.ACC05

PAYROLL.DEPT.MKT

PAYROLL.DEPT.ADVERT

–SAVE_FILE_ATTRIBUTES

Synonyms Include: –ATTRIBCENTRAL, –ATTRIBLOCAL, –ATTRIB, NOATTRIB, USE_FILE_ATTRIBUTES

☺ - Cross Platform Compatible command (VSE, iSeries, and OS/400).

The SAVE_FILE_ATTRIBUTES command specifies whether and where to save the attributes of this compressed file.

–SAVE_FILE_ATTRIBUTES(CENTRAL|LOCAL|BOTH|NONE|NO|N)

In SECZIP Processing

CENTRAL - Allocation attributes for the ZIPPED file are stored in the central directory. SecureZIP for zSeries uses this information when extracting a file.

Note: The –OUTFILE series of commands may be used during SECUNZIP processing to ignore stored attributes.

LOCAL - Attributes for the ZIP file are stored (only) in the local Directory. SecureZIP for zSeries does not use the local Directory when extracting a file.

BOTH - The attributes for a compressed file are to be stored in the ZIP archive in both the Central and the local Directories of an archive when the BOTH modifier is issued.

NONE|NO|N - The attributes for a compressed file are not to be stored in the ZIP archive. This is useful when the archive is to be sent to another platform where the allocation information is not referenced. It also serves to reduce the size of the archive.

In SECUNZIP Processing

NONE|NO|N - The attributes for a ZIP file should not be used when creating a new extracted data set. Instead, the OUTFILE series of commands may specify attributes for the new extracted data set. Any other value will cause SecureZIP for zSeries to blend the extended attributes saved in the archive with override commands for new dynamically allocated files.

The attributes are not used when an OUTFILE_DDNAME JCL allocation is used. The user should specify all appropriate values through JCL or pre-allocation.

–SAVE_LRECL

Synonyms Include: –RDW, –USE_SAVED_LRECL, –ZDW

☺ - This command is compatible with VSE.

- This command is not compatible with UNIX, iSeries, OS/400, and Windows.

This command is used in combination with DATA_TYPE(BINARY) during ZIP processing to specify that record lengths should be retained with the ZIPPED file. This is particularly useful for files containing variable-length records that need to be restored to their original length during UnZip processing.

–SAVE_LRECL(Y|N)

Y - YES - Specifies that record length information is to be included in the Zip archive.

N - NO - Specifies that record length information is not to be included.

A VIEWDETAIL will show “File Type: BINARY SAVED_LRECL (RDW)” when a file has been zipped with this option.

It is highly recommended that VSAM files ZIPPED as BINARY have SAVE_LRECL(Y) specified even if the catalog indicates the average and maximum record size to be the same, because matching catalog values do not guarantee that all records in the VSAM CLUSTER are of the same length.

SAVE_LRECL(Y) should always be specified with Load modules.

A particular platform may not support the SAVE_LRECL command and may not use stored record lengths in a binary file. In that case the file should be processed as straight DATA_TYPE(BINARY); otherwise formatting problems may be encountered with the data.

This command does not apply to files ZIPPED as TEXT.

The command USE_SAVED_LRECL=Y is retained for backward compatibility, but is not required when SAVE_LRECL=Y was specified with the ZIP because the archive contains the required information. This command should not be set to “Y” for extraction if the file was not saved with it on.

–SECURE_OPT_MSK3DES

Synonyms Include: N/A

-SECURE_OPT_MSK3DES(Y|N)

The purpose of this switch is to maintain compatibility with Windows (pre-XP) systems where the private key certificate was not imported with "Mark the private key as exportable". This has importance when sharing AES-encrypted files with recipients.

Y - YES - Instructs SecureZIP to use 3DES (168-bit) encryption for key-generation material when any AES algorithm is specified for ENCRYPTION_METHOD. This provides greater flexibility for exchanging archives with non-XP Windows systems. However, the total security of the file may be reduced.

N - NO - Instructs SecureZIP to use the same algorithm to protect key-generation material as is specified for the data with ENCRYPTION_METHOD. This is a preferred setting to maximize security.

SECUREZIP_CONFIG

Synonyms Include: N/A

SECUREZIP_CONFIG=dataset(member)

This command is specified in the defaults module only.

This setting specifies a PDS[E] member that contains SecureZIP certificate store configuration commands to be automatically included in the processing stream. The configuration command values from this member will be included at the start of command input processing prior to //SYSIN statements being read. The data set(member) will be converted into an "INCLUDE_CMD=(pds[e](member)" command internally and will be echoed to the message log in accordance with the ECHO setting.

SecureZIP certificate store Configuration commands entered from other sources such as //SYSIN will override the values read in from this source.

–SELECT_CATALOGED_ALIAS

Synonyms Include: –ALIAS_NAME, –NOALIAS_NAME, –SELECT_DSN_ALIAS

This parameter specifies whether ALIAS catalog entries are to be eligible for processing when performing a ZIP request for ACTION(ADD) or ACTION(UPDATE).

–SELECT_CATALOGED_ALIAS(Y|N)

Y - YES - Alias catalog entries are processed.

N - NO - Alias catalog entries are not processed.

This command specifies that if there is a data set named XYZ that has an alias defined as ABC, SecureZIP for zSeries processing will zip the XYZ data set if ABC is requested. It is an alternative way of asking for files.

–SELECT_FROM_PDS

Synonyms Include: –PDS_TARGET, –ZIPCUR

Used in SECZIP Processing

The SELECT_FROM_PDS command is used as a shortcut to specify the current higher level components which would apply to the files that follow in the command list. It eliminates having to enter the higher level data set components each time a different data set is referenced.

–SELECT_FROM_PDS(<PDS name>)

Example:

Zipping: ABC

with commands of: –SELECT_FROM_PDS(DOG.PONY.SHOW) ABC

will select the file for zipping: DOG.PONY.SHOW(ABC)

Used in SECUNZIP Processing

The SELECT_FROM_PDS command is used to designate an output library for files to be extracted into. It is commonly used when a PDS is not specified in a data set name, for example, the name levels were dropped by the HIERARCHY(N) command during ZIP processing when the archive was created.

–SELECT_FROM_PDS (<PDS name>)

Example:

Unzipping: ABC with a command of: –SELECT_FROM_PDS (DOG.PONY.SHOW) will extract the PDS member: DOG.PONY.SHOW(ABC)

See UNZIPPED_DSN to specify high level qualifiers in a more general fashion.

–SELECT_TAPE

Synonyms Include: –NOTAPE

This command specifies whether tape files are to be processed when requesting data sets for ZIP processing via the catalog.

–SELECT_TAPE(Y|N)

Y - YES - All tape files in the catalog will be processed.

N - NO - Tape files will be filtered out during processing of the catalog.

See also: SELECT_VSAM, SELECT_MIGRATED, and SELECT_GDGALL.

–SET_ERROR_RC

Synonyms Include: N/A

The SET_ERROR_RC command may be used to set a firm return code when an error has been detected. Internal return codes of 8 or above will be converted to this value. This optional feature may be of use to installations converting from PKZIP for MVS 2.x, which uses RC=24 for severe errors.

–SET_ERROR_RC(<nbr>)

nbr - Return code to be passed to the system.

–SHOW_SETTINGS

Synonyms Include: –SS

This command causes current command settings to be displayed in the output at the point in the input that the SHOW_SETTINGS command is invoked. Since command settings may come from the Execute Parm, the Parmlib Configuration File, or from SYSIN, the use of the SHOW_SETTINGS command is useful in showing the combined effect of all sources leading up to the request.

–SHOW_SETTINGS

No parameter is required.

Some SecureZIP command settings are purposely removed from this display. Other information is available in the listing for commands such as:

• AUTHCHK

• PASSWORD

• MASTER_RECIPIENT

• RECIPIENT

• SIGN_ARCHIVE

• SIGN_FILES

Note: This command does not override or interrupt the processing request in effect for the run (–ACTION). If a standalone report is desired without attempting ZIP/UNZIP archive processing, use the command sequence “–SS –PATCH_REPORT”.

–SIGN_ARCHIVE

Synonyms Include: N/A

Here you identify the private-key certificate that is to be used to digitally sign the archive’s central directory. One and only one certificate may be used to perform this operation. Signing an archive by signing its central directory enables people who receive the archive to confirm that the archive as a whole is not changed. By contrast, signing only individual files in an archive enables people to confirm that the particular signed files are unchanged but not that the archive has had files added or removed.

-SIGN_ARCHIVE(certificate_store_type:selection,PASSWORD=password)

certificate_store_type:selection - Designates the media containing the certificate(s) with the private key.

Certificate Store Type - Selection

DD: - A ddname pre-allocated to the job step.

FILE: - A dataset name that is to be dynamically allocated. This is a fully qualified name conforming to fopen() syntax.

DA: - Converts MVS DSN to FILE:

DS: - Converts MVS DSN to FILE:

DSN: - Converts MVS DSN to FILE:

DB: - Search criteria

Direct File Access – DD, FILE, DA, DS, DSN

A data set reference may be made in the command to access the X.509 file representing the certificate and associated keys. The local certificate store index search (used for DB) is bypassed. This type of reference provides the means to specify a specific certificate/key set when more than one may be returned by a DB: search request. The X.509 file does not need to be installed to the local certificate store index. However, certificate validation policy settings may require access to supporting components of the local certificate store to complete certificate validation.

FILE: See the IBM C/C++ Optional Feature Bookshelf, Programming Guide, section “Using a Data Set Name” for fopen() for more information. MVS data set access (non-HFS/zFS) requires “//” as a prefix.

DA:, DS: and DSN: all imply that an MVS data set (or partitioned member) is being accessed. SecureZIP will automatically perform a conversion to the proper FILE: format for the file to be opened.

Search Criteria, Database

DB reflects the local certificate store, thereby allowing a search to be performed based on selected field types.

DB

The DB Store currently supports searching based on email address (mail= or EM=), or common name (CN=). The value is resolved in a case-insensitive manner within the database index. However, the string must be an exact representation of the value as loaded by the certificate store administrator. Generic and masked searches are not supported.

A DB: search will not return entries marked by the certificate store administrator as “Suspended”. Entries may be marked this way because they are no longer considered valid for use in the installation.

Example:

The search criteria "cn=joe smith" and "CN=JOE SMITH" will resolve to "Joe Smith".

The search criteria "CN=J* Smith" and "CN=JoeSmith" will not resolve to "Joe Smith".

Because it is possible that more than one certificate may be returned for a single common name or email search, care should be taken to ensure that unique names and/or passwords are used when installing the private-key certificates to the database. Since only one certificate may be used for SIGN_ARCHIVE, another alternative is to specify one of the FILE formats to select a specific certificate instead of using the DB form of the command.

,PASSWORD= - The password required to access a private key. When a value is specified, the target must be an X.509 PKCS#12 private-key certificate.

The PASSWORD value may contain blanks and is delimited by the closing right parenthesis ")" of the signing command. Quotes and apostrophes should not be used as start/end delimiters.

Processing Notes

This command has no effect on an archive that contains 0 files (for example, an archive that has had all its files deleted). An attempt to sign a logically empty archive results in an unsigned archive, and an informational message is logged.

Signing the archive central directory also signs the archive’s file statistics and ZIP control information such as the 32-bit CRC. This provides some added protection for files because data tampering would surface as a CRC-check failure during a TEST or EXTRACT operation.

Note that even signing the central directory of an archive does not sign archive comments. Archive comments should not be considered authenticated even if an archive is signed. Do not rely on archive comments for sensitive information.

The processor requirements and elapsed time associated with signing the archive central directory are proportional to the size of the directory (normally a function of the number of files in the archive together with the amount of SAVE_FILE_ATTRIBUTES information associated with each). Typically the central directory is small compared with the size of file data, and only one signing operation is performed for SIGN_ARCHIVE regardless of the number of files.

It is important that the PASSWORD= keyword be coded in upper case. Any variation in case or misspelling will result in a public-key certificate access attempt (which will fail for a private-key PKCS#12 certificate).

SIGN_ARCHIVE= should not be specified in the defaults module (ACZDFLT or other user-designated module). This is because specification of the command necessitates the inclusion of a clear text password. A better technique is to use INCLUDE_CMD and reference an independent file from which the SIGN_ARCHIVE command may be read (and file-protected from read access by the system’s security facility).

Passwords are masked out in SYSPRINT output displays.

When FILE: is specified as the certificate lookup type, the data set name will be treated in accordance with fopen() as documented in the IBM C/C++ Programming Guide. See “Performing OS I/O Operations - Using a Data Set Name”. Starting a filename with “//” indicates the file refers to a non-POSIX file or data set. The name specified is translated to upper case by the run-time environment.

A local certificate store configuration is required to complete the processing of this command. Even when a direct FILE specification is made to locate the private-key certificate, the {CSCA=} and {CSROOT=} certificate store components must be accessible to complete the certificate signing chain within the archive. This information is required to complete authentication processing on the target system when the local certificate store on that system does not contain the certificate authority chain required to validate TRUST.

Processing will be terminated if the requested certificate cannot be accessed.

Certificates that are used for processing are subject to validation policy settings as governed by {VALSIGN}. The policy settings are defined by the certificate store administrator. If no VALSIGN settings are found by SECZIP (either through the certificate store profile or commands), then all aspects of certificate validation will be attempted by default.

Signed archives are tolerated by prior releases of PKZIP and SecureZIP for zSeries but are not processed for authentication.

–SIGN_FILES

Synonyms Include: N/A

Here you identify the private-key certificate that is to be used to digitally sign files to be added to the archive. Multiple signing certificates may be applied to the files. Signing an archive by signing its central directory enables people who receive the archive to confirm that the archive as a whole is not changed. By contrast, signing only individual files in an archive enables people to confirm that the particular signed files are unchanged but leaves open the possibility that the archive has had files added or removed.

-SIGN_FILES(certificate_store_type:selection[,R],PASSWORD=password)

certificate_store_type:selection - Designates the media containing the certificate(s) with the private key.

See SIGN_ARCHIVE for a discussion of the certificate store types and selection processing.

It is possible that more than one certificate may be returned for a single common name or email search. As a result, each one matching the specified password will be used to sign the file(s).

[,R] - an optional flag indicating that one or more certificates must be satisfied from this signing request. A ZIP run will terminate if the required certificates cannot be resolved.

When a certificate store cannot be opened for a SIGN_FILES request that is not required, a non-zero return code may be issued to indicate that a complete search for the recipient could not be performed.

When one or more signers are requested but none can be resolved, a ZIP run will be terminated regardless of the "R" (required) flag.

,PASSWORD= - This designates the password that is required for a private-key certificate. When a value is specified, the target must be an X.509 PKCS#12 private-key certificate.

The PASSWORD value may contain blanks and is delimited by the closing right parenthesis ")" of the signing command. Quotes and apostrophes should not be used as start/end delimiters.

Processing Notes

A NULL file (a binary file having 0 bytes of data) will be signed. However, note that the digital signature is based on a fixed hash value.

The entire data stream of each file is run through the hash algorithm before compression or encryption. However, file text data is translated before hashing so that the receiving system is able to hash the identical stream after decryption/decompression.

The processor requirement for a file signature is directly related to the size of the file(s) being signed and/or authenticated (see SIGN_HASHALG). Therefore, when processing costs are a consideration, the decision whether to use SIGN_FILES to sign large files should be based on the business case. Sometimes SIGN_ARCHIVE may be more appropriate. (The directory size is proportional to the number of files in the archive, not the physical size of the file data.)

A separate signing operation is performed for each supplied certificate, for each file. Processor and elapsed time will be impacted in proportion to the number of signatories and files selected.

The number of file signatures that can be held for each file is constrained by a number of factors. These include SAVE_FILE_ATTRIBUTES=Y, the size of the signatures generated (based on the size of the certificate information), the number of certificates in the authenticating certificate authority chain, the number of different certificate authorities used in association with the signing certificates, whether FILENAME_ENCRYPTION=N, and the number of RECIPIENTs for certificate-based encryption of files. Typical ZIP operations support up to ten file signatories as a rule, although more or fewer may be achieved in practice.

It is important that the PASSWORD= keyword be coded in upper case. Any variation in case or misspelling will result in a public-key certificate access attempt (which will fail for a private-key PKCS#12 certificate).

SIGN_FILES= should not be specified in the defaults module (ACZDFLT or other user-designated module). This is because specification of the command necessitates the inclusion of a clear text password. A preferable technique is to use INCLUDE_CMD and reference an independent file from which the SIGN_FILES command(s) may be read (and file-protected from read access by the system’s security facility).

Passwords are masked out in SYSPRINT output displays.

When FILE: is specified as the certificate lookup type, the data set name will be treated in accordance with fopen() as documented in the IBM C/C++ Programming Guide. See “Performing OS I/O Operations - Using a Data Set Name”. Starting a filename with "//" indicates the file refers to a non-POSIX file or data set. The name specified is translated to upper case by the run-time environment.

A local certificate store configuration is required to complete the processing of this command. Even when a direct FILE specification is made to locate the private-key certificate, the {CSCA=} and {CSROOT=} certificate store components must be accessible to complete the certificate signing chain within the archive. This information is required to complete authentication processing on the target system when the local certificate store on that system does not contain the certificate authority chain required to validate TRUST.

Processing is terminated if none of the requested certificates can be accessed, regardless of the “R” required flag. If multiple requests are made and at least one signature is found, processing will continue normally.

Certificates used for processing are subject to validation policy settings as governed by {VALSIGN}. The policy settings are defined by the certificate store administrator. If no VALSIGN settings are found by SECZIP (either through the certificate store profile or commands), then all aspects of certificate validation will be attempted by default.

Signed Files are tolerated by prior releases of PKZIP and SecureZIP for zSeries but are not processed for authentication.
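The difference in coverage between SIGN_FILES and SIGN_ARCHIVE described in these two entries can be modelled outside SecureZIP. The following Python is an added illustration, not PKWARE code and not SecureZIP's signature format: it uses SHA-256 digests as a stand-in for certificate signatures, and the member names, contents and comments are constructed sample data.

```python
import hashlib
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # end-of-central-directory record signature

# Constructed sample members (not from the guide).
MEMBERS = {
    "dept/acc.txt": b"salary=200\n",
    "dept/eng.txt": b"salary=100\n",
    "dept/mkt.txt": b"salary=300\n",
}


def build_archive(members, comment=b""):
    """Build an in-memory ZIP with fixed timestamps so output is repeatable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.comment = comment
        for name in sorted(members):
            info = zipfile.ZipInfo(name, date_time=(2005, 1, 1, 0, 0, 0))
            zf.writestr(info, members[name])
    return buf.getvalue()


def central_directory(zip_bytes):
    """Return the raw central directory. The archive comment lives in the
    end-of-central-directory record and is not part of these bytes."""
    pos = zip_bytes.rfind(EOCD_SIG)
    if pos < 0:
        raise ValueError("no end-of-central-directory record found")
    # sig(4) disk(2) cd_disk(2) entries_disk(2) entries(2) cd_size(4) cd_offset(4) comment_len(2)
    fields = struct.unpack("<4s4H2LH", zip_bytes[pos:pos + 22])
    cd_size, cd_offset = fields[5], fields[6]
    return zip_bytes[cd_offset:cd_offset + cd_size]


def file_digests(zip_bytes):
    """Stand-in for SIGN_FILES: one digest per member's data."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {n: hashlib.sha256(zf.read(n)).hexdigest() for n in zf.namelist()}


def directory_digest(zip_bytes):
    """Stand-in for SIGN_ARCHIVE: one digest over the central directory."""
    return hashlib.sha256(central_directory(zip_bytes)).hexdigest()


def files_ok(zip_bytes, signed):
    """Each file still present must match its recorded digest."""
    current = file_digests(zip_bytes)
    return all(signed.get(name) == digest for name, digest in current.items())


def coverage_report():
    """Return {case: (per-file check passes, directory check passes)}."""
    original = build_archive(MEMBERS, comment=b"approved by audit")
    signed_files = file_digests(original)
    signed_dir = directory_digest(original)

    removed = {n: d for n, d in MEMBERS.items() if n != "dept/mkt.txt"}
    edited = dict(MEMBERS)
    edited["dept/eng.txt"] = b"salary=900\n"
    cases = {
        "unchanged": original,
        "file removed": build_archive(removed, comment=b"approved by audit"),
        "file edited": build_archive(edited, comment=b"approved by audit"),
        "comment changed": build_archive(MEMBERS, comment=b"approved by nobody"),
    }
    return {label: (files_ok(z, signed_files), directory_digest(z) == signed_dir)
            for label, z in cases.items()}


if __name__ == "__main__":
    for label, (per_file, directory) in coverage_report().items():
        print(f"{label:16} per-file={per_file!s:5} directory={directory}")
```

The removed-file case passes the per-file check and fails only the directory check, and the changed archive comment passes both, matching the processing notes on comments.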

–SIGN_HASHALG

Synonyms Include: N/A

Here you specify the hashing algorithm that is used to generate a digital signature. It applies to the active SIGN_ARCHIVE and SIGN_FILES commands during a ZIP run.

–SIGN_HASHALG(SHA-1|MD5)

SHA-1 - The default algorithm generates a 20-byte hash value. This algorithm is supported by all SecureZIP products.

The information below is from FIPS 180-1:

This Standard specifies a Secure Hash Algorithm, SHA-1, for computing a condensed representation of a message or a data file. When a message of any length < 2^64 bits is input, the SHA-1 produces a 160-bit output called a message digest. The message digest can then be input to the Digital Signature Algorithm (DSA) which generates or verifies the signature for the message. Signing the message digest rather than the message often improves the efficiency of the process because the message digest is usually much smaller in size than the message. The same hash algorithm must be used by the verifier of a digital signature as was used by the creator of the digital signature.

The SHA-1 is called secure because it is computationally infeasible to find a message which corresponds to a given message digest, or to find two different messages which produce the same message digest. Any change to a message in transit will, with very high probability, result in a different message digest, and the signature will fail to verify.

MD5 - This algorithm generates a 16-byte hash value. It is included for compatibility with older releases of PKZIP on other platforms, which previously supported this algorithm.

Processing Notes

The entire data stream (archive central directory or file data) is run through the hash algorithm before compression or encryption. However, file text data is translated before hashing so that the receiving system is able to hash the identical stream after decryption/decompression.

During authentication operations, SecureZIP for zSeries will dynamically detect which algorithms had been used for signing and perform the necessary processing to validate the signature.
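The cautions in the SECURE_OPT_MSK3DES, SIGN_ARCHIVE, SIGN_FILES and SIGN_HASHALG entries can be checked mechanically before a job is submitted. The following Python checker is an added example, not part of SecureZIP: the finding codes, function names and sample command stream are constructed for illustration, and it assumes one command per line.

```python
import re

# -NAME(value) or NAME=value; the leading dash may be "-" or the en dash used in this guide.
CMD_RE = re.compile(r"^\s*[-\u2013]?([A-Za-z0-9_]+)\s*(?:\((.*)\)|=(.*))\s*$")
# The password runs from the keyword to the end of the value and may contain blanks.
PW_RE = re.compile(r",(password)=(.*)$", re.IGNORECASE)
SIGNING = {"SIGN_ARCHIVE", "SIGN_FILES"}

# Finding codes are labels made up for this example; the texts paraphrase the guide.
FINDINGS = {
    "MSK3DES_ON": "3DES protects key-generation material; total security may be reduced",
    "MD5_HASH": "MD5 is included only for compatibility with older releases",
    "SIGNING_IN_DEFAULTS": "signing command in the defaults module exposes a clear text password",
    "PW_KEYWORD_CASE": "PASSWORD= must be upper case or a public-key access is attempted",
    "PW_QUOTED": "quotes and apostrophes should not delimit the PASSWORD value",
}

# Constructed sample command stream (certificate names and passwords are invented).
SAMPLE = """\
-SECURE_OPT_MSK3DES(Y)
-SIGN_HASHALG(MD5)
-SIGN_ARCHIVE(DB:CN=Payroll Signer,password=Spring 2005)
-SIGN_FILES(DSN:PAYROLL.CERTS(SIGNER),R,PASSWORD="two words")
-SHOW_SETTINGS
"""


def parse(line):
    """Return (COMMAND, value) or None for lines without a value."""
    m = CMD_RE.match(line)
    if not m:
        return None
    value = m.group(2) if m.group(2) is not None else m.group(3).rstrip()
    return m.group(1).upper(), value


def mask(line):
    """Hide the password of a signing command before the line is logged."""
    parsed = parse(line)
    if not parsed or parsed[0] not in SIGNING:
        return line
    pw = PW_RE.search(parsed[1])
    if not pw or not pw.group(2):
        return line
    # The password is the tail of the value, so replace its last occurrence.
    head, _, tail = line.rpartition(pw.group(2))
    return head + "********" + tail


def lint(text, defaults_module=False):
    """Return [(line number, finding code)] for a command stream."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        parsed = parse(line)
        if not parsed:
            continue
        name, value = parsed
        if name == "SECURE_OPT_MSK3DES" and value.strip().upper() in ("Y", "YES"):
            findings.append((number, "MSK3DES_ON"))
        elif name == "SIGN_HASHALG" and value.strip().upper() == "MD5":
            findings.append((number, "MD5_HASH"))
        elif name in SIGNING:
            if defaults_module:
                findings.append((number, "SIGNING_IN_DEFAULTS"))
            pw = PW_RE.search(value)
            if pw and pw.group(1) != "PASSWORD":
                findings.append((number, "PW_KEYWORD_CASE"))
            if pw and pw.group(2).startswith(('"', "'")):
                findings.append((number, "PW_QUOTED"))
    return findings


if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    for number, code in lint(SAMPLE, defaults_module=True):
        print(f"line {number}: {code}: {FINDINGS[code]}")
        print(f"    {mask(lines[number - 1])}")
```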

–SIGNAL_ZIP64

Synonyms Include: N/A

Here you specify the severity of message and return code when creating or updating an archive and ZIP64 processing is required.

–SIGNAL_ZIP64(0|4|8)

0 - The default setting is to allow processing to continue with no effect on return code, and to issue informational message ZPAM046I.

4 - A setting to allow processing to continue with a minimal return code of 4, and to issue warning message ZPAM046W.

8 - The default setting is to halt processing with a return code of 8, and to issue error message ZPAM046E.

This feature may be of value when creating archives intended for distribution to systems that may not be able to handle the ZIP64 processing attributes. This may be due to the UNZIP software being used on the target system or the file system for the related OS. (For example, some UNIX or Windows FAT file systems cannot handle file sizes greater than 4 gigabytes).

Triggers for this command include:

• More than 65,535 files are being placed into the archive

• One or more source files are greater than 4 gigabytes in size

• The amount of data written to the archive exceeds 4 gigabytes

–SIMULATE

Synonyms Include: N/A

This command runs file selection processes for ACTION(ADD), ACTION(EXTRACT), ACTION(FRESHEN), and ACTION(UPDATE), but does not perform actual data manipulations for the files selected or for the output archive. Compression and Decompression algorithms will be bypassed. The input archive will be opened and read for directory information. STAGE_TAPE_ON_DISK will also be acted upon when specified or required.

–SIMULATE(Y|N)

Y - YES - Simulation of the file selection processes will occur.

N - NO - Full file processing will occur.

Note: This command is helpful when learning to code the ZIPPED_DSN and UNZIPPED_DSN commands.

–SNAP_SYSOUT_CLASS

Synonyms Include: N/A

This command specifies the SYSOUT class to be used for SNAP dumps. This feature is used only in conjunction with diagnostic features of SecureZIP for zSeries and may not necessarily be used by an end user of the product.

–SNAP_SYSOUT_CLASS(<class>)

class - A one-character class assigned for the output of a SNAP dump.

* - The default.

–STAGE_TAPE_ON_DISK

Synonyms Include: –STAGE_TAPE_TO_DISK

This command specifies that input from a sequential device be stored in a temporary data set.

–STAGE_TAPE_ON_DISK(Y|N)

Y - Yes - Processing occurs on disk rather than on tape.

N - No - Processing occurs on tape, thus incurring significant processing degradation.

When reading a cartridge-based archive, the input can be stored in a temporary data set with the STAGE_TAPE_ON_DISK command. This occurs automatically when reading a 3420 (reel-to-reel) archive.

Should allocated temporary space be insufficient, the temporary data set is not used and processing continues with the tape. Note that this will have an impact on elapsed processing time.

It is helpful to include FREE=CLOSE in the DD statement in the JCL. This frees up the tape once the copy of the data has been made. If it is not included, the tape must remain mounted for the duration of ZIP processing.

Warning: If an //ARCHTEMP DD is found in the JCL, it will be over-written with the input archive. This DDNAME should not be used in a SecureZIP for zSeries job-step for any other purpose.

–STRIP_CHAR

Synonyms Include: –STRIP

This command specifies an ending character to be removed from the end of each record before it is compressed. There is no default as this process does not occur unless specified.

-STRIP_CHAR(<strip char>)

strip char - A single entry for the character(s) to be removed from the end of each record before compressing. One of three types may be entered:

• No character specifies that trailing spaces (hex ’40’) are removed from every record.

• Any EBCDIC character.

• Any Hexadecimal character in the format: STRIP_CHAR(X’7B’).

If multiple characters occur at the end of the record, all occurrences of the character are removed.

Use caution with this command as it modifies the data set.

–SUPPRESS_DYNALLOC_MSGS

Synonyms Include: –NODYNMSGS

This command specifies that the dynamic allocation messages that appear in the job log be suppressed. This will not affect severe errors.

–SUPPRESS_DYNALLOC_MSGS

SecureZIP for zSeries performs dynamic allocation requests for various files (archive, parameter, input, output, and temporary). During the system-service requests, the operating system may attempt to issue messages to the joblog or foreground TSO session screen. These messages are classified by level, ranging from Informational to error conditions. SecureZIP for zSeries intercepts many of the dynamic allocation return code conditions and provides its own reporting according to the data set request being performed.

SUPPRESS_DYNALLOC is the default, which limits the operating system to reporting “Error” conditions (as the operating system defines “error”).

If additional dynamic allocation information is needed for problem determination purposes, the SecureZIP for zSeries technical support staff will provide additional commands that will provide tracing of dynamic allocation activities.

Note: An ACZDFLT setting of –TRACE_DYNALLOC=0 can be used to make this the default.

–SYSPRINT_DCB

Synonyms Include: N/A

This command can only be entered through ACZDFLT or as an EXEC parameter. The SYSPRINT DCB attributes can be customized.

–SYSPRINT_DCB(FB132|FBA121|FBA133|FA121)

FB132 - SYSPRINT DCB attributes will be fixed block 132 no ASA.

FBA121 - SYSPRINT DCB attributes will be fixed block 121 with ASA.

FBA133 - SYSPRINT DCB attributes will be fixed block 133 with ASA.

FA121 - SYSPRINT DCB attributes will be fixed 121 with ASA.

The ASA control character (character in column 1) will be a blank.

–SYSPRINT_SYSOUT_CLASS

Synonyms Include: N/A

This command specifies the SYSOUT class to be used for SYSPRINT messages when a SYSPRINT allocation is not provided for the job/session.

–SYSPRINT_SYSOUT_CLASS(<class>)

class - A one-character class assigned for the output of SYSPRINT listings.

The default is the JCL MSGCLASS associated with the runtime environment.

Record Length: 132.

Format: FB.

–TEMP_BLKSIZE

Synonyms Include: –TEMPBLKSIZ

This command specifies the block size of a temporary SecureZIP for zSeries data set.

–TEMP_BLKSIZE(DYNAMIC|SMS|value)

DYNAMIC/SMS - A dynamically computed value will be requested by SecureZIP for zSeries (although SMS or allocation routines in the operating system may override the value).

Value - A blocksize value; recommended to be sized at half-track for the selected TEMP_UNIT.

When either DYNAMIC or SMS is specified, a dynamically computed value will be requested by SecureZIP for zSeries (although SMS or allocation routines in the operating system may override the value).

–TEMP_DATACLASS

Synonyms Include: –TEMPDCLASS

–TEMP_DATACLASS(<data class>)

Use this command to specify or override the value for temporary work file allocation requests in a DF/SMS-controlled environment.

data class - Specifies the DF/SMS data class receiving the temporary ZIP data set.

See IBM’s DF/SMS manuals for further information about this parameter.

–TEMP_MGMTCLASS

Synonyms Include: N/A

–TEMP_MGMTCLASS(<mgmt class>)

Use this command to specify or override the value for temporary work file allocation requests in a DF/SMS-controlled environment.

mgmt class - Specifies the DF/SMS management class receiving the temporary ZIP data set.

See IBM’s DF/SMS manuals for further information about this parameter.

–TEMP_RECFM

Synonyms Include: –TEMPTYPE

–TEMP_RECFM(U|F|FB)

The command specifies the record format of a temporary work data set.

U - Undefined record format.

F - Fixed record format.

FB - Fixed block record format.

–TEMP_SPACE_MULTIVOL

Synonyms Include: N/A

Controls whether the dynamic allocation of a new non-VSAM temporary data set will request multiple volumes when TEMP_DATACLASS is not in effect.

–TEMP_SPACE_MULTIVOL=Y|N

N - When a value of “N” is specified, or a TEMP_DATACLASS is specified, SecureZIP does not provide a volume count in the dynamic allocation request. When multiple volumes are required to hold the temporary data set under this condition, the operating system may reject the volume extension with an associated IEC032I-04 E37 error.

Y - When “Y” is specified without a TEMP_DATACLASS, a maximum of 59 volumes will be requested in the DYNALLOC request. When this option is enabled, the catalog will show the archive data set as being a multi-volume data set.

The message IGD17271I Allocation has been allowed to proceed for data set may appear in the JOB log from the system, but will not affect SECZIP processing.

Note: See the SecureZIP for zSeries System Administrator’s Guide for more information on SMS dataclass considerations. See also the section “Large File Considerations” in Chapter 8 for discussions regarding SMS class controls of extended size data sets.

–TEMP_SPACE_PRIMARY

Synonyms Include: –TEMPPRI, –TEMPPRIMARY

–TEMP_SPACE_PRIMARY(<allocation units>)

allocation units - Specifies the number of allocation units for the primary extent of the temporary ZIP data set.

Default is the same as ARCHIVE_SPACE_PRIMARY.

–TEMP_SPACE_SECONDARY

Synonyms Include: –TEMPSEC, –TEMPSECONDARY

–TEMP_SPACE_SECONDARY(<allocation units>)

allocation units - The size of the secondary extent in allocation units for the temporary ZIP data set.

Default is the same as ARCHIVE_SPACE_SECONDARY.

–TEMP_SPACE_TYPE

Synonyms Include: –TEMPSPACE

-TEMP_SPACE_TYPE(TRK|CYL|BLK)

TRK - Tracks

CYL - Cylinders

BLK - Blocks (with the size specified in the TEMP_BLKSIZE command)

–TEMP_STORCLASS

Synonyms Include: –TEMPSCLASS

-TEMP_STORCLASS(<storclass>)

Use this command to specify or override the value for temporary work file allocation requests in a DF/SMS-controlled environment.

storclass - The DF/SMS storage class requested in placing the temporary ZIP data set. An installation’s DF/SMS ACS routine may reset the value.

See IBM’s DF/SMS manuals for further information about this parameter.

–TEMP_UNIT

Synonyms Include: –TEMPUNIT

-TEMP_UNIT(<unit name>)

unit name - Specifies the generic unit name indicating where the data set is to be allocated. SYSDA is the default if not provided.

Use the SHOW_SETTINGS command to determine the installation’s selected default values.

Note: The defaults shown may not reflect the values set for the installation by the product installer.

–TEMP_VOLUMES

Synonyms Include: –TEMPVOL

-TEMP_VOLUME(<volname>[ <volname> <volname> …])

volname - Specifies 1 to 31 volumes that indicate where the temporary ZIP data set is to be allocated. Separate multiple <volname> values with spaces.

This command is used in conjunction with TEMP_UNIT to direct work files to a specific location. SecureZIP for zSeries will use values specified in its dynamic allocation request. The installation’s storage management controls may redirect the actual file location.

Note: The defaults shown may not reflect the values set for the installation by the product installer.

–TRACE_TABLE_SIZE

Synonyms Include: N/A

This command specifies the size of the internal trace table.

–TRACE_TABLE_SIZE(<tabsize>)

tabsize - An 8-byte field containing the size of the trace table.

–TRANSLATE_TABLE_DATA

Synonyms Include: –TRAN

☺ - Cross Platform Compatible command (VSE, iSeries, OS/400, UNIX, and Windows).

–TRANSLATE_TABLE_DATA(<translation table name>)

Used in SECZIP Processing

Use the TRANSLATE_TABLE_DATA command to identify a particular translation table to be used when converting text file data from one character set to another. This command would be used, for example, when converting a file from EBCDIC to ASCII, which is the standard ZIP archive text format.

<translation table name> specifies a usable table name for translation. EBC#8859 is the default if TRANSLATE_TABLE_DATA is not specified. The default is the table specified in the defaults module, and it can be changed by customizing the ACZDFLT module.

Used in SECUNZIP Processing

Use the TRANSLATE_TABLE_DATA command to identify a particular translation table to be used when extracting a text file from ASCII to another character set. This command would be used, for example, when converting a ZIP archive file in ASCII to a non-MVS format of EBCDIC.

TRANSLATE_TABLE_DATA(<translation table name>) where <translation table name> specifies a useable table name for translation.

EBC#8859 is the default if TRANSLATE_TABLE_DATA is not specified. The default table selection may be changed to a different table.

SecureZIP for zSeries provides certain “ready to use” translation tables commonly used in an OS/390 environment. These tables are provided “as is” and are not supported as part of SecureZIP for zSeries. It is your responsibility to ensure that the data translation mapping satisfies your requirements. More information can be found in the FAQ at http://www.pkware.com.

Language      EBCDIC     ASCII       EURO/ASCII  EBCDIC       ASCII        EURO/ASCII   Table Name  Table Name
              Code Page  Code Page   Code Page   Code Set ID  Code Set ID  Code Set ID  ASCII       EURO
German        273        850         858         EB           AA           AI           TRTEBAA     TRTEBAI
Spanish       284        850         858         EJ           AA           AI           TRTEJAA     TRTEJAI
Portuguese    282        850         858         EI           AA           AI           TRTEIAA     TRTEIAI
Italian       280        850         858         EG           AA           AI           TRTEGAA     TRTEGAI
Danish        277        850         858         EE           AA           AI           TRTEEAA     TRTEEAI
Norwegian     277        850         858         EE           AA           AI           TRTEEAA     TRTEEAI
Swedish       278        850         858         EF           AA           AI           TRTEFAA     TRTEFAI
Finnish       278        850         858         EF           AA           AI           TRTEFAA     TRTEFAI
French        297        850         858         EM           AA           AI           TRTEMAA     TRTEMAI
English UNIX  IBM 1047   ISO 8859-1                                                     EBC#8859
English PC    IBM 1047   IBM 850                                                        EBC#850

–TRANSLATE_TABLE_FILEINFO

Synonyms Include: –FTRAN, –TRANSLATE_FILEINFO, –TRANSLATE_FILENAME

☺ - Cross Platform Compatible command (VSE, iSeries, OS/400, UNIX, and Windows).

The TRANSLATE_TABLE_FILEINFO command specifies a translation table to be used with file information such as comments, file names, and password usage for an encrypted file. The default is EBC#8859 if this command is not specified.

-TRANSLATE_TABLE_FILEINFO(<trantable>)

trantable - A name of a loadable translation table that is supplied with the product or customized by the installation.

Use this command when filenames are in an incompatible format with the target platform or when standard translation tables contain indecipherable characters from when the file was previously translated.

–UNZIPPED_DSN

Synonyms Include: –NOA, –HLQ, –UNZIPPED_DSNAME

One or more UNZIPPED_DSN commands may be used to modify high level qualifiers when extracting files. During filename transformation (from archive filename format to MVS data set name format), matching archive file high level qualifiers are replaced with an MVS high level qualifier specified in this command. A generalized renaming process can be made by using wildcard specifications.

The basic format of the command is:

–UNZIPPED_DSN([<Zipfile_path>],[<MVS_hlq>])

Note: Either field may be blank but not both.

Note: In previous versions of PKZIP for zSeries, the ‘/’ character was used to separate the two parameters. This character is still supported, but the ‘,’ is recommended as this is consistent with other commands and removes confusion about the use of the ‘/’ character in the Zip file name.

The four possible functions performed by this command include:

High-Level Replacement

–UNZIPPED_DSN(<Zipfile_path>,<MVS_hlq>)

Example:
Given the archive: MDB/TYPE/RATE
and a command of: –UNZIPPED_DSN(MDB.TY,XXX.) (note delimiter in newname)
the result will be: XXX.PE.RATE

Example:
Given the archive: MDB/TYPE/RATE
and a command of: –UNZIPPED_DSN(*,XXX) (note use of wildcard for high level qualifier in oldname)
the result will be: XXX.TYPE.RATE

Example:
Given the archive: MDB/TYPE/RATE
and a command of: –UNZIPPED_DSN(MDB.?YPE.,XXX) (note delimiter in oldname)
the result will be: XXX.RATE

High Level Prefixing

–UNZIPPED_DSN(,<MVS_hlq>)

Example:
Given the archive: MDB/TYPE/RATE
and a command of: –UNZIPPED_DSN(,NEW.) (note delimiter in new name)
the result will be: NEW.MDB.TYPE.RATE
or a command of: –UNZIPPED_DSN(,NEW) (note no delimiter in new name)
the result will be: NEWMDB.TYPE.RATE

High-Level Removal

–UNZIPPED_DSN(<Zipfile_path>,)

Example:
Given the archive: MDB/TYPE/RATE
and a command of: –UNZIPPED_DSN(M,)
the result will be: DB.TYPE.RATE (with the “M” removed)

Complete Replacement

–UNZIPPED_DSN(**,<MVS_hlq>)

Example:
Given the data: MDB/TYPE/RATE
and a command of: –UNZIPPED_DSN(**,NEW.VER.DATA)
the result will be: NEW.VER.DATA

Parameter Usage:

• <Zipfile_path> defines the high-level qualifier characters of the input ZIP file name that are to be substituted by the <MVS_HLQ>. This value can be up to 80 characters long and may specify wild characters to assist in the matching. The wild characters that can be specified are:

“*” to match any number of characters (within one level).

“?” to match a single character (except a qualifier separation character).

• <MVS_hlq> specifies the characters that are to be used to replace those specified in the first operand (if any) and prefixed to the remainder of the archive filename. A maximum of 54 characters may be specified and should match MVS dataset naming conventions.

‘*’

Processing Notes

• If you are uncertain about the results that will be achieved by the use of UNZIPPED_DSN, it is recommended that trial runs be performed with the SIMULATE command. This will cause SecureZIP for zSeries to issue standard extraction messages that contain the target DSN values without actually extracting the files. This avoids excessive processing time and errant dataset creation when undesired filename results are experienced.

• The UNZIPPED_DSN command is not recommended when using NOHIERARCHY, OUTDD, or ZIPCUR commands, as these commands can also change the output dataset name used, in potentially conflicting ways.

• The UNZIPPED_DSN command is processed after the FILE_EXTENSION command has been used. FILE_EXTENSION(DROP) causes the removal of the ‘extension’ in the ZIP file name, in which case the extension should not be used when specifying the Zipfile_path.

• When attempting to extract files to PDS members, the command OUTFILE_DSNTYPE(PDS|PDSE) may be used in combination with this command. In addition, by specifying a PDS member mask in newname, a PDS target will be assumed. For example: UNZIPPED_DSNAME(**,MY.NEW.PDS(*)).

• Message ZPAM183E will be issued when the target MVS name is determined to fail MVS naming conventions (such as when the resulting filename is too long for the target dataset type, or DSN qualifiers are not properly constructed with period separators).

• ZPAM91I GENERATED MVS DSN LEVEL TOO LONG MAS.IR4006DZMTVT.

• ZPAM183E UNZIPPED_DSN(…/ parm2) Name is invalid.

• The input UNZIPPED_DSN commands are searched in the order specified until a match is found with the beginning of the ZIP archive file name. Although many commands may be specified to account for various filename matches, one and only one is used to resolve the MVS_hlq once a match is found.
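
The following Python model is an added example, not part of the original guide and not PKWARE code. It reproduces the UNZIPPED_DSN results shown in the examples above, applies the first-match rule order, and checks each predicted name against the standard z/OS data set naming limits (44 characters overall, qualifiers of 1 to 8 characters). The function names, the sample entries, and the treatment of a trailing period in <Zipfile_path> as a level boundary that is not consumed are assumptions; a SIMULATE run remains the authoritative result.

```python
import re

SEP = "."  # MVS qualifier separator

# Standard z/OS rule: 1-8 characters, first alphabetic or national (@ # $),
# the rest alphanumeric, national or hyphen.
_QUALIFIER = re.compile(r"[A-Z@#$][A-Z0-9@#$-]{0,7}\Z")


def to_mvs_form(archive_name):
    """Archive names separate levels with '/', MVS data set names with '.'."""
    return archive_name.replace("/", SEP)


def _mask_to_regex(zip_path):
    """Compile a <Zipfile_path> mask into a regex matched at the name's start."""
    # Assumption: a trailing '.' in the mask marks a level boundary and is not
    # consumed, which reproduces the guide's MDB.?YPE. example (XXX.RATE).
    boundary = zip_path.endswith(SEP)
    body = zip_path[:-1] if boundary else zip_path
    parts, i = [], 0
    while i < len(body):
        if body.startswith("**", i):
            parts.append(".*")        # complete replacement: the whole name
            i += 2
        elif body[i] == "*":
            parts.append("[^.]*")     # any characters within one level
            i += 1
        elif body[i] == "?":
            parts.append("[^.]")      # one character, never a separator
            i += 1
        else:
            parts.append(re.escape(body[i]))
            i += 1
    if boundary:
        parts.append(r"(?=\.)")
    return re.compile("".join(parts))


def apply_unzipped_dsn(archive_name, rules):
    """Predict the target DSN; rules are (zip_path, mvs_hlq) in command order."""
    name = to_mvs_form(archive_name)
    for zip_path, mvs_hlq in rules:
        if not zip_path and not mvs_hlq:
            raise ValueError("either field may be blank but not both")
        match = _mask_to_regex(zip_path).match(name)
        if match:
            # Only the first matching command is used.
            return mvs_hlq + name[match.end():]
    return name


def dsn_problems(dsn):
    """Return the reasons a predicted DSN breaks MVS naming conventions."""
    problems = []
    if len(dsn) > 44:
        problems.append("name longer than 44 characters")
    for qualifier in dsn.split(SEP):
        if not _QUALIFIER.match(qualifier):
            problems.append("bad qualifier %r" % qualifier)
    return problems


def plan_extraction(entries, rules):
    """Return (entry, target DSN, problems) per entry, flagging shared targets."""
    first_owner = {}
    plan = []
    for entry in entries:
        target = apply_unzipped_dsn(entry, rules)
        problems = dsn_problems(target)
        if target in first_owner:
            problems.append("same target as %s" % first_owner[target])
        else:
            first_owner[target] = entry
        plan.append((entry, target, problems))
    return plan


# Constructed sample input (not taken from the guide).
SAMPLE_ENTRIES = [
    "MDB/TYPE/RATE",
    "MDB/TYPE/HISTORY2005X",   # last level is longer than 8 characters
    "PAY/JAN/DATA",
    "PAY/FEB/DATA",            # collides with the entry above under '**'
]
SAMPLE_RULES = [("MDB.?YPE.", "XXX"), ("**", "TEST.ALL.DATA")]

if __name__ == "__main__":
    for entry, target, problems in plan_extraction(SAMPLE_ENTRIES, SAMPLE_RULES):
        print("%-24s -> %-20s %s" % (entry, target, "; ".join(problems) or "ok"))
```

The last sample entry shows why a complete-replacement mask needs review before a real run: every archive entry that reaches it is mapped to the same data set name.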

–VSAM

Synonyms Include: –NOVSAM, –SELECT_VSAM

☺ - This command is also compatible with VSE.

The VSAM command specifies whether VSAM files are accessed during wildcard selections. It applies only to wildcard cases.

–VSAM(Y|N)

Y - YES - Any VSAM files that are used in multiple data set selections are included when using a wildcard request.

N - NO - The VSAM file(s) within a file selection are ignored when the selection contains a wildcard. If no wildcard is used in the selection, the VSAM file is used regardless.

Note that all VSAM commands use the access methods services IDCAMS utility to help define a new (or update an existing) data component, for a VSAM cluster containing a ZIP archive. See the Access Methods Services manual for specific information on use of this parameter.

–VSAM_ACCOUNT

Synonyms Include: N/A

☺ - This command is also compatible with VSE.

The VSAM_ACCOUNT parameter defines the accounting information to be provided to Access Methods Services during a DEFINE CLUSTER.

The IDCAMS equivalent for this command is ACCOUNT(accounting information).

-VSAM_ACCOUNT(<acctinfo>)

acctinfo - A 32-character field containing accounting information.

–VSAM_ATTEMPTS

Synonyms Include: –OUTATTEMPTS, –OUTDATAATT

☺ - This command is also compatible with VSE.

The VSAM_ATTEMPTS parameter defines the number of password attempts that are permitted to Access Methods Services during a DEFINE CLUSTER.

The IDCAMS equivalent for this command is ATTEMPTS(number).

–VSAM_ATTEMPTS(<number>)

number - The number of attempts that will be allowed at the console in response to a prompting message.

–VSAM_AUTH_EP

Synonyms Include: –OUTAUTH, –OUTDATAAUTH

The VSAM_AUTH_EP parameter supplies the entry point of a user security verification routine to Access Methods Services during a DEFINE CLUSTER.

The IDCAMS equivalent for this command is AUTHORIZATION(entrypoint).

–VSAM_AUTH_EP(<entry point>)

entry point - The entry point name of your security verification routine.

See also VSAM_AUTH_STRING below.

–VSAM_AUTH_STRING

Synonyms Include: –OUTASTR, –OUTDATAASTR

☺ - This command is also compatible with VSE.

The VSAM_AUTH_STRING parameter supplies to Access Methods Services, during a DEFINE CLUSTER, a string of information to be passed to your security verification routine.

The IDCAMS equivalent for this command is AUTHORIZATION(entrypoint string).

–VSAM_AUTH_STRING(<string>)

string - The string of information to be passed to your security verification routine.

See also VSAM_AUTH_EP above.

–VSAM_BUFFERSPACE

Synonyms Include: –ARCHBUFSPACE, –BUFSPACE, –BUFFERSPACE, –OUTBUFSPACE

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

The VSAM_BUFFERSPACE parameter defines the minimum space (in bytes) to be provided for buffers.

The IDCAMS equivalent for this command is BUFFERSPACE(size).

-VSAM_BUFFERSPACE(<buffer size>)

buffer size - Specifies the number of bytes to be provided for buffers.

Note: Access Method Services may modify the value to fit VSAM processing needs.

–VSAM_CATALOG

Synonyms Include: –ARCHCATALOG, –CATALOG, –OUTCATALOG

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

The VSAM_CATALOG parameter defines into which catalog the VSAM output file is to be defined. If the value is blank, then the system-defined catalog environment will be used. If the value is set to a catalog name, then the name will be used in the Define Cluster Cat(name) parameter. If the value is set to USE_ORIGINAL, then UNZIP processing will attempt to use a saved catalog attribute from the zip archive.

Warning: Care must be taken when using the USE_ORIGINAL option. An inappropriate catalog may be used which does not fit within the master/user catalog structure of the target system. This may occur because the high-level-qualifier does not match the alias entries in the master catalog; either because of a change of qualifier, for example, with UNZIPPED_DSN specifications, or because the original filename does not match the current operating environment. This can result in a file being allocated in the specified catalog, but inaccessible through normal system catalog structures. The unzip will fail and the dataset may not appear in standard catalog listings, even though the file was created.

The IDCAMS equivalent for this command is CATALOG(catname).

-VSAM_CATALOG(<catname>[/<password>])

or

-VSAM_CATALOG(USE_ORIGINAL)

catname - Specifies the name of the catalog in which the cluster is to be defined.

Password - Specifies the update or higher-level password.

USE_ORIGINAL - Specifies that UNZIP processing will attempt to use a saved catalog attribute from the archive.

–VSAM_CISIZE

Synonyms Include: –ARCHCISZ, –ARCHCISIZE, –OUTCISZ, –OUTCISIZE, –VSAMCISZ, –VSAMCISIZE, –CISIZE

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

The VSAM_CISIZE parameter defines the size of the control intervals for the cluster.

The IDCAMS equivalent for this command is CONTROLINTERVALSIZE(size).

-VSAM_CISIZE(<size>)

size - Specifies (in bytes) the size of the control intervals for the cluster.

Note: Access Method Services may modify the value to fit VSAM processing needs.

–VSAM_CLUSTER_TYPE

Synonyms Include: –VSAM_TYPE, –VSAMTYPE, –OUTATTR, –VSAMESDS, –VSAMKSDS, –VSAMRRDS, –ESDS, –KSDS, –RRDS

☺ - This command is also compatible with VSE. Some values may be restricted by the operating environment.

- Be aware that if this command is used incorrectly, you could incur problems.

The VSAM_CLUSTER_TYPE command defines the file type of a VSAM cluster.

There are three IDCAMS equivalents for this command, which include INDEXED, NONINDEXED, and NUMBERED.

–VSAM_CLUSTER_TYPE(ESDS|NONINDEXED|INDEXED|NUMBERED|RRDS|KSDS)

NONINDEXED - Entry-Sequenced VSAM file.

ESDS - Entry-Sequenced VSAM file.

INDEXED - Key-Sequenced VSAM file.

KSDS - Key-Sequenced VSAM file.

NUMBERED - Relative Record VSAM file.

RRDS - Relative Record VSAM file.

The file attributes stored in the original file will be used to create a newly extracted file unless a specification is made from the above list.

–VSAM_CODE

Synonyms Include: –OUTCODE, –OUTDATACODE

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

The VSAM_CODE parameter supplies a code name for the cluster or component to Access Methods Services during a DEFINE CLUSTER.

The IDCAMS equivalent for this command is CODE(code).

–VSAM_CODE(<name>)

name - The code name for the cluster or component.

–VSAM_CONTROLPW

Synonyms Include: –OUTCONTROLPW, –OUTDATACTLPW

☺ - This command is also compatible with VSE.

This command specifies the control password to be passed to Access Methods Services for the definition or update of a VSAM cluster or component.

The IDCAMS equivalent for this command is CONTROLPW(password).

–VSAM_CONTROLPW(<pwd>)

pwd - An 8-character field specifying the control password.

–VSAM_DATA_CISIZE

Synonyms Include: –ARCHDATACISZ, –ARCHDATACISIZE, –OUTDATACISZ, –OUTDATACISIZE

☺ - This command is also compatible with VSE.

The VSAM_DATA_CISIZE command provides the ability to define the size of the control intervals for the data component of a VSAM cluster.

The IDCAMS equivalent for this command is CONTROLINTERVALSIZE(size).

-VSAM_DATA_CISIZE(<size>)

size - Specifies (in bytes) the size of the control intervals for the data component.

–VSAM_DATA_EXCEPTIONEXIT

Synonyms Include: –ARCHDATAEEXT, –OUTDATAEEXT

☺ - This command is also compatible with VSE.

The VSAM_DATA_EXCEPTIONEXIT parameter defines the name of your module that is given control when a problem occurs during the IDCAMS processing of the data component of the cluster.

The IDCAMS equivalent for this command is EXCEPTIONEXIT(module name).

-VSAM_DATA_EXCEPTIONEXIT(<exceptname>)

exceptname - Specifies the name of your module (phase name) that will be given control when an exception occurs.

–VSAM_DATA_FILE

Synonyms Include: –ARCHDATAFILE, –OUTDATAFILE

☺ - This command is also compatible with VSE.

Specifies the FILE parameter of the IDCAMS DEFINE CLUSTER command used to create the data component of a new or updated ZIP archive.

The IDCAMS equivalent for this command is FILE(ddname).

–VSAM_DATA_FILE(<ddname>)

ddname - Specifies a DD statement in the JCL.

–VSAM_DATA_NAME

Synonyms Include: –ARCHDATANAME, –OUTDATANAME

☺ - This command is also compatible with VSE.

The VSAM_DATA_NAME command provides the ability to define a NAME parameter for the data component of a VSAM cluster.

The IDCAMS equivalent for this command is NAME(entryname).

–VSAM_DATA_NAME(<entryname>)

entryname - Specifies the name to be given to the data component of the cluster.

–VSAM_DATA_ORDERED

Synonyms Include: –ARCHDATAORD, –ARCHDATANORD, –OUTDATAORD, –OUTDATANORD

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

The VSAM_DATA_ORDERED command provides the ability to define an ORDERED parameter for the data component of a VSAM cluster.

The IDCAMS equivalent for this command is ORDERED|UNORDERED.

–VSAM_DATA_ORDERED(<ORDERED|UNORDERED>)

ORDERED - Specifies the volumes are to be used in the order in which they were listed in the VOLUMES parameter.

UNORDERED - Specifies the volumes are not to be used in the order in which they were listed in the VOLUMES parameter.

–VSAM_DATA_PRIMARY

Synonyms Include: –ARCHDATAPRI, –OUTDATAPRI

☺ - This command is also compatible with VSE.

The VSAM_DATA_PRIMARY command provides the ability to define the primary value for space allocation in the DATA component of a VSAM cluster. Note that this command is used in conjunction with VSAM_DATA_SPACE_TYPE.

The IDCAMS equivalent for this command is CYLINDERS(primary), TRACKS(primary), or RECORDS(primary).

–VSAM_DATA_PRIMARY(<primary>)

primary - Specifies the number of units to be allocated (cylinders, tracks, records, kilobytes, or megabytes).

–VSAM_DATA_SECONDARY

Synonyms Include: –ARCHDATASEC, –OUTDATASEC

☺ - This command is also compatible with VSE.

The VSAM_DATA_SECONDARY command provides the ability to define the secondary value for space allocation in the DATA component of a VSAM cluster. Note that this command is used in conjunction with VSAM_DATA_SPACE_TYPE.

The IDCAMS equivalent for this command is CYLINDERS(secondary), TRACKS(secondary), or RECORDS(secondary).

–VSAM_DATA_SECONDARY(<secondary>)

secondary - Specifies the number of units to be allocated (cylinders, tracks, records, kilobytes, or megabytes).

–VSAM_DATA_SPACE_TYPE

Synonyms Include: –ARCHDATASPACE, –OUTDATASPACE

☺ - This command is also compatible with VSE. Some values may be restricted by the operating environment.

For a new or updated ZIP archive, the type of allocation units may be specified using the VSAM_DATA_SPACE_TYPE command.

Note that use of this command necessitates the use of VSAM_DATA_PRIMARY and VSAM_DATA_SECONDARY to define the specific extent values.

–VSAM_DATA_SPACE_TYPE(<CYL|KB|REC|MB|TRK>)

CYL - (also CYLS and CYLINDERS) allocation by cylinders.

KB - (also KILOBYTES) allocation by Kilobytes (for the ICF catalog environment only).

MB - (also MEGABYTES) allocation by Megabytes (for the ICF catalog environment only).

REC - (also RECORDS) allocation by records.

TRK - (also TRKS and TRACKS) allocation by tracks.

Also see VSAM_DATA_PRIMARY and VSAM_DATA_SECONDARY.

–VSAM_DATA_VOLUMES

Synonyms Include: –ARCHDATAVOL, –OUTDATAVOL, –VSAM_VOLUMES

☺ - This command is also compatible with VSE.

The VSAM_DATA_VOLUMES command provides the ability to define a VOLUMES parameter for the data component of a VSAM cluster. Note that a maximum of 31 volumes is supported.

The IDCAMS equivalent for this command is VOLUMES(volser).

–VSAM_DATA_VOLUMES(<volser>[ <volser> …])

volser - Specifies a one-to-six-character volume serial number.

–VSAM_DATACLASS

Synonyms Include: N/A

This command pertains to DF/SMS allocation of new files when doing SECUNZIP processing. If you specify these classes, they will be passed to DF/SMS when data set allocation occurs.

–VSAM_DATACLASS(<SMS Data Class>)

See IBM’s DF/SMS manuals for further information about this parameter.

–VSAM_DUPLICATE_ERROR

Synonyms Include: –OUTDUPLICATES, –FAILONDUPKEYS, –IGNOREDUPKEYS

☺ - This command is also compatible with VSE.

When extracting a file to a new VSAM keyed cluster, this command specifies the action to be taken if a duplicate key is detected.

–VSAM_DUPLICATE_ERROR(FAIL|IGNORE)

FAIL - Indicates that processing will be aborted if a duplicate key is encountered.

IGNORE - Indicates that processing will continue if a duplicate key is encountered.

–VSAM_ERASE

Synonyms Include: –ARCHERASE, –ARCHNOERASE

☺ - This command is also compatible with VSE.

The VSAM_ERASE parameter specifies whether the data component being defined is to be erased when the cluster is deleted.

The IDCAMS equivalent for this command is ERASE|NOERASE.

–VSAM_ERASE(Y|N)

Y - YES - The IDCAMS DEFINE CLUSTER command equivalent is ERASE.

N - NO - The IDCAMS DEFINE CLUSTER command equivalent is NOERASE.

–VSAM_EXCEPTIONEXIT

Synonyms Include: –ARCHEEXT, –OUTEEXT

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

The VSAM_EXCEPTIONEXIT parameter defines the name of your module that is given control when a problem occurs during the IDCAMS processing of the cluster component.

The IDCAMS equivalent for this command is EXCEPTIONEXIT(module name).

-VSAM_EXCEPTIONEXIT(<exceptname>)

exceptname - Specifies the name of your module (phase name) that will be given control when an exception occurs.

–VSAM_FILE

Synonyms Include: –ARCHFILE

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

The VSAM_FILE parameter defines the name of the job control DD statement that identifies the volumes that are to be used for space allocation.

The IDCAMS equivalent for this command is FILE(ddname).

-VSAM_FILE(<ddname>)

ddname - Specifies a DD statement in the JCL.

–VSAM_FOR

Synonyms Include: –ARCHFOR

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

The VSAM_FOR parameter defines the retention date for the cluster.

The IDCAMS equivalent for this command is FOR(days).

-VSAM_FOR(<days>)

Note that specification of either the VSAM_TO or VSAM_FOR commands could prevent an old ZIP archive from being deleted during an update if the old archive had an active retention period.

–VSAM_FREESPACE_CA

Synonyms Include: –ARCHFREECA, –OUTFREECA

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

The VSAM_FREESPACE_CA command provides the ability to define the CA-percent parameter for a key-sequenced VSAM cluster.

-VSAM_FREESPACE_CA(<ca-percent>)

ca-percent - Specifies the percentage of control area that is to be left empty.

–VSAM_FREESPACE_CI

Synonyms Include: –ARCHFREECI

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

The VSAM_FREESPACE_CI command provides the ability to define the CI-percent parameter for a VSAM key-sequenced cluster.

-VSAM_FREESPACE_CI(<ci-percent>)

ci-percent - Specifies the percentage of control interval that is to be left empty.

–VSAM_IMBED

Synonyms Include: –OUTIMBED, –OUTNOIMBED

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

The VSAM_IMBED command provides the ability to define an IMBED parameter for a VSAM cluster.

The IDCAMS equivalent for this command is IMBED|NOIMBED.

–VSAM_IMBED(Y|N)

Y - YES - Specifies that the sequence set is to be placed with the data component of a new cluster.

N - NO - Specifies that the sequence set is not to be placed with the data component of a new cluster.

–VSAM_INDEX_ATTEMPTS

Synonyms Include: –OUTINDXATT

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

The VSAM_INDEX_ATTEMPTS parameter defines the number of password attempts that are permitted to Access Methods Services during a DEFINE CLUSTER.

The IDCAMS equivalent for this command is ATTEMPTS(number).

–VSAM_INDEX_ATTEMPTS(<number>)

number - The number of attempts that will be allowed at the console in response to a prompting message.

–VSAM_INDEX_AUTH_EP

Synonyms Include: –OUTINDXAUTH

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

The VSAM_INDEX_AUTH_EP parameter supplies the entry point of a user security verification routine to Access Methods Services during a DEFINE CLUSTER.

The IDCAMS equivalent for this command is AUTHORIZATION(entrypoint).

–VSAM_INDEX_AUTH_EP(<entry point>)

entry point - The entry point name of your security verification routine.

–VSAM_INDEX_AUTH_STRING

Synonyms Include: –OUTINDXASTR

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

The VSAM_INDEX_AUTH_STRING parameter supplies to Access Method Services, during a DEFINE CLUSTER, a string of information to be passed to your security verification routine.

The IDCAMS equivalent for this command is AUTHORIZATION(entrypoint string).

–VSAM_INDEX_AUTH_STRING(<string>)

string - The string of information to be passed to your security verification routine.

See also VSAM_INDEX_AUTH_EP above.

–VSAM_INDEX_CISIZE

Synonyms Include: –OUTINDXCISZ, –OUTINDXCISIZE

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

The VSAM_INDEX_CISIZE command provides the ability to define a CONTROLINTERVALSIZE for the index component of a VSAM cluster.

The IDCAMS equivalent for this command is CONTROLINTERVALSIZE(size).

–VSAM_INDEX_CISIZE(<size>)

size - Specifies the size of the control intervals for the index component.

–VSAM_INDEX_CODE

Synonyms Include: N/A

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

The VSAM_INDEX_CODE parameter supplies a code name for the cluster or component to Access Method Services during a DEFINE CLUSTER.

The IDCAMS equivalent for this command is CODE(code).

–VSAM_INDEX_CODE(<name>)

name - Specifies the code name for the index component.

–VSAM_INDEX_CONTROLPW

Synonyms Include: –OUTINDXCTLPW

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

This command specifies the control password to be passed to Access Method Services for the definition or update of the index component of a VSAM cluster.

The IDCAMS equivalent for this command is CONTROLPW(password).

–VSAM_INDEX_CONTROLPW(<pwd>)

pwd - Specifies a one-to-eight-character control password.

–VSAM_INDEX_EXCEPTIONEXIT

Synonyms Include: –OUTINDXEEXT

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

The VSAM_INDEX_EXCEPTIONEXIT command provides the ability to define an EXCEPTIONEXIT parameter for the index component of a VSAM cluster.

The IDCAMS equivalent for this command is EXCEPTIONEXIT(module name).

-VSAM_INDEX_EXCEPTIONEXIT(<exceptname>)

exceptname - Specifies the name of your module (phase name) that will be given control when an exception occurs.

–VSAM_INDEX_FILE

Synonyms Include: –OUTINDXFILE

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

The VSAM_INDEX_FILE command provides the ability to define an INDEX parameter for the index component of a VSAM cluster.

The IDCAMS equivalent for this command is FILE(ddname).

–VSAM_INDEX_FILE(<ddname>)

ddname - Specifies a DD statement in the JCL.

–VSAM_INDEX_MASTERPW

Synonyms Include: –OUTINDXMRPW

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

This command specifies the master password to be passed to Access Method Services for the definition or update of the index component of a VSAM cluster.

The IDCAMS equivalent for this command is MASTERPW(password).

–VSAM_INDEX_MASTERPW(<pwd>)

pwd - An 8-character field specifying the master password.

–VSAM_INDEX_NAME

Synonyms Include: –OUTINDXNAME

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

The VSAM_INDEX_NAME command provides the ability to define a NAME parameter for the index component of a VSAM cluster.

The IDCAMS equivalent for this command is NAME(entryname).

–VSAM_INDEX_NAME(<entryname>)

entryname - Specifies the name to be given to the index component of the cluster.

–VSAM_INDEX_ORDERED

Synonyms Include: –OUTINDXORD, –OUTINDXNORD

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

The VSAM_INDEX_ORDERED command provides the ability to define an ORDERED parameter for the index component of a VSAM cluster.

The IDCAMS equivalent for this command is ORDERED|UNORDERED.

–VSAM_INDEX_ORDERED(<ORDERED|UNORDERED>)

ORDERED - Specifies the volumes are to be used in the order in which they were listed in the VOLUMES parameter.

UNORDERED - Specifies the volumes are not to be used in the order in which they were listed in the VOLUMES parameter.

–VSAM_INDEX_PRIMARY

Synonyms Include: –OUTINDXPRI

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

The VSAM_INDEX_PRIMARY command provides the ability to define the primary value for space allocation in the INDEX component of a VSAM cluster. Note that this command is used in conjunction with VSAM_INDEX_SPACE_TYPE.

The IDCAMS equivalent for this command is CYLINDERS(primary), TRACKS(primary), or RECORDS(primary).

–VSAM_INDEX_PRIMARY(<primary>)

primary - Specifies the number of units to be allocated (cylinders, tracks, records, kilobytes, or megabytes).

Also see VSAM_INDEX_SECONDARY.

–VSAM_INDEX_READPW

Synonyms Include: –OUTINDXRDPW

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

This command specifies the read password to be passed to Access Method Services for the definition or update of the index component of a VSAM cluster.

The IDCAMS equivalent for this command is READPW(password).

–VSAM_INDEX_READPW(<pwd>)

pwd - An 8-character field specifying the read password.

–VSAM_INDEX_SECONDARY

Synonyms Include: –OUTINDXSEC

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

The VSAM_INDEX_SECONDARY command provides the ability to define the secondary value for space allocation in the INDEX component of a VSAM cluster. Note that this command is used in conjunction with VSAM_INDEX_SPACE_TYPE.

The IDCAMS equivalent for this command is CYLINDERS(secondary), TRACKS(secondary), or RECORDS(secondary).

–VSAM_INDEX_SECONDARY(<secondary>)

secondary - Specifies the number of units to be allocated (cylinders, tracks, records, kilobytes, or megabytes).

Also see VSAM_INDEX_PRIMARY.

–VSAM_INDEX_SPACE_TYPE

Synonyms Include: –OUTINDXSPACE

☺ - This command is also compatible with VSE. Some values may be restricted by the operating environment.

- Be aware that if this command is used incorrectly, you could incur problems.

For a new or updated ZIP archive, the type of index units may be specified using the VSAM_INDEX_SPACE_TYPE command.

Note that use of this command necessitates the use of VSAM_INDEX_PRIMARY and VSAM_INDEX_SECONDARY to define the specific extent values.

The IDCAMS equivalent for this command is CYLINDERS, TRACKS, or RECORDS.

–VSAM_INDEX_SPACE_TYPE(<CYL|KB|REC|MB|TRK>)

CYL - (also CYLS and CYLINDERS) allocation by cylinders.

KB - (also KILOBYTES) allocation by Kilobytes (for the ICF catalog environment only).

MB - (also MEGABYTES) allocation by Megabytes (for the ICF catalog environment only).

REC - (also RECORDS) allocation by records.

TRK - (also TRKS and TRACKS) allocation by tracks.

Note that both the primary and secondary extents are allocated at 10 allocation units unless changed by the VSAM_SPACE_PRIMARY or the VSAM_SPACE_SECONDARY commands.

Also see VSAM_INDEX_PRIMARY and VSAM_INDEX_SECONDARY.

–VSAM_INDEX_UPDATEPW

Synonyms Include: –OUTINDXUPDPW

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

This command specifies the update password to be passed to Access Method Services for the definition or update of the index component of a VSAM cluster.

The IDCAMS equivalent for this command is UPDATEPW(password).

–VSAM_INDEX_UPDATEPW(<pwd>)

pwd - An 8-character field specifying the update password.

–VSAM_INDEX_VOLUMES

Synonyms Include: –OUTINDXVOL

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

The VSAM_INDEX_VOLUMES command provides the ability to define a VOLUMES parameter for the index component of a VSAM cluster. Note that a maximum of 31 volumes are supported.

The IDCAMS equivalent for this command is VOLUMES(volser).

–VSAM_INDEX_VOLUMES(<volser>[ <volser> …])

volser - Specifies volume serial numbers, separated by a blank.

–VSAM_KEYS

Synonyms Include: –OUTKEYS

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

The VSAM_KEYS command provides the ability to specify information about key fields for a VSAM key-sequenced file (ignored for entry-sequenced or relative-record files).

The IDCAMS equivalent for this command is KEYS(length offset).

–VSAM_KEYS(length offset)

length - Defines the length of a key for a key-sequenced file (255-byte maximum).

offset - Defines the offset of the key from the front of the data record.

–VSAM_MASTERPW

Synonyms Include: –OUTMASTERPW, –OUTDATAMRPW

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

This command specifies the master password to be passed to Access Method Services for the definition or update of a VSAM cluster or component.

The IDCAMS equivalent for this command is MASTERPW(password).

–VSAM_MASTERPW(<pwd>)

pwd - An 8-character field specifying the master password.

–VSAM_MGMTCLASS

Synonyms Include: N/A

- Be aware that if this command is used incorrectly, you could incur problems.

This command pertains to DF/SMS allocation of new files when doing SECUNZIP processing. If you specify these classes, they will be passed to DF/SMS when data set allocation occurs.

–VSAM_MGMTCLASS(<SMS Management Class>)

See IBM’s DF/SMS manuals for further information about this parameter.

–VSAM_MODEL

Synonyms Include: –ARCHMODEL, –ARCHIVE_MODEL, –OUTMODEL

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

This command specifies that a catalog entry of a previously defined cluster is to be used as the model for a new archive.

The IDCAMS equivalent for this command is MODEL(entryname).

–VSAM_MODEL(<entryname>)

entryname - A 44-character entry used to specify the model.

–VSAM_ORDERED

Synonyms Include: N/A

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

The VSAM_ORDERED command provides the ability to define an ORDERED parameter for a VSAM cluster.

The IDCAMS equivalent for this command is ORDERED|UNORDERED.

–VSAM_ORDERED(<ORDERED|UNORDERED>)

ORDERED - Specifies the volumes are to be used in the order in which they were listed in the VOLUMES parameter.

UNORDERED - Specifies the volumes are not to be used in the order in which they were listed in the VOLUMES parameter.

–VSAM_OWNER

Synonyms Include: –ARCHDATAOWNER, –ARCHOWNER, –OUTDATAOWNER, –OUTINDXOWNER, –OUTOWNER

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

The VSAM_OWNER command provides the ability to define an OWNER parameter for a VSAM cluster.

The IDCAMS equivalent for this command is OWNER(owner ID).

-VSAM_OWNER(<owner>)

owner - Specifies a one-to-eight-character owner ID of the cluster.

–VSAM_READPW

Synonyms Include: –OUTREADPW, –OUTDATARDPW

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

This command specifies the read password to be passed to Access Method Services for the definition or update of a VSAM cluster or component.

The IDCAMS equivalent for this command is READPW(password).

–VSAM_READPW(<pwd>)

pwd - An 8-character field specifying the read password.

–VSAM_RECORDSIZE

Synonyms Include: –ARCHRECORDSIZE

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

The VSAM_RECORDSIZE parameter defines the average and maximum lengths of the data records of a variable length file.

The IDCAMS equivalent for this command is RECORDSIZE(average maximum).

-VSAM_RECORDSIZE(<average> <maximum>)

<average> - The average length in bytes of each record.

<maximum> - The maximum length of any record.

The default for this command is (4000 4000).

It is suggested that <average> equal <maximum> for SecureZIP for zSeries processing, since full-length records are written in the process. Also, a larger value for both parameters will improve SecureZIP for zSeries performance.

–VSAM_RECOVERY_OPT

Synonyms Include: –OUTRECOVERY, –OUTSPEED

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

The VSAM_RECOVERY_OPT command provides the ability to define a SPEED or RECOVERY parameter for a VSAM cluster.

The IDCAMS equivalent for this command is RECOVERY|SPEED.

–VSAM_RECOVERY_OPT(recovery|speed)

recovery - Specifies that the data component control areas are written with records that indicate end-of-file.

speed - Specifies that the data component control areas are not preformatted.

–VSAM_REPLICATE

Synonyms Include: –OUTREPLICATE, –OUTNOREPLICATE

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

The VSAM_REPLICATE command provides the ability to define a REPLICATE parameter for a VSAM cluster.

The IDCAMS equivalent for this command is REPLICATE|NOREPLICATE.

–VSAM_REPLICATE(Y|N)

–VSAM_REUSE

Synonyms Include: –ARCHREUSE, –ARCHNOREUSE, –ARCHDATARUS, –ARCHDATANRUS, –OUTREUSE, –OUTNOREUSE, –OUTDATARUS, –OUTDATANRUS, –OUTINDXRUS, –OUTINDXNRUS

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

The VSAM_REUSE parameter defines whether the newly-defined file can be opened repeatedly as a new file.

The IDCAMS equivalent for this command is REUSE|NOREUSE.

-VSAM_REUSE(Y|N)

Y - YES - Specifies that REUSE be passed to the DEFINE CLUSTER command.

N - NO - Specifies that NOREUSE be passed to the DEFINE CLUSTER command.

–VSAM_SHAREOPTIONS

Synonyms Include: –ARCHSHR, –ARCHDATASHR, –OUTSHR, –OUTDATASHR, –OUTINDXSHR, –VSAM_SHROPTS, –VSAM_SHROPT

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

–VSAM_SHAREOPTIONS(value1|value2)

The VSAM_SHAREOPTIONS parameter defines how a file can be shared within or between systems.

The IDCAMS equivalent for this command is SHAREOPTIONS(value1 value2).

Crossregion - Specifies the level of sharing among regions.

Crosssystem - Specifies the level of sharing among systems.

–VSAM_SPACE_PRIMARY

Synonyms Include: N/A

☺ - This command is also compatible with VSE. Some values may not be restricted by the operating environment.

- Be aware that if this command is used incorrectly, you could incur problems.

For a new or updated ZIP archive, the number of allocation units in the primary extent is specified using the VSAM_SPACE_PRIMARY command.

The default is not used if VSAM_DATACLASS is specified.

The IDCAMS equivalent for this command is CYLINDERS(primary), TRACKS(primary), RECORDS(primary), KILOBYTES(primary), or MEGABYTES(primary).

–VSAM_SPACE_PRIMARY(<primary>)

primary - An 8-character field specifying the number of allocation units for the primary extent of the new or updated ZIP archive.

00000010 - Ten (cylinders) is the default.

–VSAM_SPACE_SECONDARY

Synonyms Include: N/A

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

For a new or updated ZIP archive, the number of allocation units in the secondary extent is specified using the VSAM_SPACE_SECONDARY command. If specified, the data unit number must not be 0.

The default is not used if VSAM_DATACLASS is specified.

The IDCAMS equivalent for this command is CYLINDERS(secondary), TRACKS(secondary), RECORDS(secondary), KILOBYTES(secondary), or MEGABYTES(secondary).

–VSAM_SPACE_SECONDARY(<secondary>)

secondary - An 8-character field specifying the number of allocation units for the secondary extent of the new or updated ZIP archive.

00000010 - Ten (cylinders) is the default.

–VSAM_SPACE_TYPE

Synonyms Include: N/A

☺ - This command is also compatible with VSE. Some values may not be restricted by the operating environment.

- Be aware that if this command is used incorrectly, you could incur problems.

For a new or updated ZIP archive, the type of allocation units may be specified using the VSAM_SPACE_TYPE command. Note the default is not used when VSAM_DATACLASS is specified.

The IDCAMS equivalent for this command is CYLINDERS, TRACKS, or RECORDS.

–VSAM_SPACE_TYPE(<CYL|KB|REC|MB|TRK>)

CYL - (also CYLS and CYLINDERS) allocation by cylinders.

KB - (also KILOBYTES) allocation by Kilobytes (for the ICF catalog environment only).

MB - (also MEGABYTES) allocation by Megabytes (for the ICF catalog environment only).

REC - (also RECORDS) allocation by records.

TRK - (also TRKS and TRACKS) allocation by tracks.

This command specification can be overridden at the data level by the VSAM_DATA_SPACE_TYPE command. At the data level, the corresponding cluster information is not recognized.

–VSAM_SPANNED

Synonyms Include: –ARCHSPANNED, –ARCHNONSPANNED

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

The VSAM_SPANNED parameter defines whether the maximum length of a data record can be greater than the control interval size.

The IDCAMS equivalent for this command is SPANNED|NONSPANNED.

-VSAM_SPANNED(Y|N)

Y - YES - The IDCAMS DEFINE CLUSTER command equivalent is SPANNED.

N - NO - The IDCAMS DEFINE CLUSTER command equivalent is NONSPANNED.

–VSAM_STORCLASS

Synonyms Include: N/A

- Be aware that if this command is used incorrectly, you could incur problems.

This command pertains to DF/SMS allocation of new files when doing SECUNZIP processing. If you specify these classes, they will be passed to DF/SMS when data set allocation occurs.

–VSAM_STORCLASS(<SMS Storage Class>)

See IBM’s DF/SMS manuals for further information about this parameter.

–VSAM_TO

Synonyms Include: –ARCHFOR, –ARCHTO, –OUTFOR, –OUTTO

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

The VSAM_TO parameter defines the retention date for the cluster.

The IDCAMS equivalent for this command is TO(date).

-VSAM_TO(<date>)

date - Specifies the date until which the cluster is to be retained.

Note: The specification of either the –VSAM_TO or –VSAM_FOR commands could prevent an old ZIP archive from being deleted during an update if the old archive had an active retention period.

–VSAM_UPDATEPW

Synonyms Include: –OUTUPDATEPW, –OUTDATAUPDPW

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

This command specifies the update password to be passed to Access Method Services for the definition or update of a VSAM cluster or component.

The IDCAMS equivalent for this command is UPDATEPW(password).

–VSAM_UPDATEPW(<pwd>)

pwd - An 8-character field specifying the update password.

–VSAM_WRITECHECK

Synonyms Include: –ARCHWRITECHK, –ARCHNOWRITECHK, –ARCHDATAWCK, –ARCHDATANWCK, –OUTDATAWCK, –OUTDATANWCK, –OUTWRITECHK, –OUTNOWRITECHK

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

The VSAM_WRITECHECK parameter defines whether to verify the transfer of records written to the cluster.

The IDCAMS equivalent for this command is WRITECHECK|NOWRITECHECK.

–VSAM_WRITECHECK(WRITECHECK|NOWRITECHECK)

WRITECHECK - The IDCAMS DEFINE CLUSTER command equivalent is WRITECHECK.

NOWRITECHECK - The IDCAMS DEFINE CLUSTER command equivalent is NOWRITECHECK.

–ZIPPED_DSN

Synonyms Include: –NIA

☺ - This command is also compatible with VSE.

- Be aware that if this command is used incorrectly, you could incur problems.

The ZIPPED_DSN command specifies one or more MVS file names and how they are to be renamed for the associated ZIP file. More than one file may be referenced in one command by the use of wildcard characters. The default depends on the MVS file type and other situations as outlined below.

–ZIPPED_DSN(<MVS name>,<Archive name>)

MVS name - One entry representing one or more MVS file names. The maximum character length is 54 characters. Spaces are not valid. Wildcard characters (“*”) may be used here for two purposes:

• To identify more than one file. <MVS name> = MYFILE.NEW* represents MYFILE.NEW1, MYFILE.NEW2, MYFILE.NEW3, and so on.

• To identify the part of the <MVS name> to be used in the <Archive name>. A matching wildcard character in the <Archive name> indicates the corresponding part of the <MVS name> is duplicated in the <Archive name>.

See the table below for examples.

Archive name - The format for the associated ZIP file name(s). The maximum character length is 80 characters. Embedded spaces are supported. The entry contains the ZIP file component name and may contain wildcard characters (“*”) and ignore characters (“+”). Each wildcard character matches a wildcard character in the <MVS name> and copies that character from the <MVS name> into the ZIP archive name at the “*” location. Each ignore character matches a wildcard character in the <MVS name> and does not copy that character from the <MVS name> into the ZIP archive name at the “+” location. (See below).

See the table below for ZIPPED_DSN examples:

<MVS file>       <MVS name>,<Archive name>    ZIP File name results
MVS.SEQ.INFO     MVS.SEQ.INFO,ZIP/INF         ZIP/INF
MVS.SEQ.INFO     MVS.SEQ.INFO,ZIP.EXT         ZIP.EXT
MVS.PDS(MEM1)    MVS.PDS(*),ZIP/LIB/*         ZIP/LIB/MEM1
MVS.PDS(MEM2)    Allow to default             ZIP/LIB/MEM2
MVS.PDS(MEMN)    *.*(MEMN),*/*.DAT            MVS/PDS.DAT
MVS.PDS(MEMN)    *.*(*),*/*/*.DAT             MVS/PDS/MEMN.DAT
MVS.PDS(MEMN)    *.PDS(*),*/*/INFO            MVS/MEMN/INFO
MVS.PDS(MEMN)    *(*),+*.INF                  MEMN.INF
MVS.SEQ.INFO     *.*.INFO,*.*                 MVS.SEQ
MVS.SEQ.INFO     *.*.DATA,+*.INF              SEQ.INF

More than one ZIPPED_DSN command can be used in one execution to match various input/output combinations. File names are converted based on the order of occurrence of ZIPPED_DSN commands. In the following example, the file MYFILE.INPUT.DAT would be processed by the second ZIPPED_DSN command.

MYFILE.INPUT.DAT
–ZIPPED_DSN(*.IN.*,*/*)
–ZIPPED_DSN(*.INPUT,*/*.DAT) (here the file is processed)
–ZIPPED_DSN(*.DATA,*/DAT)
ZPAM253I ADDED File MYFILE.INPUT.DAT
ZPAM254I as MYFILE/INPUT/DAT.TXT
ZPAM255I (DEFLATED 62%/61%)

This would create the ZIP file: MYFILE/INPUT.DAT.

Notes for –ZIPPED_DSN

File names are converted based on the order of occurrence of ZIPPED_DSN commands. For example, the file MYFILE.INPUT.DAT would be processed by the second ZIPPED_DSN command in the following example.

–ZIPPED_DSN(*.IN.*,*/*)

–ZIPPED_DSN(*.INPUT,*/*.DAT) (here the file is processed)

–ZIPPED_DSN(*.DATA,*/DAT)

This would create the ZIP file: MYFILE/INPUT.DAT.

Care must be taken when coding this command to achieve a desired result. Examples of errant coding techniques follow:

Example:

Given the PDS member: MVS.PDS(MEMBER)
and a command of: –ZIPPED_DSN(*,*.TXT)
the ZIP archive will be: MVS.PDS(MEMBER).TXT (an invalid filename)

or

Given the PDS member: MVS.PDS(MEMBER)
and a command of: –ZIPPED_DSN(MV*,PD*.TXT)
the ZIP archive will be: PDS.PDS(MEMBER).TXT (an invalid filename)

When coding this command for new filename translation, the SIMULATE command can be used in test runs to ensure that the desired results are being achieved without the processing time associated with compression and archiving.

The allowable number of ZIPPED_DSN commands is determined by each command’s storage requirements of approximately 256 bytes.

The allowable number of wild characters (“*”) is determined by the <MVS name> format. Extra wild characters adjacent to other wild characters are not supported. The maximum number of wild characters in the <MVS name> is 28.

There must be a match of wild characters in the <Archive name> to the <MVS name> or unpredictable results may occur. Any extra wild characters in the <MVS name> are ignored. For example, a null filename may result from ZIPPED_DSN(*,+), which instructs all MVS DSN characters to be deleted.

Defaults for –ZIPPED_DSN

If the ZIPPED_DSN command is not specified, the default ZIP file name depends on the MVS file type.

NonVSAM files

Periods for all data set types and the left-parenthesis associated with PDS and PDSE member formats are converted to the active ZIPPED_DSN_SEPARATOR character. The right-parenthesis for member name designations is ignored. For example:

–ARCHIVE(MY.TEMP.ZIP)
–ACTION(UPDATE)
DEV.IVP.SEQ
DEV.PROJ.SRC(ASCIIUS)
ZPAM030I OUTPUT Archive opened: MY.TEMP.ZIP
ZPAM253I ADDED File DEV.IVP.SEQ
ZPAM254I as DEV/IVP/SEQ
ZPAM255I (DEFLATED 78%/78%)
ZPAM253I ADDED File DEV.PROJ.SRC(ASCIIUS)
ZPAM254I as DEV/PROJ/SRC/ASCIIUS
ZPAM255I (DEFLATED 62%/61%)

Note that the command PATH(N) may change the expected path name, and ZIPPED_DSN_SEPARATOR can create a file with the command’s specified separators. If the ZIPPED_DSN command is not specified, verify that the path and separators are specified correctly.

VSAM Clusters for –ZIPPED_DSN

The ZIPPED_DSN specifications are also applied to the index and the data levels of file names, which are stored as attributes within the archive. Separate ZIPPED_DSN commands cannot be applied to the component names.

The created DATA and INDEX names are appended with “.DATA” and “.INDX” respectively. The MVS separator “.” is used rather than the active value of ZIPPED_DSN_SEPARATOR.

-ACTION(ADD)
-ARCHIVE_DSN(MAS.TEMP.ZIP)
-ARCHIVE_DSORG(PS)
-ACTION(UPDATE)
MAS.TEST.KSDS
-ZIPPED_DSN(MAS.*.KSDS,MAS/NEWLVL/KSDS)
ZPAM030I OUTPUT Archive opened: MAS.TEMP.ZIP
ZPAM253I ADDED File MAS.TEST.KSDS
ZPAM254I as MAS/NEWLVL/KSDS
ZPAM255I (DEFLATED 91%/91%)

Resulting values:

-ACTION(VIEWDETAIL)
ZPAM001I Filename: MAS/NEWLVL/KSDS
ZPAM332I VSAM Data Name: MAS.NEWLVL.KSDS.DATA
ZPAM333I VSAM Index Name: MAS.NEWLVL.KSDS.INDEX

–ZIPPED_DSN_SEPARATOR

Synonyms Include: –NIASEP

The ZIPPED_DSN_SEPARATOR command specifies the separator to be used in the created ZIP archive name. The default is “/” or Hex ‘2F’ to conform to ZIP Specifications, which provides for cross-platform compatibility. This creates a file name where each MVS qualifier is converted to a directory name. For example, period separators are changed to the specified separator character.

–ZIPPED_DSN_SEPARATOR(<sepchar>)

sepchar - The character to be used as a separator between components in the ZIP file name. It may be coded in one of two formats:

• EBCDIC Display Character - Where the character is a single EBCDIC character. This will be translated with the TRANSLATE_TABLE_FILEINFO table to ASCII before being used in the ZIP file. A “/” is the default character.

• X’Hex’ - Where the actual ASCII character is specified in hex and is not translated before being placed in the ZIP file. A hex character of “2F” is the default character.

Note: Use of a separator character other than the default should be done with consideration of the targeted SECUNZIP system. Unexpected results may occur during an extract if the filename does not adhere to the target system’s file naming standards.

Example:

Given the PDS member: XXX.YYY(ZZZ)
and a command of: (not specified: using the default value of “/”)
the ZIP archive will be: XXX/YYY/ZZZ

Example:

Given the PDS member: XXX.YYY(ZZZ)
and a command of: –ZIPPED_DSN_SEPARATOR($)
the ZIP archive will be: XXX$YYY$ZZZ

11 ZIP Archives

A ZIP archive is the storage facility for files that are compressed, or simply stored using the SecureZIP for zSeries product. It can hold up to 65,535 files, which may be compressed up to 99% of their original size. File attributes are retained to allow extraction of the same file characteristics without the need of control card specifications. Data integrity is validated by a cyclic redundancy check (CRC) to ensure integrity from compression through extraction.

An archive can exist in three possible states during processing. These are “old archive,” “temporary data set,” and “new archive.” The function of each is described in the sections below.

Many older ZIP products were modeled after the disk operating system (DOS)-based PKZIP® products, which had an archive limit of 16,383 files. The current ZIP archive specifications allow up to 65,535 files based on a two-byte binary counter in the directory. An archive that is created by SecureZIP for zSeries with more than 16,383 files may not be able to be processed by older releases of PKZIP for zSeries or ZIP products written by other vendors. The actual number of files that can be processed by SecureZIP for zSeries is limited by local system resources such as allowable region size.

A ZIP archive is transferable between platforms. For example, files compressed by SecureZIP for zSeries can be extracted by PKZIP on a different platform and maintain identical data.

MVS archives can be held in a variety of formats: sequential data set on tape or disk, PDS or PDSE members, or a VSAM cluster (ESDS). An archive file is designated to SecureZIP for zSeries by a control card of either ARCHIVE_DSN(dsname) or ARCHIVE_INFILE(ddname).

Sequential data set archives may be held in Undefined (U), Variable (V, VB) or Fixed (F, FB, FBS) formats. PDS and PDSE member archives may be held in Undefined (U), or Fixed (F, FB) formats.

The standard format for a ZIP archive is shown in the table below:

Standard Zip Archive Format

File #1  [Local Directory Entry (X’504B0304’)] [optional extended attributes] [file data]
File #2  [Local Directory Entry (X’504B0304’)] [optional extended attributes] [file data]
File #n  [Local Directory Entry (X’504B0304’)] [optional extended attributes] [file data]
File #1  [Central Directory Entry (X’504B0102’)] [optional extended attributes]
File #2  [Central Directory Entry (X’504B0102’)] [optional extended attributes]
File #n  [Central Directory Entry (X’504B0102’)] [optional extended attributes]
[End-Central Directory Entry (X’504B0506’)] [optional Archive Comment]

The local and central directory entries contain information such as the file name, uncompressed size and compressed size, along with control values. The extended information controlled by the SAVE_FILE_ATTRIBUTES command reflects data set allocation information from the file as stored by SecureZIP for zSeries.
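The archive layout described above can be checked mechanically. The following Python code is an added example, not PKWARE code: it walks an archive image from the end-central entry through the central and local directory entries, verifies each file's CRC, and reports whether the file count exceeds the 16,383 limit of older products. The sample archive is constructed inline, the field offsets follow the published ZIP format, the function names are illustrative, and ZIP64 and multi-volume archives are not handled.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"    # X'504B0304' local directory entry
CENTRAL_SIG = b"PK\x01\x02"  # X'504B0102' central directory entry
EOCD_SIG = b"PK\x05\x06"     # X'504B0506' end-central directory entry
LEGACY_FILE_LIMIT = 16383    # limit of older DOS-modeled products, per the guide

EOCD = struct.Struct("<4sHHHHIIH")              # 22-byte fixed part
CENTRAL = struct.Struct("<4sHHHHHHIIIHHHHHII")  # 46-byte fixed part
LOCAL = struct.Struct("<4sHHHHHIIIHH")          # 30-byte fixed part


def check_crc(payload, method, flags, expected_crc, expected_size):
    """True/False for stored or deflated data; None when it cannot be checked."""
    if flags & 0x0001:  # encrypted entry: the CRC covers plaintext we do not have
        return None
    try:
        if method == 0:    # stored
            plain = payload
        elif method == 8:  # DEFLATE (RFC 1951), raw stream without zlib header
            # Cap the output at one byte past the declared size so a lying
            # header cannot make the check inflate unbounded data.
            plain = zlib.decompressobj(-15).decompress(payload, expected_size + 1)
        else:
            return None
    except zlib.error:
        return False
    return len(plain) == expected_size and zlib.crc32(plain) == expected_crc


def inspect_zip(data):
    """Walk a ZIP image from the end-central entry to each file's data."""
    # The end-central entry comes last, followed only by the optional archive
    # comment (at most 65,535 bytes), so search backwards from the end.
    pos = data.rfind(EOCD_SIG, max(0, len(data) - EOCD.size - 0xFFFF))
    if pos < 0:
        raise ValueError("no end-central directory entry (X'504B0506')")
    _, _, _, _, total, _, cd_offset, comment_len = EOCD.unpack_from(data, pos)
    comment = data[pos + EOCD.size:pos + EOCD.size + comment_len]

    entries, cursor = [], cd_offset
    for _ in range(total):  # 'total' is the two-byte counter: 65,535 at most
        c = CENTRAL.unpack_from(data, cursor)
        if c[0] != CENTRAL_SIG:
            raise ValueError("bad central directory signature at %d" % cursor)
        flags, method, crc, csize, usize = c[3], c[4], c[7], c[8], c[9]
        name_len, extra_len, fcomment_len, local_offset = c[10], c[11], c[12], c[16]
        name = data[cursor + CENTRAL.size:cursor + CENTRAL.size + name_len]
        cursor += CENTRAL.size + name_len + extra_len + fcomment_len

        # Follow the pointer to the local entry and confirm both copies agree.
        loc = LOCAL.unpack_from(data, local_offset)
        if loc[0] != LOCAL_SIG:
            raise ValueError("bad local directory signature for %r" % name)
        start = local_offset + LOCAL.size
        local_name = data[start:start + loc[9]]
        start += loc[9] + loc[10]  # skip name and optional extended attributes
        entries.append({
            "name": name.decode("cp437"),
            "names_match": name == local_name,
            "crc_ok": check_crc(data[start:start + csize], method, flags, crc, usize),
        })
    return {
        "count": total,
        "legacy_compatible": total <= LEGACY_FILE_LIMIT,
        "comment": comment,
        "entries": entries,
    }


def build_sample():
    """Constructed sample archive: one deflated entry, one stored entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.comment = b"constructed sample"
        zf.writestr("XXX/YYY/ZZZ", b"HELLO FROM A PDS MEMBER\n" * 20, zipfile.ZIP_DEFLATED)
        zf.writestr("XXX/YYY/STORED", b"stored as-is", zipfile.ZIP_STORED)
    return buf.getvalue()


if __name__ == "__main__":
    report = inspect_zip(build_sample())
    print(report["count"], "files; legacy compatible:", report["legacy_compatible"])
    for entry in report["entries"]:
        print(entry)
```

A `crc_ok` value of `None` means the entry is encrypted or uses a method other than store or DEFLATE, so its CRC could not be checked here.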

“Old” ZIP Archive

An old ZIP archive refers to an archive containing ZIPPED files that is in existence and may also be referred to as “ARCHIN”. It may have been created by SecureZIP for zSeries in an earlier process, or have been transferred from a different platform. This archive is specified using the ARCHIVE or ARCHIVE_INFILE commands. The old archive can be thought of as the “before” version of an archive that is being updated.

“Temporary” Dataset

A temporary data set refers to a work in progress. This data set has several possible uses in SecureZIP for zSeries processing, including:

• X'Hex' - Here the actual ASCII character is specified in hex and is not translated before placed in the ZIP file. A hex character of “2F” is the default character.

When a new non-partitioned archive data set is created by an update request, SecureZIP for zSeries will use a temporary name for the output archive until the processing request is complete. Note that the system reports the cataloging of the temporary dataset name in the job log, not the final name used in the rename. This is normal behavior for dynamically allocated files in System/390 operating systems.

• As an interim storage area for compressed data before it is written to the output archive.

In addition to the archive being allocated, temporary files may be allocated as staging areas for compressed data. The –TEMP family of commands governs the allocation controls for these temporary files.

• As temporary storage while processing tape input archives.

The –STAGE_TAPE_TO_DISK command may be used to copy a tape archive to a disk-based temporary file to improve performance. SecureZIP for zSeries will automatically process 3420 reel-to-reel tape in this way to accelerate the copying process. By manually defining //ARCHTEMP DD in the job, this temporary dataset can also be passed to subsequent SECUNZIP steps for better performance. The use of this method requires that the size of the temporary archive be equal to or larger than the archive.

• As temporary storage for file control information, including SORT work files.

When a high volume of dataset names is encountered during catalog filename selection and archive directory parsing, informational records may be written to work files for processing according to the memory controls provided in the job. Additionally, these temporary files are used for sort/merge processing for filename matching.

“New” ZIP Archive

When ZIP processing begins, SecureZIP for zSeries creates a new ZIP archive that is the modified, or “after”, version of the old archive. The (modified) name of the old archive and specified allocation information of the old archive is automatically transferred to the new archive. After the update process completes, the old archive is deleted. If the new output archive allocation fails, SecureZIP for zSeries will terminate, leaving the old input archive intact.

Temporarily, the new ZIP archive will keep the same name as the old ZIP archive, as named in the ARCHIVE command, except that the last part of the data set name will be replaced by a unique eight-character name. If the new archive is a member of a PDS or PDSE, this unique name acts as the member name.

12 Processing with GZIP

What is GZIP?

GNU Zip is a different standard for handling compressed file data in an archive. Support for the GZIP standard can be found in various utilities for many platforms. This format is not compatible with SecureZIP for zSeries archives; however, SecureZIP for zSeries provides limited support for GZIP archives. (Information regarding RFC processes for information interchange with regard to GZIP can be found at www.faqs.org/rfcs.)

RFC 1951 is the specification that describes the DEFLATE compressed data format that is to be used with GZIP archives. SecureZIP for zSeries creates a compression stream that is compatible with this format.

RFC 1952 describes the GZIP archive format specifications. Differences from SecureZIP for zSeries archives include:

• All GZIP filenames must be represented in lower case.

• Both binary and text data are supported by GZIP; however, the LATIN-1 translation table is the defined standard for EBCDIC/ASCII filename translation (ISO 8859-1).

Why use GZIP?

GZIP may be useful when exchanging files with a platform that has only a GZIP support utility.

Although GZIP has an almost limitless capacity, it has other significant limitations that make it less attractive than SecureZIP for zSeries for most applications.

• GZIP lacks a “directory” of the files contained within it. In addition, files contained within a GZIP archive can only be found in a serial fashion. (GZIP and ZIP have different nomenclature. Whereas a ZIP archive stores “files”, these data entities are known as “members” in a GZIP archive.)

• The file information controls provided in GZIP archives cannot be fully reported on until the entire data stream is decompressed.

• The GZIP format may not be recognized by other products providing ZIP archive support, and thereby restricts its cross-platform usefulness.

SecureZIP for zSeries Implementation Notes for GZIP

The DEFLATE compression algorithm used in GZIP is similar to the compression logic used in SecureZIP for zSeries archives. The archive format is compatible with GZIP processes running on other platforms, although extensions provided by SecureZIP for zSeries may not be supported by other utilities.

The standard GZIP archive format maintains a header entry at the beginning that describes the name of the file and a timestamp. A CRC integrity value is also maintained; however, this value is stored at the end of the file along with the original size of the input file.

GZIP Restrictions

• The SecureZIP for zSeries implementation for GZIP is restricted to 1 file within an archive. For this reason, only the ADD Action for a new archive is supported. Do not attempt to FRESHEN an existing file within an archive, add additional files, or delete a file from an archive.

• Only the first file in a GZIP archive from another platform will be processed by UNZIP processing. For this reason, when creating GZIP archives on other platforms with MVS as the target system, only place one file in each GZIP archive file.

• An existing archive must be processed in accordance with its archive type, such as SecureZIP for zSeries or GZIP. For example, an existing SecureZIP for zSeries archive cannot have GZIP data appended to it. A message will be issued and processing will be terminated if this rule is not followed.

• VIEW processing will not report the CRC or file size information because of the way GZIP archives hold the information.

• COMPRESSION_LEVEL(STORE) is not part of the GZIP standard, and is therefore ignored by the compression engine.
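The header, trailer and one-member restriction described above can be checked before a GZIP archive is sent to MVS. This Python code is an added example, not part of SecureZIP: it parses each RFC 1952 member header (optional name, timestamp), inflates the data with an output limit, compares the CRC and size stored at the end, and reports whether the archive holds exactly one member. The sample members and the names make_member and inspect_gzip are constructed for illustration.

```python
import gzip
import io
import struct
import zlib

FHCRC, FEXTRA, FNAME, FCOMMENT = 0x02, 0x04, 0x08, 0x10  # RFC 1952 FLG bits


def parse_header(data, pos):
    """Parse one member header; return (name, mtime, offset of DEFLATE data)."""
    magic, method, flags, mtime, _xfl, _os = struct.unpack_from("<2sBBIBB", data, pos)
    if magic != b"\x1f\x8b" or method != 8:
        raise ValueError("no gzip member header at offset %d" % pos)
    pos += 10
    if flags & FEXTRA:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    name = None
    if flags & FNAME:  # the file name is optional, zero-terminated, ISO 8859-1
        end = data.index(b"\x00", pos)
        name, pos = data[pos:end].decode("latin-1"), end + 1
    if flags & FCOMMENT:
        pos = data.index(b"\x00", pos) + 1
    if flags & FHCRC:
        pos += 2
    return name, mtime, pos


def inspect_gzip(data, max_output=1 << 20):
    """Walk every member serially, checking the CRC and size in each trailer."""
    members, pos = [], 0
    while pos < len(data):
        name, mtime, body = parse_header(data, pos)
        inflater = zlib.decompressobj(-15)  # raw DEFLATE between header and trailer
        pending, crc, size = data[body:], 0, 0
        while not inflater.eof:
            out = inflater.decompress(pending, 65536)
            pending = inflater.unconsumed_tail
            if not out and not pending and not inflater.eof:
                raise ValueError("truncated DEFLATE stream")
            crc = zlib.crc32(out, crc)
            size += len(out)
            if size > max_output:  # bound the work done on untrusted input
                raise ValueError("member exceeds the output limit")
        rest = inflater.unused_data  # 8-byte trailer, then any further members
        if len(rest) < 8:
            raise ValueError("missing CRC/size trailer")
        stored_crc, stored_size = struct.unpack_from("<II", rest)
        members.append({
            "name": name, "mtime": mtime, "size": size,
            "crc_ok": crc == stored_crc,
            "size_ok": (size & 0xFFFFFFFF) == stored_size,
            # The guide states that GZIP file names must be lower case.
            "name_lowercase": name is None or name == name.lower(),
        })
        pos = len(data) - len(rest) + 8
    return {"members": members, "single_member": len(members) == 1}


def make_member(payload, filename="", mtime=0):
    """Build one constructed gzip member in memory."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename=filename, mode="wb", fileobj=buf, mtime=mtime) as gz:
        gz.write(payload)
    return buf.getvalue()


if __name__ == "__main__":
    first = make_member(b"payroll extract\n" * 50, "report.txt", 1106563320)
    for label, image in (("one member", first),
                         ("two members", first + make_member(b"second member"))):
        print(label, inspect_gzip(image))
```

An archive for which `single_member` is false would have only its first member extracted by UNZIP processing, as noted in the restrictions above.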

GZIP Extensions

• As a proprietary extension, standard (96 bit) password encryption support is provided beyond the RFC standard.

• File attributes can be stored in the GZIP archive (just as they are in a SecureZIP for zSeries archive) so that the file can be reconstructed during EXTRACT processing.

• Filename control commands may be used—for example, ZIPPED_DSN. Lower-case translation of the resulting name is done to conform to GZIP requirements.

• During EXTRACT processing, if the GZIP archive does not contain a file name (not required by GZIP specifications), then a filename is constructed with a low-level qualifier (or PDS/PDSE member name) of “GZOUT” by using the input archive name as the base. This pseudo-name is then processed by filename-modifying commands such as UNZIPPED_DSN. (See also GZIP_SUFFIX in Chapter 10.)

• Although the default specification for GZIP processing is to handle data as BINARY, SecureZIP for zSeries will use the DATA_TYPE command with DETECT or TEXT processing.

• Although MULTI_THREAD_LIMIT is ignored for GZIP processing (because only one file can be compressed), multi-tasking is still performed for input file reads, data compression, and archive file writes to maximize processing throughput.

• Although the GZIP standard does not support directory levels in the filename, many products (including SecureZIP for zSeries) support this as an extension.

• Although the timestamp in the archive is in UNIX-format and is by specification to be UTC, SecureZIP for zSeries honors the TIMESTAMP command.

Processing GZIP Archives

In general, a GZIP archive must be processed only in GZIP mode and with only one GZIP “member.” When creating a GZIP archive, specify GZIP in the command stream (or use a defaults module with the GZIP value set). UNZIP processing in SecureZIP for zSeries automatically detects the GZIP header and processes accordingly.

If zipping a file for transport to another platform that does not support the extensions provided by SecureZIP for zSeries, use commands to nullify those extensions—for example, NOATTRIB, NOPATH.

13 Using the ISPF Interface

Getting Started with the ISPF Interface

When the SecureZIP for zSeries ISPF interface is started for the first time, the Configuration Menu displays. On subsequent use, the first display is the Main Menu. An example of this menu is shown below. From this panel the desired function can be selected by entering the letter associated with that function.

To display the help information, press PF1 from any panel in the ISPF interface and the help panel for that function is displayed.

To end the SecureZIP for zSeries ISPF session, press PF3 or enter “X” while the main menu is displayed.

SecureZIP for zSeries 8.1 Main Menu
Option ===>

  C   Config           Modify Run-time Configuration Settings
  ZD  Zip Defaults     Modify Default ZIP Command Settings
  UD  Unzip Defaults   Modify Default UNZIP Command Settings
  U   Unzip            Decompress, Decrypt, Authenticate File(s) in an Archive
  V   View             Display the Contents of a Zip Archive
  Z   Zip              Compress, Encrypt, Sign File(s) into a Zip Archive
  S   Sysprint         Browse Log of Last Foreground Execution
  M   Messages         Message ID lookup
  L   License          Display License Information
  CS  Cert Store       Certificate Store Administration and Configuration
  W   What's New       Browse Information on Changes Since Last Release
  P   Contact PKWARE   Browse Information on How to Contact PKWARE
  X   EXIT

To EXIT Press PF3 or enter X            For HELP Press PF1

Configuration (Option ‘C’)

The SecureZIP for zSeries ISPF interface requires configuration information to function correctly in the user environment. Upon initial use of the ISPF interface, the Configuration Menu is displayed regardless of the option selected. The following is an example of the Menu.

SecureZIP for zSeries 8.1 Configuration
OPTION ===>

Specify load library..: 'SECZIP.MVS.LOAD'

Specify defaults file(s):                             Specify defaults module: ACZDFLT
  ZIP processing......: 'SECZIP.MVS.INSTLIB(CMDZIP)'
  UNZIP processing....: 'SECZIP.MVS.INSTLIB(CMDUNZIP)'

Miscellaneous:                      Sysprint allocation info:
  Use TSO Prefix (Y/N): Y             Pri : 3
  Lowest Acceptable RC: 4 (0,4,8)     Sec : 1
                                      Type: CYLS (BLKS,TRKS,CYL)

Job Card information:
  //JOBNAME JOB 'ACCOUNTING INFO',CLASS=A,REGION=8M,
  // MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID

To EXIT Press PF3                   For HELP Press PF1

The configuration panel is shown above. There are several configuration data fields on this panel:

Field Description

Load Library The library that contains the executable code for SecureZIP for zSeries. The default is the installed load library.

Defaults Module The module listed here is used as the installed defaults for all SECZIP or SECUNZIP jobs generated by ISPF. The default module is ACZDFLT.

Defaults Files The files that contain any overrides to the installed defaults. There is one for ZIP processing and one for UNZIP processing. The default file names are dsnhlq.INSTLIB(CMDZIP) and dsnhlq.INSTLIB(CMDUNZIP) (where dsnhlq is the high level qualifier specified during installation).

TSO Prefix This field controls the use of the TSO prefix. Specify ‘Y’ to have the value of the TSO prefix appended to all unquoted data set names as the high level qualifier. If NOPREFIX is specified in the TSO PROFILE, then the value of this field is ignored.

Lowest Acceptable RC This field controls the display of the generated output of a foreground execution. If the return code of the execution is greater than the number entered in this field, then the output is automatically displayed after the run.

Sysprint Allocation Information used to set the default size for the SYSPRINT (output) file.

Job Card The default job card to be used in all batch jobs generated by the SecureZIP for zSeries ISPF interface.

Defaults (Options ZD and UD)

As explained previously, SecureZIP for zSeries defaults are provided at installation time. These are reflected in the table displayed by options ZD and UD. Option ZD displays the defaults in place for ZIP processing. Option UD displays the UNZIP defaults.

When either option ZD or UD is selected, the defaults are displayed in a scrollable table. An example is shown below. The defaults can be changed and will override the installed defaults for the remainder of this ISPF SecureZIP for zSeries session or until a LOAD or RESET command is entered. Use the CANCEL command to return to the calling function without processing the changes. All changes made prior to the cancel remain in effect until RESET or until the ISPF session is terminated.

SecureZIP for zSeries 8.1 Zip Defaults                     Row 1 to 13 of 184
COMMAND ===>                                               SCROLL ===> PAGE
Make changes to option value(s) and Press ENTER and/or enter command.
  EXIT (PF3) - Return and process changes     SAVE - Save changes in data set
  (RES)ET - Restore original defaults         LOAD - Load from a saved file
  (CAN)CEL - Return - DO NOT Process          DISP - Display Current Changes
  (L)OCATE - Locate Option                    / - Select option for update

/ Option Name                 Option Value
  --------------------------- -----------------------------------
  ACTION                      ADD
  ARCHIVE_BLKSIZE             DYNAMIC
  ARCHIVE_COMMENT             SecureZIP for zSeries by PKWARE Inc.
  ARCHIVE_DATACLASS
  ARCHIVE_DIR_BLOCKS          52
  ARCHIVE_DSN
  ARCHIVE_DSORG               PS
  ARCHIVE_INFILE              ARCHIN
  ARCHIVE_LRECL               DYNAMIC
  ARCHIVE_MGMTCLASS
  ARCHIVE_OUTFILE             ARCHOUT
  ARCHIVE_RECFM               U

Use PF7 and PF8 or the UP and DOWN commands to scroll the table display.

Only the first 34 characters of an option value are displayed. If the option value exceeds 34 characters, then a ‘+’ is displayed at the end of those 34 characters indicating that the option value is longer than the display field. The entire length of the field is maintained when the changes are processed. Only the display is truncated.

Primary Commands

The following table lists the commands that can be entered on the Defaults panel.

Command Description

CANCEL This command allows you to return from the default options display without generating. All changes made prior to the CANCEL command will remain. To change them back to the original defaults, use the RESET command as explained above.

DISP This command gathers all the changes to the default options and formats a scrollable display showing the options, their current value and the origin of the change. The origin can be DS (loaded from a dataset), CD (changed on the defaults panel), or AV (changed by the Advanced Option feature on the ZIP and UNZIP options, explained later in this chapter). An example of this display is shown below.

EXIT End the defaults display and return to the SecureZIP for zSeries main menu. Pressing PF3 has the same results.

LOAD This command loads default settings that were previously saved in a data set using the SAVE command. You are prompted to enter the data set name and member name. First a RESET is done to clear any previously changed defaults and then the default option values saved in the data set entered are loaded and the displayed table is updated. Any options changed by the LOAD are flagged with the string ‘**Loaded**’. These defaults will remain in effect until this SecureZIP for zSeries session is ended or the RESET command is entered.

LOCATE This command positions the table display to a particular default option or to a default option beginning with a certain string. For example, by entering LOCATE C the table display will be positioned so that the first default option beginning with the letter ‘C’ will be the first line displayed. This command can be truncated to LOC or L.

RESET This command resets any changes made using this option and restores the defaults as they were installed and/or modified by the systems programmer. This command can be truncated to RES.

SAVE This command prompts you for a data set name and member. Then any changes made to the defaults subsequent to the SAVE command are written to the data set entered. That data set can then be reloaded using the LOAD command explained below.

The Changed Zip Defaults panel looks like this:

Display of Changed Zip Defaults                            Row 1 to 4 of 4
COMMAND ===>                                               SCROLL ===> PAGE
The following options have been changed from the original defaults.
Source of changes:
  DS - Loaded from data set
  CD - Changed default panel
  AV - Zip or UnZip Advanced options

/ Option Name                 Current Option Value                Origin
  --------------------------- ----------------------------------- -------------
  MEMORY_MODEL                LARGE                               AV
  ACTION                      FRESHEN                             DS
  LOGGING_LEVEL               VERBOSE                             DS
  ARCHIVE_DSORG               PE                                  CD

Changing Default Options

The default option values vary depending on the option being changed. There are seven types of options: a Y/N option, a numeric option, an EBCDIC character, a data set name, clear text, a list of volumes, and an option list. Each of these is explained below. An option of any type must be selected for update by first typing a ‘/’ in the field at the beginning of the line where the desired option is displayed and pressing “Enter”. After the option is selected and its type is determined, the update proceeds as explained below.

Option Type Description

Y/N The value of the selected YES/NO option is toggled. If it is currently a ‘Y’, then it is made an ‘N’ and vice versa.

Numeric When an option with a numeric value is selected, then a ‘pop-up’ panel is displayed where the desired numerical value can be entered.

EBCDIC When an option value is a single EBCDIC character, a ‘pop-up’ panel is displayed where the desired character can be entered.

Data set Name If the value of an option is a data set name, then a ‘pop-up’ panel is displayed allowing the name of a data set to be entered. The data set name can be in the form of MY.DATA.SET.NAME or MY.DATA.SET.NAME(MEMBER).

Text If an option value is character or text information, then a ‘pop-up’ panel is displayed allowing the desired text to be entered. Text can be up to 255 characters depending on the option.

Volume List Some option values are lists of volume serial numbers. Selecting an option of this type will cause a ‘pop-up’ panel to display where from 1 to 31 volume serial numbers can be entered.

Option List Several options have a list of valid values. When an option of this type is selected for update, a scrollable panel is displayed showing all of the valid values for that option. The desired value can then be selected by placing a ‘/’ beside the desired value.

Changes entered for the updates above are identified on the panel by the string ‘**Changed**’.

Including Changed Defaults

Any ZIP and/or UNZIP default options changed using this SecureZIP for zSeries option are included in every corresponding ZIP and/or UNZIP foreground and batch job generated during this SecureZIP for zSeries ISPF session. A SecureZIP for zSeries ISPF session is defined from the time the main menu is displayed until it is exited. The proper commands are generated and included in the appropriate input stream.

View Archive (Option ‘V’)

This option is used to view information about the files contained in a zip archive. The information is formatted in a scrollable table and displayed on a panel. The table can be scrolled ‘UP’, ‘DOWN’, ‘LEFT’, and ‘RIGHT’ using the commands (or PF7, PF8, PF10, and PF11). The information displayed about each archived file spans three panels. Scrolling LEFT or RIGHT displays each panel in turn and the associated archived file information. The initial panel for option ‘V’ is shown below. There are also several line commands that can be used to browse, view, extract, display file information, or delete the selected file.

PKZV001                 SecureZIP View Archive
Command ===>

Enter name of archive to be viewed:
  Archive Name . .: 'FPD.TEST.VIEWFILE.ZIP'
  Dataset Filter .:

Security options:
  Security required. : N ( Y - To Display Security Options Dialogue)

Enter VIEW Options:
  View Type . .: V ( V - View, D - Detail, B - Brief, S - Scan
  Sort Output : N ( Y - Yes, N - No)
  Sort Field . : ( D - Date, N - Name, O - Offset, P - Percent, S - Size)
  Sort Order . : ( A - Ascending, D - Descending)

Processing Mode. : F ( F - Foreground, B - Batch)
Batch JCL Status : C ( C - New Dataset, A - Add to existing Dataset)

Additional Commands:

To EXIT Press PF3 or enter X            For HELP Press PF1

Setting VIEW Options

The panel shown above is used to specify options for the VIEW operation. The individual fields are given in the following table:

Field Description

Archive Name Enter the name of the archive to be viewed. It can be in the form of DATA.SET.NAME or DATA.SET.NAME(MBR). Standard data set naming conventions apply. Place the data set name in single quotes (‘…’) to prevent using the TSO prefix as the first qualifier. This option can be turned off using the Configuration option explained earlier.

Data set Filter This field is used to specify a wildcard type filter used to limit the number of data sets displayed. If this field is entered, only those data sets matching the filter will be displayed on the VIEW information panels.

Security required If authentication is required for this archive, select ‘Y’. Additional panels will guide you through the security requirements.

View Type If a 'V' is selected, then the files within the selected archive are displayed on the scrollable panels shown within this chapter. The information displayed on the panels is obtained from an ACTION(VIEWDETAIL) command. If a 'B' is selected, then an ACTION(VIEWBRIEF) command is executed and the output print file is displayed using ISPF browse. The ‘D’ option generates the same command as the ‘V’ option, but the output is browsed instead of being displayed in an ISPF table.

Sort Output The displayed file list can be sorted prior to being displayed by entering a 'Y' in this field. When this field is a ‘Y’ then the following two fields are used to specify sort options.

Sort Field This field is used to specify which display fields to sort on. Enter a ‘D’, ‘N’, ‘O’, ‘P’, or ‘S’ to sort on date, file name, offset, percent compressed, and compressed size, respectively.

Sort Order Specify ‘A’ for ascending or ‘D’ for descending.

Processing Mode Specifying an 'F' in this field will run the view job as a foreground task. Specifying a 'B' will build JCL for a batch job. The JCL will be displayed so it can be reviewed and/or modified before submission. Only the foreground task will display the output on the panels.

Batch JCL Status Specifying a 'C' in this field creates a new job to be submitted in a batch run. Specifying an 'A' in this field adds generated JCL to an already existing file to be submitted as multiple steps in one job.

By first using the ‘C’ option on one panel and then the ‘A’ option on a series of other panels, you can generate a series of steps to process as one job. For example, you may want to build a ZIP archive and then View that archive. By using this feature, you can generate the ZIP JCL from the Z Option and then go to the View panel and generate the View JCL where you will then submit the batch job.

To exit the VIEW operation and return to the main menu, press PF3. Help for the VIEW function can be obtained by pressing PF1. Pressing PF3 on any of the information display panels will return to the main VIEW panel.

SecureZIP for zSeries 8.1 View Archive                     Row 1 to 7 of 48
Command ===>                                               SCROLL ===> CSR
Name of Archive : 'SECZIP.TEST.ZIP'
Primary commands: LOCATE to position list or SORT to sort list.
Enter line command or '/' for list of valid line commands. Press PF1 for HELP.

Cmd File Name
    Zipped           Zipped Unzipped Comp  Type Volume(s) Message
    Date/Time        Size   Size     Ratio
    ---------------- ------ ------   ----- ---- -------
_   PKZIP/TEST/PDS/DELCSI
    1/24/2001 10:42     456     3281 86%   TEXT TSO002
_ + PKZIP/TEST/PDS/DELLINK
    1/24/2001 10:42    8010    85855 90%   TEXT TSO002
_   PKZIP/TEST/PDS/DELNUC
    1/24/2001 10:42    8010    85855 90%   TEXT TSO002
_ + PKZIP/TEST/PDS/DELNVSM
    1/24/2001 10:42     365     1477 75%   TEXT TSO002+
_   PKZIP/TEST/PDS/DELUCAT
    1/24/2001 10:42     314     1067 70%   TEXT TSO002+
_   PKZIP/TEST/PDS/DELVSAM
    1/24/2001 10:42     278     1067 73%   TEXT TSO002
_   PKZIP/TEST/PDS/DIAGBCS
    1/24/2001 10:42     230      739 68%   TEXT TSO002

SecureZIP for zSeries 8.1 View Archive                     Row 1 to 7 of 48
Command ===>                                               SCROLL ===> CSR
Name of Archive : 'SECZIP.TEST.ZIP'
Primary commands: LOCATE to position list or SORT to sort list.
Enter line command or '/' for list of valid line commands. Press PF1 for HELP.

Cmd File Name
    Ds   Rec Record Block  Space             Date       Last
    Org  Fmt Size   Size   Prim Sec Dir Unit Created    Referenced
    ---- --- ------ ------ ---- --- --- ---- ---------- ----------
_   PKZIP/TEST/PDS/DELCSI
    PO   FB      80  27920    5   2 200 CYL  2001/01/24 2001/01/24
_   PKZIP/TEST/PDS/DELLINK
    PO   FB      80  27920    5   2 200 CYL  2001/01/24 2001/01/24
_   PKZIP/TEST/PDS/DELNUC
    PO   FB      80  27920    5   2 200 CYL  2001/01/24 2001/01/24
_   PKZIP/TEST/PDS/DELNVSM
    PO   FB      80  27920    5   2 200 CYL  2001/01/24 2001/01/24
_   PKZIP/TEST/PDS/DELUCAT
    PO   FB      80  27920    5   2 200 CYL  2001/01/24 2001/01/24
_   PKZIP/TEST/PDS/DELVSAM
    PO   FB      80  27920    5   2 200 CYL  2001/01/24 2001/01/24
_   PKZIP/TEST/PDS/DIAGBCS
    PO   FB      80  27920    5   2 200 CYL  2001/01/24 2001/01/24

SecureZIP for zSeries 8.1 View Archive                     Row 1 to 7 of 48
Command ===>                                               SCROLL ===> CSR
Name of Archive : 'SECZIP.TEST.ZIP'
Primary commands: LOCATE to position list or SORT to sort list.
Enter line command or '/' for list of valid line commands. Press PF1 for HELP.

Cmd File Name
    Compression CRC      Compressed         Needed to
    Method               By                 Extract
    ----------- -------- ------------------ ---------------------
_   PKZIP/TEST/PDS/DELCSI
    DEFLATE     BA6AB353 PKZIP for MVS 5.5  ZipSpec 2.0
_   PKZIP/TEST/PDS/DELLINK
    DEFLATE     2F2AA610 PKZIP for MVS 5.5  ZipSpec 2.0
_   PKZIP/TEST/PDS/DELNUC
    DEFLATE     2F2AA610 PKZIP for MVS 5.5  ZipSpec 2.0
_   PKZIP/TEST/PDS/DELNVSM
    DEFLATE     62E3B570 PKZIP for MVS 5.5  ZipSpec 2.0
_   PKZIP/TEST/PDS/DELUCAT
    DEFLATE     FF65B6F2 PKZIP for MVS 5.5  ZipSpec 2.0
_   PKZIP/TEST/PDS/DELVSAM
    DEFLATE     C3593401 PKZIP for MVS 5.5  ZipSpec 2.0
_   PKZIP/TEST/PDS/DIAGBCS
    DEFLATE     822BD61C PKZIP for MVS 5.5  ZipSpec 2.0

Primary Commands

The primary commands UP, DOWN, LEFT, and RIGHT can be entered to control the scrolling. The LOCATE command can also be entered to position the list of files displayed to a file name beginning with the string specified. The display can also be sorted on several fields.

The format of the sort command is:

SORT <field> <order>

The sort field (<field>) can be one of the following:

NAME File name.

DATE Date zipped.

TIME Time zipped.

ZSIZE Compressed size.

USIZE Uncompressed size.

RATIO Compression ratio.

CREATED File creation date

REF Last date file referenced

The sort order (<order>) can be either:

A Ascending order

D Descending order

For example, to sort the display on zipped size beginning with the largest item, enter:

SORT ZSIZE D

Line Commands

Once the list of files is displayed, there are several line commands that may be entered. They are entered in the left-most field next to the desired file. To execute the line commands, press “Enter”. Multiple selections are allowed and will be processed in succession. To select from a list of valid commands, enter a ‘/’ for the line command. The panel below shows the View Line Commands.

SecureZIP View Line Commands
Command ==>

Data Set: 'FPD.TEST.VIEWFILE.ZIP'

Action:
  B  - Browse File            PV - Preview n Lines of File
  BB - Browse Binary File     D  - Delete File
  BT - Browse Text File       I  - Display File Information
  V  - View File              ID - Information Details
  VB - View Binary File       SI - Display File Signers
  VT - View Text File         X  - Extract File
                              XO - Extract with Overwrite

Select an action and press ENTER to process
Press PF3 to return to data set list.

You can select the desired action by typing a ‘/’ next to it. The valid commands are given in the following table.

Command Description

B-Browse The selected file is extracted to a temporary file which is then displayed using ISPF browse. This option does not work for UNIX files with lower case file names. If the selected file is a VSAM file, then the file is browsed as a sequential file.

BT-Browse Text Same as the browse command above except this will generate a DATA_TYPE(TEXT) command for the extract to the temporary file. This is used when the file comes from another platform and/or has incomplete attributes.

BB-Browse Binary Same as the browse command above except this will generate a DATA_TYPE(BINARY) command for the extract to the temporary file. This is used when the file comes from another platform and/or has incomplete attributes.

D-Delete The selected file is deleted from the archive file. A confirmation panel will be displayed to confirm the delete.

I-Info This option displays detailed information about the selected file. This display is similar to the 'I' command given on the Data set List (3.4) display.

SI-Display File Signers This command will display the detailed information on who signed this file.

PV-Preview Extract This command will display the first n lines of an archived file. This option can be used to view a portion of a large file without extracting the entire file. A prompt will request the number of lines to display.

V-View The selected file is extracted to a temporary file which is then displayed using ISPF view. This option does not work for VSAM files or for UNIX type files with lower case file names. Standard ISPF View commands (such as CREATE) can be used to make a copy of the file being viewed.

VT-View Text Same as the view command above except this will generate a DATA_TYPE(TEXT) command for the extract to the temporary file. This is used when the file comes from another platform and/or has incomplete attributes.

VB-View Binary Same as the browse command above except this will generate a DATA_TYPE(BINARY) command for the extract to the temporary file. This is used when the file comes from another platform and/or has incomplete attributes.

X-Extract The selected file is extracted from the archive file.

XO-Extract with overwrite The selected file is extracted from the archive file and will overwrite an existing file with the same name. Same as the ‘X’ command except the OUTFILE_OVERWRITE(Y) command is generated.

Note: Each time a zipped file is selected for browsing or viewing, a temporary file is created. Depending on the size of the unzipped file, the temporary file may be quite large. If you are running under SMS control, SMS will attempt to find the necessary space for the large file and your terminal will be locked during that period of time.

Display Fields

There are several fields of information displayed for each file in the archive. Each field is explained in the table below.

Field                      Description

File Name                  The file name field contains the name(s) of the file(s) contained in the archive. This name can contain both upper and lower case letters. This is the only field that is repeated on each display panel. If a ‘+’ is displayed immediately in front of the file name, this indicates that the file is encrypted and any operation on that file will require a password.

Date/Time Zipped           This field contains the date and time that the file was compressed and added to the archive.

Zipped Size                This field contains the number of bytes the file contains after it was compressed. If the file attributes are incomplete or if the file was compressed in GZIP format, this field will contain ‘N/A’.

Unzipped Size              This field contains the number of bytes the file contained before it was compressed. If the file attributes are incomplete or if the file was compressed in GZIP format, then this field will contain ‘N/A’.

Compression Ratio          This field contains the ratio between uncompressed size and compressed size. It provides a measure of the degree of compression.

File Type                  This field indicates the type of data contained in the compressed file. It can be text (TEXT) or binary (BIN).

Volume                     This field indicates the volume from which the compressed file came. If it is a multi-volume file, only the first volume is displayed along with a plus sign (+) indicating there are additional volume(s).

Message                    This field is used to show the last line command executed against this file. The valid displays are '*Browsed', '*Viewed', '*Info', '*Unzip', and '*Delete'.

Dsorg                      This field displays the data set organization of the compressed file. Valid entries are ‘PS’ for a sequential file, ‘PO’ for a PDS, ‘VSAM’, and 'PDSE' for a PDS extended file.

Record Format              Record format of the compressed file.

Record Size                Record size of the file in bytes.

Block Size                 Block size of the file in bytes.

Primary Space              Amount of primary space allocation.

Secondary Space            Amount of secondary space allocation.

Allocation Units           BLKS, TRKS, or CYLS.

Directory Blocks           Number of directory blocks allocated.

Creation Date              Date the file was created.

Last-Referenced Date       Date the file was last referenced.

Compression Method         Method used to compress the file.

Cyclic Redundancy Check    A 32-bit field used to ensure integrity of the file. This field is calculated during compression. It is re-calculated when the file is decompressed and that value is checked against the original value.

Compressed by              Program used to compress file.

Needed to Extract          The ZIP Specification level required to extract the file. The number listed is not a version of the SecureZIP for zSeries program but rather a version of the ZIP file format.

Using Security

The panels shown below are used to specify options for archive authentication.

  PKZV015              SecureZIP VIEW Processing
  Command ===>

  Security options:

  Archive Authentication

    Options: Y or N to turn on or off the option
    Note: The values listed represent your current options
      Y Trusted    Y Expired    Y Revoked    Y Tampercheck

  / Local Store Data Base Profile
    DB Profile > 'SECZIP.MVS.PROFILES(DBPSTD)'

  -------------------------------------------------------------------------
  Reporting:
    Certificate Report : Y ( Y - Recipients show in SYSPRINT)

+-----------------------------------------------------------------------------+

  PKZA001              SecureZIP Archive Authentication
  Command ===>
  Archive File Information:
    Archive Name     : 'FPD.TEST.VIEWFILE.ZIP'
    Specific signers : N ( Y - Verify against a list of signatories)
                         ( N - A generic -AUTHCHK(ARCHIVE))

  / Local Store Data Base Profile
    DB Profile > 'SECZIP.MVS.PROFILES(DBPSTD)'
  List the signing certificates to be used if Specific signers=Y above.
  / Edit a file containing a set of -AUTHCHK commands.
  S Search the Local Certificate Store to build a list
    Archive Signers List: 'SECZIP.MVS.CERTSTOR.PROFILES($AUTHARC)'

  Individual Signers: An -AUTHCHK() request will be built
                      for each of the following requests.
    1.
    2.
    3.
    4.
    5.

Archive Authenticated

The panels shown below display “Authenticated” and the name of the signer if you selected to authenticate the archive during “View” processing.

  PKZV002          SecureZIP View Archive Authenticated
  Command ===>                                             SCROLL ===> CSR
  Name of Archive : 'FPD.TEST.VIEWFILE.ZIP'
  Archive was digitally signed by PKWARE Test1;
  Primary commands: LOCATE to position list or SORT to sort list.
  Enter line command or '/' for list of valid line commands. Press PF1 for HELP.
  Cmd  FileName         Zipped            Zipped  Unzipped  Comp   Type  Volume(s)  Message
                        Date/Time         Size    Size      Ratio
                        ----------------  ------  ------    -----  ----  -------
  S    FPD/TEST/ARC1    2/01/2005 16:24   1248    1383      9%     BIN   FPD001
       FPD/TEST         2/01/2005 16:24   284     560       49%    BIN   FPD001
       FPD/TEST/ARC2    2/01/2005 16:24   1248    1383      9%     BIN   FPD001
       FPD/TEST/ARC3    2/01/2005 16:24   1248    1383      9%     BIN   FPD001
       FPD/TEST/ARC5    2/01/2005 16:24   2155    3925      45%    BIN   FPD002
       FPD/TEST/ARC4    2/01/2005 16:24   2116    2543      16%    BIN   FPD002

Archive Signed

The panels shown below display the message “Archive was digitally signed”, without specific information on the signer, if you do not request authentication and the archive is signed.

  PKZV002          SecureZIP View Archive                  Row 1 of 10
  Command ===>                                             SCROLL ===> CSR
  Name of Archive : 'FPD.TEST.VIEWFILE.ZIP'
  Archive was digitally signed
  Primary commands: LOCATE to position list or SORT to sort list.
  Enter line command or '/' for list of valid line commands. Press PF1 for HELP.
  Cmd  FileName         Zipped            Zipped  Unzipped  Comp   Type  Volume(s)  Message
                        Date/Time         Size    Size      Ratio
                        ----------------  ------  ------    -----  ----  -------
  S    FPD/TEST/ARC1    2/01/2005 16:24   1248    1383      9%     BIN   FPD001
       FPD/TEST         2/01/2005 16:24   284     560       49%    BIN   FPD001
       FPD/TEST/ARC2    2/01/2005 16:24   1248    1383      9%     BIN   FPD001
       FPD/TEST/ARC3    2/01/2005 16:24   1248    1383      9%     BIN   FPD001
       FPD/TEST/ARC5    2/01/2005 16:24   2155    3925      45%    BIN   FPD002
       FPD/TEST/ARC4    2/01/2005 16:24   2116    2543      16%    BIN   FPD002

File Signers

The panel shown below lists all of the file signers of the displayed file.

  PKZV013              SecureZIP File Signers
  Option ===>
  File: FPD/TEST was digitally signed by:
  ***************************************************************************
  PKWARE Test1;[email protected];00
  PKWARE Test2;[email protected];00
  PKWARE Test3;[email protected];03
  PKWARE Test4;[email protected];04

Zip (Option ‘Z’)

This option is used when a file or multiple files are to be compressed and added to a zip archive. You must enter the name of a zip archive. This file can be a new file or an existing file. Additionally, you must indicate what file(s) to compress, indicate the name of the files in the archive, and select the desired processing options. The initial panel displayed when this option is selected is shown below.

  SecureZIP ZIP Processing
  Command ===>

  Archive File Information:
    File Name         : 'FPD.MVS.SPKZLIBS.DEC31.ZIP'
    File Type         : 1 ( 1 = SEQ, 2 = PDS, 3 = VSAM, 4= PDSE)
    More Attributes   : N ( Y - Yes, N - Take Defaults)

  Zip file information:
    File to compress  : 'SECZIP.MVS.SPKZ*'
    Zipped DSN        :
    Format            : Y ( B -Binary T -Text D -Detect BV -Binary-Variable)
    More Files        : N ( Y - Enter additional file names, N - None)

  Security options:
    Security required : N ( Y - To Display Security Options Dialogue)

  Processing options:
    Simulation Mode   : N ( Y - Test file selection, N - Normal Processing)
    Zip Function      : A ( A - Add, F - Freshen, U - Update, D - Delete)
    Processing Mode   : B ( F - Foreground, B - Batch)
    Batch JCL Status  : C ( C - New Dataset, A - Add to existing Dataset)
    Advanced Options  : N ( Y - Change Defaults, N - None)

  Enter VIEW on command line to VIEW archive
  To EXIT Press PF3 or enter X                For HELP Press PF1

Based upon the panel input, commands are built and included in the compress job’s input (SYSIN) stream. The commands generated are fully explained in the commands chapter of this manual. The individual panel fields and their effect on processing are described in the following table:

Field                      Description

Archive Name               Enter the name of the archive file. It can be in the form of DATA.SET.NAME or DATA.SET.NAME(MBR). Standard data set naming conventions apply. Place the data set name in single quotes (‘…’) to prevent using the TSO prefix as the first qualifier. This option can be turned off using the Configuration option explained earlier. This file can be a new or an existing file.

File Type                  If the archive file entered above is a new file, this field is used to specify what type of archive is desired. Valid entries are ‘1’ for a sequential file, ‘2’ for a PDS file, ‘3’ for a VSAM archive, and ‘4’ for a PDS extended archive. The default is a sequential file.

More Attributes            When the archive file entered above is a new file and this field is set to ‘Y’, then a panel is displayed where additional allocation specifications for the archive file can be entered.

File to Compress           This field is used to specify what file(s) are to be compressed and added to the archive file. A fully qualified name can be entered or standard wildcards can be used to select multiple files. See Chapter 7 for rules on file selection.

Zipped DSN                 This field is used to give the compressed file a new name in the archive file. It generates a ZIPPED_DSN command. That command is explained in Chapter 10.

Encryption                 A ‘Y’ in this field indicates that the file to be compressed should be encrypted. This will cause a panel to be displayed requesting that you enter a 1-200 character password to be associated with the compressed file. This field is initialized to an ‘N’.

View Typed Password        Enter a ‘Y’ or ‘N’. A ‘Y’ indicates that the password will be displayed while you enter it. This field is initialized to ‘N’.

Format                     This field indicates the file type of the file to be compressed. Valid entries are ‘B’ for binary, ‘T’ for text, ‘D’ for detect, and ‘BV’ for binary-variable. The value entered will be used to construct a DATA_TYPE command. If the value entered is ‘BV’ then a SAVE_LRECL(Y) command is also generated.

More Files                 If more file selection entries are desired, enter a ‘Y’ in this field. Another panel will be displayed where up to 10 additional file specifications can be entered.

Security required          If encryption or authentication is required for this archive or the files within the archive, select ‘Y’. Additional panels will guide you through the security requirements.

Simulation Mode            Specifying a 'Y' in this field will run the compress job in simulation mode. A SIMULATE(Y) command is added to the input stream. This allows file selection and renaming operations to be verified before files are actually written. No file(s) are actually added to the archive file.

Zip Function               This field will determine the type of ACTION command that will be generated. Valid entries are: ‘A’ for ACTION(ADD), ‘F’ for ACTION(FRESHEN), ‘U’ for ACTION(UPDATE), and ‘D’ for ACTION(DELETE).

Processing Mode            Specifying an ‘F’ in this field will run the compress as a foreground task. Specifying a ‘B’ will build JCL for a batch job. The JCL will be displayed so it can be reviewed and/or modified before submission. The job is submitted by the TSO SUBMIT command.

Batch JCL Status           Specifying a ‘C’ in this field will create a new job to be submitted in a batch run. Specifying an ‘A’ in this field will continue adding generated JCL to an already existing file to be submitted as multiple steps in one job. By using the ‘C’ option on one panel and then the ‘A’ option on a series of other panels, you may generate a series of steps to process as one job. For example, you may want to build a ZIP archive and then View that archive. By using this feature you can generate the ZIP JCL from the Z Option and then go to the View panel and generate the View JCL, where you will then submit the batch job.

Advanced Options           Specifying a ‘Y’ in this field will display the current defaults for zip processing and allow them to be changed and included as commands in this extract. This is the same process described for Option ‘ZD’ earlier. As the options are changed they are flagged with the string ‘**Adv Options**’. This field is initialized to an ‘N’.

After all the fields have been entered, press “Enter” to process the panel and build the compress job. To display the ZIP help information, press PF1. Enter ‘VIEW’ as a primary command to view the current contents of the specified archive file. This VIEW option is explained above under Option ‘V’.

SecureZIP ZIP Processing

+-----------------------------------------------------------------------------+
  SecureZIP ZIP Processing
  Command ===>
  More:

  Security options:
    Password protect : N ( Y - Use Passwords) : N ( Y - View typed pwd)
  -------------------------------------------------------------------------

  Certificate Encryption and Authentication are valid with SecureZIP only
    Recipients         : N ( Y - Digital Certificate Encryption)
    Filename Encryption: N ( Y - Encrypt file names in the Archive)

  Signing:
    Archive : N ( Y - Sign Archives)
    Files   : N ( Y - Sign Files)
  Hashing Algorithm used with Signing:
    SHA-1   : Y ( Y - for SHA-1 - Default)
    MD5     : N ( Y - for MD5)

  Authentication:
    Archive : N ( Y - Validate Archive)
    Options: Y or N to turn on or off the option
    Note: The values listed represent your current options
      Y Trusted    Y Expired    N Revoked    Y Tampercheck

  -------------------------------------------------------------------------
  Encryption:
    Method : BSAFE_AES256    / for selection list

  -------------------------------------------------------------------------
  Reporting:
    Certificate Report : Y ( Y - Recipients show in SYSPRINT)

+-----------------------------------------------------------------------------+

Using Security

The panel shown above is used to specify options for the password protection, filename encryption, recipient based encryption, signing for files and the archive, and authentication if this is an update to an existing archive.

Enter ‘Y’ to select an option.

+---------------------------------------------------------------------------+
  SecureZIP Password Encryption
  Command ==>

  To encrypt file(s), enter a password and select an algorithm

  Data Set Name:
    FPD.JCLZ.CNTL

  Password (up to 200 characters):
  ....5...10....5...20....5...30....5...40....5...50....5...60....5...70

  Re-enter password:

  Press ENTER to continue, PF3 to terminate processing.

Select Password Protect

The panel shown above is used to specify the password used to encrypt the file(s).

+-----------------------------------------------------------------------------+
  SecureZIP Encryption
  OPTION ===>
  More:

  Recipients

  / to Edit the profile used to satisfy DB: and LDAP: requests.
    DB Profile  > 'SECZIP.MVS.PROFILES(DBPROF)'
    LDAP Profile> 'SECZIP.MVS.PROFILES(LDAPPROF)'

  / Edit a file containing a set of -RECIPIENT commands.
  S Search the Local Certificate Store to build a list
  M Data set member selection list
    Recipient List: 'SECZIP.MVS.PROFILES($RECIPX)'

  Individual Recipients: A -RECIPIENT() request will be built for each of
                         of the following requests.
    1.
    2.
    3.
    4.
    5.

+-----------------------------------------------------------------------------+

Select Recipients

The panel shown above is used to specify the recipient certificates used to encrypt the files in the archive.

+-----------------------------------------------------------------------------+
  SecureZIP Authentication
  OPTION ===>

  Archive Signing

  / Local Store Profile
    DB Profile > 'SECZIP.MVS.PROFILES(DBPROF)'
  / Edit a file containing a set of -SIGN_ARCHIVE commands.
  S Search the Local Certificate Store to build a list
  M Data set member selection list
    Archive Signers List: 'SECZIP.MVS.CERTSTOR.PROFILES($SIGNARC)'

  Individual Signer: A -SIGN_ARCHIVE() request will be built
                     for the following request.
    DB:CN=PKWARE TEST1,R,password=PKWARE

  Note: An archive can only contain a single signature.
  If an Individual Signer is used, the Archive Signer LIst is ignored.
  If an Archive Signer List is used, it must contain ONLY one entry

+-----------------------------------------------------------------------------+

Archive Signing

The panel shown above is used to specify the certificates used to sign the archive for authentication.

  SecureZIP Authentication
  OPTION ===>

  File Signing

  / Local Store Profile
    DB Profile > 'SECZIP.MVS.PROFILES(DBPROF)'
  / Edit a file containing a set of -SIGN_FILES commands.
  S Search the Local Certificate Store to build a list
  M Data set member selection list
    File Signers List: 'SECZIP.MVS.CERTSTOR.PROFILES($SIGNFIL)'

  Individual Signers: A -SIGN_FILES() request will be built
                      for each of the following requests.
    1.
    2.
    3.
    4.
    5.

  Note: Sign Files requests are cummulative. All requests from the
        Sigh Files List and Individual Signers, will be included

+-----------------------------------------------------------------------------+

File Signing

The panel shown above is used to specify the certificates used to sign the files for authentication.

+-----------------------------------------------------------------------------+
  SecureZIP Archive Authentication
  Command ===>
  Archive File Information:
    Archive Name     : 'FPD.MVS.SPKZLIBS.DEC31.ZIP'
    Specific signers : N ( Y - Verify against a list of signatories)
                         ( N - A generic -AUTHCHK(ARCHIVE))

  / Local Store Data Base Profile
    DB Profile > 'SECZIP.MVS.PROFILES(DBPROF)'
  List the signing certificates to be used if Specific signers=Y above.
  / Edit a file containing a set of -AUTHCHK commands.
  S Search the Local Certificate Store to build a list
  M Data set member selection list
    Archive Signers List: 'SECZIP.MVS.PROFILES($AUTHARC)'

  Individual Signers: An -AUTHCHK() request will be built
                      for each of the following requests.
    1. DB:CN=PKWARE TEST1,PASSWORD=PKWARE
    2.
    3.
    4.
    5.

+-----------------------------------------------------------------------------+

Archive Authentication

The panel shown above is used to specify the certificates used to authenticate the archive.

UNZIP (Option ‘U’)

This option allows the user to decompress or unzip one or more files that were previously compressed and stored in a zip archive. The user must enter the name of the archive, indicate what file(s) to decompress, and set any desired processing options. The initial panel displayed when this option is selected is shown in Figure 9-5.

  SecureZIP Extract Processing
  Command ===>

  Enter Archive from which file(s) are to be extracted:
    Archive Name . . . : 'FPD.TEST.SCREENS.ZIP'

  Enter Files to be extracted:
    File Selection . . :
    Rename to. . . . . :
    More Files . . . . : N ( Y - Enter additional file names, N - None)

  Security options:
    Security required. : N ( Y - To Display Security Options Dialogue)

  Enter processing options:
    Simulation Mode. . : N ( Y - Test file selection, N - Normal Processing)
    Integrity Check. . : N ( Y - Yes, N - No)
    Overwrite/Insert . : N ( O - Overwrite, I - Ins Mbr, OI - Both, N - None)
    Processing Mode. . : B ( F - Foreground, B - Batch)
    Batch JCL Status . : C ( C - New Dataset, A - Add to existing Dataset)
    Advanced Options . : N ( Y - Change Defaults, N - None)
    Preallocate file . : N ( Y - Prompt for allocation info, N -Use Defaults)
    File type          :   ( 1 - PDS, 2 - PS, 3 - VSAM, 4 - PDSE)

  Enter VIEW in the command field to VIEW an archive
  To EXIT Press PF3      Press ENTER to process      For HELP Press PF1

Based upon the panel input, commands are built and included in the decompress job’s input (SYSIN) stream. The commands generated are explained in Chapter 7 of this manual. The individual panel fields and their effect on the processing are described in the following table.

Field                      Description

Archive Name               Enter the name of the archive. It can be in the form of DATA.SET.NAME or DATA.SET.NAME(MBR). Standard data set naming conventions apply. Place the data set name in single quotes (‘…’) to prevent using the TSO prefix as the first qualifier. This option can be turned off using the Configuration option explained earlier.

File selection             This field is used to specify what file(s) are to be extracted. A fully-qualified name can be entered or standard wildcards can be used to select multiple files. See Chapter 3 for rules on file selection.

Rename To                  This field is used to specify a different high level qualifier for the extracted data set(s). This allows the renaming of data set(s) as they are extracted. The input is used to build an UNZIPPED_DSN command for the extracted data set(s). If &SYSUID is entered in this field, it will be replaced with the TSO user id.

File Decryption            Enter a ‘Y’ or ‘N’. A ‘Y’ indicates that the file to be extracted is encrypted. A password will be requested. This field is initialized to ‘N’.

More Files                 Enter a ‘Y’ or ‘N’. A ‘Y’ will display another panel where up to 10 additional file specifications can be entered. The same rules apply as stated in the ‘File Selection’ field above. This field is initialized to ‘N’.

Security required          If decryption or authentication is required for this archive or the files within the archive, select ‘Y’. Additional panels will guide you through the security requirements.

Simulation Mode            Specifying a ‘Y’ in this field will run the extract in simulation mode. This is used to determine what the resulting names of the extracted data sets will be and where they will be stored without actually writing any files. The command built is SIMULATION(Y). This field is initialized to ‘N’.

Integrity Check            Specifying a ‘Y’ in this field will check the integrity of the files within the zip archive. No file(s) are actually extracted. This generates a TEST(Y) command. This field is initialized to an ‘N’.

Overwrite/Insert           Specifying an ‘O’ in this field will overwrite a file that has the same name as an extracted data set. Specifying an ‘I’ will add the extracted data set to an existing PDS as a new member. An ‘OI’ or ‘IO’ in this field will build both commands. The commands built could be OVERWRITE(Y) and/or INSERT_MEMBER(Y).

Processing Mode            Specifying an ‘F’ in this field will run the extract as a foreground task. Specifying a ‘B’ will build JCL for a batch job. The JCL will be displayed so it can be reviewed and/or modified before submission. The job is submitted by the TSO SUBMIT command.

Advanced Options           Specifying a ‘Y’ in this field will display the current defaults for unzip processing and allow them to be changed and included as commands in this extract. This is the same process described for Option ‘UD’ earlier. As the options are changed, they are flagged with the string ‘**Adv Options**’. This field is initialized to an ‘N’.

Batch JCL Status           Specifying a ‘C’ in this field will create a new job to be submitted in a batch run. Specifying an ‘A’ in this field will continue adding generated JCL to an already existing file to be submitted as multiple steps in one job. By using the ‘C’ option on one panel and then the ‘A’ option on a series of other panels, you may generate a series of steps to process as one job. For example, you may want to build a ZIP archive and then View that archive. By using this feature you can generate the ZIP JCL from the Z Option and then go to the View panel and generate the View JCL, where you will then submit the batch job.

Preallocate File           Specifying a ‘Y’ in this field will allow allocation defaults for the extracted files to be overridden. An ‘N’ results in the defaults.

File Type                  If pre-allocation is selected (see above), then this field is used to specify what type of file is to be allocated. The user enters a 1 for a PDS, a 2 for a sequential file, a 3 for a VSAM file, or a 4 for a PDSE file. The appropriate panel where the allocation specifications can be entered is displayed based on this input. If this field is left blank, the file type is determined by the attributes of the archived file.

After all the fields have been entered, press “Enter” to process the panel and build the extract job. To display the UNZIP help information, press PF1. Enter ‘VIEW’ as a primary command to view the current contents of the specified zip archive file. The VIEW option is explained below under Option ‘V’.

+-----------------------------------------------------------------------------+
  SecureZIP UNZIP Processing
  Command ===>

  Security options:
    Password protect : N ( Y - Use Passwords) : N ( Y - View typed pwd)
  -------------------------------------------------------------------------

  Certificate Decryption and Authentication are valid with SecureZIP only
    Recipients : N ( Y - Digital Certificate Encryption)

  Authentication:
    Archive : N ( Y - Validate Archives)
    Files   : N ( Y - Validate Files)
    Options: Y or N to turn on or off the option
    Note: The values listed represent your current options
      Y Trusted    Y Expired    N Revoked    Y Tampercheck

  -------------------------------------------------------------------------
  Reporting:
    Certificate Report : Y ( Y - Recipients show in SYSPRINT)

+-----------------------------------------------------------------------------+

Using Security

The panel shown above is used to specify options for the password protection, recipient based decryption, and authentication of the files and archive.

Enter ‘Y’ to select an option.

+---------------------------------------------------------------------------+
  SecureZIP Encrypted File Password
  Command ==>

  File is encrypted. Enter password.

  Data Set Name:

  Password (up to 200 characters):
  ....5...10....5...20....5...30....5...40....5...50....5...60....5...70

  Re-enter password:

  Press ENTER to continue, PF3 to terminate processing.

Select Password Protect

The panel shown above is used to specify the password used to decrypt the file(s).

+-----------------------------------------------------------------------------+
  SecureZIP Encryption
  OPTION ===>
  More:

  Recipients

  / to Edit the profile used to satisfy DB: and LDAP: requests.
    DB Profile  > 'SECZIP.MVS.PROFILES(DBPROF)'
    LDAP Profile> 'SECZIP.MVS.PROFILES(LDAPPROF)'

  / Edit a file containing a set of -RECIPIENT commands.
  S Search the Local Certificate Store to build a list
  M Data set member selection list
    Recipient List: 'SECZIP.MVS.PROFILES($RECIPX)'

  Individual Recipients: A -RECIPIENT() request will be built for each of
                         of the following requests.
    1.
    2.
    3.
    4.
    5.

+-----------------------------------------------------------------------------+

Select Recipients

The panel shown above is used to specify the recipient certificates used to decrypt the files in the archive.

+-----------------------------------------------------------------------------+
  SecureZIP Archive Authentication
  Command ===>
  Archive File Information:
    Archive Name     : 'FPD.MVS.SPKZLIBS.DEC31.ZIP'
    Specific signers : N ( Y - Verify against a list of signatories)
                         ( N - A generic -AUTHCHK(ARCHIVE))

  / Local Store Data Base Profile
    DB Profile > 'SECZIP.MVS.PROFILES(DBPROF)'
  List the signing certificates to be used if Specific signers=Y above.
  / Edit a file containing a set of -AUTHCHK commands.
  S Search the Local Certificate Store to build a list
  M Data set member selection list
    Archive Signers List: 'SECZIP.MVS.PROFILES($AUTHARC)'

  Individual Signers: An -AUTHCHK() request will be built
                      for each of the following requests.
    1. DB:CN=PKWARE TEST1,PASSWORD=Frank
    2.
    3.
    4.
    5.

+-----------------------------------------------------------------------------+

Archive Authentication

The panel shown above is used to specify the certificates used to authenticate the archive.

+-----------------------------------------------------------------------------+ | SecureZIP File Authentication | | Command ===> | | Archive File Information: | | File Name : FPD.TEST.ZIP | | Specific signers : N ( Y - Verify against a list of signatories) | | ( N - A -AUTHCHK(FILES) generated) | | | | / Local Store Data Base Profile | | DB Profile > 'SECZIP.MVS.PROFILES(DBPROF)' | | List the signing certificates to be used if Specific signers=Y above. | | / Edit a file containing a set of -AUTHCHK commands. | | S Search the Local Certificate Store to build a list | | M Data set member selection list |

| File Signers List: | | | | Individual Signers: An -AUTHCHK() request will be built | | for each of the following requests. | | 1. | | 2. | | 3. | | 4. | | 5. | | |

File Authentication The panel shown above is used to specify the certificates used to authenticate the file(s).

SYSPRINT Browse (Option ‘S’) This option displays the output of the last on-line operation. It is displayed in a standard ISPF browse panel. If the return code of an on-line operation exceeds the lowest allowable return code (see Configuration), then the output is automatically displayed. This option allows the browsing of the output from a run with any return code. An example of this display is shown below.

 Menu  Utilities  Compilers  Help
 BROWSE    FPD.PKZIP55.SYSOUT                  Line 00000000 Col 001 132
 Command ===>                                           Scroll ===> PAGE
****************************** Top of Data**************************************
ZPLI001I SecureZIP(TM) for zSeries, Version 8.1 - 02/11/05 14.26
ZPLI001I Copyright 1989-2005 PKWARE Inc. All rights reserved.
ZPLI001I SecureZIP(TM) is a trademark of PKWARE (R), Inc.
ZPLI001I Registered, Processor Type=2066 Processor Group=00 Serial Number=
ZPLI001I OS Level: HBB7707 SP7.0.4
****************************************
* Commands generated from panel input. *
****************************************
-SUPPRESS_DYNALLOC_MSGS
-TRACE_DYNALLOC(0)
-ARCHIVE_DSN(SECZIP.MVS.ZIP)
-ACTION(EXTRACT)
-OUTFILE_DSNTYPE(SEQ)
-OUTFILE_OVERWRITE(Y)
-UNZIPPED_DSN(**,FPD.T074526.PKZIP51.TEMP)
FPD/TEST/SEQ1
-CALLMODE(ISPF)
-TRACEDALC0
-TRACE_DYNALLOC(0)
ZPAM030I INPUT Archive opened: SECZIP.MVS.ZIP
ZPEX002I FPD/TEST/SEQ1

Messages (Option ‘M’) This option allows you to browse the HELP data set containing the SecureZIP for zSeries messages. Each message is a separate member. Select option ‘M’, do a (L)ocate on the message id, and then select that member. The text of the message, any system and/or user response, and the invoking module are displayed. An example of the display for the message list is shown below.

 Menu  Functions  Utilities  Help
 ______________________________________________________________________________
 BROWSE    SECZIP.MVS.HELP                              Row 00001 of 00290
 Command ===>                                             Scroll ===> PAGE
    Name      Prompt   Size  Created     Changed              ID
 .  $CONTACT             10  2001/05/03  2001/05/03 13:29:26  ALPHA3
 .  $DEFAULT             29  2001/05/07  2001/05/07 13:39:23  MAS01
 .  $MESSAGE             47  2001/05/03  2001/05/03 13:29:29  ALPHA3
 .  IKJ56228             19  2001/05/17  2001/05/17 08:27:16  MAS01
 .  ZPAM001C             15  2001/05/03  2001/05/03 13:29:01  ALPHA3
 .  ZPAM001I             16  2001/05/03  2001/05/03 13:29:24  ALPHA3
 .  ZPAM002I             25  2001/05/03  2001/05/03 13:29:26  ALPHA3
 .  ZPAM003I             16  2001/05/03  2001/05/03 13:29:58  ALPHA3
 .  ZPAM004I             31  2001/05/03  2001/05/03 13:29:44  ALPHA3
 .  ZPAM005I             21  2001/05/03  2001/05/03 13:29:53  ALPHA3
 .  ZPAM006I             20  2001/05/03  2001/05/03 13:29:23  ALPHA3
 .  ZPAM007I             16  2001/05/03  2001/05/03 13:29:53  ALPHA3
 .  ZPAM008I             24  2001/05/03  2001/05/03 13:29:30  ALPHA3
 .  ZPAM009I             17  2001/05/03  2001/05/03 13:29:17  ALPHA3
 .  ZPAM010I             18  2001/05/03  2001/05/03 13:29:01  ALPHA3
 .  ZPAM011C             13  2001/05/03  2001/05/03 13:29:56  ALPHA3
 .  ZPAM011I             18  2001/05/03  2001/05/03 13:29:06  ALPHA3
 .  ZPAM012C             15  2001/05/03  2001/05/03 13:29:29  ALPHA3

If you wish to see the message text for message ZPAM914E, enter a L ZPAM9, select ZPAM914E, and press “Enter”. The text for the message is displayed in an ISPF browse panel as shown below.

 Menu  Utilities  Compilers  Help
 -------------------------------------------------------------------------------
 BROWSE    SECZIP.MVS.HELP(ZPAM914E) - 01.00        Line 00000000 Col 001 080
 Command ===>                                                Scroll ===> CSR
********************************* Top of Data **********************************
********************************************************************************
*                                                                              *
* ZPAM914E An error occurred attempting to locate a Local Directory entry.     *
*                                                                              *
* Explanation: The Archive Manager was reading through the input Archive       *
*              by using offsets and lengths according to other directory       *
*              entries. A Local Directory Header was expected at a             *
*              specific offset in the file, but the eye-catcher was not        *
*              present there.                                                  *
*                                                                              *
* Note: The Local Directory begins with X'504B0304'                            *
*                                                                              *
* System Response: Processing is terminated.                                   *
*                                                                              *
* User Response: Determine whether the file has been truncated.                *
*                                                                              *
* Invoking module: <ACAMGR>                                                    *
*                                                                              *
********************************************************************************
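The check that ZPAM914E describes can be reproduced off the mainframe when deciding whether a received archive was truncated. The following Python sketch is an added example, not PKWARE code: it follows each central directory offset and tests for the X'504B0304' eye-catcher. The function names and the two-member sample archive are constructed for the illustration, and it assumes a single-volume, non-ZIP64 archive.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"    # X'504B0304', the eye-catcher named in ZPAM914E
CENTRAL_SIG = b"PK\x01\x02"  # central directory file header
EOCD_SIG = b"PK\x05\x06"     # end-of-central-directory record


def find_eocd(data):
    """Locate the end-of-central-directory record.

    Returns (position, recorded directory offset, directory size, entry count).
    """
    pos = data.rfind(EOCD_SIG)
    if pos < 0 or pos + 22 > len(data):
        raise ValueError("end-of-central-directory record not found; "
                         "the tail of the archive is missing")
    _sig, _disk, _cd_disk, _n_disk, entries, cd_size, cd_offset, _clen = \
        struct.unpack_from("<4sHHHHIIH", data, pos)
    return pos, cd_offset, cd_size, entries


def check_local_headers(data):
    """Follow each directory offset and test for the local header eye-catcher.

    Returns (shift, problems). shift is how far the directory sits from where
    the archive says it should be (negative: bytes were lost ahead of it).
    problems lists (name, recorded_offset, reason) for every entry whose local
    header is not at its recorded offset.
    """
    eocd_pos, cd_offset, cd_size, entries = find_eocd(data)
    pos = eocd_pos - cd_size          # where the directory really starts
    if pos < 0:
        raise ValueError("central directory size exceeds the data present")
    shift = pos - cd_offset
    problems = []
    for _ in range(entries):
        if pos + 46 > eocd_pos or data[pos:pos + 4] != CENTRAL_SIG:
            problems.append(("?", pos, "central directory entry not found"))
            break
        f = struct.unpack_from("<4s6H3I5H2I", data, pos)
        name_len, extra_len, comment_len, local_off = f[10], f[11], f[12], f[16]
        name = data[pos + 46:pos + 46 + name_len].decode("cp437", "replace")
        if local_off + 30 > len(data):
            problems.append((name, local_off, "offset is past the end of the file"))
        elif data[local_off:local_off + 4] != LOCAL_SIG:
            problems.append((name, local_off, "eye-catcher not present"))
        pos += 46 + name_len + extra_len + comment_len
    return shift, problems


def build_sample():
    """Constructed two-member archive (stored, fixed timestamps) for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, fill in (("FPD/TEST/SEQ1", b"A"), ("FPD/TEST/SEQ2", b"B")):
            info = zipfile.ZipInfo(name, date_time=(2005, 2, 11, 14, 26, 0))
            zf.writestr(info, fill * 64)
    return buf.getvalue()


if __name__ == "__main__":
    good = build_sample()
    print(check_local_headers(good))
    damaged = good[:50] + good[60:]   # ten bytes lost inside the first member
    print(check_local_headers(damaged))
```

A negative shift together with "eye-catcher not present" on later members points to bytes lost in transfer ahead of those members; a missing end-of-central-directory record points to a cut-off tail.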

License Display (Option ‘L’) This option displays information about the SecureZIP for zSeries license in effect on this processor. The initial information produced in the list is your customer number and customer name along with the current processor serial number. Licensing requirements and options are explained in Appendix A of this document. Selecting this option displays the license data set using the high-level qualifier you specified in your ACZDFLTS and appending LICENSE. Using that data set the license data is reported and displayed.

An example of the display generated by this option is shown below.

BROWSE FPD.PKLIC.TEMP
Command ===>
*********************************************************** Top of Data
ZPLI200I A LICENSE REPORT HAS BEEN REQUESTED ON 06/09/04 AT 4:44pm VER: 8.1 IN SECZIP.MVS.LICENSE
ZPLI200I For Technical Support assistance, please contact Product Services Division
ZPLI200I at 937-847-2687 or go on-line at http://www.pkware.com/support
*********************************************************************************
ZPLI200I SecureZIP (TM) IS LICENSED TO CUSTOMER # 000012805
ZPLI200I - CUSTOMER NAME - PKWARE OF OHIO, INC.
ZPLI200I CPU model 2066 with 1 online
ZPLI200I Service units per second per online CPU is 5612.07
ZPLI200I Approximate total MIPS (SUs/SEC / 48.5 * #CPUs) is 115.71
ZPLI200I Central Processing Complex (CPC) Node Descriptor: CPC ND = 002066.0B1.IBM.02.00000001263B
ZPLI200I CPC ID = 00 Type(002066) Model(0B1) Manufacturer(IBM) Plant(02) Seq Num(00000001263B)
ZPLI200I CPU serial number for CPU 1 is 04263B2066 (4263B), version code 00, model 0B1.
ZPLI200I Model from CPC SI
*********************************************************************************
ZPLI200I COMPRESSION IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400
ZPLI200I DECOMPRESSION IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400
ZPLI200I GZIP SUPPORTED FILES LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400
ZPLI200I ISPF IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400
ZPLI200I COMMAND LINE INTERFACE IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400
ZPLI200I DIRECTORY INTEGRATION IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400
ZPLI200I ZIP64 LARGE FILE SUPPORT IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400
ZPLI200I SELF EXTRACTION CREATOR IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400
*********************************************************************************

Certificate Stores (Option ‘CS’) For system administrators to access the Certificate Store Administration and Configuration, enter “CS” in the Option field from the main SecureZIP panel.

              SecureZIP Certificate Store Administration
 Option ===>
 Select one of the following options and press Enter:
    1  Local Certificate Store Administration
    2  LDAP Certificate Store Configuration
    3  x.509 Certificate Utilites

What’s New (Option ‘W’) This option displays information about the changes included in this release of SecureZIP for zSeries.

Contact PKWARE (Option ‘A’) This option displays information on how to contact PKWARE. Additionally, the display contains information on the data to provide to PKWARE when reporting problems about SecureZIP for zSeries.

14 User API Processing

Overview A User Application Program Interface (API) allows the user to programmatically shape certain functions of the SECZIP/SECUNZIP process. Processing interface points currently defined are:

• The format and content of data records to be archived

• The target data set names of files to be extracted.

These User API functions are distinct from, but are not incompatible with, an application program calling SECZIP or SECUNZIP as a utility. See Chapter 15.

Data Record Transformation API for ZIP processing. The User API provides a means to restructure a data record before compression takes place. A common use is to transform binary and packed decimal fields into display-format numerics. This is useful when the system intended to receive the ZIP archive does not easily handle these field formats.

File Name Manipulation API for UNZIP processing. The User API provides a means to transform filenames into manageable IBM MVS-compatible data set names. This is useful when specialized re-direction of files is required that exceeds the capabilities of the SecureZIP for zSeries command set.

Invocation You may have one User API for file name processing and one User API for data record transformation processing. To use the APIs, certain information must be provided to SecureZIP for zSeries. The User APIs are invoked by the use of control cards. Each control card is specific to the type of API being invoked. There are FILENAME control cards and DATA_TRANS control cards. The APIs to be invoked must be placed in a load library accessible to SecureZIP for zSeries through a concatenated STEPLIB, JOBLIB or the system linklist.

During initialization, SECZIP initializes the interfaces required for API processing based on the information in the control cards. If there is a FILENAME API, for example, this API is loaded and made available for processing. When SECZIP enters the appropriate routine, it calls the API with a list of data addresses contained in DCTMAPIU (Assembler) or COBMAPIU (COBOL), the main control block passed to the API. DCTMAPIU and COBMAPIU are in INSTLIB. The API routine then gets control, manipulates the data appropriately, and returns control to SECZIP for completion of that call. The formats for both file level and data level calls to the API follow a similar protocol.

Informational and error messages are placed in the print output for reference. For archival processing, an extended attribute is placed in the archive to identify this as a file that has been affected by a User API.

The APIs must be reentrant and follow standard linkage conventions. See the example User APIs.

The API facility allows the user to determine the name of the API module, the processing to occur when there is an error, the amount of workspace the User API routine requires, a passed parameter to the API, and the amount of tracing information for debugging purposes.

By default, the system does not invoke a User API.

Negation of API processing Use of the NOAPI control card negates the initialization and possible use of all User API processing. This is important for language environment operations that do not support CEEPIPI being in operation (such as C++ calling SecureZIP).

This command must be passed in the execute parameters (not in the defaults module or a command stream) so that it takes effect early in the SecureZIP initialization process.

When NOAPI is in use, the DATA_TRANS and FILENAME APIs are not available.

Execution Environment The environment established for the User API is determined by the language specified on the control cards. If COBOL is specified, a language environment is established through the use of preinitialization services using the IBM LE-supplied routine CEEPIPI that is available on your system. This allows the API to utilize the HLL environment when it is written in COBOL.

If the API is written in assembler, then a non-LE load and branch is used to pass control to the API, and a HLL environment is not established. See the example User APIs to better understand the passing of parameters between both types.

Since there are two API languages that can be used, it is very important to identify the correct language on the control card. Unpredictable results will occur if the language identified on the control card is not the language that was used to code the User API.

Run-time options used for the LE environment are the runtime options established for your site by the systems programmer or, if no changes have been made, the IBM defaults.

POSIX(ON) is not supported as a run-time option for User APIs.

File Name Manipulation API File name manipulation takes place in the UNZIP process. Certain platforms allow file name structures that are incompatible with the standard IBM MVS format. The File Name API is presented with the EBCDIC representation of the archive file name, a copy of the candidate MVS data set name created according to the SECUNZIP commands, and some control information. If the output file is a PDS or PDSE, the new file name must conform to PDS file name rules, which includes a valid data set name and member name enclosed in parentheses. The API cannot change the output data set organization. The file type attributes are provided, identifying the file as VSAM, PDS or SEQUENTIAL. If a sequential data set was being created and the input area contained the value “TEST/INPUT/FILE”, the output candidate data set name would be “TEST.INPUT.FILE”.

The User API routine has the option of either keeping the candidate data set name or manipulating the data set name further. SECZIP will attempt to use whatever name is presented back in the output area. Unpredictable results may occur if the data set name does not conform to MVS requirements for the data set type involved.

PDS files: If the input file is zipped from a PDS and contains the PDS extended attributes, an input area of “TEST/PDS/MEMBERA” has an output candidate containing “TEST.PDS(MEMBERA)”. The user can work with the output area or re-parse the input file name, moving it to the output area. The output area of an archive created on a non-mainframe platform may have a name that is not in a standard IBM MVS format and is likely to produce unpredictable results.

VSAM files: The API is entered up to 3 times depending on the type of VSAM file: the first time for the base cluster, and the following times for the data and index components respectively. The API control block indicates the data and index component calls. The input area for the data and index API calls is not the raw input the cluster call received; rather, it contains whatever changes have been made to the file on the cluster call. The input file name for the data and index calls is the result of changes made to the cluster file name.
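Because SECUNZIP uses whatever name the exit hands back, a File Name API should validate its result before returning it. The following Python model is an added example, not PKWARE code and not the ASMFNAPI sample: the function names are hypothetical, the slash-to-period mapping and uppercasing are modelled on the page's two examples, the naming checks are the standard z/OS data set and member name rules, and the allowed-prefix check is an added safeguard that the page does not describe.

```python
import re

# Standard z/OS naming rules: a qualifier is 1-8 characters, starts with a
# letter or national character ($ # @) and continues with letters, digits,
# nationals or hyphen; a member name is the same without the hyphen; the data
# set name (without the member) is at most 44 characters.
QUALIFIER = re.compile(r"[A-Z$#@][A-Z0-9$#@-]{0,7}")
MEMBER = re.compile(r"[A-Z$#@][A-Z0-9$#@]{0,7}")


def candidate_dsn(archive_name, pds=False):
    """Model of the candidate name: '/' becomes '.', last node is the member for a PDS.

    Uppercasing is an assumption of this model. Empty nodes (leading or doubled
    slashes) are kept on purpose so that validation reports them.
    """
    nodes = archive_name.upper().split("/")
    if pds:
        if len(nodes) < 2:
            raise ValueError("a PDS target needs a data set name and a member")
        return ".".join(nodes[:-1]) + "(" + nodes[-1] + ")"
    return ".".join(nodes)


def retarget(candidate, new_prefix):
    """Replace the first two qualifiers with new_prefix, keeping any member."""
    base, paren, member = candidate.partition("(")
    rest = base.split(".")[2:]
    return ".".join([new_prefix] + rest) + paren + member


def validate_dsn(dsn, allowed_prefix=None):
    """Return the list of rule violations for dsn; an empty list means acceptable."""
    errors = []
    base, member = dsn, None
    m = re.fullmatch(r"([^()]*)\(([^()]*)\)", dsn)
    if m:
        base, member = m.group(1), m.group(2)
    elif "(" in dsn or ")" in dsn:
        errors.append("unbalanced parentheses")
    if len(base) > 44:
        errors.append("data set name longer than 44 characters")
    for qualifier in base.split("."):
        if not QUALIFIER.fullmatch(qualifier):
            errors.append("bad qualifier %r" % qualifier)
    if member is not None and not MEMBER.fullmatch(member):
        errors.append("bad member name %r" % member)
    # Compare on a qualifier boundary so PKZIP.OUTSIDE does not pass for PKZIP.OUT.
    if allowed_prefix and not (base == allowed_prefix
                               or base.startswith(allowed_prefix + ".")):
        errors.append("outside allowed prefix %s" % allowed_prefix)
    return errors


def choose_target(archive_name, new_prefix, pds=False):
    """Retarget the candidate under new_prefix, then validate the result.

    Returns (dsn, errors); with errors present the exit should not hand the
    name back as it stands.
    """
    target = retarget(candidate_dsn(archive_name, pds), new_prefix)
    return target, validate_dsn(target, allowed_prefix=new_prefix)


if __name__ == "__main__":
    # Constructed inputs; the first two mirror the sample output names on this page.
    for name, prefix, pds in (("FPD/TEST/SEQ1", "PKZIP.APIFNSEQ", False),
                              ("SAMPLE/LIST/FILEA", "PKZIP.APIFNPDS", True),
                              ("SAMPLE/LIST/LONGMEMBERNAME", "PKZIP.APIFNPDS", True)):
        print(name, "->", choose_target(name, prefix, pds))
```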

Data Record Transformation API Data record transformation takes place during ZIP processing. The User API routine is presented with the raw file data immediately after the record is read. The API can filter out records, expand or reduce a record’s size, unpack fields, and convert binary data to display-numerics (also referred to as field-level manipulation). This is useful when sending ZIP archives to target systems which cannot readily handle these formats. Manipulation can be performed on the record based on control cards and other sources.

The User API routine is passed control information such as input file data set organization, file name, record length, and the translation mode (text or binary) that is being performed.

SECZIP command-controlled features are still operative when the User API routine is operative.

If requested, DATA_TYPE(DETECT) takes place before the first record is presented to the User API routine. EBCDIC to ASCII translation and DATA_DELIMITER functions are performed according to SECZIP command settings after the User API routine has completed its work on each record.

A first-call indicator is set on to notify the API that this is the first call to the API for the selected file, during which the API can perform certain first-time functions to improve efficiency. The working storage provided is persistent for the entire run. The return code (register 15) from the API is checked. If it is zero, the record is processed; if it is 4, the record is rejected.
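The record-level work described above is sketched below in Python as an added example; it is not PKWARE code and not the ASMDTAPI or COBDTAPI samples. The 26-byte record layout (20-byte name, 4-byte packed amount with two decimals, binary halfword count), the field values and the function names are constructed for the illustration. The output stays in EBCDIC because, as stated above, translation to ASCII happens after the exit returns.

```python
import struct

RC_PROCESS = 0   # return code 0: the record is processed
RC_REJECT = 4    # return code 4: the record is rejected

RECORD_LEN = 26  # constructed layout: name(20) + packed amount(4) + halfword(2)


def unpack_packed(field):
    """Decode an IBM packed decimal field into a Python int.

    Every nibble except the last is a digit 0-9; the last nibble is the sign
    (X'B' or X'D' negative, X'A', X'C', X'E', X'F' positive).
    """
    digits = []
    for byte in field[:-1]:
        digits += [byte >> 4, byte & 0x0F]
    digits.append(field[-1] >> 4)
    sign = field[-1] & 0x0F
    if any(d > 9 for d in digits) or sign < 0x0A:
        raise ValueError("not valid packed decimal: %s" % field.hex())
    value = int("".join(str(d) for d in digits))
    return -value if sign in (0x0B, 0x0D) else value


def transform(record):
    """Model of one exit call: return (return_code, output_record).

    The packed amount and the binary count become display numerics and the
    fields are comma delimited. A record of the wrong length or with an
    invalid packed field is rejected instead of being passed on damaged.
    """
    if len(record) != RECORD_LEN:
        return RC_REJECT, b""
    name = record[0:20].decode("cp037").rstrip()
    try:
        cents = unpack_packed(record[20:24])
    except ValueError:
        return RC_REJECT, b""
    (count,) = struct.unpack(">h", record[24:26])
    sign = "-" if cents < 0 else ""
    amount = "%s%d.%02d" % (sign, abs(cents) // 100, abs(cents) % 100)
    text = ",".join([name, amount, str(count)])
    return RC_PROCESS, text.encode("cp037")


def build_record(name, packed_hex, count):
    """Build a constructed input record in the layout assumed above."""
    return (name.ljust(20).encode("cp037")
            + bytes.fromhex(packed_hex)
            + struct.pack(">h", count))


if __name__ == "__main__":
    samples = [build_record("DAVID JONES", "0012345C", 3),
               build_record("JANE SMITH", "0000150D", -2),
               build_record("JOHN DOE", "40404040", 0)]   # blanks, not packed data
    for rec in samples:
        rc, out = transform(rec)
        print(rc, out.decode("cp037"))
```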

User API Samples Below are examples of how to invoke the User APIs and sample output listings. Members in INSTLIB contain sample JCL for invoking the User APIs along with sample assembler and COBOL programs that you may use as a reference for coding your User APIs.

JCL and Sample Programs

Assembler ASMDAPIJ contains the JCL to invoke the sample Data Record Transformation API.

//ASMDAPI  JOB (ACCT),'NAME',MSGCLASS=H,
//             CLASS=A,REGION=4M,NOTIFY=&SYSUID
//*
//* THIS SAMPLE WILL CALL THE DATA TRANSACTION API, CONVERTING PACKED
//* FIELDS TO DISPLAY AND ',' DELIMITING EACH FIELD.
//*
//ZIP      EXEC PGM=SECZIP
//SYSPRINT DD   SYSOUT=*
//SYSIN    DD   *
-TEXT
-VERBOSE
SECZIP.MVS.INSTLIB(SAMPDAPI)
-ARCHIVE(PKZIP.DATAAPI.ZIP)
-DATA_TRANS_API_PARM(TEST PASS DATA TO API)
-DATA_TRANS_API_NAME(ASMDTAPI)
-DATA_TRANS_API_LANGUAGE(ASM)
-DATA_TRANS_API_WORKSIZE(4096)
-DATA_TRANS_API_TRACE(0)
-TRACE_API(0)
//

Assembler Source ASMDTAPI contains the sample assembler program.

*********************************************************************
* AUTHOR:      PKWARE INC.                                          *
* NAME:        ASMDTAPI                                             *
* ENVIRONMENT: S390                                                 *
* PURPOSE:     SAMPLE API TO CONVERT DATA RECORD TO BE COMMA        *
*              DELIMITED BY FIELD FOR PC SPREAD SHEET. THE          *
*              RECORD WILL CONTAIN PACKED DATA WHICH WILL NEED      *
*              TO BE UNPACKED FOR THE PC PLATFORM.                  *
*                                                                   *
* HISTORY:     BASE V1R0M0 03/30/2003                               *
*                                                                   *
* MAINTENANCE LOG BEGIN                                             *
*********************************************************************
* CALL LINKAGE: STANDARD.                                           *
* PARAMETER LIST:                                                   *
*   API CONTROL BLOCK                                               *
*********************************************************************
ASMDTAPI CSECT
         STM   R14,R12,12(R13)         SAVE REGISTERS
         LR    R12,R15                 PRIME BASE REG
         USING ASMDTAPI,R12
………………… ………………..

Assembler JCL ASMFAPIJ contains the JCL to invoke the sample Filename API.

//ASMFAPI  JOB (ACCT),'NAME',MSGCLASS=H,
//             CLASS=A,REGION=4M,NOTIFY=&SYSUID
//*
//* THIS EXAMPLE WILL CONVERT THE FILE NAME ON EXTRACTION
//*
//UNZIP    EXEC PGM=SECUNZIP
//SYSPRINT DD   SYSOUT=*
//SYSIN    DD   *
-ARCHIVE_DSN(PKZIP.SAMPLE.ZIP)
-VERBOSE
-EXTRACT
-FILENAME_API_NAME(ASMFNAPI)
-FILENAME_API_LANGUAGE(ASM)
-FILENAME_API_WORKSIZE(4096)
-FILENAME_API_ERROR(ABEND)
-FILENAME_API_PARM(SAMPLE FILENAME API)
-FILENAME_API_TRACE(0)
-TRACE_API(0)

Assembler Source ASMFNAPI contains the sample assembler program.

*********************************************************************
* AUTHOR:      PKWARE INC.                                          *
* NAME:        ASMFNAPI                                             *
* ENVIRONMENT: S390                                                 *
* PURPOSE:     SAMPLE API TO MODIFY FILE NAMES ON EXTRACTION        *
* EXAMPLE:                                                          *
*   SEQUENTIAL                                                      *
*     I/P FILE: SAMPLE/TEST/FILE                                    *
*     O/P FILE: PKZIP.APIFNSEQ.FILE                                 *
*                                                                   *
*   PDS                                                             *
*     I/P FILE: SAMPLE/LIST/FILEA                                   *
*     O/P FILE: PKZIP.APIFNPDS(FILEA)                               *
*                                                                   *
*   VSAM                                                            *
*     I/P FILE: INPUT/KSDS/FILE                                     *
*     O/P FILE: PKZIP.APIFNVSM.FILE                                 *
*               PKZIP.APIFNVSM.FILE.DATA                            *
*               PKZIP.APIFNVSM.FILE.INDEX                           *
*                                                                   *
* HISTORY:     BASE V1R0M0 03/30/2003                               *
…………….. …………………. …………………..

DCTMAPIU DSECT DCTMAPIU is the DSECT that describes the parameters passed to the User API

DCTMAPIU DSECT                                                  MB041803
*
***
* PARAMETERS PASSED TO THE USER EXIT
***
*
APIP_START                   DS    0F
APIP_FILENAME_SOURCE_LGTH    DS    F     LENGTH OF SOURCE
APIP_FILENAME_SOURCE@        DS    A(0)  SOURCE LOCATION OF DATA
APIP_FILENAME_TARGET_LGTH    DS    F     LENGTH OF TARGET
APIP_FILENAME_TARGET@        DS    A(0)  TARGET ADDRESS OF MOD SOURCE DATA
APIP_RESET                   ORG   APIP_START
APIP_DATA_TRANS_SOURCE_LGTH  DS    F     LENGTH OF SOURCE
APIP_DATA_TRANS_SOURCE@      DS    A(0)  SOURCE LOCATION OF DATA
APIP_DATA_TRANS_TARGET_LGTH  DS    F     LENGTH OF TARGET
APIP_DATA_TRANS_TARGET@      DS    A(0)  TARGET ADDRESS OF MOD SOURCE DATA
APIP_WA_LGTH                 DS    F     GETMAINED WA LENGTH FOR EXIT
APIP_WORK@                   DS    F     GETMAINED WORK AREA FOR EXIT
APIP_USER_SW                 DS    F
                             ORG   APIP_USER_SW
……………. …………….. …………………

COBOL

COBOL JCL COBDAPIJ contains the JCL to invoke the sample Data Record Transformation API.

//COBDAPI  JOB (ACCT),'NAME',MSGCLASS=H,
//             CLASS=A,REGION=4M,NOTIFY=&SYSUID
//*
//* THIS SAMPLE WILL CALL THE DATA TRANSACTION API, CONVERTING PACKED
//* FIELDS TO DISPLAY AND ',' DELIMITING EACH FIELD.
//*
//ZIP      EXEC PGM=SECZIP
//SYSPRINT DD   SYSOUT=*
//SYSIN    DD   *
-TEXT
-VERBOSE
SECZIP.MVS.INSTLIB(SAMPDAPI)
-ARCHIVE(PKZIP.DATAAPI.ZIP)
-DATA_TRANS_API_PARM(TEST PASS DATA TO API)
-DATA_TRANS_API_NAME(COBDTAPI)
-DATA_TRANS_API_LANGUAGE(COBOL)
-DATA_TRANS_API_WORKSIZE(4096)
-DATA_TRANS_API_TRACE(0)
-TRACE_API(0)
//

COBFAPIJ contains the JCL to invoke the sample Filename API.

//COBFAPI  JOB (ACCT),'NAME',MSGCLASS=H,
//             CLASS=A,REGION=4M,NOTIFY=&SYSUID
//*
//* THIS EXAMPLE WILL CONVERT THE FILE NAME ON EXTRACTION
//*
//UNZIP    EXEC PGM=SECUNZIP
//SYSPRINT DD   SYSOUT=*
//SYSIN    DD   *
-ARCHIVE_DSN(PKZIP.SAMPLE.ZIP)
-VERBOSE
-EXTRACT
-FILENAME_API_NAME(COBFNAPI)
-FILENAME_API_LANGUAGE(COBOL)
-FILENAME_API_WORKSIZE(4096)
-FILENAME_API_ERROR(ABEND)
-FILENAME_API_PARM(SAMPLE FILENAME API)
-FILENAME_API_TRACE(0)
-TRACE_API(0)

COBMAPIU copy member COBMAPIU is the COBOL copy member that describes the parameters passed to the User API

       01  COBMAPIU.
      ***
      * PARAMETERS PASSED TO THE USER API
      ***
           02  APIP-COMMON.
               03  APIP-SOURCE-LGTH          PIC 9(8) BINARY.
               03  APIP-SOURCEP              POINTER.
               03  APIP-TARGET-LGTH          PIC 9(8) BINARY.
               03  APIP-TARGETP              POINTER.
               03  APIP-WA-LGTH              PIC 9(8) BINARY.
               03  APIP-WORKP                PIC 9(8) BINARY.
               03                            PIC X(2).
               03  APIP-FILENAME-SW          PIC X.
                   88  APIP-FILENAME-ZIP         VALUE X'80'.
                   88  APIP-FILENAME-UNZIP       VALUE X'40'.
               03  APIP-DATA-TRANS-SW        PIC X.
                   88  APIP-DATA-TRANS-ZIP       VALUE X'80'.
                   88  APIP-DATA-TRANS-UNZIP     VALUE X'40'.
               03  APIP-FILETYPE             PIC XX.
                   88  APIP-VSAM-BASE            VALUE 'VS'.

Sample input file - SAMPDAPI SAMPDAPI is the input file to the Data Record Transformation API. Use with ASMDAPIJ or COBDAPIJ

-CAUTION- Profile changed to CAPS OFF (from CAPS ON) because data contains lower case characters. -CAUTION- Data contains invalid (non-display) characters. Use command ===> FIND P'.' to position cursor to these DAVID JONES 11 FIRST ST ANYWHERE OH45999032665 ϱ042102

KAREN FRANKLIN 456 MAIN ST ANYWHERE OH45999071162 ¬ ç¤090803 MARY HOOVER 1600 PENN LN ANYWHERE OH45999030771 " À 041703 JANICE PATTEN 22 SECOND ST ANYWHERE OH45999042760 ç 062303 JANICE PATTEN 44 FOURTH ST ANYWHERE OH45999082766 /"030403 JOYCE JONES 22 SECOND ST ANYWHERE OH45999122563 ß? Ѭ020502 KAREN FRANKLIN 55 FIFTH ST ANYWHERE OH45999042162 ° â¤042402 GREGG MADISON 123 SESAME ST ANYWHERE OH45999031880 á" â?080102 WALTER MADISON 44 FOURTH ST ANYWHERE OH45999032053 ñ l¬040802 JOHN DOE 456 MAIN ST ANYWHERE OH45999011356 l? 071202 PETER MADISON 123 SESAME ST ANYWHERE OH45999081765 &"030202 JANE SMITH 1010 WINS RD ANYWHERE OH45999021368 à è¤030102 JANICE WALTERS 22 SECOND ST ANYWHERE OH45999032557 DZ 052803 JANE MADISON 123 SESAME ST ANYWHERE OH45999070752 î DZ061402 ……………….. ………………….. ……………………..

Output from sample jobs

ASMFNAPI Sample Output This is an example of a Filename API, ASMFNAPI, which takes the first two nodes of the archived file and changes them to SECZIP.APIFNSEQ. The message ZPAP010I is presented once per run to document that an API has been invoked.

ZPGE001T UNZIP STARTUP STORAGE QUERY: 24BIT= 6100K 31BIT= 32768K
ZPLI001I SecureZIP(TM) for zSeries, Version 8.1 - 02/11/05 14.26
ZPLI001I Copyright 1989-2005 PKWARE Inc. All rights reserved.
ZPLI001I SecureZIP(TM) is a trademark of PKWARE (R), Inc.
ZPLI001I Registered, Processor Type=2066 Processor Group=00 Serial Number=
ZPLI001I OS Level: HBB7707 SP7.0.4
* EXTRACT AND CHANGE NAME
-ARCHIVE_DSN(FPD.APIIT.ZIP)
-FILENAME_API_NAME(ASMFNAPI)
-FILENAME_API_LANGUAGE(ASM)
-FILENAME_API_ERROR(IGNORE)
FPD/TEST/SEQ1
ZPAP010I Filename Module ASMFNAPI Loaded
ZPAM030I INPUT Archive opened: FPD.APIIT.ZIP
ZPEX002I FPD/TEST/SEQ1
ZPEX003I Extracted to PKZIP.APIFNSEQ.SEQ1
ZPAM140I FILES:  EXTRACTED  EXCLUDED  BYPASSED  IN ERROR
ZPAM140I                 1         0         0         0
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)

XSMFNAPI Sample Output

FILENAME_API_ERROR Using STOPRUN Option This is an example of a Filename API, XSMFNAPI, which was not found. The FILENAME_API_ERROR(STOPRUN) option was selected. The API module could not be found and loaded (see the message ZPAP005E below) and, because of the STOPRUN option (the same applies if ABEND is specified), SECZIP ends without processing any data.

ZPGE001T UNZIP STARTUP STORAGE QUERY: 24BIT= 6100K 31BIT= 32768K CACHE=
ZPLI001I SecureZIP(TM) for zSeries, Version 8.1 - 02/11/05 14.26
ZPLI001I Copyright 1989-2005 PKWARE Inc. All rights reserved.
ZPLI001I SecureZIP(TM) is a trademark of PKWARE (R), Inc.
ZPLI001I Registered, Processor Type=2066 Processor Group=00 Serial Number=
ZPLI001I OS Level: HBB7707 SP7.0.4
* EXTRACT AND CHANGE NAME
-ARCHIVE_DSN(FPD.APIIT.ZIP)
-FILENAME_API_NAME(XSMFNAPI)
-FILENAME_API_LANGUAGE(ASM)
-FILENAME_API_ERROR(STOPRUN)
-OUTFILE_OVERWRITE(Y)
FPD/TEST/SEQ1
ZPAP005E Filename Module XSMFNAPI Failed to Load
ZPTM002I SUBTASK ( 2) EP: ACCMGR Ended - TCB: 008CF908 Comp: 00000008
ZPAM140I FILES:  EXTRACTED  EXCLUDED  BYPASSED  IN ERROR
ZPAM140I                 0         0         0         0
ZPMT002I PKZIP processing complete. RC=0000000C 12(Dec)

FILENAME_API_ERROR using IGNORE Option This is an example of a Filename API, XSMFNAPI, which was not found. The FILENAME_API_ERROR(IGNORE) option was selected. The API module could not be found and loaded (see the message ZPAP005E below) and, because of the IGNORE option, SECZIP continues processing as if no API had been specified.

ZPGE001T UNZIP STARTUP STORAGE QUERY: 24BIT= 6100K 31BIT= 32768K CACHE=
ZPLI001I SecureZIP(TM) for zSeries, Version 8.1 - 02/11/05 14.26
ZPLI001I Copyright 1989-2005 PKWARE Inc. All rights reserved.
ZPLI001I SecureZIP(TM) is a trademark of PKWARE (R), Inc.
ZPLI001I Registered, Processor Type=2066 Processor Group=00 Serial Number=
ZPLI001I OS Level: HBB7707 SP7.0.4
* EXTRACT AND CHANGE NAME
-ARCHIVE_DSN(FPD.APIIT.ZIP)
-FILENAME_API_NAME(XSMFNAPI)
-FILENAME_API_LANGUAGE(ASM)
-FILENAME_API_ERROR(IGNORE)
-OUTFILE_OVERWRITE(Y)
FPD/TEST/SEQ1
ZPAP005E Filename Module XSMFNAPI Failed to Load
ZPAM030I INPUT Archive opened: FPD.APIIT.ZIP
ZPEX002I FPD/TEST/SEQ1
ZPEX003I Extracted to FPD.TEST.SEQ1
ZPAM140I FILES:  EXTRACTED  EXCLUDED  BYPASSED  IN ERROR
ZPAM140I                 1         0         0         0
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)

User API_Module Program Exception Trap This is an example of a user API, called FNEXIT, being invoked which subsequently abends with a PROGRAM EXCEPTION (S0C1). Using the default processing, SecureZIP for zSeries traps the abend and prints the registers of the API at abend.

ZPGE001T UNZIP STARTUP STORAGE QUERY: 24BIT= 6100K 31BIT= 32768K
ZPLI001I SecureZIP(TM) for zSeries, Version 8.1 - 02/11/05 14.26
ZPLI001I Copyright 1989-2005 PKWARE Inc. All rights reserved.
ZPLI001I SecureZIP(TM) is a trademark of PKWARE (R), Inc.
ZPLI001I Registered, Processor Type=2066 Processor Group=00 Serial Number=
ZPLI001I OS Level: HBB7707 SP7.0.4
-ARCHIVE_DSN(FPD.APIIT.ZIP)
-FILENAME_API_NAME(FNEXIT)
-FILENAME_API_LANGUAGE(ASM)
-FILENAME_API_WORKSIZE(1024)
FPD/TEST/SEQ1
ZPAP010I Filename Module FNEXIT Loaded
ZPAM030I INPUT Archive opened: FPD.APIIT.ZIP
ZPAP050E Filename Module FNEXIT ABEND at Address=80052B70 Cond Code=01
ZPAP090E Registers at entry to Abend
ZPAP091E 00 - 03 00000950 008BF6B0 1757E790 5880B004
ZPAP091E 04 - 07 1757E7A0 8006536A 00011010 1757BCD8
ZPAP091E 08 - 11 00066FE0 00068000 8000F000 1757E7A0
ZPAP091E 12 - 15 00052B00 1758E858 8006537C 00000000
ZPEX072W OUTFILE_OVERWRITE(N) excluded overwrite of {FPD.TEST.SEQ1
ZPAM140I FILES:  EXTRACTED  EXCLUDED  BYPASSED  IN ERROR
ZPAM140I                 0         0         1         0
ZPMT002I PKZIP processing complete. RC=00000008 8(Dec)

15 Invoking SECZIP/SECUNZIP from an Application Program

SECZIP and SECUNZIP can be called (invoked dynamically) from other programs using standard calling conventions. Because SECZIP/SECUNZIP adheres to IBM’s standard linkage conventions, the passing of parameters is accomplished as described in the language reference manuals. Because standard conventions are used, the return code is passed back to your program.

SecureZIP for zSeries is specifically designed to compress and decompress data sets. When designing and writing your program, the following items should be considered:

• SECZIP/SECUNZIP adheres to standard IBM linkage conventions.

• Return codes are passed back to your program via the standard conventions of the language used (for example, in Assembly language, return codes are passed back via register 15).

• The configuration file will be used if available.

• The parameters for SECZIP/SECUNZIP can be set by passing one or more parameters separated by a blank in the pass area supplied by the calling program. The length of the pass area is defined by the calling program. The length passed should reflect actual lengths of parameters passed to avoid excess parsing of unused storage (which may result in errors).

• Specify the NOSYSIN command in the pass parameter area if you are not planning to use SYSIN for command input. Note that problems can occur if SECZIP attempts to open the SYSIN dataset after it has already been opened by the calling program.

• When using call parameters for command input, the following commands (if used) should be contained within the first 256 bytes of the command stream and must be upper case: NOSYSIN, DM, ECHO, NOECHO, VERBOSE, QUIET.

• It is your responsibility to allocate and free DD statements referenced in the run request (such as INFILE_DD).

• Output is written to SYSPRINT.

• To load SECZIP/SECUNZIP, the load library must be in the link list, JOBLIB, or STEPLIB.

• SECZIP and SECUNZIP are NOT Reentrant. However, they are serially reusable.

One use for a calling program is as a pre-processor for SECZIP: it can set up special parameter settings before the call and analyze or change the return code afterward. The included sample Assembly program may be a good starting place to build such a pre-processor.

Sample source programs (and their JCL) are available in the data set seczip.mvs.INSTLIB. These samples demonstrate calling SECZIP dynamically by passing parameters and using SYSIN. The members in the following table are supplied in seczip.mvs.INSTLIB:

Member     Description
CALLASMJ   JCL to compile, link, and execute the Assembly sample CALLZIPA
CALLZIPA   Sample Assembly source program to call SECZIP
CALLCOBJ   JCL to compile, link, and execute the COBOL sample CALLZIPC
CALLZIPC   Sample COBOL program source to call SECZIP
CALLPLIJ   JCL to compile, link, and execute the PL/I sample CALLZIPP
CALLZIPP   Sample PL/I source program to call SECZIP
CALLREXJ   JCL to run the REXX sample CALLZIPR
CALLZIPR   Sample REXX source program to call SECZIP
CALLZCJ    JCL to run the C sample CALLZC
CALLZC     Sample C source program to call SECZIP
CALLZCPJ   JCL to run the C++ sample CALLZCPP
CALLZCPP   Sample C++ program source to call SECZIP

CALLZIPA Sample Assembly Source to Call SECZIP

CALLZIPA TITLE 'CALLZIPA - SecureZIP for zSeries PREPROCESSOR'
***********************************************************************
*                                                                     *
* SecureZIP for zSeries (TM), DATA COMPRESSION, VERSION 8.1           *
* COPYRIGHT. 1989-2005 PKWARE Inc. ALL RIGHTS RESERVED.               *
*                                                                     *
***********************************************************************
*                                                                     *
* NAME: CALLZIPA                                                      *
* PURPOSE: Sample Assembly Program to fetch and call SECZIP           *
*   Steps: - Pass Modified Parms                                      *
*          - Examine The Return Code On Exit                          *
*                                                                     *
* This sample Assembly program demonstrates the ability to fetch      *
* and call SECZIP or SECUNZIP from an application program as a        *
* dynamic call (i.e., SECZIP and SECUNZIP are NOT linked into the     *
* program). There are three main variables used in calling SECZIP.    *
* First is the program variable (PKZIPEP) containing the name of      *
* program to call. The second variable is the parameters pass area    *
* which was passed from the JCL. You can build your own variable      *
* and use it as the PARMS to SECZIP by loading its address in EXECPARM.*
* The third variable to be concerned about is the return code passed  *
* back from SECZIP/SECUNZIP program. This can be examined for other   *
* processing or verification.                                         *
*                                                                     *
* This Example is passing the parameter '-SHOW_SETTINGS'. If          *
* -NOSYSIN is also passed ('-SHOW_SETTINGS -NOSYSIN'), SECZIP would   *
* not read other parameters from SYSIN. This example will read        *
* parameters from //SYSIN.                                            *
*                                                                     *
***********************************************************************
*     REGISTERS EQUATES AND USAGE FOR PROGRAM CALLZIPA
***********************************************************************
*            ENTRY          IN PROGRAM                RETURN
*R0  EQU 0   IRRELEVANT     MACRO WORK                RESTORED
*R1  EQU 1   ADDR OF PARMS  MACRO WORK                RESTORED
*R2  EQU 2   IRRELEVANT                               RESTORED
*R3  EQU 3   IRRELEVANT     COMMAND BUFFER MAPPING    RESTORED
*R4  EQU 4   IRRELEVANT                               RESTORED
*R5  EQU 5   IRRELEVANT                               RESTORED
*R6  EQU 6   IRRELEVANT                               RESTORED
*R7  EQU 7   IRRELEVANT                               RESTORED
*R8  EQU 8   IRRELEVANT                               RESTORED
*R9  EQU 9   IRRELEVANT                               RESTORED
*R10 EQU 10  IRRELEVANT                               RESTORED
*R11 EQU 11  IRRELEVANT                               RESTORED
*R12 EQU 12  IRRELEVANT     *** BASE REGISTER ***     RESTORED
*R13 EQU 13  O/S SAVEAREA   LOCAL SAVE/WORK AREAS     RESTORED
*R14 EQU 14  RETURN ADDR    STANDARD RETURN ADDRESS   RESTORED
*R15 EQU 15  EP ADDR        MACRO RET CODES           RET CODE
*
***********************************************************************
*
***  ESTABLISH STANDARD MODULE PROLOG.
*
***********************************************************************
*
CALLZIPA CSECT
CALLZIPA RMODE 24
CALLZIPA AMODE 31
*
**   ESTABLISH BASIC LINKAGE
*
         USING CALLZIPA,R15       TEMPORARY ADDRESSING
         SAVE  (14,12)
         LA    R14,SAVEAREA
         ST    R14,8(R13)         SAVE BACK OUR SAVE AREA
         ST    R13,SAVEAREA+4     KEEP CALLER'S SAVE AREA
         LA    R13,SAVEAREA       LOCAL SAVE AREA
         ST    R1,EXECPARM        KEEP EXEC PARM ADDRESS
         LR    R12,R15            ESTABLISH
         DROP  R15                  ADDRESSABILITY
         USING CALLZIPA,R12           USING R12
*
**   LOAD THE SECZIP PROGRAM INTO STORAGE AND BRANCH-ENTER IT
*
         L     R3,=A(PKZIPEP)     LOAD ADDRESS OF PROGRAM TO CALL
*                                 FETCH THE PROGRAM
         LOAD  EPLOC=(R3)
         LR    R15,R0             HAVE EP ADDRESS
         L     R1,EXECPARM        EXEC PGM=...,PARM='...'
         BASR  R14,R15
*
**   PLACE RETURN CODE EXAMINATION CODE BELOW
*
*        C     R15,=F'4'          SAMPLE CHECK FOR RC4
*
GOBACK   L     R13,SAVEAREA+4     GET CALLER'S SAVE AREA BACK
         RETURN (14,12),RC=(15)
SAVEAREA DC    18F'0'
EXECPARM DS    F                  PASSED REG1
PKZIPEP  DC    CL8'PKZIP'
         LTORG
***********************************************************************
R0       EQU   0
R1       EQU   1
R2       EQU   2
R3       EQU   3
R4       EQU   4
R5       EQU   5
R6       EQU   6
R7       EQU   7
R8       EQU   8
R9       EQU   9
R10      EQU   10
R11      EQU   11
R12      EQU   12
R13      EQU   13
R14      EQU   14
R15      EQU   15
         END   CALLZIPA

CALLZIPC Sample COBOL Source to Call SECZIP

       ID DIVISION.
       PROGRAM-ID. CALLZIPC.
      * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
      * SecureZIP for zSeries (TM), DATA COMPRESSION, VERSION 8.1    *
      * COPYRIGHT. 1989-2005 PKWARE Inc. ALL RIGHTS RESERVED.        *
      *                                                             *
      *                                                             *
      * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
       ENVIRONMENT DIVISION.
       INPUT-OUTPUT SECTION.
      * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
      * SecureZIP for zSeries (TM), DATA COMPRESSION, VERSION 8.0    *
      * COPYRIGHT. 2004 PKWARE Inc. ALL RIGHTS RESERVED.             *
      *                                                             *
      * Program: CALLZIPC                                            *
      *                                                             *
      * This sample COBOL program demonstrates the ability to call   *
      * SECZIP or SECUNZIP from an application program as a dynamic  *
      * call (i.e., SECZIP and SECUNZIP are NOT linked into the      *
      * program). There are two main variables used in calling       *
      * SECZIP. First is the program variable which contains the     *
      * name of program to call. Making it a variable forces a       *
      * dynamic call to SECZIP. The second variable is the           *
      * parameters pass area in the LINKAGE SECTION.                 *
      * The length is left up to the user, but the first two bytes   *
      * must be a binary length of the pass area. See CALL-PARMS     *
      * variables.                                                   *
      *                                                             *
      * This example is using the pass area of 100 bytes. This       *
      * Example is passing the parameter '-SHOW_SETTINGS'. If        *
      * -NOSYSIN is also passed ('-SHOW_SETTINGS -NOSYSIN'), SECZIP  *
      * would not read other parameters from SYSIN. This example     *
      * will read parameters from //SYSIN.                           *
      *                                                             *
      * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
       FILE-CONTROL.
       DATA DIVISION.
       FILE SECTION.
       WORKING-STORAGE SECTION.
       01  CALL-PROGRAM             PIC X(8).
       01  CALL-PARMS.
           02  CALL-PARM-LENGTH     PIC 9(3) BINARY VALUE 100.
           02  CALL-PARM-DATA       PIC X(100).
       LINKAGE SECTION.
       01  PARM-CARD.
           02  PARM-LENGTH          PIC 9(4) BINARY.
           02  PARM-DATA            PIC X(80).
       PROCEDURE DIVISION USING PARM-CARD.
           DISPLAY 'ABOUT TO CALL SECZIP'.
      * Move Of Program Name To Variable Forces Dynamic Call.
           MOVE 'SECZIP' TO CALL-PROGRAM.
      *
      * Set the PARM Variable field used by SECZIP.
      * If you do not want to read any parameters in SECZIP add -NOSYSIN
      *
           MOVE '-SHOW_SETTINGS' TO CALL-PARM-DATA.
           CALL CALL-PROGRAM USING CALL-PARMS.
           DISPLAY 'SECZIP COMPLETE RC=' RETURN-CODE.
           STOP RUN.

CALLZIPP Sample PL/I Source to Call SECZIP

CALLZIP: PROCEDURE OPTIONS(MAIN);
 /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
 /* SecureZIP for zSeries (TM), DATA COMPRESSION, VERSION 8.1 */
 /* COPYRIGHT. 1989-2005 PKWARE Inc. ALL RIGHTS RESERVED. */
 /* */
 /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
 /* Program: CALLZIPP */
 /* */
 /* This sample PL/I program demonstrates the ability to call */
 /* SECZIP or SECUNZIP from an application program as a dynamic */
 /* call (i.e., SECZIP and SECUNZIP are NOT linked into the */
 /* program). There are three main variables used in calling */
 /* SECZIP. First is the program variable SECZIP which contains */
 /* the name of program to call. The second variable is the */
 /* parameters pass area MY_PARMS with the length being left up */
 /* to the user. This example is using the pass area of 30 */
 /* bytes. */
 /* This Example is passing the parameter '-SHOW_SETTINGS'. */
 /* If -NOSYSIN is also passed ('-SHOW_SETTINGS -NOSYSIN'), */
 /* SECZIP would not read other parameters from SYSIN. This */
 /* example will read parameters from //SYSIN. */
 /* */
 /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */

 /* define the SECZIP variable return code save area */
 DECLARE MY_RETURN_CODE FIXED BINARY(15);

 /* define SECZIP as an external variable with options */
 DECLARE SECZIP ENTRY EXTERNAL('SECZIP')
         OPTIONS(RETCODE,ASSEMBLER);

 /* define the area for the parameters that are passed to SECZIP. */
 /* The length is left to user */
 DECLARE MY_PARMS CHAR(30) VARYING;
 DECLARE PLIRETV BUILTIN;

 DISPLAY ('Invoking Pkzip');

 /* Set calling parameters and call SECZIP */
 MY_PARMS = '-SHOW_SETTINGS';   /* Set the PARMS for SECZIP */
 FETCH SECZIP;                  /* Dynamically fetch SECZIP */
 CALL SECZIP(MY_PARMS);         /* Call SECZIP passing the PARMS */
 MY_RETURN_CODE = PLIRETV;      /* save the Return code from SECZIP */
 /* */
 DISPLAY ('RETURNED FROM PKZIP RC=' || MY_RETURN_CODE);
END;


CALLZIPR Sample REXX Source to Call SECZIP

/* REXX ------------------------------------------------------------*/
/* NAME: PKZZIP */
/* PARMS: PKZIPLoad - The name of the current PKZIP Load data set. */
/*        ARGPARMS  - PKZIP passed parameters enclosed in quotes */
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/* SecureZIP for zSeries (TM), DATA COMPRESSION, VERSION 8.1 */
/* COPYRIGHT. 1989-2005 PKWARE Inc. ALL RIGHTS RESERVED. */
/* */
/* This sample REXX program demonstrates the ability to call */
/* SECZIP or SECUNZIP from an application program as a dynamic */
/* call. There are three main variables used in calling SECZIP. */
/* First is the current SECZIP Load Library (PKZIPLoad) where */
/* SECZIP can be found. The second variable is the parameter */
/* pass area CALLPARMS where the parameters for SECZIP are */
/* passed to SECZIP program. This example uses an input argument */
/* to REXX to load the PARMS. This Example is passing the */
/* parameter '-ECHO -VERBOSE -SHOW_SETTINGS'. */
/* If -NOSYSIN is also passed ('-SHOW_SETTINGS -NOSYSIN'), */
/* SECZIP would not read other parameters from SYSIN. This */
/* example will read parameters from //SYSIN. */
/* */
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/*-------------------------------------------------------------------*/
ARG PKZIPLoad ARGPARMS
/* display the passed parameters */
LINE = 'REXX Sample to call SECZIP is starting'
SAY LEFT(LINE,80)
LINE = 'REXX Sample PKZIP Load lib is =' PKZIPLoad
SAY LEFT(LINE,80)
LINE = 'REXX Sample parameters =' ARGPARMS
SAY LEFT(LINE,80)
CALLPARMS = Strip(ARGPARMS,'B',"'") /* strip the quotes from PARMS */
/* If running from TSO, other data sets will have to be allocated */
/* "ALLOC FI(SYSPRINT) DA('*') SHR REUSE" */
/* "ALLOC FI(SYSABEND) DA('*') SHR REUSE" */
/* "ALLOC FI(SYSIN) DA('*') SHR REUSE" */
/* Could set other parameters such as CALLPARMS = '-SHOW_SETTINGS' */
"Call '"PKZIPLoad"(PKZIP)' '"CALLPARMS"'"
LINE = 'REXX Sample to call PKZIP ended with Return=' RC
SAY LEFT(LINE,80)
/* If running from TSO you will need to reset all the file assignments */
/* "FREE FI(SYSIN)" */
/* "FREE FI(SYSABEND)" */
/* "FREE FI(SYSPRINT)" */


CALLZC Sample C source program to call SECZIP

/* C -------------------------------------------------------------*/
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/* SecureZIP for zSeries (TM), DATA COMPRESSION, VERSION 8.1 */
/* COPYRIGHT 1989-2005 PKWARE, Inc. ALL RIGHTS RESERVED. */
/* */
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/* Program: CALLZC */
/* */
/* This sample C program demonstrates the ability to call SECZIP */
/* or SECUNZIP from an application program as a dynamic call (i.e. */
/* SECZIP and SECUNZIP are NOT linked into the program). There are */
/* three main variables used in calling SECZIP. */
/* First is the program variable "fetch_module" which contains the */
/* name of program to fetch and call. The second variable is the */
/* parameters pass area "PKCommarea" with the length being */
/* calculated. This Example is passing the parameter: */
/* '-NOAPI -VERBOSE -SHOW_SETTINGS'. */
/* On return pass back the return code */
/* */
/* If -NOSYSIN is also passed ('-NOAPI -SHOW_SETTINGS -NOSYSIN'), */
/* SECZIP would not read other parameters from SYSIN. This */
/* example will read parameters from //SYSIN. */
/* */
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/*------------------------------------------------------------------*/
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>

#define DOPRINTF printf

/* define external ZIP Call function */
typedef int PKZIP_CALL(char *);
#pragma linkage(PKZIP_CALL, OS)

/* Define the Module to fetch and call */
char fetch_module [ 8] = {"PKZIP " } ;

/* define MVS PKZIP Common pass area */
#pragma pack(packed)
struct PK_Commarea {
   short int lenPKZBuffer;
   char PKZBuffer[5000];
} PKCommarea;
char *pPKZCommands;
#pragma pack(reset)

/* A few common constants for testing */
char ProgamName1[] = "CALLZC ";
char ZipParmNOSYSIN[] = "-NOSYSIN ";
char ZipParmNOAPI[] = "-NOAPI ";
char ZipParmVIEW[9] = "-View ";

int main(void)
{
   PKZIP_CALL * pPKZIP = NULL;  /* Initial call var */
   int Func_RC = 0;             /* Function Return Code */

   DOPRINTF("%s using C Starting \n", ProgamName1);

   /* If PKZIP has not been fetched, fetch the load module */
   if (pPKZIP == NULL) {
      DOPRINTF("PKZIP API about to FETCH PKZIP \n");
      pPKZIP = (PKZIP_CALL *) fetch(fetch_module); // Fetch PKZIP
      if (pPKZIP == NULL) {
         DOPRINTF("PKZIP API - Unable to FETCH %s module.\n", fetch_module);
         Func_RC = 12;
         return Func_RC;
      }
      else {
         DOPRINTF("%s API FETCHED ok. \n", fetch_module);
      }
   } /* end of pPKZIP == NULL */

   /* setup the Parameters */
   strcpy(PKCommarea.PKZBuffer, ZipParmNOSYSIN);
   strcpy(PKCommarea.PKZBuffer, ZipParmNOAPI); /* over lay NOSYSIN */
   strcat(PKCommarea.PKZBuffer, "-VERBOSE " );
   /* -SHOW_SETTINGS is named in the header comment above */
   strcat(PKCommarea.PKZBuffer, "-SHOW_SETTINGS ");

   /* set the length of pass buffer */
   PKCommarea.lenPKZBuffer = strlen(PKCommarea.PKZBuffer);
   DOPRINTF("Calling PKZIP with buffer Len=%d \n", PKCommarea.lenPKZBuffer);
   DOPRINTF("Calling Buffer=<%s> \n", PKCommarea.PKZBuffer);

   /* Now call the program by using the fetched function */
   Func_RC = (*pPKZIP) ((char *)&PKCommarea); // Call PKZIP
   if (Func_RC != 0) {
      DOPRINTF("%s failed with return code:%d \n", fetch_module, Func_RC);
      return Func_RC;
   }
   DOPRINTF("%s API - returned OK \n", fetch_module);
   return Func_RC;
} /* end of main func */

CALLZCPP Sample C++ program source to call SECZIP

/* C++ -----------------------------------------------------------*/
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/* SecureZIP for zSeries (TM), DATA COMPRESSION, VERSION 8.1 */
/* COPYRIGHT 1989-2005 PKWARE, Inc. ALL RIGHTS RESERVED. */
/* */
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/* Program: CALLZCPP */
/* */
/* This sample C++ program demonstrates the ability to call SECZIP */
/* or SECUNZIP from an application program as a dynamic call (i.e. */
/* SECZIP and SECUNZIP are NOT linked into the program). There are */
/* three main variables used in calling SECZIP. */
/* First is the program variable "fetch_module" which contains the */
/* name of program to fetch and call. The second variable is the */
/* parameters pass area "PKCommarea" with the length being */
/* calculated. This Example is passing the parameter: */
/* '-NOAPI -VERBOSE -SHOW_SETTINGS'. */
/* On return pass back the return code */
/* */
/* If -NOSYSIN is also passed ('-NOAPI -SHOW_SETTINGS -NOSYSIN'), */
/* SECZIP would not read other parameters from SYSIN. This */
/* example will read parameters from //SYSIN. */
/* */
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/*-------------------------------------------------------------------*/
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>

#define DOPRINTF printf

/* define external ZIP Call function */
extern "OS" {
   typedef int typedefPKZIP( char *);
}
typedefPKZIP *pPKZIP = NULL;

/* Define the Module to fetch and call */
char fetch_module [ 8] = {"PKZIP " } ;

/* define MVS PKZIP Common pass area */
#pragma pack(packed)
struct PK_Commarea {
   short int lenPKZBuffer;
   char PKZBuffer[5000];
} PKCommarea;
char *pPKZCommands;
#pragma pack(reset)

/* A few common constants for testing */
char ProgamName1[] = "CALLZCPP ";
char ZipParmNOSYSIN[] = "-NOSYSIN ";
char ZipParmNOAPI[] = "-NOAPI ";
char ZipParmVIEW[] = "-View ";

int main(void)
{
   int Func_RC = 0; /* Function Return Code */

   DOPRINTF("%s using C++ Starting \n", ProgamName1);

   /* If PKZIP has not been fetched, fetch the load module */
   if (pPKZIP == NULL) {
      DOPRINTF("PKZIP API about to FETCH PKZIP \n");
      pPKZIP = (typedefPKZIP *) fetch("PKZIP"); // Fetch PKZIP
      if (pPKZIP == NULL) {
         DOPRINTF("PKZIP API - Unable to FETCH %s module.\n", fetch_module);
         Func_RC = 12;
         return Func_RC;
      }
      else {
         DOPRINTF("%s API FETCHED ok. \n", fetch_module);
      }
   } /* end of pPKZIP == NULL */

   /* setup the Parameters before call */
   strcpy(PKCommarea.PKZBuffer, ZipParmNOAPI); /* start the buffer with -NOAPI */
   strcat(PKCommarea.PKZBuffer, "-VERBOSE " );
   strcat(PKCommarea.PKZBuffer, "-SHOW_SETTINGS ");
   // strcat(PKCommarea.PKZBuffer, "-ARCHIVE(WSS.OS400.TEST03.ZIP) ");
   // strcat(PKCommarea.PKZBuffer, ZipParmVIEW);
   // strcat(PKCommarea.PKZBuffer, "-UPDATE " );
   // strcat(PKCommarea.PKZBuffer, "WSS.MVS.ASM($*) " );

   /* set the length of pass buffer */
   PKCommarea.lenPKZBuffer = strlen(PKCommarea.PKZBuffer);
   DOPRINTF("Calling PKZIP with buffer Len=%d \n", PKCommarea.lenPKZBuffer);
   DOPRINTF("Calling Buffer=<%s> \n", PKCommarea.PKZBuffer);

   /* Now call the program by using the function */
   Func_RC = (*pPKZIP) ((char *)&PKCommarea); // Call PKZIP
   if (Func_RC != 0) {
      DOPRINTF("%s failed with return code:%d \n", fetch_module, Func_RC);
      return Func_RC;
   }
   DOPRINTF("%s API - returned OK \n", fetch_module);
   return Func_RC;
} /* end of main func */


A Licensing Requirements

SecureZIP for zSeries is a licensed product. Without proper licensing the product can only be used to view archives. Product features can be licensed separately as the user needs dictate. The license key will contain all of the elements necessary to validate a customer’s use of SecureZIP for zSeries.

The licensing process is comprised of several key elements that are described in the following sections.

Licensed Types

The license key will be comprised of codes to reflect the license types selected by the customer.

The following table contains the parameters, and a brief description, used to determine licensing:

Type: BASIC
Description: The BASIC license type is the base line. It represents a license for which there are no restrictions, other than time. In contrast, all the other license types define restrictions within which the application is licensed and the customer is to abide.
Use: Customer will receive a predetermined set of product features.

Type: CAPACITY
Description: The CAPACITY license type compares the capacity of the operating environment (as defined by the machine serial number) along with a predefined table; for instance, to assure the application is running in a machine whose computing capacity is not larger than that for which the product is licensed.
Use: Customer will designate the serial number of the processor(s).

Type: DEMO
Description: A DEMO license is typically restricted to a certain time period, number of executions, or limited set of functions. These licenses may allow any of the other types of use. This license is also known as “Try and Buy” or “Supply before Buy.” These terms and conditions can be an added restriction to any of the license types.
Use: 30-day trial period.

Type: DISASTER RECOVERY
Description: A DISASTER RECOVERY license is granted by the vendor to allow a specified product to execute under conditions defined as “disaster recovery” for a specified period of time or for a specified number of occurrences. These terms and conditions can be an added restriction to any of the license types.
Use: Implemented with a 5-day grace period to allow the customer to contact PKWARE to update the license. The grace period will never expire on a weekend.

Type: ENTERPRISE
Description: An ENTERPRISE license is assigned to an enterprise, which may be comprised of multiple sites, complexes, nodes, and/or serial numbers. It is an all-encompassing license to a single entity. These terms and conditions are derived from any of the license types.
Use: Allows a customer full access to all features of SecureZIP for zSeries on all systems.

Type: FEATURES
Description: A packaging and enablement option. An optional feature of a product can be packaged, licensed, and enabled at the discretion of the software publisher. Features can be licensed in the same manner as software products and can, therefore, be of any license type.
Use: See product options below.

Type: TIME-DELIMITED
Description: Each license type is modifiable by time. Each license will have a finite time period.

Product Features

The license key comprises codes to reflect the product features selected by the customer.

SecureZIP for zSeries includes many features previously found in the PKZIP for zSeries Enterprise Edition. These features include an ISPF dialog user interface, all file handlers, self-extractors for smaller platforms, GZIP and ZIP64 extensions.

In addition to the PKZIP compression features, SecureZIP for zSeries includes the following security-related features:

• Advanced password-based encryption/decryption (AES, DES, 3DES and RC4 algorithms) using RSA’s BSAFE Crypto-C routines

• Certificate-based decryption and digital signature authentication

• Filename encryption

The following optional add-on modules are also available:

Module                         Description
Advanced Encryption Module     Provides public/private key PKI certificate-based encryption and digital signing
Directory Integration Module   Enables access to certificates residing on an LDAP server


Licensing Environment

SecureZIP for zSeries contains a series of processes that update the current use license, allow reporting of the license information, allow conditional use of the product during a disaster recovery, and allow conditional use during a modification of the customer’s physical environment.

Evaluation Period

License generation for a trial of the product allowing full use is a simple process of obtaining a key from the Sales Division. Once this process is completed, SecureZIP for zSeries allows access to all options for a period of 30 days. At some time during this process, you must contact PKWARE to obtain licensing to extend use beyond the initial period.

For Licensing, please contact the Sales Division at 937-847-2374 or email [email protected].

For Technical Support assistance, please contact the Product Services Division at 937-847-2687 or visit the support web site.

Release Licensing

Each release of SecureZIP for zSeries requires that a new license key be obtained from Customer Service and that a new license record be generated. If the license data set from a previous release is used, the new release fails with the message "ZPLI901E Product License is Invalid".

Current Use License

When you receive the license control card information from PKWARE, you build the license data set using the Build License program (there is a sample job stream in member LICUPDAT in the Installation Data set (INSTLIB)). Executing this job stream updates the LICENSE data set and produces a report that reflects the state of SecureZIP for zSeries at your location.

Following is a sample of the output:

ZPLI200I CONTROL CARD INPUT TO THE LICENSE RECORD
*LICENSED BY PKWARE 12/22/04 FPD
55 X37C8901 104620127 PKWARE Inc.
23 RT1A2217 20050102 01052B70601B
12 RT1A1331 20050102 01462A903041
14 XXOP2217 20050102 01052B70601B
73 XZZX2217 20050102 01052B70601B
18 RT562217 20050102 01052B70601B
89 1414C1EF 20020930 01052B70601B
ZPLI200I THE LICENSE RECORD HAS BEEN UPDATED FOR SecureZIP ON 01/08/01 AT 1:45pm FROM CPU
*******************************************************************************************

Reporting

To report on the status of the license at your location, run the sample job stream in member LICPRINT in the Installation Data set (seczip.mvs.INSTLIB).


Following is a sample of the report with normal licensing:

*********************************************************************************
ZPLI200I A LICENSE REPORT HAS BEEN REQUESTED ON 02/02/05 AT 9:56am VER: 8.1 IN PKZIP.MVS.LICENSE
ZPLI200I For Technical Support assistance, please contact Product Services Division
ZPLI200I at 937-847-2687 or go on-line at http://www.pkware.com/support
*******************************************************************************************
ZPLI200I SecureZIP (TM) IS LICENSED TO CUSTOMER # 000012805
ZPLI200I - CUSTOMER NAME - PKWARE, INC
ZPLI200I CPU model 2066 with 1 online
ZPLI200I Service units per second per online CPU is 5612.07
ZPLI200I Approximate total MIPS (SUs/SEC / 48.5 * #CPUs) is 115.71
ZPLI200I CEC MSU per hour capacity is 20 - LPAR MSU per hour capacity is 20
ZPLI200I Central Processing Complex (CPC) Node Descriptor: CPC ND = 002066.0B1.IBM.02.00000001263B
ZPLI200I CPC ID = 00 Type(002066) Model(0B1) Manufacturer(IBM) Plant(02) Seq Num(00000001263B)
ZPLI200I CPU serial number for CPU 0 is 04263B2066 (4263B), version code 00, model 0B1.
ZPLI200I Model from CPC SI
*******************************************************************************************
ZPLI200I COMPRESSION IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400
ZPLI200I DECOMPRESSION IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400
ZPLI200I DECRYPTION IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400
ZPLI200I GZIP SUPPORTED FILES LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400
ZPLI200I ISPF IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400
ZPLI200I COMMAND LINE INTERFACE IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400
ZPLI200I ADVANCED ENCRYPTION MODULE IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400
ZPLI200I DIRECTORY INTEGRATION MODULE IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400
ZPLI200I SELF EXTRACTION CREATOR IS LICENSED ON THE FOLLOWING PROCESSORS
ZPLI200I SERIAL# *0263B PROCESSOR TYPE 2066 VERSION/MODEL 0B1 WITH AN EXPIRATION DATE OF 02/28/2400

Following is a sample of the report with DEMO licensing:

ZPLI220I A demo license has been requested on 03/18/04 AT 9:12am
ZPLI220I Please contact PKWARE Sales at 937-847-2374 to receive an evaluation license.
*********************************************************************************
CPU model 2066 with 1 online
CPU serial number for CPU 0 is 04263B2066 (4263B), version code 00.
Service units per second per online CPU is 5612.07
Approximate total MIPS (SUs/SEC / 48.5 * #CPUs) is 115.71
Central Processing Complex (CPC) Node Descriptor: CPC ND = 002066.0B1.IBM.02.00000001263B
CPC ID = 00 Type(002066) Model(0B1) Manufacturer(IBM) Plant(02) Seq Num(00000001263B)
*********************************************************************************


Show System Information

To display hardware and software information at your location, run the sample job stream in member LICSHSYS in the Installation Data set (seczip.mvs.INSTLIB). Executing this job stream displays a Show System Information report.

Following is a sample of the report:

ZPLI210I PKWARE - Display System Information - Version 8.1
SecureZIP(TM) is a trademark of PKWARE (R), Inc.
PKZIP (R) is a registered trademark of PKWARE (R), INC.
For Licensing, please contact the Sales Division at 937-847-2374 or email [email protected]
For Technical Support assistance, please contact the Product Services Division at 937-847-2687 or go on-line at http://www.pkware.com/support
Wednesday 02/02/2005 (2005.033) 10:06:19
CPU model 2066 with 1 online
Service units per second per online CPU is 5612.07.
Approximate total MIPS (SUs/SEC / 48.5 * #CPUs) is 115.71.
CEC MSU per hour capacity is 20 - LPAR MSU per hour capacity is 20
Central Processing Complex (CPC) Node Descriptor: CPC ND = 002066.0B1.IBM.02.00000001263B
CPC ID = 00 Type(002066) Model(0B1) Manufacturer(IBM) Plant(02) Seq Num(00000001263B)
CPU serial number for CPU 0 is 04263B2066 (4263B), version code 00, Model(0B1).
JES2 z/OS 1.4
DFSMS z/OS 1.3.0
Model from CPC SI
READY

Conditional Use

PKWARE recognizes that there may be periods where the licensing environment established by the customer is no longer valid. Circumstances such as disaster recovery processing or the installation or upgrade of new processors will affect the environment. In order to accommodate the customer, SecureZIP for zSeries has a process to allow the customer to continue to use the product for a period of 5 days. During this time, error messages are displayed on the console (as well as in the printout) for each execution of SecureZIP for zSeries. At the end of the grace period, if the license keys are not updated, the product will no longer function in any environment other than to VIEW an archive. This five-day grace period is designed so that the program does not cease to function on a weekend or the Monday following the five-day grace period. You must obtain proper licensing during this period to extend use beyond the period.


B Sample Jobstreams

Example 1: Zip PDS to an Archive

JCL Used

//SAMPZIP1 JOB (XXXX),SAMPZIP1,
//         CLASS=B,
//         MSGCLASS=Q,
//         NOTIFY=&SYSUID,
//         REGION=8M
//******************************************************************
//* Sample job stream to ZIP pds file "SYS1.MACLIB" to an          *
//* archive of "PKWARE.MACLIB.ARCHIVE"                             *
//******************************************************************
//*
//ZIP1     EXEC PGM=SECZIP,PARM='-ECHO '
//STEPLIB  DD DISP=SHR,DSN=SECZIP.MVS.LOAD
//SYSPRINT DD SYSOUT=*
//SYSABEND DD SYSOUT=*
//SYSIN    DD *
-ARCHIVE_DSN(PKWARE.MACLIB.ARCHIVE)
-ACTION(ADD)
SYS1.MACLIB
/*
//

Resulting Output

ZPAM030I OUTPUT Archive opened: PKWARE.MACLIB.ARCHIVE
ZPAM253I ADDED File SYS1.MACLIB(ABEND)
ZPAM254I as SYS1/MACLIB/ABEND
ZPAM255I (DEFLATED 78%/78%)
ZPAM253I ADDED File SYS1.MACLIB(ACB)
ZPAM254I as SYS1/MACLIB/ACB
ZPAM255I (DEFLATED 77%/77%)
ZPAM253I ADDED File SYS1.MACLIB(ACBVS)
ZPAM254I as SYS1/MACLIB/ACBVS
ZPAM255I (DEFLATED 78%/77%)
ZPAM253I ADDED File SYS1.MACLIB(ACI)
ZPAM254I as SYS1/MACLIB/ACI
ZPAM255I (DEFLATED 73%/72%)
. . . . . . . . . . . . . . . . . . . . . . . . .
ZPAM253I ADDED File SYS1.MACLIB(YREGS)
ZPAM254I as SYS1/MACLIB/YREGS
ZPAM255I (DEFLATED 83%/83%)
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)

Example 2: Zip PDS to an Archive

JCL Used

//SAMPZIP2 JOB (XXXX),SAMPZIP2,
// CLASS=B,
// MSGCLASS=Q,
// NOTIFY=&SYSUID,
// REGION=8M
//******************************************************************
//* Sample job stream to ZIP pds file "SYS1.MACLIB" to an *
//* archive of "PKWARE.MACLIB.ARCHIVE" *
//* *
//* The second qualifier of the output member(s) will be *
//* changed to "MYLIB" per the ZIPPED_DSN command. *
//******************************************************************
//*
//ZIP2 EXEC PGM=SECZIP,PARM='-ECHO '
//STEPLIB DD DISP=SHR,DSN=SECZIP.MVS.LOAD
//SYSPRINT DD SYSOUT=*
//SYSABEND DD SYSOUT=*
//SYSIN DD *
-ARCHIVE_DSN(PKWARE.MACLIB.ARCHIVE)
-ACTION(ADD)
-ZIPPED_DSN(*.MACLIB(*),*/MYLIB/*)
SYS1.MACLIB
/*
//

Resulting Output

ZPAM030I OUTPUT Archive opened: PKWARE.MACLIB.ARCHIVE
ZPAM253I ADDED File SYS1.MACLIB(ABEND)
ZPAM254I as SYS1/MYLIB/ABEND
ZPAM255I (DEFLATED 78%/78%)
ZPAM253I ADDED File SYS1.MACLIB(ACB)
ZPAM254I as SYS1/MYLIB/ACB
ZPAM255I (DEFLATED 77%/77%)
ZPAM253I ADDED File SYS1.MACLIB(ACBVS)
ZPAM254I as SYS1/MYLIB/ACBVS
ZPAM255I (DEFLATED 78%/77%)
ZPAM253I ADDED File SYS1.MACLIB(ACI)
ZPAM254I as SYS1/MYLIB/ACI
ZPAM255I (DEFLATED 73%/72%)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ZPAM253I ADDED File SYS1.MACLIB(YREGS)
ZPAM254I as SYS1/MYLIB/YREGS
ZPAM255I (DEFLATED 83%/83%)
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)

Example 3: Zip VSAM KSDS to an Archive

JCL Used

//SAMPZIP3 JOB (XXXX),SAMPZIP3,
// CLASS=B,
// MSGCLASS=Q,
// NOTIFY=&SYSUID,
// REGION=8M
//******************************************************************
//* Sample job stream to ZIP VSAM KSDS file "PKWARE.SAMPLE.KSDS" to an *
//* archive of "PKWARE.VSAMKSDS.ARCHIVE". *
//* *
//* "ARCHIVE_VOLUMES" will write the Archive to the volume *
//* specified. *
//* *
//* "COMPRESSION_LEVEL(STORE)" requests NO compression. *
//******************************************************************
//*
//ZIP3 EXEC PGM=SECZIP,PARM='-ECHO '
//STEPLIB DD DISP=SHR,DSN=SECZIP.MVS.LOAD
//SYSPRINT DD SYSOUT=*
//SYSABEND DD SYSOUT=*
//SYSIN DD *
-ARCHIVE_DSN(PKWARE.VSAMKSDS.ARCHIVE)
-ACTION(ADD)
-ARCHIVE_VOLUMES(PKWARE)
-COMPRESSION_LEVEL(STORE)
PKWARE.SAMPLE.KSDS
/*
//

Resulting output

ZPAM030I OUTPUT Archive opened: PKWARE.VSAMKSDS.ARCHIVE
ZPAM253I ADDED File PKWARE.SAMPLE.KSDS
ZPAM254I as PKWARE/SAMPLE/KSDS
ZPAM255I (STORED 0%/ 2%)
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)

Example 4: Summary View of a Dataset

JCL Used

//SAMVIEW1 JOB (XXXX),SAMVIEW1,
// CLASS=B,
// MSGCLASS=Q,
// NOTIFY=&SYSUID,
// REGION=8M
//******************************************************************
//* Sample job stream to do a summary VIEW of dataset *
//* "PKWARE.MACLIB.ARCHIVE". *
//******************************************************************
//*
//VIEW1 EXEC PGM=SECZIP,PARM='-ECHO '
//STEPLIB DD DISP=SHR,DSN=SECZIP.MVS.LOAD
//SYSPRINT DD SYSOUT=*
//SYSABEND DD SYSOUT=*
//SYSIN DD *
-ARCHIVE_DSN(PKWARE.MACLIB.ARCHIVE)
-ACTION(VIEW)
/*
//

Resulting output

ZPAM030I INPUT Archive opened: PKWARE.MACLIB.ARCHIVE
ZPAM014I There are 1539 file(s) in the input Archive.
ZPAM012I ZIP comment: SecureZIP for zSeries by PKWARE Inc.
ZPAM013I ******************************************************************************************************
ZPAM015I          Length Method                  Size Ratio Date       Time  CRC-32   Name
ZPAM016I --------------- ------------ --------------- ----- ---------- ----- -----------------------------------
ZPAM017I          12,957 DEFLATE-NORM           2,856   78% 08/09/2001 11:14 36BDC0D4 SYS1/MYLIB/ABEND
ZPAM017I           6,315 DEFLATE-NORM           1,462   77% 08/09/2001 11:14 1E1A020B SYS1/MYLIB/ACB
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ZPAM017I           2,543 DEFLATE-NORM             433   83% 08/09/2001 11:16 E0B4A859 SYS1/MYLIB/YREGS
ZPAM018I ---------------              --------------- -----
ZPAM019I     111,359,012                   17,822,596   84%
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)

Example 5: Summary View of a Dataset

JCL Used

//SAMVIEW2 JOB (XXXX),SAMVIEW2,
// CLASS=B,
// MSGCLASS=Q,
// NOTIFY=&SYSUID,
// REGION=8M
//******************************************************************
//* Sample job stream to do a summary VIEW of dataset *
//* "PKWARE.MACLIB.ARCHIVE". *
//* *
//* A request is also made to do a "BRIEF" which will *
//* eliminate the "CRC-32" information from being displayed.*
//******************************************************************
//*
//VIEW2 EXEC PGM=SECZIP,PARM='-ECHO '
//STEPLIB DD DISP=SHR,DSN=SECZIP.MVS.LOAD
//SYSPRINT DD SYSOUT=*
//SYSABEND DD SYSOUT=*
//SYSIN DD *
-ARCHIVE_DSN(PKWARE.MACLIB.ARCHIVE)
-ACTION(VIEWBRIEF)
/*
//

Resulting output

ZPAM030I INPUT Archive opened: PKWARE.MACLIB.ARCHIVE
ZPAM014I There are 1539 file(s) in the input Archive.
ZPAM012I ZIP comment: SecureZIP for zSeries by PKWARE Inc.
ZPAM013I *******************************************************************************************************
ZPAM020I          Length Method                  Size Ratio Date       Time  Name
ZPAM021I --------------- ------------ --------------- ----- ---------- ----- -----------------------------------
ZPAM017I          12,957 DEFLATE-NORM           2,856   78% 08/09/2001 11:14 SYS1/MYLIB/ABEND
ZPAM017I           6,315 DEFLATE-NORM           1,462   77% 08/09/2001 11:14 SYS1/MYLIB/ACB
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ZPAM017I           2,543 DEFLATE-NORM             433   83% 08/09/2001 11:16 SYS1/MYLIB/YREGS
ZPAM018I ---------------              --------------- -----
ZPAM019I     111,359,012                   17,822,596   84%
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)

Example 6: View with Detail of an Archive

JCL Used

//SAMVIEW3 JOB (XXXX),SAMVIEW3,
// CLASS=B,
// MSGCLASS=Q,
// NOTIFY=&SYSUID,
// REGION=8M
//******************************************************************
//* Sample job stream to do a VIEW with a DETAIL listing of the *
//* entries in "PKWARE.MACLIB.ARCHIVE". *
//* *
//* A request is also made to do a "NAME" which will *
//* do the listing in Data Set Name (Ascending) sequence. *
//******************************************************************
//*
//VIEW3 EXEC PGM=SECZIP,PARM='-ECHO '
//STEPLIB DD DISP=SHR,DSN=SECZIP.MVS.LOAD
//SYSPRINT DD SYSOUT=*
//SYSABEND DD SYSOUT=*
//SYSIN DD *
-ARCHIVE_DSN(PKWARE.MACLIB.ARCHIVE)
-ACTION(VIEWDETAILNAME)
/*
//

Resulting output

ZPAM030I INPUT Archive opened: PKWARE.MACLIB.ARCHIVE
ZPAM014I There are 1539 file(s) in the input Archive.
ZPAM012I ZIP comment: SecureZIP for zSeries by PKWARE Inc.
ZPAM013I
ZPAM001I Filename: SYS1/MYLIB/ABEND
ZPAM002I File type: TEXT
ZPAM003I Date/Time: 09-AUG-2001 11:14:34
ZPAM004I Compression Method: DEFLATE -NORMAL
ZPAM005I Compressed Size: 2,856
ZPAM006I Uncompressed Size: 12,957
ZPAM007I 32-bit CRC: 36BDC0D4
ZPAM008I Created by: PKZIP for MVS 5.5 * - 2.x compatible
ZPAM009I Needed to extract: ZipSpec 2.0
ZPAM301I File Type: NONVSAM PDS
ZPAM302I File PDS Directory Blocks: 200
ZPAM303I File Record Format: FB
ZPAM304I File Allocation Type: TRK
ZPAM305I File Primary Space Allocated: 2245
ZPAM306I File Secondary Space Allocated: 90
ZPAM307I File Record Size: 80
ZPAM308I File Block Size: 6160
ZPAM309I File Volume(s) Used: PKWARE
ZPAM310I File Creation Date: 1998/07/27
ZPAM311I File Referenced Date: 2001/08/09
ZPAM312I File PDS Extended Directory Information:
DIRECTORY INFORMATION FOLLOWS LENGTH=000004
000000 52540647 00000000 00000000 00000000 |................|
ZPAM313I PDS member TTRKZC: 010E07000002
ZPAM013I
ZPAM001I Filename: SYS1/MYLIB/ACB
ZPAM002I File type: TEXT
ZPAM003I Date/Time: 09-AUG-2001 11:14:34
ZPAM004I Compression Method: DEFLATE -NORMAL
ZPAM005I Compressed Size: 1,462
ZPAM006I Uncompressed Size: 6,315
ZPAM007I 32-bit CRC: 1E1A020B
ZPAM008I Created by: PKZIP for MVS 5.5 * - 2.x compatible
ZPAM009I Needed to extract: PKUNZIP 2.0
ZPAM301I File Type: NONVSAM PDS
ZPAM302I File PDS Directory Blocks: 200
ZPAM303I File Record Format: FB
ZPAM304I File Allocation Type: TRK
ZPAM305I File Primary Space Allocated: 2245
ZPAM306I File Secondary Space Allocated: 90
ZPAM307I File Record Size: 80
ZPAM308I File Block Size: 6160
ZPAM309I File Volume(s) Used: PKWARE
ZPAM310I File Creation Date: 1998/07/27
ZPAM311I File Referenced Date: 2001/08/09
ZPAM312I File PDS Extended Directory Information:
DIRECTORY INFORMATION FOLLOWS LENGTH=000004
000000 71620002 00000000 00000000 00000000 |................|
ZPAM313I PDS member TTRKZC: 004307000002
ZPAM013I
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ZPAM001I Filename: SYS1/MYLIB/YREGS
ZPAM002I File type: TEXT
ZPAM003I Date/Time: 09-AUG-2001 11:16:24
ZPAM004I Compression Method: DEFLATE -NORMAL
ZPAM005I Compressed Size: 433
ZPAM006I Uncompressed Size: 2,543
ZPAM007I 32-bit CRC: E0B4A859
ZPAM008I Created by: PKZIP for MVS 5.5 * - 2.x compatible
ZPAM009I Needed to extract: ZipSpec 2.0
ZPAM301I File Type: NONVSAM PDS
ZPAM302I File PDS Directory Blocks: 200
ZPAM303I File Record Format: FB
ZPAM304I File Allocation Type: TRK
ZPAM305I File Primary Space Allocated: 2245
ZPAM306I File Secondary Space Allocated: 90
ZPAM307I File Record Size: 80
ZPAM308I File Block Size: 6160
ZPAM309I File Volume(s) Used: PKWARE
ZPAM310I File Creation Date: 1998/07/27
ZPAM311I File Referenced Date: 2001/08/09
ZPAM312I File PDS Extended Directory Information:
DIRECTORY INFORMATION FOLLOWS LENGTH=000004
000000 71690198 00000000 00000000 00000000 |...q............|
ZPAM313I PDS member TTRKZC: 00AC09000002
ZPAM013I
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)

Example 7: Unzip an Archive to PDS

JCL Used

//SAMUNZP1 JOB (XXXX),SAMUNZP1,
// CLASS=B,
// MSGCLASS=Q,
// NOTIFY=&SYSUID,
// REGION=8M
//******************************************************************
//* Sample job stream to UNZIP a zipped PDS file *
//* archive of "PKWARE.MACLIB.ARCHIVE" back to its original *
//* content. *
//* *
//* The "FILE_EXTENSION(NAMEFILE)" will use the last *
//* component of the ZIPPED name as the PDS member name. *
//******************************************************************
//*
//UNZIP1 EXEC PGM=SECUNZIP,PARM='-ECHO '
//STEPLIB DD DISP=SHR,DSN=SECZIP.MVS.LOAD
//SYSPRINT DD SYSOUT=*
//SYSABEND DD SYSOUT=*
//SYSIN DD *
-FILE_EXTENSION(NAMEFILE)
-ARCHIVE_DSN(PKWARE.MACLIB.ARCHIVE)
/*
//

Resulting output

ZPAM030I INPUT Archive opened: PKWARE.MACLIB.ARCHIVE
ZPEX002I SYS1/MACLIB/ABEND
ZPEX003I Extracted to SYS1.MACLIB(ABEND)
ZPEX002I SYS1/MACLIB/ACB
ZPEX003I Extracted to SYS1.MACLIB(ACB)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ZPEX002I SYS1/MACLIB/YREGS
ZPEX003I Extracted to SYS1.MACLIB(YREGS)
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)

Example 8: Unzip an Archive to PDS

JCL Used

//SAMUNZP2 JOB (XXXX),SAMUNZP2,
// CLASS=B,
// MSGCLASS=Q,
// NOTIFY=&SYSUID,
// REGION=8M
//******************************************************************
//* Sample job stream to UNZIP a zipped PDS file *
//* archive of "PKWARE.MACLIB.ARCHIVE" back to its original *
//* content. *
//* *
//* The "FILE_EXTENSION(NAMEFILE)" will use the last *
//* component of the ZIPPED name as the PDS member name. *
//* *
//* The "UNZIPPED_DSN" is being used to change the HLQ of *
//* the file. While it was ZIPPED as "SYS1" it will be *
//* UNZIPPED as "SYS2". *
//******************************************************************
//*
//UNZIP2 EXEC PGM=SECUNZIP,PARM='-ECHO '
//STEPLIB DD DISP=SHR,DSN=SECZIP.MVS.LOAD
//SYSPRINT DD SYSOUT=*
//SYSABEND DD SYSOUT=*
//SYSIN DD *
-UNZIPPED_DSN(SYS1,SYS2)
-FILE_EXTENSION(NAMEFILE)
-ARCHIVE_DSN(PKWARE.MACLIB.ARCHIVE)
/*

Resulting output

ZPAM030I INPUT Archive opened: PKWARE.MACLIB.ARCHIVE
ZPEX002I SYS1/MACLIB/ABEND
ZPEX003I Extracted to SYS2.MACLIB(ABEND)
ZPEX002I SYS1/MACLIB/ACB
ZPEX003I Extracted to SYS2.MACLIB(ACB)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ZPEX002I SYS1/MACLIB/YREGS
ZPEX003I Extracted to SYS2.MACLIB(YREGS)
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)
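Examples 7 and 8 differ only in where the members land: SYS1.MACLIB in the first, SYS2.MACLIB once UNZIPPED_DSN is applied. The following Python check is an added example, not part of the PKWARE guide; it reads a saved SYSPRINT listing in the message layout shown above and reports any extraction whose high-level qualifier is outside an allow-list. The function names, the allow-list and the sample listing are constructed for illustration.

```python
import re

# Constructed SYSPRINT excerpt using the message layout of Examples 7 and 8.
SAMPLE_SYSPRINT = """\
ZPAM030I INPUT Archive opened: PKWARE.MACLIB.ARCHIVE
ZPEX002I SYS1/MACLIB/ABEND
ZPEX003I Extracted to SYS2.MACLIB(ABEND)
ZPEX002I SYS1/MACLIB/ACB
ZPEX003I Extracted to SYS1.MACLIB(ACB)
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)
"""

# Message id (e.g. ZPEX003I) followed by the message text.
MSG = re.compile(r"^(ZP[A-Z]{2}\d{3}[A-Z])\s+(.*)$")
# The completion message carries the return code again in decimal.
RC_DEC = re.compile(r"RC=[0-9A-Fa-f]{8}\s+(\d+)\(Dec\)")
EXTRACTED = "Extracted to "


def audit_extract_log(text, allowed_hlqs):
    """Return (return_code, extractions, violations) for one listing.

    return_code is None when no ZPMT002I completion message is present.
    extractions and violations are lists of (archive_name, target_dsn).
    """
    allowed = {h.upper() for h in allowed_hlqs}
    pending = None          # archive entry named by the last ZPEX002I
    return_code = None
    extractions, violations = [], []
    for line in text.splitlines():
        m = MSG.match(line.strip())
        if not m:
            continue        # elision rows, hex dumps, blank lines
        msgid, body = m.groups()
        if msgid == "ZPEX002I":
            pending = body.strip()
        elif msgid == "ZPEX003I" and body.startswith(EXTRACTED):
            target = body[len(EXTRACTED):].strip()
            hlq = target.split(".", 1)[0].split("(", 1)[0].upper()
            extractions.append((pending, target))
            if hlq not in allowed:
                violations.append((pending, target))
            pending = None
        elif msgid == "ZPMT002I":
            rc = RC_DEC.search(body)
            if rc:
                return_code = int(rc.group(1))
    return return_code, extractions, violations


def listing_is_clean(text, allowed_hlqs):
    """True only if the job completed with RC 0 and stayed inside the allow-list."""
    return_code, _, violations = audit_extract_log(text, allowed_hlqs)
    return return_code == 0 and not violations


if __name__ == "__main__":
    rc, done, bad = audit_extract_log(SAMPLE_SYSPRINT, ["SYS2"])
    print("RC:", rc)
    for entry, dsn in bad:
        print("outside allow-list:", entry, "->", dsn)
```

A listing with no ZPMT002I line is treated as not clean, so a truncated or abended job cannot pass the check.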

Example 9: Unzip an Archive to VSAM KSDS

JCL Used

//SAMUNZP3 JOB (XXXX),SAMUNZP3,
// CLASS=B,
// MSGCLASS=Q,
// NOTIFY=&SYSUID,
// REGION=8M
//******************************************************************
//* Sample job stream to UNZIP a zipped VSAM file *
//* archive of "PKWARE.VSAMKSDS.ARCHIVE" back to its original *
//* VSAM structure. *
//******************************************************************
//*
//UNZIP3 EXEC PGM=SECUNZIP,PARM='-ECHO '
//STEPLIB DD DISP=SHR,DSN=SECZIP.MVS.LOAD
//SYSPRINT DD SYSOUT=*
//SYSABEND DD SYSOUT=*
//SYSIN DD *
-ARCHIVE_DSN(PKWARE.VSAMKSDS.ARCHIVE)
/*
//

Resulting output

ZPAM030I INPUT Archive opened: PKWARE.VSAMKSDS.ARCHIVE
ZPEX002I PKWARE/SAMPLE/KSDS
ZPEX003I Extracted to PKWARE.SAMPLE.KSDS
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)

C 3490 Installation JCL (COPYCART)

//pkwaretp JOB (xxxxxx),'xxx', <===
// CLASS=x, <===
// MSGCLASS=x, <===
// MSGLEVEL=(1,1),
// NOTIFY=&SYSUID,
// REGION=6144K,
// TIME=1440
//*
//*******************************************************************
//* *
//* All lines with '<==='; "lowercase" values will require *
//* review & change. *
//* *
//* In ISPF use the < CHANGE ALL > command to edit *
//* the lower case parameter selections to the value *
//* you select, for instance if UNIT=SYSDA is valid *
//* for JCL enter < CHANGE ALL sysda SYSDA > to *
//* replace all occurrences in this member. *
//* *
//* CHANGE ALL: *
//* Edit the Job Card as needed. *
//* *
//* seczip.mvs - to the ALIAS for SecureZIP MVS files *
//* *
//* disk - to the UNIT type for PDS files *
//* *
//* sysda - to the UNIT type for temporary files *
//* *
//* seczip1 - to the Volume Serial Number of the install tape *
//* *
//* tape - to the UNIT type for tape *
//* *
//* volume - to the VOLUME for the PDS files *
//* *
//*******************************************************************
//*
//*******************************************************************
//* ==>RESTORE "seczip.mvs.CEXEC" TO CUSTOMERS DASD<== *
//*******************************************************************
//JS010 EXEC PGM=IEBCOPY
//*
//SYSUT1 DD DSN=PKWARE.MVS.CEXEC,
// UNIT=tape,LABEL=(,SL), <===
// DISP=OLD,VOL=(,RETAIN,,,SER=seczip1) <===
//*
//SYSUT2 DD DSN=seczip.mvs.CEXEC, <===
// DISP=(NEW,CATLG,DELETE),
// SPACE=(CYL,(1,1,52)),
// UNIT=disk, <===
// VOL=SER=volume <===
//*
//SYSUT3 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//SYSUT4 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//*
//SYSPRINT DD SYSOUT=*
//*
//SYSIN DD *
  COPY INDD=SYSUT1,OUTDD=SYSUT2
/*
//*
//*******************************************************************
//* ==>RESTORE "seczip.mvs.HELP" TO CUSTOMERS DASD<== *
//*******************************************************************
//JS020 EXEC PGM=IEBCOPY
//*
//SYSUT1 DD DSN=PKWARE.MVS.HELP,
// VOL=(,RETAIN,REF=*.JS010.SYSUT1),
// UNIT=(tape,,DEFER),LABEL=(2,SL), <===
// DISP=OLD
//*
//SYSUT2 DD DSN=seczip.mvs.HELP, <===
// DISP=(NEW,CATLG,DELETE),
// SPACE=(CYL,(10,10,99)),
// UNIT=disk, <===
// VOL=SER=volume <===
//*
//SYSUT3 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//SYSUT4 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//*
//SYSPRINT DD SYSOUT=*
//*
//SYSIN DD *
  COPY INDD=SYSUT1,OUTDD=SYSUT2
/*
//*
//*******************************************************************
//* ==>RESTORE "seczip.mvs.INSTLIB" TO CUSTOMERS DASD<== *
//*******************************************************************
//JS030 EXEC PGM=IEBCOPY
//*
//SYSUT1 DD DSN=PKWARE.MVS.INSTLIB,
// VOL=(,RETAIN,REF=*.JS020.SYSUT1),
// UNIT=(tape,,DEFER),LABEL=(3,SL), <===
// DISP=OLD
//*
//SYSUT2 DD DSN=seczip.mvs.INSTLIB, <===
// DISP=(NEW,CATLG,DELETE),
// SPACE=(CYL,(10,10,52)),
// UNIT=disk, <===
// VOL=SER=volume <===
//*
//SYSUT3 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//SYSUT4 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//*
//SYSPRINT DD SYSOUT=*
//*
//SYSIN DD *
  COPY INDD=SYSUT1,OUTDD=SYSUT2
/*
//*
//*******************************************************************
//* ==>RESTORE "seczip.mvs.LOAD" TO CUSTOMERS DASD<== *
//*******************************************************************
//JS040 EXEC PGM=IEBCOPY
//*
//SYSUT1 DD DSN=PKWARE.MVS.LOAD,
// VOL=(,RETAIN,REF=*.JS030.SYSUT1),
// UNIT=(tape,,DEFER),LABEL=(4,SL), <===
// DISP=OLD
//*
//SYSUT2 DD DSN=seczip.mvs.LOAD, <===
// DISP=(NEW,CATLG,DELETE),
// SPACE=(CYL,(50,10,52)),
// UNIT=disk, <===
// VOL=SER=volume <===
//*
//SYSUT3 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//SYSUT4 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//*
//SYSPRINT DD SYSOUT=*
//*
//SYSIN DD *
  COPY INDD=SYSUT1,OUTDD=SYSUT2
/*
//*
//*******************************************************************
//* ==>RESTORE "seczip.mvs.MACLIB" TO CUSTOMERS DASD<== *
//*******************************************************************
//JS050 EXEC PGM=IEBCOPY
//*
//SYSUT1 DD DSN=PKWARE.MVS.MACLIB,
// VOL=(,RETAIN,REF=*.JS040.SYSUT1),
// UNIT=(tape,,DEFER),LABEL=(5,SL), <===
// DISP=OLD
//*
//SYSUT2 DD DSN=seczip.mvs.MACLIB, <===
// DISP=(NEW,CATLG,DELETE),
// SPACE=(CYL,(10,10,52)),
// UNIT=disk, <===
// VOL=SER=volume <===
//*
//SYSUT3 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//SYSUT4 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//*
//SYSPRINT DD SYSOUT=*
//*
//SYSIN DD *
  COPY INDD=SYSUT1,OUTDD=SYSUT2
/*
//*
//*******************************************************************
//* ==>RESTORE "seczip.mvs.SPKZCLIB" TO CUSTOMERS DASD<== *
//*******************************************************************
//JS060 EXEC PGM=IEBCOPY
//*
//SYSUT1 DD DSN=PKWARE.MVS.SPKZCLIB,
// VOL=(,RETAIN,REF=*.JS050.SYSUT1),
// UNIT=(tape,,DEFER),LABEL=(6,SL), <===
// DISP=OLD
//*
//SYSUT2 DD DSN=seczip.mvs.SPKZCLIB, <===
// DISP=(NEW,CATLG,DELETE),
// SPACE=(CYL,(1,1,52)),
// UNIT=disk, <===
// VOL=SER=volume <===
//*
//SYSUT3 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//SYSUT4 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//*
//SYSPRINT DD SYSOUT=*
//*
//SYSIN DD *
  COPY INDD=SYSUT1,OUTDD=SYSUT2
/*
//*
//*******************************************************************
//* ==>RESTORE "seczip.mvs.SPKZMLIB" TO CUSTOMERS DASD<== *
//*******************************************************************
//JS070 EXEC PGM=IEBCOPY
//*
//SYSUT1 DD DSN=PKWARE.MVS.SPKZMLIB,
// VOL=(,RETAIN,REF=*.JS060.SYSUT1),
// UNIT=(tape,,DEFER),LABEL=(7,SL), <===
// DISP=OLD
//*
//SYSUT2 DD DSN=seczip.mvs.SPKZMLIB, <===
// DISP=(NEW,CATLG,DELETE),
// SPACE=(CYL,(1,1,52)),
// UNIT=disk, <===
// VOL=SER=volume <===
//*
//SYSUT3 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//SYSUT4 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//*
//SYSPRINT DD SYSOUT=*
//*
//SYSIN DD *
  COPY INDD=SYSUT1,OUTDD=SYSUT2
/*
//*
//*******************************************************************
//* ==>RESTORE "seczip.mvs.SPKZPLIB" TO CUSTOMERS DASD<== *
//*******************************************************************
//JS080 EXEC PGM=IEBCOPY
//*
//SYSUT1 DD DSN=PKWARE.MVS.SPKZPLIB,
// VOL=(,RETAIN,REF=*.JS070.SYSUT1),
// UNIT=(tape,,DEFER),LABEL=(8,SL), <===
// DISP=OLD
//*
//SYSUT2 DD DSN=seczip.mvs.SPKZPLIB, <===
// DISP=(NEW,CATLG,DELETE),
// SPACE=(CYL,(1,1,52)),
// UNIT=disk, <===
// VOL=SER=volume <===
//*
//SYSUT3 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//SYSUT4 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//*
//SYSPRINT DD SYSOUT=*
//*
//SYSIN DD *
  COPY INDD=SYSUT1,OUTDD=SYSUT2
/*
//*
//*******************************************************************
//* ==>RESTORE "seczip.mvs.SPKZTLIB" TO CUSTOMERS DASD<== *
//*******************************************************************
//JS090 EXEC PGM=IEBCOPY
//*
//SYSUT1 DD DSN=PKWARE.MVS.SPKZTLIB,
// VOL=(,RETAIN,REF=*.JS080.SYSUT1),
// UNIT=(tape,,DEFER),LABEL=(9,SL), <===
// DISP=OLD
//*
//SYSUT2 DD DSN=seczip.mvs.SPKZTLIB, <===
// DISP=(NEW,CATLG,DELETE),
// SPACE=(CYL,(1,1,52)),
// UNIT=disk, <===
// VOL=SER=volume <===
//*
//SYSUT3 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//SYSUT4 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//*
//SYSPRINT DD SYSOUT=*
//*
//SYSIN DD *
  COPY INDD=SYSUT1,OUTDD=SYSUT2
/*
//*******************************************************************
//* ==>RESTORE "seczip.mvs.SPKZSLIB" TO CUSTOMERS DASD<== *
//*******************************************************************
//JS100 EXEC PGM=IEBCOPY
//*
//SYSUT1 DD DSN=PKWARE.MVS.SPKZSLIB,
// VOL=(,RETAIN,REF=*.JS090.SYSUT1),
// UNIT=(tape,,DEFER),LABEL=(10,SL), <===
// DISP=OLD
//*
//SYSUT2 DD DSN=seczip.mvs.SPKZSLIB, <===
// DISP=(NEW,CATLG,DELETE),
// SPACE=(CYL,(1,1,52)),
// UNIT=disk, <===
// VOL=SER=volume <===
//*
//SYSUT3 DD UNIT=SYSDA,SPACE=(CYL,(5,5))
//SYSUT4 DD UNIT=SYSDA,SPACE=(CYL,(5,5))
//*
//SYSPRINT DD SYSOUT=*
//*
//SYSIN DD *
  COPY INDD=SYSUT1,OUTDD=SYSUT2
/*
//*******************************************************************
//* ==>RESTORE "seczip.mvs.INSTLIB2" TO CUSTOMERS DASD<== *
//*******************************************************************
//JS110 EXEC PGM=IEBCOPY
//*
//SYSUT1 DD DSN=PKWARE.MVS.INSTLIB2,
// VOL=(,RETAIN,REF=*.JS100.SYSUT1),
// UNIT=(tape,,DEFER),LABEL=(11,SL), <===
// DISP=OLD
//*
//SYSUT2 DD DSN=seczip.mvs.INSTLIB2, <===
// DISP=(NEW,CATLG,DELETE),
// SPACE=(CYL,(2,1,5)),
// UNIT=disk, <===
// VOL=SER=volume <===
//*
//SYSUT3 DD UNIT=SYSDA,SPACE=(CYL,(5,5))
//SYSUT4 DD UNIT=SYSDA,SPACE=(CYL,(5,5))
//*
//SYSPRINT DD SYSOUT=*
//*
//SYSIN DD *
  COPY INDD=SYSUT1,OUTDD=SYSUT2
//*
//*******************************************************************
//* ==>RESTORE "seczip.mvs.SMP.MCS" TO CUSTOMERS DASD<== *
//*******************************************************************
//JS120 EXEC PGM=IEBGENER
//*
//SYSUT1 DD DSN=PKWARE.MVS.SMP.MCS,
// VOL=(,RETAIN,REF=*.JS110.SYSUT1),
// UNIT=(tape,,DEFER),LABEL=(12,SL), <===
// DISP=OLD
//*
//SYSUT2 DD DSN=seczip.mvs.SMP.MCS, <===
// DISP=(NEW,CATLG,DELETE),
// SPACE=(CYL,(2,9)),
// UNIT=disk, <===
// VOL=SER=volume <===
//*
//SYSUT3 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//SYSUT4 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//*
//SYSPRINT DD SYSOUT=*
//*
//SYSIN DD DUMMY
/*
//*******************************************************************
//* ==>RESTORE "seczip.mvs.SMP.DLOAD" TO CUSTOMERS DASD<== *
//*******************************************************************
//JS130 EXEC PGM=IEBCOPY
//*
//SYSUT1 DD DSN=PKWARE.MVS.SMP.DLOAD,
// VOL=(,RETAIN,REF=*.JS120.SYSUT1),
// UNIT=(tape,,DEFER),LABEL=(13,SL), <===
// DISP=OLD
//*
//SYSUT2 DD DSN=seczip.mvs.SMP.DLOAD, <===
// DISP=(NEW,CATLG,DELETE),
// SPACE=(CYL,(10,10,99),RLSE),
// UNIT=disk, <===
// VOL=SER=volume <===
//*
//SYSUT3 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//SYSUT4 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//*
//SYSPRINT DD SYSOUT=*
//*
//SYSIN DD *
  COPY INDD=SYSUT1,OUTDD=SYSUT2
/*
//*******************************************************************
//* ==>RESTORE "seczip.mvs.SMP.DCEXE" TO CUSTOMERS DASD<== *
//*******************************************************************
//JS140 EXEC PGM=IEBCOPY
//*
//SYSUT1 DD DSN=PKWARE.MVS.SMP.DCEXE,
// VOL=(,RETAIN,REF=*.JS130.SYSUT1),
// UNIT=(tape,,DEFER),LABEL=(14,SL), <===
// DISP=OLD
//*
//SYSUT2 DD DSN=seczip.mvs.SMP.DCEXE, <===
// DISP=(NEW,CATLG,DELETE),
// SPACE=(CYL,(10,10,99),RLSE),
// UNIT=disk, <===
// VOL=SER=volume <===
//*
//SYSUT3 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//SYSUT4 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//*
//SYSPRINT DD SYSOUT=*
//*
//SYSIN DD *
  COPY INDD=SYSUT1,OUTDD=SYSUT2
/*
//*******************************************************************
//* ==>RESTORE "seczip.mvs.SMP.DCLIB" TO CUSTOMERS DASD<== *
//*******************************************************************
//JS150 EXEC PGM=IEBCOPY
//*
//SYSUT1 DD DSN=PKWARE.MVS.SMP.DCLIB,
// VOL=(,RETAIN,REF=*.JS140.SYSUT1),
// UNIT=(tape,,DEFER),LABEL=(15,SL), <===
// DISP=OLD
//*
//SYSUT2 DD DSN=seczip.mvs.SMP.DCLIB, <===
// DISP=(NEW,CATLG,DELETE),
// SPACE=(CYL,(10,10,99),RLSE),
// UNIT=disk, <===
// VOL=SER=volume <===
//*
//SYSUT3 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//SYSUT4 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//*
//SYSPRINT DD SYSOUT=*
//*
//SYSIN DD *
  COPY INDD=SYSUT1,OUTDD=SYSUT2
/*
//*******************************************************************
//* ==>RESTORE "seczip.mvs.SMP.DHELP" TO CUSTOMERS DASD<== *
//*******************************************************************
//JS160 EXEC PGM=IEBCOPY
//*
//SYSUT1 DD DSN=PKWARE.MVS.SMP.DHELP,
// VOL=(,RETAIN,REF=*.JS150.SYSUT1),
// UNIT=(tape,,DEFER),LABEL=(16,SL), <===
// DISP=OLD
//*
//SYSUT2 DD DSN=seczip.mvs.SMP.DHELP, <===
// DISP=(NEW,CATLG,DELETE),
// SPACE=(CYL,(10,10,99),RLSE),
// UNIT=disk, <===
// VOL=SER=volume <===
//*
//SYSUT3 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//SYSUT4 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//*
//SYSPRINT DD SYSOUT=*
//*
//SYSIN DD *
  COPY INDD=SYSUT1,OUTDD=SYSUT2
/*
//*******************************************************************
//* ==>RESTORE "seczip.mvs.SMP.DINST" TO CUSTOMERS DASD<== *
//*******************************************************************
//JS170 EXEC PGM=IEBCOPY
//*
//SYSUT1 DD DSN=PKWARE.MVS.SMP.DINST,
// VOL=(,RETAIN,REF=*.JS160.SYSUT1),
// UNIT=(tape,,DEFER),LABEL=(17,SL), <===
// DISP=OLD
//*
//SYSUT2 DD DSN=seczip.mvs.SMP.DINST, <===
// DISP=(NEW,CATLG,DELETE),
// SPACE=(CYL,(10,10,99),RLSE),
// UNIT=disk, <===
// VOL=SER=volume <===
//*
//SYSUT3 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//SYSUT4 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//*
//SYSPRINT DD SYSOUT=*
//*
//SYSIN DD *
  COPY INDD=SYSUT1,OUTDD=SYSUT2
/*
//*******************************************************************
//* ==>RESTORE "seczip.mvs.SMP.DPLIB" TO CUSTOMERS DASD<== *
//*******************************************************************
//JS180 EXEC PGM=IEBCOPY
//*
//SYSUT1 DD DSN=PKWARE.MVS.SMP.DPLIB,
// VOL=(,RETAIN,REF=*.JS170.SYSUT1),
// UNIT=(tape,,DEFER),LABEL=(18,SL), <===
// DISP=OLD
//*
//SYSUT2 DD DSN=seczip.mvs.SMP.DPLIB, <===
// DISP=(NEW,CATLG,DELETE),
// SPACE=(CYL,(10,10,99),RLSE),
// UNIT=disk, <===
// VOL=SER=volume <===
//*
//SYSUT3 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//SYSUT4 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//*
//SYSPRINT DD SYSOUT=*
//*
//SYSIN DD *
  COPY INDD=SYSUT1,OUTDD=SYSUT2
/*
//*******************************************************************
//* ==>RESTORE "seczip.mvs.SMP.DMACL" TO CUSTOMERS DASD<== *
//*******************************************************************
//JS190 EXEC PGM=IEBCOPY
//*
//SYSUT1 DD DSN=PKWARE.MVS.SMP.DMACL,
// VOL=(,RETAIN,REF=*.JS180.SYSUT1),
// UNIT=(tape,,DEFER),LABEL=(19,SL), <===
// DISP=OLD
//*
//SYSUT2 DD DSN=seczip.mvs.SMP.DMACL, <===
// DISP=(NEW,CATLG,DELETE),
// SPACE=(CYL,(10,10,99),RLSE),
// UNIT=disk, <===
// VOL=SER=volume <===
//*
//SYSUT3 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//SYSUT4 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//*
//SYSPRINT DD SYSOUT=*
//*
//SYSIN DD *
  COPY INDD=SYSUT1,OUTDD=SYSUT2
/*
//*******************************************************************
//* ==>RESTORE "seczip.mvs.SMP.DMLIB" TO CUSTOMERS DASD<== *
//*******************************************************************
//JS200 EXEC PGM=IEBCOPY
//*
//SYSUT1 DD DSN=PKWARE.MVS.SMP.DMLIB,
// VOL=(,RETAIN,REF=*.JS190.SYSUT1),
// UNIT=(tape,,DEFER),LABEL=(20,SL), <===
// DISP=OLD
//*
//SYSUT2 DD DSN=seczip.mvs.SMP.DMLIB, <===
// DISP=(NEW,CATLG,DELETE),
// SPACE=(CYL,(10,10,99),RLSE),
// UNIT=disk, <===
// VOL=SER=volume <===
//*
//SYSUT3 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//SYSUT4 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//*
//SYSPRINT DD SYSOUT=*
//*
//SYSIN DD *
  COPY INDD=SYSUT1,OUTDD=SYSUT2
/*
//*******************************************************************
//* ==>RESTORE "seczip.mvs.SMP.DTLIB" TO CUSTOMERS DASD<== *
//*******************************************************************
//JS210 EXEC PGM=IEBCOPY
//*
//SYSUT1 DD DSN=PKWARE.MVS.SMP.DTLIB,
// VOL=(,RETAIN,REF=*.JS200.SYSUT1),
// UNIT=(tape,,DEFER),LABEL=(21,SL), <===
// DISP=OLD
//*
//SYSUT2 DD DSN=seczip.mvs.SMP.DTLIB, <===
// DISP=(NEW,CATLG,DELETE),
// SPACE=(CYL,(10,10,99),RLSE),
// UNIT=disk, <===
// VOL=SER=volume <===
//*
//SYSUT3 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//SYSUT4 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//*
//SYSPRINT DD SYSOUT=*
//*
//SYSIN DD *
  COPY INDD=SYSUT1,OUTDD=SYSUT2
/*
//*******************************************************************
//* ==>RESTORE "seczip.mvs.SMP.DINS2" TO CUSTOMERS DASD<== *
//*******************************************************************
//JS220 EXEC PGM=IEBCOPY
//*
//SYSUT1 DD DSN=PKWARE.MVS.SMP.DINS2,
// VOL=(,RETAIN,REF=*.JS210.SYSUT1),
// UNIT=(tape,,DEFER),LABEL=(22,SL), <===
// DISP=OLD
//*
//SYSUT2 DD DSN=seczip.mvs.SMP.DINS2, <===
// DISP=(NEW,CATLG,DELETE),
// SPACE=(CYL,(10,10,99),RLSE),
// UNIT=disk, <===
// VOL=SER=volume <===
//*
//SYSUT3 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//SYSUT4 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//*
//SYSPRINT DD SYSOUT=*
//*
//SYSIN DD *
  COPY INDD=SYSUT1,OUTDD=SYSUT2
/*
//*******************************************************************
//* ==>RESTORE "seczip.mvs.SMP.DSLIB" TO CUSTOMERS DASD<== *
//*******************************************************************
//JS230 EXEC PGM=IEBCOPY
//*
//SYSUT1 DD DSN=PKWARE.MVS.SMP.DSLIB,
// VOL=(,RETAIN,REF=*.JS220.SYSUT1),
// UNIT=(tape,,DEFER),LABEL=(23,SL), <===
// DISP=OLD
//*
//SYSUT2 DD DSN=seczip.mvs.SMP.DSLIB, <===
// DISP=(NEW,CATLG,DELETE),
// SPACE=(CYL,(10,10,99),RLSE),
// UNIT=disk, <===
// VOL=SER=volume <===
//*
//SYSUT3 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//SYSUT4 DD UNIT=sysda,SPACE=(CYL,(5,5)) <===
//*
//SYSPRINT DD SYSOUT=*
//*
//SYSIN DD *
  COPY INDD=SYSUT1,OUTDD=SYSUT2
/*
//


D Making Code Page Translate Tables (EDCICONV)

Translation Tables

Text data is represented by one of two base English character encoding schemes: EBCDIC or ASCII. In each scheme, individual alphanumeric characters are assigned an internal numeric code within the range of 0-255 (hexadecimal 00-FF). Although most of the same characters (e.g., A-Z, a-z, 0-9) are contained in the EBCDIC and ASCII character sets, different numeric code assignments are used for each. SecureZIP for zSeries™ translates EBCDIC characters into the ASCII character set, which is the standard set used by ZIP compatible products to store text data.

Situations may arise, in unique platform interchanges or when working with text files from different countries, in which the default translation table is not adequate. Users may select any available translation table by using the TRANSLATE_TABLE_DATA command.

EBC#8859 is the default if TRANSLATE_TABLE_DATA is not specified. If a table other than ASCII is used often, you can make it the default, and eliminate the need to use the TRANSLATE_TABLE_DATA command each time.

Code Page Support

SecureZIP for zSeries provides certain “ready to use” translation tables commonly used in an IBM EBCDIC environment. These tables are provided “as is” and are not supported as part of SecureZIP for zSeries. It is the user’s responsibility to ensure that data translation mapping satisfies their requirements. Additional source tables (as described under International Code Page Support below) have been provided as samples in the product install library for use by installations with special translation needs.

There are many other specialized character sets available to the user community that may be required. OS/390 and z/OS provide a data translation feature, ICONV, that can be used to generate translate tables compatible with SecureZIP for zSeries. This section describes a process that can be used to create customized translation tables.


For more details about specific code pages supported by the IBM ICONV utility, see the International Components for Unicode website at http://oss.software.ibm.com/cgi-bin/icu/convexp.

International Code Page Support

The source tables for the following international code pages are provided in SecureZIP for zSeries. They are provided in the INSTLIB library as member name TRTxxyy. The suffix xx = LANGUAGE and suffix yy = ASCII OR EURO ASCII.

For example, to translate Spanish to Euro ASCII and back you would use table TRTEJAI.

| Language | EBCDIC Code Page | ASCII Code Page | EURO/ASCII Code Page | EBCDIC Code Set ID | ASCII Code Set ID | EURO/ASCII Code Set ID | Table Name ASCII | Table Name EURO |
|---|---|---|---|---|---|---|---|---|
| German | 273 | 850 | 858 | EB | AA | AI | TRTEBAA | TRTEBAI |
| Spanish | 284 | 850 | 858 | EJ | AA | AI | TRTEJAA | TRTEJAI |
| Portuguese | 282 | 850 | 858 | EI | AA | AI | TRTEIAA | TRTEIAI |
| Italian | 280 | 850 | 858 | EG | AA | AI | TRTEGAA | TRTEGAI |
| Danish | 277 | 850 | 858 | EE | AA | AI | TRTEEAA | TRTEEAI |
| Norwegian | 277 | 850 | 858 | EE | AA | AI | TRTEEAA | TRTEEAI |
| Swedish | 278 | 850 | 858 | EF | AA | AI | TRTEFAA | TRTEFAI |
| Finnish | 278 | 850 | 858 | EF | AA | AI | TRTEFAA | TRTEFAI |
| French | 297 | 850 | 858 | EM | AA | AI | TRTEMAA | TRTEMAI |
| English UNIX | IBM 1047 | ISO 8859-1 | | | | | EBC#8859 | |
| English PC | IBM 1047 | IBM 850 | | | | | EBC#850 | |

Code Conversion Utility

The ICONV utility reads characters from the input file, converts them from “fromCodeSet” encoding to “toCodeSet” encoding, and writes them to the output file.

EDCICONV is a procedure provided with the IBM Language Extensions product that is used to invoke the ICONV functions. Documentation about the ICONV functions is contained within the procedure and is fully documented in IBM's z/OS V1R1.0 C/C++ Programming Guide.

The following sample job (found in SECZIP.MVS.INSTLIB(MAKETRT)) executes the EDCICONV procedure twice to perform codeset translations and then combines the translation table source into a single source table that can be assembled for use by SecureZIP for zSeries.

In the example, the first step translates a known table from French to the Euro codeset and the second step converts it back. The CODEIN table is provided in the SecureZIP for zSeries install library and has all values from x'00' to x'ff'. The parameter FROMC= is the 2 character designator for the "from" codeset and the parameter TOC= is the 2 character designator for the "to" codeset. The third step executes a SECZIP utility, BUILDTAB, which takes the two codesets that were created and generates assembler language source for a table that can be assembled, linked and subsequently used with SECZIP.

The parameter required for this step is the 2 character designator for the "from" codeset followed by the 2 character designator for the "to" codeset.

Translate Table Generation

Member ASMTRTS in INSTLIB will assemble the generated source and link it as a translate table in the SecureZIP for zSeries load library.

Sample Job

//JOBNAME  JOB (ACCT),'PRGRMR',CLASS=A,MSGCLASS=X,MSGLEVEL=(1,1),
//         NOTIFY=&SYSUID,TIME=1440,REGION=6144K
//*
//         JCLLIB ORDER=CEE.SCEEPROC
//*
//* step 1 uses the ICONV function of LE to create the codeset for
//* converting from French in this example to the Euro codeset
//*
//STEP1    EXEC EDCICONV,
//         INFILE=SECZIP.MVS.INSTLIB(CODEIN),
//         OUTFILE=USERID.TEST.CODESETS(EMAI),
//         FROMC=IBM-297,TOC=IBM-858
//*
//* step 2 uses the ICONV function of LE to create the codeset for
//* converting from Euro in this example to the French codeset
//*
//STEP2    EXEC EDCICONV,
//         INFILE=SECZIP.MVS.INSTLIB(CODEIN),
//         OUTFILE=USERID.TEST.CODESETS(AIEM),
//         FROMC=IBM-858,TOC=IBM-297
//*
//* step 3 uses a utility to generate assembler language source
//* from the output created in the previous two steps. The assembler
//* language source is used as input to the ASMTRTS job stream in
//* the install library to create a table useable by SECZIP for
//* zSeries. Please note that
//* SecureZIP for zSeries relies on the DATA_DELIMITER and
//* FILE_TERMINATOR characters. Anytime a non-standard table is
//* used, it is the users' responsibility to ensure the correct
//* values are specified for these processing options. Failure to
//* do so may render the user data unuseable.
//*
//STEP3    EXEC PGM=BUILDTAB,PARM='EMAI'
//STEPLIB  DD DSN=SECZIP.MVS.LOAD,DISP=SHR
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//TABIN    DD DSN=USERID.TEST.CODESETS(EMAI),DISP=SHR
//         DD DSN=USERID.TEST.CODESETS(AIEM),DISP=SHR
//TABOUT   DD DSN=USERID.TEST.TRTABS(TRTEMAI),DISP=OLD


Notes:

• The ICONV functions will make multiple code conversions if a direct translation from one codeset to another is not available. The interim codeset it uses is UCS2. Some installations disallow ICONV from using an interim code table via installation options and if that is the case it can be done manually by adding the additional steps.

• Currently, double byte character sets are not supported by the BUILDTAB utility.

• The specification of DATA_DELIMITER and FILE_TERMINATOR characters may be required depending on the character sets being used. The correct specification for those characters is critical for subsequent access to the data.
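The round trip behind the sample job (push every value from x'00' to x'FF' through the "from" and "to" codesets, then check the resulting pair) can be rehearsed off-host before a custom table is put into use. The following is an added example, not part of the PKWARE guide or its tooling: it assumes Python's cp273 and cp858 codecs as stand-ins for IBM-273 and IBM-858 (the German row of the table), which may differ from ICONV's own mappings, and the byte values listed as critical characters are constructed for illustration.

```python
"""Added example: verify an EBCDIC<->ASCII translate-table pair before use.

Assumption: Python's cp273 / cp858 codecs stand in for ICONV's IBM-273 and
IBM-858. ICONV's tables may map some code points differently.
"""

# Same idea as the CODEIN member: one of every byte value, x'00'..x'FF'.
CODEIN = bytes(range(256))


def build_table(from_codec, to_codec):
    """Return a 256-entry list where table[src_byte] is the target byte,
    or None when the character does not exist in the target code page."""
    table = []
    for b in CODEIN:
        try:
            ch = bytes([b]).decode(from_codec)
            out = ch.encode(to_codec)
        except UnicodeError:
            table.append(None)          # no single-step mapping available
            continue
        table.append(out[0] if len(out) == 1 else None)
    return table


def lossy_bytes(forward, reverse):
    """Source bytes that do not come back unchanged after forward+reverse."""
    bad = []
    for src, dst in enumerate(forward):
        if dst is None or reverse[dst] != src:
            bad.append(src)
    return bad


def check_critical(forward, reverse, critical):
    """For each named source byte, report True if it survives the round trip.

    Use this for whatever characters the job depends on, such as the values
    chosen for DATA_DELIMITER and FILE_TERMINATOR.
    """
    lossy = set(lossy_bytes(forward, reverse))
    return {name: byte not in lossy for name, byte in critical.items()}


if __name__ == "__main__":
    fwd = build_table("cp273", "cp858")   # EBCDIC German -> Euro ASCII
    rev = build_table("cp858", "cp273")   # Euro ASCII -> EBCDIC German

    lossy = lossy_bytes(fwd, rev)
    print(f"{len(lossy)} of 256 source bytes do not round-trip:")
    print(" ".join(f"x'{b:02X}'" for b in lossy))

    # Constructed candidates for record/line control characters; these are
    # illustrative values, not SecureZIP defaults.
    candidates = {
        "EBCDIC CR x'0D'": 0x0D,
        "EBCDIC NL x'15'": 0x15,
        "EBCDIC LF x'25'": 0x25,
    }
    for name, ok in check_critical(fwd, rev, candidates).items():
        print(f"{name}: {'round-trips' if ok else 'NOT preserved'}")
```

Any byte reported as not preserved needs an explicit decision (an interim codeset, a hand-edited table entry, or a different delimiter choice) before the table is assembled.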


E FIPS-197 AES Certification of PKZIP

The implementation of the AES algorithm used by PKZIP for MVS, Version 5.5 and higher (which includes SecureZIP for zSeries), has been validated in accordance with FIPS-197 for the Advanced Encryption Standard.

The NIST (National Institute of Standards and Technology), a branch of the US government and certified practitioners of the AES (Advanced Encryption Standard), has recognized PKWARE for demonstrating strong security competence in regards to the algorithm's strength and implementation within our products.

A list of AES implementations that NIST has validated as correctly implementing the AES algorithm can be found on the NIST Web site:

http://www.csrc.nist.gov/cryptval/aes/aesval.html


F Contact Information

PKWARE, Inc. Web Site: www.pkware.com

For Licensing, please contact the Sales Division at 937-847-2374 or email [email protected].

For Technical Support assistance, please contact the Product Services Division at 937-847-2687 or visit the support web site.

PROBLEM REPORTING

Providing appropriate documentation on the initial call for a problem expedites the analysis and resolution process. The following sections describe the type of information that should be supplied for each category of problem.

General

Licensing

ISPF

General

When reporting a problem regarding SecureZIP for zSeries, please be prepared to provide the following information:

The release level of the operating system SecureZIP for zSeries is running under.

The release level of SecureZIP for zSeries being run. This information can be found in the SYSPRINT output in message-ID ZPLI001I.

A description of the process being run and any differentiating circumstances from job(s) that do run.

A copy of the SYSPRINT output from a failing execution, with the command "-SHOW_SETTINGS" as the last command in the SYSIN.


Note: In ISPF, the SYSPRINT output is written to a work file that is available immediately following the failure. The work file is overwritten with each new request and can be found by selecting the following option from the main ISPF panel:

"S Sysprint Browse Log of last on-line execution"

A copy of the JOBLOG for a batch job execution.

If practical, please include the archive/Input File involved in the failing execution.

In the case of an Abend, a copy of the DUMP output from a failing execution with a //SYSABEND DD. This dump can be zipped (as TEXT) before transferring.

In the case of a LOOP/WAIT condition, cancel the run with a dump. Make sure the cancelled run contains a //SYSABEND DD. This dump can be zipped (as TEXT) before transferring.

When providing a SYSABEND DUMP, please remove any ABEND handlers such as ABEND AID or DUMP MASTER from the failing run.

ABEND AID can be circumvented by providing the "//ABNLIGNR DD DUMMY" JCL statement.

Output from a VIEWDETAIL before and after an update is performed.

If requested by Technical Support, SYSPRINT with various tracing options turned on.

Licensing

When reporting a problem regarding LICENSING, please be prepared to provide the following information:

A copy of the JES output from the LICSHSYS job in INSTLIB.

A copy of the JES output from the LICPRINT job in INSTLIB.

If this is a build of a License then supply a copy of the JES output from the License update job (LICUPDAT) being run.

If the problem occurs in a SecureZIP job then follow the steps outlined above for SecureZIP for zSeries.

ISPF

When reporting a problem regarding ISPF, please be prepared to provide a description of the problem that includes the following:

The option selected

Any additional panel selections

The archive file type

A copy of the archive if an UNZIP or View operation is involved.

Description of results

Copy of the SYSPRINT of last operation (Option S)

Any error messages (screen capture/cut and paste as needed).

Release level of SecureZIP for zSeries (is displayed in SYSPRINT).


A logical print of active allocations for the session.

From the command line of the SecureZIP panel involved, issue the command "TSO ISRDDN"

From the ISRDDN screen display "Current Data Set Allocations", issue the command "PRINTL"

Exit ISPF, when prompted select LIST data set options, Keep data set - New

Note the data set name that is kept and include its contents.

FTP SERVER requirements

To upload abend dumps or printouts to PKWARE use the following JCL as an example:

//FTPSTEP  EXEC PGM=FTP,PARM='BIGIRON.PKWARE.COM (EXIT'
//SYSPRINT DD SYSOUT=*
//INPUT    DD *
FTP_SUPPORT PKW!PKW
CWD USUPPORT
BINARY
PUT 'YOUR.FULLY.QUALIFID.DSN'
CLOSE
QUIT
//


Glossary

This glossary provides definitions for items that may have been referenced in the SecureZIP for zSeries documentation. It is not meant to be exhaustive. There are excellent sources of documentation for computing terms on the Internet. For example:

IBM’s Terminology Web Site

http://www.networking.ibm.com/nsg/nsgmain.htm

Absolute Path Name

A string of characters that is used to refer to an object, starting at the highest level (or root) of the directory hierarchy. The absolute path name must begin with a slash (/), which indicates that the path begins at the root. This is in contrast to a Relative Path Name.

Access Method

A technique that is used to read a record from, or to write a record into, a file. Usually either SAM (Sequential Access Method, where records are processed one after another in the order in which they appear in the file) or random (the individual records can be processed in any order), such as VSAM.

AES

The Advanced Encryption Standard is the official US Government encryption standard for customer data.

Alternate Index

An index of a file based on a key different from the base. It allows the file to be processed in a secondary key order.

American Standard Code for Information Interchange (ASCII)

The ASCII code (American Standard Code for Information Interchange) was developed by the American National Standards Institute for information exchange among data processing systems, data communications systems, and associated equipment, and is the standard character set used on MS-DOS and UNIX-based operating systems. In a ZIP archive, ASCII is used as the normal character set for compressed text files. The ASCII character set consists of 7-bit control characters and symbolic characters, plus a single parity bit. Since ASCII is used by most microcomputers and printers, text-only files can be transferred easily between different kinds of computers and operating systems. While ASCII code does include characters to indicate backspace, carriage return, etc., it does not include accents and special letters that are not used in English. To accommodate those special characters, Extended ASCII has additional characters (128-255). Only the first 128 characters in the ASCII character set are standard on all systems. Others may be different for a given language set. It may be necessary to create different translation tables (see Translation Table) to create standard translation between ASCII and other character sets.

American National Standards Institute (ANSI)

An organization sponsored by the Computer and Business Equipment Manufacturers Association for establishing voluntary industry standards.

Application Programming Interface (API)

An interface between the operating system (or systems-related program) that allows an application program written in a high-level language to use specific data or services of the operating system or the program. The API also allows you to develop an application program written in a high-level language to access SECZIP data and/or functions of the SECZIP system.

Application System/400 (iSeries)

One of a family of general purpose systems with a single operating system, Operating System/400, that provides application portability across all models.

Archive

(1) The act of transferring files from the computer into a long-term storage medium. Archived files are often compressed to save space.

(2) An individual file or group of files which must be extracted and decompressed in order to be used.

(3) A file stored on a computer network, which can be retrieved by a file transfer program (FTP) or other means.

(4) The SECZIP file that holds the compressed/zipped datafile.

Big ENDIAN

A binary data format in which the most significant bit comes first.

Binary File

A file that contains codes that are not part of the ASCII character set. Binary files can use all 256 possible values for each byte in the file.

Block

(1) A group of records that are recorded or processed as a unit.


(2) A set of adjacent records stored as a unit on a disk, diskette, or magnetic tape.

Cipher Block Chain (CBC)

Cipher Block Chaining refers to a method of encryption of blocks of data that involves an initialization vector that is put together with the first block of data and the encryption key. This method of encryption makes sure that each block of data thereafter is uniquely modified, further protecting the data from fraudulent access.

Code Page

A specification of code points for each graphic character set or for a collection of graphic character sets. Within a given code page, a code point can have only one specific meaning. A code page is also sometimes known as a code set.

Configuration File

(1) A file that specifies the way a program functions.

(2) In SECZIP, the file that contains the default values needed for the system to run. These can usually be respecified to meet local user requirements. Several configuration files can be built and accessed via INCLUDE_CMD for certificate access, predefined command sequences, dataset selection lists and other processing settings.

Cryptography

(1) A method of protecting data. Cryptographic services include data encryption and message authentication.

(2) In cryptographic software, the transformation of data to conceal its meaning; secret code.

(3) The transformation of data to conceal its information content, to prevent its undetected modification, or to prevent its unauthorized use.

Cyclic Redundancy Check (CRC)

A Cyclic Redundancy Check is a number derived from a block of data, and stored or transmitted with the data in order to detect any errors in transmission. This can also be used to check the contents of a ZIP archive. It is similar in nature to a checksum. A CRC may be calculated by adding words or bytes of the data. Once the data arrives at the receiving computer, a calculation and comparison is made to the value originally transmitted. If the calculated values are different, a transmission error is indicated. The CRC information is called redundant because it adds no significant information to the transmission or archive itself. It is only used to check that the contents of a ZIP archive are correct. When a file is compressed, the CRC is calculated and a value is calculated based upon the contents and using a standard algorithm. The resulting value (32 bits in length) is the CRC that is stored with that compressed file. When the file is decompressed, the CRC is recalculated (again, based upon the extracted contents), and compared to the original CRC. Error results will be generated showing any file corruption that may have occurred.


Data Compression

The reduction in size (or space taken) of data volume on the media when performing a save or store operation.

Data Integrity

(1) The condition that exists as long as accidental or intentional destruction, alteration, or loss of data does not occur.

(2) Within the scope of a unit of work, either all changes to the database management systems are completed or none of them are. The set of change operations are considered an integral set.

Delimiter

A character or sequence of characters that marks the beginning or end of a unit of data. This is commonly used in non-record data streams in workstation and UNIX-based systems. It is used in the SECZIP TEXT data format.

Dump

In problem analysis and resolution, to write, at a particular instant, all or part of the contents of main or auxiliary storage onto another data medium (such as tape, printer, or spool) for the purpose of protecting the data or collecting error information.

Dynamic Allocation (DYNALLOC)

Dynamic Allocation (DYNALLOC) is a facility utilizing the SVC99 function which allows a program to directly access a dataset without the need for corresponding JCL statements.

Encryption

The transformation of data into an unintelligible form so that the original data either cannot be obtained or can be obtained only by decryption.

Enqueue

The Enqueue macro (ENQ) is used to restrict access to a resource, so that only the appropriate number of users with the appropriate mode gain access to the resource at one time. It is commonly used to "lock" a resource to prevent modifications from multiple sources to cancel out each other.

Extended Attribute

Information attached to an object that provides a detailed description about the object to an application system or user.

Extended Binary Coded Decimal Interchange Code (EBCDIC)

The Extended Binary Coded Decimal Interchange Code is a coded character set of 256 8-bit characters. EBCDIC is similar in nature to ASCII code, which is used on many other computers. When ZIP programs compress a text file, they translate data from EBCDIC to ASCII characters within a ZIP archive using a translation table.

Fixed-Length

A dataset or data definition characteristic in which all of the records are the same length. See also Variable Length.

GDG

Generation Data Groups.

Greenwich Mean Time (GMT)

A synonym for Universal Time Coordinated (UTC) which is the mean solar time of the meridian of Greenwich, England, and is the prime basis of standard time throughout the world.

GZIP

GZIP (also known as GNU zip) is a compression utility designed to use a different standard for handling compressed file data in an archive.

ICF

Integrated Catalog Facility.

IDCAMS

The utility program used by IBM’s Access Method Services to create and manage cataloged datasets.

Installation Verification Procedure (IVP)

A sample application, script, or jobstream provided to verify successful installation of a product (may be either software or hardware).

iSeries

AS400 Operating environments.

JCL

Job Control Language is a command language for mainframes and minicomputers, used for launching applications.

Job Entry Subsystem (JES)

An IBM licensed program that receives jobs into the system and processes all output data produced by the jobs. Commonly known as JES2 or JES3.


Julian Date

A date format that contains the year in positions 1 and 2, and the day in positions 3 through 5. The day is represented as 1 through 366, right-adjusted, with zeros in the unused high-order positions. For example, the Julian date for April 6, 1987 is 87096.

Keyed Sequence

An order in which records are retrieved based on the contents of key fields in records. For example, a bank name and address file might be in order and keyed by the account number.

Keyword

A mnemonic (abbreviation) that identifies a parameter in a command.

Lempel-Ziv (LZ)

A technique for compressing data. This technique replaces some character strings, which occur repeatedly within the data, with codes. The encoded character strings are then kept in a common dictionary, which is created as the data is being sent.

Little ENDIAN

A binary data format in which the least significant bit would be on the left.

MVS

Multiple Virtual Storage is the generic name for the portion of the OS/390 and z/OS operating systems which runs non Unix-System-Services workloads such as batch and TSO/E. It is in this environment that SecureZIP for zSeries executes.

NIST

National Institute of Standards and Technology is a part of the U.S. Department of Commerce, formerly called the National Bureau of Standards, that defines standards for voice, data, and video transmissions, encryption, and other kinds of technology.

Parameter List

A list of values in a calling program that corresponds exactly to a list in a called program for the purposes of providing addressability and data exchange. It contains parameter names and the order in which they are to be associated in the calling and called program.

Partitioned Dataset

A Partitioned Dataset (PDS) is a dataset in direct access storage that is divided into partitions (which are called members), each of which can contain a program, part of a program, JCL, parameters, or other forms of data. When a compression program is compressing a PDS, each member is treated as a separate file within the resultant ZIP archive. When an archive is decompressed to a PDS, each file within the archive creates a separate member within the PDS.

Path Name

(1) A string of characters used to refer to an object. The string can consist of one or more elements, each separated by a slash (/), and may begin with a slash. Each element is typically a directory or equivalent, except for the last element, which can be a directory or another object (such as a file).

(2) A sequence of directory names followed by a file name, each separated by a slash.

Program Temporary Fix (PTF)

A temporary solution to (or a bypass of) a problem that is necessary to provide a complete solution to correct a defect in a current unaltered release of a program. May also be used to provide an enhancement to a product before a new release of the product is available. Generally, PTFs are incorporated in a future release of the product.

RDW

Record Descriptor Word: Contains record length information as a prefix to the data

Record Format

A document or display that names each part of a file and provides specific information for each field such as length and type of information contained within the field.

Relative Path Name

A string of characters that is used to refer to an object, starting at some point in the directory hierarchy other than the root. A relative path name does not begin with a slash (/). The starting point is frequently a user's current directory. This is in contrast to an Absolute Path Name and Path Name.

Return Code

A value generated by operating system software to a program to indicate the results of an operation by that program. The value may also be generated by the program and passed back to the operator.

Rijndael

The combined name of the two researchers that developed the Advanced Encryption Standard (AES) for the US Government (Dr. Joan Daemen and Dr. Vincent Rijmen).

Spanned Record

A logical record that is stored across more than one block. This is commonly used to get around system limitations that blocks cannot be larger than x number of bytes. With spanned records, one record spans two or more blocks.


Translation Table

Translation tables are used by the SECZIP and SECUNZIP programs for translating characters in compressed text files between the ASCII character sets used within a ZIP archive and the EBCDIC character set used on IBM-based systems. These tables may be created and modified by you as documented in the user's guide.

Truncate

To cut off or delete the data that will not fit within a specified line width or display. This may also be attributed to data that does not fit within the specified length of a field definition.

Universal Time Coordinated (UTC)

A synonym for Greenwich Mean Time (GMT) which is the mean solar time of the meridian of Greenwich, England, and is the prime basis of standard time throughout the world.

Variable-Length

A characteristic of a file in which the individual records (and/or the file itself) can be of varying length. Also see Fixed-Length.

Virtual Storage Access Method

The Virtual Storage Access Method (VSAM) is an access method for the direct or sequential processing of fixed-length and variable-length records on direct access devices. The records in a VSAM dataset or file can be organized in logical sequence by a key field (key sequence dataset or KSDS), in the physical sequence in which they are written on the dataset or file (entry-sequence or PS), or by relative-record number (RR). The datasets are managed by the IDCAMS utility program and are used by commands and macros from within application programs.

ZIP Archive

A ZIP archive is used to refer to a single dataset that contains a number of files compressed into a much smaller physical space by SECZIP software.

Page 380: (OS/390 and z/OS) · SecureZIP™ for zSeries (OS/390 and z/OS) User’s Guide SZZU-V8R1000 PKWARE Inc.

368

Index

&

&SYSUID, 127

3

3DES, 21

A

About this Manual, 1 Access Method Services, 42 ACTION, 128, 145 -ACTION(VIEWDETAIL), 52 –ADD, 145 Advanced Options, 288 AES, 21 –ALIAS_NAME, 225 –ALIASMEMBER, 216 Allocation Units, 292 Applying a License Key or Authorization Code, 46 –ARCH, 271 –ARCHBLKSIZ, 149 –ARCHBUFSPACE, 247 –ARCHCATALOG, 247 –ARCHCISIZE, 248 –ARCHCISZ, 248 –ARCHDATACISIZE, 250 –ARCHDATACISZ, 250 –ARCHDATAEEXT, 250 –ARCHDATAFILE, 250 –ARCHDATANAME, 251 –ARCHDATANORD, 251 –ARCHDATANRUS, 267 –ARCHDATANWCK, 271 –ARCHDATAORD, 251 –ARCHDATAOWNER, 265 –ARCHDATAPRI, 251 –ARCHDATARUS, 267 –ARCHDATASEC, 252 –ARCHDATASHR, 267 –ARCHDATASPACE, 252 –ARCHDATAVOL, 253 –ARCHDCLASS, 150, 152, 155, 183, 187, 189, 208, 238 –ARCHDIRBLKS, 150 –ARCHEEXT, 254 –ARCHERASE, 254

–ARCHFILE, 254 –ARCHFOR, 255, 270 –ARCHFREECA, 255 –ARCHFREECI, 255 –ARCHIFILE, 153 –ARCHINDD, 153 –ARCHINFILE, 153 –ARCHIVE, 151 Archive Name, 287 ARCHIVE_BLKSIZE, 128, 149 ARCHIVE_COMMENT, 128, 149 ARCHIVE_DATACLASS, 128, 150, 152, 155, 183, 187,

189, 208, 238 ARCHIVE_DIR_BLOCKS, 128, 150 –ARCHIVE_DIRBLKS, 150 ARCHIVE_DSN, 128, 151 –ARCHIVE_DSNAME, 151 ARCHIVE_DSORG, 128, 152 ARCHIVE_FASTSEEK, 128 –ARCHIVE_IFILE, 153 –ARCHIVE_INDD, 153 ARCHIVE_INFILE, 128, 153 ARCHIVE_LRECL, 128, 153 ARCHIVE_MGMTCLASS, 128, 153 –ARCHIVE_MODEL, 264 –ARCHIVE_OFILE, 154 –ARCHIVE_OUTDD, 154 ARCHIVE_OUTFILE, 129, 154 ARCHIVE_RECFM, 129, 154 –ARCHIVE_RELEASE, 156 –ARCHIVE_RLSE, 156 ARCHIVE_SPACE_MULTIVOL, 129 ARCHIVE_SPACE_PRIMARY, 129, 155 –ARCHIVE_SPACE_RELEASE, 156 ARCHIVE_SPACE_RLSE, 129, 156 ARCHIVE_SPACE_SECONDARY, 129, 156 ARCHIVE_SPACE_TYPE, 129, 156 ARCHIVE_STORCLASS, 129, 157 ARCHIVE_TIMESTAMP, 129, 157 ARCHIVE_UNIT, 129, 158 ARCHIVE_VOLUMES, 129, 158 –ARCHLRL, 153 –ARCHMCLASS, 153 –ARCHMODEL, 264 –ARCHNOERASE, 254 –ARCHNONSPANNED, 269

Page 381: (OS/390 and z/OS) · SecureZIP™ for zSeries (OS/390 and z/OS) User’s Guide SZZU-V8R1000 PKWARE Inc.

369

–ARCHNOREUSE, 267 –ARCHNORLSE, 156 –ARCHNOWRITECHK, 271 –ARCHOFILE, 154 –ARCHOUTDD, 154 –ARCHOUTFILE, 154 –ARCHOWNER, 265 –ARCHPRIMARY, 155 –ARCHRECORDSIZE, 266 –ARCHREUSE, 267 –ARCHRLSE, 156 –ARCHSCLASS, 157 –ARCHSECONDARY, 156 –ARCHSHR, 267 –ARCHSPACE, 156 –ARCHSPANNED, 269 –ARCHTO, 270 –ARCHTYPE, 154 –ARCHUNIT, 158 –ARCHVOL, 158 –ARCHWRITECHK, 271 Assembling Your Changes, 60 –ATTRCOMPAT, 159 –ATTRIB, 222 –ATTRIB_COMPAT, 159 ATTRIB_COMPATIBILITY, 129, 159 –ATTRIBCENTRAL, 222 –ATTRIBLOCAL, 222 –ATTRIBUTE_COMPATIBILITY, 159 AUTHCHK, 129, 159 authentication, 11, 13, 15, 16, 69

B

B, 291 BASIC, 328 –BINARY, 169 Binary Records, 109 Block Size, 292 Browse, 291 Browse Binary, 291 Browse Text, 291 –BUFFERSPACE, 247 –BUFSPACE, 247

C

–CACHEMEMORY, 167 CALLMODE, 129, 162 CANCEL, 285 CAPACITY, 328 –CATALOG, 247 Cataloged Dataset Name and INFILE Request Restrictions, 103

Cataloged Dataset Name Filter Requests, 100 certificate authority, 17, 68 certificate stores, 12, 18, 20, 65, 66, 67, 72 certificates, 11, 16, 17, 20, 64

root, 18 validation, 68 validity, 69

Changing Default Options, 286 Chapter 1. An Introduction to SecureZIP for zSeries, 5 –CHECK_SYSIN_MEMBER, 129, 162 –CISIZE, 248 –CNVEXT, 178 Code Page, 352 Command Changes, 30 Command Details, 142 Command Icon Legend, 145 Command Syntax, 126 Compress and Store all of a User’s Files into Their Own Archive, 58

Compressed by, 292 Compressing a Dataset, 50 Compressing a VSAM File, 118 Compressing Data from Tape, 122 Compressing Sequential Files, 113 Compression Method, 292 Compression Ratio, 292 COMPRESSION_LEVEL, 129, 162 Conditional Use, 332 Configuration (Option ‘C’), 283 Configuration Manager, 59 Configuration Manager Development: Managing Control Statements, 61

Contact PKWARE (Option ‘A’), 307 Control Statement Definitions, 61 Conventions Used, 2 –COPY, 145 Copying a Tape-Based Archive to a Disk File, 122 Creation Date, 292 CRLF, 129, 163 Cross Platform Compatibility, 8 Current Use License, 330 Cyclic Redundancy Check, 7, 292

D

data base profile, 65 Data Compression, 6 Data Format - Binary Records, 109 Data Format - Text Records, 108 Data Formats - Text or Binary, 107 Data Set Filter, 287 Data Set Name, 286 DATA_DELIMITER, 129, 165 DATA_STORAGE, 129, 167 DATA_TRANS_API_ERRLIM, 167 DATA_TRANS_API_ERRLIM, 129 DATA_TRANS_API_ERROR, 168 DATA_TRANS_API_ERROR, 129 DATA_TRANS_API_LANGUAGE, 168 DATA_TRANS_API_LANGUAGE, 130 DATA_TRANS_API_NAME, 168 DATA_TRANS_API_NAME, 130 DATA_TRANS_API_PARM, 168 DATA_TRANS_API_PARM, 130 DATA_TRANS_API_TRACE, 169 DATA_TRANS_API_TRACE, 130 DATA_TRANS_API_WORKSIZE, 169


DATA_TRANS_API_WORKSIZE, 130 DATA_TYPE, 130, 169 Alias, 38 Dataset Aliases, 38 dataset name, 128, 142 DATATYPE_DETECT_DEPTH, 171 DATATYPE_DETECT_TABLE, 172 –DATATYPE_SCAN_DEPTH, 171 DATATYPE_TEXT_PERCENT, 172 Date/Time Zipped, 292 DD Statements, 116 DDNAME_PARMLIB, 130, 173 DDNAME_QZSORTIN, 130 DDNAME_QZSORTOUT, 130 DDNAME_SYSIN, 130, 173 DDNAME_SYSPRINT, 130, 173 DDNAME_ZPSORTIN, 174 DDNAME_ZPSORTOUT, 174 Debugging Controls, 62 Decompressing

sequential datasets, 53 Decompressing a Dataset, 53 decryption, 71, 79, 94 Defaults (Options ZD and UD), 284 Defaults Files, 283 Defaults for –ZIPPED_DSN, 274 Defaults Module, 283 Delete, 291 –DELETE, 145 –DELIM, 165 DEMO, 329, 331 DES, 20 –DETECT_DEPTH, 171 –DETECTX, 169 Determining File Size, 110 digital certificates. See certificates digital signing. See signing Directory Blocks, 292 DISASTER RECOVERY, 329 DISP, 285 Display Fields, 291 Dsorg, 292

E

–E0, 162 EBCDIC, 286 ECHO, 130, 174 EDCICONV, 352

Sample Job, 354 –EN, 162 ENCRYPT_CERT_LIMIT, 130, 175 encryption, 10, 14, 23

algorithms, 10, 13, 20, 92 certificate-based, 12, 23, 65, 79 file name, 14, 75, 90 password, 10, 12, 23, 79 strong, 10

Encryption, 8 –ENCRYPTION_METHOD, 175

ENCRYPTION_METHOD, 130 Enhancements for Secure Data, 37 ENTERPRISE, 329 –ES, 162 –ESDS, 248 –EX, 162 Example

-VIEWDETAIL, 52 Example 1: Zip PDS to an Archive, 333 Example 2: Zip PDS to an Archive, 334 Example 3: Zip VSAM KSDS to an Archive, 335 Example 4: Summary View of a Dataset, 335 Example 5: Summary View of a Dataset, 336 Example 6: View with Detail of an Archive, 337 Example 7: Unzip an Archive to PDS, 339 Example 8: Unzip an Archive to PDS, 340 Example 9: Unzip an Archive to VSAM KSDS, 341 Examples

extracting data, 53 viewing archive contents, 51

–EXCLUDE(dsname mask), 130, 176 Exclusion Filter, 101 EXIT, 285 Extract, 291 –EXTRACT, 145 Extract with overwrite, 291 EXTRACT_PREVIEW, 130, 177 Extracting Data into a PDS, 116 Extracting Data into a VSAM File, 119 Extracting Data onto Tape, 123 Extracting Records into a Sequential File, 114

F

–FAILONDUPKEYS, 253 FEATURES, 329 File Attributes, 109, 123 File Concatenation for ZIP Processing, 115 File Considerations, 110 File Name, 292 File Name or File Mask, 115 File Selection Processing Notes, 102 File Selections vs. Commands, 127 File Support, 112 File Type, 292, 301 FILE_BUSY_WAITTIME, 130, 177 FILE_EXTENSION, 131, 178 FILE_TERMINATOR, 131, 184 filename encryption. See encryption FILENAME_API_ERRLIM, 179 FILENAME_API_ERRLIM, 131 FILENAME_API_ERROR, 179 FILENAME_API_ERROR, 131 FILENAME_API_LANGUAGE, 179 FILENAME_API_LANGUAGE, 131 FILENAME_API_NAME, 180 FILENAME_API_NAME, 131 FILENAME_API_PARM, 180 FILENAME_API_PARM, 131 FILENAME_API_TRACE, 180


FILENAME_API_TRACE, 131 FILENAME_API_WORKSIZE, 181 FILENAME_API_WORKSIZE, 131 FILENAME_ENCRYPTION, 131, 181 FILENAME_SELECT_CASE, 131 –FILEPROCERR, 201 –FILESELERR, 201 FIPS, 20 –FRESHEN, 145 –FTRAN, 241

G

–GDGALL, 185 GDGALL_SUPPORT, 131, 185 Getting Started with the ISPF Interface, 282 GZIP, 131, 185 GZIP Extensions, 280 GZIP Restrictions, 280 GZIP_SUFFIX, 131, 186

H

HIERARCHY, 131, 186 –HLQ, 242

I

IBM’s Terminology Web Site, 360 ICONV, 352 IEBGENER, 42 –IFILE, 194 –IGNOREDUPKEYS, 253 Implementation Notes for GZIP, 280 INCLUDE_CMD, 131 INCLUDE_SFX, 131 Including Changed Defaults, 286 –INDD, 194 INFILE, 131, 194 INFILE Requests, 101 –INFILE_DD, 194 Info, 291 Input ZIP Archive Files, 102 Inputs, 60 INSERT_MEMBER, 131, 195 –INSERTMEMBER, 195 International Code Page, 353 Introduction to SecureZIP for zSeries, 48 Invoking SecureZIP for zSeries Services, 54 Invoking the SecureZIP for zSeries ISPF Panel Interface, 59 Invoking ZIP or UNZIP TSO Command Line Interface, 55

J

JCL to run SECZIP, 49 JES2 SYSIN INFILE Support, 101 Job Card, 283

K

–KEY_PROTECT_LEVEL, 131, 195 –KEYPROTECT1, 195 –KEYPROTECT2, 195 keys, 14, 16, 22

–KSDS, –RRDS, 248

L

Large File Considerations, 110 Last-Referenced Date, 292 LDAP, 65, 66, 87 LDAP_ENCRYPT_CERT_SELECT, 131, 196 License Display (Option ‘L’), 306 LICENSE_HLQ, 132, 197 LICENSE_WTO_INFO, 132, 198 Licensed Types, 328 Licensing and Initializing the Demo, 44 Licensing Environment, 330 LICPRINT, 330 LICSHSYS, 44, 332 Line Commands, 290 –LMM, 199 LMOD_SUPPORT, 132, 197 LOAD, 285 Load Libraries, 117 Load Library, 283 Load Module Control, 117 LOCATE, 285 LOGGING_LEVEL, 132, 198 Lowest Acceptable RC, 283

M

Magnetic Tapes and Cartridges, 121 –MAKEESDS, 204 –MAKELIBRARY, 204 –MAKEPDS, 204 –MAKEPDSE, 204 –MAKESEQ, 204 –MAKEVSAM, 204 Making Changes to the Defaults, 60 Managing a Sequential File ZIP Archive, 114 Managing a VSAM ZIP Archive, 121 Managing a ZIP Archive on Tape, 124 Managing ZIP Archives as PDS Members, 116 MASTER_RECIPIENT, 132, 198 –MEM_MDL, 199 –MEM_MODEL, 199 MEMORY_MODEL, 199 –MEMORY_MODEL, 132 Message, 292 Message Changes, 32 Messages, 62 Messages (Option ‘M’), 304 –METHOD, 162 –MML, 199 –MMM, 199 –MMS, 199 More Files, 287, 300 MULTI_THREAD_LIMIT, 132, 199

N

Needed to Extract, 292 New Commands, 27 New Features, 25


New ZIP Archive, 278 –NIASEP, 275 –NOA, 242 –NOALIAS_NAME, 225 NOALIASMEMBER, 216 NOAPI, 132 –NOARCHRLSE, 156 –NOATTRIB, 222 –NOCRLF, 163 –NODYNMSGS, 235 –NOECHO, 174 –NOGDGALL, 185 –NOGZIP, 185 –NOHIERARCHY, 186 –NOINSERTMEMBER, 195 Non-labeled Tapes (NL), 122 –NOOVERWRITE, 206 –NOPADVSAM, 211 –NOPATH, 214 –NORECALL, 216 –NORECURSE, 159, 175, 196, 198, 217, 221, 224, 228, 230, 232, 233

NOSYSIN, 132, 200 –NOSYSIPT, 200 –NOTAPE, 226 Notes for Dataset Compression, 51 Notes for Decompressing a Dataset, 53 Notes for Viewing the Contents of an Archive, 52 Notes for –ZIPPED_DSN, 273 –NOVSAM, 245 Numeric, 286

O

Old ZIP Archive, 277 ON_FILE_ACCESS_ERROR, 132, 201 ON_FILE_IO_ERROR, 132, 201 Option ‘A’, 307 Option ‘C’, 283 Option ‘L’, 306 Option ‘M’, 304 Option ‘S’, 304 Option ‘U’, 300 Option ‘W’, 307 Option ‘Z’, 295 Option List, 286 Options ZD and UD, 284 –OUT_DSORG, 204 –OUTASTR, 246 –OUTATTEMPTS, 246 –OUTATTR, 248 –OUTAUTH, 246 –OUTBLKSIZ, 202 –OUTBLKSIZE, 202 –OUTBUFSPACE, 247 –OUTCATALOG, 247 –OUTCISIZE, 248 –OUTCISZ, 248 –OUTCODE, 249 –OUTCONTROLPW, 249

–OUTDATAASTR, 246 –OUTDATAATT, 246 –OUTDATAAUTH, 246 –OUTDATACISIZE, 250 –OUTDATACISZ, 250 –OUTDATACODE, 249 –OUTDATACTLPW, 249 –OUTDATAEEXT, 250 –OUTDATAFILE, 250 –OUTDATAMRPW, 263 –OUTDATANAME, 251 –OUTDATANORD, 251 –OUTDATANRUS, 267 –OUTDATANWCK, 271 –OUTDATAORD, 251 –OUTDATAOWNER, 265 –OUTDATAPRI, 251 –OUTDATARDPW, 265 –OUTDATARUS, 267 –OUTDATASEC, 252 –OUTDATASHR, 267 –OUTDATASPACE, 252 –OUTDATAUPDPW, 270 –OUTDATAVOL, 253 –OUTDATAWCK, 271 –OUTDCLASS, 203 –OUTDIRBLKS, 204 –OUTDUPLICATES, 253 –OUTEEXT, 254 OUTFILE_BLKSIZE, 132, 202 OUTFILE_DATACLASS, 132, 203 OUTFILE_DD, 132, 203 OUTFILE_DIR_BLOCKS, 132, 204 –OUTFILE_DIRBLKS, 204 OUTFILE_DSNTYPE, 132, 204 –OUTFILE_DSORG, 204 OUTFILE_LRECL, 132, 205 OUTFILE_MGMTCLASS, 132, 205 OUTFILE_OVERWRITE, 133, 206 OUTFILE_PDS_ENQ, 133, 206 OUTFILE_RECFM, 133, 207 –OUTFILE_RELEASE, 209 –OUTFILE_RLSE, 209 OUTFILE_SPACE_MULTIVOL, 133 OUTFILE_SPACE_PRIMARY, 133, 208 –OUTFILE_SPACE_RELEASE, 209 OUTFILE_SPACE_RLSE, 133, 209 OUTFILE_SPACE_SECONDARY, 133, 209 OUTFILE_SPACE_TYPE, 133, 209 OUTFILE_STORCLASS, 133, 210 OUTFILE_UNIT, 133, 210 OUTFILE_VOLUMES, 133, 210 –OUTFOR, 270 –OUTFREECA, 255 –OUTIMBED, 256 –OUTINDXASTR, 257 –OUTINDXATT, 256 –OUTINDXAUTH, 257 –OUTINDXCISIZE, 257


–OUTINDXCISZ, 257 –OUTINDXCTLPW, 258 –OUTINDXEEXT, 258 –OUTINDXNAME, 260 –OUTINDXNORD, 260 –OUTINDXNRUS, 267 –OUTINDXORD, 260 –OUTINDXOWNER, 265 –OUTINDXPRI, 260 –OUTINDXRDPW, 261 –OUTINDXRUS, 267 –OUTINDXSEC, 261 –OUTINDXSHR, 267 –OUTINDXSPACE, 262 –OUTINDXUPDPW, 262 –OUTINDXVOL, 263 –OUTKEYS, 263 –OUTLRL, 205 –OUTMASTERPW, 263 –OUTMCLASS, 205 –OUTMODEL, 264 –OUTNOREPLICATE, 267 –OUTNOREUSE, 267 –OUTNORLSE, 209 –OUTNOWRITECHK, 271 –OUTOWNER, 265 –OUTPRIMARY, 208 –OUTREADPW, 265 –OUTRECOVERY, 266 –OUTREPLICATE, 267 –OUTREUSE, 267 –OUTRLSE, 209 –OUTSCLASS, 210 –OUTSECONDARY, 209 –OUTSHR, 267 –OUTSPACE, 209 –OUTSPEED, 266 –OUTTO, 270 –OUTTYPE, 207 –OUTUNIT, 210 –OUTUPDATEPW, 270 –OUTVOL, 210 –OUTWRITECHK, 271 –OVERWRITE, 206

P

–PAD, 211 PAD_CHAR, 133, 211 PAD_VSAM, 133, 211 –PADVSAM, 211 PARMLIB_DSNAME_UNZIP, 133, 212 PARMLIB_DSNAME_ZIP, 133, 212 PARMLIB_FILE_WAIT_MAX, 133, 212 PARMLIB_FILE_WAIT_TIMER, 133, 213 –PASS, 213 PASSWORD, 133, 213 passwords, 23, 97 PATCH_REPORT, 134 –PATCH_REPORT, 145

PATH, 134, 214 PDS and PDSE Members, 115 –PDS_TARGET, 225 PEM, 20 PKCS#12, 20, 71 PKCS#7, 20, 68 PKI, 15, 16 PKNODUMP, 42 PKSPRINT, 42 PKSUPPRC, 134, 215 PKUNZIP, 105 –PRESERVE_CMD_SPACES, 134 –PREVIEW, 177 Preview Extract, 291 Primary Commands, 285, 289 Primary File Selection Inputs, 100 Primary Space, 292 private key, 13, 16, 17, 24, 75 PROCESS_ALIAS, 134, 216 Processing Entire Load Library, 117 Processing GDGs, 114 Processing GZIP Archives, 281 Processing Individual Members, 117 Processing Mode, 287 Processing Order of Control Statements, 61 Product Features, 329 public key, 13, 16, 17 public-key, 65 –PWD, 213

Q

–Q, 198 –QUIET, 198

R

RC4, 22 –RDW, 223 –RECALL, 216 RECALL_TO_ZIP, 134, 216 RECIPIENT, 64, 134, 217 recipients, 13, 65, 66, 79

searching for, 87 recipients list, 86 Record Format, 292 Record Size, 292 –RECURSE, 159, 175, 196, 198, 217, 221, 224, 228, 230, 232, 233

RECURSE_LEVELS, 134, 221, 224 Region Size and Storage Usage, 39 Related IBM Publications, 3 Related Information on the Internet, 4 Related Publications, 3 Release Summary, 25 Reporting, 330 Reserved DDNAMEs, 41 RESET, 285 Restrictions for SecureZIP for zSeries, 37 Return Codes, 50 Running a Disaster Recovery Test, 47


S

SAVE, 285 SAVE_FILE_ATTRIBUTES, 134, 222 SAVE_LRECL, 134, 223 Secondary Space, 292 SECUNZIP, 49, 68, 105

Invoking under TSO, 55 Invoking using JCL, 49, 54

SecureZIP for zSeries Release Information, 25 SECUREZIP_CONFIG, 134, 224 SECZIP, 49, 68, 105

Invoking under TSO, 55 Invoking using JCL, 49, 54

SELECT_CATALOGED_ALIAS, 134, 225 –SELECT_DSN_ALIAS, 225 SELECT_FROM_PDS, 134, 225 –SELECT_GDGALL, 185 –SELECT_MIGRATED, 216 SELECT_TAPE, 134, 226 –SELECT_VSAM, 245 Selecting PDS Members for Compression, 115 Sequential Files, 113 SET_ERROR_RC, 134, 227 Setting VIEW Options, 287, 293, 297, 298, 299, 302, 303, 304

Show System Information, 44, 332 SHOW_SETTINGS, 134, 227 SIGN_ARCHIVE, 134, 228 SIGN_FILES, 134, 230 SIGN_HASHALG, 135, 232 SIGNAL_ZIP64, 135, 233 signing, 11, 13, 16, 17

archives, 13 SIMULATE, 135, 233 Simulation Mode, 301 smart cards, 11 –SMM, 199 SNAP_SYSOUT_CLASS, 135, 234 SORT, 42 Sort Field, 287 Sort Order, 287 Sort Output, 287 –SS, 227 STAGE_TAPE_ON_DISK, 135, 234 –STAGE_TAPE_TO_DISK, 234 –STRIP, 235 STRIP_CHAR, 135, 235 Summary of Available Commands, 127 Summary of Commands Affecting ZIP Filename, 104 Summary View of a Dataset, 335, 336 SUPPRESS_DYNALLOC_MSGS, 135, 235 SYSPRINT, 42 Sysprint Allocation, 283 SYSPRINT Browse (Option ‘S’), 304 SYSPRINT_DCB, 236 –SYSPRINT_DCB, 135 SYSPRINT_SYSOUT_CLASS, 135, 236

T

–TASKS, 199 TEMP_BLKSIZE, 135, 236 TEMP_DATACLASS, 135, 237 TEMP_MGMTCLASS, 135, 237 TEMP_RECFM, 135, 237 TEMP_SPACE_MULTIVOL, 135 TEMP_SPACE_PRIMARY, 135, 238 TEMP_SPACE_SECONDARY, 135, 238 TEMP_SPACE_TYPE, 135, 239 TEMP_STORCLASS, 135, 239 TEMP_UNIT, 135, 239 TEMP_VOLUMES, 135, 240 –TEMPBLKSIZ, 236 –TEMPDCLASS, 237 Temporary Dataset, 277 –TEMPPRI, 238 –TEMPPRIMARY, 238 –TEMPSCLASS, 239 –TEMPSEC, 238 –TEMPSECONDARY, 238 –TEMPSPACE, 239 –TEMPTYPE, 237 –TEMPUNIT, 239 –TERM, 184 –TEST, 145 Text, 286 –TEXT, 169 Text Records, 108 TIME-DELIMITED, 329 –TIMESTAMP, 157 To Compress Data into a ZIP Archive on Tape, 124 To Create a New VSAM File, 120 To Extract Data from a Tape-Based Archive, 125 To Overwrite a current VSAM File, 120 To Process “Sparse” RRDS Files, 121 To Process Multiple-Volume Tape Archives, 124 To Restore a Compressed VSAM File, 120 To Update a VSAM ESDS ZIP Archive, 121 To Update Files in a Tape-Based Archive, 125 To View a Tape-Based Archive, 124 TRACE_TABLE_SIZE, 136, 240 –TRAN, 240 Translate table, 352 TRANSLATE_TABLE_DATA, 136, 240 TRANSLATE_TABLE_FILEINFO, 136, 241 TRANSLATION_MODE, 136 Trial Period, 44 Triple DES, 21 Troubleshooting, 62 TRTEBAA, 241, 353 TRTEBAI, 241, 353 TRTEEAA, 241, 353 TRTEEAI, 241, 353 TRTEFAA, 241, 353 TRTEFAI, 241, 353 TRTEGAA, 241, 353 TRTEGAI, 241, 353 TRTEIAA, 241, 353


TRTEIAI, 241, 353 TRTEJAA, 241, 353 TRTEJAI, 241, 353 TRTEMAA, 241, 353 TRTEMAI, 241, 353 TSO Prefix, 283

U

Unsupported File Types, 121 UNZIP (Option ‘U’), 300 Unzip an Archive to PDS, 339, 340 Unzip an Archive to VSAM KSDS, 341 –UNZIPCONFI, 212 Unzipped Size, 292 UNZIPPED_DSN, 136, 242 –UNZIPPED_DSNAME, 242 –UPDATE, 145 Updating or Refreshing a File, 54 Use of System Utilities, 42 USE_FILE_ATTRIBUTES, 222 –USE_SAVED_LRECL, 223 User Input Sources (MVS), 61

V

Valid UNZIP Actions, 57 Valid ZIP Actions, 56 Valid ZIP Options, 57 –VERBOSE, 198 View, 291 –VIEW, 145 View Archive (Option ‘V’), 286 View Binary, 291 View Text, 291 View Type, 287 View with Detail of an Archive, 337 –VIEWDETAIL Display, 123 VIEWDETAIL of a KSDS in an Archive, 118 Viewing the Contents of an Archive, 51 Volume, 292 Volume List, 286 VSAM, 136, 245 VSAM Clusters for –ZIPPED_DSN, 274 VSAM Files, 117 VSAM_ACCOUNT, 136, 245 VSAM_ATTEMPTS, 136, 246 VSAM_AUTH_EP, 136, 246 VSAM_AUTH_STRING, 136, 246 VSAM_BUFFERSPACE, 136, 247 VSAM_CATALOG, 136, 247 VSAM_CISIZE, 136, 248 VSAM_CLUSTER_TYPE, 137, 248 VSAM_CODE, 137, 249 VSAM_CONTROLPW, 137, 249 VSAM_DATA_CISIZE, 137, 250 VSAM_DATA_EXCEPTIONEXIT, 137, 250 VSAM_DATA_FILE, 137, 250 VSAM_DATA_NAME, 137, 251 VSAM_DATA_ORDERED, 137, 251 VSAM_DATA_PRIMARY, 137, 251

VSAM_DATA_SECONDARY, 137, 252 VSAM_DATA_SPACE_TYPE, 138, 252 VSAM_DATA_VOLUMES, 138, 253 VSAM_DATACLASS, 138, 253 VSAM_DUPLICATE_ERROR, 138, 253 VSAM_ERASE, 138, 254 VSAM_EXCEPTIONEXIT, 138, 254 VSAM_FILE, 138, 254 VSAM_FOR, 138, 255 VSAM_FREESPACE_CA, 138, 255 VSAM_FREESPACE_CI, 138, 255 VSAM_IMBED, 138, 256 VSAM_INDEX_ATTEMPTS, 138, 256 VSAM_INDEX_AUTH_EP, 139, 257 VSAM_INDEX_AUTH_STRING, 139, 257 VSAM_INDEX_CISIZE, 139, 257 VSAM_INDEX_CODE, 139, 258 VSAM_INDEX_CONTROLPW, 139, 258 VSAM_INDEX_EXCEPTIONEXIT, 139, 258 VSAM_INDEX_FILE, 139, 259 VSAM_INDEX_MASTERPW, 139, 259 VSAM_INDEX_NAME, 139, 260 VSAM_INDEX_ORDERED, 139, 260 VSAM_INDEX_PRIMARY, 140, 260 VSAM_INDEX_READPW, 140, 261 VSAM_INDEX_SECONDARY, 140, 261 VSAM_INDEX_SPACE_TYPE, 140, 262 VSAM_INDEX_UPDATEPW, 140, 262 VSAM_INDEX_VOLUMES, 140, 263 VSAM_KEYS, 140, 263 VSAM_MASTERPW, 140, 263 VSAM_MGMTCLASS, 140, 264 VSAM_MODEL, 140, 264 VSAM_ORDERED, 140, 264 VSAM_OWNER, 141, 265 VSAM_READPW, 141, 265 VSAM_RECORDSIZE, 141, 266 VSAM_RECOVERY_OPT, 141, 266 VSAM_REPLICATE, 141, 267 VSAM_REUSE, 141, 267 VSAM_SHAREOPTIONS, 141, 267 –VSAM_SHROPT, 267 –VSAM_SHROPTS, 267 VSAM_SPACE_PRIMARY, 141, 268 VSAM_SPACE_SECONDARY, 141, 268 VSAM_SPACE_TYPE, 141, 269 VSAM_SPANNED, 141, 269 VSAM_STORCLASS, 142, 270 VSAM_TO, 142, 270 –VSAM_TYPE, 248 VSAM_UPDATEPW, 142, 270 –VSAM_VOLUMES, 253 VSAM_WRITECHECK, 142, 271 –VSAMCISIZE, 248 –VSAMCISZ, 248 –VSAMESDS, 248 –VSAMKSDS, 248 –VSAMRRDS, 248 –VSAMTYPE, 248


W

What is GZIP?, 279 What’s New (Option ‘W’), 307 Why use GZIP?, 279

X

X.509, 17, 68

Y

Y/N, 286

Z

–ZDW, 223

Zip (Option ‘Z’), 295 ZIP archive

viewing contents, 51 ZIP Archives, 6 ZIP File Names, 104 Zip PDS to an Archive, 333, 334 ZIP Processing File Selection, 100 Zip VSAM KSDS to an Archive, 335 –ZIPCONFIG, 212 –ZIPCUR, 225 ZIPPARM Copy Member, 319, 321, 322, 323 Zipped Size, 292 ZIPPED_DSN, 142, 271 ZIPPED_DSN_SEPARATOR, 142, 275