INSTALLATION, LICENSING, AND CONFIGURATION

FIPS 46-3, Data Encryption Standard (DES)

2 INSTALLATION, LICENSING, AND CONFIGURATION

Installation Overview

The installation of SecureZIPz_{is accomplished by following the steps summarized below:}

 Select the media to be used in installing SecureZIPz_.

 Install from downloaded file, CD or tape.

 Review the README.TXT file for recent information updates.

 Evaluate system requirements.

 Edit the supplied job control (JCL) with appropriate parameter changes for your data center.

 Review the present chapter on installation, license, and configuration in this manual and proceed accordingly.

 Run the installation verification jobs and test product features by modifying the sample JCL supplied in PKWARE.MVS.INSTLIB.

 Begin using the product.

Details of these summarized instructions may be found below.

Type of Media Distribution for Installation

The SecureZIPz_{program may be received and installed from a variety of media types:}

 Downloaded from the PKWARE web site  Received from PKWARE on compact disc (CD).

Installation from Downloaded File or CD

Non-SMP/E Installation

If you have downloaded SecureZIPz_{from PKWARE’s Web site, ftp site, or have received the}

product on CD, then the file you need to start with is the self-extracting zip file called

PKZIPzOS.exe (PKZIP), SecureZIPzOS.exe (SecureZIP) or PartnerLinkzOS.exe

(SecureZIP Partner). The self-extracting file contains the binary XMIT files needed for installation along with various other supporting text and documentation.

The files extracted include:

Text Files

GLOBAL CONTACTS.TXT How to contact domestic and international resellers LICENSE.TXT PKWARE's license agreement

README.TXT Installation and Configuration Instructions ALLOC.JCL Allocation JCL (IEFBR14)

RECEIVE.JCL Receive the transmitted files

WHATSNEW.TXT A text file documenting product changes

Product Binaries

PKZIP Data Set SecureZIP Data Set PartnerLink Data Set Distribution Library

PKZIP.XMIT.CEXEC SECZIP.XMIT.CEXEC PLINK.XMIT.CEXEC Compiled REXX Library PKZIP.XMIT.HELP SECZIP.XMIT.HELP PLINK.XMIT.HELP Help Library PKZIP.XMIT.INSTLIB SECZIP.XMIT.INSTLIB PLINK.XMIT.INSTLIB Install Library PKZIP.XMIT.INSTLIB2 SECZIP.XMIT.INSTLIB2 PLINK.XMIT.INSTLIB2 Install Library 2

PKZIP.XMIT.LOAD SECZIP.XMIT.LOAD PLINK.XMIT.LOAD Common Load Module PKZIP.XMIT.MACLIB SECZIP.XMIT.MACLIB PLINK.XMIT.MACLIB Macro Library

PKZIP.XMIT.SPKZCLIB SECZIP.XMIT.SPKZCLIB PLINK.XMIT.SPKZCLIB REXX Exec Library PKZIP.XMIT.SPKZMLIB SECZIP.XMIT.SPKZMLIB PLINK.XMIT.SPKZMLIB Message Library PKZIP.XMIT.SPKZPLIB SECZIP.XMIT.SPKZPLIB PLINK.XMIT.SPKZPLIB Panel Library PKZIP.XMIT.SPKZSLIB SECZIP.XMIT.SPKZSLIB PLINK.XMIT.SPKZSLIB Skeleton Library PKZIP.XMIT.SPKZTLIB SECZIP.XMIT.SPKZTLIB PLINK.XMIT.SPKZTLIB Table Library

Available Documentation (distributed in Adobe® Acrobat® .PDF format)

PKZIP and SecureZIP for zOS V11.0 SYSTEM ADMINISTRATORS GUIDE.PDF PKZIP and SecureZIP for zOS V11.0 MESSAGES GUIDE.PDF

PKZIP and SecureZIP for zOS V11.0 SECURITY ADMINISTRATORS GUIDE.PDF PKZIP and SecureZIP for zOS V11.0 USERS GUIDE.PDF

PKZIP and SecureZIP for zOS V11.0 APPLICATION INTEGRATION GUIDE.PDF PKZIP and SecureZIP for zOS V11.0 SEARCHABLE INDEX.PDX

Review the installation instructions found below if you are installing from download or CD. If the software was received on magnetic cartridge, please see “Installing from Tape”, below, for the installation JCL, or download the JCL . In either case, follow the

instructions applicable to your installation method before continuing through this document. Below are the step-by-step non-smp/e installation instructions.

I. TRANSFERRING THE TEXT FILES TO THE HOST

1. Transfer the text file "ALLOC.JCL" to the host. You may transfer the file into an existing

PDS, or you may use the allocation in step 2 below:

o Convert the data from ASCII to EBCDIC o Insert CR/LF's

2. A suitable allocation for "ALLOC.JCL" is as follows:

SPACE UNITS: TRKS BLKS: 1 (PRI) 1 (SEC) DIRBLKS: 0 RECFM: FB LRECL: 80 BLKSIZE: 6160

DSORG: PS (or BASIC; release dependent)

3. Follow the same procedure for the "RECEIVE.JCL" provided file.

II. RUNNING THE ALLOC JCL

The “ALLOC” job contains JCL that will perform an IEFBR14 for the eleven (11) binary dataset allocations. You will need to edit the ALLOC JCL with the appropriate variables in order to achieve a RC=00.

1. Before you submit the ALLOC JCL (ALLOC.JCL), you will need to supply a job card. You

will also need to modify the job variables. As an example:

// CEXEC DD DSN={pkware}.XMIT.CEXEC,DISP=(NEW,CATLG), // UNIT={sysda},VOL=SER={volume1},SPACE=(CYL,(2,2)), // DCB=(RECFM=FB,LRECL=80,BLKSIZE=3120)

2. {pkware} is the name of the pre-allocated dataset that is being created by this job.

These are the target datasets that you transfer the binary files into.

4. {volume1} is the volume where the SecureZIPz files reside

5. Submit the job, and review and correct any non-zero return codes. 6. Your eleven (11) target datasets have successfully been allocated.

III. TRANSFERRING THE BINARY FILES TO THE HOST

Before you transfer the files to the host, it is imperative that you do not perform any kind of translation of the data from ASCII to EBCDIC or append CR/LF's. If you do, your uploaded datasets will be corrupted.

1. Transfer the binary files (PKWARE.XMIT.*) from your PC into the target datasets that

you created in Step II:

o Do not translate the data o Do not insert CR/LF's

2. Be sure to transfer all eleven binaries, and then move onto the next step.

IV. RUNNING THE RECEIVE JCL

The “RECEIVE” job contains JCL that will perform an IKJEFT01 for the eleven binary datasets. You will need to edit the RECEIVE JCL with the appropriate variables in order to achieve a RC=00.

1. Before you submit the RECEIVE JCL, you will need to supply a job card. You will also

need to modify the job variables. As an example:

RECEIVE INDSN('{xmitdsn}.XMIT.CEXEC') DSNAME('{dsnhlq}.CEXEC')

2. INDSN {xmitdsn} is the high-level qualifier of the XMIT'd dataset you transferred from

the PC to the host.

3. DSNAME {dsnhlq} is the DSN that gets created by this job. It’s what you want to call

the installed SecureZIPz_{product libraries.}

4. Submit the job, and review and correct any non-zero return codes.

5. Your eleven binary datasets have successfully been converted to a trial-ready version

of SecureZIPz_.

V. Licensing PKZIP/SecureZIP for z/OS

Please refer to “Initializing the License,” later in this chapter, for information and instructions on how to license your copy of SecureZIPz_.

This ends the installation of SecureZIPz if you are installing from PKZIPzOS.exe or

SecureZIPzOS.exe. If you are performing an SMP/E installation or installing from a tape

cartridge, then continue on to the next section.

SMP/E Installation

The installation and software management of SecureZIPz_{can also be accomplished with}

SMP/E. Although the product requires no operating system modifications or authorized routines, the ability to manage the software is enhanced using IBM’s SMP/E facilities.

The PKZIPzOSSMP.exe (PKZIP), SecureZIPzOSSMP.exe (SecureZIP) or

PartnerLinkzOSSMP.exe (PartnerLink) file contains the binary XMIT files needed for

installation, along with text files, a README.TXT, and other files that have sample JCL to

process the files for implementation. The files are listed in the following tables.

Text Files

GLOBAL CONTACTS.TXT How to contact domestic and international resellers LICENSE.TXT PKWARE's license agreement

README.TXT Installation and Configuration Instructions RECEIVE.JCL Receive the transmitted files

ALLOC.JCL Allocation JCL (IEFBR14)

SMPALCSI.TXT This job allocates the VSAM files needed to build a new SMP/E environment. If SecureZIPzis being installed in an existing SMP/E CSI, this job will not be needed.

SMPALPDS.TXT This job allocates the Partitioned Data Set files needed to build an SMP/E environment.

SMPAPPLY.TXT This job applies the elements of the FUNCTION PKZIP82. A return code of four (RC=4) is expected in the listings from IEBCOPY for z/OS load modules. SMPRECV.TXT This job receives the FUNCTION PKZIP82. All of the

++ MCS elements are in the input file PKWARE.MVS.SMP.MCS.

SMPUCLIN.TXT This job updates the SMP/E CSI environment to prepare for the install of SecureZIPz.

WHATSNEW.TXT A text file documenting product changes

Product Binaries

PKZIP Data Set SecureZIP Data Set PartnerLink Data Set Distribution Library

PKZIP.XMIT.SMP.DCEXE SECZIP.XMIT.SMP.DCEXE PLINK.XMIT.SMP.DCEXE Compiled REXX Library PKZIP.XMIT.SMP.DHELP SECZIP.XMIT.SMP.DHELP PLINK.XMIT.SMP.DHELP Help Library

PKZIP.XMIT.SMP.DINST SECZIP.XMIT.SMP.DINST PLINK.XMIT.SMP.DINST Install Library PKZIP.XMIT.SMP.DINST2 SECZIP.XMIT.SMP.DINST2 PLINK.XMIT.SMP.DINST2 Install Library 2

PKZIP.XMIT.SMP.DLOAD SECZIP.XMIT.SMP.DLOAD PLINK.XMIT.SMP.DLOAD Common Load Module PKZIP.XMIT.SMP.DMACL SECZIP.XMIT.SMP.DMACL PLINK.XMIT.SMP.DMACL Macro Library

PKZIP.XMIT.SMP.DCLIB SECZIP.XMIT.SMP.DCLIB PLINK.XMIT.SMP.DCLIB REXX Exec Library PKZIP.XMIT.SMP.DMLIB SECZIP.XMIT.SMP.DMLIB PLINK.XMIT.SMP.DMLIB Message Library PKZIP.XMIT.SMP.DPLIB SECZIP.XMIT.SMP.DPLIB PLINK.XMIT.SMP.DPLIB Panel Library PKZIP.XMIT.SMP.DSLIB SECZIP.XMIT.SMP.DSLIB PLINK.XMIT.SMP.DSLIB Skeleton Library PKZIP.XMIT.SMP.DTLIB SECZIP.XMIT.SMP.DTLIB PLINK.XMIT.SMP.DTLIB Table Library PKZIP.XMIT.SMP.MCS SECZIP.XMIT.SMP.MCS PLINK.XMIT.SMP.MCS SMP MCS Control Cards

Documentation (distributed in Adobe® Acrobat® .PDF format)

PKZIP and SecureZIP for z/OS SYSTEM ADMINISTRATOR’S GUIDE.PDF PKZIP and SecureZIP for z/OS MESSAGES AND CODES.PDF

PKZIP and SecureZIP for z/OS SECURITY ADMINISTRATOR’S GUIDE.PDF PKZIP and SecureZIP for z/OS USER’S GUIDE.PDF

PKZIP and SecureZIP for z/OS APPLICATION INTEGRATION GUIDE.PDF

INDEX.PDX

You should have downloaded or copied a file on your PC called PKZIPzOSSMP.exe (PKZIP), SecureZIPzOSSMP.exe (SecureZIP) or PartnerLinkzOSSMP.exe (PartnerLink). These are

self-extracting ZIP files. Double-click on the file to extract the files inside to a pre-defined folder on your PC.

Below are step-by-step SMP/E installation instructions.

I. TRANSFERRING THE TEXT FILES TO THE HOST

1. Transfer the text file "ALLOC.JCL" to the host. You may transfer the file into an existing

PDS or you may use the allocation in step "2" below:

o Convert the data from ASCII to EBCDIC o Insert CR/LF's

2. A suitable allocation for "ALLOC.JCL" is as follows:

SPACE UNITS: BLKS BLKS: 5 (PRI) 1 (SEC) DIRBLKS: 0 RECFM: FB LRECL: 80 BLKSIZE: 3120 DSORG: PS

3. Follow the same procedure for the "RECEIVE.JCL" provided file.

II. RUNNING THE ALLOC JCL

The “ALLOC” job contains JCL that will perform an IEFBR14 for the twelve binary dataset allocations. You will need to edit the ALLOC JCL with the appropriate variables in order to achieve a RC=00.

1. Before you submit the ALLOC JCL (ALLOC.JCL), you will need to supply a job card. You

will also need to modify the job variables. As an example:

// CEXEC DD DSN={pkware}.XMIT.SMP.DCEXE,DISP=(NEW,CATLG), // UNIT={sysda},VOL=SER={pkware1},SPACE=(CYL,(2,2)),

// DCB=(RECFM=FB,LRECL=80,BLKSIZE=3120)

These are the target datasets that you transfer the binary files into.

3. {sysda} is the unit where SecureZIPz files will reside. 4. {volume1} is the volume where the SecureZIPz files reside

5. Submit the job, and review and correct any non-zero return codes. 6. Your twelve target datasets have successfully been allocated.

III. TRANSFERRING THE BINARY FILES TO THE HOST

1. Transfer the binary files (PKWARE.XMIT.*) from your PC into the target datasets that

you created in step IV.

o Do not translate the data o Do not insert CR/LF's

2. Be sure to transfer all twelve binaries, and then move onto the next step.

IV. RUNNING THE RECEIVE JCL

The "RECEIVE" job contains JCL that will perform an IKJEFT01 for the twelve binary datasets. You need to edit the RECEIVE JCL with the appropriate variables in order to achieve a RC=00.

1. Before you submit the RECEIVE JCL, you will need to supply a job card. You will also

need to modify the job variables. As an example:

RECEIVE INDSN('{xmitdsn}.XMIT.SMP.DCEXE') DSNAME('{dsnhlq}.SMP.DCEXE')

2. INDSN {xmitdsn} is the high level qualifier of the XMIT'd dataset you transferred from

the PC to the host.

3. DSNAME {dsnhlq} is the DSN that gets created by this job.

4. Submit the job, and review and correct any non-zero return codes.

5. Your twelve binary datasets have successfully been converted to a distribution package

for the SMP installation.

V. SMP/E INSTALLATION:

The installation and software management of SecureZIPz_{can be accomplished with SMP/E.}

Although the product requires no operating system modifications or authorized routines, the ability to manage the software is enhanced using IBM’s SMP/E facilities.

The file PKWARE.MVS.SMP.MCS is the SMPPTFIN DD file for the RECEIVE processing. This file contains all of the control information to build the SecureZIPz_{environment. After running the}

RECEIVE JCL, all of the necessary files that you need to start the SMP process have been allocated on your system. The included five (SMP*.JCL files) jobs allocate, define, and build

SMPALPDS.JCL SMPALCSI.JCL SMPUCLIN.JCL SMPRECV.JCL SMPAPPLY.JCL

Please note that user-specific customization may be required if you choose to install

SecureZIPz_{in an existing SMP/E CSI. Consideration has been given to this possibility, but it}

is up to each individual site to verify that there are no problems with duplicate DDDEF, library structures, or utility definitions that may prevent these job streams from completing

successfully.

VI. Licensing PKZIP for z/OS and SecureZIP for z/OS

Please refer to the section “Tailoring Site-Specific Changes to the Defaults Module,” below, for required information and procedures to properly license your copy of SecureZIPz_.

This ends the SMP/E installation of SecureZIPz_{. If you are installing from a tape cartridge,}

then continue on to the next section.

Installing from Tape

If you have received SecureZIPz_{on a magnetic cartridge, the installation is as simple as an}

IEBCOPY of the SecureZIPz_{libraries from tape to DASD.}

The screen below shows the first step of the IEBCOPY, one of the steps needed to complete the installation of SecureZIPz_{from tape.}

//JS010 EXEC PGM=IEBCOPY //* //SYSUT1 DD DSN=PKWARE.MVS.CEXEC, // UNIT=tape,LABEL=(,SL), <=== // DISP=OLD,VOL=(,RETAIN,,,SER=seczip1) <=== //* //SYSUT2 DD DSN=pkware.mvs.CEXEC, <=== // DISP=(NEW,CATLG,DELETE), // SPACE=(CYL,(2,1,52)), // UNIT=disk, <=== // VOL=SER=volume <=== //* //SYSUT3 DD UNIT=sysda,SPACE=(CYL,(5,5)) <=== //SYSUT4 DD UNIT=sysda,SPACE=(CYL,(5,5)) <=== //* //SYSPRINT DD SYSOUT=* //* //SYSIN DD * COPY INDD=SYSUT1,OUTDD=SYSUT2 /*

If you prefer not to type this entire job stream, you may download the COPYCART.TXT JCL and upload it to a data set or member. Remember to perform an ASCII or TEXT transfer to convert the data from ASCII to EBCDIC, modify the JCL, and submit.

Tailoring Site-Specific Changes to the Defaults Module

The configuration defaults module, *.MVS.LOAD(ACZDFLT), is provided with the product. It is coded to allow for execution in a generic MVS environment. However, to make changes to the defaults, you will need to modify the *.MVS.INSTLIB(ACZDFLT) module. YOU MUST MODIFY THIS MODULE BEFORE YOU PROCEED TO USE SecureZIPz_{. It is recommended that the}

values defined in the module be reviewed before running in a production setting.

Upgrade note: Installations suppressing the //SYSIN PDS member verification for

performance reasons with PROC_OPT1=N (available with 5.0.10 maintenance and above) in ACZDFLT should change to CHECK_SYSIN_MEMBER=N in the assembly of ACZDFLT.

PROC_OPT1 will no longer be used for this purpose in Release 5.5 and above.

MCZDFLTS TYPE=CSECT, *

LICENSE_HLQ=PKWARE.MVS, * == Change this to reflect your installation

ACTIVITY_LOG=PKWARE.ACTIVITY.LOG, * == Change this to reflect your installation

PARMLIB_DSNAME_ZIP=NULLFILE * PARMLIB_DSNAME_UNZIP=NULLFILE, *

Once you have, at minimum, modified the LICENSE_HLQ statement to reflect your installation, you will need to assemble these changes via the ASMDFLT member in the *.MVS.INSTLIB to assist in creating a customized defaults module.

You may modify the other values in this module, or you may add to it. At minimum, the above four lines need to be modified or validated.

The table below represents the contents of the SecureZIPz_{defaults module. This table}

explains, in brief, the default parameters of the ACZDFLT’s member and their relevance.

LICENSE_HLQ The high-level qualifiers of the

xxx.LICENSE dataset. LICENSE_HLQ=

is generally set to the same qualifier used during installation of SecureZIPz The default qualifier is PKWARE.MVS. See also: $INSTLIC and LICxxxx members.

ARCHIVE_UNIT

OUTFILE_UNIT TEMP_UNIT

Device types to use during dynamic allocation request for non-VSAM files.

ARCHIVE_STORCLASS

OUTFILE_STORCLASS TEMP_STORCLASS VSAM_STORCLASS

In DF/SMS environment, dynamic allocation information in lieu of volume allocation specifications.

ARCHIVE_VOLUMES

OUTFILE_VOLUMES TEMP_VOLUMES VSAM_VOLUMES

Dynamic allocation target volumes for non-DF/SMS datasets. These are optional for non-VSAM datasets but are required for VSAM DEFINE CLUSTER control cards.

Tailoring Site-Locking Commands

Commands may be locked in the defaults module by adding a MCZLOCKS macro preceding the MCZDFLTS macro. This forces the use of the MCZDFLTS value in all executions regardless of the commands entered for the run.

MCZLOCKS accepts the same list of commands as MCZDFLTS, and expects ZIP, and/or UNZIP as the parameter. ZIP locks the command during ZIP runs. UNZIP locks the command during UNZIP runs. If both are specified the command is locked in both modes.

Usage notes:

 Only one MCZLOCKS macro should be coded with all keyword options requiring a lock specification.

 Specifying a setting to be locked with MCZLOCKS will lock the keyword even if a default value is taken for the MCZDFLTS macro.

 If a locked command is encountered in a ZIP or UNZIP run, message ZPCM101W is issued, the command is ignored, and the return code is set to 4. The return code may be overridden by using the command –PKSUPPRC(ZPCM101W), but the message will always be issued, and the command ignored.

 Commands for locked settings are blocked from usage regardless of the command source (SYSIN, INCLUDE_CMD, PARMLIB, EXEC parm).

The following example forces the License HLQ to PKWARE.MVS, and COMPRESSION_LEVEL to FAST.

MCZLOCKS LICENSE_HLQ=(ZIP,UNZIP), * == Forces use of the MCZDFLTS value on all runs

COMPRESSION_LEVEL=ZIP == Forces use of the MCZDFLTS value on all runs

MCZDFLTS TYPE=CSECT, *

LICENSE_HLQ=PKWARE.MVS, * == Change this to reflect your installation

ACTIVITY_LOG=PKWARE.ACTIVITY.LOG, * == Change this to reflect your installation

In document PKZIP /SecureZIP for z/os (Page 42-85)