z/VM provides proven system integrity, security, availability, and reliability

z/VM is built on a foundation of system integrity and security, and incorporates many design features for availability and reliability:
  • Integrity and security:
    • z/VM supports guest use of the cryptographic facilities provided by supported IBM® servers.
    • z/VM supports drive-based data encryption with IBM System Storage® tape drives. z/VM supports native and guest use of the IBM Encryption Key Manager for encryption of tapes.
    • z/VM® supports IBM Fibre Channel Endpoint Security between an IBM z15® T01, IBM LinuxONE III LT1, IBM z16® A01, IBM LinuxONE Emperor 4 LA1, and the DS8900F; this includes the ability to query the encryption and authentication states of FCP devices and channel paths.
    • z/VM supports the use of DASD volumes that reside on data encryption drives (DEDs).
    • Support for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) is provided through TCP/IP for z/VM. The z/VM 6.4 System SSL cryptographic module has been validated in accordance with Federal Information Processing Standard (FIPS) 140-2. The z/VM TLS/SSL server supports TLS 1.2, SHA-2 certificates, and National Institute of Standards and Technology's (NIST) SP 800-131a compliant configurations.

      z/VM 7.1 is also designed to meet the requirements for FIPS validation.

      The z/VM 7.2 System SSL module has been validated as conforming to the Federal Information Processing Standard (FIPS) 140-2. This industry-recognized cryptographic standard mandates modern digital key sizes and integrity checking for TLS operations. z/VM 7.2 System SSL is used by the z/VM LDAP server and the z/VM TLS/SSL server. This satisfies a Statement of Direction from the April 2020 z/VM 7.2 preview announcement.

    • Integrated access control and authentication services can be augmented with the addition of an external security manager (ESM), such as the RACF Security Server for z/VM. RACF® can also be used to audit connections to z/VM real devices.
    • RACF Security Server for z/VM supports Multi-Factor Authentication (MFA), which provides for the establishment of a user's identity by utilizing more than one type of authentication.
    • z/VM 6.4, with the SSI and RACF Security Server features enabled, has been certified to conform to the Operating System Protection Profile (OSPP) with Virtualization (-VIRT) and Labeled Security (-LS) extensions of the Common Criteria standard for IT security, ISO/IEC 15408, at Evaluation Assurance Level 4 (EAL4+). See Certification Report "IBM z/VM 6.4".

      z/VM V7.2, with the RACF and SSI features enabled and in conjunction with IBM Z® Multi-factor Authentication for logon support, has been certified to conform to the BSI Operating System Protection Profile (OSPP) with Virtualization (-VIRT) and Labeled Security (-LS) extensions of the Common Criteria standard for IT security, ISO/IEC 15408, at an Evaluation Assurance Level (EAL) of 4+. See Certification Report "IBM z/VM 7.2".

      z/VM Version 7 Release 2.0 has completed a second Common Criteria evaluation as of June 10, 2022. This certifies the product in accordance with the NIAP Virtualization Protection Profile (VPP), with Server Virtualization Extended Package. The successful certification affirms z/VM's continued commitment to meeting the newest security and integrity requirements in the IT industry. The Certification Report can be found at:
    • RSCS TCPNJE traffic can be encrypted by directing the flow through a TLS/SSL server.
    • VM/Pass-Through Facility (PVM) connectivity across TCP/IP can be encrypted by directing the flow through a TLS/SSL server.

    IBM develops and maintains z/VM in accordance with its Secure Engineering best practices and principles. These processes include, but are not limited to: risk assessment, threat modeling and vulnerability analysis, code scanning, security scanning, and penetration-testing. IBM will correct any security or integrity exposures introduced by unauthorized programs into the hypervisor layer.

  • Availability and reliability:
    • Application recovery: z/VM provides services which permit recovery of incomplete interactions with resource managers.
    • Automated operations: z/VM offers several levels of automated system management support. One example is the Programmable Operator. For a higher degree of automation, IBM Operations Manager for z/VM can be added.
    • z/VM provides duplexed data with transparent ongoing synchronization between the primary and backup copy, and automatic transparent switching to the backup copy in case of an error in the primary copy.
    • Online configuration changes eliminate many previously required outages.
    • z/VM systems can be connected for improved server and user availability.
    • Fast restart reduces the end user impact of any outage.
    • Setting up an SSI cluster and using live guest relocation allows z/VM and hardware maintenance to be less disruptive to workloads and allows less disruptive workload balancing.