IBM Hyper Protect Virtual Servers enables DevSecOps for the secure build, deployment, and management of applications on IBM Z and LinuxONE hybrid multicloud platforms

IBM Asia Pacific Software Announcement AP20-0034
February 25, 2020



Overview


Many organizations need to protect their mission-critical applications in production, but security threats can also surface during the development and pre-production phases. Additionally, during deployment and production, insiders who manage the infrastructure that hosts critical applications may pose a threat, given their super-user credentials and level of access to secrets or encryption keys. Organizations need to incorporate secure design practices in their development operations and embrace DevSecOps to protect their applications from the vulnerabilities and threat vectors that can compromise their data and potentially threaten their business.

IBM® Hyper Protect Virtual Servers, the evolution of the IBM Secure Service Container for IBM Cloud™ Private offering, protects Linux® workloads on IBM Z® and LinuxONE platforms throughout the build, management, and deployment phases of their lifecycle. This solution delivers the security needed to protect mission-critical applications in hybrid multicloud deployments.

Hyper Protect Virtual Servers enables:

  • Developers to securely build their applications in a trusted environment with integrity
  • IT infrastructure providers to manage the servers and virtualized environment where the applications are deployed without having access to those applications or their sensitive data
  • Application users to validate that those securely built applications originate from a trusted source by integrating this validation into their own auditing processes
  • Chief Information Security Officers (CISOs) to be confident that their data is both protected and private from internal and external threats

Hyper Protect Virtual Servers uses the IBM continuous delivery (CD) support model.

For additional information on how Hyper Protect Virtual Servers uses CD, see the program technical support topic of the Terms and conditions section.




Key requirements


Hyper Protect Virtual Servers requires one of the following IBM servers [1]:

  • z15™ (all models)
  • z14 (all models)
  • LinuxONE III
  • LinuxONE Emperor II
  • LinuxONE Rockhopper II

For the chosen server platform, clients must order and install the Container Hosting Foundation (feature code 0104), which is orderable by using the hardware configurator.

[1] IBM recommends Integrated Facility for Linux (IFL) for deployment of Hyper Protect Virtual Servers.

For details, see the Technical information section.




Planned availability date


February 28, 2020




Description


The Hyper Protect Virtual Servers solution delivers security capabilities to combat security threats that may appear during different phases of an application's lifecycle that can include build, deployment, and management. It is designed to uniquely protect such workloads that are deployed on IBM Z and LinuxONE servers in hybrid multicloud environments.

Build images with integrity utilizing a trusted continuous integration continuous delivery

Developers can securely build their own applications by using the Hyper Protect Virtual Servers secure build Continuous Integration Continuous Delivery (CICD) pipeline flow to sign their applications and also sign and encrypt the application configuration information. Through this CICD, developers can validate the code that is used to build their images and reassure their users of the integrity level of their applications.

Hyper Protect Virtual Servers can also use the IBM Crypto Express® hardware security module, with FIPS 140-2 Level 4-certified cryptographic capabilities, to generate public or private key pairs for signing and encryption of the securely built, signed application images that are deployed as virtual servers.

Deploy images with trusted provenance

The origin of Hyper Protect Virtual Servers images can be validated to ensure the image to be deployed and its components come from a trusted source, such as an ISV organization or internal development team. The images can be checked to verify that no back door is introduced during the image build. Users of Hyper Protect Virtual Servers application images may utilize a given image's manifest in an audit process to approve an image for deployment.

Manage infrastructure with least privilege access to applications and data

After deploying signed Hyper Protect Virtual Servers images, infrastructure providers can manage the underlying infrastructure that hosts the images without having access to the application's sensitive data to ensure separation of duties and access. The Hyper Protect Virtual Server image, which is deployed in a Secure Service Container appliance, can be managed with:

  • RESTful APIs alone
  • Disabled Secure Shell (SSH) for production builds
  • Enabled SSH for development builds

This provides a flexible choice in access level to match the lifecycle stage of the application.

Accessibility by people with disabilities

Accessibility Compliance Reports (previously known as a VPAT) containing details on accessibility compliance to standards, including the Worldwide Consortium Web Content Accessibility Guidelines, European Standard EN 301 349, and US Section 508, can be found on the IBM Accessibility Conformance Report Request website.




Reference information


For additional information about Hyper Protect Virtual Servers, see IBM Marketplace.

Hyper Protect Virtual Servers is the follow-on to Secure Service Container for IBM Cloud Private. Clients should move to Hyper Protect Virtual Servers in the future. For additional information about Secure Service Container for IBM Cloud Private, see Software Announcement AP18-0144, dated October 2, 2018.

For information about the z15 server, see Hardware Announcement AG19-0032, dated September 12, 2019.

For information about the LinuxONE III server, see Hardware Announcement AG19-0015, dated September 12, 2019.

For information on the z14 servers, see the following Hardware Announcements:

For information on the z14 Model ZR1 server, see the following Hardware Announcements:

For information on the LinuxONE Rockhopper II server, see the following Hardware Announcements:

For information on the LinuxONE Emperor II server, see the following Hardware Announcements:




Program number


Program number | VRM | Program name
5737-I09 | 1.2.0 | IBM Hyper Protect Virtual Servers



Education support


Not applicable




Offering Information


Product information is available on the IBM Offering Information website.

More information is also available on the Passport Advantage® and Passport Advantage Express® website.




Publications


Documentation for Hyper Protect Virtual Servers is available in IBM Knowledge Center.




Technical information


Specified operating environment

Hyper Protect Virtual Servers comprises 2 major components:

  • Linux Management Server
  • Secure Service Container appliance

Hardware requirements

The Linux Management Server is supported on the following hardware platforms:

  • z15
  • z14 (all models)
  • LinuxONE III
  • LinuxONE Emperor II
  • LinuxONE Rockhopper II
  • 64-bit x86 Linux server

The Secure Service Container appliance is supported on the following hardware platforms:

  • z15
  • z14 (all models)
  • LinuxONE III
  • LinuxONE Emperor II
  • LinuxONE Rockhopper II

See the IBM Knowledge Center for the appropriate firmware level for the IBM Z or LinuxONE server platforms.

Clients will also need to select feature code 0104 Container Hosting Foundation on their IBM Z or LinuxONE server.

Software requirements

The Linux Management Server (x86 or s390x) is supported on the following operating system and platform:

  • Platform: Linux 64-bit
  • Operating system: Ubuntu 16.04 LTS and 18.04 LTS

The Secure Service Container appliance supports deployment of Ubuntu 18.04 based Virtual Server images.

Red Hat® and SUSE operating systems are currently not supported.

IBM Support

IBM Support is your gateway to technical support tools and resources that are designed to help you save time and simplify support. IBM Support can help you find answers to questions, download fixes, troubleshoot, submit and track problem cases, and build skills. Learn and stay informed about the transformation of IBM Support, including new tools, new processes, and new capabilities, by going to the IBM Support Insider.

Planning information

Packaging

This offering is delivered through the internet as an electronic download. There is no physical media.

Security, auditability, and control

Hyper Protect Virtual Servers uses the security and auditability features of the host software.

The client is responsible for evaluation, selection, and implementation of security features, administrative procedures, and appropriate controls in application systems and communication facilities.




Ordering information


For ordering information, consult your IBM representative or IBM Business Partner, or go to the Passport Advantage website.

This product is only available through Passport Advantage. It is not available as shrinkwrap.

These products may only be sold directly by IBM or by IBM Business Partners.

To locate an IBM Business Partner in your geography, see the Find a Business Partner page.


Passport Advantage

IBM Hyper Protect Virtual Servers (5737-I09)

Program name/Description | Part number
IBM Hyper Protect Virtual Servers Virtual Processor Core (VPC) License + SW Subscription & Support 12 Months | D1XG3LL
IBM Hyper Protect Virtual Servers VPC Annual SW Subscription & Support Renewal 12 Months | E0PBULL
IBM Hyper Protect Virtual Servers VPC SW Subscription & Support Reinstatement 12 Months | D1XG4LL
IBM Hyper Protect Virtual Servers VPC Monthly License | D1XG5LL


Cross-platform product for use on IBM Z or LinuxONE Integrated Facility for Linux (IFL) engines

Order the appropriate part numbers when the product is intended to run on the Linux operating system on IBM Z or LinuxONE servers with IBM Integrated Facility for Linux (IFL) engines.

IBM Hyper Protect Virtual Servers (5737-I09)

Program name/Description | Part number
IBM Hyper Protect Virtual Servers for Linux on IBM Z VPC License + SW Subscription & Support 12 Months | D1XI6LL
IBM Hyper Protect Virtual Servers for Linux on IBM Z VPC Annual SW Subscription & Support Renewal 12 Months | E0PC9LL
IBM Hyper Protect Virtual Servers for Linux on IBM Z VPC SW Subscription & Support Reinstatement 12 Months | D1XI7LL
IBM Hyper Protect Virtual Servers for Linux on IBM Z VPC Monthly License | D1XI9LL

Charge metric

The charge metrics for this licensed program can be found in the following License Information document:

Program identifier | License Information document title | License Information document number
5737-I09 | IBM Hyper Protect Virtual Servers | L-AKYE-BGHCUE

Select your language of choice and scroll down to the Charge Metrics section.




Terms and conditions


The information provided in this announcement letter is for reference and convenience purposes only. The terms and conditions that govern any transaction with IBM are contained in the applicable contract documents such as the IBM International Program License Agreement, IBM International Passport Advantage Agreement, and the IBM Agreement for Acquisition of Software Maintenance.

This product is only available through Passport Advantage.

Licensing

IBM International Program License Agreement including the License Information document and Proof of Entitlement (PoE) govern your use of the program. PoEs are required for all authorized use. Part number products only, offered outside of Passport Advantage, where applicable, are license only and do not include Software Maintenance.

This software license includes Software Subscription and Support (also referred to as Software Maintenance).

Software Maintenance

Licenses under the IBM International Program License Agreement (IPLA) provide for support with ongoing access to releases and versions of the program. IBM includes one year of Software Subscription and Support (also referred to as Software Maintenance) with the initial license acquisition of each program acquired. The initial period of Software Subscription and Support can be extended by the purchase of a renewal option, if available. Two charges apply: a one-time license charge for use of the program and an annual renewable charge for the enhanced support that includes telephone assistance (voice support for defects during normal business hours), as well as access to updates, releases, and versions of the program as long as support is in effect.

License Information number

The following License Information document applies to the offering in this announcement:

Program identifier | License Information document title | License Information document number
5737-I09 | IBM Hyper Protect Virtual Servers | L-AKYE-BGHCUE

Follow-on releases, if any, may have updated terms. See the License Information documents website for more information.

Limited warranty applies

Yes

Limited warranty

IBM warrants that when the program is used in the specified operating environment, it will conform to its specifications. The warranty applies only to the unmodified portion of the program. IBM does not warrant uninterrupted or error-free operation of the program or that IBM will correct all program defects. You are responsible for the results obtained from the use of the program.

IBM provides you with access to IBM databases containing information on known program defects, defect corrections, restrictions, and bypasses at no additional charge. For further information, see the IBM Support Guide.

IBM will maintain this information for at least one year after the original licensee acquires the program (warranty period).

Program technical support

Technical support of a program product version or release will be available for a minimum of one year from the general availability date, as long as your Software Subscription and Support (also referred to as Software Maintenance) is in effect.

This technical support allows you to obtain assistance (by telephone or electronic means) from IBM for product-specific, task-oriented questions regarding the installation and operation of the program product. Software Subscription and Support (Software Maintenance) also provides you with access to versions, releases, and updates (CD releases, Long Term Support Releases or fixes) of the program. You will be notified, through an announcement letter, of discontinuance of support with six months' notice. If you require additional technical support from IBM, including an extension of support beyond the discontinuance date for up to one year, contact your IBM representative or IBM Business Partner. This extension may be available for a fee.

For additional information on the IBM Software Support Lifecycle Policy, see the IBM Software Support Lifecycle Policy website.

Money-back guarantee

If for any reason you are dissatisfied with the program and you are the original licensee, you may obtain a refund of the amount you paid for it, if within 30 days of your invoice date you return the program and its PoE to the party from whom you obtained it. If you downloaded the program, you may contact the party from whom you acquired it for instructions on how to obtain the refund.

For clarification, note that (1) for programs acquired under the IBM International Passport Advantage offering, this term applies only to your first acquisition of the program and (2) for programs acquired under any of IBM's On/Off Capacity on Demand (On/Off CoD) software offerings, this term does not apply since these offerings apply to programs already acquired and in use by you.

Volume orders (IVO)

No

Passport Advantage applies

Yes, information is available on the Passport Advantage and Passport Advantage Express website.

Usage restrictions

Yes

For usage restrictions, see the License Information documents listed in this Terms and conditions section.

Software Subscription and Support applies

Yes. Software Subscription and Support, also referred to as Software Maintenance, is included with licenses purchased through Passport Advantage and Passport Advantage Express. Product upgrades and Technical Support are provided by the Software Subscription and Support offering as described in the Agreements. Product upgrades provide the latest versions and releases to entitled software, and Technical Support provides voice and electronic access to IBM support organizations, worldwide.

IBM includes one year of Software Subscription and Support with each program license acquired. The initial period of Software Subscription and Support can be extended by the purchase of a renewal option, if available.

While your Software Subscription and Support is in effect, IBM provides you assistance for your routine, short duration installation and usage (how-to) questions, and code-related questions. IBM provides assistance by telephone and, if available, electronic access, only to your information systems (IS) technical support personnel during the normal business hours (published prime shift hours) of your IBM support center. (This assistance is not available to your users.) IBM provides Severity 1 assistance 24 hours a day, 7 days a week. For additional details, see the IBM Support Guide. Software Subscription and Support does not include assistance for the design and development of applications, your use of programs in other than their specified operating environment, or failures caused by products for which IBM is not responsible under the applicable agreements.

Unless specified otherwise in a written agreement with you, IBM does not provide support for third-party products that were not provided by IBM. Ensure that when contacting IBM for covered support, you follow problem determination and other instructions that IBM provides, including in the IBM Support Guide.

For additional information about the International Passport Advantage Agreement and the IBM International Passport Advantage Express Agreement, go to the Passport Advantage and Passport Advantage Express website.

Variable charges apply

No

Educational allowance available

Not applicable.




Statement of good security practices


IT system security involves protecting systems and information through intrusion prevention, detection, and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, or misappropriated or can result in misuse of your systems to attack others. Without a comprehensive approach to security, no IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a regulatory compliant, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products, or services to be most effective.

Important: IBM does not warrant that any systems, products, or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.




Prices


For all local charges, contact your local IBM representative or IBM Business Partner.


Business Partner information

If you are an IBM Business Partner acquiring products from IBM, you may link to Passport Advantage Online for resellers where you can obtain Business Partner pricing information. An IBMid and password are required to access the IBM Passport Advantage or IBM PartnerWorld® website.


Passport Advantage

For Passport Advantage information and charges, contact your IBM representative or IBM Business Partner for Channel Value Rewards. Additional information is also available on the Passport Advantage and Passport Advantage Express website.

IBM Global Financing

IBM Global Financing offers competitive financing to credit-qualified clients to assist them in acquiring IT solutions. Offerings include financing for IT acquisition, including hardware, software, and services, from both IBM and other manufacturers or vendors. Offerings (for all client segments: small, medium, and large enterprise), rates, terms, and availability can vary by country. Contact your local IBM Global Financing organization or go to the IBM Global Financing website for more information.

IBM Global Financing offerings are provided through IBM Credit LLC in the United States, and other IBM subsidiaries and divisions worldwide to qualified commercial and government clients. Rates are based on a client's credit rating, financing terms, offering type, equipment type, and options, and may vary by country. Other restrictions may apply. Rates and offerings are subject to change, extension, or withdrawal without notice.

Financing from IBM Global Financing helps you preserve cash and credit lines, enables more technology acquisition within current budget limits, can help accelerate implementation of economically attractive new technologies, offers payment and term flexibility, and can help match project costs to projected benefits. Financing is available worldwide for credit-qualified clients.




AP distribution


Country/Region | Announced
AP |
ASEAN * | Yes
India/South Asia ** | Yes
Australia | Yes
Hong Kong | Yes
Macao SAR of the PRC | Yes
Mongolia | Yes
New Zealand | Yes
People's Republic of China | Yes
South Korea | Yes
Taiwan | Yes

* Brunei Darussalam, Cambodia, Indonesia, Lao People's Democratic Republic, Malaysia, Myanmar, Philippines, Singapore, Thailand, Timor-Leste, and Vietnam

** Bangladesh, Bhutan, India, Maldives, Nepal, and Sri Lanka

Trademarks

IBM Cloud and z15 are trademarks of IBM Corporation in the United States, other countries, or both.

IBM, IBM Z, PartnerWorld, Passport Advantage and Express are registered trademarks of IBM Corporation in the United States, other countries, or both.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Red Hat is a registered trademark of Red Hat Inc. in the U.S. and other countries.

Other company, product, and service names may be trademarks or service marks of others.

Terms of use

IBM products and services which are announced and available in your country can be ordered under the applicable standard agreements, terms, conditions, and prices in effect at the time. IBM reserves the right to modify or withdraw this announcement at any time without notice. This announcement is provided for your information only. Reference to other products in this announcement does not necessarily imply those products are announced, or intend to be announced, in your country. Additional terms of use are located at

Terms of use

For the most current information regarding IBM products, consult your IBM representative or reseller, or go to the IBM worldwide contacts page

IBM Directory of worldwide contacts