IBM System z10 - Delivering security-rich offerings to protect your dataIBM Europe, Middle East, and Africa Hardware Announcement ZG09-0798
October 20, 2009
(Corrected on December 3, 2009)Revised text for Response time improvements with OSA-Express3 optimized latency mode in Description section.
|At a glance|
For many years the IBM® mainframe has been acknowledged as a platform of choice for running mission-critical workloads. The System z10 Enterprise Class and Business Class servers have built on these strengths to deliver leadership capabilities to help mitigate risk for your business, to simplify the management of business-critical data, to offer the agility and responsiveness that businesses require in today's ever-changing environment, to help reduce the costs of maintaining, managing, and operating the proliferation of small servers, and to provide flexibility and choice to users. Improvements being announced today include:
- Managing risk
- Next generation of cryptographic feature with Crypto Express3
- z/TPF support for Crypto Express3 accelerator
- Stronger cryptography encryption for TKE protocol authentication
- TKE smart card support
- Simplified key management with TKE 6.0 Workstation
- New HMC security features to help protect against malware and help with FIPS 140-2 level 1 security
- EAL5 Common Criteria certification for System z10 EC and System z10 BC platforms
- Improving service
- Performance improvements with OSA-Express3 optimized latency mode (OLM) for the z/OS® environment
- Configuration flexibility with four-port exploitation for OSA-Express3 1000BASE-T and two-port exploitation for OSA-Express3-2P 1000BASE-T Ethernet Integrated Console Controllers (ICC)
- Simplified FICON® problem determination with HMC improvements
- Simplified usability with Crypto Express3 migration wizard
- Usability enhancements with TKE 6.0
- New z/OS Messaging for STP
- Throughput improvements with Protected Key CPACF
- Reducing cost
- Improved Capacity for Planned Event (CPE), which allows you to select the capacity to meet your business needs rather than providing temporary access to all dormant capacity
- One-port Crypto Express3 for System z10 BC
- Foundation for future virtualization growth with z/VM® V6.1
Back to top
As the pace of business continues to accelerate and the planet becomes smarter, the physical and digital foundations on which progress depends are straining to keep up. They're too complex, too inefficient, and too inflexible. With our dynamic infrastructure strategy, IBM is positioned to help clients succeed in this new world, addressing today's challenges to improve service, reduce cost, and manage risk, while also laying the foundation for what is to come. We are helping clients address the increasing cost and complexity of infrastructure, link and manage all their IT and business assets, and make their business and IT infrastructure as dynamic as the business demands.
The System z10 family of servers is well positioned to participate in this new dynamic model. It delivers many innovative technologies for flexible enterprise computing and includes proven leadership capabilities for security, availability, scalability, virtualization, and management. As environmental concerns raise the focus on energy consumption, the System z10 is designed to reduce energy usage and save floor space when consolidating workloads from distributed servers. The System z10 specialty engines continue to help users expand the use of the mainframe for a broad set of applications, while helping to lower the cost of ownership.
Protection of the IT infrastructure and data continues to be of key importance. This announcement strengthens the System z10 position in security with the next generation of cryptographic feature. The new Crypto Express3 is a state-of-the-art, tamper-sensing and tamper-responding programmable cryptographic feature available for the System z10. This feature can be configured as a secure key coprocessor or an accelerator. The tamper-resistant hardware security module, which is contained on the Crypto Express3, is designed to meet the FIPS 140-2 Level 4 security requirements for hardware security modules. This new generation in cryptography raises the bar in error checking by using a two lock-step cross-checking CPUs process for enhanced error detection and fault isolation of cryptographic operations performed by this coprocessor. New usability enhancements in this announcement enable the grouping of domains across multiple coprocessor features, helping to simplify the management and migration of coprocessor configuration with a new TKE Migration wizard.
Back to top
Back to top
|Planned availability date|
Improved Capacity for Planned Events options will be available December 31, 2009.
TKE 6.0 Workstation will be available January 1, 2010.
Four-port exploitation for OSA-Express3 1000BASE-T (#3367) and two-port exploitation for OSA-Express3-2P 1000BASE-T (#3369) for OSA-ICC will be available in the first quarter of 2010.
All other new-build and MES functions and features described in this announcement will be available November 20, 2009.
HiperSockets network traffic analyzer will be available in the first quarter, 2010.
Availability of programs with an encryption algorithm in France is subject to French government approval.
Back to top
The newest-generation cryptographic feature - Crypto Express3
Crypto Express3 represents the newest-generation cryptographic feature designed to complement the cryptographic functions of CPACF. The Crypto Express3 resides in the I/O cage of the z10 EC and the I/O drawer of the z10 BC, and continues to support all of the cryptographic functions available on Crypto Express2.
Crypto Express3 is a state-of-the-art, tamper-sensing and tamper-responding, programmable cryptographic feature. The cryptographic electronics and microprocessor provide a secure cryptographic environment using two PCI-Express (PCI-E) adapters. Each PCIe adapter contains dual processors that operate in parallel to support the IBM Common Cryptographic Architecture (CCA) with high reliability.
Crypto Express3 applications
The Crypto Express3 feature is suited to applications requiring high-speed, security-sensitive, RSA acceleration, cryptographic operations for data encryption and digital signing, secure management, and use of cryptographic keys, or custom cryptographic applications. These can include financial applications such as PIN generation and verification in automated teller and point-of-sale (POS) transaction servers, remote key loading of ATMs and POS terminals, Web-serving applications, Public Key Infrastructure applications, smart card applications, and custom proprietary solutions. Applications can benefit from the strong security characteristics of the coprocessor and the opportunity to offload computationally intensive cryptographic processing.
An option of one PCI-Express adapter per feature, in addition to the current two PCI-Express adapters per feature, is being offered for the z10 BC to help customers scale their Crypto Express investments for their business needs.
The Crypto Express3-1P feature with one PCI-Express adapter may be defined as either a Coprocessor or an Accelerator. A minimum of two features must be ordered.
Crypto Express3 key features
Key features of Crypto Express3 include:
- Dynamic power management to maximize RSA performance while keeping within temperature limits of the tamper-responding package
- For virtualization, the ability of all logical partitions (LPARs) in all Logical Channel Subsystems (LCSSs) to access the Crypto Express3 feature, up to 32 LPARs per feature
- Improved reliability, availability, and serviceability (RAS); even better than the excellent RAS offered by the Crypto Express2 feature
- Secure code loading that enables the updating of functionality while installed in application systems
- Lock-step checking of dual CPUs for enhanced error detection and fault isolation of cryptographic operations performed by a coprocessor when a PCI-E adapter is defined as a coprocessor
- Dynamic addition and configuration of cryptographic features to logical partitions without an outage
- Updated cryptographic algorithms used in loading the Licensed Internal Code (LIC) with the TKE workstation to keep in step with current recommendations for cryptographic strength
- Support for smart card applications using Europay, MasterCard, and Visa specifications
Crypto Express3 is designed to provide improved performance for symmetric and asymmetric operations.
Crypto Express3 continues to support the following features:
- Cryptographic key generation
- Pseudo Random Number Generation (PRNG)
- Random Number Generation Long (RNGL) - 8 bytes to 8096 bytes
- Personal identification number (PIN) processing
- PIN generation, verification, and translation functions
Each Crypto Express3 feature may be configured as:
- Two PCI-E cryptographic coprocessors (default mode)
- One PCI-E cryptographic coprocessor and one PCI-E cryptographic accelerator
- Two PCI-E cryptographic accelerators
Crypto Express3 PCI-E adapter defined as a coprocessor
When one or both of the two PCI-E cryptographic adapters are configured as a coprocessor, the adapter, which contains a tamper-resistant hardware security module designed for Federal Information Processing Standard (FIPS) 140-2 Level 4 certification, can be used to:
- Encrypt and decrypt data by utilizing secret-key algorithms. Algorithms
supported for data confidentiality are:
- Single-length key DES
- Double-length key DES
- Triple-length key DES
- AES algorithms that have 128-, 192-, and 256-bit data-encrypting keys
- Generate, install, and distribute cryptographic keys securely using both public and secret key cryptographic methods
- Generate, verify, and translate personal identification numbers (PINs)
- Generate, verify, and translate 13- through 19-digit personal account numbers (PANs)
- Ensure the integrity of data by using message authentication codes (MACs), hashing algorithms, and Rivest-Shamir-Adelman (RSA) public key algorithm (PKA) digital signatures
- Perform financial PIN processing and other specialized banking functions
- Manage DES, TDES, AES, and RSA keys
- Offer highly secure encryption processing, use of secure encrypted key values, and User Defined Extensions (UDX) to CCA
- Provide secure remote key loading of encryption keys to ATMs, point of sale terminals (POS), and PIN entry devices
- Exchange cryptographic keys between IBM CCA and non-CCA servers
- Generate high-quality random numbers for keys and other cryptographic applications
Crypto Express3 accelerator
The Crypto Express3 accelerator is configured by the installation process so that it uses only a subset of the coprocessor functions at a higher speed. When one or both of the two PCI-E cryptographic adapters are configured as an accelerator, the Crypto Express3 feature may be used for:
- High-performance clear-key RSA functions
- Acceleration of modular arithmetic operations, the RSA cryptographic operations used with the SSL/TLS protocol
- Offloading of compute-intensive RSA public-key and private-key cryptographic operations employed in the SSL protocol
Supported functions include:
- PKA Decrypt (CSNDPKD), with PKCS-1.2 formatting
- PKA Encrypt (CSNDPKE), with zero-pad formatting
- Digital Signature Verify
The RSA encryption and decryption functions support key lengths of 512 bits to 4,096 bits, in the Modulus Exponent (ME) and Chinese Remainder Theorem (CRT) formats.
More information on IBM System z10 cryptographic performance can be found on the IBM System z® Security Web site at
For Crypto Express3 prerequisites, refer to the Software requirements section of this announcement.
z/TPF support for Crypto Express3 accelerator
z/TPF Version 1.1 with PTFs supports RSA Keys of 1024- and 2048-bit lengths for the following applications:
- Data privacy and confidentiality: RSA key pair generation for data encryption and decryption
- Authentication: RSA digital signature generation and verification to associate a person with data or objects based on knowledge that is associated with the data or object
CP Assist for Cryptographic Function (CPACF)
The CP Assist for Cryptographic Function is available on every processor unit defined as a CP. It provides a set of symmetric cryptographic functions that enhance the encryption/decryption performance of clear-key operations for SSL, Virtual Private Network (VPN), and data storing applications not requiring a high level of security such as FIPS 140-2 level 4.
Cryptographic keys must be protected by the application system, as these keys are provided in the clear-key form to the CPACF. CPACF must be explicitly enabled, using a no-charge enablement feature (#3863). SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 are shipped enabled on all servers with processor units (PUs) defined as CPs, IFLs, zIIPs, or zAAPs.
The CP Assist for Cryptographic Function offers:
- For data privacy and confidentiality
- Data Encryption Standard (DES)
- Triple Data Encryption Standard (TDES)
- Advanced Encryption Standard (AES) for 128-bit, 192-bit, and 256-bit keys
- For data integrity
- Secure Hash Algorithms
- SHA-1: 160 bit
- SHA-2: 224, 256, 384, and 512 bit
- Secure Hash Algorithms
- For message authentication codes (MAC)
- Single-key MAC
- Double-key MAC
For CPACF prerequisites, refer to the Software requirements section of this announcement.
Protected key CPACF - blending clear-key and secure-key cryptography
The security of encryption relies upon keeping the value of the key a secret. A secure key should NEVER exist in the clear outside of the secure boundary of the card. If and when a secure key needs to exist outside of the tamper-resistant hardware it should be encrypted under another key, usually the master key.
An enhancement to Central Processor Assist to Cryptographic Function (CPACF) is designed to help facilitate the continued privacy of cryptographic key material when used by the CPACF for high-performance data encryption. Leveraging the unique z/Architecture®, protected key CPACF helps to ensure that key material is not visible to applications or operating systems when used for encryption operations.
Protected key CPACF is designed to provide significant throughput improvements for large volumes of data and low latency for small blocks of data. In addition, an enhancement to the information management tool, IBM Encryption Tool for IMS™ and DB2® Databases, improves performance for protected key applications.
For Protected Key CPACF prerequisites, refer to the Software requirements section of this announcement.
Stronger cryptography encryption for TKE protocols inbound/outbound authentication
TKE uses cryptographic algorithms and protocols in communication with the target cryptographic adapters in the host systems it administers. Cryptography is first used to verify that each target adapter is a valid IBM cryptographic coprocessor. It then ensures there are secure messages between the TKE workstation and the target Crypto Express2 and Crypto Express3 feature.
The cryptography has been updated to keep pace with industry developments and with recommendations from experts and standards organizations.
The following enhancements have been made:
- TKE Certificate Authorities (CAs) initialized on a TKE workstation with TKE 6.0 LIC can issue certificates with 2048-bit keys. Previous versions of TKE used 1024-bit keys.
- The transport key used to encrypt sensitive data sent between the TKE workstation and a Crypto Express3 coprocessor has been strengthened from a 192-bit TDES key to a 256-bit AES key.
- The signature key used by the TKE workstation and the Crypto Express3 coprocessor has been strengthened from 1024-bit to a maximum of 4096-bit strength.
- Replies sent by a Crypto Express3 coprocessor on the host are signed with a 4096-bit key.
TKE smart card support
TKE 6.0 contains support to increase the key strength for TKE Certificate Authority (CA) smart cards, TKE smart cards, and signature keys stored on smart cards from 1024-bit to 2048-bit strength.
Only feature number 0884 smart cards with the feature number 0885 smart card reader support the creation of TKE CA smart cards, TKE smart cards, or signature keys with the new 2048-bit key strength. Existing feature number 0888 smart cards and feature number 0887 smart card readers are limited to 1024-bit key strengths.
Simplified key management with TKE 6.0 workstation
The feature number 0840 Trusted Key Entry (TKE) workstation and the feature number 0858 TKE 6.0 level of Licensed Internal Code are optional features on the System z10. The TKE 6.0 Licensed Internal Code (LIC) is loaded on the TKE workstation prior to shipment. The TKE workstation offers security-rich local and remote key management, providing authorized persons a method of operational and master key entry, identification, exchange, separation, and update. The TKE workstation supports connectivity to an Ethernet Local Area Network (LAN) operating at 10 or 100 Mbps. Up to ten TKE workstations can be ordered.
TKE feature number 0840 will be available on z9™ BC, z9 EC, z10 BC, and z10 EC servers, beginning January 1, 2010.
Common Criteria Evaluation Assurance Level 5 (EAL5)
The System z10 has Common Criteria Evaluation Assurance Level 5 (EAL5) certification for security of logical partitions. System z security is one of the many reasons why the world's top banks and retailers rely on the IBM mainframe to help secure sensitive business transactions.
Simplified usability with Crypto Express3 migration wizard
A wizard is now available to allow users to collect configuration data from a Crypto Express2 and Crypto Express3 coprocessor and migrate the data to a different Crypto Express coprocessor. The target Crypto Express coprocessor must have the same or greater capabilities.
Benefits of using this wizard include:
- Reduces migration steps, thereby minimizing user errors
- Minimizes the number of user "clicks"
- Significantly reduces migration task duration
Usability enhancements with TKE 6.0
Trusted Key Entry (TKE) 6.0 Licensed Internal Code (LIC) includes domain grouping. This is a significant usability enhancement. The TKE 6.0 LIC provides capabilities for:
- Grouping of up to 16 domains across one or more cryptographic adapters. These adapters may be installed in one or more servers or LPARs. Grouping of domains applies to Crypto Express3 and Crypto Express2 features.
- Greater flexibility and efficiency by executing domain-scoped commands on every domain in the group. For example, a TKE user can load master key parts to all domains with one command.
- Efficiency by executing Crypto Express2 and Crypto Express3 scoped commands on every coprocessor in the group. This allows a substantial reduction of the time required for loading new master keys from a TKE workstation into a Crypto Express3 or Crypto Express2 feature.
Response time improvements with OSA-Express3 optimized latency mode
Optimized latency mode (OLM) can help improve performance for z/OS workloads with demanding low-latency requirements. This includes interactive workloads such as SAP using DB2 Connect™. OLM can help improve performance for applications that have a critical requirement to minimize response times for inbound and outbound data when servicing remote clients. This enhancement applies exclusively to OSA-Express3 QDIO mode (CHPID type OSD).
For prerequisites, refer to the Software requirements section of this announcement.
HiperSockets network traffic analyzer (HS NTA)
Problem isolation and resolution can now be made simpler by an enhancement to the HiperSockets architecture. This function is designed to allow tracing of Layer 2 and Layer 3 HiperSockets network traffic. HS NTA allows Linux on System z to control the trace for the internal virtual LAN to capture the records into host memory and storage (file systems) using Linux on System z tools to format, edit, and process the trace records for analysis by system programmers and network administrators.
Configuration flexibility with four-port exploitation for OSA-ICC
Integrated Console Controllers (ICC) allow the System z10 to help reduce cost and complexity by eliminating the requirement for external console controllers.
You can now exploit the four ports on an OSA-Express3 1000BASE-T Ethernet feature (#3367) on the z10 EC and z10 BC, or the two ports on an OSA-Express3-2P 1000BASE-T on a z10 BC (#3369), when defining the feature as an Integrated Console Controller (OSA-ICC) for TN3270E, local non-SNA DFT, 3270 emulation, and 328x printer emulation. There are two PCI-E adapters per feature and two channel path identifiers (CHPIDs) to be assigned. Each PCI-E adapter has two ports, but prior to this only one of the two PCI-E adapter ports was available for use when defined as CHPID type OSC. Removal of this restriction can improve configuration flexibility by allowing the ability to connect two local LAN segments to each CHPID.
OSA-ICC continues to support 120 sessions per CHPID.
Four-port exploitation for OSA-Express3 1000BASE-T (feature number 3367) and two-port exploitation for OSA-Express3-2P 1000BASE-T (feature number 3369) for OSA-ICC will be available in the first quarter of 2010.
For prerequisites, refer to the Software requirements section of this announcement.
New HMC security features
The Hardware Management Console (HMC) and Support Element (SE) versions 2.10.2 provide a new feature called Digitally Signed Firmware (Licensed Internal Code). This new feature provides the following benefits.
- It helps ensure no malware can be installed on System z products during LICC updates.
- It enables, with other existing security functions, System z10 CPACF functions to comply to Federal Information Processing Standard (FIPS) 140-2 Level 1 for Cryptographic Licensed Internal Code (LIC) changes.
This new Digitally Signed Firmware follows the System z focus of security for the Hardware Management Console and Support Element. More details of the security aspects of the Hardware Management Console and Support Element are described in the z10 publication System z Hardware Management Console Security, which can be found in the z10 Technical Notes area on IBM Resource Link™.
Serviceability enhancement for FICON channels
Problem determination can now be simplified by using the Hardware Management Console (HMC) to more quickly pinpoint fiber optic cabling issues in your Storage Area Network (SAN) fabric without IBM service personnel involvement.
All FICON channel error information is forwarded to the HMC where it is analyzed to help detect and report the trends and thresholds for all FICON channels on System z10. The Fibre Channel Analyzer task on the HMC can be used to display analyzed information about errors on FICON channels (CHPID type FC) of attached Support Elements. Data includes information about the PCHID, CHPID, channel type, source link address, and destination link address of where the error occurred. This report shows an aggregate view of the data and can span multiple systems.
Capacity on Demand
Improved Capacity for Planned Events options
Capacity for Planned Events (CPE) allows for the temporary access to dormant capacity intended to replace capacity lost within the enterprise due to a planned event such as a facility upgrade or system relocation. CPE is similar to CBU in that it can be used to replace lost capacity; however it differs in its scope and intent. Where CBU addresses disaster recovery scenarios that can take up to three months to remedy, CPE is intended for short-duration events like those previously mentioned.
CPE is changing with this announcement. CPE now allows you to select the capacity to meet your business needs rather than providing temporary access to all dormant capacity.
Improved Capacity for Planned Events options will be available December 31, 2009.
Parallel Sysplex and Server Time Protocol (STP)
Improved STP system management with new z/OS messaging
This new function is designed to generate z/OS messages when various hardware events that affect the External Time Sources (ETSs) configured for an STP-only Coordinated Timing Network (CTN) occur. This may improve problem determination and correction times. Previously, the messages were generated only on the Hardware Management Console (HMC).
The ability to generate z/OS messages is supported on IBM System z10 and System z9® servers with z/OS V1.11 with enabling support rolled back to z/OS V1.10 and V1.9.
Foundation for future virtualization growth with z/VM V6.1
Version 6 Release 1 (V6.1) is the newest version of z/VM and is intended to be the base for all future z/VM enhancements. This release implements a new Architecture Level Set (ALS) available only on the IBM System z10 Enterprise Class server and System z10 Business Class server and future generations of System z servers. System z10 technology together with z/VM V6.1:
- Acknowledges the highly attractive economics of workload consolidation on the highly secure and reliable System z10 servers designed to reduce energy usage and save floor space
- Allows z/VM to take advantage of newer hardware technology for future exploitation
Guest LAN and Virtual Switch support has been updated in z/VM V6.1 to use cache prefetch capabilities that are exclusive to the IBM System z10 and later platforms in order to give the hardware hints about likely memory access patterns. This enables the hardware to prefetch data into the processor cache so that the processor does not have to wait for data to be moved from main memory. Avoidance of a "cache miss" may help improve the performance of heavy guest-to-guest streaming workloads.
z/VM V6.1 is planned for availability October 23, 2009. More information about z/VM V6.1 can be found in "IBM z/VM V6.1 - Foundation for future virtualization growth," Software Announcement ZP09-0459, dated October 20, 2009.
Accessibility by people with disabilities
A U.S. Section 508 Voluntary Product Accessibility Template (VPAT) containing details on accessibility compliance can be requested at
Back to top
The future does run on System z. The System z10 design quad-core processor chip represents a revolution in the IBM System z family of products. The new processor chip allows expanded scalability, and when combined with larger memory capacity, faster internal bandwidth, and more subcapacity options, it offers greater growth and enables consolidation on a new level. Businesses of all sizes can use the mainframe to run legacy work and should consider using their mainframe to run new applications using hundreds or thousands of virtual servers in a single energy-efficient server.
Protection of the IT infrastructure continues to be important. The System z10 processor chip has on-board cryptographic functions called CP Assist for Cryptographic Function (CPACF). These standard clear-key integrated cryptographic coprocessors provide high-speed cryptography for protecting data in storage. The new Protected Key CPACF is a blending of clear-key and secure-key cryptography and is intended to help facilitate the continued privacy of cryptographic key materials when used by the CPACF for high-performance data encryption. IBM announced Crypto Express3, a state-of-the-art, tamper-sensing and tamper-responding programmable cryptographic feature available for the System z10. Usability enhancements to the optional Trusted Key Entry (TKE) workstation enable the grouping of domains across multiple coprocessor features, helping to simplify the management and migration of coprocessor configuration with a new TKE Migration wizard.
IBM is strengthening the System z10 relationship with z/OS V1R11 Communications Server and the OSA-Express3 with this announcement. An enhancement may improve response time for interactive workloads when configuring the OSA-Express3 to operate in a new mode - optimized latency mode (OLM). This is intended to help reduce the cost of running applications that have a critical requirement to quickly send and receive data when communicating with a remote client.
The System z10 continues to stand by the Mainframe Charter announced in 2003. We continue to provide value to our customers with unique specialty engines, energy advantages, and generation-to-generation price/performance gains. We know that innovation matters to you and we have delivered new z10 processor chip performance, unmatched scalability from the smallest z10 BC to the largest z10 EC, just-in-time capacity, improvements in I/O and networking that allow for faster access to data, and unprecedented resiliency and security. We have a vibrant community with a strong Academic Initiative, new applications available using Linux® on System z, and over 6,300 applications available from over 1,700 ISVs. Our commitment delivers a compelling case for the future to run on the System z10.
Back to top
|Statement of general direction|
Power Sequence Controller (PSC) feature quantities
The optional PSC feature provides the ability to turn on and off specific control units from the central processor complex (CPC). IBM intends to make three changes in the area of PSC support:
- IBM intends for System z10 to be the last platform to support greater than two Power Sequence Controller (PSC) features (#6501).
- Systems with water-cooling will further limit the maximum quantity of PSC features to one.
- IBM intends for System z10 to be the last platform to allow the PSC feature to be ordered individually when not part of a new-build server or when not part of a box MES order.
Support for optional overhead cabling
On future System z servers, IBM intends to support optional overhead cabling. This would be applicable to some data center environments and would apply to cabling for I/O (fiber optic and 1000BASE-T Ethernet). Overhead cabling is designed to provide an additional option and increased flexibility, to help remove floor hazards in a non-raised-floor environment, and to help increase air flow in a raised-floor environment.
Removal of specific smart card features
The IBM System z10 EC and System z10 BC will be the last platforms to support smart card feature number #0888 and the #0887 smart card reader. The #0888 smart card has been replaced by the #0884 smart card. The #0887 smart card reader has been replaced by the #0885 smart card reader. The #0885 smart card reader and the #0884 smart card were made available on October 28, 2008. Refer to "IBM System z10 Enterprise Class - The future runs on System z10, the future begins today," Hardware Announcement ZG08-0843, dated October 21, 2008.
Customers should begin to migrate information from the #0888 smart card to the #0884 smart card to prepare for the change. Refer to the Trusted Key Entry PCIX Workstation User's Guide for instructions on how to make backups of TKE Certificate Authority (CA) smart cards and how to move key material from one TKE smart card to another.
Removal of Crypto Express2 feature
The IBM System z10 EC and z10 BC will be the last servers to offer Crypto Express2 (#0863) as a feature, either as part of a new-build order, or carried forward on an upgrade.
All statements regarding IBM's plans, directions, and intent are subject to change or withdrawal without notice. Any reliance on these statements of general direction is at the relying party's sole risk and will not create liability or obligation for IBM.
Back to top
More information on z/VM V6.1 can be found in "IBM z/VM V6.1 - Foundation for future virtualization growth," Software Announcement ZP09-0459, dated October 20, 2009.
Back to top
Machine Description Type Model Feature System z10 EC 2097 E12 E26 E40 E56 E64 TKE 6.0 Workstation 0840 TKE 6.0 LIC 0858 Crypto Express3 0864 1 CPE Capacity Unit 0116 100 CPE Capacity Unit 0117 10000 CPE Capacity Unit 0118 1 CPE Capacity Unit-IFL 0119 100 CPE Capacity Unit-IFL 0120 1 CPE Capacity Unit-ICF 0121 100 CPE Capacity Unit-ICF 0122 1 CPE Capacity Unit-zAAP 0123 100 CPE Capacity Unit-zAAP 0124 1 CPE Capacity Unit-zIIP 0125 100 CPE Capacity Unit-zIIP 0126 1 CPE Capacity Unit-SAP 0127 100 CPE Capacity Unit-SAP 0128 System z10 BC 2098 E10 TKE 6.0 Workstation 0840 TKE 6.0 LIC 0858 Crypto Express3 0864 Crypto Express3-1P 0871 1 CPE Capacity Unit 0116 100 CPE Capacity Unit 0117 10000 CPE Capacity Unit 0118 1 CPE Capacity Unit-IFL 0119 100 CPE Capacity Unit-IFL 0120 1 CPE Capacity Unit-ICF 0121 100 CPE Capacity Unit-ICF 0122 1 CPE Capacity Unit-zAAP 0123 100 CPE Capacity Unit-zAAP 0124 1 CPE Capacity Unit-zIIP 0125 100 CPE Capacity Unit-zIIP 0126 1 CPE Capacity Unit-SAP 0127 100 CPE Capacity Unit-SAP 0128 System z9 BC 2096 S07 R07 TKE 6.0 Workstation 0840 TKE 6.0 LIC 0858 System z9 EC 2094 S08 S18 S28 S38 S54 TKE 6.0 Workstation 0840 TKE 6.0 LIC 0858
Back to top
Visit the following Web site for additional information
Contact your IBM representative for course information.
Back to top
The following publications are available now in the Library section of Resource Link:
Title Order number z10 EC System Overview SA22-1084 z10 BC System Overview SA22-1085 z10 EC Installation Manual for Physical Planning (IMPP) GC28-6865 z10 BC Installation Manual for Physical Planning (IMPP) GC28-6875 System z Functional Matrix ZSW0-1335 z10 PR/SM™ Planning Guide SB10-7153
The following publications are shipped with the product and available in the Library section of Resource Link:
Title Order number System z Service Guide for TKE Workstations GC28-6862 z10 EC Installation Manual GC28-6864 z10 EC Service Guide GC28-6866 z10 EC Safety Inspection GC28-6870 z10 BC Installation Manual GC28-6874 z10 BC Safety Inspection GC28-6877 z10 BC Service Guide GC28-6878 Systems Safety Notices G229-9054 System z Statement of Limited Warranty GC28-6883
The following publications will be available at planned availability in the Library section of Resource Link:
Title Order number System z API for Java™ API-JAVA System z Application Programming Interfaces SB10-7030 System z HMC Operations Guide (Version 2.10.2) SC28-6881 System z CIM Management Interface SB10-7154 System z CHPID Mapping Tool User's Guide GC28-6825 System z Service Guide for HMCs and SEs GC28-6861 z10 Capacity on Demand User's Guide SC28-6871 z10 SE Operations Guide (Version 2.10.2) SC28-6882
Publications for System z10 can be obtained at Resource Link by accessing the following Web site
Using the instructions on the Resource Link panels, obtain a user ID and password. Resource Link has been designed for easy access and navigation.
The following IBM Redbooks® have been updated:
Title Order number IBM System z Connectivity Handbook SG24-5444 IBM System z10 Enterprise Class Technical Introduction SG24-7515 IBM System z10 Enterprise Class Technical Guide SG24-7516 IBM System z10 Business Class Technical Overview SG24-7632
For other IBM Redbooks publications, refer to
Back to top
Global Technology Services
IBM services include business consulting, outsourcing, hosting services, applications, and other technology management.
These services help you learn about, plan, install, manage, or optimize your IT infrastructure to be an On Demand Business. They can help you integrate your high-speed networks, storage systems, application servers, wireless protocols, and an array of platforms, middleware, and communications software for IBM and many non-IBM offerings. IBM is your one-stop shop for IT support needs.
For details on available services, contact your IBM representative or visit
For details on available IBM Business Continuity and Recovery Services, contact your IBM representative or visit
For details on education offerings related to specific products, visit
Select your country, and then select the product as the category.
Back to top
Specified operating environment
You should review the PSP buckets for minimum Machine Change Levels (MCLs) and software PTF levels before IPLing operating systems. To support new functions and features, MCLs are required.
Descriptions of the MCLs are available now through Resource Link
Access Resource Link at
Select: Fixes, Hardware, Exception Letters.
Click on System z10 EC or System z10 BC.
Click on Driver xxx Customer Exception Letter.
The most recent driver information is at the top of the list.
Peripheral hardware and device attachments
IBM devices previously attached to IBM System z9 and zSeries® servers are supported for attachment to System z10 channels, unless otherwise noted. The subject I/O devices must meet ESCON® or FICON/FCP architecture requirements to be supported. I/O devices that meet OEMI architecture requirements are supported only using an external converter. Prerequisite Engineering Change Levels may be required. For further detail, contact IBM service personnel.
While the System z10 supports devices as described above, IBM does not commit to provide support or service for an IBM device that has reached its End of Service effective date as announced by IBM.
Note:IBM cannot confirm the accuracy of performance, compatibility, or any other claims related to non-IBM products. Questions regarding the capabilities of non-IBM products should be addressed to the suppliers of those products.
Listed are the operating system minimum versions and releases. Select the releases appropriate to your operating system environments.
Note: Refer to the z/OS, z/VM, and z/VSE™ subsets of the 2097DEVICE and 2098DEVICE Preventive Service Planning (PSP) bucket prior to installing a System z10.
OSA-Express3 optimized latency mode (OLM) on System z10 requires at a minimum:
- z/OS V1.11 with PTFs
- z/VM V5.3 with PTFs for guest exploitation
OSA-Express3 1000BASE-T (#3367) and OSA-Express3-2P 1000BASE-T (#3369)
CHPID type OSC supporting TN3270E and non-SNA DFT on System z10 requires at minimum:
- z/OS V1.7 with the IBM Lifecycle Extension for z/OS V1.7 (5637-A01)
- z/OS V1.8 with the IBM Lifecycle Extension for z/OS V1.8 (5638-A01)
- z/VM V5.3
- z/VSE V4.1
- TPF 4.1 and z/TPF 1.1
Crypto Express3 and Crypto Express3-1P on the System z10 requires at a minimum:
- z/OS V1.9, z/OS V1.10, or z/OS V1.11 with the Cryptographic Support for z/OS V1R9-V1R11 Web deliverable planned to be available November 20, 2009. This may be obtained at
- z/VM V5.3 with PTFs for guest exploitation.
- zVSE V4.2 and IBM TCP/IP for VSE/ESA™ V1.5.0 with PTFs.
- z/TPF V1.1 (acceleration mode only).
- Linux on System
- Current Novell SUSE and Red Hat distributions support the same functionality as Crypto Express2. Secure key is not supported.
Note: Crypto Express3-1P is available only on the System z10 BC.
Note:z/VSE supports clear-key RSA operations only. z/VM V5.3 and later support clear- and secure-key operations.
z/VM support for Crypto Express3 on System z10 requires at a minimum z/VM V5.3 with PTFs, planned to be available in November 2009. It is intended to provide:
- The ability to dedicate any available domain to a guest for clear-key and secure-key cryptographic functions.
- The ability for guests to share all available, non-dedicated domains for clear-key cryptographic functions.
- Enhancements to the CP QUERY CRYPTO APQS to display information about both shared and dedicated cryptographic domains. Prior to this enhancement, the command only displayed user information for dedicated domains.
Each Crypto Express2 and Crypto Express3 feature contains two cryptographic coprocessors, each with 16 cryptographic domains. Up to 256 domains can be configured for use within a single z/VM system.
Each Crypto Express2-1P and Crypto Express3-1P feature contains a single cryptographic coprocessor with support for 16 cryptographic domains. Up to 128 domains can be configured for use within a single z/VM system when using 1P.
CP Assist for Cryptographic Function (CPACF) (#3863) on the System z10 requires at a minimum:
- z/OS V1.10 or later.
- z/OS V1.9 with the Cryptographic Support for z/OS V1R7-V1R9 and z/OS.e V1R7-V1R8 Web deliverable. This is available at
- z/VSE V4.1 and IBM TCP/IP for VSE/ESA V1.5.0 with PTFs.
- z/VM V5.3.
- z/TPF V1.1.
- TPF V4.1.
- Linux on System
- Current releases of Red Hat and Novell SUSE.
Protected Key CP Assist for Cryptographic Function (CPACF) on the System z10 requires at a minimum:
- z/OS V1.9, z/OS V1.10, or z/OS V1.11 with the Cryptographic Support for z/OS V1R9-V1R11 Web deliverable planned to be available November 20, 2009. Note this will be available at
- Linux on System z - IBM is working with its Linux distribution partners to include support in future Linux on System z distribution releases.
STP System Management with new z/OS Messaging On System z10 requires at a minimum:
- z/OS V1.11
- z/OS V1.9 and V1.10 with PTFs
Information on customer responsibilities for site preparation can be found in the Library section of Resource Link at
Fiber optic cable orders
Fiber optic cables for the z10 EC, z10 BC, z9 EC, z9 BC, z990, and z890 are available from IBM Site and Facilities Services.
IBM Site and Facilities Services has a comprehensive set of scalable solutions to address IBM cabling requirements, from product-level to enterprise-level. The IBM Facilities Cabling Services - fiber transport system and the IBM IT Facilities Assessment, Design, and Construction Services - optimized airflow assessment for cabling, offered by IBM Site and Facilities Services, provide services for small, medium, and large enterprises:
- Assessment and planning for IBM Fiber Transport System (FTS) trunking components
- Planning and installation services for individual fiber optic connections
IBM Global Technology Services has the expertise and personnel available to effectively plan and deploy the appropriate cabling with the future in mind. These services may include assessment, planning, consultation, cable selection, installation, and documentation, depending upon the services selected.
These services are designed to be right-sized for your products or the end-to-end enterprise, and to take into consideration the requirements for all of the protocols and media types supported on the System z10, System z9, and zSeries (ESCON, FICON, Coupling Links, and OSA) whether the focus is the data center, the Storage Area Network (SAN), the Local Area Network (LAN), or the end-to-end enterprise.
IBM Site and Facilities Services is designed to deliver convenient, packaged services to help reduce the complexity of planning, ordering, and installing fiber optic cables. The appropriate fiber cabling is selected based upon the product requirements and the installed fiber plant.
The services are packaged as follows:
Under IBM Facilities Cabling Services there is the option to provide IBM Fiber Transport System (FTS) trunking commodities (fiber optic trunk cables, fiber harnesses, and panel-mount boxes) for connecting to the z10 EC, z10 BC, z9 EC, z9 BC, z990, and z890. IBM can reduce the cable clutter and cable bulk under the floor. An analysis of the channel configuration and any existing fiber optic cabling is performed to determine the required FTS trunking commodities. IBM can also help organize the entire enterprise. This option includes enterprise planning, new cables, fiber optic trunking commodities, installation, and documentation.
Under IBM IT Facilities Assessment, Design, and Construction Services there is the option to provide the optimized airflow assessment for cabling to provide you with a comprehensive review of your existing data center cabling infrastructure. This service provides an expert analysis of the overall cabling design required to help improve data center airflow for optimized cooling, and to facilitate operational efficiency through simplified change management.
Contact IBM Global Technology Services for details.
Refer to the services section of Resource Link for further details. Access Resource Link at
Fiber optic cables, cable planning, labeling, and placement are all customer responsibilities for new installations and upgrades. Fiber optic conversion kits and Mode Conditioning Patch (MCP) cables are not orderable as features on a z10 EC and z10 BC. Installation Planning Representatives (IPRs) and System Service Representatives (SSRs) will not perform the fiber optic cabling tasks without a services contract.
The following tasks are required to be performed by the customer prior to machine installation:
- All fiber optic cable planning.
- All purchasing of correct fiber optic cables.
- All installation of any required Mode Conditioning Patch (MCP) cables.
- All installation of any required Conversion Kits.
- All routing of fiber optic cables to correct floor cutouts for proper
installation to server.
- Use the Physical Channel Identifier (PCHID) report or the report from the Channel Path Identifier (CHPID) Mapping Tool to accurately route all cables.
- All labeling of fiber optic cables with PCHID numbers for proper installation
- Use the PCHID report or the report from the CHPID Mapping Tool to accurately label all cables.
Additional service charges may be incurred during the server installation if the above cabling tasks are not accomplished as required.
Fiber Quick Connect (FQC), a fiber harness integrated in the z10 EC and z10 BC frame for "quick" connect, is offered as a feature on the z10 EC and z10 BC for connection to ESCON and FICON LX channels.
Cables for ICB links continue to be available as features. Refer to the Special features section of the Sales Manual on the Web for a list of these features and cables for ICB links
For further details also refer to the Installation Manual for Physical Planning (IMPP), available on Resource Link.
Note:IBM Site and Facilities Services can satisfy your fiber optic as well as your copper cabling requirements.
Security, auditability, and control
The z10 EC and z10 BC use the security and auditability features and functions of host hardware, host software, and application software.
The customer is responsible for evaluation, selection, and implementation of security features, administrative procedures, and appropriate controls in application systems and communications facilities.
Global Technology Services
Contact your IBM representative for the list of selected services available in your country, either as standard or customized offerings, for the efficient installation, implementation, and/or integration of this product.
Back to top
|IBM Electronic Services|
IBM has transformed its delivery of hardware and software support services to help you achieve higher system availability. Electronic Services is a Web-enabled solution that offers an exclusive, no-additional-charge enhancement to the service and support available for IBM servers. These services are designed to provide the opportunity for greater system availability with faster problem resolution and preemptive monitoring. Electronic Services comprises two separate, but complementary, elements: Electronic Services news page and Electronic Services Agent.
The Electronic Services news page is a single Internet entry point that replaces the multiple entry points traditionally used to access IBM Internet services and support. The news page enables you to gain easier access to IBM resources for assistance in resolving technical problems.
The Electronic Service Agent™ is no-additional-charge software that resides on your server. It monitors events and transmits system inventory information to IBM on a periodic, client-defined timetable. The Electronic Service Agent automatically reports hardware problems to IBM. Early knowledge about potential problems enables IBM to deliver proactive service that may result in higher system availability and performance. In addition, information collected through the Service Agent is made available to IBM service support representatives when they help answer your questions or diagnose problems. Installation and use of IBM Electronic Service Agent for problem reporting enables IBM to provide better support and service for your IBM server.
To learn how Electronic Services can work for you, visit
Back to top
|Terms and conditions|
Field installable feature
Features assume the same warranty or maintenance terms as the machine in which they are installed for the full warranty or maintenance period announced for such machine.
Same license terms and conditions as base machine
Back to top
For all charges, contact your IBM representative.
Back to top
All European, Middle Eastern, and African countries.
IMS, z9, DB2 Connect, Resource Link, PR/SM, z/VSE, VSE/ESA and Electronic Service Agent are trademarks of IBM Corporation in the United States, other countries, or both.
IBM, z/OS, FICON, z/VM, System z, z/Architecture, DB2, System z9, Redbooks, zSeries and ESCON are registered trademarks of IBM Corporation in the United States, other countries, or both.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Other company, product, and service names may be trademarks or service marks of others.
For the most current information regarding IBM products, consult your IBM representative or reseller, or visit the IBM worldwide contacts page
Back to top