zPDT license servers

Alternative zPDT® license and serial number servers that provide enterprise-wide management are available for ZD&T systems. However, the software licensing does not support the native zPDT systems.

Note: For definitions of some of the terms used in these topics, see the Terminology.
A zPDT system must have a license supplied by a 1090 or 1091 token or by a software license server. The tokens identified as 1091 tokens are for ZD&T customers. The material in this section applies to both 1090 and 1091 tokens, and to software-only (LDK) license users. For several reasons, simple local token usage is not always appropriate:
  • Due to security concerns, some PCs no longer have usable USB ports. The physical distribution of tokens might present a problem.
  • Rack-mounted blade PCs might not have normal, dedicated USB ports. A token in a work location can be easily carried away.
In virtual environments the dedicated use of a USB port might be a problem.
  • If multiple tokens are used, or are changed, the CP serial numbers become unpredictable. The consistency of the z Systems® serial numbers might be important for some software licenses (for z Systems software) and might be important for some z Systems operating systems.
  • In some cases, especially related to cloud usage, a hardware token at any location is difficult to manage.
Recognizing these concerns, alternative zPDT license and serial number servers that provide enterprise-wide management are available for ZD&T systems. Figure 1 shows the available options: a simple local configuration, a remote LDK-SL license server, and a remote SHK license server.
Important: The SHK and LDK-SL terminology associated with these servers, as shown in this figure, is used throughout this section. SHK servers have physical 1090 (or 1091) tokens and LDK-SL servers do not have physical tokens. The terms Software-based License Serverand license server are used interchangeably. zPDT refers to both the ISV zPDT product (1090) and the ZD&T (1091) product except where distinctions are noted.
Figure 1. Options for obtaining zPDT licenses
Options for obtaining zPDT licenses

In a simple configuration, a local token is installed in a USB port on the base machine running zPDT. In this case (one token installed in a local USB port), the token supplies both the zPDT license and the serial number used for the z Systems CPs, assuming that the local zPDT system has never been connected to a remote Software-based License Server or server, and has never used multiple local tokens. This configuration is used by the majority of zPDT users.

The SHK server uses a hardware token, while the LDK-SL server uses a software-only license with no physical token. An SHK server can be shifted to another physical PC by moving the token(s) and reinstalling zPDT software. An LDK-SL license server cannot be moved to a different PC. To move the server to a different PC, you must obtain new LDK-SL server software. Also, additional license charges may be associated with the use of LDK servers; consult your zPDT provider for more details.
Restriction: LDK-SL server function is intended primarily for systems accessed in the cloud.

Figure 1 also indicates UIM components. UIM means Unique Identification Manager; this is a function that provides a consistent z System serial number to zPDT. The UIM function can be used with remote UIM servers. In principle, these are separate servers from the license servers and might be on different Linux® PCs. In practice, the remote UIM servers are almost always installed on the same Linux PC having the remote license server. These topics assume that a UIM server is installed concurrently with an LDK-SL or SHK license server. There is also a local UIM component with operational zPDT systems (clients) not indicated in the figure.

A license server is accessed (via TCP/IP) by a client PC running zPDT and the zPDT operational license is supplied this way. The licenses needed to decrypt z/OS® IPL volumes are also provided by the server. The client machine does not have a token and does not need a USB port. A client machine must have access to the license server as long as zPDT is operational on the client. Likewise, the client machine has access to a UIM server that supplies consistent serial numbers for the z Systems CPs.

All zPDT systems have remote client functionality but, by default, it is not configured for remote operation. If a token is installed zPDT operates normally (with a local token). If a remote client function is configured, then zPDT attempts to connect to remote servers to obtain a zPDT license and serial number.

The owner of the client machine must do some minor configuration work to enable clients to use remote license servers and UIM servers; the enabling this interface differs for SHK and LDK-SL servers. Before enabling client access to a remote server the server networking environment (IP address, domain name, firewall controls, appropriate tokens for the server) must be arranged.

The remote license and UIM servers are normally on a single remote system. However, the two servers could be on separate machines. A UIM server and/or an SHK server could be on the same machine as the client, but would still be considered remote servers in the context described here. All the following text assumes that the license server and the UIM server are on the same machine. An LDK-SL server cannot be present on the same PC running zPDT.
Tip: The LDK and SHK terminology represents different generations of license management functions from Safenet, with LDK being the newer technology. (The company is now owned by Gemalto, but these help topics continue to refer to the Safenet token products.) The LDK technology can use both software license (denoted by LDK -SL) or new hardware tokens (denoted by LDK-HL). At the time of writing, zPDT does not use the newer hardware tokens (LDK-HL).