A fix is available
APAR status
Closed as new function.
Error description
Provide support for encryption of data as it is moved between active memory and a paging volume owned by z/VM. Encrypted paging is exclusive to the IBM z14.
Local fix
N/A
Problem summary
USERS AFFECTED: All users of z/VM running on IBM z14 hardware.
PROBLEM DESCRIPTION:
RECOMMENDATION: APPLY PTF
This PTF implements New Function in the z/VM Control Program to allow for the encryption and decryption of guest data as it moves to and from paging volumes owned by CP.
Problem conclusion
Temporary fix
Comments
This APAR allows z/VM 6.4 to enable encryption of guest page data when running on the IBM z14 (D/T3906). It improves system security by making customer data defensible against attack or breach of volumes, even in cases where a system administrator has unintended access to those volumes. When enabled, guest data is ciphered as it moves from active memory onto a paging volume owned by CP (ECKD, SCSI, or native FBA). This support is limited to guest pages (in primary host address spaces and VM data spaces) and VDISK pages written by the CP Paging subsystem to paging extents (or, when paging space has been exhausted, to spool extents).
A new configuration statement and a new command have been added to control how this support functions on the system. The ENCRYPT PAGING configuration statement allows the encryption capability to be set to ON, OFF, or REQUIRED. This setting may be adjusted later through the new CP SET ENCRYPT command.
NOTE: If REQUIRED is specified for a system missing IBM z14 Feature 3863 (CPACF), the system will enter a disabled wait-state. The REQUIRED option is provided for regulatory compliance and should be used cautiously, as there is no work-around for it. It is recommended that the ON option be used when testing workloads with this new capability. Additionally, it is recommended that back-up system configuration files be kept locally to boot such systems during emergencies or in DR scenarios. For information about managing a system with encryption, refer to z/VM CP Planning and Administration, section entitled "Pervasive Encryption for z/VM".
The encryption algorithm may be selected the first time encryption is enabled for PAGING. This may happen during system IPL or via the CP SET ENCRYPT command. Once set, the encryption algorithm may not be changed without a system IPL. (If encrypted paging is disabled and re-enabled, the same algorithm will be in effect.) The available algorithms are AES128, AES192, and AES256 (default) in Cipher Block Chaining (CBC) mode. The strength of the algorithm may have implications on the performance of guest workload. Refer to z/VM Performance, section entitled "Major Factors Affecting Performance" for more information.
For more information about the CP SET ENCRYPT and CP QUERY ENCRYPT commands introduced in this APAR, refer to "z/VM CP Commands and Utilities Reference".
APAR Information
APAR number
VM65993
Reported component name
VM CP
Reported component ID
568411202
Reported release
640
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
YesSpecatt / New Function / Xsystem
Submitted date
2017-02-07
Closed date
2017-12-05
Last modified date
2018-12-14
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UM35256 UM35257
Modules/Macros
CBITABLE CPLOAD CPQUERY CPSET ENCRYPT HCPALG HCPASATE HCPBSC HCPBSI HCPBSM HCPCBI HCPCLD HCPCLS HCPENC HCPENCBK HCPFRMTE HCPFST HCPHAM HCPHPC HCPHSU HCPHTU HCPHTV HCPIIO HCPKRY HCPKRYPT HCPKYM HCPKYMGR HCPKYSBK HCPMDLAT HCPMES HCPMESA HCPMESB HCPMOM HCPMONEQ HCPMOT HCPMPS HCPMSM HCPMXF HCPMXRBK HCPOM1 HCPOM2 HCPPAF HCPPAG HCPPAH HCPPAI HCPPAU HCPPFR HCPPGT HCPPGV HCPPLP HCPPLSBK HCPPPI HCPPPR HCPPTA HCPQUY HCPRLB HCPRLT HCPRP HCPSCFBK HCPSET HCPSYC HCPSYS HCPSYSCM HCPSZK HCPSZL HCPVMDBK HCPVPGBK HCPZSC HCP1137E HCP1139I HCP1390E HCP1391E HCP1392E HCP1393W HCP1394I HCP1395W HCP2768E HCP6706E HCWAI8 HCWA12 IPLPARMS MRMTRENC MRMTRSYS MRSTORSP
SC24617511 | SC24617812 | GC24617710 | SC24623303 | SC24620809 | GC24620112
Fix information
Fixed component name
VM CP
Fixed component ID
568411202
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
14 December 2018