SecureZIP™ for iSeries

User’s Guide SZIU-V8R0000

PKWARE Inc.

PKWARE Inc. 9009 Springboro Pike Miamisburg, Ohio 45342 Sales: 937-847-2374 Support: 937-847-2687 Fax: 937-847-2375 Web Site: http://www.pkware.com Sales - Email: pksales@pkware.com Support - http://www.pkware.com/support 8.1 Edition (2005) SecureZIP for iSeries ™, PKZIP for iSeries, PKZIP for MVS™, PKZIP for zSeries™, PKZIP for OS/400™, PKZIP for VSE™, PKZIP for UNIX™, and PKZIP for Windows™ are just a few of the many members in the PKZIP® family. PKWARE, Inc. would like to thank all the individuals and companies -- including our customers, resellers, distributors, and technology partners -- who have helped make PKZIP® the industry standard for Trusted ZIP solutions. PKZIP® enables our customers to efficiently and securely transmit and store information across systems of all sizes, ranging from desktops to mainframes.

This edition applies to the following PKWARE, Inc. licensed program:

SecureZIP for iSeries ™ (Version 8, Release 1, 2005)

PKZIP is a registered trademark of PKWARE Inc. SecureZIP is a trademark of PKWARE Inc. Other product names mentioned in this manual may be a trademark or registered trademarks of their respective companies and are hereby acknowledged.

Any reference to licensed programs or other material, belonging to any company, is not intended to state or imply that such programs or material are available or may be used. The copyright in this work is owned by PKWARE, Inc., and the document is issued in confidence for the purpose only for which it is supplied. It must not be reproduced in whole or in part or used for tendering purposes except under an agreement or with the consent in writing of PKWARE, Inc., and then only on condition that this notice is included in any such reproduction. No information as to the contents or subject matter of this document or any part thereof either directly or indirectly arising there from shall be given or communicated in any manner whatsoever to a third party being an individual firm or company or any employee thereof without the prior consent in writing of PKWARE, Inc.

Copyright © 1989 - 2005 PKWARE, Inc. All rights reserved.

iii

Contents

PREFACE............................................................................................................. 1 Notices ........................................................................................................................ 1 About this Manual ...................................................................................................... 1 Conventions Used in this Manual ............................................................................ 2 Related Publications.................................................................................................. 3 Related IBM Publications .......................................................................................... 3 Related Information on the Internet ......................................................................... 4 User Help and Contact Information.......................................................................... 4

1 SECUREZIP FOR ISERIES ............................................................................ 5 Data Compression ..................................................................................................... 5 ZIP Archives ............................................................................................................... 6 Cyclic Redundancy Check ........................................................................................ 6 Encryption .................................................................................................................. 7 Large Files Considerations....................................................................................... 7

Large File Support Summary ................................................................................... 7 Large File Support File Capacities ........................................................................... 7

Cross Platform Compatibility ................................................................................... 8 ZIP File Format Specification.................................................................................... 9 Release Summary .................................................................................................... 10

New Features in SecureZIP for iSeries Release 8.1.............................................. 10 New Features in SecureZIP for iSeries Release 8.0.............................................. 10

SecureZIP for iSeries Restrictions ......................................................................... 10

2 DATA SECURITY ......................................................................................... 12 Encryption ................................................................................................................ 12 Authentication .......................................................................................................... 13

Data Integrity .......................................................................................................... 13 Digital Signature Validation .................................................................................... 13 Digital Signature Source Validation........................................................................ 14

iv

Public-Key Infrastructure and Digital Certificates................................................ 14 Public-Key Infrastructure (PKI)............................................................................... 14 X.509 ...................................................................................................................... 15 Digital Certificates................................................................................................... 15 Certificate Authority (CA)........................................................................................ 15 Private Key ............................................................................................................. 15 Public Key............................................................................................................... 16 Certificate Authority and Root Certificates ............................................................. 16

Types of Encryption Algorithms ............................................................................ 16 FIPS 46-3, Data Encryption Standard (DES) ......................................................... 16 Triple DES Algorithm (3DES) ................................................................................. 16 Advanced Encryption Standard (AES) ................................................................... 17 Comparison of the 3DES and AES Algorithms ...................................................... 17 RC4 ........................................................................................................................ 18

Key Management...................................................................................................... 18 Passwords and PINS ............................................................................................... 19 Recipient Based Encryption ................................................................................... 19 Random Number Generation .................................................................................. 19 Integrity of Public and Private Keys....................................................................... 20 Meeting Current Challenges ................................................................................... 20

Industry-Specific Mandates .................................................................................... 20 Data Encryption........................................................................................................ 22

Cross Product Matrix .............................................................................................. 23 Operating System Levels ....................................................................................... 23 Windows Compatibility ........................................................................................... 23 General Questions to help you get started with SecureZip for iSeries .................. 24

User Encryption Examples ..................................................................................... 26 Zip Compress File(s) and Write to an Archive File................................................. 27 Display the contents of an Archive File .................................................................. 28 Incorrect Password Use ......................................................................................... 29

3 GETTING STARTED WITH SECUREZIP FOR ISERIES............................. 30 Basic Features of SecureZIP for iSeries................................................................ 30 Extended Features of SecureZIP for iSeries ......................................................... 30 Invoking SecureZIP for iSeries Services ............................................................... 31 SecureZIP for iSeries Differences with other Platforms ...................................... 31 Use of SAVF Method................................................................................................ 32

4 SECUREZIP FOR ISERIES INSTALLATION............................................... 33 Unloading SecureZIP for iSeries from Tape.......................................................... 33 Unloading SecureZIP for iSeries from a CD-ROM ................................................ 34

METHOD A. LODRUN Command.......................................................................... 34 METHOD B. RSTLIB Command ............................................................................ 34

Using FTP to iSeries to Transfer a PKZIP Save File............................................. 35 Restoring SecureZIP for iSeries Product Library from a Save File .................... 35

v

Installation Procedures ........................................................................................... 35 Licensing Requirements ......................................................................................... 36

Trial Period ............................................................................................................. 36 Release Licensing .................................................................................................. 36 Reporting Environment........................................................................................... 36 Updating License Files ........................................................................................... 37 Licensed Product Features .................................................................................... 38 Record Layouts ...................................................................................................... 40 Reporting ................................................................................................................ 42 Conditional Use ...................................................................................................... 44

Operating Environment ........................................................................................... 44 PKZDTA5 Data Area .............................................................................................. 45 How to Change the Standard PKZIP Library Name............................................... 45 Alternate Install from SAVF with Non-Standard Library Name .............................. 46 Running Without the PKZIP Library in the Library List........................................... 46

5 FILE SELECTION AND NAME PROCESSING............................................ 48 ZIP Processing File Selection................................................................................. 48 Primary File Selection Inputs.................................................................................. 48 File Exclusion Inputs ............................................................................................... 50 Input ZIP Archive Files ............................................................................................ 51 SPOOL File Selecting .............................................................................................. 51

6 ZIP FILES ..................................................................................................... 52 Data Format - Text Records vs. Binary Records .................................................. 52 File Attributes ........................................................................................................... 53 PC Shared Drives Format........................................................................................ 54

7 FILE EXTRACTING PROCESS ................................................................... 55 Extracting Files to the QSYS Library File System ................................................ 55

Authority Settings ................................................................................................... 56 Extracting Files to the IFS....................................................................................... 57

Path Considerations ............................................................................................... 57 Changing the path(s) .............................................................................................. 57 File Type Considerations........................................................................................ 57

Extracting Spool Files ............................................................................................. 58

8 ISERIES FILE PROCESSING SUPPORT.................................................... 61 QSYS (Library File System) .................................................................................... 61

QSYS Summary ..................................................................................................... 61 IFS (Integrated File System).................................................................................... 62

Directories and Current Directory........................................................................... 62 Path and Path Names ............................................................................................ 62 Stream Files ........................................................................................................... 63 Other IFS Objects................................................................................................... 63

vi

File Systems in the IFS .......................................................................................... 63 Document Library Services File System (QDLS) ................................................... 64 Optical File System (QOPT)................................................................................... 65 Using QSYS.LIB via the Integrated File System Interface..................................... 66 IFS Summary.......................................................................................................... 67

SAVF.......................................................................................................................... 67 Compressing a SAVF file ....................................................................................... 67 Extracting Records into a SAVF file ....................................................................... 67 Overwriting Current SAVF File ............................................................................... 68

Compressing Spool Files........................................................................................ 68

9 ZIP ARCHIVES ............................................................................................. 70 “Old” ZIP Archive..................................................................................................... 71 “Temporary” Archive File ....................................................................................... 71 “New” ZIP Archive ................................................................................................... 71 Self-Extracting Archive............................................................................................ 71

10 ABOUT SECURITY, CERTIFICATES, AND ENCRYPTION........................ 75 Keywords, Phrases, and Acronyms Used in This Chapter.................................. 75 Accessing Public and Private Key Certificates .................................................... 76

Public Key Certificate ............................................................................................. 76 Private Key Certificates .......................................................................................... 76

Enterprise Security Configuration ......................................................................... 77 Contents of the Configuration Profile ..................................................................... 77 File and Data Base (DB) (Local Certificate Store) ................................................. 79 LDAP Profile (Networked Certificate Store) ........................................................... 80

Certificate Store Administration and Configuration............................................. 80 Access x.509 Public and Private Key Certificates.................................................. 80 Local Certificate Store ............................................................................................ 80 Certificate Authority and Root Certificates Stores.................................................. 80 Certificate Revocation List Stores .......................................................................... 81 Local Certificate Locator Database ........................................................................ 81 LDAP Certificate Store ........................................................................................... 81

Certificate Authority, Root Certificates and CRL Store Administration............. 82 Local Certificate Store Administration .................................................................. 84

Build Private and Public Store Paths...................................................................... 84 Initialize and Build Certificate Locator Database:................................................... 85

Directory Certificate Store Configuration - LDAP................................................. 86 Testing the LDAP Connection ................................................................................ 86

Getting Started with PKWARE Test Digital Certificates....................................... 87 Step 1: Define IFS Certificate Stores .................................................................... 88 Step 2: Extract Test Certificates, Inlist, Inputs, and Stores................................... 89 Step 3: Setup Security Configuration File with PKCFGSEC Command ............... 90 Step 4: Add Trusted Roots and Intermediate Certificates to the Certificate Stores.91 Step 5: Build the Certificate Locator Database with PKBLDCDB ......................... 92 Step 6: Compress File with Public Digital Certificates .......................................... 93 Step 7: View Details of Archive ............................................................................. 94

vii

Step 8: Decrypting File with Private Key Certificates ............................................ 94 Step 9: Using Input List File for ENTPREC Certificate List ................................... 95 Step 10: Sign Files and Archive with Private Keys ............................................... 96 Step 11: Authenticate Signed Files and Archive ................................................... 97 Step 12: Sign Files and Archive with PK Test 9 Certificate .................................. 99 Step 13: Add CA to Make the Trust Valid and Then Sign Archive........................ 99 Step 14: Revoke PK Test 9 Certificate and Confirm Revocation........................ 100

Filename Encryption.............................................................................................. 102 How SecureZIP Encrypts File Names.................................................................. 102 When SecureZIP Encrypts File Names................................................................ 102 Encrypting File Names When You Update an Archive......................................... 103 Opening and Viewing an Archive that Has Encrypted File Names ...................... 103

Security Examples ................................................................................................. 104 SecureZIP using Recipients or Combo ................................................................ 104 SecureZIP Encryption Using a Recipients List..................................................... 105 SecureZIP Encryption using LDAP search for Recipients ................................... 106

UNZIP Compressed File(s) from an Archive File Using Recipients.................. 106 Unzip Output using Recipients ............................................................................. 107

View the Contents of an Archive File................................................................... 107 View Detail Display............................................................................................... 108

11 PKZIP COMMAND ..................................................................................... 110 PKZIP Command Summary with Parameter Keyword Format.......................... 110 PKZIP Command Keyword Details....................................................................... 116

12 PKUNZIP COMMAND ................................................................................ 152 PKUNZIP Command Summary with Parameter Keyword Format..................... 152 PKUNZIP Command Keyword Details.................................................................. 156

13 PKCFGSEC “CONFIGURE SECURITY PARAMETERS” COMMAND..... 176 PKCFGSEC Command Summary with Parameter Keyword Format ................ 176

Usage Notes......................................................................................................... 176 PKCFGSEC Command Keyword Details ............................................................. 180

Windows Compatibility ......................................................................................... 198

14 PKLDAPTST “LDAP TEST” COMMAND.................................................. 199 PKLDAPTST Command Summary with Parameter Keyword Format............... 199 PKLDAPTST Command Keyword Details............................................................ 200

15 PKBLDCDB “BUILD CERTIFICATE DATABASE” COMMAND............... 203 PKBLDCDB Command Summary with Parameter Keyword Format ................ 203 PKBLDCDB Command Keyword Details ............................................................. 204

viii

16 PKQRYCDB “QUERY CERT DATABASE” COMMAND .......................... 210 PKQRYCDB Command Summary with Parameter Keyword Format............... 210 PKQRYCDB Command Keyword Details............................................................. 210

17 PKSTORADM “CERTIFICATE STORE ADMINISTRATION” COMMAND215 PKSTORADM Command Summary with Parameter Keyword Format ............. 215 PKSTORADM Command Keyword Details .......................................................... 216

18 PROCESSING WITH GZIP......................................................................... 227 Introduction to GZIP (GNU zip)............................................................................. 227 GZIP Archive Files Used By SecureZIP for iSeries ............................................ 228 Cross Platform Compatibility ............................................................................... 229

GZIP Restrictions ................................................................................................. 229 Special Note on GZIP Passwords ........................................................................ 229

Processing GZIP Archives .................................................................................... 229 GZIP Compressing............................................................................................... 230 GZIP Extracting .................................................................................................... 230

Sample GZIP Processing ...................................................................................... 231 Compressing a file................................................................................................ 231

19 MESSAGES................................................................................................ 232 AQZ0001 - AQZ0799 Messages ............................................................................ 234 AQZ0800 - AQZ0899 *VIEW Display Messages................................................... 288 AQZ8xxx Configuration Messages....................................................................... 302 AQZ9xxx LICENSE Messages............................................................................... 311 ZPCA801x – ZPCA899x Messages ....................................................................... 321

A PERFORMANCE CONSIDERATIONS ...................................................... 335 Interactive Performance ........................................................................................ 335 Compression Type Performance.......................................................................... 335 Data Type Selection............................................................................................... 336 Archive Placement (IFS or in a Library)............................................................... 336 ZIP64 Processing Considerations........................................................................ 336 Encryption Performance ....................................................................................... 337 Extended Attributes Selections............................................................................ 337

B EXAMPLES ................................................................................................ 339 Example 1 - PKUNZIP Files to a New or Different Library ................................. 339 Example 2 - CLP with Override for Stdout and Stderr to an OUTQ .................. 340 Example 3 - Creating an Archive in Personal Folders (QDLS).......................... 341

ix

Example 4 - Processing Archive on a CD (QOPT) .............................................. 342 Example 5 - Compressing files from a CD (QOPT)............................................. 343 Example 6 - Compressing CL with MSG Checking ............................................ 344 Example 7 – Compressing Spool Files Samples ................................................ 345 Example 8 – PKZSPOOL The Last Spool File of Current Job ........................... 346 Example 9 - CL to Compress All Spool Files for a Job to a PDF ..................... 346

C MEMORY ERRORS.................................................................................... 348

D EXTERNAL NAME CONVERSION PROGRAM CVTNAME...................... 349 Sample CVTNAME.................................................................................................. 350

E LIST FILES ................................................................................................. 356 Creating List Files .................................................................................................. 356 Using List Files as Input........................................................................................ 356

F TRANSLATION TABLES ........................................................................... 358 Standard Code Page Support with Tables .......................................................... 358 International Code Page Support ......................................................................... 359

Translation Table Layout...................................................................................... 360 Creating New Translation Table Members........................................................... 360 Example of PKZTABLES (USASCII) Translation Table....................................... 360

G IMPLEMENTATION CONSIDERATIONS .................................................. 362 Key Features........................................................................................................... 362

H SPOOL FILES CONSIDERATIONS........................................................... 364 Spool File Selections............................................................................................. 364

SPLF Attributes .................................................................................................... 364 PDF Creation Attributes ....................................................................................... 365

I HISTORY OF CHANGES ........................................................................... 367 RELEASE 5.6 September 2003 ............................................................................ 367 RELEASE 5.5 January 2003 ................................................................................. 368 RELEASE 5.5.1 – March 2003 ............................................................................... 369 RELEASE 5.5.2 – May 2003 ................................................................................... 370

J CREATING COMMANDS WITH NEW DEFAULTS ................................... 371

K EXTENDED ATTRIBUTES......................................................................... 372 Standard QSYS Library File System Attributes .................................................. 372

x

Physical Files (both Source and Data) ................................................................. 372 SAVF .................................................................................................................... 373

Standard IFS Attributes......................................................................................... 373 Advanced Encryption Attributes .......................................................................... 373 DATABASE Attributes ........................................................................................... 373

File Physical Attributes ......................................................................................... 374 File Field Attributes............................................................................................... 375 Key Field Attributes .............................................................................................. 376 Database Attribute Considerations....................................................................... 376 Source File Considerations .................................................................................. 377

Spool File Attributes.............................................................................................. 377

L FIPS-197 CERTIFICATION OF PKZIP FOR AES...................................... 378 Advanced Encryption Standard FIPS Validation ................................................ 378 The AES Algorithm ................................................................................................ 378 AES Key Sizes ........................................................................................................ 378

M CONTACT INFORMATION ........................................................................ 380 PKWARE, Inc. ......................................................................................................... 380

PROBLEM REPORTING ..................................................................................... 380 PROBLEM REPORTING (General) ..................................................................... 380 PROBLEM REPORTING (Licensing)................................................................... 381

GLOSSARY...................................................................................................... 382

INDEX ............................................................................................................... 394

1

Preface

The PKZIP® family of products consists of high performance data compression software. The archives resulting from compression by SecureZIP for iSeries can be transported or transmitted to other operating system platforms where they will undergo decompression by PKUNZIP or an acceptable substitute.

Notices Licensing requirements have changed for this release. See “Licensing Requirements” in Chapter 4 for more details.

About this Manual This manual provides the information needed to utilize SecureZIP for iSeries in an operational environment. It is assumed that people using this manual have a good understanding of (Control Language) CL and dataset processing. Note that the contents of this manual apply to the following operating systems:

• OS/400

• iSeries

• Chapter 1. Provides a general description of the SecureZIP product, which is applicable to all supported platforms. It goes on to describe the OS/400 specific features of the SecureZIP for iSeries product and provides a simple description of how the SecureZIP for iSeries product is used to provide the compression and decompression of datasets.

• Chapter 2. Provides a general discussion of data security along with specific implementations of encryption

• Chapter 3. Provides all of the general getting started information for invoking PKZIP and PKUNZIP. This chapter explains the details associated with compression, decompression, restrictions, migration, and a complete view of the general SecureZIP for iSeries features.

• Chapter 4. Provides detailed information and guidance on installation from tape, CD-ROM, using FTP, general installation procedures, and licensing procedures

• Chapter 5. Provides all of the general file selection and naming processing to include: primary file selection, exclusions, and ZIP archive files

• Chapter 6. Provides a summary of the ZIP file data formats, such as text versus binary, and file attributes

2

• Chapter 7. Provides all of the general rules for extracting files to the QSYS library file system, integrated file system (IFS), and spool files

• Chapter 8. Provides information regarding the OS/400 file processing support for library, integrated file system, SAVF (save files), and spool files

• Chapter 9. Provides detailed information regarding old ZIP files, temporary archives, and new ZIP archives

• Chapter 10. Provides s quick reference to how to start using certificates and file name encryption and discusses how to utilize SecureZIP for iSeries to secure your data

• Chapter 11. Provides a summary and detail of the PKZIP command’s parameters with keyword formats and details

• Chapter 12. Provides a summary and detail of the PKUNZIP command’s parameters with keyword formats and details

• Chapter 13. Provides a summary and detail of the PKCFGSEC command’s parameters with keyword formats and details

• Chapter 14. Provides a summary and detail of the PKLDAPTST command’s parameters with keyword formats and details

• Chapter 15. Provides a summary and detail of the PKBLDCDB command’s parameters with keyword formats and details

• Chapter 16. Provides a summary and detail of the PKQRYCDB command, used to query the certificate locator database files or a certificate file in the IFS

• Chapter 17. Describes the PKSTORADM (Certificate Store Administration) command

• Chapter 18. Describes the GZIP archive format and the GZIP processing supported by SecureZIP for iSeries

• Chapter 19. Lists and explains SecureZIP-generated messages

• Glossary. Contains a glossary of OS/400 specific terms

• Index. Contains a detailed list of terms and their locations within this document

This manual is intended for persons responsible for implementing and using SecureZIP for iSeries. The manual assumes that the reader has a good understanding of CL and dataset processing.

Conventions Used in this Manual Throughout this manual, the following conventions are used:

The use of the Courier font indicates text that may be found in control language (CL), parameter controls, or printed output.

The use of italics indicates a value that must be substituted by the user, for example, a dataset name. It may also be used to indicate the title of an associated manual or the title of a chapter within this manual.

Bullets (•) indicate items (or instructions) in a list.

3

The use of <angle brackets> in a command definition indicates a mandatory parameter.

The use of [square brackets] in a command definition indicates an optional parameter.

A vertical bar (|) in a command definition is used to separate mutually exclusive parameter options or modifiers.

Related Publications The PKZIP family of products includes the following manuals:

• SecureZIP for iSeries User's Guide

• PKZIP for iSeries User's Guide

• SecureZIP for zSeries User's Guide

• PKZIP for zSeries User's Guide

• PKZIP for zSeries & PKZIP for VSE Messages and Codes

• PKZIP for VSE User's Guide

• PKZIP for Command Line - UNIX User's Guide

• PKZIP for Command Line - Windows User's Guide

Related IBM Publications IBM manuals relating to the SecureZIP for iSeries product include:

• System Messages: This manual documents messages issued by the iSeries operating system. The descriptions explain why the component issued the message, provide the actions of the operating system, and suggest responses by the applications programmer, system programmer, and/or operator.

• OS/400 CL Programming (SC41-5721): This manual provides a wide-range discussion of iSeries e Advanced Series programming topics, including: Control language programming, iSeries e Advanced Series programming concepts, objects and libraries, and message handling.

• OS/400 CL Reference (SC41-5722 thru SC41-5726): This manual may be used in the iSeries Information Center to find information on the following CL reference topics: OS/400 commands, OS/400 objects, command description format, command parts, command syntax, about syntax diagrams, CL character sets and values, object naming rules, expressions in CL commands, and command definition statements.

• Integrated File System Introduction (SC41-5711): This book provides an overview of the integrated file system includes these topics:

• What is the integrated file system?

• Why might you want to use it

• Integrated file system concepts and terminology

• Interfaces you can use to interact with the integrated file system

4

• APIs and techniques you can use to create programs that interact with the integrated file system

• Characteristics of individual file systems

• File Management (SC41-5710): This manual describes the data management portion of the Operating System/400 licensed program. Data management provides applications with access to input and output file data that is external to the application. There are several types of these input and output files, and each file type has its own characteristics. In addition, all of the file types share a common set of characteristics.

• DDS Reference (RBAF-P000-00): This manual contains detailed instructions for coding the data description specifications (DDS) for files that can be described externally. These files are the physical, logical, display, printer, and intersystem communications functions, hereafter referred to as ICF files.

Related Information on the Internet PKWARE, Inc. www.pkware.com

FTP site Product Downloads Product Manuals

National Institutes of Standards Computer Security Resource Center http://csrc.ncsl.nist.gov

Information on AES development http://csrc.nist.gov/encryption/aes/

Information on key Management http://csrc.nist.gov/CryptoToolkit/tkkeymgmt.html/

RSA BSAFE® Content library http://www.rsasecurity.com

User Help and Contact Information For Licensing, please contact the Sales Division at 937-847-2374 or email PKSALES@PKWARE.COM.

For Technical Support assistance, please contact the Product Services Division at 937-847-2687 or email technical support or visit the support web site

Appendix M lists the types of information needed to resolve issues with the product.

5

1 SecureZIP for iSeries

SecureZIP for iSeries uses two main commands—PKZIP and PKUNZIP—to control its high-performance data compression functionality. The PKZIP command launches a utility that compresses files and places them in a ZIP format archive. PKUNZIP reverses this process: it decompresses data in a ZIP archive created by SecureZIP or another file compression program and restores the files to their original form. Both commands are controlled by options that allow a variety of functions to be performed.

Multiple levels of processing control are available through the use of customized option modules, shared command lists, and individual job inputs. In addition to file selection, features such as compression levels and performance selections can be specified. Also, a 32-bit cyclic redundancy check (CRC) is a standard feature used to guarantee data integrity.

A ZIP archive is platform-independent; therefore, data compressed (ZIPPED) on one platform, for example, UNIX, can be decompressed (UNZIPPED) on another platform, for example, OS/400 and MVS/ESA, by using a compatible version of PKUNZIP.

Data Compression Because data compression techniques reduce file size, a compressed data file will use less storage space and can be transferred in a faster, more efficient manner. A file can be compressed (a ZIP candidate) to a compact size (ZIPPED file), and then to use the file again, it must be uncompressed or extracted to its original size (UNZIPPED file).

One easy data compression method eliminates repeating or redundant data by replacing it with representative information that will be used when restoring the data. An example of this data compression technique is the Run-Length Encoding method, which applies to redundant data where a repeating character (the run) is represented as a count or value (the length). The compressed form is the repeated character with its count.

Example: B 2 2 2 2 E H H H H H H H H H

Compressed: B *4 2 E *9 H

Note: The efficiency of this method is dependent upon the amount of redundancy in the data.

6

To perform a thorough compression operation, more advanced algorithms and enhanced techniques are required. SecureZIP for iSeries uses just such methods to achieve maximum results.

ZIP Archives SecureZIP for iSeries is capable of storing compressed data in ZIP archives. There is no limit to the number of archives you may create.

ZIP archive capability:

• ZIP archive refers to any valid ZIP-format file created by a PKZIP® 4.x-compatible product.

• ZIP64 refers to ZIP archives that include the ZIP64 format that can handle more than 65,534 files and files that exceed 4 GB. (See “Large Files Considerations”).

• Each standard archive can store up to 65,534 files.

• Files that are over 4 GB have to be archived with GIZP or by using the Large File Support.

• Each standard archive may contain up to 4 GB of data. ZIP64 is required for larger archives.

For each file in the archive, the following information is stored with the compressed data:

• Filename.

• File directory date and time.

• File’s initial CRC value (see Cyclic Redundancy Check).

• Method of compression used.

• SecureZIP for iSeries version required for file extraction.

• File size, uncompressed.

• File size, compressed.

Some files may contain the following additional information:

• The version of SecureZIP for iSeries that created the file.

• File attributes.

• Any comment about the file.

• Any comment about the archive.

• Platform specific attributes (see Cross Platform Compatibility).

• If encrypted and what method of encryption.

Cyclic Redundancy Check Cyclic redundancy check (CRC) is a method used to verify the integrity of a data file after it is restored from a ZIP archive.

7

Before a file is compressed, a SecureZIP for iSeries algorithm computes a 32 bit hexadecimal value for its data. The CRC value is stored in a file that is within the ZIP archive. When the data in the file is extracted, SecureZIP for iSeries processes it again using the same algorithm to produce a second CRC value. Once the file is processed, the original CRC value is compared to the new CRC value to ensure that they match.

Note: If the data is the same as its previous state, the same CRC value will be produced. When the two CRC values are compared, and should the extracted value not match the stored, initial value, the integrity of the file is in question and SecureZIP for iSeries reports the results. In this case, it is possible the data was corrupted within the ZIP Archive.

Encryption SecureZIP for iSeries can encrypt data for security control and provide a password lockout for extracting data. Various security levels are available, with multiple encryption algorithms. See Chapter 2 for a description of security features in SecureZIP for iSeries.

Large Files Considerations

Large File Support Summary The large file support feature known as ZIP64 throughout this manual was added to PKZIP for iSeries in release 5.6. This separately licensed feature of SecureZIP for iSeries provides several enhancements relating to capacity, size, and performance. Some of the key features include:

Processing support (ZIP and UNZIP) for Archives enabled with the standard ZIP64 formats from other platforms.

An increased ZIP archive file capacity is raised from 65,534 to the theoretical limit of 4,294,967,295 files.

An increased user file size handler, raised from 4 Gigabytes minus 1 byte (32 bit binary counter) to a theoretical limit of 9 Exabytes (64 bit binary counter).

An increased support for ZIP archive sizes exceeding 4 Gigabytes (same as user file size limit).

The preceding values are given only as theoretical limits. In practice, there are reasonable limitations due to the availability of resources along with processing tolerances.

Note: 4 GB or Gigabyte is equal to 4,294,967,295 bytes. 9 EB or Exabyte is equal to 9,223,372,036,854,775,807 bytes.

Large File Support File Capacities The original .ZIP file format has faithfully met the needs of computer users since it was introduced by PKWARE in 1989. As computer technology has advanced over time, storage capacities have increased dramatically. These increases make the

8

numbers and sizes of files that seemed unimaginable ten years ago a reality today. To extend the utility of the .ZIP file format to meet these changing system needs, PKWARE extended the .ZIP file format to support more than 65,535 files per archive and archive sizes greater than 4 Gigabytes (GB). This is known as the ZIP64 format.

The specification for the .ZIP file format has been publicly available and distributed by PKWARE in a file called APPNOTE.TXT. This file documents the internal data structures and layout that define a .ZIP archive. The extensions introduced by PKWARE fully supports all the features of your existing archives and newer versions of PKZIP that supports these new extensions will continue to read all of your current archives. Prior to the PKZIP for iSeries 5.6 release, versions of PKZIP on the OS/400 were limited to storing no more than 65,534 files in a .ZIP archive.

Another limitation that existed prior to the 5.6 version of the PKZIP for iSeries was that a single .ZIP archive or files in archive could not be larger than 4 GB (4,294,967,295 bytes). The extended ZIP64 file format specification available with PKZIP 5.6 supports creating .ZIP archives containing over 4 billion files and with sizes larger than 9 quintillion bytes. These are only theoretical limits and most iSeries systems and other computer systems in common use today do not have enough storage capacity, CPU or available memory to create and store ZIP64 archives approaching these limits.

The practical limits imposed by a typical iSeries system in use today and configured with various memory sizes will support compressing up to approximately 265,000 files. Compressing this number of files can take a long time, not only for the compression process, but to manage the directories and properties of each of these files.

Your available system resources (processor speed, DADS, Memory, and other processing) limits the performance you can expect from SecureZIP when processing large numbers of files or large archives. If you are compressing large numbers of files on an iSeries with insufficient memory or other resources you can expect slow processing.

When compressing large files, it is a good idea to have your archives set up to be stored in the IFS rather than in a library/file. The overhead is much less when storing the archive in the IFS. It is even more important when updating or adding to an archive where the temporary archive will also be processed in the IFS

Versions of PKZIP for iSeries prior to 5.6 will not recognize these new features and will be unable to view or extract any files in your archives that are dependent on these ZIP64 features. Also, any ZIP compatible programs you may be using from other companies will not be able to access all of the contents of your large archives. They may report that an archive is too large, or they may incorrectly report that the archive has errors. To ensure access to data in your large archives, always use genuine PKZIP/SecureZIP from PKWARE.

Cross Platform Compatibility Cross platform compatibility provides SecureZIP for iSeries its ability to allow data to move between different computer operating environments. SecureZIP was intentionally designed for cross platform use. Regardless of platform, SecureZIP for iSeries archives are compatible with PKZIP for zSeries, PKZIP for MVS, PKZIP for OS/400, PKZIP for VSE, PKZIP for UNIX, PKZIP for LINUX, PKZIP for DOS, and PKZIP for Windows to name a few. Because SecureZIP for iSeries

9

automatically converts the data between EBCDIC and ASCII, files prepared on the host are readable on any PC or UNIX system. The internal format of a ZIP archive is identical regardless of which platform compressed the files that the archive contains. If you want to transfer data across platforms using any other ZIP utility, you should always run a test to verify the cross platform compatibility.

SecureZIP for iSeries uses the same ZIP file format used by other ZIP compatible products, independent of the platform on which it is running. SecureZIP for iSeries archives are not platform dependent allowing greater flexibility in file usage. Data can be zipped on one platform, for example UNIX, and unzipped onto another platform, such as OS/400. To do this, SecureZIP for iSeries converts the data structure into the ZIP format and saves the appropriate file information in the ZIP archival directory entries.

ZIP File Format Specification The following table lists features of the ZIP file format specification supported on the zSeries and iSeries platforms.

ZIP Feature Version MVS/zSeries OS400/iSeries

Default 1.0

File represents a volume label 1.1 Not supported Not supported

File represents a folder 2.0 Not supported Not supported

Deflate compression 2.0 2.x 2.x

Traditional encryption 2.0 2.x 2.x

Deflate64 compression 2.1 Not supported Not supported

DCL Implode compression 2.5 Not supported Not supported

File is a patched data set 2.7 Not supported Not supported

File uses Zip64 size extensions 4.5 5.6 5.6

BZip2 compression 4.6 Not supported Not supported

DES encryption 5.0 8.0 8.0

3DES encryption 5.0 8.0 8.0

RC2 encryption 5.0 Not supported Not supported

RC4 encryption 5.0 8.0 8.0

AES encryption 5.1 5.5 5.5

Certificate encryption using non-OAEP key wrapping 6.1 8.0 8.0

Central Directory Encryption (File Name Encryption) 6.2 8.0 8.0 If you want to transfer data across platforms using any other ”ZIP compatible” product, you should check with the supplier first to confirm which versions of PKZIP it is compatible with.

For more information regarding data formats, see “Data Format - Text Records vs. Binary Records” in Chapter 6 for a discussion regarding special considerations when transferring files between different platform types.

10

Release Summary

New Features in SecureZIP for iSeries Release 8.1 • File and archive signing

• File and archive authentication

• Digital signing and authentication

• Support for a static certificate revocation list

• Master recipient/contingency key for use with strong encryption

• New command PKSTORADM – Certificate Store Administration

• New command PKQRYCDB – Query Certificate Locator Database

New Features in SecureZIP for iSeries Release 8.0 • Product separation: PKZIP for iSeries™ and SecureZIP™ for iSeries

• BSAFE® encryption

• More encryption algorithms for strong security

• Performance improvement with AES encryption

• ZIP and UNZIP supports encrypting and decrypting using digital certificates.

• Support for storing and managing digital certificates

• Support for utilizing directory integration (LDAP) for public certificate access

• File name encryption

• More translations tables included for ASCII-EDCDIC translations

• Provided the ability to have embedded spaces in the EXCLUDE file names

• Added the new option *LIBS to Spool File selection parameter SFQUEUE. By specifying *LIBS (Library Scan) for the OUTQ and a valid OUTQ library name, PKZIP will only select spool files from all OUTQs in the specified library.

• Expanded the CRTLIST file name parameter to handle up to 255 characters for longer paths in the IFS

• Added *SIMULATE to the CRTLIST parameter in the PKZIP command. *SIMULATE will list all files selected instead of writing the selected list to a file.

• Default Changes: For SecureZIP ADVCRYPT is now AES256

• New Commands: PKCFGSEC –Update Security Configuration, PKLDAPTST -LDAP Testing, and PKBLDCDB –Build Certificate Locator Database

SecureZIP for iSeries Restrictions Due to various iSeries processing characteristics, the following restrictions should be carefully reviewed to determine the best way to proceed when using SecureZIP for iSeries:

11

SecureZIP for iSeries in the QSYS file system will only work with objects that have an object type of *FILE and an attribute of PF-DTA, PF-SRC, and SAVF. To process other objects such as *PGM, *CMD, etc., use the SAVF method (see “Use of SAVF Method” in Chapter 3).

SecureZIP for iSeries in the integrated file system (IFS) will only work with stream files (*STRM) and directories (*DIR).

Special database functionality, such as triggers, file constraints, alternate collating sequence, and logical files are not stored in an archive. To maintain this functionality, use the SAVF method (see “Use of SAVF Method”).

Special database fields for large objects (LOB) are not supported. These fields include: character large objects (CLOBs), double-byte character large objects (DBCLOBs), and binary large objects (BLOBs). In cases where the database contains one of these types of fields, use the SAVF Method.

12

2 Data Security

This chapter details how SecureZIP for iSeries can strongly encrypt data for security control and protection. Much of the reference information in this chapter derives from the National Institutes of Standards and Technology. The NIST Computer Security Resource Center web site, http://csrc.ncsl.nist.gov/, contains FAQ’s and documentation relating to computer security along with the Federal Information Processing Standard (FIPS) documents. In addition, the PKWARE web site, WWW.PKWARE.COM, contains information relating to security and links to the RSA Security, Inc web site that describes in detail the BSAFE implementation used in SecureZIP for iSeries.

The following sections describe encryption, authentication, types of algorithms in use, information about specific mandates requiring the use of secure data and how SecureZIP for iSeries will secure that data. Examples of how SecureZIP for iSeries can be used are provided in Chapter 10. Documentation for each command can be found in the subsequent chapters.

Encryption Encryption provides confidentiality for data. The data to be protected is called plaintext. Encryption transforms the plaintext data into an unreadable form, called ciphertext, using an encryption key. Decryption transforms the ciphertext back into plaintext using a decryption key. Several algorithms have been approved in FIPS for the encryption of general purpose data. Each of these algorithms is a symmetric key algorithm, where the encryption key is the same as the decryption key. In order to maintain the confidentiality of the data encrypted by a key, the key must be known only by the entities that are authorized to access the data. These symmetric key algorithms are commonly known as block cipher algorithms, because the encryption and decryption processes each operate on blocks (chunks) of data of a fixed size.

FIPS 46-3 and FIPS 197 have been approved for the encryption of general-purpose data. The protection of keys is discussed below under Key Management.

SecureZIP for iSeries uses symmetric key algorithms when encrypting user data.

13

Authentication Authentication is the process of validating digital signatures that may be attached to files in an archive or to an archive’s central directory.

Authentication is a separate operation from data encryption. Whereas encryption is concerned with preventing parties from accessing sensitive data (such as private medical or financial information), authentication confirms that information actually comes unchanged from the purported source.

Authenticating digitally signed data both verifies the signature and validates the signed data.

Data Integrity SecureZIP uses a cyclic redundancy check (CRC) to ensure that data is successfully transferred into and out of a ZIP archive. The CRC process creates a unique hash value “thumbprint” from the original data stream. The thumbprint is regenerated at the receiving end and compared with the hash of the source for equality. The thumbprint value is stored independently of the data stream and is used during UNZIP processing to complete validation of the data.

SecureZIP extends the concept of the CRC in two ways for the purpose of providing a tamper-resistant container within the ZIP archive. First, more rigorous HASH algorithms (MD5 and SHA-1) are used (as specified by the SIGN_HASHALG command) in place of the 32-bit CRC to accurately reflect the uniqueness of the data stream. Second, the hash value is encrypted within a digital signature using a private-key certificate to protect it from tampering.

For more information regarding SHA-1 (Secure Hash Algorithm), see FIPS PUB 180-1, describing the Secure Hash Standard, at http://www.itl.nist.gov/fipspubs/fip180-1.htm.

SecureZIP for iSeries provides two commands, SIGN_ARCHIVE and SIGN_FILES, to intiate the creation of digital signatures within the ZIP archive. The AUTHCHK command is used to perform a tamper check operation using the digital signature and hash.

Digital Signature Validation SecureZIP makes use of certificate-based encryption within the public key infrastructure (PKI) to generate and validate digital signatures. PKI provides an authentication chain for certificates to guarantee that the signature was created by the purported source. SecureZIP supports the certificate chain authentication process by including necessary identification information within the ZIP archive. Subsequently, the certificate(s) used for signing can be authenticated through a complete chain of trust.

To complete the chain of trust, a root (or self-signed) certificate representing the certificate’s issuing organization is installed on the authenticating system. This provides the receiving organization with the authority to declare how the final trust sequence should be treated. Signatures based on certificates from certificate authorities (CA) that are not authorized or trusted are declared as being untrusted by SecureZIP.

14

Additional facets of validating a certificate’s viability for use include a defined range of dates within which a certificate may be used and whether the certificate has been declared to have been revoked. Configurable SecureZIP policies (EXPIRED and REVOKED attributes) provide support to ensure that the certificates involved in authentication also adhere to these restrictions.

SecureZIP for iSeries provides a means to install and access the certificates necessary for signing and authentication. The AUTHCHK command, along with configured policy settings governs the type (archive directory or data files) and level of authentication that is to be performed.

Digital Signature Source Validation A final step in completing the authentication process is to ensure that the archive and/or file data was sent from a particular source. Up to this point, using the previous two aspects of authentication, we are certain that the archive directory and/or files were signed with a private-key certificate that came from a trusted source (CA) and that the data stream has not been tampered with since it was placed into the ZIP archive. However, these steps alone do not guarantee that a different party under the same root/CA chain did not perform the signing operation.

SecureZIP for iSeries provides an optional parameter in the AUTHCHK command to declare the specific party from whom the data is expected.

Public-Key Infrastructure and Digital Certificates

Public-Key Infrastructure (PKI) Use of digital certificates for encryption and digital signing relies on a combination of supporting elements known as a public-key infrastructure (PKI). These elements include software applications such as SecureZIP that work with certificates and keys as well as underlying technologies and services.

The heart of PKI is a mechanism by which two cryptographic keys associated with a piece of data called a certificate are used for encryption/decryption and for digital signing and authentication. The keys look like long character strings but represent very large numbers. One of the keys is private and must be kept secure so that only its owner can use it. The other is a public key that may be freely distributed for anyone to use to encrypt data intended for the owner of the certificate or to authenticate signatures.

How the Keys Are Used With encryption/decryption, a copy of the public key is used to encrypt data such that only the possessor of the private key can decrypt it. Thus anyone with the public key can encrypt for a recipient, and only the targeted recipient has the key with which to decrypt.

With digital signing and authentication, the owner of the certificate uses the private key to sign data, and anyone with access to a copy of the certificate containing the public key can authenticate the signature and be assured that the signed data really proceeds unchanged from the signer.

15

Authentication has one additional step. As an assurance that the signer is who he says he is—that the certificate with Bob’s name on it is not fraudulent—the signer’s certificate itself is signed by an issuing certificate authority (CA). The CA in effect vouches that Bob is who he says he is. The CA signature is authenticated using the public key of the CA certificate used. This CA certificate too may be signed, but at some point the trust chain stops with a self-signed root CA certificate that is simply trusted. The PKI provides for these several layers of end-user public key certificates, intermediate CA certificates, and root certificates, as well as for users’ private keys.

X.509 X.509 is an International Telecommunication Union (ITU-T) standard for PKI. X.509 specifies, among other things, standard formats for public-key certificates. A public-key certificate consists of the public portion of an asymmetric cryptographic key (the public key), together with identity information, such as a person’s name, all signed by a certificate authority. The CA essentially guarantees that the public key belongs to the named entity.

Digital Certificates A digital certificate is a special message that contains a public key and identify information, such as the owner’s name and perhaps email address, about the owner. An ordinary, end-user digital certificate is digitally signed by the CA that issued it to warrant that the CA issued the certificate and has received satisfactory documentation that the owner of the certificate is who he says he is. This warrant, from a trusted CA, enables the certificate to be used to support digital signing and authentication, and encryption of data uniquely for the owner of a certificate.

For example, Web servers frequently use digital certificates to authenticate the server to a user and create an encrypted communications session to protect transmitted secret information such as Personal Identification Numbers (PINs) and passwords.

Similarly, an email message may be digitally signed, enabling the recipient of the message to authenticate its authorship and that it was not altered during transmission.

To use PKI technology in SecureZIP for iSeries for encryption and to attach digital signatures, you must have a digital certificate. To learn how to get a digital certificate and to use certificates for encryption, see Chapter 10.

Certificate Authority (CA) A certificate authority (CA) is a company (usually) that, for a fee, will issue a public-key certificate. The CA signs the certificate to warrant that the CA issued the certificate and has received satisfactory documentation that the owner of the new certificate is who he says he is.

Private Key A digital certificate contains both private and public portions of an asymmetric cryptographic key together with identity information, such as a person's name and (possibly) email address. The private portion of the key is called the private key and

16

is used to decrypt data encrypted with the associated public key and to attach digital signatures.

A private key must be accessible solely by the owner of the certificate because it represents that person and provides access to encrypted data intended only for the owner.

SecureZIP for iSeries uses a private key maintained in x.509 PKCS#12 format. This means that the private key cannot be accessed unless a password is entered for each SecureZIP request.

Public Key A public key consists of the public portion of an asymmetric cryptographic key in a certificate that also contains identity information, such as the certificate owner’s name.

The public key is used to authenticate digital signatures created with the private key and to encrypt files for the owner of the key’s certificate.

For information on the digital enveloping process SecureZIP for iSeries uses for certificate-based encryption, see the Secure .ZIP Envelopes whitepaper at the PKWARE Web site.

Certificate Authority and Root Certificates End entity certificates and their related keys are used for signing and authentication. They are created at the end of the trust hierarchy of certificate authorities. Each certificate is signed by its CA issuer and is identified in the “Issued By” field in the end certificate. In turn, a CA certificate can also be issued by a higher level CA. Such certificates are known as intermediate CA certificates. At the top of the issuing chain is a self-signed certificate known as the root.

SecureZIP for iSeries uses public-key certificates in PKCS#7 format. The intermediate CA certificates are maintained independently from the ROOT certificates.

Types of Encryption Algorithms

FIPS 46-3, Data Encryption Standard (DES) The FIPS (Federal Information Processing Standards) specification 46-3 formerly specified the DES algorithm for use in Federal government applications. In 2004, the specification was changed such that DES is no longer approved for Federal government applications.

Triple DES Algorithm (3DES) Triple DES is a more recent algorithm related to DES. Triple DES is a method for encrypting data in 64-bit blocks using three 56-bit keys by combining three successive invocations of the DES algorithm.

17

ANSI X9.52 specifies seven modes of operation for 3DES and three keying options: 1) the three keys may be identical (one key 3DES), 2) the first and third key may be the same but different from the second key (two key 3DES), or 3) all three keys may be different (three key 3DES). One key 3DES is equivalent to DES under the same key; therefore, one key 3DES, like DES, will not be approved after 2004. Two key 3DES provides more security than one key 3DES (or DES), and three key 3DES achieves the highest level of security for 3DES. NIST recommends the use of three different 56-bit keys in Triple DES for Federal Government sensitive/unclassified applications.

SecureZIP for iSeries uses three-key 3DES when Triple DES is selected as the data encryption algorithm.

Advanced Encryption Standard (AES) The Advanced Encryption Standard (AES) encryption algorithm specified in FIPS 197 is the result of a multiyear, worldwide competition to develop a replacement algorithm for DES. The winning algorithm (originally known as Rijndael) was announced in 2000 and adopted in FIPS 197 in 2001.

The AES algorithm encrypts and decrypts data in 128-bit blocks, with three possible key sizes: 128, 192, or 256 bits. The nomenclature for the AES algorithm for the different key sizes is AES-x, where x is the size of the AES key. NIST considers all three AES key sizes adequate for Federal Government sensitive/unclassified applications.

Please see http://www.nist.gov/public_affairs/releases/g00-176.htm a press release recapping NIST’s position

SecureZIP for iSeries uses AES as the default encryption algorithm.

Comparison of the 3DES and AES Algorithms Both the 3DES and AES algorithms are considered to be secure for the foreseeable future. Below are some points of comparison:

• 3DES builds on DES implementations and is readily available in many cryptographic products and protocols. The AES algorithm is new; although many implementers are quickly adding the algorithm to their products, and protocols are being modified to incorporate the algorithm, it may be several years before the AES algorithm is as pervasive as 3DES.

• The AES algorithm was designed to provide better performance (e.g., faster speed) than 3DES.

• Although the security of block cipher algorithms is difficult to quantify, the AES algorithm, at any of the key sizes, appears to provide greater security than 3DES. In particular, the best attack known against AES-128 is to try every possible 128-bit key (i.e., perform an exhaustive key search, also known as a brute force attack)). By contrast, although three key 3DES has a 168-bit key, there is a “shortcut” attack on 3DES that is comparable, in the number of required operations, to performing an exhaustive key search on 112-bit keys. However, unlike exhaustive key search, this shortcut attack requires a lot of memory. Assuming that such shortcut attacks are not discovered for the AES algorithm, the uses of the AES algorithm may be more appropriate for the protection of high-risk or long-term data.

18

• The smallest AES key size is 128 bits; the recommended key size for 3DES is 168 bits. The smaller key size means that fewer resources are needed for the generation, exchange, and storage of key bits.

• The AES block size is 128 bits; the 3DES block size is 64 bits. For some constrained environments, the smaller block size may be preferred; however, the larger AES block size is more suitable for cryptographic applications, especially those requiring data authentication on large amounts of data.

See http://www.nist.gov/public_affairs/releases/g00-176.htm for a press release describing NIST’s position on the two algorithms.

With a block cipher algorithm, the same plaintext block will always encrypt to the same ciphertext block whenever the same key is used. If the multiple blocks in a typical message were to be encrypted separately, an adversary could easily substitute individual blocks, possibly without detection. Furthermore, data patterns in the plaintext would be apparent in the ciphertext. Cryptographic modes of operation have been defined to alleviate these problems by combining the basic cryptographic algorithm with a feedback of the information derived from the cryptographic operation.

FIPS 81, DES Modes of Operation, defines four confidentiality (encryption) modes for the DES algorithm specified in FIPS 46-3: the Electronic Codebook (ECB) mode, the Cipher Block Chaining (CBC) mode, the Cipher Feedback (CFB) mode, and the Output Feedback (OFB) mode.

SecureZIP for iSeries uses Cipher Block Chaining for data encryption.

RC4 The RC4 algorithm is a stream cipher designed by Rivest for RSA Security. It is a variable key-size stream cipher with byte-oriented operations. The algorithm is based on the use of a random permutation. Analysis shows that the period of the cipher is overwhelmingly likely to be greater than 10100. Eight to sixteen machine operations are required per output byte, and the cipher can be expected to run very quickly in software. Independent analysts have scrutinized the algorithm and it is considered secure.

RC4 is used for secure communications, as in the encryption of traffic to and from secure web sites using the SSL protocol.

Key Management The proper management of cryptographic keys is essential to the effective use of cryptography for security. Keys are analogous to the combination of a safe. If the combination becomes known to an adversary, the strongest safe provides no security against penetration. Similarly, poor key management may easily compromise strong algorithms. Ultimately, the security of information protected by cryptography directly depends on the strength of the keys, the effectiveness of mechanisms and protocols associated with keys, and the protection afforded the keys.

Cryptography can be rendered ineffective by the use of weak products, inappropriate algorithm pairing, poor physical security, and the use of weak protocols. All keys need to be protected against modification, and secret and private keys need to be protected against unauthorized disclosure. Key management provides the foundation

19

for the secure generation, storage, distribution, and destruction of keys. Another role of key management is key maintenance, specifically, the update/replacement of keys.

Further information is available on key management at the NIST Computer Security Resource Center web site, http://csrc.nist.gov/CryptoToolkit/tkkeymgmt.html

Passwords and PINS FIPS 112, Password Usage, provides guidance on the generation and management of passwords that are used to authenticate the identity of a system user and, in some instances, to grant or deny access to private or shared data. This standard recognizes that passwords are widely used in computer systems and networks for these purposes, although passwords are not the only method of personal authentication, and the standard does not endorse the use of passwords as the best method.

The password used to encrypt a file with SecureZIP may be from 1 to 200 characters in length. Different passwords may be used for various files within a ZIP archive, although only one password may be specified per run.

The password is not stored in the ZIP archive and, as a result, care must be taken to keep passwords secure and accessible by some other source.

Recipient Based Encryption Password-based encryption depends on both the sender and receiver knowing, and providing intellectual input (the password) in clear text. The password is used to derive a binary master session key for each decryption run. No key information is kept within the ZIP Archive, therefore both parties must retain the password in an external location.

Recipient-based encryption provides a means by which the master session key (MSK) information can be hidden, protected, and carried within the ZIP Archive. This is done by using technique known as Digital Enveloping with public key Encryption. The technique requires that the creating process have a copy of the recipient's public key Digital Certificate, which is used to protect and store the MSK. In addition, the receiving side must have a copy of the recipient’s private key digital certificate. With these two pieces of information in place, there is no need for users to retain or recall a password for decryption.

Random Number Generation Random numbers are used within many cryptographic applications, such as the generation of keys and other cryptographic values, the generation of digital signatures, and challenge response protocols. Some approved algorithms to produce random numbers have been specified in FIPS 186-2, Digital Signature Standard. An effort is in progress by the Financial Services Committee of ANSI to develop a random number generation standard.

20

Integrity of Public and Private Keys Public and private keys must be managed properly to ensure their integrity. The key owner is responsible for protecting private keys. The private signature key must be kept under the sole control of the owner to prevent its misuse. The integrity of the public key, on the other hand, is established through a digital certificate issued by a certificate authority that cryptographically binds the individual’s identity to his or her public key. Binding the individual’s identity to the public key corresponds to the protection afforded to an individual’s private signature key.

A PKI includes the ability to recover from situations where an individual’s private signature key is lost, stolen, compromised, or destroyed; this is done by revoking the digital certificate that contains the private signature key’s corresponding public key. The user then creates or is issued a new public/private signature key pair, and receives a new digital certificate for the new public key.

The certificate authority (CA) plays a critical role in ensuring the integrity of public keys in the PKI. Upon being presented with proper evidence of identity (usually through a separate entity called a Registration authority), the CA issues a digital certificate which contains the applicant’s public key, identity, and other information (such as duration of the certificate), all signed by the CA’s private signature key. The certificate may then be distributed or placed in publicly available databases, called repositories. The CA operates under a Certificate Policy (CP) and Certification Practices Statement (CPS) that collectively describe the CA’s responsibilities and duties to its customers and trading partners. These policies include how the CA is conducting its affairs in compliance with its contracts and, where applicable, federal or state laws. The uses for which a certificate may be employed depend upon the requirements surrounding its issuance; for example, the method of identity proofing by the RA before certificate issuance and how well the private signature key is protected.

Meeting Current Challenges The need to secure sensitive data during transport and storage is increasingly evident. Combining proven data compression technology with sophisticated data security capabilities provides a logical mechanism for securely and efficiently storing and transferring sensitive information. Millions of users around the world already rely on and trust the ZIP format to store and exchange data. By offering support for multiple levels of encryption, SecureZIP for iSeries is now advancing the usability and accessibility of file security, enabling ZIP users to achieve more secure and efficient modes of data communication than were previously possible.

SecureZIP for iSeries enables support for encryption and meets government established requirements by applying strong encryption (DES, RC4, 3DES and AES). See Appendix L for FIPS-197 AES Certification of PKZIP.

Industry-Specific Mandates Financial Services Modernization Act - Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act, permits the cross ownership of banks, brokerage firms and insurance companies, which was banned during the Great Depression. Prompted by the merger of Citicorp and Travelers Insurance, which also owned brokerage house Salomon Smith Barney, to form what is now known as

21

Citigroup, the GLB Act was enacted in 1999 to enable financial services firms to provide a wide range of services to their customers. To protect sensitive customer information, the GLB Act requires institutions to ensure the privacy and security of customer data. Compliance with these security standards requirements is essential and organizations must have their infrastructures audited to ensure they are meeting federal guidelines.

The Electronic Signature Act - A digital signature is now just as valid as a handwritten one. The Electronic Signature Act went into effect in 2000 and states that a digital signature is legally binding. However, there has been no simple software tool that a business can give to an employee, or a customer for that matter, that allows individuals to easily invoke a digital signature on a file. By accepting digital signatures, companies can more expeditiously eliminate paper documents from processes that once required handwritten ones-such as filing an application for a loan or opening a new brokerage account online. This streamlines business' ability to process transactions by eliminating the need and cost of human intervention, and it promises to improve customer satisfaction.

The Health Insurance Portability and Accountability Act (HIPAA)- HIPAA allows for the secure exchange of patient records between insurance companies and agencies, including clearing houses and the Medicare and Medicaid programs, with the aim of simplifying administration. HIPAA stipulates that industry participants should be able to exchange documentation electronically and that electronic signatures are binding. Those transmitting the data over networks are responsible for encrypting patient data to assure patient privacy is not compromised. Meeting critical HIPAA electronic security requirements using SecureZIP extends the trusted de-facto standard ZIP archive in an evolutionary way to provide persistent secure archive for sensitive medical records for online transmission or transport. The United States Department of Health and Human Services has established rolling deadlines for supporting HIPAA, with some already in effect while others are yet to be determined. HHS recommends, however, that affected healthcare providers implement standards prior to any established deadlines. Meeting HIPAA security and electronic signature requirements now helps protect against fraud and abuse of patient information. Once the rules take effect, those entities that do not protect sensitive patient information as mandated by HIPAA could face criminal penalties and fines of $25,000 per individual per year.

The Basel II Capital Accord - Basel II is an amended regulatory framework that has been developed by the Bank of International Settlements that requires all internationally active banks, at every tier within the banking group, to adopt similar or consistent risk-management practices for tracking and publicly reporting exposure to operational, credit and market risks. It requires the identification of risks that a company is exposed to, a report detailing the processes in place for identifying and measuring future risk, and confirmation that sufficient cash reserves are available to cover all risk exposure – capital held must be closely matched to risks undertaken.

UK Data Protection Act - The Data Protection Act 1998 came into force on March 1, 2000 and implements the EC Directive. It applies to computerized personal data as well as data held in structured manual files. There are eight principles put in place by the DPA to make sure that sensitive personal information is handled properly. They say that data must be:

22

• Fairly and lawfully processed

• Processed for limited purposes

• Adequate, relevant and not excessive

• Accurate

• Not kept for longer than is necessary

• Processed in line with the individual’s rights

• Secure

• Not transferred to countries without adequate protection

Data Encryption SecureZIP for iSeries security functions include strong encryption tools using RSA BSAFE and the PKWARE implementation of the Advanced Encryption Standard. SecureZIP for iSeries provides the option for password encryption using DES, RC4, 3DES and AES.

RSA High-Quality Security - RSA Security submits its Crypto-C products for FIPS 140 testing and validation. FIPS 140-1 and FIPS 140-2 are U.S. Government standards which specify the security requirements to be satisfied by a cryptographic module. RSA Security supports this testing and certification with over 20 years of experience in the security industry.

SecureZIP for iSeries uses a multi-layer key generation process, based on a user-specified password of up to 200 characters, and/or a user’s digital certificate, that creates a unique internal key for each file being processed. In addition, the same password will result in a different system generated key for each file.

SecureZIP for iSeries also implements the use of Cipher Block Chaining (CBC) to further enhance industry standard encryption algorithms. This feature ensures that each block of data is uniquely modified, further protecting the data from fraudulent access.

SecureZIP for iSeries encryption is activated through the use of the -PASSWORD and -RECIPIENT commands. If a value is present for either setting, whether through commands or default settings, then encryption will be attempted in accordance with other settings (for example, -ADVCRYPT); however, if ADVCRYPT=NONE is specified, then encryption will be bypassed.

The following matrix illustrates cross-product compatibility of encrypted data and general encryption options available on the operating systems supported by PKZIP.

23

Cross Product Matrix The following table shows encryption methods and features available with various PKWARE products.

ENCRYPTION TYPES/ PRODUCTS

96 bit Password

PKWARE Certificate*

128, 192, & 256-bit AES Password

BSAFE® AES 128, 192, & 256-bit

CIPHER-BLOCK CHAINING

BSAFE® DES, 3DES, & RC4

Generic ZIP Utilities

X

PKZIP for Windows

X X X X X X

PKZIP for UNIX

X X X X X X

PKZIP for OS/400

X X X

PKZIP for zSeries

X X X X X

SecureZIP for zSeries

X X X X X X

PKZIP for VSE X

PKZIP for MVS 5.5

X X X

PKZIP for iSeries

X X X X X

SecureZIP for iSeries

X X X X X X

*Archives created under PKZIP for Windows and PKZIP for UNIX using the setting Strong: Recipient List or Password can be decrypted with the password on iSeries systems running release 8.0 or later.

Operating System Levels V5R1M0 or above is required to run certificate-based operations.

Windows Compatibility When using BSAFE AES encryption with recipients, there is a cross-system compatibility issue to be addressed by the user community. Windows operating systems running pre-Windows XP may experience a decryption problem depending on the state of the private-key certificate on the workstation. During the Windows certificate import process, a dialog check-box "Mark the private key as exportable" may be selected. If this option was not selected, then Windows will not allow an AES encrypted file to be decrypted unless the master session key was wrapped with 3DES.

The setting of the parameter is enterprise wide and is set using the PKCFGSEC command. When turned on, the MSK3DES flag is set in the NDH/DIB; indicating that

24

the master session key information is protected with 3DES when recipients are specified.

PKZIP for Windows has a variance in processing for 6.0 and 7.x due to OAEP processing. PKZIP for Windows 5.0 through 6.0 used OAEP processing. However, that was found to be incompatible with SmartCards, so 6.1 and above began setting the NO_OAEP flag in the NDH/DIB flags and stopped creating OAEP encryption-mode files.

SecureZIP for iSeries will always set NO_OAEP, therefore PKZIP for Windows 5.0 - 6.0 will not be able to read recipient-based files from the large platforms.

SecureZIP for iSeries should be able to detect whether the NO_OAEP flag is set and successfully extract either. No change in logic is required within the SecureZIP high-level code, but the low-level EVTCERTD code should handle the switch based on the flag.

General Questions to help you get started with SecureZip for iSeries

How do I activate encryption in SecureZIP for iSeries? Encryption is activated through the use of the PASSWORD (and/or ENTPREC for SecureZIP) parameters. If a value is present for either setting then encryption will be attempted in accordance with other settings (such as ADVCRYPT). However, if ENTPREC (*NONE) is specified, then encryption will be bypassed.

Note that certificate-based encryption with ENTPREC for recipients is only supported by SecureZIP. In addition, this mode of encryption requires that one of the Strong ENCRYPTION Methods (minimum 128-bit) be selected.

How does Master Recipient / Contingency Key affect activation? When SecureZIP is used to encrypt data, either with ENTPREC or PASSWORD, then a recipient specified in the enterprise security configuration file is automatically included. However, simply setting a master recipient in the enterprise security configuration file does not cause encryption to take place.

How does recipient-based encryption differ from password? Password-based encryption depends on both the sender and receiver knowing, and providing input (the password) in clear text. The password is used to derive a binary master session key for each decryption run. No key information is kept within the ZIP Archive, therefore both parties must retain the password in an external location.

Recipient-based encryption provides a means by which the master session key (MSK) information can be hidden, protected, and carried within the ZIP archive. This is done by using technique known as digital enveloping with public key encryption. The technique requires that the creating process have a copy of the recipient's public key digital certificate, which is used to protect and store the MSK. In addition, the receiving side must have a copy of the recipient's private key digital certificate. With these two pieces of information in place, there is no need for users to retain or recall a password for decryption.

25

What is a digital certificate store? Recipient-based encryption requires that public and private key certificates be used by SecureZip for iSeries. These are kept in file streams encoded according to the X.509 standard. A certificate store is the location of where various types of certificates are kept and accessed.

The primary stores used by SecureZip for iSeries include:

CSPUB: Certificate store for individual public-key X.509 certificates on the local system.

CSPRVT: Certificate store for individual private-key X.509 certificates on the local system.

CSCA: Certificate store For Certificate authority public-key X.509 certificates on the local system.

CSROOT: Certificate store for the trusted root public-key X.509 certificates on the local system.

CSCRL: Certificate revocation list store static CRL processing on the local system.

LDAP: Certificate store for individual public-key X.509 certificates accessible via a TCPIP network.

Can both recipient-based and password encryption be used together? Yes, when both ENTPREC for recipient and PASSWORD settings are used, to encrypt a file, the master session key is derived from the password and also protected by using public key encryption. This means that a ZIP file may be decrypted either by a user who knows the password, or who has their private key certificate available.

How does ENCRYPTION METHOD pertain to recipient or password encryption? Public/private key encryption using BSAFE is used to digitally envelope the master session key information. Once the master session key is determined, an independent file session key is derived (which is unique for each file) to encrypt the file data with a symmetric algorithm specified by ADVCRYPT. Several algorithms are supplied with SecureZip for iSeries. Any algorithm may be specified for use with PASSWORD. However, only those prefixed with "BSAFE" are valid for use with ENTPREC for recipients.

Which encryption settings should I choose? Various external factors such as legislative requirements or corporate policy may influence your decision to select an algorithm or mode of encryption. However, when operating within those requirements, the following SecureZip for iSeries information may be of value.

NIST has instructional information regarding password versus certificate-based (PKI) encryption. In general, certificate-based encryption is accepted to be more secure than password-based encryption.

With the exception of supporting the older 96-bit "Standard" SecureZip for iSeries ADVCRYPT, newer algorithms are provided at a minimum of 128 bits.

PKWARE provides interoperability between OS/390, zOS, OS400, iSeries, UNIX and Windows for all algorithms provided with ADVCRYPT with its product set at release

26

8.0 and above. This includes more advanced algorithms with minimum key lengths of 128 bits.

Older releases of PKWARE products, including PKZIP for VSE and PKZIP for VM support "Standard" 96-bit encryption for wider cross-platform compatibility when required.

When RECIPIENT PKI exchanges are required, then ADVCRYPT must specify algorithms that begin with BSAFE.

Password-based AES encryption is supported by PKWARE products at release 5.5 or higher.

BSAFE_AES and AES password-based encryption are 100% compatible. Archives created with PKZIP for iSeries Release 5.5 can be bi-directionally exchanged with SecureZip or PKZIP products using the BSAFE AES algorithms.

The BSAFE algorithms provided for the OS/400 and iSeries products are high-performance algorithms. The 128-bit BSAFE algorithms out-perform the older 96-bit PKZIP "Standard" algorithm.

How many recipients can be specified? The ZIP file format specification allows for a maximum recipient list size of 3,275. This can be restricted further by other file attributes associated with the data, and by run-time capacity limitations (such as virtual storage). (Note: Approximately 20 bytes are required for each recipient within the ZIP Archive central directory record for each file. This area is limited to 64K in size). At this time the command allows 30 recipients so to reach the max would require using the Inlist approach.

What is Filename Encryption? Someone who cannot decrypt the contents of an archive may still be able to infer sensitive information just from the unencrypted names of files. To prevent this, you can encrypt the names of files in addition to their contents. Encrypted file names can be viewed in the clear—that is, unencrypted—only when the archive is opened by an intended recipient, if the archive was encrypted using a recipient list, or by someone who has the password, if the archive was encrypted using a password.

SecureZip for iSeries encrypts file names using your current settings for (strong) encryption method and algorithm. File names can be encrypted using either strong password encryption or a recipient list (or both). You must use one of the strong encryption methods: you cannot encrypt file names using traditional, ADVCRYPT(ZIPSTD), which uses a 96-bit key.

Encrypting names of files and folders in an archive encrypts and hides a good deal of other internal information about the archive as well. To encrypt file names, SecureZip for iSeries encrypts the archive's central directory, where virtually all such metadata about the archive is stored. Be aware, however, that archive comments are not encrypted even when you encrypt file names. Do not put sensitive information in an archive comment.

User Encryption Examples Below are examples of how to invoke encryption processing using PKZIP commands.

27

Zip Compress File(s) and Write to an Archive File This is the main PKZIP compression screen. Here you specify the method and mode of encryption.

File Compression 8.0 (PKZIP) Type choices, press Enter. Archive Zip File name . . . . . '/pkzshare/encryption/as400.des3.zip' List Include file or pattern . . '/pkzshare/encryption/*.txt' + for more values Type of processing . . . . . . . *ADD *ADD, *UPDATE, *FRESHEN .. Compression Level . . . . . . . *SUPERFAST *FAST, *NORMAL, *MAX... File Types . . . . . . . . . . . *DETECT *DETECT *TEXT *BINARY ........ Advance Encryption : Method . . . . . > 3des ZIPSTD, AES128, AES192... Mode . . . . . . > BSAFE PKWARE, BSAFE More... F3=Exit F4=Prompt F5=Refresh F10=Additional parameters F12=Cancel F13=How to use this display F24=More keys Parameter ARCHIVE required.

Placing the cursor on the “Method” and hitting F4 presents the next screen that allows you to select one of the encryption methods to use.

Specify Value for Parameter ADVCRYPT Type choice, press Enter. Method . . . . . . > 3DES ZIPSTD AES128 AES192 AES256 3DES DES RC4_128

When the next screen appears if you do not enter a password no encryption processing is completed on the file(s) to be archived. If you desire encryption, you must enter the password twice; once in the Archive Password and again in the Verify Password.

File Compression 8.0 (PKZIP) Type choices, press Enter. Archive Password . . . . . . . . Verify Password . . . . . . . . Archive File Type . . . . . . . *ifs *DB, *IFS Files to Zip Type . . . . . . . *ifs *DB, *IFS, *IFS2, *DBA, *SPL Before/After Selection . . . . . *NO *NO, *BEFORE, *AFTER Date for Selection . . . . . . . 0 Date mmddyyyy File Name actions . . . . . . . *SUFFIX *NONE, *DROP, *SUFFIX External Conversion Flags . . . *NONE Character value, *NONE Create Self Extract Archive . . *MAINTAIN *MAINTAIN, WINDOWS, AIX... Bottom

28

F3=Exit F4=Prompt F5=Refresh F10=Additional parameters F12=Cancel F13=How to use this display F24=More keys

Following is the output of the PKZIP run.

SecureZIP for iSeries (tm) Compression Utility Version 8.0.0, 2004/02/13 Copyright. 2004 PKWARE, Inc. All Rights Reserved. PKZIP (R) is a registered trademark of PKWARE (R), Inc. Scanning files in *IFS for match ... Found 2 matching files Compressing /pkzshare/encryption/appnote.txt in BINARY mode Add /pkzshare/encryption/appnote.txt -- Deflating (69%) encrypt(BSAFE 3DES) Compressing /pkzshare/encryption/readme.txt in BINARY mode Add /pkzshare/encryption/readme.txt -- Deflating (58%) encrypt(BSAFE 3DES) PKZIP Compressed 2 files in Archive /pkzshare/encryption/as400.des3.zip PKZIP Completed Successfully

Commands generated from the PKZIP screen using the retrieve key after the PKZIP run.

Command Entry COSMOS Request level: 4 Previous commands and messages: (No previous commands or messages) Bottom Type command, press Enter. ===> PKZIP ARCHIVE('/pkzshare/encryption/as400.des3.zip') FILES('/pkzshare/encryption/*.txt') ADVCRYPT(3DES BSAFE) PASSWORD() VPASSWORD() TYPARCHFL(*IFS) TYPF

Display the contents of an Archive File When the files within an archive have strong encryption the “!” (bang) character is placed in front of the file name to inform you that you must have the correct password to view or extract the file.

File Extraction 8.0 (PKUNZIP) Type choices, press Enter. Archive Zip File name . . . . . '/pkzshare/encryption/as400.des3.zip' List Include file or pattern . . *ALL + for more values Type of processing . . . . . . . *VIEW *VIEW, *EXTRACT, *NEWER... File Types . . . . . . . . . . . *DETECT *DETECT *TEXT *BINARY ... Press ENTER to end terminal session. SecureZIP for iSeries (tm) Compression Utility Version 8.0.0, 2004/02/13 Copyright. 2004 PKWARE, Inc. All Rights Reserved. PKZIP (R) is a registered trademark of PKWARE (R), Inc. PKZIP for iSeries(tm) is running under Beta release B1 Archive: /pkzshare/encryption/as400.des3.zip 33451 bytes 2 files Length Method Size Ratio Date Time CRC-32 Name -------- ------ ------- ----- ---- ---- ------ ---- 97182 Defl:F 30230 69% 01-30-04 13:16 223c2ea4 !/pkzshare/encryption/ appnote.txt

29

5747 Defl:F 2710 53% 10-06-03 15:14 d193af9b !/pkzshare/encryption/ readme.txt -------- ------- ---- ------- 102929 32940 68% 2 files PKUNZIP extracted 0 files PKUNZIP Completed Successfully

Incorrect Password Use The following illustration is an example of what to expect if you enter an incorrect password. The error message indicates that the file(s) were skipped because of an incorrect password and that PKUNZIP completed with errors.

PKZIP for iSeries(tm) Compression Utility Version 8.0.0, 2004/02/17 Copyright. 2004 PKWARE, Inc. All Rights Reserved. PKZIP (R) is a registered trademark of PKWARE (R), Inc. PKZIP for iSeries(tm) is running under Beta release B1 PKUNZIP Archive: /pkzshare/encryption/as400.des.zip Archive Comment:"PKZIP for iSeries by PKWARE" Searching Archive /pkzshare/encryption/as400.des.zip for files to extract skipping: /pkzshare/encryption/appnote.txt incorrect password skipping: /pkzshare/encryption/readme.txt incorrect password Caution: zero files tested in /pkzshare/encryption/as400.des.zip. 2 file(s) skipped because of incorrect password PKUNZIP Completed with Errors Press ENTER to end terminal session.

30

3 Getting Started with SecureZIP for iSeries

SecureZIP for iSeries is a broad, flexible product on the iSeries, and AS/400 platforms, allowing for compression and decompression of files. It is fully compliant with other PKZIP-compatible compression products running on other operating systems.

Because the PKZIP standard for text data storage is ASCII, SecureZIP for iSeries facilitates conversion between the ASCII and EBCDIC character sets. Therefore, compressed text files can be transferred between IBM mainframe environments and systems using the ASCII character sets, including UNIX, DOS, SecureZIP for iSeries, PKZIP for zSeries, and PKZIP for VSE™.

In addition to PKZIP-format archive support, SecureZIP for iSeries can also produce and manipulate (GNU) GZIP-format archives. See Chapter 18.

Basic Features of SecureZIP for iSeries SecureZIP for iSeries is generally compatible with PKZIP 2.x, and as such, has the following features:

Compliance with compression programs on other platforms, including Windows, LINUX, UNIX, DOS, SecureZIP for iSeries , PKZIP for zSeries, and PKZIP for VSE™.

• User-selected compression ratios.

• Storage capability of 65,535 files within one ZIP Archive.

• Compression of files of up to 4 gigabytes.

• A maximum ZIP archive size of 4 gigabytes.

• Data integrity assurance using 32-bit CRC error detection.

• Translation of data to a system-independent format, thus providing easy file transfers within a mixed or varied file environment.

Extended Features of SecureZIP for iSeries SecureZIP for iSeries also offers a series of extended features such as creation of GZIP archive, spool files support, large file support (files greater than 4 GB and files

31

in archive exceeding 65,535), advanced encryption and self-extracting archives. All licensable features can be found in “Licensed Product Features” in Chapter 4.

Invoking SecureZIP for iSeries Services Three main commands control SecureZIP for iSeries functionality in the OS/400 operating environments. The commands are:

• PKZIP - Launches compression utility

• PKUNZIP - Launches archive extraction utility

• PKZSPOOL - Launches compression utility for spool files

Each of the commands can be invoked interactively, submitted for a batch run, or used anywhere that an iSeries command can be issued.

Help panels for each command can be activated by using the F1 (help) key.

SecureZIP for iSeries Differences with other Platforms This section covers the differences between SecureZIP for iSeries and other versions, including versions that run on other operating systems or platforms. Most of the differences are due to the QSYS library file type system and the iSeries object-oriented base.

Attributes (non-extended)

Various MS/DOS options support the selection of files by file attributes such as hidden, read-only, and system. These attributes are not meaningful on the OS/400 file system.

ANSI comments Because OS/400 does not support ANSI control codes, related options are not supported. When unzipping from an archive, the archive comment will be displayed, but ANSI control codes in this comment will not be masked out. This could cause attribute changes on the iSeries display.

Archive file date controls PKZIP

DOS options control whether the ZIP file date is updated or retained when altering the archive. Because the last used date on OS/400 is not under program control or alterable by a command, these options are not supported.

Archive Comments PKZIP

DOS options allow editing of comments for individual files in an archive. This version supports editing of a file’s text description, but is not recommended for batch running, or for a large number of files due to the interactive message responses required.

File naming differences

The files used in the QSYS library file system have their own naming style. Each file associated with a library file and members would be depicted as library/file(member). Usually, all file names are stored as open system file names with directories, ending with a file name. For a detailed description and techniques see Chapter 8.

32

HELP PKZIP for DOS™ has options to display a list of commands. Because SecureZIP for iSeries uses iSeries commands, the help system is built for each command and is activated by PF1 on each parameter.

Mixed Case Filenames

When using the IFS (integrated file system), the file names are case sensitive and act like other file systems (UNIX, DOS, Windows, etc.). When using the QSYS library file system, the file names are always in UPPER CASE. Occasionally, when trying to update and archive (or select from an archive), you may encounter a case sensitive search. Use PKUNZIP view to get the exact name stored. This would be appropriate when doing a PKZIP TYPE( *DELETE) where the selection file would need to match.

Use of SAVF Method At this time, only physical files with attributes of PF-DTA, PF-SRC, and SAVF in the QSYS file system, stream files and directories in the IFS, and spool files can be processed by SecureZIP for iSeries. Also, some special database functionality such as triggers, file constraints, alternate collating sequence, and large object fields, are not stored in the archives.

To overcome some of the restrictions listed above, SecureZIP for iSeries can compress and decompress SAVF. The objects to be compressed are saved to a SAVF using SAVOBJ or SAVLIB. The SAVF is then compressed to an archive using PKZIP. To restore the data, first use PKUNZIP to re-create the SAVF, and then use RSTOBJ or RSTLIB to restore objects from within the decompressed SAVF. SAVF are binary and only pertain to OS/400.

33

4 SecureZIP for iSeries Installation

This chapter describes the process of receiving SecureZIP for iSeries, either by tape, CD-ROM or by FTP, the process of setting the environment (optional) and the process of installing the license. These processes consists of building the SecureZIP for iSeries version library, adding the library to your library list, optionally setting environmental pointers and running the install license command with an authorized license.

Even though the default library for SecureZIP for iSeries Version 8.0 patch level 0 is PKW81051S and is referenced in this manual, the library name for the product can be named otherwise to suit your environmental needs. The SecureZIP for iSeries product is distributed with a predefined library of PKW810vrT (where vr is the minimum OS/400 operation system release supported, T is the product type, P=PKZIP and S=SecureZIP). V5R1M0 would be 51. If you would like to use another library name or would like to run SecureZIP for iSeries without it being in the library list, review the operating environment discussion later in this chapter.

It is recommended that you use a generic name for the library that will be used for production (such as PKZIP or PKZIPPROD). This will allow new updates to be implemented without changing a lot of CL programs or processes. To use another library name, review the procedures described later in this chapter (section “Operating Environment”) on how to use the CALL PKZSETLIB program to change the standard library name or run without the library in your library list.

Unloading SecureZIP for iSeries from Tape The SecureZIP for iSeries installation tape contains a SAVF file with the product library for the OS/400. The file PKW810vrT library contains SecureZIP for iSeries Version 8.0 patch level 0 with the OS/400 version specified as vr (OS/400 version, target release, and modification for the product build, for example, 51 for V5R1M0) and T is the product type.

To unload the required library for SecureZIP for iSeries, load the tape and issue the following command:

RSTLIB SAVLIB( PKW810vrT) DEV(tapnn)

Where vr is the version, release, and modification level, T is product type, and tapnn is the appropriate tape device name.

34

At this point the PKZIP library exists on your system and you can proceed to the section, “Restoring SecureZIP for iSeries Product Library from a Save File.”

Unloading SecureZIP for iSeries from a CD-ROM The SecureZIP for iSeries installation from a CD-ROM can be performed using either of the following two methods. One method is to use the LODRUN command and the second method would be to restore the library manually. First load the SecureZIP for iSeries CD into the optical unit and note the device name (usually OPT01).

METHOD A. LODRUN Command At a command line type LODRUN DEV(*OPT) or LODRUN DEV(optical device). LODRUN will first display the following screen showing the default library with the version of SecureZIP for iSeries that will be installed from the CD. The display will wait for a valid library and the pressing of the Enter key to install SecureZIP for iSeries. If the F3 or F12 key is pressed the install will end without installing the product.

LODRUN screen example:

SecureZIP for iSeries (tm) Version V8.0.0 Install SecureZIP for iSeries (tm) to Library PKW81051S (Note: Library Must Not Exist) Press Enter to Continue F3-Exit F12-Cancel Error message Area------------------------------------------------------

Next the install process will restore the SecureZIP for iSeries product to the library requested and add the new library to the library list. Then using the program PKZIP program PKZSETLIB, all settings for commands, data area and help files will be resolved to the new library.

At this point, SecureZIP for iSeries is in your library list and is ready to load keys (DEMO or registered) using the INSTPKLIC command as describe later in this chapter.

METHOD B. RSTLIB Command The SecureZIP for iSeries installation CD-ROM contains a Save file with the product library for the OS/400. The PKW810vrT library contains SecureZIP for iSeries Version 8.0 patch level 0 with the OS/400 version specified as vr (OS/400 version, Target Release, and Modification for the product build, for example, 510 for V5R1M0) and T is product type.

To unload the required library for SecureZIP for iSeries, load the CD-ROM and issue the following command:

RSTLIB SAVLIB( PKW810vrT) DEV(optnn) OPTFILE(pkzip)

35

Where vr is the version, release, T is product type and optnn is the correct optical device name to use.

Using FTP to iSeries to Transfer a PKZIP Save File 1. After downloading the product self-extracting file to your PC, extract it. The

save file is named PKW81051S.SAV. Be sure to note the path to this file, as it will be required in your FTP session (defaults to C:\PKZIP\PKAS4R\PKW81051S.SAV).

2. Start an iSeries workstation type session, and then sign on with sufficient authority to perform the commands used below.

3. Create a save file on the iSeries - CRTSAVF YourLIB/PKZIP810. The TCP/IP network server must be running (or start the TCP/IP network server with STRTCP).

4. Start a PC-based FTP session with your normal FTP procedures and send the PC file in binary mode to the iSeries SAVF you created, or run the following:

5. Type "FTP" at the command prompt.

6. Open the iSeries IP address and sign on (ftp> open 208.222.150.11 as an example).

7. Next, type "BIN" at the command line (this will transfer the file as a binary object which is required).

8. Now type "PUT" and then the local file name (in other words, "PUT C:\PKZIP\PKAS4R\PKW81051S.SAV")

9. Finally, you type your remote file name (the destination): (YourLIB/PKZIP810) and the FTP transfer of the file should start.

Restoring SecureZIP for iSeries Product Library from a Save File At this time you should have the save file built on your system. Now you can restore the library from the save file.

RSTLIB SAVLIB(PKW81051S) DEV(*SAVF) SAVF(YourLIB/PKZIP810) RSTLIB(your_pkzip_lib)

where "your_pkzip_lib" - is the name you want to call the restored PKZIP library.

At this point the SecureZIP for iSeries product library should exist on iSeries and you can proceed to the Installation procedures below.

If you want, you can now delete the save file created earlier with:

DLTF YourLIB/PKZIP810

Installation Procedures The SecureZIP for iSeries product library should now exist on the iSeries. All objects including the library are owned by QPGMR. The objects’ owner can be change

36

to any valid owner with the CHGOBJOWN command. The SecureZIP for iSeries library should now be added to the library list (ADDLIBLE your_pkzip_lib).

If you keep the PKZIP library name at PKW81051S, then you do not need to take this additional step. If you change the name from PKW81051S to something else, then you will need to run a program to setup your PKZIP Environment. In this case you will type on a command line, "CALL PKZSETLIB your_pkzip_lib", where "your_pkzip_lib" is the name of the PKZIP library you restored. This will link the objects to your PKZIP library name. For more information see “How to Change the Standard PKZIP Library Name” later in this chapter.

Licensing Requirements SecureZIP for iSeries is a licensed product. Without proper licensing, the product can only be used to view archives. Product features and license types can be licensed separately as the user’s needs dictate. The license key will contain all of the elements necessary to validate a customer’s use of SecureZIP for iSeries.

The licensing process is comprised of several key elements that are described in the following sections.

Trial Period You will need to contact your reseller or PKWARE, Inc. Sales at 937.847.2374, or email Sales at pksales@pkware.com to initialize your version of SecureZIP for iSeries for the 15-day DEMO. If you do not work in the USA, please refer to the GLOBAL CONTACTS.TXT file to contact a dealer in your region.

Release Licensing Each release of SecureZIP for iSeries requires that a new license key be obtained from Customer Service and that a new license record be generated. The new release will fail with AQZ9077 "License Keys have invalid version setting" if the license file is used from a previous release.

Reporting Environment To report on the status of a license at your location, you can run the environment “WHATOSV” program by doing a program call: CALL WHATOSV. It will provide a report similar to:

PKWARE WHATOSV Current Operating Environment Thu May 15 12:05:49 2003 SecureZIP for iSeries (tm) Version 8.0.0 with build date 2003/05/14 Current PKZIP Library is PKW81051S IBM iSeries Model 9406, Type 270-23E7 Serial Number <010-7X8WT >, PRC Group < P10>, OS is at V5R2M0. Press ENTER to end terminal session.

The output of this report is what you will need to send to your reseller or PKWARE sales representative to obtain a DEMO code.

37

Note: The PKZIP Library must be added to the library list prior to running this program.

Please have the output of this report handy when speaking with your reseller or account rep. You will be expected to supply the following additional information:

• Company name

• Company contact

• Phone number

• Contact email

Updating License Files Installing the PKZIP license activation keys is done by adding the licensing information into a source file member (one is provided with distribution library call PKZLICIN) and then running the install license program to activate.

Trial activation is accomplished by first editing the member PKWARELIC and adding the company customer record and keys supplied by PKWARE, Inc. One way of editing the member would to use the following command with the correct library:

EDTF FILE(PKW81051S/PKZLICIN) MBR(PKWARELIC)

or

STRSEU SRCFILE(PKW81051S/PKZLICIN) SRCMBR(PKWARELIC)

Remember since this a source file member and you use the EDTF command that the data will start in column 13, because the source sequence number and date stamp is in the true columns 1 thru 12.

For example:

EDTF FILE(PKW81051S /PKZLICIN) MBR(PKWARELIC)

Edit File: PKW81051S /PKZLICIN(PKWARELIC) Record : 1 of 3 by 8 Column : 13 92 by 74 Control : CMD ..+....2....+....3....+....4....+....5....+....6....+....7....+....8....+. ************Beginning of data************** *LICENSED BY PKWARE, Inc 06/03/03 Tait Hamiel 55 A4CMD1NR 000014581 PKWARE Internal Demo Customer 99 CMDOAXB1 20030703 0107X8WTP10 ************End of Data******************** F2=Save F3=Save/Exit F12=Exit F15=Services F16=Repeat find

Notice in this case the columns on the ruler shows column 13 for the first column of the license data.

For Example:

STRSEU SRCFILE(PKW81051S/PKZLICIN) SRCMBR(PKWARELIC) :

Columns . . . : 1 71 Edit PKW81051S/PKZLICIN SEU==> PKWARELIC

38

FMT ** ...+... 1 ...+... 2 ...+... 3 ...+... 4 ...+... 5 ...+... 6 ...+... 7 *************** Beginning of data ************************************* 0001.00 *LICENSED BY PKWARE, Inc 06/03/03 Tait Hamiel 0002.00 55 A4CMD1NR 000014581 PKWARE Internal Demo Customer 0003.00 99 CMDOAXB1 20030703 0107X8WTP10 ****************** End of data **************************************** F3=Exit F4=Prompt F5=Refresh F9=Retrieve F10=Cursor F11=Toggle F16=Repeat find F17=Repeat change F24=More keys

Once you have typed or copied the license information provided by PKWARE, you will need to save these changes by pressing F3 and exit the edited member by pressing F3 again. Next, run the install program using the following command:

INSTPKLIC INFILE(*LIBL/PKZLICIN) INMBR(PKWARELIC) or prompt F4

Install SecureZIP for iSeries License (INSTPKLIC) Type choices, press Enter. Type . . . . . . . . . . . . . *INSTALL *INSTALL, *VIEW Input Control File . . . . . . . PKZLICIN Name, PKZLICIN Library name . . . . . . . . . *LIBL Name, *LIBL Control Member . . . . . . . . . pkwarelic Name, *FIRST Bottom F3=Exit F4=Prompt F5=Refresh F12=Cancel F13=How to use this display F24=More keys

By executing the INSTPKLIC command, the LICENSE dataset will be updated and a report will be produced that will reflect the state of SecureZIP for iSeries at your location.

SecureZIP for iSeries (tm) Compression Utility Version 8.0.0, 2003/06/09 Copyright. 2004 PKWARE, Inc. All Rights Reserved. PKZIP (R) is a registered trademark of PKWARE (R), Inc. Machine ID = 0107X8WT, Processor Group = P10 Rec - 1 *LICENSED BY PKWARE, Inc 06/03/03 Tait Hamiel Rec - 2 55 A4CMD1NR 000014581 PKWARE Internal Demo Customer Rec - 3 99 CMDOAXB1 20030703 0107X8WTP10 Compression - Evaluation set to expire in 23 days on 20030703 Decompression - Evaluation set to expire in 23 days on 20030703 Database File Handlers- Evaluation set to expire in 23 days on 20030703 IFS File Handlers - Evaluation set to expire in 23 days on 20030703 GZIP - Evaluation set to expire in 23 days on 20030703 Spool Files - Evaluation set to expire in 23 days on 20030703 Self Extracting - Evaluation set to expire in 23 days on 20030703 License File PKW81051S/PKZLIC(PKZLIC) Updated successfully Press ENTER to end terminal session.

Licensed Product Features The license key will be comprised of codes to reflect the product features selected by the customer.

39

Licensing Product Type Cross Reference with Features Codes.

Type Feature Code

PKZIP SecureZIP Standard

77

Enterprise

66

x Demo Days

99

BASE Module 01 X X X X X

Compression 02 X X X X X

Decompression 03 X X X X X

GZIP 04 Opt X X X

Directory Integration 05 N/A Opt Opt Opt X

(SecureZIP Only)

ADVANCED Encryption

06 N/A Opt N/A X

(SecureZIP Only)

X

(SecureZIP Only)

Decryption 07 Included Included X X

X

(SecureZIP Only)

Spool File Support 08 Opt X N/A X X

Self Extraction Creator

10 Opt X N/A X X

40

Licensing Features Code Descriptions The following table shows the product features available:

Feature Code

Type Description

01 Base Module The base module is either PKZIP or SecureZIP (depending on the product has been selected and which licensed code was issued).

02 Compression This licensable module allows for the compression of data into a ZIP file. This license is required to read the input data and write out the archive or ZIP file.

03 Decompression This licensable module allows for the decompression of data from a ZIP file or an archive. This license is required to read the ZIP archive and to write the OS/400 datasets during the extraction routine.

04 GZIP Support This licensable module allows a user to read and write GZIP compatible files. GZIP files created using PKZIP for iSeries can be extracted with any compatible GZIP utility on any other platform.

05 Directory Integration This module allows the use of LDAP for certificate accessing.

06 Advanced Encryption Module

This licensable module allows a user to compress files with advanced encryption methods, encrypt files with certificates, sign files/archives, and authenticate files/archives.

07 Decryption This licensable module allows a user to extract files with advanced encryption methods.

08 Spool File Handler This licensable module allows a user to compress and extract spool files. The module also allows the spool file to be converted another format, such as a PDF or text format.

10 Self Extract Support

This licensable feature allows the creation and maintenance of self extracting archives.

Splash Screens: SecureZIP:

SecureZIP(tm) for iSeries Compression Utility Version 8.0.0B, 2004/07/21 Copyright. 2004 PKWARE, Inc. All Rights Reserved. SecureZIP(tm) is a trademark of PKWARE (R), Inc.

PKZIP:

PKZIP for iSeries(tm) Compression Utility Version 8.0.0B, 2004/07/21 Copyright. 2004 PKWARE, Inc. All Rights Reserved. PKZIP(R) is a registered trademark of PKWARE (R), Inc.

Record Layouts The record layouts for control file records (portions of which your reseller of PKWARE, Inc. will provide) are described below for each type. Remember, the columns are relative to column 1 in a source file and if you use EDTF then column 1 is now column 13.

41

Comment Control Card Comment cards are free format and begin with an * in column 1.

Customer Control Card Customer records always begin with a “55” or ‘57”.

Control Code

Check Characters

Customer Number

Customer Name

Format 55 cccccccc nnnnnnnnn xxx . . . xxx Columns 1-2 4-11 13-21 23-74 Length 2 8 9 50

55 Feature Control Code (always a 55 or 57)

cccccccc Check Character (supplied by PKWARE, Inc.)

nnnnnnnnn Customer Number (supplied by PKWARE, Inc.)

xxx . . . xxx Customer Name (supplied by customer - must be alphanumeric (AA-99)

Feature Control Card

Feature Code

Check Characters

Expiration Date

Hardware Information

Format ff cccc yyyymmdd ssssssstttt Columns 1-2 4-11 13-20 22-33 Length 2 8 8 12

ff Feature Control Code (provided by PKWARE, Inc.)

cccccccc Check Character (provided by PKWARE, Inc.)

yyyy year (2001)

mm month (01-12)

dd day (01-31)

sssssss CPU serial # (12345ABC)

tttt CPU Processing Group (P10) By executing this command, the LICENSE dataset will be updated and a report will be produced that will reflect the state of SecureZIP for iSeries at your location.

Install Demo

SecureZIP for iSeries (tm) Compression Utility Version 8.0.0, 2003/06/09 Copyright. 2004 PKWARE, Inc. All Rights Reserved. PKZIP (R) is a registered trademark of PKWARE (R), Inc. Machine ID = 0107X8WT, Processor Group = P10 Rec - 1 *LICENSED BY PKWARE, Inc 06/03/03 Tait Hamiel Rec - 2 55 A4CMD1NR 000014581 PKWARE Internal Demo Customer Rec - 3 99 CMDOAXB1 20030703 0107X8WTP10 Compression - Evaluation set to expire in 23 days on 20030703 Decompression - Evaluation set to expire in 23 days on 20030703 Database File Handlers- Evaluation set to expire in 23 days on 20030703 IFS File Handlers - Evaluation set to expire in 23 days on 20030703

42

GZIP - Evaluation set to expire in 23 days on 20030703 Advanced Encryption - Evaluation set to expire in 23 days on 20030703 Spool Files - Evaluation set to expire in 23 days on 20030703 Self Extracting - Evaluation set to expire in 23 days on 20030703 License File PKW81051S/PKZLIC(PKZLIC) Updated successfully Press ENTER to end terminal session.

Install Basic

SecureZIP for iSeries (tm) Compression Utility Version 8.0, 2003/07/12 Copyright. 2004 PKWARE, Inc. All Rights Reserved. PKZIP (R) is a registered trademark of PKWARE (R), Inc. Machine ID = 0107X8WT, Processor Group = P10 Rec - 1 *LICENSED BY PKWARE 07/13/01 WSS Rec - 2 55 B7LJJ3A0 110531837 My Company Name, Dayton OH Rec - 3 * yyyymmdd ssssssssttt Rec - 4 77 lLTJ1233 20020801 0107X8WTP10 License File PKW81051S/PKZLIC(PKZLIC) Updated successfully

Install Single

SecureZIP for iSeries (tm) Compression Utility Version 8.0, 2003/07/12 Copyright. 2004 PKWARE, Inc. All Rights Reserved. PKZIP (R) is a registered trademark of PKWARE (R), Inc. Machine ID = 0107X8WT, Processor Group = P10 Rec - 1 *LICENSED BY PKWARE 07/13/01 WSS Rec - 2 55 X1LT83K1 110531837 My Company Name, Dayton OH Rec - 3 * yyyymmdd ssssssttttii Rec - 4 * ssssssssttt Rec - 5 01 LLTB7233 20030801 0107X8WTP10 Rec - 6 02 ELTH823F 20030801 0107X8WTP10 Rec - 7 03 RLTB723U 20030801 0107X8WTP10 Rec - 8 04 MLTH823B 20030801 0107X8WTP10 License File PKW81051S/PKZLIC(PKZLIC) Updated successfully

Reporting To report on the status of a license at your location, you can run the license program with the following command: INSTPKLIC TYPE(*VIEW).

Examples from above:

View Demo

SecureZIP for iSeries (tm) Compression Utility Version 8.0.0, 2003/06/09 Copyright. 2004 PKWARE, Inc. All Rights Reserved. PKZIP (R) is a registered trademark of PKWARE (R), Inc. Machine ID = 0107X8WT, Processor Group = P10 ********************************************* A License Report requested on 0107X8WT from CPU Serial# 8.0 Product Licensed to Customer # 000014581 -PKWARE Internal Demo Customer ********************************************* Compression -DEMO with 23 Days remaining (07/03/2003) Contact PKWARE, Inc. for Licensing ********************************************* Decompression -DEMO with 23 Days remaining (07/03/2003) Contact PKWARE, Inc. for Licensing ********************************************* GZIP -DEMO with 23 Days remaining (07/03/2003) Contact PKWARE, Inc. for Licensing *********************************************

43

IFS File Handlers -DEMO with 23 Days remaining (07/03/2003) Contact PKWARE, Inc. for Licensing ********************************************* Database File Handlers-DEMO with 23 Days remaining (07/03/2003) Contact PKWARE, Inc. for Licensing ********************************************* Advanced Encryption -DEMO with 23 Days remaining (07/03/2003) Contact PKWARE, Inc. for Licensing ********************************************* Spool Files -DEMO with 23 Days remaining (07/03/2003) Contact PKWARE, Inc. for Licensing ********************************************* Self Extracting -DEMO with 23 Days remaining (07/03/2003) Contact PKWARE, Inc. for Licensing ********************************************* Press ENTER to end terminal session.

View Single

SecureZIP for iSeries (tm) Compression Utility Version 8.0.0, 2003/06/09 Copyright. 2004 PKWARE, Inc. All Rights Reserved. PKZIP (R) is a registered trademark of PKWARE (R), Inc. Machine ID = 0107X8WT, Processor Group = P10 ********************************************* A License Report requested on 0107X8WT from CPU Serial# 8.0 Product Licensed to Customer # 000003079 -Key Testers Inc. ********************************************* Compression :Licensed -Expires 02/28/2400 for processors: Serial# 0107X8WT Processor Type P10 ********************************************* Decompression :Licensed -Expires 02/28/2400 for processors: Serial# 0107X8WT Processor Type P10 ********************************************* GZIP :Licensed -Expires 02/28/2400 for processors: Serial# 0107X8WT Processor Type P10 ********************************************* IFS File Handlers :Licensed -Expires 02/28/2400 for processors: Serial# 0107X8WT Processor Type P10 ********************************************* Database File Handlers:Licensed -Expires 02/28/2400 for processors: Serial# 0107X8WT Processor Type P10 ********************************************* Advanced Encryption :Licensed -Expires 02/28/2400 for processors: Serial# 0107X8WT Processor Type P10 ********************************************* Spool Files :Licensed -Expires 02/28/2400 for processors: Serial# 0107X8WT Processor Type P10 ********************************************* Self Extracting :Licensed -Expires 00/00/0000 for processors: ********************************************* Press ENTER to end terminal session.

View Single with Exception

SecureZIP for iSeries (tm) Compression Utility Version 8.0.0, 2003/06/09 Copyright. 2004 PKWARE, Inc. All Rights Reserved. PKZIP (R) is a registered trademark of PKWARE (R), Inc. Machine ID = 0107X8WT, Processor Group = P10 ********************************************* A License Report requested on 0107X8WT from CPU Serial# 8.0 Product Licensed to Customer # 000003079 -Key Testers Inc. ********************************************* Compression :Licensed -Expires 02/28/2400 for processors: Serial# 0107X8WT Processor Type P10 ********************************************* Decompression :Licensed -Expires 02/28/2400 for processors:

44

Serial# 0107X8WT Processor Type P10 ********************************************* GZIP :Licensed -Expires 02/28/2400 for processors: Serial# 0107X8WT Processor Type P10 ********************************************* IFS File Handlers :Licensed -Expires 02/28/2400 for processors: Serial# 0107X8WT Processor Type P10 ********************************************* Database File Handlers:Licensed -Expires 02/28/2400 for processors: Serial# 0107X8WT Processor Type P10 ********************************************* Advanced Encryption :Licensed -Expires 02/28/2400 for processors: Serial# 0107X8WT Processor Type P10 ********************************************* Spool Files :Licensed -Expires 02/28/2400 for processors: Serial# 0107X8WT Processor Type P10 ********************************************* Self Extracting :Licensed -Expires 00/00/0000 for processors: Serial# 0107X8WT is Not Licensed. Use Of The Product will CEASE in 7 days (6/17/2003) ********************************************* Press ENTER to end terminal session

Conditional Use PKWARE, Inc. recognizes that there may be periods where the licensing environment established by the customer is no longer valid. Circumstances such as disaster recovery processing or the installation or upgrade of new processors will affect the environment. To accommodate the customer, SecureZIP for iSeries has a process that will allow a customer to continue using the product for a period of five days. During this time, error messages will be displayed on the console (as well as the printout) for each execution of SecureZIP for iSeries. At the end of the grace period, if the license keys are not updated, the product will no longer function in any environment other than to view an archive. This five-day grace period is designed in such a way that it will not cease to function on a weekend or the Monday following the five-day grace period.

During this process you must contact your reseller or PKWARE, Inc. at 1-937-847-2687 to obtain licensing to allow use beyond the conditional period.

Operating Environment SecureZIP for iSeries is distributed in a standard library, such as PKW81051S where the 800 is the version release of SecureZIP for iSeries and 510 is the minimum OS/400 operation system release that it supports (such as V5R1M0). The SecureZIP for iSeries library contains programs, commands, help panels, message file, license files, translation source file, command source file, CL source file (CVTNAME CL program and examples), and the SecureZIP for iSeries control data area necessary to run the product. As released, the distributed library PKW81051S must be in the library list and the library name must be the same as distributed.

The library name used by SecureZIP for iSeries is determined by the data area PKZDTA5.

45

PKZDTA5 Data Area The “PKZDTA5” data area is required to be in the library list in order run the programs and commands of SecureZIP for iSeries. The data area is 50 bytes in length with the following layout:

Bytes 1 thru 10 - Library name for the product (required to run the product).

Bytes 11 thru 20 - Release Levels for SecureZIP for iSeries.

Bytes 21 thru 40 - Distribution and Generation Information only.

Bytes 41 thru 50 - Global settings.

Byte 41 - Disallow wildcard selection

N = Wildcard selection is permitted (default).

Y = Wildcard selection with PKZIP is not permitted.

An example of the “DSPDTAARA PKZDTA5” output might look like:

Display Data Area Data area . . . . . . . : PKZDTA5 Library . . . . . . . : PKW81051S Type . . . . . . . . . : *CHAR Length . . . . . . . . : 50 Text . . . . . . . . . : SecureZIP for iSeries Library-V8.0 Value Offset *...+....1....+....2....+....3....+....4....+....5 0 'PKW81051S V8.0 NNOV5R1M0 N '

The running of SecureZIP for iSeries requires the data area to determine the library name to use for running the commands, help panels, and message file.

How to Change the Standard PKZIP Library Name To assist the customer in changing the environment for running the SecureZIP for iSeries product, the program “PKZSETLIB” has been included in the distribution library. PKZSETLIB will set the PKZDAT5 data area’s library name and will change the commands and help panels to recognize the library links.

An example of how use PKZSETLIB to change the standard library name to a user environment library name is shown in the steps below:

1. Rename the SecureZIP for iSeries standard library to the new library name:

RNMOBJ OBJ('PKW81051S) OBJTYPE(*LIB) NEWOBJ(newlib)

2. Verify that newlib is in library list with ADDLIBLE or EDTLIBL:

ADDLIBLE newlib

3. Execute PKZSETLIB program to change the data area and change links:

CALL PKZSETLIB ('newlib')

4. Display the PKZDTA5 data area and verify that the Library has been changed.

DSPDTAARA PKZDTA5 (Positions 1 thru 10 should contain newlib)

5. Test the commands PKZIP or PKUNZIP to make sure they execute correctly.

46

At this point the “newlib” is the new SecureZIP for iSeries library for this environment and will need to be placed in the library list to run.

Alternate Install from SAVF with Non-Standard Library Name After the SAVF is ready to restore the library, a slight modification to the commands as shown in above will be required. In the RSTLIB command you will specify “newlib” in the parameter RSTLIB to restore the library with the new library name.

For example:

RSTLIB SAVLIB('PKW81051S) DEV(*SAVF) SAVF(mylib/ PKW810) RSTLIB(newlib)

To complete the installation, do the following:

1. Add the “newlib” to your library list with ADDLIBLE:

ADDLIBLE newlib

2. Execute the PKZSETLIB program to change data area and change links:

CALL PKZSETLIB ('newlib')

3. Display the PKZDTA5 data area and verify that the Library has been changed.

DSPDTAARA PKZDTA5 (Positions 1 thru 10 should contain newlib)

4. Test the commands PKZIP or PKUNZIP to make sure they execute correctly.

At this point the “newlib” is the new SecureZIP for iSeries library for this environment and will need to be placed in the library list to run.

Running Without the PKZIP Library in the Library List SecureZIP for iSeries can run without the library in the library list as long as a data area as described above is in a library that is in the library list. One method is qualifying the command with the library name, such as:

mylibrary/PKZIP ARCHIVE(‘myarchive/V5(test1)’ FILES(“testlib/*all’)

The other method copies the commands to a library that exist in their library List.

Note: The running of SecureZIP for iSeries requires the data area to determine the library name to use for running the commands, help panels, and message files. The following are five steps to run SecureZIP for iSeries without its distribution library in the library list.

Assume 'PKW81051S’ is the SecureZIP for iSeries library and the customer’s library MYlibrary is in the customer’s standard library list. We will now add three new objects to the library MYlibrary.

1. Create a new data area in the chosen library MYlibrary:

CRTDTAARA DTAARA(MYlibrary/PKZDTA5) TYPE(*CHAR) LEN(50) TEXT('PKZIP control data area')

2. Next set the data area value to the same values found in supplied data area

in the PKZIP Library.

“DSPDTAARA 'PKW81051S/PKZDTA5” output might look like:

47

Display Data Area Data area . . . . . . . : PKZDTA5 Library . . . . . . . : PKW81051S Type . . . . . . . . . : *CHAR Length . . . . . . . . : 50 Text . . . . . . . . . : SecureZIP for iSeries Library-V8.0 Value Offset *...+....1....+....2....+....3....+....4....+....5 0 'PKW81051S V8.0 NNOV5R1M0 N '

3. Now change the data area:

CHGDTAARA DTAARA(MYlibrary/PKZDTA5) VALUE(''PKW81051S V8.0xxxV5R1M0')

4. Next we need to copy the two commands to the MYlibrary Library.

CRTDUPOBJ OBJ(PKZIP) FROMLIB(PKW81051S) OBJTYPE(*CMD) TOLIB(MYlibrary)

RTDUPOBJ OBJ(PKUNZIP) FROMLIB(PKW81051S) OBJTYPE(*CMD) TOLIB(MYlibrary)

At this point, PKZIP will work for all users that have the library MYlibrary in their library list.

Note: When installing another SecureZIP for iSeries version the same process should be followed in order to pick up the latest settings of the data area and commands.

Next ensure the SecureZIP for iSeries library is NOT in your library list and run a few sample tests for PKZIP and PKUNZIP to make sure the product works.

48

5 File Selection and Name Processing

ZIP Processing File Selection This section discusses how file selection is performed for ZIP processing with SecureZIP for iSeries. The primary commands used for ZIP processing are discussed here, along with some overview notes and known restrictions.

This section also discusses how files are selected within an iSeries environment. Remember, ZIP directory entries within a ZIP archive will be defined in a system-independent format, which is not iSeries compatible.

Note: Directory entries within a ZIP archive are actually in a format compatible with UNIX systems and have been translated into the ASCII character set. In addition, the dataset level separators are typically set as the forward slash (“/”), not the period (“.”) as in iSeries, although this can be controlled through command actions in SecureZIP for iSeries.

See Chapter 8 for further information on how SecureZIP for iSeries handles file name interchanges between iSeries and common ZIP format.

Primary File Selection Inputs SecureZIP for iSeries will only process:

• iSeries objects of type FILE (only with attributes PF-SRC, PF-DTA, and SAVF).

• IFS stream files (*STMR) and IFS directories(*DIR).

• Spool files.

Other objects must first be unloaded into an iSeries save file (SAVF) before they can be processed by SecureZIP for iSeries (see: Use of SAVF Method).

The FILES parameter in both PKZIP and PKUNZIP specifies which files are to be processed for all files except spool files (SPLF have their own selection parameters). One or more names can be specified, and each name is in either OS/400 QSYS format, or IFS format, depending on F2ZTYPE settings. An asterisk may be used at the end of the library name, file name, or member name to select names beginning with the prefix used. To select all members of a file, *ALL may be used. To select all files in a library *ALL may be used (as long as it is qualified by at least a library

49

name), for example, FILES('mylib/*ALL' ). If *ALL is specified without at least a qualifying library name, the specification is ignored and no files will be selected.

The SecureZIP for iSeries QSYS file system expands a partial file specification in several ways to make file specification more convenient. Each file specification may consist of a filename; a library name; a file name and member name; a library name and file name; or a library name, file name, and member name. iSeries SAVF may also be selected, but because a *SAVF file does not contain members, a SAVF will not be selected if a member name was included in the file specification.

In the Integrated file system, each file specification may consist of a directory, a path of directories, a directory and file, or a path of directories and file.

The various combinations that may be used are shown below:

File Type

File specification Expanded As Notes

QSYS library*/ library*/*all(*all) Finds all files in libraries beginning with library.

fileinlib *LIBL/fileinlib(*ALL) Searches library list for all files called fileinlib. If a matching file is found, all of its members will be selected. If a SAVF is found, it will be selected.

fileinlib*(mem*) *LIBL/fileinlib*(mem*) Searches library list for all files beginning with fileinlib. If a matching file is found, members beginning with mem* will be selected. If a SAVF is found, it will NOT be selected because the file specification includes a member name.

library*/file* library*/file*(*ALL) Searches libraries that begin with library prefix and for files that begin with file prefix. If a matching file is found, all of its members will be selected. If a SAVF is found, it will be selected.

50

File Type

File specification Expanded As Notes

library*/file*(memo*) library*/file*(mem*) Searches libraries that begin with library prefix and files that begin with file prefix. If a matching file is found, members beginning with mem prefix will be selected. If a SAVF is found, it will not be selected because the file specification includes a member name.

IFS Dir/* Dir/*all Searches all files in path DIR.

Spool Files

N/A Uses parameters: SPLFILE, SFUSER, SFQUEUE, SFFORM, SFUSRDTA, SFSTATUS, SFJOBNAM, and/or SPLNBR.

Note: If parameter TYPE(*DELETE) is used, then the file name format for these names must be in MS/DOS format (that is, if CVTFLAG has not been used). See the FILES keyword. Files may also be excluded. See the EXCLUDE keyword.

The valid parameter values for the FILES keyword are as follows:

'file specification 1' 'file specification 2'...'file_specification nn'

This is the list of one or more file specifications, separated by spaces.

For example:

mylib/myfile(prf*)

mylib/*all(*all)

By default, SecureZIP for iSeries does a match on files in the QSYS library system with no case sensitivity and in the IFS with case sensitivity. Some IFS file systems contain case sensitive file names. To force SecureZIP for iSeries to perform non-case sensitive file name matching use TYPFL2ZP(*IFS2).

File Exclusion Inputs Using similar file specification techniques as described above in the Primary file Selection Inputs section, SecureZIP for iSeries can specify from one to many file patterns that will be used to exclude files that were selected with the FILE parameter. The files can be inputted into the command parameter EXCLUDE or into a text file that can be processed by parameter EXCLFILE.

Care should be taken when using wildcards excluding inputs to ensure that FILES and EXCLUDE parameters select the desired files.

51

Input ZIP Archive Files During a FRESHEN or UPDATE request, files contained within the existing ZIP archive are added to a candidate list. Names stored previously are used to search the system files for viability (any file names not found in the system remain in the ZIP archive).

SPOOL File Selecting The FILES parameter is not used to select spool files for compression, but instead uses its own selection parameters.

There are eight positional parameters that can be specified to select the spool files: the SPOOL FILE NAME (SPLFILE), the SPOOL FILE NUMBER (SPLNBR), the user that created the files (SFUSER), the OUTQ that the file is residing (SFQUEUE), the form type specified (SFFORM), the user data tag associated with the spool file (SFUSRDTA), the status of the spool file (SFSTATUS), or the specific job name/user name/job number (SFJOBNAM). Only files that meet all of the selection values will be selected.

If the parameter SFJOBNAM is coded, the job must exist and the parameter SFUSER will be ignored, since it is already part of the SFJOBNAM parameter.

52

6 ZIP Files

Data Format - Text Records vs. Binary Records Binary data is stored in a ZIPPED archive in its original format. Binary data may be graphics or numbers that are already in “computer format.” Therefore, no translation is done, and EBCDIC will remain EBCDIC. The length of binary records in UNZIP processing is determined by the archive’s fixed-length records. SecureZIP for iSeries will fill the available block automatically according to allocation specifications.

In the context of ZIPPED archives, a “text file” is one that is stored in the ASCII format. A text file contains records of data, each separated by a delimiter to signify the end of the record.

Note: An EBCDIC file containing text information (such as source code) can be stored in its original format by using BINARY, but it is not considered to be a “text” file within the ZIP architecture.

SecureZIP for iSeries uses the default line delimiter CR-LF (X’0D0A’) at the end of each text record. Text file members in the QSYS library file system use new line characters (NL=X’15’) internally. SecureZIP for iSeries will handle the CR-LF and NL in both extraction and compressions automatically.

At the time of PKUNZIP file extraction, SecureZIP for iSeries will convert text data from ASCII to EBCDIC by using a translation table. During installation, several translation tables are available, and the customization process will select one of the translation tables as a default. Additional translation tables may be created through the customizing procedure.

Situations may arise in unique platform interchanges, or when working with text files from other countries where the default text translation table is not adequate. Users may select any available translation table by using TRAN and FTRAN parameters.

SecureZIP for iSeries extracts text records stored in the ZIP archive by examining data for record delimiter and file terminator indicators. Using these indicators, SecureZIP for iSeries aligns records in accordance with target file attributes.

Text files (such as program source code) are held within an archive using the ASCII character set for compatibility with other versions of PKZIP®. For these to be usable on OS/400, they must be converted to the IBM EBCDIC character set. Additionally, the carriage return and line feed characters must be removed before writing lines to

53

a file because OS/400 files are record-based and do not use control characters to separate records or lines. Text files usually have spaces at the end of a line. When using the text file handlers, SecureZIP for iSeries has less data to read because the input/output routines remove trailing spaces and replace them with a new line character. This improves SecureZIP for iSeries performance.

When extracting files from an archive, SecureZIP for iSeries must know whether to perform text conversions. SecureZIP for iSeries stores an indicator in the archive file’s local header defining if a file is binary or text-based. Because this indicator may be wrong in some circumstances, use the FILETYPE keyword to specify whether text conversions are required. When adding files to an archive, SecureZIP for iSeries will flag the file according to the FILETYPE used.

SecureZIP for iSeries uses translation tables that should be suitable for most customers, but some users may wish to alter the tables. The procedure for changing the translation tables is discussed. If text files are only used on iSeries, then the FILETYPE(*EBCDIC) may be used. This uses iSeries files “as is” for the file (which are faster for text files), but does not translate the data to ASCII. This will provide a small improvement in performance.

Additionally, SecureZIP for iSeries will translate each character in a text file from EBCDIC character format to ASCII character format by default. This is done using one of the two internal translation tables, which are named UKASCII and USASCII. It is recognized that these translation tables may not suffice for all countries or all situations, especially on those sites where text files are received from several different countries for processing into a single format. The source of the translation tables used by the PKZIP and PKUNZIP programs has been supplied, together with instructions for modifying the tables to create additional files (see Appendix F for details). This enables sites to modify the translation table as required.

In a case where FILETYPE is neither *TEXT nor *BINARY, *DETECT is the default mode. PKZIP will read up to 64K of data from the input file and scan it for non-translatable text characters using the active text translation table. If any characters will not translate successfully using this method, the entire file will be treated as if *BINARY has been used.

Note: One exception to this is X’00’ or the NULL terminator character, which is commonly used in C language. The NULL character will be allowed within the files. If file type is of a file in the archive is unknown whether it is text or binary, the user may use the TYPE(*VIEW) and VIEWOPT(*DETAIL) parameters to examine the file attributes.

File Attributes Within each ZIP archive there are two different directories providing information about the files held in that archive. A local directory is included at the front of each file, with information pertaining to each file (for example: file size and date ZIPPED), and a central directory is located at the end of the ZIP archive. The central directory lists the complete contents of the ZIP archive and is the primary source of information for UNZIP processing.

SecureZIP for iSeries will store extended attributes about the file that can be useful in recreating the file during UNZIP processing. See Appendix K.

54

PC Shared Drives Format One common mistake made when extracting a text file to a shared drive folder in the IFS where the file will be used by a Windows application is to extract the file in text mode. Extracting a file as a TEXT file on the iSeries will cause PKUNZIP to translate the file to the EBCDIC format since this is the native iSeries format. The Windows application expects the file to be in ASCII, so therefore this file should be extracted using binary, since the files are stored in ASCII in the archive.

55

7 File Extracting Process

Extracting Files to the QSYS Library File System When extracting files to the QSYS library file system using TYPFL2ZP(*DB), some items to consider are 1) does the file exist or will a new file be create?, 2) did the file come from SecureZIP for iSeries or did it come from another platform?, 3) are the files text type files from another platform where I need to know the record length, etc. These are just a few questions that might impact how you want to extract the files.

If the file does not exist and if the file did not come from SecureZIP for iSeries, you should provide a record length for the file with the parameter DFTDBRECLN. If the file is coming from SecureZIP for iSeries or PKZIP for zSeries the record length will be in the extra data. If the file is from SecureZIP for iSeries and the parameter was DBSERVICE(*YES), the complete database definition from the extract data for database will be used to create the file.

If the file is to be created as text and the record length is too short then you will receive messages indicating the records are being truncated.

Two common parameters that are used to alter or guide the extraction process are the EXDIR and DROPPATH parameters. EXDIR provides the path library or library/file that the file will be extracted to when no library or path exist for the files in the archive. Of course, this is where the DROPPATH comes in to drop the first path or library with *LIB or to remove all paths in a name with *ALL.

For example, files in an archive might look like this:

Archive/#1: My Document/myfiles/test/myheader.txt My Document/myfiles/test/mydata.txt My Document/myfiles/test/mytrailer.txt Archive/#2: QGPL/QCLSRC/MYCL01 QGPL/QCLSRC/MYCL02 QGPL/QCLSRC/MYCL03 QGPL/QCLSRC/MYCL04

In archive #1 lets assume that all three text files are of different records lengths. If we want to extract each with their own length, we would have to make three runs to

56

create the files with different parameters. Or we could use CRTPF and create each of the files so the files would exist with the proper record length.

PKUNZIP ARCHIVE('Archive/#1') FILES('My Document/myfiles/test/myheader.txt') TYPE(*EXTRACT) EXDIR('MYLIB/MYHEADER') DROPPATH(*ALL) DFTDBRECLN(50) CVTTYPE(*DROP)

PKUNZIP ARCHIVE('Archive/#1') FILES('My Document/myfiles/test/mydata.txt') TYPE(*EXTRACT) EXDIR('MYLIB/MYDATA') DROPPATH(*ALL) DFTDBRECLN(150) CVTTYPE(*DROP)

PKUNZIP ARCHIVE('Archive/#1') FILES('My Document/myfiles/test/myheader.txt') TYPE(*EXTRACT) EXDIR('MYLIB/MYTRAILER') DROPPATH(*ALL) DFTDBRECLN(20) CVTTYPE(*DROP)

The commands above would create three files in library MYLIB, with all files having different record lengths.

Now suppose the files already exist with the names and record lengths. In this case, we could do all three files at once with:

PKUNZIP ARCHIVE('Archive/#1') TYPE(*EXTRACT) EXDIR('MYLIB/?MBR') DROPPATH(*ALL) CVTTYPE(*DROP) OVERWRITE(*YES)

The MBR will force each member name to also become the file name.

In archive #2, let’s assume that we want to extract the CL source member and place them in a different library call MYNEWLIB. If the QCLSRC file does not exist and the archive was not built with DBSERVICE(*YES), then you would need to do a

CRTSRCPF FILE(MYNEWLIB/QCLSRC)

to have the file setup correctly for source files. If the QCLSRC file already exist in MYNEWLIB or the archive was built with DBSERVICE(*YES), then no special handling is required.

Authority Settings When extracting files into the QSYS library file system, whether the files came from the AS/400 or another platform, the authorities are not taken from the archive, but from the user’s current environment settings. The file’s authority is not stored in the archive.

If a library is required to be created, PKUNZIP would create the library as if the current user was issuing a CRTLIB command. For standard settings, it might create the library with the following authority settings:

Data --Object Authorities-- User Authority Exist Mgt Alter Ref *PUBLIC *RWX USER *RWX X X X X.

If the file does not exist, PKUNZIP will be required to create the file. If the file does exist no authorities are changed. If the file is created, the authority will be the same as if the user was issuing a CRTPF command in their environment. For most standard settings, it would create the file with the following authority settings:

57

Data --Object Authorities-- User Authority Exist Mgt Alter Ref *PUBLIC *RWX MYOWNER *RWX X X X X

Extracting Files to the IFS When extracting files to the integrated file system with TYPFL2ZP(*IFS), record lengths are not a concern as they were in the QSYS library file system. The main considerations when extracting to the IFS is “what paths do you want for the file, or should the file be stored in EBCDIC or ASCII”.

Path Considerations If the name of files in the archive, starts with ‘/’, then with no other changes this will be extracted to the root of the system with the first name in the path. This form of pathname is called a fully qualified path.

If the name does not start with a ‘/’, the item will be extracted to the paths based on the current directory (DSPCURDIR). This form of pathname is called a relative path.

In both cases if the path(s) does not exist, the path(s) will be created with the attributes of the parent folder.

Changing the path(s) In cases where the path that is stored with a name of the file in archive is not desired, then using the EXDIR and DROPPATH parameters should help guide the file to where it should be placed.

Using EXDIR, you can define the path of the file(s) that will be extracted. If you need to remove the path of the file in the archive, you can use DROPPATH(*ALL) to remove all the paths before extracting or you can use DROPPATH(*LIB) to remove only the first path name.

Again the coding of EXDIR follows the same rule with regards to fully qualified path or relative path.

File Type Considerations When extracting a file, the decision to whether the contents of file should be stored in ASCII or EBCDIC needs to be made.

If the file is not a text file, it does not matter and should be stored as binary. If the file is text, and will be used by a PC program, chances are the data is expected to be in ASCII. Since the files are stored in the archive as ASCII, these files should be extricated as TYPEFILE(*BINARY). If the file is to be used by an AS/400 application or will be translated later, then chances are the file should be stored in EBCDIC. In this case use TYPEFILE(*TEXT) to extract the file in EBCDIC.

58

Authority Settings If directories are required to be created during the extraction, the authority settings will be created according to the create directory definitions of the DTAAUT(*INDIR) and OBJAUT(*INDIR) parameters.

The authority for the directory being created is determined by the directory it is being created in. The directory immediately preceding the new directory determines the authority. A directory created in the root is assigned the public authority given to objects in the root directory. A directory created in QDLS for a folder defaults to *EXCLUDE for a first level folder. If created in the second level or greater, the authority of the previous level is used. The QOpenSys and root file systems use the parent directory's DTAAUT value.

The object authority is based on the authority for the directory where this directory is being created.

For IFS files, the access permissions flags of the file are captured. For Example:

• S_IRUSR - Read permission for the file owner

• S_IWUSR - Write permission for the file owner

• S_IXUSR - Search permission (for a directory) or execute permission (for a file) for the file owner

• S_IRGRP - Read permission for the file's group

• S_IWGRP - Write permission for the file's group

• S_IXGRP - Search permission (for a directory) or execute permission (for a file) for the file's group

• S_IROTH - General read permission

• S_IWOTH - General write permission

• S_IXOTH - General search permission (for a directory) or general execute permission (for a file)

These access permission flags will be set for the owner that is running the PKUNZIP job and not the original owner.

Other user permissions from the parent folder will also be set for the file.

For example, the folder being extracted into has *PUBLIC as *EXCLUDE, the extracted file will also have *PUBLIC as *EXCLUDE.

Extracting Spool Files When extracting spool files with PKUNZIP, the attributes at the time of compression, will be preserved except for new spool file numbers. That will be generated. Parameter SPLUSRID is for the user ID on the new extracted spool file. If it is *DFT the original user ID will stay with the new spool file. Parameter SFQUEUE is for the OUTYQ and OUTQ library that the new extracted spool file will be placed. If *DFT is specified then the original OUTQ will be used to place the spool file.

59

Note on extracting Spool Files: To create or extract spool file with PKUNZIP, the user must have *USE authority to the API QSPCRTSP. The normal setting for the API QSPCRTSP is Authority PUBLIC(*EXCLUDE). The API authority is set this way so that system administrators can control the use of this API. This API has security implications because you can create spooled file from the data of another spooled file. To allow user to extract spool files change the API authority on a need basis.

When extracting a spool file with PKUNZIP, the new spooled file will be created with attributes based on values taken from the spooled file attributes when PKZIP archived the spool file. The spool file’s file number, job, job user, job number, date, and time are controlled by IBM OS/400 operating system during the creation of a spool file.

The new spool file that is created by the PKUNZIP is spooled under one of two jobs and is dictated by IBM’s create spool file API. The job is determined by the user-name field from the attributes. If the user name is the current user, it is a part of the user's job and is owned by the user profile that the job was started with. First the user profile for the user name must already exist. When using the user id override (parameter SPLUSRID), the spool file will be now belong to the override user.

If the ownership of the new spooled file is assigned to a different user by a different user profile name in the user-name field from the attributes, then the current user must have *SPLCTL authority to assign the spooled file to another user. When this is done, the new spooled file is by the user specified in the user name field or override parameter. The new spooled file is then part of a special system job (QPRTJOB) that is created for each user.

The new spooled file is placed on the output queue specified in the output queue name field from the original spool file attributes. If the parameter SFQUEUE is used it will override the attribute for the output queue.

In both cases, the spooled file name is the one contained in the spooled file attributes parameter. The spooled file number will be the next sequential one available for the job that the spooled file becomes a part of.

OS/400 authority requirements when extracting spool files:

• Special Authority - *SPLCTL. This authority is needed if you are creating a spooled file for another user.

• Output Queue Authority -*USE

• Output Queue Library Authority - *EXECUTE

• Object QSPCRTSP API Authority -*USE

The following are several examples of results of extracting spool files:

Start with archiving the following spool files that were created with job MYJOB1 and user EVWSS:

File File Nbr Job User Number Date Time QSYSPRT 397 MYJOB1 EVWSS 010893 12/11/02 13:35:29 QSYSPRT 398 MYJOB1 EVWSS 010893 12/11/02 13:36:09 QSYSPRT 399 MYJOB1 EVWSS 010893 12/11/02 13:36:09

60

Now extract with job MYJOB1 and user EVWSS but now on a different day and job number:

File File Nbr Job User Number Date Time QSYSPRT 2 MYJOB1 EVWSS 010927 12/12/02 09:57:42 QSYSPRT 3 MYJOB1 EVWSS 010927 12/12/02 09:57:42 QSYSPRT 4 MYJOB1 EVWSS 010927 12/12/02 09:57:42

Next extract with job MYJOB2 and user EVWSS but now on a different day and job number:

File File Nbr Job User Number Date Time QSYSPRT 2 MYJOB2 EVWSS 010928 12/12/02 09:59:06 QSYSPRT 3 MYJOB2 EVWSS 010928 12/12/02 09:59:06 QSYSPRT 4 MYJOB2 EVWSS 010928 12/12/02 09:59:06

Next, using the user, override with the SPLUSRID(WSS) and submit MYJOB1 with user EVWSS.

File File Nbr Job User Number Date Time QSYSPRT 26 QPRTJOB WSS 010118 12/12/02 10:02:50 QSYSPRT 27 QPRTJOB WSS 010118 12/12/02 10:02:50 QSYSPRT 28 QPRTJOB WSS 010118 12/12/02 10:02:50

Notice that the job was changed to QPRTJOB since the user being extracted was different than the user running the Job.

Next being signed on as user WSS, submit a job MYJOB11 with the job parameter USER profile specified for user EVWSS.

SBMJOB CMD(PKUNZIP ARCHIVE('atest/splftst/tst02') TYPE(*EXTRACT)) JOB(MYJOB11) USER(EVWSS)

File File Nbr Job User Number Date Time QSYSPRT 2 MYJOB11 EVWSS 010936 12/12/02 10:25:25 QSYSPRT 3 MYJOB11 EVWSS 010936 12/12/02 10:25:25 QSYSPRT 4 MYJOB11 EVWSS 010936 12/12/02 10:25:25

61

8 iSeries File Processing Support

SecureZIP for iSeries can support files maintained in both the traditional QSYS library file system and in IFS (integrated file system) along with supporting spool files.

QSYS (Library File System) The QSYS file system supports the iSeries library structure. This file system provides access to database files and all other iSeries object types that the library manages. On the IBM iSeries system, each QSYS type file (also called a file object) has a description that details the file characteristics and how the data associated with the file is organized into records, and, in many cases, the fields associated for each record. Whenever a file is processed, the iSeries uses this description.

Of the objects in the library system, SecureZIP for iSeries will only process physical files that have an attribute type of PF-DTA (physical data files), PF-SRC (physical source file), or SAVF (save files).

QSYS files always exist in a library, and the PF-DTA and PF-SRC files (if data exist) will always have one to many members in the file. Therefore, PF-DTA and PF-SRC files have a name format of “library/file(member).” A SAVF (a special type of iSeries file for saving and restoring iSeries objects) does not have any members giving a file format of “library/file.” Because SAVF types are handled in a special way, they are given additional consideration (see SAVF and use of SAVF method).

QSYS Summary If the archive file is to be in the QSYS library system, set parameter TYPARCHFL(*DB).

If the file being compressed or extracted is in the QSYS library system, set parameter TYPFL2ZP(*DB).

If the list files (see Appendix E) are to be in the QSYS library system, set parameter TYPLISTFL(*DB).

62

Format Summary:

PF-DTA LIBRARY/FILE(MEMBER)

PF-SRC LIBRARY/FILE(MEMBER)

SAVF LIBRARY/FILE

IFS (Integrated File System) The integrated file system is a part of iSeries which supports stream input/output and storage management similar to personal computer and UNIX operating systems, while providing an integrating structure over all information stored in the iSeries.

The key features of the integrated file system are:

• Support for storing information in stream files that can contain long continuous strings of data. These strings of data might be, for example, the text of a document or the picture elements in a picture. The stream file support is designed for efficient use in client/server applications.

• A hierarchical directory structure that allows objects to be organized by specifying the path through the directories to an object for access to an object.

• A common view of stream files stored locally on iSeries, Integrated Netfinity Server for iSeries, or a remote Windows NT server. Stream files can also be stored remotely on a local Area Network (LAN) server.

Directories and Current Directory A directory is a special object that is used to locate objects by names specified by users. Each directory contains a list of objects that are attached to it, and that list may include other directories.

The current directory is the first directory in which the operating system locates files, and where it also stores temporary files and output files. When you request an operation for an object, such as a file, the system searches for the object in the current directory, unless a different directory path is specified. The current directory is similar in nature to the current library. If the file selection does not start with ‘/’ (Root Directory), the files should be in the path of the current directory.

Path and Path Names A path name (also called a pathname on some systems) informs the system how to locate an object. The path name is expressed as a sequence of directory names followed by the name of the object. Individual directories and the object name are separated by a slash (/) character. An example might be: directory1/directory2/file.

For convenience, the back slash (\) can be used instead of the slash in integrated file system commands.

There are two ways of indicating a path name:

An absolute path name begins at the highest level, or root directory (which is identified by the / character). For example, consider the following path from the / directory to the file named testit: /mydept/myfiles/testit.

63

If the path name does not begin with the / character, the system assumes that the path begins at your current directory. This type of path name is called a relative path name. For example, if your current directory is mydept and it has a sub-directory named myfiles containing the file testit, the relative path name to the file is: myfiles/testit. Notice that the path name does not include the name of the current directory. The first item in the name is the directory or object at the next level below the current directory.

Stream Files A stream file is a randomly accessible sequence of bytes with no further structure imposed by the system. The integrated file system provides support for storing and operating on information in the form of stream files. Documents that are stored in iSeries folders are stream files. Other examples of stream files are PC files and the files in UNIX systems. An integrated file system stream file is a system object that has an object type of *STMF.

Other IFS Objects There are other object types (such as link objects, etc.) in the IFS which at this time are not supported by SecureZIP for iSeries.

File Systems in the IFS There are currently ten (10) file systems that are part of the integrated file system. Each file system is a major sub-tree in the IFS directory structure. A file system provides the support to access specific segments of storage that are organized as logical units. These logical units on the iSeries are files, directories, libraries, and objects.

Each of these file systems has a set of logical structures and rules for interacting with information in storage. These structures and rules may be (and often are) different from one file system to another. The IFS treats the library support and folders support as separate file systems.

The ten file systems are:

• “root” - / file system. This file system takes full advantage of stream file support and hierarchical directory structure of the integrated file system. The root file system has the characteristics of the Disk Operating System (DOS) and OS/2 file systems. Most of references throughout this guide refer to the “root” system.

• QDLS - Document Library Services file system. This file system provides access to documents and folders. See IBM’s Office Services Concepts and Programmer’s Guide (SH21-0703) for additional information.

• QOPT - Optical file system. This file system provides access to stream data that is stored on optical media (such as CDs). See IBM’s Optical Support (SC41-5310) for additional information.

• QSYS.LIB - Library file system. This file system supports the iSeries library structure and provides access to database files and all of the other iSeries object types that the library support manages.

64

• NFS - Network File System. This file system provides the user with access to data and objects that are stored on a remote NFS server. An NFS server can export a network file system that NFS clients will then mount dynamically. See IBM’s OS/400 Network File System Support (SC41-5714) for additional information.

• QFileSvr.400. This file system provides access to other file systems that reside on remote iSeries systems. See IBM’s Integrated File System Introduction (SC41-5711) for additional information.

• QNetWare - QNetWare file system. This file system provides access to local or remote data and objects that are stored on a server that runs Novell NetWare 4.10 or 4.11 or to standalone PC servers running Novell Netware 3.12, 4.10, 4.11, or 5.0. A user can mount NetWare file systems over existing local file systems dynamically. See File Management (SC41-5710) for additional information.

• QNTC Windows NT Server file system. This file system provides access to data and objects that are stored on a server running Windows NT 4.0 or higher. It allows iSeries applications to use the same data as Windows NT clients. This includes access to the data on a Windows NT Server that is running on an integrated PC Server. See IBM’s OS/400-iSeries Integration with Windows NT Server (SC41-5439) for details.

• QOpenSys - Open Systems file system. This file system is compatible with UNIX-based open system standards, such as POSIX and XPG. Like the root file system, this file system takes advantage of the stream file and directory support that is provided by the integrated file system. In addition, it supports case-sensitive object names. See IBM’s Integrated File System Introduction (SC41-5711) for additional information.

• UDFS - User-Defined File System. This file system resides on the Auxiliary storage pool (ASP) of the user’s choice. The user creates and manages this file system. See IBM’s Integrated File System Introduction (SC41-5711) for additional information.

SecureZIP for iSeries works with all file systems, but the rules of each file system must be adhered to or a file I/O error will most likely occur. In most cases, the files can be compressed and extracted in one run when all the file names and paths meet the file system’s rules. When creating an archive file in one file system, one restriction is that when using the TMPPATH option, the temp path must also be in the same file system as the archive files.

On the following pages are rules for some of the most used file systems.

Document Library Services File System (QDLS) The QDLS file system supports the folders structure. It provides access to documents and folders. Additionally, it supports iSeries folders and document library objects (DLOs) and supports data stored in stream files.

Considerations and Limitations:

• You must be enrolled in the system distribution directory when working with objects in QDLS.

• QDLS converts the lowercase English alphabetic characters a through z to uppercase when used in object names. Therefore, a search for object names

65

using only those characters is not case sensitive. All other characters are case sensitive in QDLS.

• Each component of the path name can consist of just a name, such as: /QDLS/MYFLR1/MYDOC1 - or - a name plus an extension (similar to a DOS file extension), such as: /QDLS/MYFLR1/MYDOC1.TXT.

• The name in each component can be up to 8 characters long, and the extension (if any) can be up to 3 characters long. The maximum length of the path name is 82 characters, assuming an absolute path name that begins with /QDLS.

• The directory hierarchy within QDLS can be 32 levels deep.

• Must have proper authority within the path.

• The folders in the path must already exist.

• PKZIP will not create folders at this time.

• For more details, see the “Rules for Specifying Folder and Document Names” discussion in the publication CL Reference.

Optical File System (QOPT) The QOPT file system provides access to stream data that is stored on optical media (such as CDs). Additionally, it provides a hierarchical directory structure (similar to PC operating systems such as DOS and OS/2), is optimized for stream file input/output, and supports data stored in stream files (known as DSTMF or Distributed Stream Files).

Considerations and Limitations:

• QOPT converts the lowercase English alphabetic characters a to z to uppercase when used in object names. Therefore, a search for object names using only those characters is not case-sensitive. For more details, see the publication Optical Support.

• The path name must begin with a slash (/) and contain no more than 294 characters. The path is made up of the file system name, the volume name, the directory and sub-directory names, and the file name. For example: /QOPT/VOLUMENAME/DIRECTORYNAME/SUBDIRECTORYNAME/FILENAME

• The file system name (/QOPT) is required.

• The volume name is required and can be up to 32 characters long.

• You can include one or more directories or sub-directories in the path name, but QOPT requires none. The total number of characters in all directory names and sub-directory names (including the leading slash) cannot exceed 256 characters. Directory and file names allow any character except X'00' through X'3F', X'FF', lowercase alphabetic characters, and the following characters:

• Asterisk (*)

• Hyphen (-)

• Question mark (?)

• Quotation mark (")

66

• Greater than (>)

• Less than (<)

• The file name is the last element in the path name. The file name length is limited by the directory name length in the path. The directory names and file name combined cannot exceed 256 characters, including the leading slash.

For more details on path name rules in the QOPT file system, see the “Path Name Rules” discussion in the publication Optical Support.

Using QSYS.LIB via the Integrated File System Interface Even though SecureZIP for iSeries accesses the QSYS library file system directly, there is an ability to access the QSYS.LIB file system through the integrated file system interface. In using the integrated file system interface, you should be aware of the following considerations and limitations:

• File handling restrictions in the QSYS.LIB file system are:

• Logical files are not supported.

• Physical files supported for text mode access are program-described physical files containing a single field and source physical files containing a single text field. Physical files supported for binary mode access include externally-described physical files in addition to files supported for text mode access.

• If any job has a database file member open, only one job is given write access to that file member at any given time. Other requests are allowed read-only access.

• In general, the QSYS.LIB file system does not distinguish between uppercase and lowercase in the names of objects. A search for object names achieves the same result, regardless of whether characters in the names are uppercase or lowercase. If a name is enclosed in quotation marks, the case of each character in the name is preserved. A search involving quoted names, therefore, is sensitive to the case of the characters in the quoted name.

• Each component of the path name must contain the object name followed by the object type of the object. For example: /QSYS.LIB/TESTLIB.LIB/MYFILE.FILE/MYFILE.MBR. The object name and object type are separated by a period (.). Objects in a library can have the same name if they are different object types, so the object type must be specified uniquely to identify the object.

• The object name in each component can be up to 10 characters long, and the object type can be up to 6 characters long.

• The directory hierarchy within QSYS.LIB can either be two or three levels deep (two or three components in the path name), depending on the type of object being accessed. If the object is a database file, the hierarchy can contain three levels (library, file, or member), otherwise, there can be only two levels (library or object). The combined length of each component name plus the number of directory levels determine the maximum length of the path name. If / and QSYS.LIB are included as the first two levels, the directory hierarchy for QSYS.LIB can be up to five levels deep.

• The characters in names are converted to code when the names are stored. Quoted names, however, are stored using the code page of the job.

67

For information about code pages, see the publication National Language Support.

IFS Summary Only directories and stream files are supported by SecureZIP for iSeries.

If the archive file is to be in IFS, set parameter TYPARCHFL(*IFS).

If the file being compressed or extracted is in IFS, set parameter TYPFL2ZP(*IFS)

If the files to be selected for compression are to be non-case sensitive set parameter TYPARCHFL(*IFS2).

If the list files are to be in IFS (see Appendix E), set parameter TYPLISTFL(*IFS).

Format Summary:

Directory Directory1/directory2 will be current directory

Stream File filename or directory/filename will be current directory

Full Path /Directory1/Directory2/filename For more information, see the IBM publication Integrated File System Introduction (SC41-5711) or visit the IBM web site.

SAVF SAVF, denoted by the OS/400 system TYPE(*FILE) and ATTR(SAVF), is a special form of file designed specifically to handle save/restore data in the iSeries system.

Some SAVF special characteristics are:

• The SAVF is always processed as binary with all records being 528 characters in length.

• Only a save and restore iSeries function can update or change data.

• A SAVF will not be selected if a member name is included in the file specification.

• A SAVF is a means to compress other iSeries object types (programs, modules, commands, logical files, triggers, etc.) that are in the iSeries system by first doing a SAVLIB or SAVOBJ for those objects to a SAVF. Then you can compress and extract the SAVF.

Compressing a SAVF file The only difference when compressing a SAVF is not to specify a member (only library/file). If a member is specified, then no SAVF types will be compressed.

Extracting Records into a SAVF file It is helpful before extracting records from a ZIP archive to be aware of what file names and file attributes are being stored for the compressed file. VIEWOPT(

68

*DETAIL) may be used on the archive to verify the information. An attribute is stored in the archive header that identifies if the file is a SAVF. The PKUNZIP program will also retain the original attribute from the extended attributes, such as SAVF description and library description.

A common problem in some iSeries environments is that some users may not have the authority to the SAVF commands which can result in failures.

Overwriting Current SAVF File When extracting a compressed file, it may be desirable to overwrite the existing file. By using the OVERWRITE(*YES) parameter, PKUNZIP will first issue a CLRSAVF command to clear the save file. This demonstrates why care should be taken when extracting a SAVF.

Compressing Spool Files SecureZIP for iSeries has the ability to select, compress and extract spool files. Not only can a spool file be compressed, they can be converted to other document formats that will allow the document file to be distributed and read by other media and software.

All spool files are eligible for compression but only spool file types *SCS, *IPDS are supported for text document conversion.

By using the PKZIP command and setting parameter TYPFL2ZP(*SPL), other parameters will be shown to help select the spool files. To assist, a new command PKZSPOOL is provided to sequenced the selections and to eliminate parameters that are not valid for the selection of spool files.

Spool file parameters specifies the group of spool files that are to be selected. Eight positional values can be specified to select the spool files: the spool file name (SPLFILE), the spool file number (SPLNBR), the user that created the files (SFUSER), the OUTQ that the file is residing (SFQUEUE), the form type specified (SFFORM), the user data tag associated with the spool file (SFUSRDTA), the status of the spool file (SFSTATUS), or the specific job name/user name/job number (SFJOBNAM). Only files that meet all of the selection values will be selected. A sample of the default selection parameters is shown in the window below:

Selection sample using the PKZSPOOL command.

SPLF File Compression 8.0 (PKZSPOOL) Type choices, press Enter. Archive Zip File name . . . . . > myar Spool File . . . . . . . . . . . *ALL Spool File Name, *All Spool File User . . . . . . . . *CURRENT User ID, *CURRENT, *ALL + for more values Output Queue Name . . . . . . . *ALL OutQ name, *ALL Library . . . . . . . . . . . Library, *LIBL, *CURLIB Print Form Type . . . . . . . . *ALL Form Type, *STD, *ALL Print File User Specified Data *ALL User Data, *all Spool Files Status . . . . . . . *ALL *ALL, *READY, *HELD... + for more values

69

Spool File Job Name . . . . . . Job name, blank for all User . . . . . . . . . . . . . User Id Job Number . . . . . . . . . . Job Number Spooled file number . . . . . . *ALL 1-9999, *ALL, *LAST Target File Format . . . . . . . *SPLF *SPLF, *TEXT, *PDF, *TEXT1... Target File Name . . . . . . . . *GEN1 Type of processing . . . . . . . *ADD *ADD, *UPDATE, *FRESHEN .. Compression Level . . . . . . . *SUPERFAST *NO, *FAST, *NORMAL, *MAX... File Types . . . . . . . . . . . *DETECT *DETECT *TEXT *BINARY ........ Zip Spool Files . . . . . . . . *SPL *SPL Archive Password . . . . . . . .

After defining what spool files are to be selected for compression, you will need to define the file format the spool file should be stored in the archive. At this time, there three formats: *SPLF (spool file native mode), *TEXT (ASCII text document with three variations of how a new page is handled) and *PDF (Adobe portable document format).

For use with *TEXT and *PDF there are three variations of storing the file name in the archive with the parameter SFTGFILE. SFTGFILE (*GEN1) will generate a very specific name using most of the spool file name attributes to form the file name so that it will not be a duplicated. The name will be built as follows:

"Job-Name/User-Name/#Job-Number/Spool-File-Name/Fspool- File-Number.Suffix"

For example: "MYJOB/BILLS/#152681/INVOICE/F0021.SPLF"

The suffix is dependent on the SFTARGET setting. *SPLF can only be stored as SFTGFILE (*GEN1).

SFTGFILE (*GEN1P) will generate the same specific name generated by *GEN1 except the ‘/’ for folders will all be replaced by ‘.’ to make the file name one lone name. For example:

MYJOB.BILLS.#152681.INVOICE.F0021.SPLF

SFTGFILE (*GEN2) uses the spool file name and appends the spool file number followed by the suffix that is depended on the SFTARGET setting. Caution should be taken in that a duplicate file name in the archive could be created. An example of GEN2 is a spool file INVOICE with spool file number of 21 that will be converted to a text file will generate a file name of INVOICE21.TXT.

In cases where a very specific name is desired for the file in archive name, SFTGFILE() can be coded with the name. This is designed for selecting only one file at a time otherwise file names will be duplicated. Alternatively, you could add coding to the CVTNAME routine and use the CVTFLAG to generate the desired file name.

70

9 ZIP Archives

A ZIP archive is the storage facility for files that are compressed (or simply stored) using the PKZIP product. The basic archive can hold up to 65,535 files, which may have been compressed by up to 99% of their original size. Data integrity is validated by a cyclic redundancy check (CRC) to maintain integrity of the data from the compression through the extraction process. If the archive contains the ZIP64 archive format, the archive can support more than the 65,535 files and can be larger than 4 Gig (See “Large Files Considerations”). In addition to the data, file attributes are retained, allowing extraction of the same file characteristics without the need of control card specifications. An archive can exist in three possible states during processing, described as “old archive,” “temporary archive,” and “new archive.” An explanation of the functions of each of these is described in the sections below.

A ZIP archive is transferable between platforms. That is, files that are compressed by PKZIP on one platform may be extracted by PKZIP on a different platform, maintaining identical data.

This chapter describes the types of files used by SecureZIP for iSeries and provides a description of the way in which they are accessed by SecureZIP for iSeries ZIP archives.

SecureZIP for iSeries (by default) creates a new archives in the *DB file system as members of PF-DTA files with 132-byte records. The archive file is given a text field of “file created by SecureZIP for iSeries.” The archive member is given a text field of “Member created by SecureZIP for iSeries.” If you wish to create your own archive (perhaps to have a larger record size, for performance) then you can do so, but try to adhere to the following:

• When you create the file, do not create any members in it.

• After having created the file, change the MAXMBRS parameter for the file from 1 to *NOMAX.

A ZIP archive holds files internally in one of several formats, which are compatible with other platforms supported by PKZIP. These formats are described here, and several commands are available for transforming files into one of these formats as they are compressed. You may specify in which format a file is stored using the FILETYPE(*BINARY) or FILETYPE(*TEXT) command parameters. OS/400 SAVF are always stored as *BINARY type. If you do not specify FILETYPE(*BINARY) or (*TEXT), then the PKZIP and PKUNZIP programs both will default to FILETYPE(*DETECT). For more information, see FILETYPE(*DETECT).

71

“Old” ZIP Archive When the PKZIP or PKUNZIP command is run, the ZIP archive (which is specified by use of the ARCHIVE parameter is known as the old ZIP archive, except when the TYPE(*ADD) parameter is being used to create a new ZIP archive. The old ZIP archive may have been created by SecureZIP for iSeries during an earlier operation or may have been created by PKZIP on another platform and transferred from there. When a ZIP archive is being updated (or when PKUNZIP is extracting files from a ZIP archive), the necessary details are taken from the old ZIP archive. It should be noted that when SecureZIP for iSeries is updating a ZIP archive, it takes the necessary data from the old ZIP archive, merges it with any new data, and transfers it to a new ZIP archive (in a temporary member in the same iSeries file as the old archive). When all updating is completed, SecureZIP for iSeries deletes the old ZIP archive and then renames the new ZIP archive to the same name as the old ZIP archive. For this reason a file containing a ZIP archive should allow for at least one temporary member to be allocated. When SecureZIP for iSeries creates an archive file, it uses MAXMBRS(*NOMAX).

“Temporary” Archive File A temporary archive file refers to an archive work in progress. SecureZIP for iSeries will always use a temporary archive file and its definition depends on the file system. If the file system type is IFS, then the temporary archive file will be in the same directory of the specified new archive. If the file system type is QSYS, the temporary archive file will become a member of the specified archive file. The temporary file or member will have a unique name PKnnnnnnnn (where nn represents an internal random number). When the file has been completed successfully, the temporary name will be renamed to the specified name in the ARCHIVE parameter. If this is a process in which an old archive is being updated, then (if successful) the old archive will be deleted before the rename. If a problem occurs, the temporary archive may stay with the temporary name. View the job log if this happens to determine the status of the archive.

“New” ZIP Archive When the processing of the temporary dataset is finalized, SecureZIP for iSeries creates a new ZIPPED archive that is the modified “after” version of the old archive. The modified name of the old archive and specified allocation information is transferred automatically to the new archive after updating, and the old Archive is deleted. A new ZIP archive is created when an old ZIP archive is updated, or when a TYPE(*ADD) parameter (see Chapter 11) is used with SecureZIP for iSeries where there is no old ZIP archive.

Self-Extracting Archive The self extracting programs are held as binary entities in the file PKZIPSFX of the SecureZIP for iSeries library. The appropriate member is loaded and the executable data copied to the beginning of the Archive as a preamble when requested.

72

The resulting archive can still be processed by SecureZIP for iSeries as a normal ZIP Archive.

When an input archive containing a self-extraction preamble is passed to SecureZIP for iSeries for PKZIP processing and no value is supplied by SELFXTRACT, the default of *MAINTAIN will keep any preamble if one exist. If the parameter SELFXTRACT(*REMOVE) is supplied then the PREAMBLE is removed when writing the new archive.

A self-extracting archive can be created from an existing archive by using SELFXTRACT with a valid self-extractor. If the original archive contained a preamble, it will be removed and the newly specified preamble will be inserted.

When transferring a self-extracting archive to a target system, be sure to transfer the archive in binary format and adhere to requirements for executables in that environment. (For example, a Windows program should be saved with an application extension of EXE, and a UNIX file attribute should have executable authorization set via the UNIX chmod command).

The self-extraction programs provided are at the 2.5 level of PKZIP. As such, the following restrictions apply to the operation of the self-extraction program(s). Care should be taken to control the creation of the self-extracting archive within these restrictions, although the resulting archive may still be processed with PKZIP programs at higher levels that support these features.

• The number of files in the archive should be limited to 65,535 or less.

• Strong encryption is not supported.

• The size of the archive should not exceed 4 gigabytes.

• The uncompressed size of individual files should be less than 4 gigabytes.

• Some target file systems (such as Windows FAT and UNIX kernals earlier than release 2.4) do not support files greater than 2 gigabytes.

To assist in the usage of the self-extraction programs on the target systems, some of the command parameters are listed below. Note that some parameters may not be valid on all systems. By executing the transferred self-extracting archive on the target system with “-help”, the commands syntax appropriate to that system will be displayed.

Usage: sfx.exe [options] [.ZIP archive] [files...] Where sfx.exe = the name of the self-extracting executable file Options: after extract files that are newer than or equal to a specified date suboptions: "date specification" [format: mmddyy or mmddyyyy] e.g.: sfx.exe -aft=12311999 file.zip before extract files that are older than a specified date suboptions: "date specification" [format: mmddyy or mmddyyyy] e.g.: sfx.exe -bef=12311999 file.zip console display the contents of specified archived files on your screen e.g.: sfx.exe -con= file.zip readme.txt directories recreate directory path while extracting including any sub-directories e.g.: sfx.exe -dir file.zip

73

exclude exclude specified files from being extracted e.g.: sfx.exe -exc=*.txt file.zip extract extract files from the .ZIP archive suboptions: all [extract everything in archive] freshen [extract if newer than destination copy] update [extract if newer or not in destination directory] e.g.: sfx.exe -ext=all file.zip help display help screen e.g.: sfx.exe -help Id preserve original file uid/gid. Must be root/file owner (UNIX only) include include specified files for extraction e.g.: sfx.exe -inc=*.txt file.zip larger extract files that are the specified size (in bytes) and larger suboptions: a numerical value (in bytes) that indicates a minimum desired file size e.g.:sfx.exe -larger=400 license displays license information e.g.: sfx.exe -lic locale reads and/or adjusts the locale variable for date and time format input suboptions: environment [read system variable and apply accordingly] "valid country name" [for example locale=germany] e.g.: sfx.exe -loc=us -aft=12311999 file.zip lowercase change filenames to lower case on extraction e.g.: sfx.exe -lowercase mask remove specified file attributes upon extraction suboptions: archive [mask archive attribute from file(s)/folder(s)] hidden [mask hidden attribute from file(s)/folder(s)] system [mask system attribute from file(s)/folder(s)] readonly [mask read-only attribute from file(s)/folder(s)] none [do not mask attributes from file(s)/folder(s)] all [mask all attributes from file(s)/folder(s)] e.g.: sfx.exe -mask=archive,readonly file.zip more display output one screen at a time e.g.: sfx.exe -more file.zip newer process only those files that are newer than a specified (calendar) day in the past suboptions: a numerical value (in calendar days) that indicates some date in the past relative to the current date e.g.: sfx.exe -newer=2 noextended suppress the extraction of extended attributes e.g.: sfx.exe -noex file.zip older process only those files that are older than a specified (calendar) day in the past suboptions: a numerical value (in calendar days) that indicates some date in the past relative to the current date e.g.: sfx.exe -older=2 overwrite overwrite existing files prompt [prompt before overwriting] all [always overwrite]

74

never [never overwrite] e.g.: sfx.exe -o=all file.zip password specify a decryption password e.g.: sfx.exe -pass=grendel file.zip print print the specified archived file suboptions: "print device name" [for example print=lpt1] e.g.: sfx.exe -print=lpt2 file.zip readme.txt silent suppress warning messages when extracting e.g.: sfx.exe -silent file.zip smaller extract files that are the specified size (in bytes) and smaller suboptions: a numerical value (in bytes) that indicates a maximum desire file size e.g.:sfx.exe -smaller=400 sort sort files when extracting suboptions: crc [sort by crc value] date [sort by date of the file] extension [sort by file extension] name [sort by file name] natural [sort in the order that the file was archived] ratio [sort by compression ratio] size [sort by file size] none [do not sort] e.g.: sfx.exe -sort=size file.zip test test the integrity of archived files suboptions: all [test everything in archive] freshen [test if newer than destination copy] update [test if newer or not in destination directory] e.g.: sfx.exe -test=all file.zip times preserve specified file date/time stamp suboptions: access [preserve accessed date/time stamp on extraction] modify [preserve modified date/time stamp on extraction] create [preserve created date/time stamp on extraction] all [preserve all date/time stamps on extraction] none [do not preserve date/time stamps on extraction] e.g.: sfx.exe -time=access,modify file.zip translate translate the end of line sequence for give operating system suboptions: DOS [convert to DOS style line endings] MAC [convert to MAC style line endings] unix [convert to unix style line endings] e.g.:sfx.exe -translate=unix version display SFX version and return appropriate value to the shell suboptions: major [return major version number] minor [return minor version number] step [return step or patch version number] e.g.: sfx.exe -ver=step volume restore the volume label when extracting e.g.: sfx.exe -vol file.zip warning prompt to continue after warning message e.g.: sfx.exe -warn file.zip

75

10 About Security, Certificates, and Encryption

This section discusses how to use SecureZIP for iSeries to secure your data. Elements that are required to make a SecureZIP for iSeries archive are discussed in detail. These elements, when selectively used, combine to create a SecureZIP for iSeries archive or allow the extraction of a file or files from a SecureZIP for iSeries created archive.

A series of commands and CLPs are provided to assist you in building and maintaining the SecureZIP certificate store. They come standard with SecureZIP for iSeries. The SecureZIP commands that are used to accomplish these tasks are shown in this chapter, along with notes and comments.

Keywords, Phrases, and Acronyms Used in This Chapter SecureZIP for iSeries introduces new terminology to users that are familiar with PKZIP. These expressions directly relate to the security features inherent in SecureZIP for iSeries.

• Public key certificate(s)

• Private key certificate(s)

• Data base profile (local certificate store)

• LDAP profile (networked certificate store)

• Password

• Recipient

• Master recipient (contingency recipient)

• Configuration profile

• Certificate store

• Certificate authority intermediate store

• Trusted root store

• Certificate revocation list (CRL) store

• Enterprise security configuration

• Common name

76

• Path

• Certificate configuration

• PING

• TCP/IP

• User certificate

• Certificate authority

• Recipient database

• Recipient searches

• Filename encryption

Accessing Public and Private Key Certificates SecureZIP for iSeries provides access to both public and private key certificates through a set of IFS files and a DB2 locator database when the parameter ENTPREC(*DB:...) or ENTPREC(*FILE:...) is requested.

In addition, ENTPREC(*LDAP:...) requests are resolved through configured network definitions.

Public Key Certificate Certificate-based encryption allows the exchange of encrypted data without the security risks of exchanging or retaining a password. This form of encryption uses a public-key digital certificate when creating an archive and it then uses a corresponding private-key certificate by the recipient to decrypt the archive. Digital certificates may be identified and selected by naming information, such as "common name" or an email address.

To do this SecureZIP for iSeries performs a process called digital enveloping using digital certificates when encrypting data for specified public key recipients. Access the Secure .ZIP Envelopes whitepaper at the PKWARE web site.

The public key certificate consists of the public portion of an asymmetric cryptographic key (the "public key"), together with identity information, such as a person's name, all of which is signed by a certificate authority (CA). The CA essentially guarantees that the public key belongs to the named entity.

Private Key Certificates To UNZIP a file that has been encrypted with a public-key certificate, the receiver must supply a matching private-key certificate. This is done by including ENTPREC parameter that specifies the location of the private-key certificate along with its associated access password. Note that this password is not used to encrypt a file but rather to access the private-key certificate.

ENTPREC parameters can be coded directly (up to 30 entries) or can point to the Inlist input stream file. One method is for each user to create an Inlist for their private key information and define the security such that only their user ID can read

77

this profile Inlist. A private-certificate Inlist designates a saved repository of the private key certificates.

Enterprise Security Configuration SecureZIP utilizes an enterprise security configuration file to define the enterprise policies. With the command PKCFGSEC, you can view the policies or make revisions to these policies. PKCFGSEC updates and views the SecureZIP security configuration file. This configuration file is where the enterprise security options and defaults reside. It is recommended that you define your standard enterprise options in a CL using the PKCFGSEC command. Then as changes occur or new versions are upgraded the CL can be run to reset the parameters. This will also help if you need to temporarily change one or more settings, as the CL provides a quick means to reset the configuration back to the enterprise setting.

It is suggested that a specific user ID (such as ZIPADMN), user or group be assigned to administrate the enterprise configuration. This can be accomplished by changing the security for the configuration file PKZCFG in the SecureZIP library with the EDTOBJAUT command. First *Public should be changed to use only the file PKZCFG; then set the administrator as the owner with security for changes. For example:

Edit Object Authority Object . . . . . . . : PKZCFG Owner . . . . . . . : ZIPADMN Library . . . . . : PKW810XXS Primary group . . . : *NONE Object type . . . . : *FILE ASP device . . . . . : *SYSBAS Type changes to current authorities, press Enter. Object secured by authorization list . . . . . . . . . . . . *NONE Object ----------Object----------- User Group Authority Opr Mgt Exist Alter Ref *PUBLIC *USE X ZIPADMN *ALL X X X X X

Contents of the Configuration Profile Below is a sample of the PKCFGSEC command. For more information about the command, see Chapter 13. Before running SecureZIP for iSeries, it is recommended that all parameters be reviewed and defined for your enterprise.

SecureZIP Secure Config 8.1 (PKCFGSEC) Type Processing . . . . . . . . *UPDATE *UPDATE, *VIEW ZIP Secure Settings: SecureZIP Active . . . . . *YES *NO, *YES, *SAME AES 3DES Keys . . . . . . . *YES *NO, *YES, *SAME Password . . . . . . . . . *NO *NO, *RQD, *SAME Recipient Secure . . . . . *NO *NO, *RQD, *SAME File Signing . . . . . . . *NO *NO, *SAME Archive Signing . . . . . *NO *NO, *SAME File Authentication . . . *NO *NO, *SAME Archive Authentication . . *NO *NO, *SAME File Name Encryption . . . *NO *NO, *RQD, *OPT, *SAME Strong Encryption: Lockdown Method . . . . . > AES *SAME, *NONE, AES, AES128...

78

Mode . . . . . . . . . . > BSAFE PKWARE, BSAFE, *SAME Hash . . . . . . . . . . > *SHA1 *SAME, *SHA1 Archive Password Specs: Min Length . . . . . . . . > 1 1-200, *SAME Max Length . . . . . . . . > 200 1-200, *SAME Hardening Options . . . . . > 0 *SAME, 0, 1, 2 Signing Settings: Signing Hash . . . . . . . . > *SHA1 *SAME, *SHA1, *MD5 Validate Level . . . . . > *VALIDATE Lockdown Filters . . . . > *NO *NO, *YES, *SAME Filters . . . . . . . . . > *ALL *SAME, *ALL, *NONE... + for more values Authenticate Filters: Validate Level . . . . . > *VALIDATE Lockdown Filters . . . . > *NO *NO, *YES, *SAME Filters . . . . . . . . . > *ALL *SAME, *ALL, *NONE... + for more values Encryption Filters: Validate Level . . . . . > *VALIDATE Lockdown Filters . . . . > *NO *NO, *YES, *SAME Filters . . . . . . . . . > *ALL *SAME, *ALL, *NONE... + for more values Decryption Filters: Validate Level . . . . . > *NONE *VALIDATE, *WARN, *NONE... Revocation Settings: CRL Type . . . . . > *NONE *STATICCRL, *NONE, *SAME Revoke Level . . . . . . *SAME *NONE, *SAME Certificate Validation Level: Cert. Best Fit . . . . . . . > *NONE *NONE, *LATESTVALID... Cert. Secure Type . . . . . > *NONE *NONE, *ENCRYPTION... Certificate DataBase Locator: Active? . . . . . . . . . . > *YES *NO, *YES, *SAME Store Type . . . . . . . . > *LIB *LIB, *SAME Sequence . . . . . . . . . > 0 0-9 Library . . . . . . . . . . > PKW81051S DB Library Search Mode . . . . . . . . > *EMAIL *EMAIL, *CN, *SAME Certificate PUBLIC Store: Store Type . . . . . . . . > *PATH *PATH, *SAME Sequence . . . . . . . . . > 1 0-9 Store Location . . . . . . > '/pkzshare/CStores/Public' Certificate PRIVATE Store: Store Type . . . . . . . . > *PATH *PATH, *SAME Sequence . . . . . . . . . > 0 0-9 Store Location . . . . . . > '/pkzshare/CStores/Private' Certificate CA Store: Store Type . . . . . . . . > *FILE *FILE, *SAME Sequence . . . . . . . . . > 0 0-9 Store Location . . . . . . > '/pkzshare/CStores/CA/pkwareCA.store' Certificate ROOT Store: Store Type . . . . . . . . > *FILE *FILE, *SAME Sequence . . . . . . . . . > 0 0-9 Store Location . . . . . . > '/pkzshare/CStores/Root/pkwareRT.store' Certificate CRL Store: Store Type . . . . . . . . > *FILE *FILE, *SAME Sequence . . . . . . . . . > 0 0-9 Store Location . . . . . . > '/pkzshare/CStores/CRL/pkwareCRL.store' Certificate Work Path: Path Location . . . . . . . > '/pkzshare/CStores/CTemp' Enterprise Encrypt Recipient: LookUp Type . . . . . . . . > *MBRSET *NONE, *DB, *LDAP, *FILE... Recipient . . . . . . . . . > 'pkwareCertAdmin04.cer' Required . . . . . . . . . . > *RQD *RQD, *OPT, *SAME LDAP Definitions: Nbr Active LDAPs . . . . . > 3 1-99, *NONE, *SAME Primary LDAP:

79

1 Network Name . . . . . . > '192.168.132.25' 1 Port . . . . . . . . . . > 389 1-9999 1 Sequence . . . . . . . . > 1 0-9 1 TimeOut . . . . . . . . . > 0 0-9999 1 Access User . . . . . . . > 'PKWAREADDEV\test' 1 Access Password . . . . . > 'xxxxxx' 1 Search Mode . . . . . . . > *EMAIL *EMAIL, *CN 1 Start Node . . . . . . . > 'cn=users,dc=pkwareaddev,dc=com' 1 Test . . . . . . . . . . > N N, Y Secondary LDAP: 2 Network Name . . . . . . > '192.168.115.15' 2 Port . . . . . . . . . . > 389 1-9999 2 Sequence . . . . . . . . > 2 0-9 2 TimeOut . . . . . . . . . > 0 0-9999 2 Access User . . . . . . . > 'cn=Jon Smith,ou=browndeer,o=pkware,c=US,cn= user,dc=cosmos,dc=pkware,dc=com' 2 Access Password . . . . . > 'xxxxxxx' 2 Search Mode . . . . . . . > *EMAIL *EMAIL, *CN 2 Start Node . . . . . . . > 'o=pkware,c=US,cn=user,dc=cosmos,dc=pkware,d=com' 2 Test . . . . . . . . . . > N N, Y Tertiary LDAP: 3 Network Name . . . . . . > '192.168.115.32' 3 Port . . . . . . . . . . > 4389 1-9999 3 Sequence . . . . . . . . > 3 0-9 3 TimeOut . . . . . . . . . > 0 0-9999 3 Access User . . . . . . . > '' 3 Access Password . . . . . > 'xxxxxx' 3 Search Mode . . . . . . . > *EMAIL *EMAIL, *CN 3 Start Node . . . . . . . > 'o=PKWARE' 3 Test . . . . . . . . . . > Y N, Y

File and Data Base (DB) (Local Certificate Store) During SecureZIP for iSeries processing that requires encryption intended for an ENTPREC, the associated public-key certificate(s) must be located. One way of designating which public-key recipients to include is through an IFS file or by using the DB to locate the recipients with the ENTPREC parameter. By using DB or LDAP, this allows for recipient selection based on name or email address through a configured database of certificates on the system that is executing SecureZIP for iSeries. The lookup type would be the type of recipient search that will be used for the recipient string.

1. *DB - The recipient string is defined to search using the certificate locator database to access the digital certificate.

2. *LDAP - The recipient string is defined to search using the LDAP server to access the digital certificate.

3. *FILE - The recipient string is defined to read a specific file in a specific path in the IFS in order to access the digital certificate.

80

4. *MBRSET - The recipient string is defined to read this specific file from the enterprise public certificate store to access the digital certificate.

5. *INLIST - The recipient string defines a specific file that will contain one to many recipients.

Your technical support staff is responsible for configuring the local certificate store and should provide you with information on which method they prefer.

LDAP Profile (Networked Certificate Store) During SecureZIP for iSeries processing that requires encryption intended for a recipient, the associated public-key certificate(s) must be located.

One way of designating which public-key recipients to include is through the LDAP interface to a directory server in the ENTPREC parameters. This allows for recipient selection based on name, email address or other installation-configured LDAP fields. One or more LDAP compliant servers may be configured for searching.

Your technical support staff is responsible for configuring the LDAP-compliant directory that stores certificates and will provide you with information on the enterprise approach for your facility.

Certificate Store Administration and Configuration

Access X.509 Public and Private Key Certificates SecureZIP for iSeries introduces new modules that utilize RSA’s BSAFE Cert-C Toolkit to access X.509 public and private key certificates. The access to the various certificate stores by this task is governed by various forms of the ENTPREC parameter, as well as by a suite of new configuration commands.

All local certificates are stored in a path of the IFS and the store paths are defined using the PKCFGSEC command. The other method of certificate access is through the LDAP. The first step of the startup is to define the public and private stores and their security. The next part is to define a procedure to maintain the certificates.

Local Certificate Store SecureZIP for iSeries provides access to both public and private key certificates through a set of local IFS paths which contain the certificate files. These paths are defined using the PKCFGSEC command.

Certificate Authority and Root Certificates Stores End entity certificates and their related keys are used for signing and authentication. They are created at the end of the trust hierarchy of certificate authorities. Each certificate is signed by its CA issuer and is identified in the “Issued By” field in the end certificate. In turn, a CA certificate can also be issued by a higher level CA. Such certificates are known as intermediate CA certificates. At the top of the issuing chain is a self-signed certificate known as the root.

81

SecureZIP for iSeries uses public-key certificates in PKCS#7 format as a store format. The intermediate CA certificates are maintained independently from the root certificates. These files are defined to SecureZIP in the PKCFGSEC with the CSCA and CSROOT parameters.

Certificate Revocation List Stores If a certificate revocation list (CRL) is to be used, the certificate revocation list store will contain all CRLs for revocation processing. The CRL store is separate from the CA store for more efficient certificate processing. The store is defined in PKCFGSEC with parameters CSCRL. To use the CRL, SecureZIP needs to know that a static CRL is used. This is defined with the REVKEP parameter in PKCFGSEC.

Local Certificate Locator Database SecureZIP for iSeries comes with one new physical file PKZCF1F and three logical files: PKZCF1LCN, PKZCF1LEM and PKZCF1LPH. These files are part of the certificate locator database used for certificate processing. These files are activated by changing the security settings using the PKCFGSEC command. To use these files, see Chapter 15.

This locator database allows access to the public and private certificates using the common name, email address or public hash key.

Here again, for security reasons, it is suggested that a specific user ID (such as ZIPADMN), user, or group be assigned to administrate the database. This can be accomplished by changing the security for the configuration file PKZCF1F and the logical files in the SecureZIP library with the EDTOBJAUT command. First change *Public to only *Use for the files, and then set the administrator as the owner with security for changes. For example:

Edit Object Authority Object . . . . . . . : PKZCF1F Owner . . . . . . . : ZIPADMN Library . . . . . : PKW810XXS Primary group . . . : *NONE Object type . . . . : *FILE ASP device . . . . . : *SYSBAS Type changes to current authorities, press Enter. Object secured by authorization list . . . . . . . . . . . . *NONE Object ----------Object----------- User Group Authority Opr Mgt Exist Alter Ref *PUBLIC *USE X ZIPADMN *ALL X X X X X

LDAP Certificate Store SecureZIP for iSeries also provides access to public key certificates located in an external LDAP (Lightweight Directory Access Protocol) server via a TCP/IP network connection.

Each LDAP server to be used should be defined with the PKCFGSEC command.

Each certificate store is described in detail in the following sections.

82

Usage Notes:

It is recommended that, as you define your enterprise configuration, you build it in a CL source. This will provide the ability to reset the configuration quickly if it gets changed or destroyed. One way is to copy the DFTCFGSEC member of QCLSRC in your zip library to a secure source file for your custom changes. Then update this custom configuration CL as you build your system.

Certificate Authority, Root Certificates and CRL Store Administration This section assists with allocating the components necessary to support the local DB and with administering the certificates in it.

The following stores are maintained by the utility PKSTORADM:

Intermediate Certificate Authority

A store of issuing certificates files associated with the end-entity certificates. These certificates are used to authenticate the validity of an end-entity digital signature on a receiving system. They are also included in a SecureZIP archive when a signing operation is performed.

Other system types may refer to this store as “CA”.

Trusted Root Certificate Authority

A store of issuing certificates that are classified as “self signed,” meaning that each one is at the top of a hierarchy of issuing CAs. These certificates are used to authenticate the validity of an end-entity digital signature on a receiving system. They are considered “trusted” by virtue of their installation on an authenticating system. They are included in a SecureZIP archive when a signing operation is performed.

Other system types may refer to this store as “ROOT”.

Certificate Revocation List

A store of certificate revocation lists published by each CA.

Other system types may refer to this store as “CRL”. First define the path and file name with PKCFGSEC parameters: CSCA (intermediate certificate authority), CSROOT (trusted root certificate authority), and CSCRL (certificate revocation list).

Packaged in the TSTCERTS archive are three empty initialized stores (pkwareCA.store, pkwareRT.store, and pkwareCRL.store) that can be restored to your directories. After restoring the store files, you can name the files anything that you want to match your definition in PKCFGSEC.

For example:

1. Create the store paths:

MD DIR('/myroot/pkware/CStore/CA') Certificate Authority Store MD DIR('/myroot/pkware/CStore/Root') Trusted Authority Root Store MD DIR('/myroot/pkware/CStore/CRL) Certificate Revocation List

83

2. Extract the initialized stores:

Extract initialized empty CA intermediate certificate store:

PKUNZIP ARCHIVE('PKW81051s/tstcerts/tstcerts') FILES('pkwareCA.store') TYPE(*EXTRACT) EXDIR('/myroot/pkware/CStore/CA’) DROPPATH(*ALL) TYPARCHFL(*DB) TYPFL2ZP(*IFS) CVTTYPE(*NONE)

Extract initialized empty trusted root store:

PKUNZIP ARCHIVE('PKW81051s/tstcerts/tstcerts') FILES('pkwareRT.store') TYPE(*EXTRACT) EXDIR('/myroot/pkware/CStore/Root’) DROPPATH(*ALL) TYPARCHFL(*DB) TYPFL2ZP(*IFS) CVTTYPE(*NONE)

Extract initialized empty revocation list store:

PKUNZIP ARCHIVE('PKW81051s/tstcerts/tstcerts') FILES('pkwareCRL.store') TYPE(*EXTRACT) EXDIR('/myroot/pkware/CStore/CRL') DROPPATH(*ALL) TYPARCHFL(*DB) TYPFL2ZP(*IFS) CVTTYPE(*NONE)

3. Change the security of the files and paths.

It is suggested that a specific user ID (such as ZIPADMN), user, or group be assigned to administrate the stores. This can be accomplished by changing the security for the paths and files created above with the CHGAUT and CHGOWN commands. First change *Public to only *Use for the files, and then set the administrator as the owner with security for changes.

For example changes for the Root Store path and file might be:

Change ownership to ZIPADMN:

CHGOWN OBJ('/myroot/pkware/CStores/Root/') NEWOWN(ZIPADMN) CHGOWN OBJ('/myroot/pkware/CStores/Root/pkwareRT.store')

NEWOWN(ZIPADMN)

Change *PUBLIC for use of root path and file:

CHGAUT OBJ('/myroot/pkware/CStores/Root') USER(*PUBLIC) DTAAUT(*R) OBJAUT(*NONE)

CHGAUT OBJ('/myroot/pkware/CStores/Root/pkwareRT.store') USER(*PUBLIC) DTAAUT(*R) OBJAUT(*NONE)

Change ZIPADMN for all security:

CHGAUT OBJ('/myroot/pkware/CStores/Root/pkwareRT.store') USER(ZIPADMN) DTAAUT(*RWX) OBJAUT(*ALL)

CHGAUT OBJ('/myroot/pkware/CStores/Root/pkwareRT.store') USER(ZIPADMN) DTAAUT(*RWX) OBJAUT(*ALL)

If any other users or groups are defined for the path or file remove them by using the WRKLNK command and displaying authority.

84

Display Authority Object . . . . . . . . . . . . : /myroot/pkware/CStores/Root/pkwareRT.store Owner . . . . . . . . . . . . : ZIPADMN Primary group . . . . . . . . : *NONE Authorization list . . . . . . : *NONE Data --Object Authorities-- User Authority Exist Mgt Alter Ref *PUBLIC *R ZIPADMN *RWX X X X X

At this point you can use the PKSTORADM command to import the trusted roots and the intermediate certificates.

It is very important that you control the addition of trusted roots to your root store since they will define the certificate chains to be trusted.

Local Certificate Store Administration This section assists with allocating the components necessary to support the local DB to administer the certificates within it.

Build Private and Public Store Paths This section describes the process to build the public and private certificate paths in the IFS.

The public store is a path in the IFS that contains files with X.509 public certificate files known as PEM files.

The private store is a path in the IFS that contains a file with X.509 public certificate and private key packaged as a file.

SecureZIP can work with certificates and keys in the following file formats:

Format Description

PEM Contains a single end-entity public-key certificate. It may be in Base-64 encoded (ASCII text with ASCII headers) or DER-encoded binary format.

Common file extensions: .pem, .cer, .key, .crt

PKCS#12 Contains a single end-entity private-key certificate (and its public key). By definition, it is in binary format.

Common file extensions: .pfx, .p12

PKCS#7

Not Supported for public and private keys

Contains one or more CA (and or Root) certificates

Common file extension: .p7b

For example:

85

1. Define the public and private stores paths with the PKCFGSEC command using the CSPUB and CSPRVT parameters.

2. Create the public and private store paths:

MD DIR('/myroot/pkware/CStore/Public') Public store path MD DIR('/myroot/pkware/CStore/Private') Private store path

Initialize and Build Certificate Locator Database: This section describes the process to build the certificate locator databases. The databases are distributed with product as empty files, but the DSS source is also distributed in case they ever need to be rebuilt. An easier way to rebuild the database is to clear the physical file member (CLRPFM).

1. Clear the file:

CLRPFM FILE(PKW81051S/PKZCF1F) MBR(*FIRST)

OR

Build the databases with the CRTCERTDB CL program. CRTCERTDB will create the “iSeries Certificate Locator” physical file PKZCF1F and its associated logical files:

• PKZCF1LCN “Certificate locator by CN (Common Name)”

• PKZCF1LEM “Certificate locator by EM (Email Address)”

• PKZCF1LFN “Certificate locator by FN (Friendly Name)”

• PKZCF1LPH “Certificate locator by Public Hash”.

The program will create the files in the target library parameter of the program such as Call CRTCERTDB ‘PKW81051S’.

2. Define the paths and places for the certificates in the proper directories.

3. By using the PKCFGSEC command, update the certificate store settings for the certificates and set the CERTDB settings for the certificate database locator.

4. Run the PKBLDCDB as many times as necessary to process your certificates in the IFS stores.

5. Run the PKQRYCDB to view the certificates in the locator database.

The following stores are maintained by the utility PKBLDCDB:

Store Description

Public

A store for end-entity certificates used to identify encryption recipients or for authentication of digital signatures. Certificate files in this store contain only public keys; they do not contain private keys. SecureZIP for iSeries represents these certificates held in the local certificate store through the ISPF interface as “CER” entries. Other system types may refer to this store as “Other People” or “Address Book”

86

Store Description

Private A store for end-entity certificate files with their respective private keys. Private keys are used to decrypt files or perform digital signing. SecureZIP for iSeries represents these certificates held in the local certificate store through the ISPF interface as “PFX” entries.

(Private keys in this store are encrypted using PKCS#8 format and PKCS#5 version 2.)

Other system types may refer to this store as “Personal” or “MY Store”

Directory Certificate Store Configuration - LDAP This section assists with defining the network connectivity to access certificate stores in an LDAP-compliant directory. Certificate stores are often located on an LDAP server. Please note that prior to using LDAP services to locate public key digital certificates for recipient processing, network connections must be defined.

Command settings will be kept in a LDAP SecureZIP for iSeries enterprise security configuration file.

To assist in entering the correct settings that are defined in the configuration file using the PKCFGSEC command, there is a LDAP test command (PKLDAPTST). This command verifies that the settings are correct and shows the type of response to expect. With PKLDAPTST, the LDAP connection parameters can be coded manually. However, the PKCFGSEC command has the ability to run the LDAP test to assist in properly formatting the LDAP parameters and to test connectivity to the desired LDAP server.

Testing the LDAP Connection For more information, see the PKLDAPTST command in Chapter 14.

The presence of a server can be established by using the PING and PKLDAPTST command:

SecureZIP LDAP Test 8.1 (PKLDAPTST) Type choices, press Enter. Action Type . . . . . . . . . . *SUMMARY *SUMMARY, *DETAIL Server Name or IP . . . . . . . > '192.168.132.25' Port Number . . . . . . . . . . 389 Character value Access User . . . . . . . . . . > 'PKWAREADDEV\test' Access Password . . . . . . . . Start Node . . . . . . . . . . . > 'cn=users,dc=pkwareaddev,dc=com' Search Filter . . . . . . . . . '(cn=*)(userCertificate=*)' Max Item . . . . . . . . . . . . > 100 Character value

Or

PKLDAPTST SNAME('192.168.132.25') USER('PKWAREADDEV\test') PASSWORD(‘xxxx’) STRNODE('cn=users,dc=pkwareaddev,dc=com') MAXI(100)

Sample results:

87

PKLDAPTEST LDAP Test Starting 2004/07/22 06:23:34 PKLDAPTESTT Parameters:Action<T> - Server<192.168.132.25> Port<389> - User<PKWAREADDEV\test> Password<6> - Start Node<cn=users,dc=pkwareaddev,dc=com> - Search Filter<(&(cn=*)(userCertificate=*))> - Max Items to Search<100> ,100 LDAP_intialTest - --LDAP init ..... elasp time 0.000000 seconds LDAP_intialTest - --SizeLimit=100 TimeLimit=0 LDAP_intialTest - --LDAP bind ..... elasp time 0.000000 seconds LDAP_intialTest - --LDAP Search ..... elasp time 0.000000 seconds LDAP_intialTest - --LDAP Search ...... 21 entries found LDAP_intialTest - --LDAP Attributes ..... elasp time 0.000000 seconds LDAP_intialTest - Total Entries=21 PKLDAPTESTT LDAP Testing Ending RC=0

When creating a configuration for an LDAP server at a new network address, it is recommended that a PING test be performed first using the PING command.

OPTION - PING The PING option will perform a "TSO PING" command to verify that the network address can be resolved and the associated IP address reached. Once completed, a BROWSE of the output will be automatically presented. Be aware that some network administrators may turn off PING response capabilities, so it is possible that the PING may time out even if the network name (e.g. www.pkware.com) can be resolved to an IP address.

PING '192.168.132.25'

Verifying connection to host system 192.168.132.25. PING reply 1 from 192.168.132.25 took 91 ms. 256 bytes. TTL 125. PING reply 2 from 192.168.132.25 took 22 ms. 256 bytes. TTL 125. PING reply 3 from 192.168.132.25 took 91 ms. 256 bytes. TTL 125. PING reply 4 from 192.168.132.25 took 20 ms. 256 bytes. TTL 125. PING reply 5 from 192.168.132.25 took 20 ms. 256 bytes. TTL 125. Round-trip (in milliseconds) min/avg/max = 20/48/91. Connection verification statistics: 5 of 5 successful (100 %).

Possible errors:

• The network address cannot be resolved by the domain name server (DNS).

TCP3202 Unknown host www.unknown-name.com

• Network services may be down along the routes to reach the IP address.

HOST unreachable

• The specified host may not be up, or is not accepting PING requests.

Timed out

Getting Started with PKWARE Test Digital Certificates Included with the SecureZIP library is an archive containing two public certificates, two corresponding PKCS#12 private keys files, a test public certificate with private key for CRL testing, one CRL file to apply, three initialized stores, and several samples Inlist files. See the $readme.txt to see content description.

88

These certificates are provided to assist in initial certificate testing and are not needed to run SecureZIP.

Note that the test certificates are not trusted certificates and were not issued by a trusted certificate authority. They should never be used for production or for securing any of your organization’s sensitive data. They are provided for testing only.

The archives in the distribution library (assuming PKW81051S) would be the file named TSTCERTS with the member called TSTCERTS.

PKUNZIP ARCHIVE('PKW81051s/tstcerts/tstcerts') SecureZIP(TM) for iSeries Compression Utility Version 8.1.0, 2005/03/08 Copyright. 1989-2005 PKWARE, Inc. All Rights Reserved. SecureZip(tm) is a trademark of PKWARE (R), Inc. SecureZIP(TM) for iSeries is running under Beta release B2 Archive: PKW810XXS/TSTCERTS(TSTCERTS) 17424 bytes 22 files Length Method Size Ratio Date Time CRC-32 Name -------- ------ ------- ----- ---- ---- ------ ---- 785 Defl:F 324 59% 03-08-05 07:29 6ca9e42e $readme.txt 654 Defl:F 489 25% 02-09-05 13:18 2d32433a crl1.crl 786 Defl:F 658 16% 12-27-04 13:18 4458cfef pktestdb3.crt 2106 Defl:F 2058 2% 12-27-04 13:18 1773a716 pktestdb3.p12 786 Defl:F 660 16% 12-27-04 13:17 6bc95df5 pktestdb4.crt 2106 Defl:F 2052 3% 12-27-04 13:18 ba20cadd pktestdb4.p12 2106 Defl:F 2055 2% 03-07-05 12:41 b7f957bb pktestdb9.pfx 3573 Defl:F 1882 47% 02-09-05 13:17 0c6cc373 pktica_ca.cer 3565 Defl:F 1878 47% 02-09-05 13:15 60f503e4 pkwareCA.crt 37 Defl:F 30 19% 02-17-05 11:48 274e6484 pkwareca.p7b 37 Defl:F 30 19% 02-17-05 11:48 274e6484 pkwarecrl.p7b 1192 Defl:F 691 42% 02-09-05 13:15 40f1ec95 pkwareroot.cer 37 Defl:F 30 19% 02-17-05 11:48 274e6484 pkwarert.p7b 49 Stored 49 0% 02-25-05 10:50 b5002c1b tstauth_db3.inlist 51 Stored 51 0% 01-10-05 12:14 3a6ddda4 tstauth_mb3.inlist 47 Stored 47 0% 02-25-05 10:50 18df8708 tstauth_mb4.inlist 52 Stored 52 0% 02-25-05 10:50 7c830a06 tstpriv_db4.inlist 45 Stored 45 0% 02-25-05 10:50 cddd548c tstpriv_mb3.inlist 78 Defl:F 52 33% 02-25-05 10:50 e6816f7e tstpubl_1.inlist 83 Defl:F 72 13% 02-25-05 10:51 f3e66e5b tstpubl_2.inlist 55 Stored 55 0% 02-25-05 10:51 d110fa75 tstsign_db3.inlist 51 Stored 51 0% 02-25-05 10:51 441dad6d tstsign_mb4.inlist -------- ------- ---- ------- 18281 13311 27% 22 files SecureUNZIP extracted 0 files .

The following steps can be automated for testing using the included CL program TSTCERTS. The source is located in the QCLSRC file of the distribution library. Before using the TSTCERTS CL program, make any modification required for your environment and then compile the CL program. The TSTCERTS program requires two external parameters. The first parameter is the SecureZIP library. The second parameter is the base path where the certificate store will reside (for example: ‘/myroot/pkware’). This base path must exist before running TSTCERTS.

Step 1: Define IFS Certificate Stores First you will need to decide where the certificate stores will be located in the IFS and then create the following folders in that path. After creating the paths, take time to set all the proper authorities for each path. If an administrator will be assigned, you can set the group ID as the owner. It is recommend that *PUBLIC should only

89

have read authority to the files once you enter production. Assuming that you will be creating the stores in the directory called ‘/myroot/pkware’, create the following directories in that base path:

MD DIR('/myroot/pkware/CStore') Be sure to define the folder security

MD DIR('/myroot/pkware/CStore/Public') Public Store MD DIR('/myroot/pkware/CStore/Private') Private Store MD DIR('/myroot/pkware/CStore/CA') Certificate Authority Store MD DIR('/myroot/pkware/CStore/Root') Trusted Authority Root

Store MD DIR('/myroot/pkware/CStore/CRL') Certificate Revocation List MD DIR('/myroot/pkware/CStore/CTemp') Admin Temp Work Area

MD DIR('/myroot/pkware/CStore/Testzips') For initial archives for

testing and inputs to admin MD DIR('/myroot/pkware/CStore/InList') Used for testing Inlist

samples

The contents can be deleted after the test is competed, but the enterprise configuration should be reviewed for production.

Note: if you need to start over and want to clear the certificate locator database for testing, you can clear the database with:

CLRPFM FILE(PKW81051S/PKZCF1F) MBR(*FIRST).

Caution should be taken to make sure you are clearing a test-only database.

Step 2: Extract Test Certificates, Inlist, Inputs, and Stores Extract public test certificates:

PKUNZIP ARCHIVE('PKW81051s/tstcerts/tstcerts') FILES('pktestdb3.crt' 'pktestdb4.crt’) TYPE(*EXTRACT) EXDIR('/myroot/pkware/CStore/Public') DROPPATH(*ALL) TYPARCHFL(*DB) TYPFL2ZP(*IFS) CVTTYPE(*NONE)

Extract private test certificates:

PKUNZIP ARCHIVE('PKW81051s/tstcerts/tstcerts') FILES('pktestdb3.p12' 'pktestdb4.p12' 'pktestdb9.pfx' ) TYPE(*EXTRACT) EXDIR('/myroot/pkware/CStore/Private') DROPPATH(*ALL) TYPARCHFL(*DB) TYPFL2ZP(*IFS) CVTTYPE(*NONE)

Extract initialized empty CA certificate intermediate store:

PKUNZIP ARCHIVE('PKW81051s/tstcerts/tstcerts') FILES('pkwareCA.store') TYPE(*EXTRACT) EXDIR('/myroot/pkware/CStore/CA') DROPPATH(*ALL) TYPARCHFL(*DB) TYPFL2ZP(*IFS) CVTTYPE(*NONE)

Extract initialized empty trusted root store:

PKUNZIP ARCHIVE('PKW81051s/tstcerts/tstcerts') FILES('pkwareRT.store') TYPE(*EXTRACT) EXDIR('/myroot/pkware/CStore/Root') DROPPATH(*ALL) TYPARCHFL(*DB) TYPFL2ZP(*IFS) CVTTYPE(*NONE)

Extract initialized empty revocation list store:

PKUNZIP ARCHIVE('PKW81051s/tstcerts/tstcerts') FILES('pkwareCRL.store') TYPE(*EXTRACT) EXDIR('/myroot/pkware/CStore/CRL')

90

DROPPATH(*ALL) TYPARCHFL(*DB) TYPFL2ZP(*IFS) CVTTYPE(*NONE)

Extract sample test Inlist files:

PKUNZIP ARCHIVE('PKW81051s/tstcerts/tstcerts') FILES('*inlist') TYPE(*EXTRACT) EXDIR('/myroot/pkware/CStore/InList’) DROPPATH(*ALL) TYPARCHFL(*DB) TYPFL2ZP(*IFS) CVTTYPE(*NONE)

Restore test inputted certs and CRL to Testzips area

PKUNZIP ARCHIVE('PKW81051s/tstcerts/tstcerts') FILES('pkwareCA.cer' 'pkwareRoot.cer' 'pktica_ca.crt' 'crl1.crl' ) TYPE(*EXTRACT) EXDIR('/myroot/pkware/CStore/Testzips') DROPPATH(*ALL) TYPARCHFL(*DB) TYPFL2ZP(*IFS) CVTTYPE(*NONE)

Step 3: Setup Security Configuration File with PKCFGSEC Command First, verify what the current settings in the security configuration with:

PKCFGSEC TYPE(*VIEW)

Next, update the certificate stores and activate the certificate locator database.

1. Activate signing and authentication with filename encryption optional.

PKCFGSEC TYPE(*Update) SECTYPE(*YES *YES *SAME *SAME *YES *YES *YES *YES *OPT)

2. Define all of the store paths and files with CSPUB, CSPRVT, CSCA, CSROOT, CSCRL.

3. Define the certificate database settings with CERTDB. Make certain that the correct library is specified or errors will occur later.

4. Define certificate policies for signing (SIGNPOL), encryption (ENCRYPOL), and authentication (AUTHPOL).

5. Define the static CRL settings with REVKEPOL.

6. We could define a contingency key or master recipient at this time with ENTPREC

PKCFGSEC TYPE(*Update) SECTYPE(*YES *YES *SAME *SAME *YES *YES *YES *YES *OPT) CERTDB(*YES *LIB 0 PKW81051S *EMAIL) CSPUB(*PATH 0 '/myroot/pkware/CStore/Public') CSPRVT(*PATH 0 '/myroot/pkware/CStore/Private') CSCA(*FILE 0 '/myroot/pkware/CStore/CA/pkwareCA.store') CSROOT(*FILE 0 '/myroot/pkware/CStore/ROOT/pkwareRT.store') CSCRL(*FILE 0 '/myroot/pkware/CStore/CRL/pkwareCRL.store') CWRKPATH('/myroot/pkware/CStore/CTemp') REVKEPOL(*STATICCRL *NONE) SIGNPOL(*SHA1 *VALIDATE *NO (*ALL)) AUTHPOL(*VALIDATE *NO (*ALL)) ENCRYPOL(*VALIDATE *NO (*ALL)) ENTPREC(*NONE) LDAPACTV(*NONE)

91

Step 4: Add Trusted Roots and Intermediate Certificates to the Certificate Stores. Using the PKSTORADM store administrator maintenance command, we should import all the trusted roots first, followed by all CA certificates.

But first we need to think about the security of our stores. Most installations will want to have a specific user, user ID, or group perform store maintenance and let the users of SecureZIP have only read access to the stores. It is suggested that *PUBLIC be only allowed to read the stores. For example, if we have a user ID of ZIPADMIN that is the only user that has the authority to do maintenance, then the paths and stores might have a sample authority setting as follows:

Object . . . . . . . . . . . . : /myroot/pkware/CStore/Root/pkwareRT.store Data --Object Authorities-- Opt User Authority Exist Mgt Alter Ref *PUBLIC *RX X ZIPADMIN *RWX X X X X

First you might want to verify all the stores to make sure they are OK and empty.

PKSTORADM RUNTYPE(*VERIFY) STYPE(*ALL)

PKSTORADM SecureZIP CA Store Administration starting------2005/03/10 12:10:19 ZPCA000I SUCCESS: CA Store '/myroot/pkware/CStore/CA/pkwareCA.store' verified successfully. 0 certificates found. ZPCA000I SUCCESS: Root Store '/myroot/pkware/CStore/ROOT/pkwareRT.store'verified successfully. 0 certificates found. ZPCA000I SUCCESS: CRL store '/myroot/pkware/CStore/CRL/pkwareCRL.store' successfully verified. 0 revocation lists found. PKSTORADM Store Admin ending------0 PKSTORADM Completed Successfully

Now add the PKWARE test trusted root certificate to the root store:

PKSTORADM RUNTYPE(*IMPORT) FTYPE(*CER) STYPE(*ROOT) FNAME('/myroot/pkware/CStore/Testzips/pkwareRoot.cer')

PKSTORADM SecureZIP CA Store Administration starting------2005/03/10 12:10:19 ZPCA000I SUCCESS: Added certificate to store '/myroot/pkware/CStore/Root/ pkwareRT.store'. DSN=/myroot/pkware/CStore/Testzips/pkwareRoot.cer;CER=1;F N=PKTESTDB Root;TP=A91CD312EFFEF51C8ABFEFD92C23FF67FBDBEBE3;SN=00;E=PKTESTDBR oot@nowhere.com;ROOT ZPCA000I SUCCESS: Saved certificate store '/myroot/pkware/CStore/Root/pkw areRT.store' to disk. ZPCA000I Added 1 of a possible 1 certificates to the ROOT store. ZPCA000I 0 certificates in the ROOT store before the Add command. ZPCA000I 1 certificates in the ROOT store after the Add command. PKSTORADM Store Admin ending------0

Now add the PKWARE test intermediate certificate authority certificate to the CA store:

92

PKSTORADM RUNTYPE(*IMPORT) FTYPE(*CER) STYPE(*CA) FNAME(‘/myroot/pkware/CStore/Testzips/pkwareCA.cer’)

PKSTORADM SecureZIP CA Store Administration starting------2005/03/10 12:12:36 ZPCA000I SUCCESS: Added certificate to store '/myroot/pkware/CStore/CA/pk wareCA.store'. DSN=/myroot/pkware/CStore/Testzips/pkwareCA.cer;CER=1;FN=PK WARE Test Intermediate Cert;TP=2B3C27C30067690EFB77A8A84DAB1D39A1368906;SN=01 ;E=PKTESTDBIC@nowhere.com;CA ZPCA000I SUCCESS: Saved certificate store '/myroot/pkware/CStore/CA/pkwar eCA.store' to disk. ZPCA000I Added 1 of a possible 1 certificates to the CA store. ZPCA000I 0 certificates in the CA store before the Add command. ZPCA000I 1 certificates in the CA store after the Add command. PKSTORADM Store Admin ending------0

Step 5: Build the Certificate Locator Database with PKBLDCDB First build the public keys. In this case, we can use the *DIRECTORY option since all the public certificates are in one folder. You can use your user ID for the new owner or the ZipAdmin. If you do not have proper authority, then you will receive an API error when the CHGAUT command is issued. The database is ok, but the authority of the file may not be what you intended.

PKBLDCDB MAINT(*UPDATE) MTYPE(*DIRECTORY) CTYPE(*PUBLIC) FNAME('/myroot/pkware/CStore/Public') DUPOPT(*REPLACE) LOGLVL(*LOG) OWNER(*NONE) PUBAUTH(*R (*OBJREF *OBJEXIST))

PKBLDCDB Update SecureZIP Cert DataBase starting------2004/07/23 10:47:15 Sample Authorty:<CHGAUT OBJ('FileObj') USER(*PUBLIC) DTAAUT(*R) OBJAUT(*OBJRE F *OBJEXIST )> PKBLDCDB Running Update Mode--Replace Duplicates--- PKBLDCDB Adding </myroot/pkware/CStore/Public/pktestdb3.crt> PKBLDCDB Adding </myroot/pkware/CStore/Public/pktestdb4.crt> PKBLDCDB Run Totals: Total Records Added =2 Total Records Updated =0 Total Duplicateds Found =0 Total Records In Error =0 Total Records Processed =2 PKBLDCDB Scan ending------

Usually when updating private certificates you will use the *FILE option since each private key will have a different password. The best practice is to have the individual to whom the certificate was issued run the PKBLDCDB command since, for security reasons, he or she should be the only one with access to the password used to export the certificate file.

PKBLDCDB MAINT(*UPDATE) MTYPE(*FILE) CTYPE(*PRIVATE) FNAME('/myroot/pkware/CStore/Private/pktestdb4.p12') DUPOPT(*REPLACE) PASSWORD('PKWARE') LOGLVL(*LOG) OWNER(*NONE) PUBAUTH(*R (*OBJREF *OBJEXIST))

PKBLDCDB Update SecureZIP Cert DataBase starting------2004/07/23 10:53:17 Sample Authorty:<CHGAUT OBJ('FileObj') USER(*PUBLIC) DTAAUT(*R) OBJAUT(*OBJRE F *OBJEXIST )> PKBLDCDB Running Update Mode--Replace Duplicates---

93

PKSCANCRT Private Cert will be processed (6) PKBLDCDB Adding </myroot/pkware/CStore/Private/pktestdb1.p12> PKBLDCDB Run Totals: Total Records Added =1 Total Records Updated =0 Total Duplicateds Found =0 Total Records In Error =0 Total Records Processed =1 PKBLDCDB Scan ending------

PKBLDCDB MAINT(*UPDATE) MTYPE(*FILE) CTYPE(*PRIVATE) FNAME('/myroot/pkware/CStore/Private/pktestdb3.p12') DUPOPT(*REPLACE) PASSWORD('PKWARE') LOGLVL(*LOG) OWNER(*NONE) PUBAUTH(*R (*OBJREF *OBJEXIST))

PKBLDCDB MAINT(*UPDATE) MTYPE(*FILE) CTYPE(*PRIVATE) FNAME('/myroot/pkware/CStore/Private/pktestdb9.pfx') DUPOPT(*REPLACE) PASSWORD('PKWARE') LOGLVL(*LOG) OWNER(*NONE) PUBAUTH(*R (*OBJREF *OBJEXIST))

Step 6: Compress File with Public Digital Certificates The first ZIP test will use both of the public certificates and 256-bit AES algorithm to encrypt and compress one file to an archive in the folder that was created earlier. This test will use the *MBRSET and *FILE types for the selection of the certificates.

PKZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC01.zip') FILES('PKW81051s/$CONTACT') ADVCRYPT(AES256) TYPARCHFL(*IFS) TYPFL2ZP(*DB) ENTPREC((*MBRSET pktestdb3.crt) (*FILE '/myroot/pkware/CStore/Public/pktestdb4.crt'))

Scanning files in *DB for match ... Total Recipients processed 2 Archive Recipient List: CN=PKWARE Test4 EMail=PKTESTDB4@nowhere.com CN=PKWARE Test3 EMail=PKTESTDB3@nowhere.com Found 1 matching files Compressing PKW81051S/$CONTACT($CONTACT) in TEXT mode Add PKW81051.S/$CONTACT/$CONTACT -- Deflating (80%) encrypt(BSAFE AES 256 Key) SecureZIP Compressed 1 files in Archive /myroot/pkware/CStore/Testzips/TestC0 1.zip SecureZIP Completed Successfully

The second ZIP test will use both of the public certificates and AES256 algorithm to encrypt and compress one file to an archive in the folder. This test will use the *DB with email and common name for the selection of the certificates.

PKZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC02.zip') FILES('PKW81051s/$CONTACT') ADVCRYPT(AES256) TYPARCHFL(*IFS) TYPFL2ZP(*DB) ENTPREC((*DB 'EM=PKTESTDB3@nowhere.com') (*DB 'CN=PKWARE Test4'))

Scanning files in *DB for match ... Total Recipients processed 2 Archive Recipient List: CN=PKWARE Test4 EMail=PKTESTDB4@nowhere.com CN=PKWARE Test3 EMail=PKTESTDB3@nowhere.com

94

Found 1 matching files Compressing PKW81051S/$CONTACT($CONTACT) in TEXT mode Updating:PKW81051.S/$CONTACT/$CONTACT Deflating (80%) encrypt(BSAFE AES 2 56Key) SecureZIP Compressed 1 files in Archive /myroot/pkware/CStore/Testzips/TestC0 2.zip SecureZIP Completed Successfully

Step 7: View Details of Archive By performing a PKUNZIP with TYPE(*VIEW) VIEWOPT(*ALL), you will see the recipients, and the number of recipients, that can be found in the certificate database. It will also list each recipient and show each common name and email address.

Archive: /myroot/pkware/CStore/Testzips/TestC01.zip 2259 bytes 1 file Archive Comment:"PKZIP for iSeries by PKWARE" Filename: PKW81051.S/$CONTACT/$CONTACT Detected File type: Text Encrypt=Strong Encrypted Created by: PKZIP for iSeries(tm) 8.1 Minimum to Extract: PKZIP 5.1 Or Greater Compression method: Deflated [Fast] Date and Time 2004 Jul 23 10:10:56 Compressed size: 1702 bytes Uncompressed size: 5451 bytes 32-bit CRC value (hex): f091572d Extended attributes: yes, [Length = 218] Strong Encryption AES 256 Key (BSAFE). Algorithm Key 256, Security type Certificate Key Number Certifcate Recipients 2 Recipient List: CN=PKWARE Test4, EM=PKTESTDB4@nowhere.com CN=PKWARE Test3, EM=PKTESTDB3@nowhere.com Record Length: 80 Lib Text Desc: SecureZIP for iSeries(tm) Lib-V8.1.0B File Text Desc: SecureZIP for iSeries(tm) Contact Information Mbr Text Desc: SecureZIP for iSeries(tm) Contact Information Source or Data: PF-DTA File Comment:"none" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Found 1 file, 5451 bytes uncompressed, 1702 bytes compressed: 69% SecureUnZip extracted 0 files SecureUnZip Completed Successfully 1

Step 8: Decrypting File with Private Key Certificates In order to decrypt the file you will need to provide at least one valid private certificate with the password that matches a recipient on the archive.

PKUNZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC01.zip') TYPE(*TEST) TYPARCHFL(*IFS) ENTPREC((*DB 'CN=PKWARE Test4' ('PKWARE')))

OR

ENTPREC((*MBRSET 'pktestdb3.crt' ('PKWARE'))) ENTPREC((*FILE '/myroot/pkware/CStore/Public/pktestdb4.crt' ('PKWARE'))) ENTPREC((*DB 'EM=PKTESTDB4@nowhere.com' ('PKWARE'))) ENTPREC((*INLIST

95

'/myroot/pkware/CStore/InList/tstpriv_mb3.inlist'))

Step 9: Using Input List File for ENTPREC Certificate List The encryption recipients parameter can read a file with a recipient list. This is activated by using the *INLIST followed by the file to use for the recipients list.

path/filename

Enter the file path and name of the file to read. The layout depends on which file system you want to read the file from.

Library File System: The format is "library/file(member)".

Integrated File System (IFS): The format is "path1/path2/../pathn/filename".

Usage Notes:

• For an Inlist that contains a password to open a private certificate, make sure that the security is sufficient to only allow the owner of the certificate to have read access. Otherwise this would leave a security hole where others could browse the password.

• The path/filename depends on the settings of the TYPLISTFL (*DB or *IFS) parameter.

• For more information on using list files see “Using List Files as Input” in Appendix E.

Each entry on a list file should begin with “{RECEPIENT=” and end with the character “}”. Each entry is separated by the “;” (semi-colon). The information for each recipient is the same as described in the ENTPREC parameter, except *INLIST is invalid for lookup type. If an entry is not required such as password just enter the separator.

Format: {RECEPIENT=Lookup Type;Recipient;Password;Required}

*...+....1....+....2....+....3....+....4....+....5....+....6.. {RECEPIENT=db;EM=robb.roy@pkware.com;;RQD} {RECEPIENT=file;/pkzshare/CStores/Public/suesmith04.cer;;OPT} {RECEPIENT=LDAP;EM=kevin.Goodguy@pkware.com;;OPT} {RECEPIENT=LDAP;EM=troy.theman@pkware.com;;OPT} ****** END OF DATA ******

The ENTPREC parameter would look like the following to process the ENTPREC Inlist:

ENTPREC( (*INLIST 'ATEST/INLIST(techsup1)' *N))

Test Inlist tstpriv_mb3.inlist:

....+....1....+....2....+....3....+....4....+....5.. ************Beginning of data************** {AUTHCHK=ARCHIVE;MBRSET;pktestdb3.pfx;PKWARE;RQD} ************End of Data********************

96

Test inlist tstpriv_db4.inlist:

....+....1....+....2....+....3....+....4....+....5. ************Beginning of data************** {RECIPIENT=DB;EM=PKTESTDB4@nowhere.com;PKWARE;RQD} ************End of Data********************

An example to decrypt a file that was encrypted with pktestdb3 public certificate.

PKUNZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC02.zip') TYPE(*TEST) TYPARCHFL(*IFS) TYPLISTFL(*IFS) ENTPREC((*inlist '/myroot/pkware/CStore/InList/tstpriv_mb3.inlist'))

Digital Certificate Request List:Encryption Recipients Rqrd *MbrSet - pktestdb3.p12 Encryption Recipients List-----------1 processed: UNZIP Archive: /myroot/pkware/CStore/Testzips/TestC01.zip Searching Archive /myroot/pkware/CStore/Testzips/TestC01.zip for files to extract Testing: WSS810S/$CONTACT/$CONTACT WSS810S/$CONTACT/$CONTACT tested OK No errors detected in compressed data of /myroot/pkware/CStore/Testzips/TestC01.zip. SecureUNZIP Completed Successfully

Step 10: Sign Files and Archive with Private Keys Create an archive and sign the files in the archive by two signers and then sign the archive directory. Note that signing requires the private key.

PKZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC03.zip') FILES('PKW81051s/$CONTACT') ADVCRYPT(AES256) TYPARCHFL(*IFS) TYPFL2ZP(*DB) ENTPREC((*DB 'EM=PKTESTDB3@nowhere.com') (*DB 'CN=PKWARE Test4')) SIGNERS((*FILE *MBRSET 'pktestdb3.p12' (PKWARE) ) (*ALL *MBRSET 'pktestdb4.p12' (PKWARE)) )

Scanning files in *DB for match ... 2 Encryption Recipients processed Encryption Recipients List: --CN=PKWARE Test3 EMail=PKTESTDB3@nowhere.com --CN=PKWARE Test4 EMail=PKTESTDB4@nowhere.com 2 File Signers processed File Signers List: --CN=PKWARE Test4 EMail=PKTESTDB4@nowhere.com --CN=PKWARE Test3 EMail=PKTESTDB3@nowhere.com 1 Archive Signer processed Archive Signer List: --CN=PKWARE Test4 EMail=PKTESTDB4@nowhere.com Found 1 matching files Compressing PKW810XXS/$CONTACT($CONTACT) in TEXT mode Add PKW810XX.S/$CONTACT/$CONTACT -- Deflating (80%) encrypt(BSAFE AES 256Key) SecureZIP Compressed 1 files in Archive /myroot/pkware/CStore/Testzips/TestC03.zip SecureZIP Completed Successfully

97

Step 11: Authenticate Signed Files and Archive When doing a basic view of the newly signed archive, notice that only the archive directory signatures are validated. To validate the signature of the files would require a TYPE(*TEST).

PKUNZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC03.zip') TYPE(*VIEW) TYPARCHFL(*IFS) TYPFL2ZP(*DB) AUTHCHK((*ARCHIVE *MBRSET 'pktestdb4.crt')) AUTHPOL(*WARN (*ALL))

1 Archive Signer processed Archive: /myroot/pkware/CStore/Testzips/TestC03.zip 7053 bytes 1 file Length Method Size Ratio Date Time CRC-32 Name -------- ------ ------- ----- ---- ---- ------ ---- 5451 Defl:F 1702 69% 01-11-05 13:34 f091572d !PKW810XX.S/$CONTACT/$CONTACT -------- ------- ---- ------- 5451 1702 69% 1 file Archive has been Digitally Signed. Archive was signed by "PKWARE Test4" and verified SecureUNZIP extracted 0 files SecureUNZIP Completed Successfully

PKUNZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC03.zip') TYPE(*VIEW) TYPARCHFL(*IFS) TYPFL2ZP(*DB) VIEWOPT(*ALL) AUTHPOL(*WARN *ARCHIVE (*SYSTEM))

Archive: /myroot/pkware/CStore/Testzips/TestC03.zip 6993 bytes 1 file Filename: PKW810XX.S/$CONTACT/$CONTACT Detected File type: Text Encrypt=Strong Encrypted Created by: PKZIP for iSeries(tm) 8.1 Zip Spec to Extract: 6.1 Or Greater Compression method: Deflated [Fast] Date and Time 2005 Jan 11 16:05:36 Compressed size: 1702 bytes Uncompressed size: 5451 bytes 32-bit CRC value (hex): f091572d Extended attributes: yes, [Length = 4598] Strong Encryption AES 256 Key (BSAFE). Algorithm Key 256, Security type Certificate Key Number Certifcate Recipients 2 Recipient List: CN=PKWARE Test3, EM=PKTESTDB3@nowhere.com CN=PKWARE Test4, EM=PKTESTDB4@nowhere.com Record Length: 80 Lib Text Desc: SecureZip for iSeries(tm) Lib-V8.1.0B File Text Desc: SecureZip for iSeries(tm) Contact Information Mbr Text Desc: SecureZip for iSeries(tm) Contact Information Source or Data: PF-DTA A subfield with ID 0x0014 (Certificate Store) and 3369 data bytes A subfield with ID 0x0016 (Archive Signature) and 245 data bytes File Signature: CN=PKWARE Test4; EM=PKTESTDB4@nowhere.com; S/N=04 File Signature: CN=PKWARE Test3; EM=PKTESTDB3@nowhere.com; S/N=03 File Comment:"none" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Found 1 file, 5451 bytes uncompressed, 1702 bytes compressed: 69% Archive has been Digitally Signed. Archive was signed by "PKWARE Test4" and verified SecureUNZIP extracted 0 files SecureUNZIP Completed Successfully

98

Do a VIEWOPT(*SECURE) and you will notice that the internal archive store is displayed (see certificate listing). This store contains all public certificates of the signatories including the full chain of each signatory.

PKUNZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC03.zip') TYPE(*VIEW) TYPARCHFL(*IFS) TYPFL2ZP(*DB) VIEWOPT(*SECURE) AUTHPOL(*WARN (*ALL))

Archive: /myroot/pkware/CStore/Testzips/TestC03.zip 6993 bytes 1 file Length Method Size Ratio Date Time CRC-32 Name -------- ------ ------- ----- ---- ---- ------ ---- 5451 Defl:F 1702 69% 01-11-05 16:05 AES256 !PKW810XX.S/$CONTACT/$CONTACT -------- ------- ---- ------- 5451 1702 69% 1 file Archive: /myroot/pkware/CStore/Testzips/TestC03.zip 6993 bytes 1 file Certificate Listing: #1:CN=PKWARE Test3; EM=PKTESTDB3@nowhere.com; #2:CN=PKWARE Test4; EM=PKTESTDB4@nowhere.com; #3:CN=PKTESTDB Root; EM=PKTESTDBRoot@nowhere.com; #4:CN=PKWARE Test Intermediate Cert; EM=PKTESTDBIC@nowhere.com; Archive has been Digitally Signed. Archive was signed by "PKWARE Test4" and verified SecureUNZIP extracted 0 files SecureUNZIP Completed Successfully

When the files in the archive are tested or extracted, the archive signature is validated first and then, after each file has been tested, the file’s signatures are tested. If no AUTHCHK parameter is entered, all signatures are validated.

PKUNZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC03.zip') TYPE(*TEST) TYPARCHFL(*IFS) TYPFL2ZP(*DB) ENTPREC((*DB 'CN=PKWARE Test3' 'PKWARE'))

1 Encryption Recipients processed UNZIP Archive: /myroot/pkware/CStore/Testzips/TestC03.zip Searching Archive /myroot/pkware/CStore/Testzips/TestC03.zip for files to extract Archive was signed by "PKWARE Test4" and verified Testing: PKW810XX.S/$CONTACT/$CONTACT File was signed by "PKWARE Test4" and verified File was signed by "PKWARE Test3" and verified PKW810XX.S/$CONTACT/$CONTACT tested OK No errors detected in compressed data of /myroot/pkware/CStore/Testzips/TestC03.zip. SecureUNZIP Completed Successfully

99

Step 12: Sign Files and Archive with PK Test 9 Certificate Try signing an archive with the PKWARE test 9 certificate, which does not have an intermediate certificate in the CA store. The attempt will fail because of the trust settings.

PKZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC04.zip') FILES('PKW81051s/$CONTACT') TYPARCHFL(*IFS) TYPFL2ZP(*DB) SIGNERS((*archive *MBRSET 'pktestdb9.pfx' (PKWARE) ) )

Scanning files in *DB for match ... Required Signer or Authenticator failed selection process Digital Certificate Request List:Archive Signer Rqrd *MbrSet Not Usable - pktestdb9.pfx Required Recipient<pktestdb9.pfx> Failed Archive Signer List-----------0 processed: CN=PKWARE Test9 EMail=PKTESTDB9@nowhere.com --Certificate Invalid:Certificate is Not Trusted; SecureZIP Compressed 0 files in Archive /myroot/pkware/CStore/Testzips/TestC04.zip SecureZIP Completed with Errors Press ENTER to end terminal session.

Step 13: Add CA to Make the Trust Valid and Then Sign Archive. If we now add the intermediate certificate that “PKWARE test 9” certificate uses, the PKZIP command will sign the archive.

Add new CA certificate to the CA store:

PKSTORADM RUNTYPE(*IMPORT) FTYPE(*CER) STYPE(*CA) FNAME('/myroot/pkware/CStore/Testzips/pktica_ca.crt')

ZPCA000I SUCCESS: Added certificate to store '/myroot/pkware/CStore/CA/pk wareCA.store'. DSN=/myroot/pkware/CStore/Testzips/pktica_ca.crt;CER=1;FN=P KWARE Test Intermediate Cert A;TP=C405A5BC36942149D5C212CB6C213C4F1FE893E6;SN =02;E=PKTESTDBICA@nowhere.com;CA ZPCA000I SUCCESS: Saved certificate store '/myroot/pkware/CStore/CA/pkwar eCA.store' to disk. ZPCA000I Added 1 of a possible 1 certificates to the CA store. ZPCA000I 1 certificates in the CA store before the Add command. ZPCA000I 2 certificates in the CA store after the Add command. PKSTORADM Store Admin ending------0 Press ENTER to end terminal session.

100

Run PKZIP to sign the archive with PK test certificate 9.

PKZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC04.zip') FILES('PKW81051s/$CONTACT') TYPARCHFL(*IFS) TYPFL2ZP(*DB) SIGNERS((*archive *MBRSET 'pktestdb9.pfx' (PKWARE) ) )

Scanning files in *DB for match ... Digital Certificate Request List:Archive Signer Rqrd *MbrSet - pktestdb9.pfx Archive Signer List-----------1 processed: CN=PKWARE Test9 EMail=PKTESTDB9@nowhere.com Found 1 matching files Compressing PKW810XXS/$CONTACT($CONTACT) in TEXT mode Add PKW810XX.S/$CONTACT/$CONTACT -- Deflating (80%) SecureZIP Compressed 1 files in Archive /myroot/pkware/CStore/Testzips/Te stC04.zip SecureZIP Completed Successfully Press ENTER to end terminal session.

Run PKUNZIP to test the authentication for a specific authenticator.

PKUNZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC04.zip') TYPARCHFL(*IFS) TYPFL2ZP(*DB) AUTHCHK((*ALL *MBRSET 'pktestdb9.pfx' (PKWARE) ))

Digital Certificate Request List:File Signers Rqrd *MbrSet - pktestdb9.pfx File Signers List-----------1 processed: Digital Certificate Request List:Archive Signer Rqrd *MbrSet - pktestdb9.pfx Archive Signer List-----------1 processed: Archive: /myroot/pkware/CStore/Testzips/TestC04.zip 4769 bytes 1 file Length Method Size Ratio Date Time CRC-32 Name -------- ------ ------- ----- ---- ---- ------ ---- 5451 Defl:F 1069 80% 03-08-05 07:38 f091572d PKW810XX.S/$CONTACT/$C ONTACT -------- ------- ---- ------- 5451 1069 80% 1 file Archive has been Digitally Signed. Archive was signed by "PKWARE Test9;" and verified SecureUNZIP extracted 0 files SecureUNZIP Completed Successfully

Step 14: Revoke PK Test 9 Certificate and Confirm Revocation Now apply the certificate revocation list to revoke the PKWARE test 9 certificate.

PKSTORADM RUNTYPE(*IMPORT) FTYPE(*CRL) STYPE(*CRL) FNAME('/myroot/pkware/CStore/Testzips/crl1.crl')

101

PKSTORADM SecureZIP CA Store Administration starting------2005/03/08 15:20:38 ZPCA000I SUCCESS: Added certificate '/myroot/pkware/CStore/Testzips/crl1. crl' to store '/myroot/pkware/CStore/CRL/pkwareCRL.store'. ZPCA000I SUCCESS: Saved certificate store '/myroot/pkware/CStore/CRL/pkwa reCRL.store' to disk. ZPCA000I Added 1 out of 1 certificates to the CRL store. ZPCA000I 0 entries in the CRL store before the Add command. ZPCA000I 1 entries in the CRL store after the Add command. PKSTORADM Store Admin ending------0 Press ENTER to end terminal session.

Run PKZIP to test the authentication and signing. The attempt will fail since the signing certificate was revoked.

PKZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC04.zip') FILES('PKW81051s/$CONTACT') TYPARCHFL(*IFS) TYPFL2ZP(*DB) SIGNERS((*archive *MBRSET 'pktestdb9.pfx' (PKWARE) ) )

Scanning files in *DB for match ... Required Signer or Authenticator failed selection process Digital Certificate Request List:Archive Signer Rqrd *MbrSet Not Usable - pktestdb9.pfx Required Recipient<pktestdb9.pfx> Failed Archive Signer List-----------0 processed: CN=PKWARE Test9 EMail=PKTESTDB9@nowhere.com --Certificate Invalid:Certificate has been Revoked; Input Archive was found to be Digitally Signed. Archive Authentication check unsuccessful Archive was Signed by "PKWARE Test9;" but NOT verified. --Contents have not been altered --Certificate Invalid:Certificate has been Revoked; Run being terminated for Authentication failure SecureZIP Compressed 0 files in Archive /myroot/pkware/CStore/Testzips/Te stC04.zip SecureZIP Completed with Errorsy

Run PKUNZIP to test the authentication. The test will fail since the signing certificate was revoked. If we did not have the AUTHPOL (*SYSTEM *ALL), you would only see that archive was signed. The AUTHPOL is what activates the authentication

PKUNZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC04.zip') TYPARCHFL(*IFS) TYPFL2ZP(*DB) AUTHCHK((*ALL *MBRSET 'pktestdb9.pfx' (PKWARE) )) AUTHPOL(*SYSTEM *ALL (*NOTREVOKED))

Digital Certificate Request List:File Signers Rqrd *MbrSet - pktestdb9.pfx File Signers List-----------1 processed: Digital Certificate Request List:Archive Signer Rqrd *MbrSet - pktestdb9.pfx Archive Signer List-----------1 processed: Archive: /myroot/pkware/CStore/Testzips/TestC04.zip 4769 bytes 1 file Length Method Size Ratio Date Time CRC-32 Name -------- ------ ------- ----- ---- ---- ------ ---- 5451 Defl:F 1069 80% 03-08-05 07:38 f091572d PKW810XX.S/$CONTACT/$C ONTACT

102

-------- ------- ---- ------- 5451 1069 80% 1 file Archive has been Digitally Signed. Archive Authentication check unsuccessful Archive was Signed by "PKWARE Test9;" but NOT verified. --Contents have not been altered --Certificate Invalid:Certificate has been Revoked; SecureUNZIP extracted 0 files SecureUNZIP Completed with Errors

Run PKUNZIP to test the authentication with a revoked signer but using AUTHPOL to ignore the revoked status of the signer.

PKUNZIP ARCHIVE('/myroot/pkware/CStore/Testzips/TestC04.zip') TYPARCHFL(*IFS) TYPFL2ZP(*DB) AUTHPOL(*SYSTEM *ALL (*NOTREVOKED))

Archive: /myroot/pkware/CStore/Testzips/TestC04.zip 4769 bytes 1 file Length Method Size Ratio Date Time CRC-32 Name -------- ------ ------- ----- ---- ---- ------ ---- 5451 Defl:F 1069 80% 03-08-05 07:38 f091572d PKW810XX.S/$CONTACT/$C ONTACT -------- ------- ---- ------- 5451 1069 80% 1 file Archive has been Digitally Signed. Archive was signed by "PKWARE Test9;" and verified SecureUNZIP extracted 0 files SecureUNZIP Completed Successfully

Filename Encryption

How SecureZIP Encrypts File Names SecureZIP for iSeries encrypts file names using your current settings for (strong) encryption method and algorithm. File names can be encrypted using either strong password encryption, a recipient list, or both. You must use one of the strong encryption methods. You cannot encrypt file names using traditional ADVCRYPT(ZIPSTD), which uses a 96-bit key.

Note: Encrypting names of files and folders in an archive encrypts and hides a good deal of other internal information about the archive as well. To encrypt file names, SecureZIP for iSeries encrypts the archive's central directory, where virtually all such metadata about the archive is stored.

Be aware, however, that archive comments are not encrypted even when you encrypt file names. Do not put sensitive information in an archive comment.

When SecureZIP Encrypts File Names With archives that do not already contain encrypted file names:

SecureZIP for iSeries encrypts file names whenever you update an archive requesting FNE(*YES): including Add, Freshen, Update, Delete and Copy.

103

SecureZIP for iSeries encrypts file names only when you provide encryption parameters such as PASSWORD and/or ENTPREC for recipients and set parameter FNE(*YES).

Encrypting File Names When You Update an Archive If you turn on the setting to encrypt file names and then update an archive that already contains no encrypted files with unencrypted file names, SecureZIP for iSeries encrypts all the filenames in the archive.

If the archive contains any files whose contents are already encrypted, SecureZIP for iSeries will bypass an attempt to add filename encryption.

If you update an archive that already contains files with encrypted file names, SecureZIP for iSeries uses the current ADVCRYPT setting to determine whether filenames should be encrypted in the output archive.

If FNE(*YES) is enabled when updating an archive already containing filename encryption, SecureZIP for iSeries encrypts the new archive directory using the same password or recipient list originally used to encrypt file names in the archive. Newly supplied values for PASSWORD or RECIPIENT are discarded. However, if a PASSWORD is used to access the input archive for the update process to begin, it must match the original password used to create the encrypted archive directory.

Note:

Once file names in an archive are encrypted, you cannot change the password or recipient list used.

You cannot change the encryption method on files that are already in an archive that contains encrypted file names.

Filename encryption is not compatible with GZIP and will not be used if requested.

Opening and Viewing an Archive that Has Encrypted File Names An archive that contains encrypted file names requires SecureZIP for iSeries 8.0 or later to open it. To view the filename encrypted archive encryption detail and not the archive's content, use TYPE(*VIEW) VIEWOPT(*FNEALL).

The version number is not a version of the SecureZIP for iSeries program but rather a version of the ZIP file format. Version 8.0 of the program uses features of the 6.20 ZIP file format specification (ZipSpec) that are not available in earlier versions. All preceding versions of the program used earlier versions of the ZipSpec.

When opening an archive, SecureZIP for iSeries automatically decrypts file names for anyone on a recipient list for the encrypted file names, (or the correct password if PASSWORD was specified when the archive was updated with ADVCRYPT).

If file names are encrypted using a password (with or without a recipient list), SecureZIP for iSeries requires the correct password when anyone who is not on the recipient list tries to open the archive. If the correct password is not entered, PKZIP does not open the archive.

104

Security Examples Below are examples of how to invoke SecureZIP for iSeries processing using PKZIP and PKUNZIP commands with sample output listings.

SecureZIP using Recipients or Combo When protection modes of "Recipient" or "Combo" are selected, recipients can be designated such that a password is not required to extract the data.

If a password is entered, the lines will be concatenated to create a single password string of up to 200 characters and each line must begin and end with a non-blank.

Each recipient is represented by a public-key x.509 digital certificate. The public-key certificates can be stored and accessed in one or more of the following locations:

• Individual data sets in an IFS path

• The local certificate store database as described by DB profile

• One or more network LDAP servers as described by LDAP Profile

Recipient designations:

1. ENTPREC( (*LDAP;CN=Joe Smith))

2. ENTPREC( (*file;'/PKZIP/CERTSTOR/PRIVATE/MAS2004';’abcdef’; RQD))

3. ENTPREC( (*db;EM=somebody@somewhere.com))

4. A. ENTPREC( (*MBRSET;MAS2004;’abcdef’;RQD))

B. ENTPREC( (*MBRSET;MAS2004;;RQD))

It is important to note the following:

• CN=Joe Smith may return more than one recipient digital certificate. The LDAP entry for Joe Smith may contain multiple certificates, such as one for each year of employment with the company, since certificates are frequently valid for only one year.

• A local IFS path has a certificate loaded into file MAS2004, which may represent a specific person's 2004 certificate. In this case, the RQD indicates that the certificate is required for processing to be performed. In addition, this certificate is a private key certificate, so the export password is necessary for the public key portion to be extracted from it.

• *db;EM= (or CN= for common name) may be used to locate a public key certificate from within the local certificate store database. Private key certificates may also be stored in the database, in which case the correct private key passwords are required to access them.

• *MBRSET demonstrates how to enter only the file name. The path will come from the store defined in the enterprise security configuration file. Since the 4A item has a password entered, the private store will be used. The 4B item contains no password therefore the public store will be used.

105

SecureZIP Encryption Using a Recipients List A. PKZIP ARCHIVE('/pkzshare/aV80Test/test010.zip') FILES('/pkzshare/aV80Test/recp/Test cases.txt') TYPARCHFL(*IFS) TYPFL2ZP(*IFS) STOREPATH(*NO) ADVCRYPT(AES256) PASSWORD(pkware12) VPASSWORD(pkware12) ENTPREC((*DB 'EM=Bill.Somebody@pkware.com' *N *RQD) (*FILE '/pkzshare/CStores/pkware_testcerts/pktestdb3.crt') (*MBRSET 'pktestdb3.crt'))

Notice there were three inputted recipient requests, and there were four recipients used for the archive.

First, the CN=PKWCADMIN was added because the enterprise security settings defined a master recipient that will be added when doing strong encryption.

Second, the EM=Bill.Somebody, found two certificates in the database locator.

Third, since the pktestdb3.crt file was found two times using two different access methods, we only used it once for the process.

Displayed output from example A.

Scanning files in *IFS for match ... Total Recipients processed 4 Archive Recipient List: CN=PKWARE Test3 EMail=PKTESTDB3@nowhere.com CN=PKWCADMIN EMail=none CN=BILL SOMEBODY EMAIL=BILL.SOMEBODY@PKWARE.COM CN=William Somebody EMail=bill.Somebody@pkware.com Found 1 matching files Compressing /pkzshare/aV80Test/recp/Test cases.txt in BINARY mode Add Test cases.txt -- Deflating (81%) encrypt(BSAFE AES 256Key) SecureZIP Compressed 1 files in Archive /pkzshare/aV80Test/test010.zip

Store

B. PKZIP ARCHIVE('/pkzshare/aV80Test/test011.zip') FILES('/pkzshare/aV80Test/recp/Test cases.txt') TYPARCHFL(*IFS) TYPFL2ZP(*IFS) STOREPATH(*NO) ADVCRYPT(AES256) PASSWORD(pkware12) VPASSWORD(pkware12) ENTPREC((*DB 'CN=Bill Somebody' *N *RQD) (*FILE '/pkzshare/CStores/pkware_testcerts/pktestdb3.crt') (*MBRSET 'pktestdb4.crt') )

In this example, notice the request is for CN= and not EM=. This resulted in only one certificate to process from this database request.

Displayed output from example B.

Scanning files in *IFS for match ... Total Recipients processed 4 Archive Recipient List: CN=PKWARE Test2 EMail=PKTESTDB3@nowhere.com CN=PKWARE Test1 EMail=PKTESTDB1@nowhere.com CN=PKWCADMIN EMail=none CN=Bill Somebody EMail=bill.somebody@pkware.com Found 1 matching files Compressing /pkzshare/aV80Test/recp/Test cases.txt in BINARY mode Add Test cases.txt -- Deflating (81%) encrypt(BSAFE AES 256Key) SecureZIP Compressed 1 files in Archive /pkzshare/aV80Test/test011.zip SecureZIP Completed Successfully

106

Store

C. PKZIP ARCHIVE('/pkzshare/aV80Test/test012.zip') FILES('/pkzshare/aV80Test/recp/Test cases.txt') TYPARCHFL(*IFS) TYPFL2ZP(*IFS) TYPLISTFL(*IFS) STOREPATH(*NO) ADVCRYPT(AES256) PASSWORD(pkware12) VPASSWORD(pkware12) ENTPREC((*DB 'CN=Bill Somebody' *N *RQD) (*INLIST '/inlist/tstpubl2.inlist'))

This example used the Inlist option to read in a list of recipients:

INLIST file '/inlist/tstpubl2.inlist': ************Beginning of data************** {RECIPIENT=DB;EM=PKTESTDB3@nowhere.com;;RQD} {RECIPIENT=DB;CN=PKWARE Test4;;OPT} ************End of Data********************

Displayed output from example C.

Scanning files in *IFS for match ... Total Recipients processed 4 Archive Recipient List: CN=PKWCADMIN EMail=none CN=Bill Somebody EMail=bill.Somebody@pkware.com CN=PKWARE Test3 EMail=PKTESTDB3@nowhere.com CN=PKWARE Test4 EMail=PKTESTDB4@nowhere.com Found 1 matching files Compressing /pkzshare/aV80Test/recp/Test cases.txt in BINARY mode Add Test cases.txt -- Deflating (81%) encrypt(BSAFE AES 256Key) SecureZIP Compressed 1 files in Archive /pkzshare/aV80Test/test012.zip SecureZIP Completed Successfully

SecureZIP Encryption using LDAP search for Recipients D. PKZIP ARCHIVE('/pkzshare/aV80Test/test013.zip') FILES('/pkzshare/aV80Test/recp/Test cases.txt') TYPARCHFL(*IFS) TYPFL2ZP(*IFS) TYPLISTFL(*IFS) STOREPATH(*NO) ADVCRYPT(AES256) ENTPREC((*LDAP ‘EM=bill.Somebody@pkware.com' *N *RQD))

Displayed output from example D.

Scanning files in *IFS for match ... Total Recipients processed 2 Archive Recipient List: CN=PKWCADMIN EMail=none CN=William Somebody EMail=bill.Somebody@pkware.com Found 1 matching files Compressing /pkzshare/aV80Test/recp/Test cases.txt in BINARY mode Add Test cases.txt -- Deflating (81%) encrypt(BSAFE AES 256Key) SecureZIP Compressed 1 files in Archive /pkzshare/aV80Test/test013.zip SecureZIP Completed Successfully

UNZIP Compressed File(s) from an Archive File Using Recipients Since we will be extracting/testing files that were encrypted with our public keys, we will need the private key to decrypt the file. Below are several examples with one

107

being correct and the others showing possible errors with bad certificates or wrong password for the private key.

Unzip Output using Recipients To decrypt a file with recipients, a valid password for the certificate is required. Below is a valid test of example A.

A PKUNZIP ARCHIVE('/pkzshare/aV80Test/test010.zip') TYPARCHFL(*IFS) TYPE(*TEST) ENTPREC((*MBRSET 'pktestdb3.p12' 'PKWARE') )

Displayed output from test of example A.

Total Recipients processed 1 UNZIP Archive: /pkzshare/aV80Test/test010.zip Searching Archive /pkzshare/aV80Test/test010.zip for files to extract Testing: Test cases.txt Test cases.txt tested OK No errors detected in compressed data of /pkzshare/aV80Test/test010.zip. SecureUNZIP Completed Successfully

B PKUNZIP ARCHIVE('/pkzshare/aV80Test/test010.zip') TYPARCHFL(*IFS) TYPE(*TEST) ENTPREC((*MBRSET 'pktestdb3.cer'))

Displayed output from test of example B.

Required Recipient failed selection process <pktestdb3.cer> Recipient Requires Password for Private Key Required Recipient<pktestdb3.cer> Failed

C PKUNZIP ARCHIVE('/pkzshare/aV80Test/test010.zip') TYPARCHFL(*IFS) TYPE(*TEST) ENTPREC((*MBRSET 'pktestdb1.p12' 'PKWAREXX'))

Displayed output from test example C with a bad password for the private key.

Required Recipient failed selection process Inputted Recipient Listing Rqrd *MbrSet Cert Open Failure pktestdb3.p12 Required Recipient<pktestdb3.p12> Failed

View the Contents of an Archive File When a file has been encrypted, one of the following indicators describing the strength of encryption is displayed before the file name.

A PKUNZIP ARCHIVE('/pkzshare/aV80Test/test013.zip') TYPARCHFL(*IFS) TYPE(*view)

Displayed output from example A.

Archive: /pkzshare/aV80Test/test010.zip 2024 bytes 1 file Length Method Size Ratio Date Time CRC-32 Name -------- ------ ------- ----- ---- ---- ------ ----

108

4234 Defl:F 1722 59% 03-23-04 14:04 11cc5542 !Test cases.txt -------- ------- ---- ------- 4234 1722 59% 1 file

Notice the “!” in front of the file in archive name. This indicates that this file is encrypted with strong encryption. A “+” would indicate that only 96-bit encryption was used.

View Detail Display The view detail option not only shows the encryption algorithm used to encrypt but will also display any certificate information that is available.

B PKUNZIP ARCHIVE('/pkzshare/aV80Test/test010.zip') TYPARCHFL(*IFS) TYPE(*view) VIEWOPT(*ALL)

Displayed output from example B.

Archive: /pkzshare/aV80Test/test010.zip 2024 bytes 1 file Filename: Test cases.txt Detected File type: Binary Encrypt=Strong Encrypted Created by: PKZIP for iSeries(tm) 8.1 Zip Spec to Extract: 6.1 Or Greater Compression method: Deflated [Fast] Date and Time 2004 Mar 23 14:04:06 Compressed size: 1722 bytes Uncompressed size: 4234 bytes 32-bit CRC value (hex): 11cc5542 Unix file attributes (100777 octal): -rwxrwxrwx MS-DOS file attributes (00 hex): none Extended attributes: yes, [Length = 138] Strong Encryption AES 256 Key (BSAFE). Algorithm Key 256, Security type Password and Certificate Key Number Certifcate Recipients 4 Recipient List: CN=PKWARE Test3, EM=PKTESTDB3@nowhere.com CN=PKWCADMIN, EM=(none) CN=Bill Somebody, EM=bill.Somebody@pkware.com CN=William Somebody, EM=bill.Somebody@pkware.com IFS: Creation Time Wed Mar 24 17:23:44 2004 IFS: Access Time Thu Sep 16 19:41:11 2004 IFS: Modification Time Tue Mar 23 19:04:06 2004 IFS: Code Page 1252 File Comment:"none" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Found 1 file, 4234 bytes uncompressed, 1722 bytes compressed: 59%

C PKUNZIP ARCHIVE('/pkzshare/aV80Test/test013.zip') TYPARCHFL(*IFS) TYPE(*view) VIEWOPT(*ALL)

Displayed output from example C.

Archive: /pkzshare/aV80Test/test013.zip 1660 bytes 1 file Filename: Test cases.txt Detected File type: Binary Encrypt=Strong Encrypted Created by: PKZIP for iSeries(tm) 8.1 Zip Spec to Extract: 6.1 Or Greater Compression method: Deflated [Fast] Date and Time 2004 Mar 23 14:04:06 Compressed size: 1398 bytes Uncompressed size: 4234 bytes 32-bit CRC value (hex): 11cc5542 Unix file attributes (100777 octal): -rwxrwxrwx MS-DOS file attributes (00 hex): none

109

Extended attributes: yes, [Length = 98] Strong Encryption AES 256 Key (BSAFE). Algorithm Key 256, Security type Certificate Key Number Certifcate Recipients 2 Recipient List: CN=PKWCADMIN, EM=(none) CN=William Somebody, EM=bill.Somebody@pkware.com IFS: Creation Time Wed Mar 24 17:23:44 2004 IFS: Access Time Thu Sep 16 20:10:44 2004 IFS: Modification Time Tue Mar 23 19:04:06 2004 IFS: Code Page 1252 File Comment:"none" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Found 1 file, 4234 bytes uncompressed, 1398 bytes compressed: 67% SecureUNZIP extracted 0 files

110

11 PKZIP Command

PKZIP Command Summary with Parameter Keyword Format If the OS/400 command prompt screen is to be used, the command format is simply: PKZIP. There also is a command PKZSPOOL which is the same command as PKZIP, but has the parameter TYPFL2ZP set to *SPL for spool files. The parameters are also re-sequenced to give preference to parameters dealing specifically with spool files.

The command prompt screen is displayed when Enter or PF4 is pressed. The parameter keywords are displayed on this screen, together with the available keyword options. The required options can be selected before PF4 is pressed to accept the selections. If the command and parameter keywords are entered together on the command line the required format is:

PKZIP keyword1(option) keyword2(option) . . . keywordn(option)

Keywords are demarcated by spaces. The keyword “ARCHIVE” is the only positional keyword where the keyword is not required. Whenever the word “path” is used, its meaning depends on the file system that is being used. If IFS is used, path refers to the open system true path type. If the library systems or *DB is used, path means library/file and then the file name refers to the member name.

TYPE( *ADD ) {*UPDATE} {*FRESHEN} {*MOVEA} {*MOVEF} {*MOVEU} {*DELETE}

ADVCRYPT( {ZIPSTD} ) {AES128} {AES192} {AES256} {3DES} {DES} {RC4_128}

ARCHIVE( Archive Zip File name with path )

ARCHTEXT( {*NONE} ) Archive File Text description

111

AUTHCHK( Authenticators ) Authenticate Type {*FILE}

{*ARCHIVE} {*ALL}

Lookup Type {*DB } {*LDAP} {*FILE} {*MBRSET} {*INLIST}

Recipient {Recipient String} Password (if Private) {Certificate password} Required {*RQD }

{*OPT} AUTHPOL ( Authenticate Filters: ) Validate Level { *SYSTEM } {*WARN } {*VALIDATE} Validate Level { *NONE } {*ARCHIVE } Filters {*SYSTEM } {*ALL} {*NONE} {*TAMPER} {*TRUSTED} {*EXPIRED} {*REVOKED} {*NOTAMPER} {*NOTTRUSTED} {*NOTEXPIRED} {*NOTREVOKED} COMPAT( {*NONE} )

{*PK400}

COMPRESS( {*FAST} ) {*MAX} {*STORE} {*TERSE)

CRTLIST( {*NONE} ) path/filename {*SIMULATE}

CVTDATA( External Pgm Conversion Extended Data)

CVTFLAG( {*NONE} ) External Pgm Conversion Flags

CVTTYPE( {*NONE} ) {*DROP} {*SUFFIX}

DATEAB( mmddyyyy )

DATETYPE( {*NO} ) {*BEFORE} {*AFTER}

DBSERVICE( ({*NO} ) {*YES)

DELIM ( ({CRLF} ) {CR } {LF } {LFCR }

112

DFTARCHREC( {132} ) {decimal number}

DIRNAMES( {*YES} ) {*NO}

DIRRECRS( {*NONE} ) {*FULL} {*NAMEONLY}

ENTPREC( Lookup Type; Recipient; Password; Required ) Lookup Type {*DB }

{*LDAP} {*FILE} {*MBRSET} {*INLIST}

Recipient {Recipient String} Password (if Private) {Certificate password} Required {*RQD }

{*OPT} ENCRYPOL ( Encryption Filters: ) Validate Level {*SYSTEM } {*WARN } {*VALIDATE} Filters {*SYSTEM } {*ALL} {*NONE} {*TRUSTED} {*EXPIRED} {*REVOKED} {*NOTTRUSTED} {*NOTEXPIRED} {*NOTREVOKED}

EXCLFILE( {*NONE} ) path/filename

EXCLUDE( file_specification 1, ) file_specification 2, file_specification n

EXTRAFLD( {*YES} ) {*NO} {*CENTRAL} {*LOCAL} {*BOTH same as *YES}

ERROPT( {*END} ) {*SKIP}

FILES( file_specification 1, ) file_specification 2, file_specification n

FILESTEXT( {*NO} ) {*ALL} {*NEW} {*UPDATE}

FILETYPE( {*TEXT} ) {*BINARY} {*EBCDIC} {*FIXTEXT} {*DETECT}

113

FNE( {*YES | *NO} ) {*YES | *NO}

FTRAN( {*INTERNAL} ) Member Name

GZIP( {*YES} ) {*NO}

IFSCDEPAGE( {*NO} ) Code-page

INCLFILE( {*NONE} ) path/filename

MSGTYPE( {*PRINT} ) {*SEND {*BOTH}

PASSWORD( Archive Password )

SELFXTRACT ( {*MAINTAIN} ) {*REMOVE} (WINDOWS} {AIX} {HP_UNIX} {SUN_UNIX} {LINUXINTEL}

SFUSER ( {*CURRENT} ) {user id 1} {user id 2} {user id 5)

SFQUEUE ( {*ALL} ) {Library/OUTQ }

SFFORM ( {*ALL} ) {*STD} {Spool File Form Type }

SFUSRDTA ( {*ALL} ) {Spool File User data}

SFSTATUS ( {*ALL} ) {*READY} (*HELD } {*CLOSED} {*SAVED } {*PENDING} {*DEFERRED}

SFJOBNAM ( {blanks } ) {*} {Job-name//Userr-Name/Job Number}

SFTARGET ( {*SPLF} ) {*TEXT} {*TEXT1} {*TEXT2} {*TEXTFC} {*PDF} {*PDFLETTER} {*PDFLEGAL}

114

SFTGFILE ( {*GEN1} ) {*GEN2} {*GEN1P} {path/filename }

SIGNERS( Signer ) Signing Type {*FILE}

{*ARCHIVE} {*ALL}

Lookup Type {*DB } {*LDAP} {*FILE} {*MBRSET} {*INLIST}

Recipient {Recipient String} Password (if Private) {Certificate password} Required {*RQD }

{*OPT} SIGNPOL ( Signing Filters: ) Validate Level {*SYSTEM } {*WARN } {*VALIDATE} Filters {*SYSTEM } {*ALL} {*NONE} {*TRUSTED} {*EXPIRED} {*REVOKED} {*NOTTRUSTED} {*NOTEXPIRED} {*NOTREVOKED}

STOREPATH( {*NO} ) {*YES}

SPLFILE ( {*ALL} ) {Spool File Name }

SPLNBR ( {*ALL} ) {*LAST} {Spool File Number 1-9999}

STOREPATH( {*NO} ) {*YES}

TMPPATH( {*CURRENT} ) Temporary Path

TRAN( {*INTERNAL} ) Member Name

TYPARCHFL( {*DB} ) {*IFS}

TYPFL2ZP( {*DB} ) {*IFS} {*IFS2} {*DBA} {*SPL}

TYPLISTFL( {*DB} ) {*IFS}

VERBOSE( {*NORMAL} ) {*NONE}

115

{*ALL} {*MAX}

VPASSWORD( Archive Verify Password )

116

PKZIP Command Keyword Details

TYPE

TYPE(ADD|DELETE|EXTRACT|FRESHEN|MOVEA|MOVEF|MOVEU|UPDATE |VIEW)

The TYPE keyword specifies the type of action PKZIP should perform on the ZIP archive.

The possible actions are:

*ADD The *ADD option is the default and adds a selection of files to the archive file. If an archive is already present, it will be written over by the new archive file.

*UPDATE The *UPDATE option updates files which are already in the archive file with a newer version and will also add newly selected files that are not present in the archive file.

*FRESHEN The *FRESHEN option updates ONLY the files which already exist in an archive file. If the date/time of the file is newer than the date/time of the file in the archive, the file will be compressed and replace the one in the archive.

*MOVEA The *MOVEA (Move and Add option) option performs the *ADD option, and upon completion of a successful PKZIP command, the actual file will be deleted.

*MOVEF The *MOVEF (Move and Freshen option) option performs the *FRESHEN option, and upon completion of a successful PKZIP command, the actual file will be deleted.

*MOVEU The *MOVEU (Move and Update option) option performs the *UPDATE option, and upon completion of a successful PKZIP command, the actual file will be deleted.

*DELETE The *DELETE option removes entries from the archive file based upon the selection of FILES and EXCLUDE parameters. The format of the FILES and EXCLUDE parameters should be in the format of the files as seen in the archive.

ADVCRYPT

ADVCRYPT(ZIPSTD|ASE128|AES192|AES256|DES|3DES|RC4_128 PKWARE|BSAFE)

When a ZIP action is requested to save a file in an archive, and a password is provided, SecureZIP for iSeries will use an encryption method to protect the data.

117

This command value specifies which algorithm to employ. There are two modes of encryption: RSA BSAFE and PKWARE. See Chapter 2.

Possible encryptions are:

ZIPSTD This algorithm is the original algorithm used in PKZIP 2.x products and is compatible with other PKZIP 2.04g products that support standard encryption. Unless the installation defaults module has been tailored differently, this is the default value for PKZIP for iSeries if you choose to encrypt a file.

*NONE No Encryption

AES128 Advanced Encryption Standard 128-bit key algorithm, also known as Rijndael.

AES192 Advanced Encryption Standard 192-bit key algorithm, also known as Rijndael.

AES256 Advanced Encryption Standard 256-bit key algorithm, also known as Rijndael. This is the default value for SecureZIP for iSeries.

DES Data Encryption Standard.

3DES Triple Data Encryption Standard.

RC4_128 RC4 is a stream cipher created by RSA.

Usage Notes:

PKUNZIP will detect automatically which encryption method was specified during the ZIP process and operate accordingly.

During a PKZIP (ZIP) run, only one encryption method may be specified, and that method will be used for each file that is operated on.

By executing PKZIP at different times, various files within the archive may be saved with differing levels (and types) of encryption. That is, some files may not be protected at all, while others may have different methods and/or passwords.

A “+” character is shown in a view to indicate standard encryption protection is used for a file.

A “!” character is shown in a View to indicate advanced encryption (AES) protection is used for a file.

ARCHIVE

ARCHIVE(archive ZIP file name with path)

Specifies the path/file name or the library/file name of the SecureZIP for iSeries archive to be processed. If the file exists, PKZIP will overwrite the file, otherwise PKZIP will create the file for you. Depending on which file system you choose, the path or library must exist. This is a required parameter.

The format depends on whether you will be using the archive file in the library file system, or the IFS (Integrated File System).

118

See parameter TYPARCHFL for file system type information.

Library File System Format is library/file(member). If member is omitted, it will be created with the file name. If the file is not found, it will be created with a default length specified in parameter DFTARCHREC (which has a default of 132). If you want to create a file manually to use a larger record length, create it with no members and with the parameter MAXMBRS with *NOMAX, or with a high excepted limit. If the Library is not specified, the file name will be searched using *LIBL. If the file name is not found, the file will be created in the users *CURLIB. If a library is specified and does not exist, PKZIP will create the library.

Integrated File System (IFS) Open system path followed by the archive file name. The path and file name can up to 256 characters and may contain embedded spaces.

ARCHTEXT

ARCHTEXT(*NONE| Archive File Text description)

Specifies text that will be stored in the archive as the archive's file comment.

*NONE No new archive comment will be stored.

*DEFAULT The default PKWARE comment will be stored.

*CLEAR Clear any comment that may be stored in an archive.

Archive File Text description Up to 255 characters that are stored as the archive's file comments.

AUTHCHK

Authenticator Certificates: File/Archive . . . . . . . *FILE *FILE, *ARCHIVE, *ALL LookUp Type . . . . . . . . *DB *DB, *LDAP, *FILE, *MBRSET... Authenticator . . . . . . . ______________________________ Password (If Private) . . . ______________________________ Required . . . . . . . . . . *RQD *RQD, *OPT + for more values _

Or

AUTHCHK((*FILE *MBRSET 'pkwareCertAdmin04.pfx' (password) *RQD)) AUTHCHK((*ALL *FILE '/pkzshare/CStores/public/pkwareCertAdmin04.cer' () *RQD)) AUTHCHK((*ARCHIVE *FILE '/pkzshare/CStores/public/pkwareCertAdmin04.cer' () *RQD)) AUTHCHK((*FILE *DB ‘EM=bill.somebody@pkware.com' () *OPT)) AUTHCHK((*FILE *INLIST 'ATEST/INLIST(ENGNEER1)' *N)

119

This parameter specifies that digital signature authentication processing should be performed for specific signers. Separate authentication processing may be specified for either the archive central directory or files by using multiple commands. Optionally, specific signers may be specified to authenticate against. This parameter is used in conjunction with the AUTHPOL parameters and its settings.

It is possible that more than one certificate may be returned for a single common name or email search. As a result, each one will be added to the list of validating sources.

When no specific certificates are requested, any signatories found in the archive are validated in accordance with the systems or current AUTHPOL Filters policy settings.

There are five options for AUTHCHK.

Authenticator Type File/Archive (*FILE |*ARCHIVE |*ALL)

This designates the type of authentication that is to be performed. Either ARCHIVE, FILE or ALL may be specified on each item, but by using ALL or archive with the *RQD option will result in error since the archive can only have one signatory. If the lookup type is *INLIST, then this option will be ignored and will pickup from the records in the inlist file.

• *FILE – The signed files will be authenticated with this authenticator.

• *ARCHIVE - The archive directory will be authenticated with this authenticator.

• *ALL – Both the signed files and the archive directory will be authenticated with this authenticator.

Lookup Type (*DB |*FILE |*LDAP |*MBRSET |*INLIST)

The lookup type would be the type of authenticator search to be used for the authenticator string to look up the public key.

• *DB - The authenticator string is defined to search using the certificate locator database to access the digital certificate.

• *FILE - The authenticator string is defined to read a specific file in a specific path in the IFS in order to access the digital certificate.

• *LDAP - The recipient string is defined to search using the LDAP server to access the digital certificate.

• *MBRSET - The authenticator string is defined to read this specific file from the enterprise public certificate store to access the digital certificate.

• *INLIST- The authenticator string defines a specific file that will contain one to many AUTHCHK. The TYPLISTFL parameter must specify the file type for the inlist.

Authenticator (The authenticator string name)

The authenticator string format depends on what was specified for the lookup type.

• If lookup type is *DB, the authenticator string will either be an email address or the common name of the certificate. This depends on the configuration setting in PKCFGSEC parameter CERTDB. To override the default selection

120

mode, you can prefix the string with EM= for email, or CN= for the common name.

For example:

AUTHCHK((*FILE *DB ‘bill.somebody@pkware.com' () *RQD) (*ARCHIVE *DB ‘CN=bill somebody' () *RQD) (FILE *DB ‘EM=bill.somebody@pkware.com' (password) *OPT))

• If lookup type is *FILE, the authenticator string is defined to read a specific file in a specific path of the IFS. This file should be a public key X.509 file or public key X.509 certificate with a private key file.

For example:

AUTHCHK((*ARCHIVE *FILE '/pkzshare/CStores/public/pkwareCertAdmin04.cer' () *RQD))

The digital certificate file ‘pkwareCertAdmin04.cer’ will be in the full path '/pkzshare/CStores/public’.

• If type is *LDAP, the authenticator string will either be an email address or the common name of the certificate depending on the search mode configuration setting in PKCFGSEC parameter LDAP. To override the default selection mode, you can prefix the string with EM= for email address, or CN= for the common name.

For example:

AUTHCHK ((*ARCHIVE *LDAP ‘bill.somebody@pkware.com' () *RQD) (*FILE *LDAP ‘CN=bill somebody' () *OPT) (*FILE *LDAP ‘EM=bill.somebody@pkware.com' () *RQD))

• If lookup type is *MBRSET, the authenticator string is defined to read a specific file from the public certificate store and/or the private certificate store of the IFS. This file should be a public key X.509 file or public key X.509 certificate with a private key file.

For example:

AUTHCHK((*ALL *MBRSET 'pkwareCertAdmin04.cer' () *RQD))

The digital certificate file ‘pkwareCertAdmin04.cer’ will be in the full path of the public certificate store defined in the enterprise security configuration public store (parameter CSPUB). If a password is included, the file is searched for in the enterprise security configuration private store (parameter CSPRIV).

• If lookup type is *INLIST, the authenticator string defines a full file name of an input list file that contains records of AUTHCHK shortcut parameters. The type of file will exist in the QSYS library file system if TYPLISTFL(*DB) is set and will be a path file name in the IFS if TYPLISTFL(*IFS) is set. The format of the AUTHCHK shortcut parameters are defined below in the *INLIST usage section.

Password

This designates the password that is required for a private key certificate with a private key (PKCS#12 file). When a value is specified, the target must be an X.509 PKCS#12 public key certificate with the private key.

121

The PASSWORD value may contain blanks and is delimited by the closing right parenthesis ")" of the signing command.

Required (*RQD|*OPT|*SAME)

If *RQD, then this authenticator must be found during the selection, and the certificate must be a valid certificate with a private key, or the ZIP/UNZIP run will fail.

Usage Notes:

Passwords are masked out in all output displays.

A local certificate store configuration is required to complete the TRUST processing of this command.

Processing is terminated if none of the requested certificates can be accessed, regardless of the “R” required flag. If multiple requests are made and at least one signature is found, processing continues normally.

For inlist that contains a password to open a private certificate, make sure that the security is sufficient to only allow the owner of the certificate to have read access. Otherwise this would leave a security hole where other users could browse the password.

*INLIST Usage:

If *INLIST is defined on the AUTHCHK parameter, then the authenticator filed will be a file that SecureZIP will read to include the authenticator. The format is very similar to the AUTHCHK parameter described above except that each line authenticator starts with “{AUTHCHK=” and is terminated by the “}” character, with the semi-colon “;” as a separator for each entry.

{AUTHCHK=Authenticator Type, Lookup Type; Authenticator; Password; Required}

Authenticator Type See Authenticator Type in AUTHCHK

Lookup Type See Lookup Type in AUTHCHK excluding the INLIST

Authenticator See Authenticator in AUTHCHK.

Password See Password in AUTHCHK.

Required See Required in AUTHCHK, but use RDQ for *RQD and OPT for *OPT.

Examples:

Sample 1: tstauth_db1.inlist. {AUTHCHK=FILE;DB;EM=PKTESTDB4@nowhere.com;;RQD}

Sample 2: tstauth_mb2.inlist. {AUTHCHK=ARCHIVE;MBRSET;pktestdb3.pfx;PKWARE;RQD}

122

Sample 3: tstauth_mb3.inlist. {AUTHCHK=ALL;MBRSET;pktestdb3.pfx;PKWARE;RQD}

AUTHPOL

Authenticate Filters: Validate Level . . . . . *SYSTEM *VALIDATE, *WARN, *NONE... Validate Type . . . . . *ARCHIVE *ARCHIVE, *NONE Filters . . . . . . . . . *SYSTEM *SYSTEM, *ALL, *NONE... + for more values

Or

AUTHPOL(*WARN *ARCHIVE (*SYSTEM) ) AUTHPOL(*WARN *FILE (*NOTTRUSTED) ) AUTHPOL(*SYSTEM *ALL (*ALL *NOTEXPIRED) )

This parameter defines the processing options and filters that should apply if a signed file or signed archive is encountered.

Validate Level (*VALIDATE |*WARN |*SYSTEM)

The validate level specifies the type of authentication processing that should take place if a file or archive is encountered. The default is *SYSTEM and, unless it is modified, SecureZIP will use the enterprise setting from PKCFSEC.

• *VALIDATE – Indicates that when authentication takes place and a failure occurs based on the filters, the run will be considered a failure and the message issued at the end will indicate one or more errors during the run.

• *WARN - Indicates that when authentication place and a failure occurs, the failure is only considered a warning. The messages at the end of the run will not consider any failed authentications as errors.

• *SYSTEM – Indicates the authentication processing that is set in the environmental setting will be used.

Validate Type (*ARCHIVE |*NONE)

The validate type specifies that archive authentication should take place if an archive has been signed. The default is *NONE and anything other than *NONE requires the Enhanced Encryption Feature..

• *ARCHIVE - Indicates that only a signed archive will be authenticated.

• *NONE - Indicates no authentication will take place even though a file or archive has been signed.

Filters (*SYSTEM |*ALL |*NONE |*TAMPER |*TRUSTED |*EXPIRED |*REVOKED |*NOTAMPER |*NOTTRUSTED |*NOTEXPIRED |*NOTREVOKED )

The authentication filter policies settings are defined in the enterprise security file supplied by the SecureZIP administrator (See PKCFGSEC). These global policy

123

settings can be revised with sub-parameter values. The variables are cumulative from the global setting.

• *SYSTEM – All filter policies are from the global settings.

• *ALL - This sub-parameter activates all levels of authentication. If followed by negating sub-levels, then all but those negating levels are activated. For example: *ALL NOTEXPIRED means that expired certificates will not cause an authentication error, but TRUST and TAMPERCHECK must both be satisfied.

• *NONE – Will negate all the policies.

• *TAMPER – This sub-parameter signifies that a verification of the data stream should be done against the digital signature.

• *TRUSTED – This sub-parameter signifies that the entire certificate authority chain must be validated. This includes locating the root (self-signed) certificate on the local system.

• *EXPIRED – This sub-parameter signifies that certificate date range validation should be performed on the certificates (including the certificate authority chain). Although the term “expired” is used, a certificate that has not yet reached its valid data range specification will fail.

• *REVOKED - A certificate owner may request that the issuing certificate authority declare a certificate to be revoked and thereby no longer consider that certificate to be valid. The authentication operation will fail if any of the certificates in the trust chain are found to have been revoked, or if the revocation status could not be determined

• *NOTAMPER – Negates the *TAMPER filter.

• *NOTTRUSTED – Negates the *TRUSTED filter.

• *NOTEXPIRED - Negates the *EXPIRED filter.

• *NOTREVOKED – Negates the *REVOKED filter.

COMPAT

COMPAT(*NONE|*PK400)

Specifies that PKZIP will create and store extended data field information in another supported format or previous version. At this time, only “PKZIP Version 4.0 for OS/400” is supported.

The allowable values are:

*NONE The extended data fields will be in SecureZIP for iSeries Versions 5.0 and above formats.

*PK400 The extended data fields will output to the archive in the format used by “PKZIP Version 4.0 for OS/400” product. This option should be used if the archive file will be extracted by “PKZIP Version 4.0 for OS/400” and the attributes are required to create the files. The files can be extracted without this option, but the files may have

124

to be manually created in order to have the proper attributes (such as record length and text descriptions).

COMPRESS

COMPRESS(*FAST|*SUPERFAST|*MAX|*STORE|*TERSE)

Specifies the compression method or level to be used during a run of PKZIP. This is used to specify the amount and speed of compression that is required for any updated files.

The allowable values are:

*FAST This selection provides ample compression at a fast rate.

*SUPERFAST This is the default selection. This will compress in the fastest time, but will compress the files by the least amount.

*MAX This level provides the maximum compression possible, but will also take the longest in time to process.

*NORMAL The normal compression level provides good compression amount at a reasonable speed.

*STORE No compression. Store will also be used if the other methods tried result in a file larger than the original.

*TERSE This selection provides a terse compression algorithm provided with the iSeries by IBM as an API. This is much faster but is less efficient than FASTEST, and can only be decompressed on the iSeries. Do not use this option if you wish to unzip the archive on another platform.

CRTLIST

CRTLIST(*NONE| path/filename | *SIMULATE)

Specifies that PKZIP will create an output file with a list of entries that would have been compressed based upon the selection criteria in the FILES and EXCLUDE parameters.

See parameter TYPLISTFL for file system type.

*NONE Default. No list file will be created.

path/filename Enter the file path and name of the file to create. The layout depends on which file system you want to create the file in.

Library File System: The format is "library/file(member)".

Integrated File System (IFS): The format is "path1/path2/../pathn/filename".

125

*SIMULATE Will simulate the file selection and show the selection as a printed or message list instead of writing to a list file.

CVTDATA

CVTDATA(External Program Conversion Extended Data)

Specifies the extended data that is passed to the external program CVTNAME. When CVTFLAG is not *NONE, the contents of the parameter are passed to provide extended flexibility in controlling how the iSeries names are stored in the archive. See Appendix D for more details on the external program.

External Program Conversion Extended Data Specify up to 255 bytes of unedited data which is passed to the exit program CVTNAME to assist in controlling the program logic.

CVTFLAG

CVTFLAG(*NONE| Conversion Flags)

Specifies the flags passed to the external program CVTNAME. These are used to control how the iSeries names are stored in the archive. See Appendix D for more details on the external program.

*NONE Conversion exit is not active.

Conversion Flags Specify a five-byte flag that is passed to the exit program CVTNAME to control the program logic. If the name passed back is blank, then conversion is referred back to the setting of the CVTTYPE parameter.

CVTTYPE

CVTTYPE(*NONE|*DROP|*SUFFIX)

Specifies how the iSeries library and file names are stored in the archive. Since the length of the library name, file name, and member name can each be up to 10 characters, and MS/DOS format requires a maximum of 8 characters with an optional extension, this option allows name compatibility.

The allowable values are:

*SUFFIX This forces any iSeries name with more than 8 characters to create a name of 8 characters and a period(.), followed by characters 9 and 10 to be considered an extension to suffix.

*NONE This leaves the iSeries name as the archive name.

*DROP This forces any iSeries name with more than 8 characters, to drop characters 9 thru 19.

126

DATEAB

DATEAB(mmddyyyy)

Used with DATETYPE parameter, DATEAB specifies the date to be used to compare with the files latest modification date for file selection. The format is mmddyyyy, where “mm” is a valid month (01-12), “dd” is valid day of the month, and “yyyy” is the four digits of the year (2001).

DATETYPE

DATETYPE(*NO|*BEFORE|*AFTER)

Specifies if PKZIP should select files based upon a file modification date.

The allowable values are:

*NO No date selection will take place.

*BEFORE Files with a modification date before the date in DATETYPE will be selected.

*AFTER Files with a modification date on or after the date in DATETYPE will be selected.

DBSERVICE

DBSERVICE (*NO|*YES)

Specifies if the iSeries special database extended file attributes describing the database file, fields and keys are to be store in the archives. This will force the option EXTRAFLD(*YES). The database will also be stored in binary mode. This mode can produce larger archive files.

The allowable values are:

*NO Does not store database extended services attributes.

*YES Stores the database extended service attributes in the archive file and treat non-SAVF as a database.

DFTARCHREC

DFTARCHREC(132|Record Length)

Specifies the record length to use when creating an archive file in the QSYS library system. If the TYPARCHFL parameter is *DB, and the archive file does not exist, the archive file will be created with the record length specified in this parameter.

Note: A large record length will leave a high residual number if only one byte is use in the last record.

The allowable values are:

127

132 Default is record length of 132 to match previous versions.

Record Length A decimal number from 50 to 32000.

DELIM

DELIM(CRLF |CR |LF |LFCR)

When compressing a text file (not binary), the DELIM parameter specifies what characters are to be appended at the end of records to serve as delimiters. The delimiter is removed from the record when it is decompressed.

The allowable values are:

CRLF This is the default selection. Specifies for SecureZIP for iSeries to use the default delimiter CR-LF (x’0D0A’) at the end of each text record.

CR Appends an ASCII carriage return (hex 0D).

LF Appends an ASCII line feed character (hex 0A).

LFCR Appends an ASCII line feed character (hex 0A0D).

Note that transfers of MS-DOS records uses a CRLF for a delimiter, while UNIX records use a LF.

DIRNAMES

DIRNAMES(*YES|*NO)

Specifies to store directories as an entry. This is valid only for files in IFS.

*YES Store the directories as entries in the archive.

*NO Do not store directories as an archive entry.

DIRRECRS

DIRRECRS(*NONE|*FULL|*NAMEONLY)

IFS only. Specifies whether to search recursively through directories for file selection, or only search the current, specified directory.

The allowable values are:

*NONE Search only the current, specified directory.

*FULL Search through all directories by starting with the current, specified directory for selected files. If *FULL is used, and * is for file selections, all files found in all directories below the current directory will be selected.

128

*NAMEONLY To be considered a hit, the full path and file name must match the selection statements exactly.

ENTPREC

Encryption Recipients : LookUp Type . . . . . . . . *DB *DB, *LDAP, *FILE... Recipient . . . . . . . . . ______________________________________ Password (If Private) . . . ______________________________________ Required . . . . . . . . . . *RQD *RQD, *OPT + for more values _

Or

ENTPREC((*MBRSET 'pkwareCertAdmin04.cer' () *RQD)) ENTPREC((*FILE '/pkzshare/CStores/public/pkwareCertAdmin04.cer' () *RQD)) ENTPREC((*FILE '/pkzshare/CStores/public/pkwareCertAdmin04.pfx' (‘mypassword’) *RQD)) ENTPREC((*DB ‘EM=bill.Somebody@pkware.com' () *RQD)) ENTPREC((*LDAP ‘EM=bill.Somebody@pkware.com' () *RQD)) ENTPREC((*INLIST 'ATEST/INLIST(ENGNEER1)' *N)

The encryption/decryption recipient parameter defines one to many Recipients which is to be included for the ZIP and UNZIP process. This parameter allows 1-4 types of certificate searches to take place along with providing the ability for an include file that may contain the recipients.

The specification of this recipient ENTPREC parameter, triggers encryption to take place during ZIP processing utilizing the found recipients along with any password that may be entered.

There are four entries for the ENTPREC parameter (lookup type, recipient, password, and required).

Lookup Type (*NONE |*DB |*LDAP |*FILE |*MBRSET |*SAME)

The Lookup type would be the type of recipient search that will be used for the recipient string.

• *DB - The recipient string is defined to search using the Certificate Locator Database to access the digital certificate.

• *LDAP - The recipient string is defined to search using the LDAP server to access the digital certificate.

• *FILE - The recipient string is defined to read a specific file in a specific path in the IFS in order to access the digital certificate.

• *MBRSET - The recipient string is defined to read this specific file from the enterprise public certificate store to access the digital certificate.

• *INLIST - The recipient string defines a specific file that will contain 1 to many recipients.

Recipient (The recipient string name)

The recipient string format depends on what was specified for the Lookup type.

129

• If type is *DB: The recipient string will either be an email address or the common name of the certificate. This depends on the configuration setting in PKCFGSEC parameter CERTDB. To override the default selection mode, you can prefix the string with EM= for email address or CN= for the common name.

For example:

ENTPREC((*DB ‘bill.Somebody@pkware.com' () *RQD) (*DB ‘CN=bill Somebody' () *RQD) (*DB ‘EM=bill.Somebody@pkware.com' () *RQD))

• If type is *LDAP: The recipient string will either be an email address or the common name of the certificate depending on the search mode configuration setting in PKCFGSEC parameter LDAP. To override the default selection mode, you can prefix the string with EM= for email address or CN= for the common name.

For example:

ENTPREC((*LDAP ‘bill.Somebody@pkware.com' () *RQD) (*LDAP ‘CN=bill Somebody' () *OPT) (*LDAP ‘EM=bill.Somebody@pkware.com' () *RQD))

• If type is *FILE: The recipient string is defined to read a specific file in a specific path of the IFS. This file should be public-key X.509 file or private-key X.509 certificate file.

For example:

ENTPREC((*FILE '/pkzshare/CStores/public/pkwareCertAdmin04.cer' () *RQD))

The digital certificate file ‘pkwareCertAdmin04.cer’ will be in the full path ‘/pkzshare/CStores/public’.

• If type is *MBRSET: The recipient string is defined to read a specific file from public certificate store / private certificate store of the IFS. This file should be public-key X.509 file or private-key X.509 certificate file.

For example:

ENTPREC((*MBRSET 'pkwareCertAdmin04.cer' () *RQD))

The digital certificate file ‘pkwareCertAdmin04.cer’ will be in the full path of the public certificate store defined in the Enterprise Security Configuration public store(parameter CSPUB). If a password was included, the file would be searched for in the Enterprise Security Configuration private store (parameter CSPRIV).

• If the type is *INLIST: The recipient string defines a full file name of an input list file that contains records of ENTPREC shortcut parameters. The type of file will in the QSYS library file system if TYPLISTFL(*DB) is set and will be a path file name in the IFS if TYPLISTFL(*IFS) is set. The format of the ENTPREC shortcut parameters are define below in the *INLIST usage section.

Password (Private Cert Password)

The password is required only if the certificate that is being selected is a private certificate. This option should be omitted if a public certificate will be utilized.

130

Required (*RQD|*OPT|*SAME)

If *RQD, then this recipient must be found during the selection, and the certificate must be valid, or the ZIP/UNZIP run will fail.

Usage Notes:

The ZIP process only requires a X.509 public-key format certificate to encrypt files. The UNZIP process requires X.509 private-key format certificate file to decrypt files and this will the input of a password.

For inlist that contains a password to open a private certificate, make sure that the security is sufficient to only allow the owner of the certificate to have read access. Otherwise this would leave a security hole where other users could browse the password.

*INLIST Usage:

If *INLIST is defined on the ENTPREC parameter, then the recipient field will be a file that SecureZIP will read to include recipients. The format is very similar to the ENTPREC parameter describe above except each line recipient starts with “{RECIPIENT=” and is terminated by the “}” character with the semi-colon “;” as a separator for each entry.

{RECIPIENT=Lookup Type; Recipient; Password; Required}

Lookup Type See Lookup Type in ENTREC excluding the INLIST

Recipient See Recipient in ENTREC.

Password See Password in ENTREC.

Required See Required in ENTREC, but use RDQ for *RQD and OPT for *OPT.

Examples:

{RECIPIENT=MBRSETEM; mypassword;RQD}

Sample 1: tstpriv_db4.inlist. {RECIPIENT=DB;EM=PKTESTDB4@nowhere.com;PKWARE;RQD}

Sample 2: tstpriv_mb3.inlist. {RECIPIENT=MBRSET;pktestdb3.pfx;PKWARE;RQD}

Sample 3: tstpubl1.inlist.

{RECIPIENT=MBRSET;pktestdb3.crt;;RQD} {RECIPIENT=MBRSET;pktestdb4.crt;;OPT}

131

Sample 4: tstpubl2.inlist.

{RECIPIENT=DB;EM=PKTESTDB3@nowhere.com;;RQD} {RECIPIENT=DB;CN=PKWARE Test4;;OPT}

ENCRYPOL

Encryption Filters: Validate Level . . . . . *SYSTEM *VALIDATE, *WARN, *NONE... Filters . . . . . . . . . *SYSTEM *SYSTEM, *ALL, *NONE... + for more values

Or

ENCRYPOL(*WARN (*SYSTEM) ) ENCRYPOL(*WARN (*ALL *NOTTRUSTED) ) ENCRYPOL(*SYSTEM (*ALL *NOTEXPIRED) )

This parameter defines the processing options and filters that should apply when the ENTPREC is used to encrypt files with certificate keys.

Validate Level (*VALIDATE |*WARN |*SYSTEM)

The validate level specifies the type of encryption certificate error processing that is used if certificates are specified in ENTPREC. If *SYSTEM is specified, the enterprise setting from PKCFSEC is used. If the enterprise setting is defined as lockdown, then this parameter cannot be revised and a warning will be issued if a change is detected.

• *SYSTEM - Indicates the authentication processing that is set in the environmental setting will be used.

• *VALIDATE – Indicates that when encryption with certificates (ENTPREC parm) takes place and a failure based on the filters occurs, the run will be considered a failure and the message issued at the end will indicate one or more errors during the run.

• *WARN - Indicates that when encryption with certificates (ENTPREC parm) takes place and a failure based on the filters occurs, the failure is only considered a warning. The messages at the end of the run will not consider any failed filters for encryption certificates as errors.

Filters (*SYSTEM |*ALL |*NONE |*TRUSTED |*EXPIRED |*REVOKED |*NOTTRUSTED |*NOTEXPIRED |*NOTREVOKED)

The ENTPREC certificate filter policies settings are defined in the enterprise security file supplied by the SecureZIP administrator (see PKCFGSEC). These global policy settings can be revised with sub-parameter values, but if the enterprise setting is defined as lockdown, this parameter cannot be revised and a warning will be issued if a change is detected. The variables are cumulative from the global setting.

• *SYSTEM – All filter policies are from the global settings.

132

• *ALL - This sub-parameter activates all levels of authentication. If followed by negating sub-levels, then all but those negating levels are activated. For example: *ALL, NOTEXPIRED means that expired certificates will not cause an authentication error, but TRUST and REVOKE must both be satisfied.

• *NONE – Will negate all the policies.

• *TRUSTED – This sub-parameter signifies that the entire certificate authority chain must be validated. This includes locating the root (“self-signed”) certificate on the local system.

• *EXPIRED – This sub-parameter signifies that certificate date range validation should be performed on the certificates (including the certificate authority chain). Although the term “expired” is used, a certificate that has not yet reached its valid data range specification will fail.

• *REVOKED - A certificate owner may request that the issuing certificate authority declare a certificate to be revoked and thereby no longer consider that certificate to be valid. The encryption certificate request will fail if any of the certificates in the trust chain are found to have been revoked or if the revocation status could not be determined.

• *NOTTRUSTED – Negates the *TRUSTED filter.

• *NOTEXPIRED - Negates the *EXPIRED filter.

• *NOTREVOKED – Negates the *REVOKED filter.

ERROPT

ERROPT(*END|*SKIP)

Specifies what action to take if an error occurs while processing (selecting or compressing) a spool file.

The allowable values are:

*END The PKZIP will end without completing the compression of the file. The archive is not updated.

*SKIP The program will skip the file with the input error and continue to process all other files to completion. Message AQZ0022 will be issued at the end to indicate that an error occurred.

EXCLFILE

EXCLFILE(*NONE| path/filename)

This parameter specifies the file containing the list of files to be excluded. This can be used with or without the EXCLUDE parameter. See parameter TYPLISTFL for file system type information.

*NONE No list file will be processed.

133

path/filename Enter the file path and name of the file to process. The layout depends on which file system you want the file created.

Library File System: The format is "library/file(member)".

Integrated File System (IFS): The format is "path1/path2/../pathn/filename".

EXCLUDE

EXCLUDE(file_specification1, file_specification2,... file_specification n )

Specifies the files and file specification patterns that will be excluded from the PKZIP run. One or more names can be specified. Each name should be in the OS/400 file system format, such as, QSYS is library/file(member) and IFS is directory/file, and can include wildcards “*” and “?.”

Note: If TYPE(*VIEW) is being used, then the format for these names is the MS/DOS format.

The PKZIP program can also exclude file specifications by using the list file parameter EXCLFILE with a list of names to exclude.

Please refer to Chapter 5 for details of file specification formatting.

The valid parameter values for the FILES keyword are as follows:

'file_specification1'

'file_specification2'

'file_specification n'

EXTRAFLD

EXTRAFLD(*YES|*NO)

Specifies if the basic SecureZIP for iSeries extended file attributes should be stored in the archive. Some basic file attributes are record size, library text description, file text description, etc.

The allowable values are:

*YES Store the basic normal iSeries file attributes. See Appendix K for more definitions. This is the default and will be the same as coding *BOTH.

*NO Do not store any extended attributes.

*CENTRAL Stores the basic normal iSeries file attributes in only the archive’s central directory. This will reduce the overall archive size by only storing the attributes in the Central.

*LOCAL Stores the basic normal iSeries file attributes in only the archive’s local directory. Warning: PKUNZIP only

134

utilizes the central directory for extended data attributes.

*BOTH Stores the basic normal iSeries file attributes in both the archive’s central directory and local directory.

Migration consideration: if the archive will be processed by an earlier release of PKZIP for OS/400™ and the attributes are required, then *BOTH should be coded.

FILES

FILES(file_specification1, file_specification2,... file_specification n)

Specifies the files and file specification patterns that will be selected in the PKZIP process. One or more names can be specified. Each name should be in the OS/400 file system format, such as, QSYS is library/file(member) and IFS is directory/file, and can include wildcard “*” and “?.” For the IFS, the path and file name can up to 256 characters and can contain embedded spaces.

Note: If TYPE(*VIEW) or TYPE(*DELETE) is being used, then the format for these names is the MS/DOS format.

The PKZIP program can also have file specifications selections to include by using the list file parameter INCLFILE with a list of names to select.

Files may also be excluded. See the EXCLUDE parameter.

Please refer to Chapter 5 for details of file specification formatting.

The valid parameter values for the FILES keyword are as follows:

'file_specification1'

'file_specification2'...

'file_specification n'

FILESTEXT

FILESTEXT(*NO|*ALL|*NEW|*UPDATE)

Specifies if PKZIP allows the editing (and the type of editing performed) of a file’s text comments that are stored in an archive.

The allowable values are:

*NO No comment editing (the default).

*ALL Add comments or edit comments for all files in the archive.

*NEW Add comments only for new files that are added to the archive.

135

*UPDATE Add or edit the comments of files that are added, updated, or freshened in the archive. Only file comments of files that are affected by a change are eligible for editing.

FILETYPE

FILETYPE(*BINARY|*DETECT|*EBCDIC|*FIXTEXT|*TEXT)

Specifies whether the files selected are treated as text or binary data. For text files added to an archive, trailing spaces in each line are removed, the text is converted to ASCII (based on the translation tables) by default, and a carriage return and line feed (CR/LF) are added to each line before the data is compressed into the archive. Binary files are not converted.

The default is *DETECT; where PKZIP attempts to make a determination based on the nature of the data itself. The program will read in a portion of the data, evaluate it, and determine the appropriate process.

Note: This will lower performance time. A message will display the type used when compressing.

Use of text file option is usually faster because PKZIP has to process less data than with *BINARY, but more processing may also take place to perform the translation.

If the file is a SAVF or a database file (with DBSERVICE(*YES)), then the file will be processed as binary regardless of what option is specified.

*BINARY Specifies that the files selected are binary files and no translation should be performed.

*DETECT The PKZIP program will try to determine the data type of text or binary.

*EBCDIC Specifies that the files selected are text files and leaves it in EBCDIC without performing any translation. This is good only if the files are to be used on an iSeries or IBM-type mainframe. If they will be unzipped to a PC file, then a translation from EBCDIC to ASCII is required.

*FIXTEXT Specifies that the files selected are text files with a fixed record length based on the iSeries file’s record length and translation will be performed using the translate tables specified in the TRAN option. This means the compressed file will contain records with trailing spaces followed by a CR and LF. This is only valid for QSYS library file types as files in the IFS do not contain a record length.

*TEXT Specifies that the files selected are text files and translation will be performed using the translate tables specified in the TRAN option.

136

FND

FNE(*YES|*NO *YES|*NO

File Name Encryption : Create FNE Archive . . . . . *NO *NO, *YES Overwrite In FNE . . . . . . *NO *NO, *YES

FNE(*NO *NO)

Specifies the activation and use of the file name encryption feature.

The first option controls the creation of an archive with file name encryption.

*NO Do not create the new/updated archive as filename-encrypted archive.

*YES Create the new or updated archive into a filename-encrypted archive. If the archive exist, then the security features will be defined by the inputted FnE archive. If no archive exist, the new filename-encrypted archive will use the encryption method define with ADVCRYPT parameter and the PASSWORD and/or ENTPREC parameters.

The second option controls the overwriting of a filename-encrypted input archive to remove the filename encryption. This option is used with the first option of *NO (do not create an filename-encrypted archive), and with an existing filename-encrypted archive is input for update. Coding this option to *NO indicates that you know that the input archive is filename-encrypted and you want overwrite it to produce an archive that is not filename-encrypted.

*NO Do not allow an existing filename-encrypted archive to be changed to a non-filename-encrypted archive.

*YES Allow an existing filename-encrypted archive to be changed to a non-filename-encrypted archive when archive is updated.

FTRAN

FTRAN(*INTERNAL| Member Name)

Specifies the translation table for use in translating "file names, comments, and password" from the iSeries EBCDIC character set to the character set used in the archive file (normally ASCII character set). A default internal table is predefined. See Appendix F for additional information.

*INTERNAL Use the predefined internal table for translation. Using this is initially faster because PKZIP does not have to parse the override table.

137

membername Specify the member name in the file PKZTABLES that will be parsed and used to translate "file names and comments" files to the archive character set. The member should have the exact format of member UKASCII in file PKZTABLES. See Appendix F for information on defining translation tables.

GZIP

GZIP(*YES|*NO)

If this option is set to *YES, PKZIP will create a compressed archive in the GZIP format. The GZIP format only allows for one file or member per archive and all text data is stored in ISO 8859- 1 (LATIN- 1) character set. The GZIP format is very different from the SecureZIP for iSeries archive format, a program that can process PKZIP® archives will not necessarily process a GZIP archive correctly. The GZIP archive created conforms to the GZIP specifications RFC1951 and RFC1952.

Do not use this option if the archive is to be unzipped on another platform where GZIP compatibility is not confirmed.

The allowable values are:

*YES The PKZIP program will create a compressed archive in the GZIP format.

*NO The PKZIP program will create an archive in the PKZIP® format. This is the default.

IFSCDEPAGE

IFSCDEPAGE(*NO| Code-Page)

If this option is set to *NO, PKZIP will read IFS files using the code page that is registered for the file. Otherwise, PKZIP will read IFS files with the specified code page.

This parameter also controls the spool file ASCII conversion for *TEST and *PDF documents. When *NO is specified for spool Files, the conversion will use code page 819.

The allowable values are:

*NO The PKZIP program will read IFS files with the code page registered for the file. If the file is a spool file, the code page 819 will be used. This is the default.

Code-Page The PKZIP program will read IFS files with the specified code page value. If the file is a spool file, it is the code page that a spool file will use for ASCII translation.

138

INCLFILE

INCLFILE(*NONE| path/filename)

This parameter specifies the file containing the list of files to be selected for inclusion. This can be used with or without the FILES parameter. See parameter TYPLISTFL for file system type information.

*NONE No Include list file will be processed. This is the default.

path/filename Enter the file path and name of the file to process. The layout depends on which file system you want to create the file in.

Library File System: The format is "library/file(member)".

Integrated File System (IFS): The format is "path1/path2/../pathn/filename".

MSGTYPE

MSGTYPE(*PRINT|*SEND|*BOTH)

Specifies where the display of messages and information should be shown. The PKZIP program has the ability to send messages that appear on the log and/or the ability to print to stdout and stderr. If working interactively, stdout and stderr will show upon the dynamic screen. If submitted via batch, you can override them to print in an OUTQ or build a CL and save them to an outfile.

*SEND Send the information to the log with send message commands.

*PRINT Send the information to stdout and stderr.

*BOTH Send the information to the log with send message commands and also to stdout and stderr.

PASSWORD

PASSWORD(Archive Password)

Specifies a password for files being added to an archive. This password may be up to 64 characters in length and is case sensitive. All files selected for archiving will be encrypted using the specified password.

Note: There is no way to extract the password used from the archive data. If the password is forgotten, the file will become inaccessible. If files in an archive need to have different passwords, PKZIP must be run for each password required.

Since the password is entered in EBCDIC, the translation table referenced in the FTRAN parameter is used to translate it to ASCII. Care should be take when using the FTRAN override and when using a password. To use password-protected files, the same FTRAN override option is required.

139

SELFXTRACT

SELFXTRACT (*MAINTAIN| WINDOWS| UNIX| LINUX| *REMOVE)

This licensed feature specifies the action to take concerning self extracting archives. The actions are to maintain the current archive as is, create the new archive with a self extracting preamble, or to remove the self extracting preamble if one exist in the archive.

The self extracting programs are held as binary entities in the SecureZIP for iSeries library in the file PKZIPSFX. The appropriate member is loaded and the executable data copied to the beginning of the archive as a preamble when requested.

The resulting archive can still be processed by SecureZIP for iSeries as a normal ZIP archive.

The allowable values are:

MAINTAIN If the current archive contains a self extracting preamble, it will be maintained at the beginning of the updated archive.

WINDOWS The Windows version of the self extracting preamble will be installed to archive. (Microsoft Windows 95 and later)

AIX The AIX version of the self extracting preamble will be installed to archive. (IBM AIX Version 4.0 and later)

HP_UNIX The HP UNIX version of the self extracting preamble will be installed to archive. (HP/UX Version 9.0 and later)

SUN_UNIX The Sun UNIX version of the self extracting preamble will be installed to archive. (Sun Solaris 2.3 (SunOS 53) and later)

LINUXINTEL The Linux version of the self extract preamble (if available) will be installed to archive. (LINUX Kernel 2.x for Intel Note:libc-5 must be installed on the target system.)

*REMOVE If the current archive contains a self extracting preamble, it will be removed.

SFUSER

SFUSER (*CURRENT|*ALL |User Name List)

Specifies the user names that created spool files that will be selected. This value is ignored if SFJOBNAM is coded.

The allowable values are:

*CURRENT Only files created by the user running this command are selected.

140

*ALL Files created by all users are selected.

User Name Specify up to 10 user names. Only files created by those users are selected.

SFQUEUE

SFQUEUE (*ALL |Name|*LIBS)

Specifies the output queue that will be searched for the spool file selections. If no OUTQ library is specified, it will default to *LIBL.

The allowable values are:

*ALL Files on any device-created or user-created output queue are selected.

OUTQ The OUTQ that will be searched.

OUTQ Library The library where the OUTQ resides. Defaults to *LIBL.

*LIBS *LIBS will search all OUTQ that exist in the specified OUTQ Library. If *LIBS is selected then the library cannot be blank, nor contain *LIBL nor *CURRENT.

SFFORM

SFFORM (*ALL | *STD| Form Type)

Specifies the spool file form type that is on the spool files that will be selected.

The allowable values are:

*ALL Files for all form types are selected.

*STD Only files that specify the standard form type are selected.

Form Type Only spool files with this specific form type will be selected.

SFUSRDTA

SFUSRDTA (*ALL| User Data)

The user data tag associated with the spool file to select.

The allowable values are:

*ALL Files with any user data tag specified are selected.

User Data Only spool files with this specific user data tag will be selected.

141

SFSTATUS

SFSTATUS (*ALL |*READY|*HELD|*CLOSED|*SAVED|*PENDING|*DEFERRED)

Specifies the statuses of the spool files to be selected. Up to four statuses can be selected for one run.

The allowable values are:

*ALL All spool file status will be considered for selection.

*READY Only spool files with a status of *READY will be selected.

*HELD Only spool files with a status of *HELD will be selected.

*CLOSED Only spool files with a status of *CLOSED will be selected.

*SAVED Only spool files with a status of *SAVED will be selected.

*PENDING Only spool files with a status of *PENDING will be selected.

*DEFERRED Only spool files with a status of *DEFERRED will be selected.

SFJOBNAM

SFJOBNAM(Blank|*|Spool File Jobname/User/Job Number)

Specifies the job name, user name, and job number that will be used to select spool files. If anything other than blanks is in SFJOBNAM parameter, it will be used as the primary selection criteria. If any of the three fields (job name, user name, and job number) are specified, then all three fields must be entered and be valid.

The allowable values are:

Blank This is the default selection. This will cause all other selection criteria to be used for spool files.

* The * will cause the current job-name/user-name/job number to be used to select spool files.

Job-name Specify the name of the job to be selected. If no job qualifier is given, all of the jobs currently in the system are searched for the simple job name.

User-Name Specify the name that identifies the user profile under which the job is run.

Job-Number Specify the job number assigned by the system.

SFTARGET

SFTARGET (*SPLF|*TEXT|*PDF|*TEXT1|*TEXT2)

Specifies the format of the file that will be stored in the archive.

142

The allowable values are:

*SPLF This is the default selection. This will compress the spool file in a spool file format with all of the spool file attributes. This format is only valid on an AS/400. If the archive is extracted, it will take on the latest spool file settings, such as, job name, user, job number, spool file number, etc. The suffix for this selection is SPLF. Parameter SFTGFILE is required to be *GEN1 for SFTARGET(*SPLF).

*TEXT The spool file will be saved in the archived as an ASCII text document. The suffix for this selection is .TXT. each new page will have a form feed control character.

*TEXT1 The spool file will be saved in the archived as an ASCII text document. The suffix for this selection is .TXT. Each new page will have a carriage control and line feed control characters.

*TEXT2 The spool file will be saved in the archived as an ASCII text document. The suffix for this selection is .TXT. Each page will have a carriage control and line feed control characters for blanks lines to fill out a page with the number lines required by the spool file attribute.

*TEXTFC The spool file will be saved in the archive as an ASCII Text document. The suffix for this selection is .TXT. Each new page will have a form feed control character.

*PDF The spool file will be saved in the archived as a PDF text document. The suffix for this selection is .PDF. The size will be adjusted based upon the width and length of the spool file.

*PDFLETTER The spool file will be saved in the archived as a PDF text document. The suffix for this selection is .PDF. The size will be adjusted based upon the width and length of the spool file.

*PDFLEGAL The spool file will be saved in the archived as a PDF text document. The suffix for this selection is .PDF. The size will be adjusted based upon the width and length of the spool file.

SFTGFILE

SFTGFILE (|*GEN1|*GEN2|*GEN1P|File Name)

Specifies the how the file name will be stored in the archive.

The allowable values are:

*GEN1 GEN1 is the default selection. This generates a very specific name using most of the spool file name attributes to form the file name so that it will not be

143

duplicated. *GEN1 is required if SFTRAGET is *SPLF. The name will be built as follows:

“Job-Name/User-Name/#Job-Number/Spool-File-Name/Fspool-File-Number.Suffix”

”MYJOB/BILLS#152681/INVOICE/F0021.SPLF”

The suffix is dependent on the SFTARGET setting.

*GEN1P *GEN1P generates the same file name as *GEN1 except instead of a '/' separator, *GEN1P will use a '.' as name separator.

*GEN2 *GEN2 uses the spool file name and appends the spool file number followed by the suffix that is depended on the SFTARGET setting. Caution should be taken in that a duplicate file name in the archive could be created. An example of GEN2 is a spool file INVOICE with spool file number of 21 that will be converted to a text file will generate a file name of INVOICE21.TXT.

File Name This parameter should only be used when selecting one specific spool file where you want a specific file name.

SPLFILE

SPLFILE (*ALL| Spool File Name)

Specifies the spool file name that will be selected. This parameter is used along with all the other spool file selection parameters to determine the spool files to select.

The allowable values are:

*ALL This is the default setting. *ALL indicates that spool file name is not important.

Spool File Name A specific spool file name that will be searched for and selected.

SPLNBR

SPLFILE (*ALL|*LAST| Spool File Number)

Specifies the number of the spool file from the job whose data records are to be selected. If *ALL is coded then all file numbers are considered. This parameter is only valid when the SFJOBNAM parameter or SPLFILE is used. This parameter is used along with all the other spool file selection parameters to determine the spool files to select.

The allowable values are:

*ALL This is the default setting. *ALL indicates that spool file number is not important.

*LAST The spooled file with the highest number is used.

144

Spool File Number A number 1-9999 to specify the number of the spooled file whose data records are to be selected.

SIGNERS

Signing Certificates : File/Archive . . . . . . . *FILE *FILE, *ARCHIVE, *ALL LookUp Type . . . . . . . . *DB *DB, *FILE, *MBRSET, *INLIST Signer . . . . . . . . . . . _____________________________________________ Password (If Private) . . . _________________________________________ Required . . . . . . . . . . *RQD *RQD, *OPT

Or

SIGNERS((*FILE *MBRSET 'pkwareCertAdmin04.pfx' (password) *RQD)) SIGNERS((*FILE *FILE '/pkzshare/CStores/private/pkwareCertAdmin04.pfx' (password) *RQD)) SIGNERS((*FILE *FILE '/pkzshare/CStores/private/pkwareCertAdmin04.pfx' (‘mypassword’) *RQD)) SIGNERS((*FILE *DB ‘EM=bill.somebody@pkware.com' (password) *RQD)) SIGNERS((*FILE *INLIST 'ATEST/INLIST(ENGNEER1)' *N)

This parameter identifies the public key certificate with private key that is to be used to digitally sign files to be added to the archive and/or the archive directory. Multiple signing certificates may be applied to the files but only one signer is allowed to sign the archive directory. Signing an archive by signing its central directory enables people who receive the archive to confirm that the archive as a whole is not changed. By contrast, signing only individual files in an archive enables people to confirm that the particular signed files are unchanged but leaves open the possibility that the archive has had files added or removed.

There are five options for SIGNERS.

Signing Type File/Archive (*FILE |*ARCHIVE |*ALL)

The File/Archive selection determines whether the files, archive or both are to be signed during the ZIP run. Only one signer can be specified for an archive. If the lookup type is *INLIST, then this option will be ignored and will pickup from the records in the inlist file.

• *FILE – All new files being compressed in the run will be signed by this private key and a signature entry will be added to the archive.

• *ARCHIVE – The archive directory will be signed by this private key and a signature entry will be added to the archive.

• *ALL – Both *FILE and *ARCHIVE for the signer will be used.

Lookup Type (*DB |*FILE |*MBRSET |*INLIST)

The lookup type would be the type of signer search that will be used for the signer string to lookup the private key.

• *DB - The signer string is defined to search using the Certificate Locator Database to access the digital certificate and private key.

145

• *FILE - The signer string is defined to read a specific file in a specific path in the IFS in order to access the digital certificate and private key.

• *MBRSET - The signer string is defined to read this specific file from the enterprise private certificate store to access the digital certificate and private key.

• *INLIST- The signer string defines a specific file that will contain one to many signers. The TYPLISTFL parameter must specify the file type for the inlist.

Signer (The signer string name)

The signer string format depends on what was specified for the lookup type.

• If lookup type is *DB, the signer string will either be an email address or the common name of the certificate. This depends on the configuration setting in PKCFGSEC parameter CERTDB. To override the default selection mode, you can prefix the string with EM= for email, or CN= for the common name.

For example:

SIGNERS((*FILE *DB ‘bill.somebody@pkware.com' (password) *RQD) (*ARCHIVE *DB ‘CN=bill somebody' (password) *RQD) (FILE *DB ‘EM=bill.somebody@pkware.com' (password) *OPT))

• If lookup type is *FILE, the signer string is defined to read a specific file in a specific path of the IFS. This file should be public key X.509 with the private key X.509 certificate file.

For example:

SIGNERS((*ARCHIVE *FILE '/pkzshare/CStores/private/pkwareCertAdmin04.pfx' (password) *RQD))

The digital certificate file with the private key ‘pkwareCertAdmin04.pfx’ will be in the full path '/pkzshare/CStores/private’.

• If lookup type is *MBRSET, the signer string is defined to read a specific file from the public certificate store and/or the private certificate store of the IFS. This file should be public key X.509 with the private key X.509 certificate file.

For example:

SIGNERS((*ALL *MBRSET 'pkwareCertAdmin04.pfx' (password) *RQD))

The digital certificate file ‘pkwareCertAdmin04.pfx’ will be in the full path of the private certificate store defined in the enterprise security configuration private store (parameter CSPRV). Since the password was included, the file will be searched for in the enterprise security configuration private store (parameter CSPRIV).

• If lookup type is *INLIST the signer string defines a full file name of an input list file that contains records of SIGNERS shortcut parameters. The type of file will exist in the QSYS library file system if TYPLISTFL(*DB) is set and will be a path file name in the IFS if TYPLISTFL(*IFS) is set. The format of the SIGNERS shortcut parameters are defined below in the *INLIST usage section.

146

Password

This designates the password that is required for a private key (PKCS#12 file). When a value is specified, the target must be an X.509 PKCS#12 private key certificate.

The PASSWORD value may contain blanks and is delimited by the closing right parenthesis ")" of the signing command.

Required (*RQD|*OPT|*SAME)

If *RQD then this signer MUST be found during the selection and the certificate MUST be a valid certificate with a private key or the run will fail.

Usage Notes:

A NULL file (binary file having zero bytes of data) will be signed. However, note that the digital signature is based on a fixed hash value.

The entire data stream of each file is run through the hash algorithm before compression or encryption. However, file text data is translated before hashing so that the receiving system is able to hash the identical stream after decryption/decompression.

The processor requirement for a file signature is directly related to the size of the file(s) being signed and/or authenticated (see SIGN_HASHALG). Therefore, when processing costs are a consideration, the decision whether to use SIGNERS to sign large files should be based on the business case. Sometimes signers for the archive may be more appropriate. (The directory size is proportional to the number of files in the archive, not the physical size of the file data.)

A separate signing operation is performed for each supplied certificate, for each file. Processor and elapsed time will be impacted in proportion to the number of signatories and files selected.

The number of file signatures that can be held for each file is constrained by a number of factors. These include EXTRAFLD(*YES) and DBSERVICE(*NO), the size of the signatures generated (based on the size of the certificate information), the number of certificates in the authenticating certificate authority chain, the number of different certificate authorities used in association with the signing certificates, if FNE(*YES) is specified, and the number of recipients for certificate-based encryption of files. For planning purposes, typical ZIP operations will support up to 10 file signatories as a rule, although more or fewer may be achieved in practice.

It is important that the password is entered in the correct case. Any variation in case or misspelling will result in a public key certificate access attempt (which will fail for a private key PKCS#12 certificate). Please note that passwords will be masked out in all output displays.

A local certificate store configuration is required to complete the processing of this command. Even when a direct FILE specification is made to locate the private key certificate, the CS and ROOT certificate store components must be accessible to complete the certificate signing chain within the archive. This information is required to complete authentication processing on the target system when the local certificate store on that system does not contain the certificate authority chain required to validate TRUST (see PKCFGSEC).

147

Processing will be terminated if none of the requested certificates can be accessed, regardless of the “R” required flag. If multiple requests are made and at least one signature is found, processing will continue normally.

Signed files are tolerated by prior releases of PKZIP and SecureZIP for iSeries but are not processed for authentication.

For inlist that contains a password to open a private certificate, make sure that the security is sufficient to only allow the owner of the certificate to have read access. Otherwise this would leave a security hole where others could browse the password.

*INLIST Usage:

If *INLIST is defined on the SIGNERS parameter, then the signer filed will be a file that SecureZIP will read to include the signer. The format is very similar to the SIGNERS parameter described above except each line signer starts with “{SIGNERS=” and is terminated by the “}” character with the semi-colon “;” as a separator for each entry.

{SIGNERS=Signing Type, Lookup Type; Signer; Password; Required}

Signing Type See Signing Type in SIGNERS

Lookup Type See Lookup Type in SIGNERS excluding the INLIST

Signer See Signer in SIGNERS.

Password See Password in SIGNERS.

Required See Required in SIGNERS, but use RDQ for *RQD and OPT for *OPT.

Examples:

Sample 1: tstsign_db1.inlist. {SIGNERS=File;DB;EM=PKTESTDB4@nowhere.com;PKWARE;RQD}

Sample 2: tstsign_mb2.inlist. {SIGNERS=ARCHIVE;MBRSET;pktestdb3.pfx;PKWARE;RQD}

SIGNPOL

Signing Filters: Validate Level . . . . . *SYSTEM *VALIDATE, *WARN, *NONE... Filters . . . . . . . . . *SYSTEM *SYSTEM, *ALL, *NONE... + for more values

Or

SIGNPOL(*WARN (*SYSTEM) ) SIGNPOL(*WARN (*ALL *NOTTRUSTED) ) SIGNPOL(*SYSTEM (*ALL *NOTEXPIRED) )

148

This parameter defines the processing options and filters that should take place if the SIGNERS parameter is used to define the file or archive signing certificates.

Validate Level (*VALIDATE |*WARN |*SYSTEM)

The validate level specifies the type of signing processing that should take place if the signer requests encounter an error. If *SYSTEM is specified, the enterprise setting from PKCFSEC is used. If the enterprise setting is defined as Lockdown, then this parameter cannot be revised and a warning will be issued if a change is detected.

• *SYSTEM - Indicates the authentication processing that is set in the environmental setting will be used.

• *VALIDATE - Indicates that when authentication takes place and a failure occurs based on the filters, the run will be considered a failure, and the message issued at the end will indicate one or more errors during the run.

• *WARN - Indicates that when authentication takes place and a failure occurs, the failure is only considered a warning. The messages at the end of the run will not consider any failed filters for signer certificates as errors.

Filters (*SYSTEM |*ALL |*NONE |*TRUSTED |*EXPIRED |*REVOKED |*NOTTRUSTED |*NOTEXPIRED |*NOTREVOKED)

The signing filter policies settings are defined in the enterprise security file supplied by the SecureZIP administrator (see PKCFGSEC). These global policy settings can be revised with sub-parameter values, but if the enterprise setting is defined as lockdown, this parameter cannot be revised and a warning will be issued if a change is detected. The variables are cumulative from the global setting. The setting of these filters defines what certificates are acceptable for signing.

• *SYSTEM - All filter policies are from the global settings.

• *ALL - This sub-parameter activates all levels of authentication. If followed by negating sub-levels, then all but those negating levels are activated. For example: *ALL, NOTEXPIRED means that expired certificates will not cause an authentication error, but TRUST and REVOKE must both be satisfied.

• *NONE - Will negate all the policies.

• *TRUSTED - Each end-entity certificate used in the signature must be traced back to a trusted root certificate. The CACA and CSROOT stores on the local system performing the authentication check will be accessed to determine if the entire certificate chain can be trusted. Although the root (“self-signed”) certificate may be included within the archive, it MUST also exist in the CSROOT store to complete the TRUSTED state.

• *EXPIRED - The digital certificates used to originally perform the signing operation contain internal date ranges of validity. The signer operation will fail if any of the certificates in the trust chain are not found to be within their stated data range. Note that an end-entity certificate may have expired at the time that the archive is being accessed, and NOTEXPIRED may be used to continue processing.

• *REVOKED - A certificate owner may request that the issuing certificate authority declare a certificate to be revoked and thereby no longer consider that certificate to be valid. The signer operation will fail if any of the

149

certificates in the trust chain are found to have been revoked or if the revocation status could not be determined.

• *NOTTRUSTED - Negates the *TRUSTED filter.

• *NOTEXPIRED - Negates the *EXPIRED filter.

• *NOTREVOKED - Negates the *REVOKED filter.

STOREPATH

STOREPATH(*NO|*YES)

Specifies whether to store the full path and file name in the archive, or to just save the file name. If the file is an IFS file type, the path is all directories, from the current directory, to the directory of the file. In the library system, the path is the library and the file name. The member name is considered to be the archive name.

The allowable values are:

*YES Store all paths and the filename in the PKZIP archive.

*NO Store only the filename in the PKZIP archive.

TMPPATH

TMPPATH(*CURRENT| pathname)

Specifies a directory or library/file in which to build the temporary archive file. While PKZIP is compressing data into an archive, a temporary archive file name is used. The temporary file name is a 10-character name with a prefix of “PZ” followed by a time stamp (PZtttttttt). If this option is *CURRENT, the temporary file is built in the same directory (for library file systems it is same library/file with temporary member) in which the new archive will be stored and is then renamed at the end of the run to the archive name. If an override path is specified, the temporary archive file is built into that specified path, and the file is then copied to its final archive path at the end of the run. The temporary file name and path type will be the same as specified for ARCHIVE. See parameter TYPARCHFL for file system type information. Special libraries (such as QTEMP) are used frequently.

*CURRENT Specifies that the current archive path will be used (see ARCHIVE) to build the temporary archive file PZxxxxxxxx.

pathname Specifies a path name (if using IFS such as /PKZIP/tempdir) or a library/file (if using the library system).

NOTE 1: When using the QSYS library file system and specifying “qtemp” as the TMPPATH, a dynamic file name and member name is created in the library qtemp. At the end of the run, the file and member are removed. If any other combination of names is used, then a dynamic member name is created and only the member is removed.

150

NOTE 2: When using the QSYS library file system and specifying a TMPPATH, there may be a slight performance degradation because the archive file will have to be copied from one library/file to another library/file. Otherwise, if *CURRENT is used, the file member name will only be renamed.

TRAN

TRAN(*INTERNAL| Member Name)

Specifies the translation table for use with translating data from the iSeries EBCDIC character set to the character set used in the archive file (normally the ASCII character set). A default internal table is predefined (see Appendix F).

*INTERNAL Use the predefined internal table for translation. Using this is initially faster because PKZIP does not have to parse the override table.

Member Name Specifies the member name in the file PKZTABLES that will be parsed and used to translate data files to the archive character set. The member should have the exact format of member UKASCII in file PKZTABLES (see Appendix F for information on defining translation tables).

TYPARCHFL

TYPARCHFL(*DB|*IFS)

Specifies the type of file system in which the archive file will exist (see parameters ARCHIVE and TMPPATH for additional information).

*DB Archive files are to be in the QSYS library file system.

*IFS Archive files are to be in the integrated files system (IFS).

TYPFL2ZP

TYPFL2ZP(*DB|*IFS)

Specifies the type of file system that contains files to be zipped. Reflected for files in parameters FILES and EXCLUDE.

*DB Files to be zipped are in the QSYS library file system.

*IFS Files to be zipped are in the IFS (integrated files system) - Case sensitive selection.

*IFS2 Files to be zipped are in the IFS (integrated files system) – Non-case-sensitive selection.

151

*DBA Files to be compressed are database files in the QSYS library file system with database mode "DBSERVICE(*YES)", and the records are to processed in arrival sequence. This is only pertinent for database files containing keys and when it is important to retain the arrival sequence of the data.

*SPL Files to be zipped are spool files.

TYPLISTFL

TYPLISTFL(*DB|*IFS)

Specifies the “type of files system” that will be used for the input list file and/or the output list file of selected items.

To use input list files, see parameters INCLFILE (file section list) or EXCLFILE (file exclude list). To create an output list file of the selected file items, see parameter CRTLIST.

*DB Files are in the QSYS library file system.

*IFS Files are in the IFS(integrated files system).

VERBOSE

VERBOSE(*NORMAL|*NONE| *ALL|*MAX )

Specifies how the detail will be displayed during a PKZIP run.

The allowable values are:

*NORMAL Displays most informative message to show PKZIP is processing.

*NONE Displays only major exception information.

*ALL Displays all messages.

*MAX Used only for debugging purposes.

VPASSWORD

VPASSWORD(Archive Verify Password)

Specifies a verification password against the entered password since the PASSWORD is not visible. This parameter is required for all encryption methods except ZIPSTD. VPASSWORD follows all the rules of PASSWORD and must match exactly to the archive password entered in PASSWORD parameter or the run will be terminated.

152

12 PKUNZIP Command

PKUNZIP Command Summary with Parameter Keyword Format If the OS/400 command prompt screen is to be used, the command format is simply: PKUNZIP.

The command prompt screen is displayed when ENTER or PF4 is pressed. The parameter keywords are displayed on this screen together with the available keyword options. The required options can be selected before PF4 is pressed to accept the selections. If the command and parameter keywords are entered together on the command line, the required format is:

PKUNZIP keyword1(option) keyword2(option) . . . keywordn(option)

Keywords are delimited by spaces. The keyword “ARCHIVE” is the only positional keyword where the keyword itself is not required. Whenever the word “path” is used, its meaning depends on the file system that is being used. If IFS is used, path refers to the openness true path type. If the library systems or *DB is used, path means library/file, and then the file name refers to the member name.

153

TYPE( *VIEW ) (*EXTRACT} {*NEWER} {*TEST}

ARCHIVE( Archive Zip File name with path )

AUTHCHK( Authenticators ) Authenticate Type {*FILE}

{*ARCHIVE} {*ALL}

Lookup Type {*DB } {*LDAP} {*FILE} {*MBRSET} {*INLIST}

Recipient {Recipient String} Password (if Private) {Certificate password} Required {*RQD }

{*OPT} AUTHPOL ( Authenticate Filters: ) Validate Level {*SYSTEM } {*WARN } {*VALIDATE} Validate Type {*NONE } {*ALL } {*ARCHIVE} {*FILE} Filters {*SYSTEM } {*ALL} {*NONE} {*TAMPER} {*TRUSTED} {*EXPIRED} {*REVOKED} {*NOTAMPER} {*NOTTRUSTED} {*NOTEXPIRED} {*NOTREVOKED} CRTLIST( {*NONE} )

path/filename

CVTDATA( External Pgm Conversion Extended Data)

CVTFLAG( {*NONE} ) External Pgm Conversion Flags

CVTTYPE( {*NONE} ) {*DROP} {*SUFFIX}

DFTDBRECLN( {132} ) {decimal number}

DROPPATH( {*NONE} ) {*ALL} {*LIB}

ENTPREC( Decryption Recipients ) Lookup Type {*DB }

{*LDAP} {*FILE}

154

{*MBRSET} {*INLIST}

Recipient {Recipient String} Password (if Private) {Certificate password} Required {*RQD }

{*OPT} EXCLFILE( {*NONE} )

path/filename

EXCLUDE( file_specification1, ) file_specification2, file_specificationn

EXDIR( {*CURRENT} ) path

FILES( file_specification1, ) file_specification2, file_specificationn

FILETYPE( {*TEXT} ) {*BINARY} {*EBCDIC} {*DETECT}

FTRAN( {*INTERNAL} ) Member Name

IFSCDEPAGE( {*NO} ) Code-page

INCLFILE( {*NONE} ) path/filename

MSGTYPE( {*PRINT} ) {*SEND} {*BOTH}

OVERWRITE( {*NO} ) {*YES} {*PROMPT}

PASSWORD( Archive Password )

SFQUEUE ( {*DFT} ) {Library/Outq }SPLUSRID (

SPLUSRID {*DFT} ) {User ID }

TRAN( {*INTERNAL} ) Member Name

TYPARCHFL( {*DB} ) {*IFS}

TYPFL2ZP( {*DB} ) {*IFS}

TYPLISTFL( {*DB} ) {*IFS}

VERBOSE( {*NORMAL} ) {*NONE}

155

{*ALL} {*MAX}

VIEWOPT( {*NORMAL} ) {*DETAIL} {*BRIEF} {*COMMENT } {*FNE} {*FNEALL}

VIEWSORT( {*ASIS} ) {*DATE} {*DATER} {*NAME} {*NAMER} {*PERCENT} {*PERCENTR} {*SIZE} {*SIZER}

156

PKUNZIP Command Keyword Details

TYPE

TYPE(*EXTRACT|*NEWER|*TEST |*VIEW)

The TYPE keyword specifies the type of action PKUNZIP should perform on the ZIP archive.

The possible actions are:

*VIEW Display output information about all files or selected files contained in an archive. This option is performed using PKUNZIP. The sequence (see *VIEWSORT) and type of list (*VIEWOPT) determines what information is displayed.

*EXTRACT Extracts files from the archive (please refer to the DROPPATH, CVTTYPE, TO, and EXDIR parameters for controlling the conversion of file names extracted from the archive).

*NEWER Extracts files in the archive that have a more recent date and time than the corresponding file on disk. If the files do not exist on disk, they will be extracted as newer. All other files will be skipped.

*TEST Tests the integrity of files in the archive by extracting files without writing the data. As each file is extracted, a CRC is calculated. At the end of the file the calculated CRC is compared against the stored CRC in the archive file header to confirm that the data has not been corrupted.

ARCHIVE

ARCHIVE(Archive Zip File name with path)

Specifies the path/file name or the library/file name of the PKUNZIP archive to be processed.

This is a required parameter.

The format depends on whether you will be using the archive file in the library file system or the IFS.

See parameter TYPARCHFL for file system type information.

Library File System: Format is library/file(member). If member is omitted, it will use the file name for the member.

157

Integrated File System (IFS): Open system path followed by the archive file name. The path and file name can up to 256 characters and may contain embedded spaces.

AUTHCHK

Authenticator Certificates: File/Archive . . . . . . . *FILE *FILE, *ARCHIVE, *ALL LookUp Type . . . . . . . . *DB *DB, *LDAP, *FILE, *MBRSET... Authenticator . . . . . . . ______________________________ Password (If Private) . . . ______________________________ Required . . . . . . . . . . *RQD *RQD, *OPT + for more values _

Or

AUTHCHK((*FILE *MBRSET 'pkwareCertAdmin04.pfx' (password) *RQD)) AUTHCHK((*ALL *FILE '/pkzshare/CStores/public/pkwareCertAdmin04.cer' () *RQD)) AUTHCHK((*ARCHIVE *FILE '/pkzshare/CStores/public/pkwareCertAdmin04.cer' () *RQD)) AUTHCHK((*FILE *DB ‘EM=bill.somebody@pkware.com' () *OPT)) AUTHCHK((*FILE *INLIST 'ATEST/INLIST(ENGNEER1)' *N)

This parameter specifies that digital signature authentication processing should be performed for specific signers. Separate authentication processing may be specified for either the archive central directory or files by using multiple commands. Optionally, specific signers may be specified to authenticate against. This parameter is used in conjunction with the AUTHPOL parameters and its settings.

It is possible that more than one certificate may be returned for a single common name or email search. As a result, each one will be added to the list of validating sources.

When no specific certificates are requested, any signatories found in the archive are validated in accordance with the systems or current AUTHPOL Filters policy settings.

There are five options for AUTHCHK.

Authenticator Type File/Archive (*FILE |*ARCHIVE |*ALL)

This designates the type of authentication that is to be performed. Either ARCHIVE, FILE or ALL may be specified on each item, but by using ALL or archive with the *RQD option will result in error since the archive can only have one signatory. If the lookup type is *INLIST, then this option will be ignored and will pickup from the records in the inlist file.

• *FILE – The signed files will be authenticated with this authenticator.

• *ARCHIVE - The archive directory will be authenticated with this authenticator.

• *ALL – Both the signed files and the archive directory will be authenticated with this authenticator.

Lookup Type (*DB |*FILE |*LDAP |*MBRSET |*INLIST)

The lookup type would be the type of authenticator search to be used for the authenticator string to look up the public key.

158

• *DB - The authenticator string is defined to search using the certificate locator database to access the digital certificate.

• *FILE - The authenticator string is defined to read a specific file in a specific path in the IFS in order to access the digital certificate.

• *LDAP - The recipient string is defined to search using the LDAP server to access the digital certificate.

• *MBRSET - The authenticator string is defined to read this specific file from the enterprise public certificate store to access the digital certificate.

• *INLIST- The authenticator string defines a specific file that will contain one to many AUTHCHK. The TYPLISTFL parameter must specify the file type for the inlist.

Authenticator (The authenticator string name)

The authenticator string format depends on what was specified for the lookup type.

• If lookup type is *DB, the authenticator string will either be an email address or the common name of the certificate. This depends on the configuration setting in PKCFGSEC parameter CERTDB. To override the default selection mode, you can prefix the string with EM= for email, or CN= for the common name.

For example:

AUTHCHK((*FILE *DB ‘bill.somebody@pkware.com' () *RQD) (*ARCHIVE *DB ‘CN=bill somebody' () *RQD) (FILE *DB ‘EM=bill.somebody@pkware.com' (password) *OPT))

• If lookup type is *FILE, the authenticator string is defined to read a specific file in a specific path of the IFS. This file should be a public key X.509 file or public key X.509 certificate with a private key file.

For example:

AUTHCHK((*ARCHIVE *FILE '/pkzshare/CStores/public/pkwareCertAdmin04.cer' () *RQD))

The digital certificate file ‘pkwareCertAdmin04.cer’ will be in the full path '/pkzshare/CStores/public’.

• If type is *LDAP, the authenticator string will either be an email address or the common name of the certificate depending on the search mode configuration setting in PKCFGSEC parameter LDAP. To override the default selection mode, you can prefix the string with EM= for email address, or CN= for the common name.

For example:

AUTHCHK ((*ARCHIVE *LDAP ‘bill.somebody@pkware.com' () *RQD) (*FILE *LDAP ‘CN=bill somebody' () *OPT) (*FILE *LDAP ‘EM=bill.somebody@pkware.com' () *RQD))

• If lookup type is *MBRSET, the authenticator string is defined to read a specific file from the public certificate store and/or the private certificate store of the IFS. This file should be a public key X.509 file or public key X.509 certificate with a private key file.

159

For example:

AUTHCHK((*ALL *MBRSET 'pkwareCertAdmin04.cer' () *RQD))

The digital certificate file ‘pkwareCertAdmin04.cer’ will be in the full path of the public certificate store defined in the enterprise security configuration public store (parameter CSPUB). If a password is included, the file is searched for in the enterprise security configuration private store (parameter CSPRIV).

• If lookup type is *INLIST, the authenticator string defines a full file name of an input list file that contains records of AUTHCHK shortcut parameters. The type of file will exist in the QSYS library file system if TYPLISTFL(*DB) is set and will be a path file name in the IFS if TYPLISTFL(*IFS) is set. The format of the AUTHCHK shortcut parameters are defined below in the *INLIST usage section.

Password

This designates the password that is required for a private key certificate with a private key (PKCS#12 file). When a value is specified, the target must be an X.509 PKCS#12 public key certificate with the private key.

The PASSWORD value may contain blanks and is delimited by the closing right parenthesis ")" of the signing command.

Required (*RQD|*OPT|*SAME)

If *RQD, then this authenticator must be found during the selection, and the certificate must be a valid certificate with a private key, or the ZIP/UNZIP run will fail.

Usage Notes:

Passwords are masked out in all output displays.

A local certificate store configuration is required to complete the TRUST processing of this command.

Processing is terminated if none of the requested certificates can be accessed, regardless of the “R” required flag. If multiple requests are made and at least one signature is found, processing continues normally.

For inlist that contains a password to open a private certificate, make sure that the security is sufficient to only allow the owner of the certificate to have read access. Otherwise this would leave a security hole where other users could browse the password.

*INLIST Usage:

If *INLIST is defined on the AUTHCHK parameter, then the authenticator filed will be a file that SecureZIP will read to include the authenticator. The format is very similar to the AUTHCHK parameter described above except that each line authenticator starts with “{AUTHCHK=” and is terminated by the “}” character, with the semi-colon “;” as a separator for each entry.

{AUTHCHK=Authenticator Type, Lookup Type; Authenticator; Password; Required}

160

Authenticator Type See Authenticator Type in AUTHCHK

Lookup Type See Lookup Type in AUTHCHK excluding the INLIST

Authenticator See Authenticator in AUTHCHK.

Password See Password in AUTHCHK.

Required See Required in AUTHCHK, but use RDQ for *RQD and OPT for *OPT.

Examples:

Sample 1: tstauth_db1.inlist. {AUTHCHK=FILE;DB;EM=PKTESTDB4@nowhere.com;;RQD}

Sample 2: tstauth_mb2.inlist. {AUTHCHK=ARCHIVE;MBRSET;pktestdb3.pfx;PKWARE;RQD}

Sample 3: tstauth_mb3.inlist. {AUTHCHK=ALL;MBRSET;pktestdb3.pfx;PKWARE;RQD}

AUTHPOL

Authenticate Filters: Validate Level . . . . . *SYSTEM *VALIDATE, *WARN, *NONE... Validate Type . . . . . *ARCHIVE *ARCHIVE, *NONE Filters . . . . . . . . . *SYSTEM *SYSTEM, *ALL, *NONE... + for more values

Or

AUTHPOL(*WARN *ARCHIVE (*SYSTEM) ) AUTHPOL(*WARN *FILE (*NOTTRUSTED) ) AUTHPOL(*SYSTEM *ALL (*ALL *NOTEXPIRED) )

This parameter defines the processing options and filters that should apply if a signed file or signed archive is encountered.

Validate Level (*VALIDATE |*WARN |*SYSTEM)

The validate level specifies the type of authentication processing that should take place if a file or archive is encountered. The default is *SYSTEM and, unless it is modified, SecureZIP will use the enterprise setting from PKCFSEC.

• *VALIDATE – Indicates that when authentication takes place and a failure occurs based on the filters, the run will be considered a failure and the message issued at the end will indicate one or more errors during the run.

• *WARN - Indicates that when authentication place and a failure occurs, the failure is only considered a warning. The messages at the end of the run will not consider any failed authentications as errors.

161

• *SYSTEM – Indicates the authentication processing that is set in the environmental setting will be used.

Validate Type (*ALL |*ARCHIVE |*FILE |*NONE)

The validate type specifies whether the file, archive, all or no authentication will take place if a file or archive has been signed. The default is *NONE, and anything other than *NONE requires the Enhanced Encryption module.

• *ALL - Indicates that authentication will take place for both files and/or the archive has been signed.

• *ARCHIVE - Indicates that only a signed archive will be authenticated.

• *FILE - Indicates that only the signed files will authenticated.

• *NONE - Indicates no authentication will take place even though a file or archive has been signed.

Filters (*SYSTEM |*ALL |*NONE |*TAMPER |*TRUSTED |*EXPIRED |*REVOKED |*NOTAMPER |*NOTTRUSTED |*NOTEXPIRED |*NOTREVOKED )

The authentication filter policies settings are defined in the enterprise security file supplied by the SecureZIP administrator (See PKCFGSEC). These global policy settings can be revised with sub-parameter values. The variables are cumulative from the global setting.

• *SYSTEM – All filter policies are from the global settings.

• *ALL - This sub-parameter activates all levels of authentication. If followed by negating sub-levels, then all but those negating levels are activated. For example: *ALL NOTEXPIRED means that expired certificates will not cause an authentication error, but TRUST and TAMPERCHECK must both be satisfied.

• *NONE – Will negate all the policies.

• *TAMPER – This sub-parameter signifies that a verification of the data stream should be done against the digital signature.

• *TRUSTED – This sub-parameter signifies that the entire certificate authority chain must be validated. This includes locating the root (self-signed) certificate on the local system.

• *EXPIRED – This sub-parameter signifies that certificate date range validation should be performed on the certificates (including the certificate authority chain). Although the term “expired” is used, a certificate that has not yet reached its valid data range specification will fail.

• *REVOKED - A certificate owner may request that the issuing certificate authority declare a certificate to be revoked and thereby no longer consider that certificate to be valid. The authentication operation will fail if any of the certificates in the trust chain are found to have been revoked, or if the revocation status could not be determined

• *NOTAMPER – Negates the *TAMPER filter.

• *NOTTRUSTED – Negates the *TRUSTED filter.

• *NOTEXPIRED - Negates the *EXPIRED filter.

• *NOTREVOKED – Negates the *REVOKED filter.

162

CRTLIST

CRTLIST(*NONE| path/filename )

Specifies that PKUNZIP will create an output file with a list of entries that will be compressed based upon the selection criteria in the FILES and EXCLUDE parameters. This parameter only works with the TYPE set to *VIEW.

See parameter TYPLISTFL for file system type information.

*NONE No list file will be created.

path/filename Enter the file path and name of the file to create. The layout depends on which file system you want to create the file in.

Library File System: The format is "library/file(member)".

Integrated File System (IFS): The format is "path1/path2/../pathn/filename".

CVTDATA

CVTDATA(External Program Conversion Extended Data)

Specifies the extended data that is passed to the external program CVTNAME. When CVTFLAG is not *NONE, the contents of the parameter are passed to provide extended flexibility in controlling how the iSeries names are stored in the archive. See Appendix D for more details on the external program.

External Program Conversion Extended Data Specify up to 255 bytes of unedited data which is passed to the exit program CVTNAME to assist in controlling the program logic.

CVTFLAG

CVTFLAG(*NONE|Conversion Flags)

Specifies the flags passed to the external program CVTNAME. These are used to control how the iSeries names are stored in the archive. See Appendix D for more details on the external program.

The allowable values are:

*NONE Conversion exit is not active.

Conversion Flags Specify a 5-byte flag that is passed to the exit program CVTNAME to control the program logic. If the name passed back is blank, then conversion is referred back to the setting of the CVTTYPE parameter.

163

CVTTYPE

CVTTYPE(*NONE|*DROP|*SUFFIX)

Specifies how the files names in the archive will be converted to a file name in the iSeries library, file, and Member format. In the iSeries QSYS library system, the length of each name in the QSYS format can only be up to 10 characters. In other platforms, the file name formats (including MS/DOS) may have an extension with a period (.) separator which is not valid in the iSeries DB name. The file names in some cases may even exceed the 10-character limit. This parameter gives control over the file name conversion process.

Note: The conversion of file names may result in duplicate file names on the iSeries system. In this case, the rules for overwriting the files are in effect for duplicates (see the OVERWRITE option). If this is the case, using specific file inclusion and exclusion with multiple runs may be required to extract all of the files.

The allowable values are:

*SUFFIX This forces the removal of the period(.) extension and stores name truncating characters over 10 characters.

*NAMEFILE The extensions are considered to be file names or treated as a slash (/).

*DROP Drops all characters after the period(.) extension separator, and stores the name truncating characters over 10.

DFTDBRECLN

DFTDBRECLN (132|Record Length)

Specifies the record length to use when creating a file in the QSYS library system. If TYPFL2ZP parameter is *DB, and the file being extracted does not exist nor does extended attribute for the record length exist, the file will be created with the record length specified in this parameter.

The allowable values are:

132 Default is record length of 132 to match previous versions.

Record Length A decimal number from 50 to 32000.

DROPPATH

DROPPATH(*NONE|{*ALL| *LIB)

Used to drop the path(s) or libraries of files that are stored in the archives, therefore only using the file names in the archive. This is used along with the keyword EXDIR where the default paths are defined when dropping the paths on files in the archive.

For example, if the file in the archive is “path1/path2/filename” (IFS) or “library/file/member” (QSYS), and if DROPPATH is *ALL, the file being extracted

164

would be “filename” or “member”. If *LIB was used, the file being extracted would be path1/filename” or “file/member”.

See “Example 1 - PKUNZIP Files to a New or Different Library” in Appendix B for an example of using EXDIR and DROPPATH together.

The allowable values are:

*NONE Do not remove paths and/or libraries in the archive.

*ALL Remove all paths that are stored in the archive, leaving only an IFS file name or member name.

*LIB Remove only the first path (which in most cases could be the library).

ENTPREC

Encryption Recipients : LookUp Type . . . . . . . . *DB *DB, *LDAP, *FILE... Recipient . . . . . . . . . ______________________________________ Password (If Private) . . . ______________________________________ Required . . . . . . . . . . *RQD *RQD, *OPT + for more values _

Or

ENTPREC((*MBRSET 'pkwareCertAdmin04.cer' () *RQD)) ENTPREC((*FILE '/pkzshare/CStores/public/pkwareCertAdmin04.cer' () *RQD)) ENTPREC((*FILE '/pkzshare/CStores/public/pkwareCertAdmin04.pfx' (‘mypassword’) *RQD)) ENTPREC((*DB ‘EM=bill.Somebody@pkware.com' () *RQD)) ENTPREC((*LDAP ‘EM=bill.Somebody@pkware.com' () *RQD)) ENTPREC((*INLIST 'ATEST/INLIST(ENGNEER1)' *N)

The encryption/decryption recipient parameter defines one to many recipients which is to be included for the ZIP and UNZIP process. This parameter allows 1-4 types of certificate searches to take place along with providing the ability for an include file that may contain the recipients.

The specification of this recipient ENTPREC parameter, triggers encryption to take place during ZIP processing utilizing the found recipients along with any password that may be entered.

There are four options.

Lookup Type (*NONE |*DB |*LDAP |*FILE |*MBRSET |*SAME)

The Lookup type would be the type of recipient search that will be used for the recipient string.

• *DB - The Recipient string is defined to search using the Certificate Locator Database to access the digital certificate.

• *LDAP - The recipient string is defined to search using the LDAP server to access the digital certificate.

165

• *FILE - The recipient string is defined to read a specific file in a specific path in the IFS in order to access the digital certificate.

• *MBRSET - The recipient string is defined to read this specific file from the enterprise public certificate store to access the digital certificate.

• *INLIST- The recipient string defines a specific file that will contain one to many recipients.

Recipient (The recipient string name)

The recipient string format depends on what was specified for the Lookup type.

• If type is *DB - The recipient string will either be an email address or the common name of the certificate. This depends on the configuration setting in PKCFGSEC parameter CERTDB. To override the default selection mode, you can prefix the string with EM= for email or CN= for the common name.

For example:

ENTPREC((*DB ‘bill.Somebody@pkware.com' () *RQD) (*DB ‘CN=bill Somebody' () *RQD) (*DB ‘EM=bill.Somebody@pkware.com' () *RQD))

• If type is *LDAP - The recipient string will either be an email address or the common name of the certificate depending on the search mode configuration setting in PKCFGSEC parameter LDAP. To override the default selection mode, you can prefix the string with EM= for email or CN= for the common name.

For example:

ENTPREC((*LDAP ‘bill.Somebody@pkware.com' () *RQD) (*LDAP ‘CN=bill Somebody' () *OPT) (*LDAP ‘EM=bill.Somebody@pkware.com' () *RQD))

• If type is *FILE - The recipient string is defined to read a specific file in a specific path of the IFS. This file should be Public-key X.509 file or private-key X.509 certificate file.

For example:

ENTPREC((*FILE '/pkzshare/CStores/public/pkwareCertAdmin04.cer' () *RQD))

The digital certificate file ‘pkwareCertAdmin04.cer’ will be in the full path '/pkzshare/CStores/public’.

• If type is *MBRSET - The recipient string is defined to read a specific file from public certificate store / private certificate store of the IFS. This file should be public-key X.509 file or private-key X.509 certificate file.

For example:

ENTPREC((*MBRSET 'pkwareCertAdmin04.cer' () *RQD))

The digital certificate file ‘pkwareCertAdmin04.cer’ will be in the full path of the public certificate store defined in the enterprise security configuration public store(parameter CSPUB). If a password was included, the file would be searched for in the enterprise security configuration private store (parameter CSPRIV).

• If type is *INLIST- The recipient string defines a full file name of an input list file that contains records of ENTPREC shortcut parameters. The type of file

166

will in the QSYS library file system if TYPLISTFL(*DB) is set and will be a path file name in the IFS if TYPLISTFL(*IFS) is set. The format of the ENTPREC shortcut parameters are define below in the *INLIST Usage section.

Password (Private Cert Password)

The password is only required if the certificate that is being selected is a private certificate. This option should be omitted if a public certificate will be utilized.

Required (*RQD|*OPT|*SAME)

If *RQD, then this recipient MUST be found during the selection and the certificate MUST be valid or the ZIP/UNZIP run will fail.

Usage Notes:

The ZIP process only requires a X.509 public-key format certificate to encrypt files. The UNZIP process requires X.509 private-key format certificate file to decrypt files and this will the input of a password.

For inlist that contains a password to open a private certificate, make sure that the security is sufficient to only allow the owner of the certificate to have read access. Otherwise this would leave a security hole where other users could browse the password.

*INLIST Usage:

If *INLIST is defined on the ENTPREC parameter, then the recipient filed will be a file that SecureZIP will read to include recipient. The format is very similar to the ENTPREC parameter describe above except each line recipient starts with “{RECIPIENT=” and is terminated by the “}” character with the semi-colon “;” as a separator for each entry.

{RECIPIENT=Lookup Type; Recipient; Password; Required}

Lookup Type See Lookup Type in ENTREC excluding the INLIST

Recipient See Recipient in ENTREC.

Password See Password in ENTREC.

Required See Required in ENTREC, but use RDQ for *RQD and OPT for *OPT.

Examples:

{RECIPIENT=MBRSE;EM; mypassword;RQD}

Sample 1: tstpriv_db4.inlist. {RECIPIENT=DB;EM=PKTESTDB4@nowhere.com;PKWARE;RQD}

Sample 2: tstpriv_mb3.inlist. {RECIPIENT=MBRSET;pktestdb3.pfx;PKWARE;RQD}

167

Sample 3: tstpubl.inlist.

{RECIPIENT=MBRSET;pktestdb3.crt;;RQD} {RECIPIENT=MBRSET;pktestdb4.crt;;OPT}

Sample 4: tstpubl2.inlist.

{RECIPIENT=DB;EM=PKTESTDB3@nowhere.com;;RQD} {RECIPIENT=DB;CN=PKWARE Test4;;OPT}

EXCLFILE

EXCLFILE(*NONE| path/filename)

This parameter specifies the file containing the list of files to be excluded. This can be used with or without the EXCLUDE parameter. See parameter TYPLISTFL for file system type information.

*NONE No list file will be processed.

path/filename Enter the file path and the name of the file to process. The layout depends on which file system you want the file created.

Library File System: The format is "library/file(member)".

Integrated File System (IFS): The format is "path1/path2/../pathn/filename".

EXCLUDE

EXCLUDE(file_specification1, file_specification2,... file_specification n )

Specifies the files and file specification patterns that will be excluded from the PKUNZIP run. One or more names can be specified. Each name should be in the OS/400 file system format, such as, QSYS is library/file(member) and IFS is directory/file, and can include wildcards “*” and “?”.

Note: If TYPE(*VIEW) is being used, then the format for these names is the MS/DOS format.

The PKUNZIP program can also exclude file specifications by using the list file parameter EXCLFILE with a list of names to exclude.

Please refer to Chapter 5 for details of file specification formatting.

The valid parameter values for the FILES keyword are as follows:

'file_specification 1'

'file_specification 2'...

'file_specification n'

168

EXDIR

EXDIR(*CURRENT| path)

If there are no paths stored in the archive file name, EXDIR specifies the default path to store the files being extracted. The path definition depends on the “file system type” in parameter TYPFL2ZP. This will happen when the files come from a PC or if the files were compressed with SecureZIP for iSeries using the STOREPATH(*NO) parameter.

If the “file system type” is IFS, EXDIR will be the paths defined for your iSeries open systems and the default path will be the current directory settings (issue the command DSPCURDIR to see the current directory settings).

If the “file system type” is the library file system, the path will be either a library or a library/filename. The default is *CURLIB/UNZIPPED and if the file UNZIPPED does not exist, then it is created with a record length of 132. It is best to create a default file with the record length of your choice, because if a text file is extracted with a record length greater than the file’s record length, the record will be truncated to fit the record length.

If EXDIR is coded with keyword MBR and the file system is the QSYS library system, PKUNZIP will use the member name for the file name. For example: EXDIR('newlib/MBR') and DROPPATH(*ALL) parameters are coded and the file name in archive is "mylib/myfile/mymbr", the file will be extract to the file "newlib/mymbr(mymbr)". This is only valid for TYPFL2ZP(*DB) files.

EXDIR is also used when the archive file is a GZIP archive and there is no file name stored in the archive. In this case, EXDIR becomes a required field.

*CURRENT Current directory for IFS or *CURLIB/UNZIPPED for the QSYS library file system.

path Enter the path or path/path/.. in which to extract. The layout depends on the file system in which the file is to be created.

Library File System: The format is "library/file".

Integrated File System (IFS): The format is "path1/path2/../pathn".

FILES

FILES(file_specification1, file_specification2,... file_specification n)

Specifies the files and file specification patterns that will be selected in the PKUNZIP process. One or more names can be specified. Each name should be in the OS/400 file system format, such as, QSYS is library/file(member), and IFS is directory/file, and can include wildcard “*” and “?”.

Note: If TYPE(*VIEW) is being used then the format for these names is the MS/DOS format.

The PKUNZIP program can also have file specification selections to include by using the list file parameter INCLFILE with a list of names to select.

169

Files may also be excluded. See the EXCLUDE parameter.

Please refer to Chapter 5 for details of file specification formatting.

The valid parameter values for the FILES keyword are as follows:

'file_specification 1'

'file_specification 2'

'file_specification n'

FILETYPE

FILETYPE(*TEXT|*BINARY|*EBCDIC|*DETECT)

Specifies whether the files selected are treated as text or binary data. For text files added to an archive, trailing spaces in each line are removed, the text is converted to ASCII (based on the translation tables) by default, and a carriage return and line feed (CR/LF) are added to each line before the data is compressed into the archive. Binary files are not converted at all.

There are attributes which indicate how a file was compressed (TEXT, BINARY, or a SAVF) in the archive headers. The default setting (and recommended) is *DETECT, which analyzes the header to determine the file type. To view the attribute settings of a file, use the VIEWOPT( *DETECT).

If the file is a SAVF, then it will be processed as BINARY, regardless of any option that you select.

*DETECT Uses the attribute setting that is stored in the archive to determine the file type.

*TEXT Specifies that the files selected are text files and translation will be performed using the translate tables specified in the TRAN option.

*BINARY Specifies that the files selected are binary files and no translation should be performed.

*EBCDIC Specifies that the files selected are text files and leaves it in EBCDIC without performing any translation. This is good only if the files are to be used on an iSeries or IBM-type mainframe. If they are unzipped to a PC file, then a translation from EBCDIC to ASCII is required.

FTRAN

FTRAN(*INTERNAL| Member Name )

Specifies the translation table for use with translating "file names, comments, and password" from the iSeries EBCDIC character set to the character set used in the archive file (normally ASCII character set). A default internal table is predefined. See Appendix F - Translation Tables for additional information.

170

*INTERNAL Use the predefined internal table for translation. Using this is initially faster because PKUNZIP does not have to parse the override table.

membername Specify the member name in the file PKZTABLES that will be parsed and used to translate "File names and comments" files to the archive character set. The member should have the exact format of member UKASCII in file PKZTABLES. See Appendix F for information on defining translation tables.

IFSCDEPAGE

IFSCDEPAGE(*NO | Code-Page)

If this option is set to *NO, PKUNZIP will write IFS files with the code page that is registered for the file, or will use the default job code page if no code page is set in the file attributes. Otherwise, PKUNZIP will write IFS files with the specified code page.

Note: If files are to be extracted to a case sensitive file system, the case sensitive format of file names must be used before they can be selected.

The allowable values are:

*NO The PKUNZIP program will read IFS files with the code page registered for the file. This is the default.

Code-Page The PKUNZIP program will write the IFS files with the specified code page value.

INCLFILE

INCLFILE(*NONE| path/filename)

This parameter specifies the file containing the list of files to be selected for including. This can be used with or without the FILES parameter. See parameter TYPLISTFL for file system type information.

*NONE No include list file will be processed. This is the default.

path/filename Enter the file path and name of the file to process. The layout depends on which file system you want the file created.

Library File System: The format is "library/file(member)".

Integrated File System (IFS): The format is "path1/path2/../pathn/filename".

171

MSGTYPE

MSGTYPE(*PRINT|*SEND|*BOTH)

Specifies where the display of messages and information should be shown. The PKUNZIP program can send messages which appear on the log, and also may print to stdout and stderr. If working interactively, stdout and stderr will display upon the dynamic screen. If submitted via batch, you can override them to print in an OUTQ, or you can build a CL and save them to an outfile.

*SEND Send the information to the log with send message commands.

*PRINT Send the information to stdout and stderr.

*BOTH Send the information to the log with send message commands and also to stdout and stderr.

OVERWRITE

OVERWRITE(*NO|*YES|*PROMPT}

Controls how PKUNZIP reacts to files that are being extracted and the file already exists. To help prevent accidental overwriting of files, the default is *PROMPT.

The allowable values are:

*YES Always overwrite files. If the file exists, the file will be overwritten with no message or prompting.

*NO Never overwrite files. If the file already exists then the archive file will be skipped and not extracted. This is the default.

*PROMPT When a file being extracted already exists, PKUNZIP will issue the warning message AQZ0262 and prompt the user for the required action.

PASSWORD

PASSWORD(Archive Password)

Specifies a password to be used for files that were added to the archive with a password. This password may be up to 64 characters in length and is case-sensitive. All files selected for archiving will be checked for encryption using the specified password. Files in the archive may have different passwords. If so, PKUNZIP must be run once for each password.

Since the password in entered in EBCDIC, the translation table referenced in the FTRAN parameter is used to translate it to ASCII. Care should be take when using the FTRAN override when using a password. To use password-protected files, the same FTRAN override option is required.

172

SFQUEUE

SFQUEUE (*DFT |Name)

Specifies the output queue that will be used as an override when extracting spool files. If no OUTQ library is specified, it will default to *LIBL.

The allowable values are:

*DFT The output queue that are in the spool file attributes will be used when extracting files.

OUTQ The specific OUTQ that will used when the spool file is extracted. It must be a valid output queue.

OUTQ Library The library where the OUTQ resides.

SPLUSRID

SPLUSRID (*DFT| User ID)

The user ID to use when extracting a spool file. If *DFT is used the user ID belonging to the spool file will be used when building the spool file.

The allowable values are:

*DFT Use user ID associated with spool file in the archive.

User ID Specify a valid user ID that the new extracted spool file will belong to. It must be a valid user ID on the OS/400.

Note on extracting Spool Files: To create or extract a spool file with PKUNZIP, the user must have *USE authority to the API QSPCRTSP. The normal setting for the API QSPCRTSP is authority PUBLIC(*EXCLUDE). The API authority is set this way so that system administrators can control the use of this API. This API has security implications because you can create a spooled file from the data of another spooled file. To allow user to extract spool files change the API authority on a need basis.

TRAN

TRAN(*INTERNAL| Member Name)

Specifies the translation table for use with translating data from the iSeries EBCDIC character set to the character set used in the archive file (normally the ASCII character set). A default internal table is predefined (see Appendix F).

*INTERNAL Use the predefined internal table for translation. Using this is initially faster because PKUNZIP does not have to parse the override table.

Member Name Specifies the member name in the file PKZTABLES that will be parsed and used to translate data files to the archive character set. The member should have the

173

exact format of member UKASCII in file PKZTABLES (see Appendix F for information on defining translation tables).

TYPARCHFL

TYPARCHFL(*DB|*IFS)

Specifies the type of file system in which the archive file will exist (see parameters ARCHIVE and TMPPATH for additional information).

*DB Archive files are to be in the QSYS library file system.

*IFS Archive files are to be in the integrated files system (IFS).

TYPFL2ZP

TYPFL2ZP(*DB|*IFS)

Specifies the type of file system that contains the files to be unzipped. Reflected for files in parameters FILES and EXCLUDE.

*DB Files to be unzipped are in the QSYS library file system.

*IFS Files to be unzipped are in the IFS (integrated files system).

TYPLISTFL

TYPLISTFL(*DB|*IFS)

Specifies the “type of files system” that will be used for the input list file and/or the output list file of selected items.

To use input list files, see parameters INCLFILE (file section list) or EXCLFILE (file exclude list). To create an output list file of the selected files items, see parameter CRTLIST.

*DB Files are in the QSYS library file system.

*IFS Files are in the IFS(integrated file system).

VERBOSE

VERBOSE(*NORMAL|*NONE| *ALL|*MAX )

Specifies how the detail will be displayed during a PKUNZIP run.

The allowable values are:

*NORMAL Displays most informative messages to show PKUNZIP is processing.

174

*NONE Displays only major exception information.

*ALL Displays all messages.

*MAX Used only for debugging purposes.

VIEWOPT

VIEWOPT(*NORMAL|*DETAIL|*BRIEF|*COMMENT|*FNE|*FNEALL)

Specifies the level of information produced when viewing the archive.

The allowable values are:

*NORMAL Shows the original file length, compression method, compressed size, compression ratio, file date and time, 32-bit CRC value, and file name for each file in the archive.

*DETAIL Shows very detailed technical information about each file in the archive. It will also show all extended attribute (extra data fields) information that was stored in the archive produced by PKZIP (only if the PKZIP keywords EXTRAFLD(*YES) or DBSERVICE(*YES) were specified).

*BRIEF Shows the original file length, file date and time, and file name for each file in the archive.

*COMMENT Same as the *NORMAL option, but also shows any file comments stored on a separate line after its details.

*FNE Shows the archive’s file name encryption properties.

*FNEALL Shows the archive’s file name encryption detail properties including the allowable recipients.

VIEWSORT

VIEWSORT(*ASIS|*DATE|*DATER|*NAME|*NAMER|*PERCENT|*PERCENTR| *SIZE|*SIZER))

Specifies the sequence of the viewing display.

The allowable values are:

*ASIS List the files in the sequence in which they are stored in the archive, such as, as is.

*DATE List the files in ascending order of the file’s date & time as stored in the archive.

*DATER List the files in descending order of the file’s date & time as stored in the archive.

*NAME List the files in ascending order of the file name as stored in the archive.

175

*NAMER List the files in descending order of the file name as stored in the archive.

*PERCENT List the files in ascending order of the compression percentage as stored in the archive.

*PERCENTR List the files in descending order of the compression percentage as stored in the archive.

*SIZE List the files in ascending order of the uncompressed file size as stored in the archive.

*SIZER List the files in descending order of the uncompressed file size as stored in the archive.

176

13 PKCFGSEC “Configure Security Parameters” Command

PKCFGSEC Command Summary with Parameter Keyword Format The PKCFGSEC command updates and views the SecureZIP security configuration file. This configuration file is where the enterprise security options and defaults reside.

Keywords are demarcated by spaces. In many case there are multiple entries for a parameter where each entry is again demarcated by spaces. For more information about the command process, reference the IBM home page for your version of the operating system.

Usage Notes It is recommended that you define your standard enterprise options in a CL using the PKCFGSEC command. Then as changes occur or new versions are upgraded the CL can be run to reset the parameters. This will also help if you need to temporarily change one or more settings, as the CL can provide a quick means to reset the configuration back to the enterprise setting.

TYPE ( ({*INSTALL} ) {IVIEW }

SECTYPE ( ZIP Secure Settings: ) SecureZIP Active {*SAME|*NO|*YES} AES 3DES Keys {*SAME|*NO|*YES } Password {*SAME|*NO|*RQD} Recipient Secure {*SAME|*NO|*RQD } File Signing1 {*SAME|*NO } Archive Signing11 {*SAME|*NO} File Authentication1 {*SAME|*NO } Archive Authentication1 {*SAME|*NO} File Name Encrypton {*SAME|*NO|*RQD| *OPT}

ADVCRYPT ( Freeze Method ) {*SAME } {*NONE } {AES} {AES128}

1 Not Active. Future Releases

177

{AES192} {AES256} {3DES } {DES } {RC4_128} {ADVANCE} Mode {*SAME } {BSAFE } {PKWARE} Hash {*SAME } {*SHA1 }

PASSWORD ( Min Length {1-200} ) Min Length {1-200} Hardening Options{0}1

SIGNPOL ( Signing Settings: ) Signing Hash {*SAME } {*SHA1} {*MD5} Validate Level {*SAME } {*VALIDATE} {*WARN } {*VALIDATELOCK} {*WARNLOCK} Lockdown {*SAME } {*NO} {*YES} Filters {*SAME } {*ALL} {*NONE} {*TRUSTED} {*EXPIRED} {*REVOKED} {*NOTTRUSTED} {*NOTEXPIRED} {*NOTREVOKED}

AUTHPOL ( Authenticate Filters: ) Validate Level {*SAME } {*NONE } {*VALIDATE} {*WARN } {*VALIDATELOCK} {*WARNLOCK} Lockdown {*SAME } {*NO} {*YES} Filters {*SAME } {*ALL} {*NONE} {*TAMPER} {*TRUSTED} {*EXPIRED} {*REVOKED} {*NOTAMPER} {*NOTTRUSTED} {*NOTEXPIRED} {*NOTREVOKED}

ENCRYPOL ( Encryption Filters: ) Validate Level {*SAME } {*VALIDATE} {*WARN } {*VALIDATELOCK} {*WARNLOCK} Lockdown {*SAME }

178

{*NO} {*YES} Filters {*SAME } {*ALL} {*NONE} {*TRUSTED} {*EXPIRED} {*REVOKED} {*NOTTRUSTED} {*NOTEXPIRED} {*NOTREVOKED}

DECRYPOL ( DecryptionFilters: ) 1 Validate Level {*SAME }

REVKEPOL ( Revocation Settings: ) CRL Type {*SAME } {*NONE } {*STATICCRL} Revoke Level {*SAME } 1 {*NONE}

CERTSELT ( Certificate Validation Level: ) Cert. Best Fit {*SAME } {*NONE } {*LATESTVALID} {*LASTVALID} {*FIRSTVALID} {*LATEST} {*LAST } {*FIRST } Cert. Secure Type{*SAME } 1 {*NONE } {*ENCRYPTION} {*SIGNING}

CERTDB (Certificate DataBase Locator: ) Active? {*SAME } {*YES } {*NO } Store Type {*SAME } {*NONE } {*LIB} Sequence {*SAME } {0-9 } Library {*SAME } {Library Name string } Search Mode {*SAME } {*EMAIL } {*CN}

CSPUB ( Certificate PUBLIC Store: ) Store Type {*SAME } {*NONE } {*PATH} Sequence {*SAME } {0-9 } Store Location {*SAME } {Path Name string }

CSPRVT ( Certificate PRIVATE Store: ) Store Type {*SAME } {*NONE } {*PATH} Sequence {*SAME }

179

{0-9 } Store Location {*SAME } {Path Name string }

CSCA ( Certificate CA Store: ) Store Type { *SAME } {*NONE } {*FILE} Sequence { *SAME } {0-9 } Store Location { *SAME } {Path/File Name string }

CSROOT ( Certificate ROOT Store: ) Store Type { *SAME } {*NONE } {*FILE} Sequence { *SAME } {0-9 } Store Location { *SAME } {Path/File Name string }

CSCRL ( Certificate CRL Store: ) Store Type { *SAME } {*NONE } {*FILE} Sequence { *SAME } {0-9 } Store Location { *SAME } {Path/File Name string }

CWRKPATH ( Certificate Work Path: ) Path Location { *SAME } {*NONE } {Path Name string }

ENTPREC ( Enterprise Encrypt Recipient: ) LookUp Type { *SAME } {*NONE} {*DB } {*LDAP } {*FILE } {*MBRSET } {*INLIST } Recipient {Recipient Name string } Required { *SAME } {*RQD } {*OPT }

LDAPACTV ( LDAP Definitions: ) Nbr Active LDAPs { *SAME } {Number of Active LDAPs }

180

LDAP1 (Primary LDAP: ) 1 Network Name { *SAME } {Network IP address or server Name } 1 Port {1-9999 } 1 Sequence {0-9 } 1 TimeOut {0-9999 } 1 Access User {LDAP User for Access } 1 Access Password {User Password } 1 Search Mode {*EMAIL } {*CN } 1 Start Node {Start Node Text String } 1 Test {N } {Y }

PKCFGSEC Command Keyword Details By using the *SAME as an option no changes will take place to the current security configuration file.

TYPE

TYPE(*UPDATE|*VIEW)

The type processing parameter indicates whether the security configuration should update the configuration file or view the current settings.

SECTYPE

ZIP Secure Settings: SecureZIP Active . . . . . *YES *NO, *YES, *SAME AES 3DES Keys . . . . . . . *YES *NO, *YES, *SAME Password . . . . . . . . . *NO *NO, *RQD, *SAME Recipient Secure . . . . . *NO *NO, *RQD, *SAME File Signing . . . . . . . *NO *NO, *SAME Archive Signing . . . . . *NO *NO, *SAME File Authentication . . . *NO *NO, *SAME Archive Authentication . . *NO *NO, *SAME File Name Encryption . . . *OPT *NO, *RQD, *OPT, *SAME

Or SECTYPE(*YES *YES *NO *NO *NO *NO *NO *OPT)

SECTYPE or PKZIP Secure Settings are the base security settings for ZIP and UNZIP processing and currently consist of six options:

SecureZIP Active (*NO|*YES|*SAME)

By setting this option to *YES activates the security configuration file. This is required to utilize the security features in SecureZIP. .

AES 3DES Keys (*NO|*YES|*SAME)

The purpose of this switch is to maintain compatibility with Windows (pre-XP) systems where the private key certificate was not imported with "Mark the private

181

key as exportable". This has importance when sharing AES-encrypted files with recipients. See the section on Windows compatibility for more information.

Password (*NO|*RQD|*SAME)

The Password option if coded *YES, will force the ZIP process to always require a password when compressing a file.

Recipient Secure (*NO|*RQD|*SAME)

The Recipient Secure option if coded *YES, will force the ZIP process to always require at least one valid recipient when compressing a file.

File Signing (*NO |*YES |*SAME)

Allows SecureZIP to digitally sign the files in the archive.

Archive Signing (*NO |*YES |*SAME)

Allows SecureZIP to Digitally sign the archive’s central directory.

File Authentication (*NO |*YES |*SAME)

Allows SecureZIP to authenticate the files in the archive that has been digitally signed.

Archive Authentication (*NO |*YES |*SAME)

Allows SecureZIP to authenticate the archive’s directory that has been digitally signed.

File Name Encryption (*NO |*RQD |*OPT |*SAME)

The file name encryption option allows the user to mask the names of files in the archive for added security.

*NO – The ZIP process is not allowed to create filename-encrypted archives (that is, FNE(*NO) is required).

*RQD – All ZIP runs must specify the FNE(*YES) to create filename-encrypted archives.

*OPT – Creating filename-encrypted archives is optional for ZIP runs (that is, FNE(*YES) is allowed in the ZIP jobs).

ADVCRYPT

Advance Encryption: Freeze Method . . . . . . > AES128 *SAME, *NONE, AES, AES128... Mode . . . . . . . . > BSAFE PKWARE, BSAFE, *SAME

Or ADVCRYPT(AES128 BSAFE )

182

The Advanced encryption parameter controls the enterprise settings for encryption when zipping or compressing files. There are the following option settings for ADVCRYPT:

Method (AES|AES128|AES192|AES256|3DES|DES RC4_128| Advance|*SAME|*NONE)

The Method option if coded other than *NONE, will force the ZIP process to always require the encryption algorithm selected. If AES is selected then all AES algorithms are allowed. If Advance is selected then encryption is required with any algorithm except ZIPSTD.

Mode (PKWARE|BSAFE |*SAME)

The advanced encryption mode selects which algorithm modes to use. PKWARE use the SecureZIP/PKZIP exclusive implementation of the AES. BSAFE use the SecureZIP/PKZIP implementation of the RSA Security, Inc. CERT-C for AES, 3DES, DES and RC4 128 key.

Hash (*SHA1 |*SAME)

A hash calculation is involved as part of the key manipulation for the encryption process. At this time only the SHA1 algorithm is supported.

Usage Notes

If the mode is MODE(PKWARE) and METHOD(*NONE) or ADVANCE, then if on the ZIP process the 3DES, DES, or RC4 is selected for the algorithm, the BSAFE implementation is used.

PASSWORD

Archive Password Specs: Min Length . . . . . . . . > 1 1-200, *SAME Max Length . . . . . . . . > 200 1-200, *SAME Hardening Options . . . . . > 0 *SAME, 0, 1, 2

Or PASSWORD(1 200 0) or PASSWORD(1 200)

The Password parameter defines the enterprise settings when the ZIP process provides a password. There are three options.

Min Length (1-200|*SAME)

The minimum length option is the enterprises required minimum length when a password is provided in the ZIP process. The default is 1. The windows version requires the minimum password length to be 8 or more.

Max Length (1-200|*SAME)

The maximum length option is the enterprises required maximum length when a password is provided in the ZIP process. The default is 200.

183

Hardening Options (0,1,2|*SAME)

The password hardening option is reserved for future releases of SecureZIP.

SIGNPOL

Signing Settings: Signing Hash . . . . . . . . *SAME *SAME, *SHA1, *MD5 Validate Level . . . . . *SAME Lockdown Filters . . . . *SAME *NO, *YES, *SAME Filters . . . . . . . . . *SAME *SAME, *ALL, *NONE... + for more values

Or

SIGNPOL (*SHA1 *WARN *NO (*ALL *NOTREVOKED) ) SIGNPOL (*SHA1 *VALIDATELOCK *YES (*ALL *REVOKED) )

When signing a file or archive, SIGNPOL will define the HASH ALGORITHM, the error validation levels, and the CERTIFICATE filters for the signers certificates selected.

Signing Hash (*SHA1 | *MD5 |*SAME)

Specifies the hashing algorithm that is used to generate a digital signature. It applies to the active Signing files and archives during a ZIP run.

Options:

*SHA1 The default algorithm generates a 20-byte hash value. This algorithm is supported by all SecureZIP products.

The information below is from FIPS 180-1:

This Standard specifies a Secure Hash Algorithm, SHA-1, for computing a condensed representation of a message or a data file. When a message of any length < 264 bits is input, the SHA-1 produces a 160-bit output called a message digest. The message digest can then be input to the Digital Signature Algorithm (DSA) which generates or verifies the signature for the message. Signing the message digest rather than the message often improves the efficiency of the process because the message digest is usually much smaller in size than the message. The same hash algorithm must be used by the verifier of a digital signature as was used by the creator of the digital signature.

The SHA-1 is called secure because it is computationally infeasible to find a message which corresponds to a given message digest, or to find two different messages which produce the same message digest. Any change to a message in transit will, with very high probability, result in a different message digest, and the signature will fail to verify.

*MD5 This algorithm generates a 16-byte hash value. It is included for compatibility with older releases of PKZIP on other platforms, which previously supported this algorithm.

184

Processing Notes

The entire data stream (archive central directory or file data) is run through the hash algorithm before compression or encryption. However, file text data is translated before hashing so that the receiving system is able to hash the identical stream after decryption/decompression.

During authentication operations, SecureZIP for iSeries will dynamically detect which algorithms had been used for signing and perform the necessary processing to validate the signature.

Validation Level (*VALIDATE | *WARN | *VALIDATELOCK | *WARNLOCK |*SAME)

The validation level defines the error level for failure, if an error occurs with the selection of a certificate for signing fails the filters.

Options:

*VALIDATE If an error occurs then the ZIP job will issue that a failure occurred and will not continue.

*WARN If an error occurs then the ZIP will continue and will not issue that an error occurred at the end of the ZIP process.

*VALIDATELOCK Same as *VALIDATE, but will also not allow a ZIP to run with an option for SIGNPOL other than what is defined for the enterprise system. A warning message will be issued and the run will continue using the enterprise settings.

*WARNLOCK Same as *WARN, but will also not allow a ZIP to run with an option for SIGNPOL other than what is defined for the enterprise system. A warning message will be issued and the run will continue using the enterprise settings.

Lockdown Filters (*NO | *YES | *SAME)

Provides the ability to lockdown the filters so they can not be changed at run time.

By specifying *YES, the enterprise settings will be in lockdown mode. If the SIGNPOL in the PKZIP command is other than *SYSTEM, a warning message will be issued and the enterprise settings will be used for the run.

Filters (*ALL | *NONE | * TRUSTED | *EXPIRED | *REVOKED | *NOTTRUSTED | *NOTEXPIRED | *NOTREVOKED |*SAME)

The signing filter defines the level of processing that Signing Files and Signing Archives certificate selection will perform during SECZIP execution.

Options:

*ALL *TRUSTED, *EXPIRED, and *REVOKED are used.

*NONE *NOTTRUSTED, *NOTEXPIRED, and *NOTREVOKED are used

185

*TRUSTED Each end-certificate used in the signature must be traced back to a trusted root certificate. The CSCA and CSROOT stores on the local system performing the authentication check will be accessed to determine if the entire certificate chain can be trusted. Although the Root (“self-signed”) certificate may be included within the archive, it MUST also exist in the CSROOT store to complete the TRUSTED state.

*EXPIRED The digital certificates used for the signing operation contains internal date ranges of validity. The certificate selection operation will fail if any of the certificates in the trust chain are not found to be within their stated data range. Note that an end-certificate may have expired at the time that the archive is being accessed, and NOTEXPIRED may be used to continue processing.

*REVOKED A certificate owner may request that the issuing certificate authority declare a certificate to be revoked and thereby no longer consider that certificate to be valid. The signing certificate selection operation will fail if any of the certificates in the trust chain are found to have been revoked or if the revocation status could not be determined.

*NOTTRUSTED *TRUSTED is not validated for signing certificates.

*NOTEXPIRED *EXPIRED is not validated for signing certificates.

*NOTREVOKED *REVOKED is not validated for signing certificates.

AUTHPOL

Authenticate Filters: Validate Level . . . . . *SAME Lockdown Filters . . . . *SAME *NO, *YES, *SAME Filters . . . . . . . . . *SAME *SAME, *ALL, *NONE... + for more values

Or:

AUTHPOL (*SHA1 *WARN *NO (*ALL *NOTREVOKED) ) AUTHPOL (*SHA1 *VALIDATELOCK *YES (*ALL *REVOKED) )

AUTHPOL defines the level of processing that authentication process will perform. AUTHPOL fully defines the signature authentication elements to be verified in both PKZIP and PKUNZIP. If not locked down the default settings may be changed by the SecureZIP run.

Validation Level (*VALIDATE | *WARN | *NONE | *VALIDATELOCK | *WARNLOCK |*SAME)

The validation level defines the error level for failure, if an error occurs with the selection of a certificate for authenticating fails the filters.

186

Options:

*VALIDATE If an error occurs, then the ZIP job will issue that a failure occurred and will not continue.

*WARN If an error occurs, then the ZIP will continue and will not issue that an error occurred at the end of the ZIP process.

*NONE If an error occurs then the ZIP will continue and will not issue that an error occurred at the end of the ZIP process.

*VALIDATELOCK Same as *VALIDATE, but will also not allow a ZIP to run with an option for AUTHPOL other than what is defined for the enterprise system. A warning message will be issued and the run will continue using the enterprise settings.

*WARNLOCK Same as *WARN, but will also not allow a ZIP to run with an option for AUTHPOL other than what is defined for the enterprise system. A warning message will be issued and the run will continue using the enterprise settings.

Lockdown Filters (*NO | *YES | *SAME)

Provides the ability to lockdown the filters so they can not be changed at run time.

By specifying *YES, the enterprise settings will be in lockdown mode. If the AUTHPOL in the PKZIP command is other than *SYSTEM, a warning message will be issued and the enterprise settings will be used for the run.

Filters (*ALL | *NONE | *TAMPER | *TRUSTED | *EXPIRED | *REVOKED | *NOTAMPER | *NOTTRUSTED | *NOTEXPIRED | *NOTREVOKED |*SAME)

The authentication filter defines the level of processing that authenticating Files and authenticating Archives certificate selection will perform during SECZIP execution.

Options:

*ALL *TAMPER, *TRUSTED, *EXPIRED, and *REVOKED are used.

*NONE *NOTAMPER, *NOTTRUSTED, *NOTEXPIRED, and *NOTREVOKED are used.

*TAMPER The signature associated with the archive or file(s) involved will be used to verify that the content has not been altered since the archive was built.

*TRUSTED Each end-certificate used in the signature must be traced back to a trusted root certificate. The CSCA and CSROOT stores on the local system performing the authentication check will be accessed to determine if the entire certificate chain can be trusted. Although the Root (“self-signed”) certificate may be included within the

187

archive, it MUST also exist in the CSROOT store to complete the TRUSTED state.

*EXPIRED The digital certificates used for the signing operation contains internal date ranges of validity. The certificate selection operation will fail if any of the certificates in the trust chain are not found to be within their stated data range. Note that an end-certificate may have expired at the time that the archive is being accessed, and NOTEXPIRED may be used to continue processing.

*REVOKED A certificate owner may request that the issuing certificate authority declare a certificate to be revoked and thereby no longer consider that certificate to be valid. The signing certificate selection operation will fail if any of the certificates in the trust chain are found to have been revoked or if the revocation status could not be determined.

*NOTAMPER The signature associated with the archive or file(s) involved will NOT verify.

*NOTTRUSTED *TRUSTED is not validated for signing certificates.

*NOTEXPIRED *EXPIRED is not validated for signing certificates.

*NOTREVOKED *REVOKED is not validated for signing certificates.

ENCRYPOL Encryption Filters: Validate Level . . . . . *SAME Lockdown Filters . . . . *SAME *NO, *YES, *SAME Filters . . . . . . . . . *SAME *SAME, *ALL, *NONE... + for more values

Or:

ENCRYPOL (*WARN *NO (*ALL *NOTREVOKED) ) ENCRYPOL (*VALIDATELOCK *YES (*ALL *REVOKED) )

When encrypting a file with digital certificate, the certificates must meet a certain standard. ENCRYPOL defines the error validation levels and the certificate filters for the encrypting certificates selected.

Validation Level (*VALIDATE | *WARN | *VALIDATELOCK | *WARNLOCK |*SAME)

The validation level defines the error level for failure, if an error occurs with the selection of a certificate for signing fails the filters.

Options:

*VALIDATE If an error occurs, then the ZIP job will issue that a failure occurred and will not continue.

*WARN If an error occurs, then the ZIP will continue and will not issue that an error occurred at the end of the ZIP process.

188

*VALIDATELOCK Same as *VALIDATE, but will also not allow a ZIP to run with an option for ENCRYPOL other than what is defined for the enterprise system. A warning message will be issued and the run will continue using the enterprise settings.

*WARNLOCK Same as *WARN, but will also not allow a ZIP to run with an option for ENCRYPOL other than what is defined for the enterprise system. A warning message will be issued and the run will continue using the enterprise settings.

Lockdown Filters (*NO | *YES | *SAME)

Provides the ability to lockdown the filters so they can not be changed at run time.

By specifying *YES, the enterprise settings will be in lockdown mode. If the ENCRYPOL in the PKZIP command is other than *SYSTEM, a warning message will be issued and the enterprise settings will be used for the run.

Filters (*ALL | *NONE | * TRUSTED | *EXPIRED | *REVOKED | *NOTTRUSTED | *NOTEXPIRED | *NOTREVOKED |*SAME)

The encryption filters defines the level of processing that encrypting certificate selection will perform during SECZIP execution.

Options:

*ALL *TRUSTED, *EXPIRED, and *REVOKED are used.

*NONE *NOTTRUSTED, *NOTEXPIRED, and *NOTREVOKED are used

*TRUSTED Each end-certificate used in the signature must be traced back to a trusted root certificate. The CSCA and CSROOT stores on the local system performing the authentication check will be accessed to determine if the entire certificate chain can be trusted. Although the Root (“self-signed”) certificate may be included within the archive, it MUST also exist in the CSROOT store to complete the TRUSTED state.

*EXPIRED The digital certificates used for the signing operation contains internal date ranges of validity. The certificate selection operation will fail if any of the certificates in the trust chain are not found to be within their stated data range. Note that an end-certificate may have expired at the time that the archive is being accessed, and NOTEXPIRED may be used to continue processing.

*REVOKED A certificate owner may request that the issuing certificate authority declare a certificate to be revoked and thereby no longer consider that certificate to be valid. The signing certificate selection operation will fail if any of the certificates in the trust chain are found to have been revoked or if the revocation status could not be determined.

189

*NOTTRUSTED *TRUSTED is not validated for encrypting certificates.

*NOTEXPIRED *EXPIRED is not validated for encrypting certificates.

*NOTREVOKED *REVOKED is not validated for encrypting certificates.

REVKEPOL Revocation Settings: CRL Type . . . . . *SAME *STATICCRL, *NONE, *SAME Revoke Level . . . . . . *SAME *SAME, *NONE

Or:

REVKEPOL (*SHA1 *WARN *NO (*ALL *NOTREVOKED) ) REVKEPOL (*SHA1 *VALIDATELOCK *YES (*ALL *REVOKED) )

REVKEPOL defines the type and level of CRL processing, if any, that will take place. Currently only a static CRL is available.

CRL Type (*STATICCRL | *NONE |*SAME)

Defines type CRL processing that will take place with certificate analysis.

Options:

*STATICCRL Specifies CRL processing only on a static store that is updated with the PKSTORADM command. The timeliness of updates depends on the customer’s policies and the updating of the CRL store. This option requires that the CRL must be defined.

*NONE No CRL processing check will take place. With the option *NONE , no certificates will ever have the revoke status.

Revoke Level (*NONE | *SAME)

Currently not used. Reserved for future use.

*NONE To be defined.

CERTSELT

Certificate Validation Level: Cert. Best Fit . . . . . . . > *NONE *NONE, *LATESTVALID... Cert. Secure Type . . . . . > *NONE *NONE, *ENCRYPTION...

Or CERTSELT(*NONE *NONE )

The certificate validation level defines how SecureZIP will select a digital certificate when there is more than one certificate available from an LDAP or database selection. There are two options.

190

Cert. Best Fit (*NONE|*LATESTVALID|*LASTVALID|*FIRSTVALID|*FIRST|*LAST|*LATEST|*SAME)

This command assists in restricting the number or type of certificates being used to represent a user or organization for each encrypted file.

When using LDAP or the database to locate public-key certificates for recipients, it is possible to locate more than one certificate for a target recipient. For example, if a user obtains a new certificate each year, then multiple certificates may represent that user within the LDAP. It may also be possible for a user to have certificates from multiple certificate authorities (e.g. Verisign, Thawte), or multiple certificates for different purposes (encryption vs. signing).

In any of the above conditions, a ZIP process may result in multiple recipient certificates being processed for the same target recipient (person or organization). Some organizations may desire to restrict the type or quantity of certificates being used for encryption. This can save processing resources and ZIP archive space.

Options:

*NONE No matching will be performed. Every certificate located in an LDAP server or database matching the search criteria will be added as a viable recipient.

*FIRST For each LDAP or database entry matching the search criteria, only the first certificate stored in that entry will be included, regardless of use type designated in the certificate or its valid date period. This use case depends on the certificate loading order used in the LDAP or database.

*LAST For each LDAP or database entry matching the search criteria, only the last certificate stored in that entry will be included, regardless of use type designated in the certificate or its valid date period. This use case depends on the certificate loading order used in the LDAP or Database.

*LATEST For each LDAP or database entry matching the search criteria, the most recent certificate stored in that entry will be included, regardless of use type designated in the certificate. Note that if multiple certificates are found within an LDAP entry, certificates with their validity period not yet starting will be excluded unless they are the only certificates within the entry. In that case, the first certificate found will be selected.

*FIRSTVALID For each LDAP or database entry matching the search criteria, the first certificate found with a use type set for encryption stored in that entry will be included, regardless of its valid date period. This use case depends on the certificate loading order used in the LDAP. If no entries are found with the use type set to encryption, then the first certificate found in the LDAP or database entry will be selected.

191

*LASTVALID For each LDAP or database entry matching the search criteria, the last certificate found with a use type set for encryption stored in that entry will be included, regardless of its valid date period. This use case depends on the certificate loading order used in the LDAP. If no entries are found with the use type set to encryption, then the first certificate found in the LDAP or database entry will be selected.

*LATESTVALID For each LDAP entry matching the search criteria, the most recent certificate found with a use type set for encryption also having the “best” date range for its validity period. This use case depends on the certificate loading order used in the LDAP. If no entries are found with the use type set to encryption, then the most recent certificate found in the LDAP entry will be selected. Note that if multiple certificates are found within an LDAP entry, certificates with their validity period not yet starting will be excluded unless they are the only certificates within the entry. In that case, the first certificate found will be selected.

Note: Regardless of the option selected, at least one certificate will be selected from an LDAP or database entry. Each certificate selected must be in valid X.509 public-key format.

Cert. Secure Type (*NONE| *ENCRYPTION| *SIGNING| |*SAME)

The certificate secure type forces the strict enforcement of digital certificate based upon on their purpose. An example would be if a certificate was for signing only and did not allow encryption then by specifying *ENCRYPTION, the certificate would not be valid.

CERTDB

Certificate DataBase Locator: Active? . . . . . . . . . . > *YES *NO, *YES, *SAME Store Type . . . . . . . . > *LIB *LIB, *SAME Sequence . . . . . . . . . > 0 0-9 Library . . . . . . . . . . > PKW81051S DB Library Search Mode . . . . . . . . > *EMAIL *EMAIL, *CN, *SAME

Or CERTDB(*YES *LIB 0 PKW81051S *EMAIL)

The certificate locator database parameter activates and defines the location and defaults of the certificate locator database files. There are five options.

Active? (*YES|*NO|*SAME)

To utilize the certificate locator database you must set this option to *YES. If this is *NO then all attempts to use the *DB option on recipients parameter in ZIP and UNZIP will fail.

192

Store Type (*LIB|*SAME)

The store type specifies what type of database store. At this time only *LIB for library is allowed.

Sequence (1-9*SAME)

The sequence defines the sequence of the database search when using the *SYSTEM option. This is reserved for future releases

Library (Library name|*SAME)

This defines where the database store exist and is used in combination with the “Store Type”. At this time only *LIB is allowed, so this option will define the library where the SecureZIP databases exist.

Search Mode Default (*EMAIL|*CN|*SAME)

The Search Mode default defines what type of search should be used when performing a database search and the search string prefix is not ‘CN=’ nor ‘EM=’. *EMAIL will use the email address contained in the certificate and *CN will use the common name of the certificate.

CSPUB

Certificate PUBLIC Store: Store Type . . . . . . . . > *PATH *PATH, *SAME Sequence . . . . . . . . . > 1 0-9 Store Location . . . . . . > '/pkzshare/CStores/public'

Or CSPUB(*PATH 1 '/pkzshare/CStores/public')

The certificate public store parameter defines the location and defaults for the public certificate store. A store location is required for certificate processing. Currently there are three options.

Store Type (*PATH|*SAME)

The store type specifies the type of store. At this time only *PATH is allowed and defines the “store Location” as a path in the integrated file system (IFS).

Sequence (1-9|*SAME)

The Sequence option defines the sequence of the public search when using the *SYSTEM option. This is reserved for future releases.

Store Location (location name|*SAME)

This defines the IFS path where the certificate store for individual public-key X.509 certificates resides on the local system.

193

CSPRVT

Certificate PRIVATE Store: Store Type . . . . . . . . > *PATH *PATH, *SAME Sequence . . . . . . . . . > 0 0-9 Store Location . . . . . . > '/pkzshare/CStores/private'

Or CSPRVT(*PATH 0 '/pkzshare/CStores/private')

The private certificate store parameter defines the location and defaults for the private certificate store. A store location is required for certificate processing. Currently there are three options.

Store Type (*PATH|*SAME)

The store type specifies the type of store. At this time only *PATH is allowed and defines the “Store Location” as a path in the IFS.

Sequence (1-9 |*SAME)

The Sequence defines the sequence of the private search when using the *SYSTEM option. This is reserved for future releases.

Store Location (location name|*SAME)

This defines the IFS path where the certificate store for individual private-key X.509 certificates resides on the local system.

Usage Notes

Private keys require a password to use or open.

CSCA

Certificate CA Store: Store Type . . . . . . . . > *FILE *FILE, *SAME Sequence . . . . . . . . . > 0 0-9 Store Location . . . . . . > '/pkzshare/CStores/CA/pkwareCA.store'

Or:

CSCA(*FILE 0 '/pkzshare/CStores/CA/ pkwareCA.store')

The certificate authority store parameter defines the location and defaults for the certificate authority store. A certificate authority store location is required to validate the certificate for trust and certificate revocation. Currently there are three options.

Store Type (*FILE|*SAME)

The store type specifies the type of store. At this time only *FILE is allowed to define the “Store Location” as a path/file in the IFS.

194

Sequence (1-9 |*SAME)

The Sequence defines the sequence of the private search when using the *SYSTEM option. This is reserved for future releases.

Store Location (location name|*SAME)

This defines the IFS full path and file name where the certificate authority store for public-key X.509 certificates reside on the local system. This store file is a file with a PKCS#7 format.

CSROOT

Certificate ROOT Store: Store Type . . . . . . . . > *FILE *FILE, *SAME Sequence . . . . . . . . . > 0 0-9 Store Location . . . . . . > '/pkzshare/CStores/Root/pkwareRoot.store'

Or CSROOT(*FILE 0 '/pkzshare/CStores/Root/ pkwareRoot.store')

The certificate root store parameter defines the location and defaults for the trusted root public store. A root store location is required to validate the certificate for trust and certificate revocation. Currently there are three options.

Store Type (*FILE|*SAME)

The store type specifies the type of store. At this time only *FILE is allowed to define the “Store Location” as a path/file in the IFS.

Sequence (1-9 |*SAME)

The sequence defines the sequence for the private search when using the *SYSTEM option. This is reserved for future releases.

Store Location (location name|*SAME)

This defines the IFS full path and file name where the trusted root public store for trusted root public-key X.509 certificates resides on the local system. This store file is a file with a PKCS#7 format.

CSCRL

Certificate CRL Store: Store Type . . . . . . . . > *FILE *FILE, *SAME Sequence . . . . . . . . . > 0 0-9 Store Location . . . . . . > '/pkzshare/CStores/CRL/pkwareCRL.store'

Or CSCRL(*FILE 0 '/pkzshare/CStores/ pkwareCRL.store')

The certificate CRL store parameter defines the location and defaults for the Certificate Revocation Store. A CRL store location is required to perform certificate revocation which is set in REVKEPOL parameter. Currently only a Static CRL is available and has three options.

195

Store Type (*FILE|*SAME)

The store type specifies the type of store. At this time only *FILE is allowed to define the “Store Location” as a path/file in the IFS.

Sequence (1-9 |*SAME)

The sequence defines the sequence of the private search when using the *SYSTEM option. This is reserved for future releases.

Store Location (location name|*SAME)

This defines the IFS full path and file name where the CRL (Certificate Revocation List) store resides on the local system. This store file is a file with a PKCS#7 format.

CWRKPATH

Certificate Work Path: Path Location . . . . . . > '/pkzshare/CStores/CTemp'

Or CWRKPATH ('/pkzshare/CStores/CTemp')

The certificate administration tools and certificate utility tools require the use of a temporary area in order to write temporary files during a process. CWRKPATH defines the path where the utilities can create and destroy temporary files. This area should give *PUBLIC full rights.

Path Location (Path name |*NONE |*SAME)

Specify the full path name for the certificate working path. If no changes are required, use *SAME. If the current path is to be cleared, use *NONE. Note by not defining a working path certain certificate utilities may operate correctly.

ENTPREC

Enterprise Encrypt Recipient: LookUp Type . . . . . . . . > *MBRSET *NONE, *DB, *LDAP, *FILE... Recipient . . . . . . . . . > 'pkwareCertAdmin04.cer' Required . . . . . . . . . . > *RQD *RQD *OPT, *SAME

Or ENTPREC(*MBRSET 'pkwareCertAdmin04.cer' *RQD)

The enterprise encrypt recipient (contingency key) parameter defines the enterprise or corporate defined recipient which should be included as a global or administrative access recipient. This enables the enterprise to decrypt and access the file(s) when other Recipients are no longer able or eligible.

The specification of this recipient does not trigger encryption to take place during ZIP processing in the same way as – ENTPREC parameter in the ZIP command. However, once strong encryption is specified, the value of this parameter is implicitly included in the run as if a - ENTPREC command had been invoked. This parameter follows the syntax of the ENTPREC in the PKZIP and PKUNZIP commands.

196

Currently there are three options.

Lookup Type (*NONE |*DB |*LDAP |*FILE |*MBRSET |*SAME)

The lookup type would be the type of recipient search that will be used for the recipient string.

• *NONE - Indicates no enterprise recipient is supplied.

• *DB - The recipient string is defined to search using the certificate locator database to access the enterprise certificate.

• *LDAP - The recipient string is defined to search using the LDAP server to access the enterprise certificate.

• *FILE - The recipient string is defined to search using a specific path and file in the IFS to access the enterprise certificate.

• *MBRSET - The recipient string is defined to search using a file in the enterprise public certificate store to access the enterprise certificate.

Recipient (The recipient file or name)

The common name (CN=) or email address (EM=) of the recipient(s). Also, the location on the Inlist file containing the recipient name(s).

Required (*RQD|*OPT|*SAME)

If *RQD, then anytime the ENTPREC is evoked in the PKZIP command, the recipient defined here is required for the ZIP process to complete successfully.

LDAPACTV

LDAP Definitions: Nbr Active LDAPs . . . . . > 3 1-3, *NONE, *SAME

Or LDAPACTV(3)

LDAPACTV define how many active LDAPS will be defined for SecureZIP. Currently the maximum is three.

LDAP1

Primary LDAP: 1 Network Name . . . . . . > '192.168.111.28' 1 Port . . . . . . . . . . > 389 1-9999 1 Sequence . . . . . . . . > 1 0-9 1 TimeOut . . . . . . . . . > 0 0-9999 1 Access User . . . . . . . > 'PKWAREADDEV\test' 1 Access Password . . . . . > 'xxxx' 1 Search Mode . . . . . . . > *EMAIL *EMAIL, *CN 1 Start Node . . . . . . . > 'cn=users,dc=pkwareaddev,dc=com'

197

1 Test . . . . . . . . . . > N N, Y

Or LDAP1('192.168.111.28' 389 1 0 'PKWAREADDEV\test' 'xxxx' *EMAIL 'cn=users,dc=pkwareaddev,dc=com' N)

The LDAP1, LDAP2 and LDAP3 parameters define from 1 to 3 LDAP server configurations. To access the LDAP, see your directory services administrator for the LDAP servers. Currently there are nine options for each LDAP.

Network Name (LDAP Server |*SAME)

The LDAP network name can be either the TCP/IP address of the LDAP server or if name resolution is supported this can be the server’s name.

Port (1-9999 |389)

Specifies the TCP port number the LDAP server is listening on. The standard LDAP port is 389, but each installation may vary, especially if it is a secured port.

Sequence (0-9|*SAME)

Specifies the search sequence of databases and LDAP servers. This is reserved for future releases.

Timeout (0-9999|*SAME)

Specifies the maximum number of seconds to wait for search results. 0 will use the default defined for the LDAP server.

Access User (Name of User|*SAME)

The distinguished name of the entry user that will be used to bind.

Access Password (Password |*SAME)

The credentials with which to authenticate the access user. Arbitrary credentials can be passed using this parameter. In most cases, this is the password for the access user.

Search Mode (*CN|*EMAIL|*SAME)

Specifies the default LDAP search mode that will be used if neither CN= nor EM= are prefixed on the recipient selection string.

Start Node (Distinguished name of where to start|*SAME)

Specifies the distinguished name of the entry at which to start the search (at what potion of the LDAP structure should the search begin)

Test (Y|N)

Specify whether to Test the current LDAP. By coding this option to a Y for YES, then after the command has updated the security configuration file, a verification test will

198

be performed for this LDAP. For more information on the results see the PKLDAPTST (Test LDAP) command.

LDAP Usage Notes:

Please be aware that the LDAP may not contain any encryption certificate validation policies. If the end user specifies only the LDAP, without a local CA and root stores for the environment, then the SecureZIP default validation settings of TRUSTED and REVOKED will be enforced for the run. This will cause the run to fail during validation of the trusted certificate path because there are no CA and Root certificates available for processing. If you wish to execute the SecureZIP with the LDAP only, then you will need to set your security environment policies or run policy for the authentication and encryption validation policies in the run for to exclude trust and revoke filters:

AUTHPOL(*WARN *NONE (*ALL *NOTTRUSTED *NOTREVOKED)) ENCRYPOL(*WARN (*ALL *NOTTRUSTED *NOTREVOKED))

Windows Compatibility When using BSAFE AES encryption with recipients, there is a cross-system compatibility issue to be addressed by the user community. Windows operating systems running pre-Win/XP may experience a decryption problem depending on the state of the private-key certificate on the workstation. During the Windows certificate import process, a dialog check-box "Mark the private key as exportable" may be selected. If this option was not selected, then Windows will not allow an AES encrypted file to be decrypted unless the master session key was wrapped with 3DES.

The security configuration parameter SECTYPE option "AES 3DES Keys" is introduced with RECIPIENT processing which allows the SecureZIP user to create AES-encrypted files that are compatible with older Windows workstations. When turned on, the MSK3DES flag is set in the NDH/DIB; indicating that the master session key information is protected with 3DES when recipients are specified.

PKZIP for Windows has a variance in processing between 6.0 and 7.x due to OAEP processing. PKZip for Windows 5.0 through 6.0 used OAEP processing. However, that was found to be incompatible with smartcards, so 6.1 and above began setting the NO_OAEP flag in the NDH/DIB flags and stopped creating OAEP encryption-mode files.

199

14 PKLDAPTST “LDAP Test” Command

PKLDAPTST Command Summary with Parameter Keyword Format PKLDAPTST is a utility command to assist in testing the LDAP servers that SecureZIP will use. This command is included to assist with the LDAP parameters and to verify LDAP access along with time access.

Keywords are demarcated by spaces. In many cases there are multiple entries for a parameter where each entry is again demarcated by spaces. For more information about command process reference the IBM Home page for your version of the operating system.

ACTION ( ({*SUMMARY} )

{*DETAILS }

SNAME ( Server Name or IP ) {Network IP address or server Name }

PORT ( Port Number ) {389 } {1-9999 }

USER ( Access User ) {LDAP User for Access }

PASSWORD ( Access Password ) {User Password }

STRNODE ( Start Node ) {Start Node Text String }

SEARCHFT ( Search Filter ) {'(cn=*)(userCertificate=*)'} { valid LDAP Search String }

200

MAXI ( Max Item ) {0-9999 }

PKLDAPTST Command Keyword Details

ACTION - Action Type

ACTION (*SUMMARY|*DETAILS)

Specifies how much to display.

*SUMMARY will show the times and the count of items returned.

*DETAILS will show the common name of all LDAP items selected.

SNAME - Server Name or IP

SNAME (LDAP Server)

The LDAP Server name can be either the TCP IP address of the LDAP server or if name resolution is supported this can be the server’s name.

PORT - Port Number

PORT (389 | 1-9999)

Specifies the TCP port number the LDAP server is listening on. The standard LDAP ports is 389 but each installation may vary, especially if it is a secured port.

USER - Access User

USER (Distinguish name of an authorized user for access)

Specifies the distinguished name of the entry user that will be used to bind the LDAP server.

201

PASSWORD - Access Password

PASSWORD (Password of the Access User if available)

Specifies the credentials with which to authenticate the access user. Arbitrary credentials can be passed using this parameter. In most cases, this is the password for the access user.

STRNODE - Start Node

STRNODE (Start Node Text String)

Specifies the distinguished name of the entry at which to start the search (at what potion of the LDAP structure should the search begin).

SEARCHFT - Search Filter

SEARCHFT ('(cn=*)(userCertificate=*)'| valid LDAP Search String)

Specifies the LDAP search string for the Test. The text must be a valid LDAP search string. The default string is '(CN=*)(userCertificate=*)', which will search for all common names that have a user certificate.

MAXI - Max Item

MAXI (100| 0-9999)

Specifies the maximum numbers of LDAP items to return for the test run. If this value exceeds the value defined for the LDAP server, it will take president over the MAXI value.

Sample Test:

SecureZIP LDAP Test 8.1 (PKLDAPTST) Type choices, press Enter. Action Type . . . . . . . . . . *SUMMARY *SUMMARY, *DETAIL Server Name or IP . . . . . . . > '192.168.132.25' Port Number . . . . . . . . . . 389 Character value Access User . . . . . . . . . . > 'PKWAREADDEV\test' Access Password . . . . . . . . Start Node . . . . . . . . . . . > 'cn=users,dc=pkwareaddev,dc=com' Search Filter . . . . . . . . . '(cn=*)(userCertificate=*)' Max Item . . . . . . . . . . . . > 100 Character value

Or:

PKLDAPTST SNAME('192.168.132.25') USER('PKWAREADDEV\test') PASSWORD() STRNODE('cn=users,dc=pkwareaddev,dc=com') MAXI(100)

202

Results:

PKLDAPTEST LDAP Test Starting 2004/07/22 06:23:34 PKLDAPTESTT Parameters:Action<T> - Server<192.168.132.25> Port<389> - User<PKWAREADDEV\test> Password<6> - Start Node<cn=users,dc=pkwareaddev,dc=com> - Search Filter<(&(cn=*)(userCertificate=*))> - Max Items to Search<100> ,100 LDAP_intialTest - --LDAP init ..... elasp time 0.000000 seconds LDAP_intialTest - --SizeLimit=100 TimeLimit=0 LDAP_intialTest - --LDAP bind ..... elasp time 0.000000 seconds LDAP_intialTest - --LDAP Search ..... elasp time 0.000000 seconds LDAP_intialTest - --LDAP Search ...... 21 entries found LDAP_intialTest - --LDAP Attributes ..... elasp time 0.000000 seconds LDAP_intialTest - Total Entries=21 PKLDAPTESTT LDAP Testing Ending RC=0

Or:

LDAP1('192.168.111.28' 389 1 0 'PKWAREADDEV\test' 'xxxx' *EMAIL'cn=users,dc=pkwareaddev,dc=com' N)

203

15 PKBLDCDB “Build Certificate Database” Command

PKBLDCDB Command Summary with Parameter Keyword Format PKBLDCDB is a utility command to build the certificate locator database files and set the security of the certificate file in the IFS.

NOTE: In order to use PKBLDCDB, the user must have the proper authority for the path/file and for the CHGAUT command.

Keywords are demarcated by spaces. In many cases there are multiple entries for a parameter where each entry is again demarcated by spaces. For more information about the command process, reference the IBM home page for your version of the operating system.

MAINT ( Processing Type )

{*UPDATE } {*TEST } {*VERIFY }

MTYPE ( Maint. Type ) {*FILE } {*DIRECTORY }

CTYPE ( Certificate Type ) {*PUBLIC } {*PRIVATE }

FNAME ( Path/File Name ) {Path and/or file name }

PASSWORD ( Cert Password ) {Certificate Private Key Password }

DUPOPT ( Replace Duplicates ) {*REPLACE} {*NOREPLACE}

204

LOGLVL ( Logging Level ) {*LOG } {*NOLOG } {*MAXLOG }

OWNER ( Cert. Owner ) {QPGMR } {*NONE } {Vaild User Id }

PUBAUTH ( PUBLIC Authority Settings: ) New data authorities {*SAME } {*RWX} {*RX} {*RW} {*WX} {*R } {*W } {*X } {*EXCLUDE} New object authorities {*SAME } {*ALL } {*OBJEXIST} {*OBJMGT} {*OBJALTER} {*OBJREF} {*NONE}

UIDAUTH ( New ID Authority Settings: ) New User ID {*CURRENT } {Valid User Id } New data authorities {*SAME } {*RWX} {*RX} {*RW} {*WX} {*R } {*W } {*X } {*EXCLUDE}

New object authorities {*SAME } {*ALL } {*OBJEXIST} {*OBJMGT} {*OBJALTER} {*OBJREF} {*NONE}

PKBLDCDB Command Keyword Details

MAINT - Processing Type

MAINT (*UPDATE |*TEST |*VERIFY)

The processing type determines the action that PKBLDCDB.

205

*UPDATE will update the certificate locator database.

*VERIFY will scan the certificate locator database and validate that all the files in the database still exist in their store. If the DUPOPT parameter is *REPLACE and the file in the database does not exist, that database record will be removed.

*TEST will simulate updating the certificate locator database, but will not perform any posting. This command is helpful to review for errors and/or counts.

MTYPE - Maintenance Type

MTYPE (*FILE|*DIRECTORY)

The maintenance type determines the type of path/file name in the parameter FNAME. If *FILE, then FNAME should be a specific certificate file (fully qualified path included). If *DIRECTORY, the FNAME should be the fully qualified path that will be scanned for the certificate file.

CTYPE - Certificate Type

CTYPE (*PUBLIC|*PRIVATE)

CTYPE specifies the type of certificates (private or public) will be processed in this run.

*PUBLIC specifies that only a public certificate should be processed. No password should be supplied.

*Private indicates that only private-key certificates should be processed and requires a password be entered.

FNAME - Path/File Name

FNAME (Path and/or file name )

The contents of FNAME contain the IFS file or directory that will be used to update the certificate locator database. To use a specific file, code MTYPE(*FILE) and enter the full path and file name of the specific certificate file. If MTYPE(*DIRECTORY), then enter the IFS fully qualified directory that PKBLDCDB will scan for certificates.

If you have all your public certificates in one store, it is easy to use *DIRECTORY to update the database in one run. For the most part, the private key processing will usually use *FILE for the run since private key certificates require a unique password.

If you want to use the path to the system store for public or private key certificates, and you want to enter only the file name, prefix the file name with {SP}. This inserts the appropriate system path for the path of the file name.

For example: FNAME('{SP}myfile.cer'). If CTYPE(*PUBLIC), the path of the enterprise store will be something like '/myroot/cstore/public/myfile.cer'.

206

PASSWORD - Certificate Password

PASSWORD (Certificate Private Key Password)

To access the contents of a private key certificate, processing requires the password assigned when the certificate was exported. When entering this password, note that it is used only to open the certificate to gather the database data and is not stored or saved. The certificate is not altered in any way.

DUPOPT - Replace Duplicates

DUPOPT (*REPLACE|*NOREPLACE)

The DUPOPT is used with MAINT(*UPDATE) and MAINT(*VERIFY). When using MAINT(*UPDATE), DUPOPT(*REPLACE) will replace the database entry with new data when a duplicate entry is encountered. *NOREPLACE will only occur if a duplicate was not found.

When using MAINT(*VERIFY) and a file in the certificate locator database cannot be found, PKBLCDB will remove the database entry for that file with DUPOPT(*REPLACE). With *NOREPLACE only an error message will be displayed.

LOGLVL - Logging Level

LOGLVL (*LOG|*NOLOG |*MAXLOG)

Specifies the level of logging (printing/viewing) during a PKBLDCDB run. LOGLVL(*NOLOG) will only show a minimal amount of information. LOGLVL(*MAXLOG) will show more details, with some of the detail useful only for problem determination.

OWNER - Cert. Owner

OWNER (*NONE | New Object Owner ID)

OWNER transfers object ownership for the IFS certificate files processed during a PKBLDCDB run from the current owner to the specified owner. The authority that other users have to the object does not change. Using *NONE will make no ownership changes.

Note: In order for this change to work, the user running PKBLDCDB must have the authority to execute the CHGOWN command and must have the authority to change the files ownership. Otherwise an error will occur. The database will be updated but the ownership will not be changed.

207

PUBAUTH - PUBLIC Authority Settings

PUBLIC Authority Settings: New data authorities . . . . . *SAME *SAME, *RWX, *RX, *RW, *WX... New object authorities . . . . *SAME *SAME, *ALL, *OBJEXIST... + for more values

New data authorities {*SAME |*RWX |*RX |*RW |*WX |*R |*W |*X |*EXCLUDE}

New object authorities {*SAME | *ALL | *OBJEXIST | *OBJMGT | *OBJALTER | *OBJREF | *NONE}

The PUBAUTH allows the PKBLDCDB run to change the PUBLIC authorities on the IFS files that are processed. By specifying “PUBAUTH(*SAME (*SAME))”, PKBLDCDB will not alter the file authority for PUBLIC.

The rules for the PUBAUTH parameter are the same as the CHGAUT command. For more information about changing PUBLIC authorities and the explanation of the data and object authorities, see the CHGAUT command.

Note: In order for this change work, the user running PKBLDCDB must have the authority to execute the CHGAUT command and must have the authority to change the IFS file authorities. Otherwise an error will occur. The database will be updated but the authorities will not be changed.

For details of the new data authorities and new object authorities, see the UIDAUTH parameter where the user would specify *PUBLIC.

UIDAUTH - New ID Authority Settings

New ID Authority Settings: New User ID . . . . . . . . . *NONE User Id, *CURRENT, *NONE New data authorities . . . . . *SAME *SAME, *NONE, *RWX, *RX... New object authorities . . . . *SAME *SAME, *NONE, *ALL... + for more values

New User ID {*NONE |*CURRENT | Valid User ID}

New data authorities {*SAME |*RWX |*RX |*RW |*WX |*R |*W |*X |*EXCLUDE}

New object authorities {*SAME | *ALL | *OBJEXIST | *OBJMGT | *OBJALTER | *OBJREF | *NONE}

The UIDAUTH allows the PKBLDCDB run to add/change a user’s authorities on the IFS files that are processed. Specifying UIDAUTH(*NONE) , no user authorities will be changed.

The rules for UIDAUTH parameter are the same as the CHGAUT command. For more information about changing object authorities and the explanation of the data and object authorities see the CHGAUT command.

Note: In order for this change work, the user running PKBLDCDB must have the authority to execute the CHGAUT command and must have the authority to change

208

the IFS file authorities. Otherwise an error will occur. The database will be updated but the authorities will not be changed.

UIDAUTH options are:

New User ID:

Specifies the user ID to whom authorities for the named file object are being given. If user ID is not *NONE, the authorities are given specifically to that user. The user ID must be a valid iSeries user ID. *CURRENT will use the ID of the user that is running the PKBLDCDB command.

New Data Authorities for the file:

Specifies the data authorities being given to the user specified in the new user ID parameter. If a value other than *SAME is specified, the value replaces any data authorities (*OBJOPR, *READ, *ADD, *UPD, *DLT, and *EXECUTE) that the user currently has to the objects.

The possible values are:

*SAME The user’s data authorities to the objects do not change.

*NONE The user does not have any of the data authorities to the objects.

*RWX The user is given *RWX authority to the objects. The user is given *RWX authority to perform all operations on the object except those limited to the owner or controlled by object existence, object management, object alter, and object reference authority. The user can change the object and perform basic functions on the object. *RWX authority provides object operational authority and all the data authorities.

*RX The user is given *RX authority to perform basic operations on the object, such as run a program or display the contents of a file. The user is prevented from changing the object. *RX authority provides object operational authority and read and execute authorities.

*RW The user is given *RW authority to view the contents of an object and change the contents of an object. *RW authority provides object operational authority and data read, add, update, and delete authorities.

*WX The user is given *WX authority to change the contents of an object and run a program or search a library or directory. *WX authority provides object operational authority and data add, update, delete, and execute authorities.

*R The user is given *R authority to view the contents of an object. *R authority provides object operational authority and data read authority.

209

*W The user is given *W authority to change the contents of an object. *W authority provides object operational authority and data add, update, and delete authorities.

*X The user is given *X authority to run a program or search a library or directory. *X authority provides object operational authority and data execute authority.

*EXCLUDE Exclude authority prevents the user from accessing the object.

New Object Authorities for the file(s):

Specifies the object authorities being given to the user specified in the user parameter. If a value other than *SAME is specified, the value replaces any object authorities (*OBJEXIST, *OBJMGT, *OBJALTER, and *OBJREF) that the user currently has to the objects.

The possible values are:

*SAME The user's object authorities to the objects do not change.

*NONE The user does not have any other object authorities (existence, management, alter, or reference). If *EXCLUDE or *AUTL is specified for the DTAAUT parameter, this value must be specified.

*ALL All of the other object authorities (existence, management, alter, and reference) are given to the users. Or specify up to four (4) of the following values:

*OBJEXIST The user is given object existence authority to the object.

*OBJMGT The user is given object management authority to the object.

*OBJALTER The user is given object alter authority to the object.

*OBJREF The user is given object reference authority to the object.

210

16 PKQRYCDB “Query Cert Database” Command

PKQRYCDB Command Summary with Parameter Keyword Format PKQRYCDB is a utility command to query the certificate locator database files or a certificate file in the IFS.

Keywords are demarcated by spaces. In many cases there are multiple entries for a parameter where each entry is again demarcated by spaces. For more information about the command process reference the IBM home page for your version of the operating system.

SecureZIP Query Cert Db 8.1 (PKQRYCDB) Type choices, press Enter. Processing Type . . . . . . . . *SUMMARY *SUMMARY, *LEVEL1, *ALL File Type . . . . . . . . . . . *DB *FILE, *DB, *P7B Certificate Type . . . . . . . . *ALL *PUBLIC, *PRIVATE, *ALL Selection Name . . . . . . . . . __________________________________________ _____________________________ Cert Password . . . . . . . . . Logging Level . . . . . . . . . *LOG *NOLOG, *LOG, *MAXLOG

PKQRYCDB Command Keyword Details

RUNTYPE - Processing Type

RUNTYPE (*SUMMARY|*LEVEL1 |*SELECT|*ALL)

The processing type determines the amount of details that PKQRYCDB will display. The possible type codes are:

*SUMMARY - Shows only one line per selected item and is based on the selection type (CN= or EM=)

*LEVEL1 - Displays the common name, email address and the certificate path and file name

211

*SELECT - Displays a display file of certificates based on the selection type. The items can be browsed or selected for a detail display of the certificates. If the certificate dates have expired, the dates will be highlighted.

*ALL - Displays a complete set of details for each certificate; could be 20-40 lines per file

FTYPE - File Type

FTYPE (*FILE| *DB | *P7B)

The file type determines the type of path/file name in the parameter FNAME.

If *DB is selected, PKQRYCDB will search the database based on the contents of the FNAME. For example, CN=Bill* will search for all certificates with a common name that starts with Bill regardless of upper case or lower case.

If *FILE is selected, then FNAME should be a very specific certificate file (full path included).

*P7B will read a specific file that should be in a P7B format. It will then do a detailed display for the contents of the P7B certificate store.

CTYPE - Certificate Type

CTYPE (*ALL| *PUBLIC | *PRIVATE)

CTYPE specifies the type of certificates, private or public, that will be processed in this run.

*ALL will process both public and private certificates.

*PUBLIC specifies that only public certificates should be processed. No password should be supplied.

*PRIVATE indicates that only private-key certificates should be processed and requires that a password be entered.

FNAME - File Name

FNAME (Path/File name)

If FTYPE is *DB, the FNAME contents will be the selection criteria for the certificate locator database. It should contain the prefix of the field to select, such as CN= for common name and EM= for email address. Selection is not case-sensitive. If the selection ends in an asterisk (*), a generic selection is made for all certificates starting with the selection criteria.

If FTYPE is *FILE, the contents of FNAME contains the IFS file that will used to query the certificate contents. Specify the full path and file name of the specific certificate file.

212

PASSWORD - Certificate Password

PASSWORD (Certificate Private Key Password)

Processing the private key certificate with RUNTYPE(*ALL) requires the password used when the certificate was exported to open and gather the contents. The password is used only to open the certificate to gather the database data; it is not stored or saved. The certificate is not altered in any way.

LOGLVL - Logging Level

LOGLVL (*LOG|*NOLOG |*MAXLOG)

Specifies the level of logging (printing/viewing) used during a PKQRYCDB run. LOGLVL(*NOLOG) shows only a minimal amount of information. LOGLVL(*MAXLOG) shows more details, with some of detail useful only for problem determination.

Sample Displays

Request RUNTYPE(*SUMMARY) to generate and display a report containing additional information about the certificate.

PKQRYCDB RUNTYPE(*SUMMARY) FNAME('cn=will*')

PKQRYCDB QUERY SecureZIP Cert DataBase starting------2004/11/16 07:37:28 PKQRYCDB Start Search Summary for <cn=will*> Public Key CN=William S. Somebody Public Key CN=William Somebody Public Key CN=William Somebody Private Key CN=William Somebody Public Key CN=William Somebody PKQRYCDB Run Totals: Total Records In Error =0 Total Records Processed =5 PKQRYCDB Scan ending------

Request RUNTYPE(*Level1) to generate and display a report containing additional information about the certificate.

PKQRYCDB RUNTYPE(*LEVEL1) FNAME('cn=will*')

213

PKQRYCDB QUERY SecureZIP Cert DataBase starting------2004/11/16 07:39:34 PKQRYCDB Start Search Level 1 for <cn=will*> Public Key CN=William S. Somebody EM=sombody@worldnet.att.net FN=William S. Somebody File </pkzshare/CStores/public/williamsSomebody.cer> Public Key CN=William Somebody EM=bill.Somebody@pkware.com FN=William Somebody File </pkzshare/CStores/public/billSomebody03.cer> Public Key CN=William Somebody EM=bill.Somebody@pkware.com FN=William Somebody File </pkzshare/CStores/public/bill_Somebody2003.cer> Private Key CN=William Somebody EM=bill.Somebody@pkware.com FN=William Somebody File </pkzshare/CStores/private/billSomebody03.pfx> Public Key CN=William Somebody EM=bSomebody@pkware.com FN=William Somebody File </pkzshare/CStores/public/billSomebody.cer> PKQRYCDB Run Totals: Total Records In Error =0 Total Records Processed =5 PKQRYCDB Scan ending------

Request RUNTYPE(*ALL) to generate and display a report containing additional information about the certificate.

PKQRYCDB RUNTYPE(*ALL) FTYPE(*FILE) FNAME('/pkzshare/CStores/public/billSomebody03.cer')

PKQRYCDB QUERY SecureZIP Cert DataBase starting------2004/11/16 07:43:50 --------------------------------------------------------- Public Key Found File </pkzshare/CStores/public/billSomebody03.cer> CN=William Somebody EM=bill.Somebody@pkware.com FN=William Somebody --- Certificate --- William Somebody Subject: O=VeriSign, Inc. OU=VeriSign Trust Network OU=www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98 OU=Persona Not Validated OU=Digital ID Class 1 - Microsoft Full Service CN=William Somebody E=bill.Somebody@pkware.com Issuer: O=VeriSign, Inc. OU=VeriSign Trust Network OU=www.verisign.com/repository/RPA Incorp. By Ref.,LIAB.LTD(c)98 CN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated SerialNumber: 3F55 2A91 2B5A 9F9B 46E0 D8A0 96DB DDAB NotBefore: Mon Jul 21 19:00:00 2003 NotAfter: Wed Jul 21 18:59:59 2004

214

SHA-1 Hash of Certificate: D5 CE FF A5 72 EF B6 53 EA 75 F7 CA 2E 01 85 7B 65 7C B8 E7 Public Key Hash: 6E 16 CF EF FA A0 99 25 2B 79 DE E6 23 C7 D7 42 80 82 F3 E4 End Entity PKQRYCDB Run Totals: Total Records In Error =0 Total Records Processed =1 PKQRYCDB Scan ending------

The following table explains the fields of the certificate details in the display.

Heading Description

Subject Information about the entity to whom the certificate was issued

Issuer Information about the entity that issued the certificate

SerialNumber Serial number of the certificate

NotBefore/NotAfter Date range for which the certificate is valid

SHA-1 Hash of Certificate The SHA-1 algorithm hash, or “thumbprint,” of the certificate

Public Key Hash The hash, or “thumbprint,” of the public key

Key Usage Key usage flags that determine how the certificate was intended to be used

The public key hash value is the prime key used in the local certificate store index.

The Issuer fields are composed of several x.509 subfields. The exact set varies. The following table describes some of the most commonly used.

Code Description

O Organization

OU Organizational Unit

CN Common Name

E or EM Email address

C Country

ST State or Province

L Locality or City The common name (CN) and email (E) fields can be searched to identify recipients.

215

17 PKSTORADM “Certificate Store Administration” Command

PKSTORADM Command Summary with Parameter Keyword Format PKSTORADM is a certificate store administration utility command to maintain the certificate authority (CA), trusted root, and certificate revocation list (CRL) stores. Before using this utility, define the three stores and their location with PKCFGSEC command.

X.509 certificates may be imported to the local certificate store through the SecureZIP local certificate store administration tool PKSTORADM. These certificates are frequently obtained through another platform and (binary) transferred to the operational iSeries system for installation.

Important Note: All X.509 certificates should be transferred to the local iSeries environment in binary mode with no translation.

When certificates are imported, you may either define which store a certificate should be placed in or let the certificate administration tool determine the appropriate store location based on the certificate type. You must tell the PKSTORADM what certificate file type and key type to import.

iSeries UPDATE authority (or equivalent) must be granted to the system administrator responsible for altering the certificate store.

PKSTORADM can import certificates to be added to your CA and/or to your TRUSTED ROOT STORES. It can also be used to import a CRL into your static CRL store. When building your stores, you should first install the trusted roots, followed by the CA certificates. Before importing a CRL file, its CA must be in the CA store.

Usage Notes

If a certificate is designated to be an end-entity certificate, it can be ignored, or a .cer file will be created in the public store path.

It’s important that only known trusted roots be allowed to be added to your trusted root store. You should install a certificate to your root store only when you have confirmed its authenticity. To do this, contact the certificate authority listed in the candidate root certificate file. If you install a certificate to your root without confirming its authenticity, you may be creating a security risk. Once you install the

216

certificate to your root store, SecureZIP will use it to complete future certificate trust chain validation processing associated with the certificate authority.

PKSTORADM uses the SecureZIP utility PKCAADMN and most of the message issued will be from that utility. Messages that start with prefix ZPCA are from the PKCAADMN utility and be found in the message section. If there are no error messages, AQZ0049 will be issued and can be monitored. If an error is encountered, the escape message AQZ0050 will be issued and can be monitored.

Keywords are demarcated by spaces. In many cases there are multiple entries for a parameter, with each entry again demarcated by spaces. For more information about the command process, refer to the IBM home page for your version of the operating system.

SecureZIP CA Store Admin 8.1 (PKSTORADM) Type choices, press Enter. Processing Type . . . . . . . . _________ *IMPORT, *LIST, *BROWSE... Preferred Store . . . . . . . . *CA, *ROOT, *CRL,*DETECT File Type . . . . . . . . . . . *CER *CER, *P7B, *CRL End Entities: Process End Entities? . . . . *NO *YES, *NO File Mode . . . . . . . . . . *UNIQUE *UNIQUE, *OVERWRITE Selection Name . . . . . . . . . ____________________________________________ Cert Password . . . . . . . . . ____________________________________________ Logging Level . . . . . . . . . *LOG *NOLOG, *LOG, *MAXLOG Temporary Controls . . . . . . . ____________ *SIMULATE

PKSTORADM Command Keyword Details

RUNTYPE - Processing Type

RUNTYPE (*IMPORT |* LIST |*BROWSE |*VERIFY |*DELETE |*INITIALIZE)

Specifies the processing type or action that PKSTORADM will perform:

*IMPORT Reads the input file (defined in the FNAME) with the file type (FTYPE) and add the certificates to the appropriate store defined with the preferred store STYPE.

*LIST Provides a complete, detailed listing of all the certificates in the store defined in the STYPE parameter. No updating takes place.

*BROWSE Provides a short display of all the certificates in the store defined in the STYPE parameter. No updating takes place.

*VERIFY Tests the store defined with the STYPE parameter and verifies the condition of your store. No updating takes place.

217

*DELETE Delete a certificate from either the CA or root store. First a browse list similar to the browse list for the short list will be displayed. Enter a ‘4’ for the option of the certificate to be deleted and press the ENTER key to display a confirmation message window. To complete the deletion, press F5 to delete or F12 to cancel. If *DETECT or *ALL is entered both stores will be displayed. Only one delete option of ‘4’ can be entered.

*INITIALIZE Clears and initializes the store defined in the STYPE parameter. For this command to work, you must also type the word ‘Initialize’ in the FNAME parameter. Note: Take care when using the option because it clears all of your store’s current content.

FTYPE - File Type

FTYPE (*CER | *P7B | *CRL)

Defines the format or package type that the input file contains:

Format Description

*CER (PEM) Contains a single public-key certificate. It may be in Base-64 encoded (ASCII text with ASCII headers) or DER-encoded binary format.

Common file extensions: .pem, .cer, .key

* P7B (PKCS#7)

Contains one or more CA (and or root) certificates or could also contain one or more CRL in a PKCS#7 format.

Common file extension: .p7b

*CRL Contains certificate revocation list in a CRL format issued by a certificate authority.

Common file extension: .crl

STYPE - Certificate Store

STYPE (*DETECT | *CA |*ROOT |*CRL)

STYPE specifies the type of certificates, private or public, to be processed in this run.

*DETECT Detect will try to determine which store the certificate will be imported into. If *DETECT is used with RUNTYPE(*LIST) or RUNTYPE(*VERIFY), it is assumed to perform on all stores.

*CA Certificate authority store defined in the CSCA parameter of PKCFGSEC.

*ROOT Trusted root store defined in the CSROOT parameter of PKCFGSEC.

218

*CRL Static CRL (Certificate Revocation List) store defined in the CSCRL parameter of PKCFGSEC.

ENDENTITY - End Entities End Entities: Process End Entities? . . . . *NO *YES, *NO File Mode . . . . . . . . . . *UNIQUE *UNIQUE, *OVERWRITE

Or ENDENTITY(*YES *OVERWRITE)

ENDENTITY specifies whether to automatically update end entity certificates when found through the PKBLDCDB process by building X.509 files in a DER-encoded binary format and placing the files in the public store path. The file name will be the name of the inputted file with a _EEx.cer suffixed at the end, where x is a sequence number. After adding you should run PKBLDCDB to record the latest public certificates.

Process End Entities? (*YES|*NO)

Specifies whether to build the end entity certificates in the public store path.

*YES If a p7b type file is being read that contains end entity certificates, the end entity certificates will have a file created for each certificate in the public store path, and a PKBLDCDB will be launched to update the database.

*NO Ignore end entity certificates.

File Mode? (*UNIQUE|*OVERWRITE)

Specifies action to take if a duplicate file is found in the public store path.

* UNIQUE If a file is being generated and a duplicate name is found in the public store path, then the number will be incremented until no duplicate is found.

*OVERWRITE If a duplicate file is found in the public store path, the file will be written over with the new file. If a duplicate is written over, then you should run a PKBLDCDB with *VERIFY to correct the locator database.

FNAME - File Name

FNAME (Path/File name)

FNAME is the inputted IFS path and file name that will be used to import with the RUNTYPE(*IMPORT). If you specify RUNTYPE(INITIALIZE), then you must enter ‘Initialize’ to initialize a store.

219

PASSWORD - Certificate Password

PASSWORD (Certificate Private Key Password)

Reserved for future use. To process password protected P7B files that may contain a private key.

LOGLVL - Logging Level

LOGLVL (*LOG|*NOLOG |*MAXLOG)

Specifies the level of logging (printing/viewing) used during a PKSTORADM run. LOGLVL(*NOLOG) shows a minimal amount of information. LOGLVL(*MAXLOG) shows more details, with some of detail useful only for problem determination.

CNTRLS - Logging Level

CNTRLS (*NONE |*SIMULATE )

Specifies special process controls for the run. At this time only *SIMULATE exits.

*NONE No special controls.

*SIMULATE Only valid with the RTYPE(*IMPORT). Simulates the run process and does not update the stores. Provides a way to see how and what would be added if an input file is added to the stores.

Sample Displays

The following example shows a simulation of adding an inputted CER type file to the root store.

PKSTORADM RUNTYPE(*IMPORT) FTYPE(*CER) STYPE(*ROOT) FNAME('/myroot/pkware/CStore/Testzips/pkwareRoot.cer') CNTRLS(*SIMULATE)

PKSTORADM SecureZIP CA Store Administration starting------2005/03/14 13:35:57 ZPCA000I SUCCESS: Added certificate to store '/myroot/pkware/CStore/Root/pkwareRT.store'. DSN=/myroot/pkware/CStore/Testzips/pkwareRoot.cer;CER=1;FN=PKTESTDB Root;TP=A91CD312EFFEF51C8ABFEFD92C23FF67FBDBEBE3;SN=00;E=PKTESTDBRoot@nowhere.com;ROOT ZPCA846W WARNING: Simulation Requested. Nothing will be saved to the store. ZPCA000I SUCCESS: Saved certificate store '/myroot/pkware/CStore/Root/pkwareRT.store' to disk. ZPCA000I Added 0 of a possible 1 certificates to the ROOT store. ZPCA000I 0 certificates in the ROOT store before the Add command. ZPCA000I 0 certificates in the ROOT store after the Add command. ZPCA846W WARNING: Simulation Requested. Nothing will be saved to the store. PKSTORADM Store Admin ending------0 PKSTORADM Completed Successfully

220

The following example shows adding an inputted CER type file to the root store. Since a CER type file only has one certificate, one of a possible one certificate(s) was added. Since the store was initially empty, the number of certificates in the store before adding was zero, and the number after the add is one.

PKSTORADM RUNTYPE(*IMPORT) FTYPE(*CER) STYPE(*ROOT) FNAME('/myroot/pkware/CStore/Testzips/pkwareRoot.cer')

PKSTORADM SecureZIP CA Store Administration starting------2005/03/14 13:47:55 ZPCA000I SUCCESS: Added certificate to store '/myroot/pkware/CStore/Root/ pkwareRT.store'. DSN=/myroot/pkware/CStore/Testzips/pkwareRoot.cer;CER=1;FN=PKTESTDB Root;TP=A91CD312EFFEF51C8ABFEFD92C23FF67FBDBEBE3;SN=00;E=PKTESTDBRoot@nowhere.com;ROOT ZPCA000I SUCCESS: Saved certificate store '/myroot/pkware/CStore/Root/pkwareRT.store' to disk. ZPCA000I Added 1 of a possible 1 certificates to the ROOT store. ZPCA000I 0 certificates in the ROOT store before the Add command. ZPCA000I 1 certificates in the ROOT store after the Add command. PKSTORADM Store Admin ending------0 PKSTORADM Completed Successfully

This example also adds a certificate, but this time the file is destined for the CA store.

PKSTORADM RUNTYPE(*IMPORT) FTYPE(*CER) STYPE(*CA) FNAME('/myroot/pkware/CStore/Testzips/pkwareCA.cer')

PKSTORADM SecureZIP CA Store Administration starting------2005/03/14 13:51:22 ZPCA000I SUCCESS: Added certificate to store '/myroot/pkware/CStore/CA/pkwareCA.store'. DSN=/myroot/pkware/CStore/Testzips/pkwareCA.cer;CER=1;FN=PKWARE Test Intermediate Cert;TP=2B3C27C30067690EFB77A8A84DAB1D39A1368906;SN=01;E=PKTESTDBIC@nowhere.com;CA ZPCA000I SUCCESS: Saved certificate store '/myroot/pkware/CStore/CA/pkwareCA.store' to disk. ZPCA000I Added 1 of a possible 1 certificates to the CA store. ZPCA000I 0 certificates in the CA store before the Add command. ZPCA000I 1 certificates in the CA store after the Add command. PKSTORADM Store Admin ending------0

This example shows the verification action. Since the store type is STYPE(*DETECT), it verifies all of the stores.

PKSTORADM RUNTYPE(*VERIFY) FTYPE(*CER) STYPE(*DETECT)

PKSTORADM SecureZIP CA Store Administration starting------2005/03/14 13:53:41 ZPCA000I SUCCESS: CA Store '/myroot/pkware/CStore/CA/pkwareCA.store' verified successfully. 1 certificates found. ZPCA000I SUCCESS: Root Store '/myroot/pkware/CStore/Root/pkwareRT.store' verified successfully. 1 certificates found.

221

ZPCA000I SUCCESS: CRL store '/myroot/pkware/CStore/CRL/pkwareCRL.store' successfully verified. 0 revocation lists found. PKSTORADM Store Admin ending------0

The following example does a detail list. Since the store type is STYPE(*DETECT), all of the stores are listed. The list can get quite lengthy but may be needed to verify your store contents.

PKSTORADM RUNTYPE(*LIST) FTYPE(*CER) STYPE(*DETECT)

PKSTORADM SecureZIP CA Store Administration starting------2005/03/14 13:57:38 CA Store -------- --- Certificate 1 --- PKWARE Test Intermediate Cert Subject: C=US S=Wisconsin L=Milwaukee O=PKWARE, Inc. OU=PKWARE, Inc. -- for test and evaluation purposes only CN=PKWARE Test Intermediate Cert E=PKTESTDBIC@nowhere.com Issuer: C=US S=Wisconsin L=Milwaukee O=PKWARE, Inc. OU=PKWARE, Inc. -- for test and evaluation purposes only CN=PKTESTDB Root E=PKTESTDBRoot@nowhere.com SerialNumber: 01 NotBefore: Mon Dec 20 08:54:09 2004 NotAfter: Sat Dec 14 08:54:09 2024 SHA-1 Hash of Certificate(Thumbprint): 2B 3C 27 C3 00 67 69 0E FB 77 A8 A8 4D AB 1D 39 A1 36 89 06 Public Key Hash: 72 C0 6D 05 C9 3E A9 6C 34 9C AD D0 8F 14 C0 8E 04 B0 E5 CF Certificate Authority --- Certificate 2 --- PKWARE Test Intermediate Cert A Subject: C=US S=Wisconsin L=Milwaukee O=PKWARE, Inc. OU=PKWARE, Inc. -- for test and evaluation purposes only CN=PKWARE Test Intermediate Cert A E=PKTESTDBICA@nowhere.com Issuer: C=US S=Wisconsin L=Milwaukee O=PKWARE, Inc. OU=PKWARE, Inc. -- for test and evaluation purposes only CN=PKTESTDB Root E=PKTESTDBRoot@nowhere.com SerialNumber:

222

02 NotBefore: Tue Feb 8 11:38:17 2005 NotAfter: Sun Dec 15 11:38:17 2024 SHA-1 Hash of Certificate(Thumbprint): C4 05 A5 BC 36 94 21 49 D5 C2 12 CB 6C 21 3C 4F 1F E8 93 E6 Public Key Hash: 08 3B E9 79 78 15 E7 BA E9 00 90 00 D5 AC 92 BD 83 7A 8D 57 Certificate Authority Root Store ---------- --- Certificate 1 --- PKTESTDB Root Subject: C=US S=Wisconsin L=Milwaukee O=PKWARE, Inc. OU=PKWARE, Inc. -- for test and evaluation purposes only CN=PKTESTDB Root E=PKTESTDBRoot@nowhere.com Issuer: C=US S=Wisconsin L=Milwaukee O=PKWARE, Inc. OU=PKWARE, Inc. -- for test and evaluation purposes only CN=PKTESTDB Root E=PKTESTDBRoot@nowhere.com SerialNumber: 00 NotBefore: Mon Dec 20 08:21:34 2004 NotAfter: Thu Dec 19 08:21:34 2024 SHA-1 Hash of Certificate(Thumbprint): A9 1C D3 12 EF FE F5 1C 8A BF EF D9 2C 23 FF 67 FB DB EB E3 Public Key Hash: 9A C2 BA 79 76 20 64 5E 12 79 D9 74 4C A8 59 66 71 E9 C2 DD Self Signed Certificate Authority CRL Store --------- PKSTORADM Store Admin ending------0

The following example adds a CRL to the CRL store.

PKSTORADM RUNTYPE(*IMPORT) FTYPE(*CRL) STYPE(*CRL) FNAME('/myroot/pkware/CStore/Testzips/crl1.crl')

PKSTORADM SecureZIP CA Store Administration starting------2005/03/14 14:16:48 ZPCA000I SUCCESS: Added certificate '/myroot/pkware/CStore/Testzips/crl1. crl' to store '/myroot/pkware/CStore/CRL/pkwareCRL.store'. ZPCA000I SUCCESS: Saved certificate store '/myroot/pkware/CStore/CRL/pkwa reCRL.store' to disk.

223

ZPCA000I Added 1 out of 1 certificates to the CRL store. ZPCA000I 0 entries in the CRL store before the Add command. ZPCA000I 1 entries in the CRL store after the Add command. PKSTORADM Store Admin ending------0 PKSTORADM Completed Successfully

The following example displays a CRL listing.

PKSTORADM RUNTYPE(*LIST) STYPE(*CRL)

PKSTORADM SecureZIP CA Store Administration starting------2005/03/14 14:20:59 CRL Store --------- --- CRL 1 --- PKWARE Test Intermediate Cert A Issuer: C=US;S=Wisconsin;L=Milwaukee;O=PKWARE, Inc.;OU=PKWARE, Inc. -- for test and evaluation purposes only;CN=PKWARE Test Intermediate Cert A;E=PKTESTDBICA@nowhere.com LastUpdate: Unknown NextUpdate: Unknown Revoked Serial Numbers (1): SerialNumber=01; IDHash=DA9F053EEF6684FC2BDF63962E24775EE81160ED; PKSTORADM Store Admin ending------0 PKSTORADM Completed Successfully

The following example demonstrates a *BROWSE display browse.

PKSTORADM RUNTYPE(*BROWSE) STYPE(*ALL)

3/23/05 08:17:01 Certificate Store Admin PKQCD01D Store Review Query Option Document CA 1 FN=Class 1 Public Primary Certification Authority CA 2 FN=Open Financial Exchange CA - Class 3,www.verisign.com/CPS Incor CA 3 FN=Open Financial Exchange CA - Class 3,www.verisign.com/CPS Incor CA 4 FN=PKWARE Test Intermediate Cert E CA 5 FN=VeriSign Class 2 CA - Individual Subscriber CA 6 FN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated CA 7 FN=Thawte Server CA CA 8 FN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated CA 9 FN=Thawte Premium Server CA CA 10 FN=PKWARE Test Intermediate Cert CA 11 FN=PKWARE Test Intermediate Cert A CA 12 FN=PKWARE Test Intermediate Cert F CA 13 FN=VeriSign, Inc.,VeriSign International Server CA - Class 3,www.v Root 1 FN=VeriSign Commercial Software Publishers CA Root 2 FN=VeriSign Individual Software Publishers CA + F3-Exit F9-Fold F12-Return

224

F9 to Unfold:

3/23/05 08:17:01 Certificate Store Admin PKQCD01D Store Review Query Option Document CA 1 FN=Class 1 Public Primary Certification Authority SN=00CDBA7F56F0DFE4BC54FE22ACB372AA55 CA 2 FN=Open Financial Exchange CA - Class 3,www.verisign.com/CPS Incor . By Ref.,LIAB. LTD. (c) 97 VeriSign SN=1E47DBE0434AFB7AE84ABEF2EC2C7A6F CA 3 FN=Open Financial Exchange CA - Class 3,www.verisign.com/CPS Incor . By Ref.,LIAB. LTD. (c) 97 VeriSign SN=5C1CD1200795F810DE576AC1FCCBF8C6410E0812 + F3-Exit F9-Fold F12-Return

The following example demonstrates the importing of certificates from a p7b file that has the end entity certificate with the full path of CA and root certificates. If the CA and root already exist, the number of certificates in the stores will not increase. Note the file created in the public store for the end entity certificate. See the message (End Entity File </pkzshare/CStores/public/carolineF2004_EE1.cer> created) where the suffix _EEx.cer was attached and the file written in the public store path. PKBLDCDB should now be run to add the certificate to the locator database. You should run with CNTRLS(*SIMULATE) first to make sure what you are adding to your CA and root stores is acceptable and trusted.

PKSTORADM RUNTYPE(*IMPORT) FTYPE(*P7B) STYPE(*DETECT) ENDENTITY(*YES *UNIQUE) FNAME('/pkzshare/cstores/Inputs/carolineF2004.p7b')

PKSTORADM SecureZIP CA Store Administration starting------2005/03/23 09:11:14 ZPCA000I SUCCESS: Added certificate to store '/pkzshare/CStores/Root/pkwareRT.store'. DSN=/pkzshare/cstores/Inputs/carolineF2004.p7b;CER=2;FN=Class 1 Publi c Primary Certification Authority;TP=90AEA26985FF14804C434952ECE9608477AF556F ;SN=00CDBA7F56F0DFE4BC54FE22ACB372AA55;ROOT ZPCA000I SUCCESS: Saved certificate store '/pkzshare/CStores/Root/pkwareRT.store' to disk. ZPCA000I SUCCESS: Added certificate to store '/pkzshare/CStores/CA/pkwareCA.store '. DSN=/pkzshare/cstores/Inputs/carolineF2004.p7b;CER=3;FN=VeriSign Class 1 CA I ndividual Subscriber-Persona Not Validated;TP=12519AE9CD777A560184F1FBD542152 22E95E71F;SN=0D8B4FEEAAD2185BF4756A9D29E17FFB;CA ZPCA000I SUCCESS: Saved certificate store '/pkzshare/CStores/CA/pkwareCA.store' t o disk. ZPCA000I Added 1 of a possible 3 certificates to the stores. ZPCA000I Added 0 certificates to the CA store. ZPCA000I 12 certificates in the CA store before the Add command. ZPCA000I 12 certificates in the CA store after the Add command. ZPCA000I Added 0 certificates to the ROOT store.

225

ZPCA000I 27 certificates in the ROOT store before the Add command. ZPCA000I 27 certificates in the ROOT store after the Add command. ZPCA000I 1 end entities written to the '/pkzshare/cstores/CWrkPath/SZdbfbecc7.tmp' output file. End Entity File </pkzshare/CStores/public/carolineF2004_EE1.cer> created. PKSTORADM Store Admin ending------0 PKSTORADM Completed Successfully

Now add the public certificate to the locator database with the PKBLDCDB command:

PKBLDCDB MAINT(*UPDATE) MTYPE(*FILE) CTYPE(*PUBLIC) FNAME('/pkzshare/CStores/public/carolineF2004_EE1.cer')

PKBLDCDB Update SecureZIP Cert DataBase starting------2005/03/23 09:32:25 PKBLDCDB Running Update Mode--Replace Duplicates--- PKBLDCDB Adding </pkzshare/CStores/public/carolineF2004_EE1.cer> PKBLDCDB Run Totals: Total Records Added =1 Total Records Updated =0 Total Duplicateds Found =0 Total Records In Error =0 Total Records Processed =1 PKBLDCDB Scan ending------ PKBLDCDB Completed Successfully

The following example demonstrates the certificate deletion process:

PKSTORADM RUNTYPE(*DELETE) STYPE(*CA)

3/23/05 08:23:02 Certificate Store Admin PKQCD01D Store Review Query Type option - Press Enter. ONLY 1 Delete Selection Valid 4-Delete Option Document CA 1 FN=Class 1 Public Primary Certification Authority CA 2 FN=Open Financial Exchange CA - Class 3,www.verisign.com/CPS Incor CA 3 FN=Open Financial Exchange CA - Class 3,www.verisign.com/CPS Incor CA 4 FN=PKWARE Test Intermediate Cert E CA 5 FN=VeriSign Class 2 CA - Individual Subscriber CA 6 FN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated CA 7 FN=Thawte Server CA CA 8 FN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated CA 9 FN=Thawte Premium Server CA CA 10 FN=PKWARE Test Intermediate Cert CA 11 FN=PKWARE Test Intermediate Cert A 4 CA 12 FN=PKWARE Test Intermediate Cert F CA 13 FN=VeriSign, Inc.,VeriSign International Server CA - Class 3,www.v + F3-Exit F9-Fold F12-Return

Enter 4 on the certificate line to delete, and press the ENTER key. This will cause the following window to appear for confirmation.

3/23/05 08:23:02 Certificate Store Admin PKQCD01D Store Review Query Type option - Press Enter. ONLY 1 Delete Selection Valid

226

4-D ...................................................................... Optio : Confirm Certificate to be deleted from CA Store : CA : Location: 12 : CA : FN= PKWARE Test Intermediate Cert F : or CA : SN= 01 : or CA : : CA : Note: : CA : Certificates that are issued by the certification : ed CA : authorities or any lower level certification authorities : CA : will no longer be trusted. Press PF5 to Continue with : ed CA : the deletions or PF12 to exit without deleting the : CA : certificate. : CA : Press F5 to Delete Certificate : 4 CA : Press PF12 to exit Without Delete : CA : F5=Delete F12=Cancel : .v : : :....................................................................: +

To delete the certificate, press the PF5 key.

PKSTORADM SecureZIP CA Store Administration starting------2005/03/23 08:30:18 ZPCA000I SUCCESS: Deleted certificate from store. ZPCA000I SUCCESS: Saved certificate store '/pkzshare/CStores/CA/pkwareCA.store' to disk. ZPCA000I Deleted 1 certificates from the CA store. ZPCA000I 13 certificates in the CA store before the Delete command. ZPCA000I 12 certificates in the CA store after the Delete command. Certificate Deleted From CA Store PKSTORADM Store Admin ending------0 PKSTORADM Completed Successfully

Message AQZ0528 is issued to the log for the deletion.

227

18 Processing with GZIP

Introduction to GZIP (GNU zip) GZIP (GNU zip) is a compression utility designed to use a different standard for handling compressed data in an archive. Its main advantages over other compression utilities are much better compression and freedom from patented algorithms. It has been adopted by the GNU project and is now relatively popular on the Internet. GZIP was written by Jean-Loup Gailly (jloup@gzip.org) and Mark Adler (the decompression code).

GZIP (GNU zip) utility program (available on a number of platforms including MVS, UNIX, and PC) can be used like SecureZIP for iSeries to compress and extract data. SecureZIP for iSeries in producing GZIP archives implements two GZIP standard specifications:

RFC 1952: GZIP file format specification Version 4.3, which documents the GZIP specifications and the format of a GZIP archive file.

RFC 1951: DEFLATE Compressed Data Format Specification Version 1.3, which documents the compression algorithm used by GZIP processing.

The RFC is a process to promote specifications and standards throughout the Internet community and can be found at www.faqs.org/rfcs. Both RFC 1952 and RFC 1951 specifications are platform-independent; therefore, data that was compressed on one platform, for example, UNIX, may be decompressed on another platform, for example, iSeries or MVS.

The one significant advantage of GZIP archive files over ZIP archive files is the ability to handle larger (greater than 4 GB) file sizes. The standard ZIP archive format restricts processing to uncompressed files that are less than 4 GB and cannot create an archive containing multiple files that would meet or exceed the 4 GB limit. These restrictions are due to the size of the specified fields (4 byte fields) that contain the file size information within the archive. The GZIP archive format (see RFC 1952) can process files of any size. This format does not maintain a 'directory’ of information for individual files and allows sizes to 'wrap' at 4 GB, so it does not suffer a size restriction.

228

GZIP Archive Files Used By SecureZIP for iSeries The term GZIP archive file is used to describe the file that holds data that has been compressed by one of the GZIP programs and meets the specifications of RFC 1952. At the end of the GZIP archive is a trailer that contains the file’s compressed size, uncompressed size, and a CRC value for the file (which is used to verify that the decompressed data is identical to the data that was originally compressed).

A GZIP archive file can be transferred from one platform to another and can be decompressed by a GZIP-compatible application which is running on that platform. The internal format of a GZIP archive is identical, no matter what platform compressed the file.

SecureZIP for iSeries (by default) creates new archives as members of PF-DTA files with 132-byte records. The archive file is given a text field of 'file created by PKZIP iSeries.' The archive member is given a text field of 'Member created by PKZIP iSeries.' If you wish to create your own archive (perhaps because a larger record size would be convenient), then you can do so, but consider the following:

When creating the file, do not create any members in it.

After creating the file, change the MAXMBRS parameter for the file from 1 to *NOMAX.

A GZIP archive holds files internally in either text or binary format, both of which are compatible with other platforms supported by GZIP. Because information held in a GZIP archive is defaulted for binary processing, SecureZIP for iSeries uses the parameter FILETYPE for text or binary processing. When transporting archives between machines that use different character sets for text, for example, EBCDIC and ASCII, the binary format may not be appropriate. Specifying that the file is to be compressed as FILETYPE(*TEXT) will allow SecureZIP for iSeries to perform EBCDIC-to-ASCII conversion, as required. Specifying FILETYPE(*TEXT) may also be useful when PKUNZIP is used on the iSeries to extract data that has been compressed on an ASCII system.

A GZIP archive is similar to a ZIP archive but normally only contains one compressed file or member. GZIP archives, like ZIP archives, use the Lempel-Ziv algorithm (inflate) to compress and decompress data. Unlike a ZIP archive, GZIP archives do not hold a lot of information in various information blocks throughout the archive. Instead, they contain only one information block at the beginning of the archive and locates size information at the end of the archive. Some GZIP text data, for example, file name and comments, use the ISO 8859-1 (LATIN-1) character set and therefore will be converted to and from LATIN-1 as required. When a GZIP archive is created, an information block is placed in the archive before the compressed version of the file. This information block includes the following information about the file:

229

• The compression method used on the file.

• The date and time of the last update to the file.

• A flag to indicate optional extended data exists (these fields are usually operating system-dependant and may be ignored if identification code is unrecognized).

• The name of the file that was compressed.

• An archive text comment.

• Compressed data followed by the GZIP trailer at the end of the archive. The trailer includes a CRC value and the original size of the uncompressed file.

Cross Platform Compatibility Since GZIP archive files adhere to RFC 1952, the files are compatible across all GZIP-supported platforms. If executable files and other platform-dependent objects are compressed on one platform and then decompressed on another, it is unlikely that they will work on the new platform. The same can be said about EBCDIC vs. ASCII. Because the extra information is platform dependent, most likely it will be ignored by another platform.

A major consideration for cross platform processing is when building the archive in the QSYS library file system you may end up with pad bytes at the end of the archive due to files have record lengths and the end of the archive will be padded to the record length. Some GZIP products cannot handle the extra pad bytes at the end of the archive. In this case, the archive should be stored in the IFS where the archive will be a true stream file with no pad bytes at the end of the archive.

GZIP Restrictions Filename encryption can not be used with GZIP.

Special Note on GZIP Passwords GZIP standard processing (RFC 1952) does not normally allow a password to be placed on a GZIP archive. SecureZIP for iSeries does allow this feature, but its use may cause compatibility issues with other platforms. PKZIP for MVS does use the same password standard, so GZIP archives with passwords can be exchanged between SecureZIP for iSeries , PKZIP for VSE, and PKZIP for MVS. Because GZIP archives that are created with a password with SecureZIP for iSeries or PKZIP for MVS™ are not part of the GZIP standards, these files will probably appear to be corrupt on other platforms.

Processing GZIP Archives SecureZIP for iSeries can create and extract information from GZIP format archives similar to how it can be used to create and extract information from a ZIP archive. The creation of a GZIP archive and other parameters is exactly like all other processes in SecureZIP for iSeries , including use of extended attributes. To create a GZIP archive file, code the parameter GZIP(*YES). The difference is that the

230

archive can only have one (1) file, and the archive cannot be updated. The PKUNZIP program will identify the GZIP archive and process it accordingly.

The following are the specific GZIP Restrictions that pertain to the PKZIP and PKUNZIP programs:

GZIP Compressing The code used by SecureZIP for iSeries follows the standards specified in the two applicable RFC's. Specifically, these are RFC 1952 (GZIP file format specification Version 4.3) and RFC 1951 (DEFLATE Compressed Data Format Specification Version 1.3). SecureZIP for iSeries should always be able to create a GZIP compatible compressed file and extract data from a GZIP compressed file where the GZIP utility matches these two specifications.

• Parameter COMPRESS(*NO) cannot be used because all GZIP archives must contain compressed data.

• Parameter COMPRESS(*TERSE) cannot be used because terse compression is a non-standard compression method for GZIP.

• Parameter FTRAN is not valid for GZIP because filenames have to be held in the ISO 8859-1(LATIN-1) character set.

• Parameter TYPE (type of processing to be performed) cannot be specified because *DELETE, *UPDATE, *FRESHEN, *MOVEF, or *MOVEU as a GZIP archive cannot be updated once created.

Only one file is supported per GZIP archive. When creating an archive, this means that only one file or member can be identified for inclusion in the archive.

If SecureZIP for iSeries is used to create and encrypt a GZIP archive using a password, other platforms may not be able to decrypt the data. The encryption algorithm used by SecureZIP for iSeries in a GZIP archive is similar to that used by PKZIP, but it is not supported as part of the specifications for GZIP.

Once an iSeries SAVF has been zipped into a GZIP archive, the archive will extract on another platform but will not be available as a SAVF. It will just be a binary file and of no use on another platform.

The file name stored in an archive created by SecureZIP for iSeries will typically contain library, file, and member names (directory components) which relate to the qualifiers of the original iSeries name. According to the GZIP specifications, the file name stored should be the original name of the file being compressed, with any directory components removed. Most GZIP utilities support directory components, and the default SecureZIP for iSeries processing will include library, file, and member names in the output file name. Note: It is not possible to create a GZIP archive using SecureZIP for iSeries that does not have the file name stored in the archive.

GZIP Extracting If a file name is present in the GZIP archive, it will be held in the ISO 8859-1 (LATIN-1) character set.

If there is no file name in the archive, one will use the default paths defined in the EXDIR parameter.

231

If there is more than one compressed file in the archive, only the first file can be processed.

When zipping a file into an archive, the archive cannot already exist. It is not possible to merge or update a GZIP archive.

VIEW processing may not show all of the details from the archive, since some information is not stored (or not stored in convenient locations) in the GZIP archive. For example, the compressed and uncompressed file sizes will typically be shown as zero.

To match the GZIP specifications, the time stored in the archive header will be in universal time format (seconds since 01/01/1970). Because of manipulation during processing, this time will have only a two-second accuracy (will always be divisible by 2) and therefore could be one second off from the original file time.

There is no standard iSeries method to set the creation date of a file. As a result, the time in the GZIP archive is ignored when creating the iSeries output file. It may be viewed by specifying the parameter TYPE(*VIEW).

Sample GZIP Processing

Compressing a file The following example shows how to compress a file into a GZIP archive. The PKZIP command is used to compress data into an archive. To select the GZIP format for the resulting archive, you must use the GZIP(*YES) option with the PKZIP command:

PKZIP ARCHIVE(‘MYLIB1/MYARCHFIL(GZ01)’) FILES('TESTLIB1/FILE1TXT') TYPE(*ADD) GZIP(*YES)

The command above will compress the text file TESTLIB1/FILE1TXT into the archive MYLIB1/MYARCHFIL(GZ01) in GZIP format. The archive must not already exist or an error message will be generated and the operation will fail.

The output from the above command should look like the following:

File MYARCHFIL created in library MYLIB1. SecureZIP for iSeries (tm) Data Compression Version 8.1, 2003/05/01 Copyright. 2004 PKWARE, Inc. All rights reserved. PKZIP (R) is a registered trademark of PKWARE (R), Inc. EVALUATION Running EVALUATION, Warning - This license will expire in 29 days on 2003/06/02 Contact your dealer with the following information Machine ID = 0107X8WT, Processor Group = P10 Scanning files for match ... File MYARCHFIL in library MYLIB1 with member GZ01 not found. Found 1 matching files Member GZ01 added to file MYARCHFIL in MYLIB1. Member GZ01 removed from file MYARCHFIL in MYLIB1. Member PZ3AF2447F added to file MYARCHFIL in MYLIB1. Compressing TESTLIB1/FILE1TXT(FILE1TXT) in TEXT mode Add TESTLIB1/FILE1TXT/FILE1TXT -- Deflating (31%) Member PZ3AF2447F renamed to member GZ01. Member GZ01 file MYARCHFIL in MYLIB1 changed. PKZIP Compressed 1 files in GZIP Archive MYLIB1/MYARCHFIL(GZ01) PKZIP Completed Successfully

232

19 Messages

SecureZIP for iSeries messages are broken down into three types. When using *VIEW type, all displays of the archive and files information use messages AQZ0800 thru AQZ0899. The licensing install and licensing validation use messages that start with AQZ9nnnn. All other messages start with AQZ0001 through AQZ0799.

There are two messages that are issued as escape messages, and because they are issued as an escape message, they can be monitored with the MONMSG command in CL programs. Escape messages indicates a condition causing PKZIP or PKUNZIP to end abnormally, without completing its work. By monitoring for escape messages, you can take corrective actions or clean up and end your procedure or program. To see the actual condition that may have caused the problem, you should review all previous messages from the job log. If PKZIP or PKUNZIP issues one of these escape messages, and the messages are not being monitored, then the iSeries will issue an inquiry message requiring a reply (normal iSeries processing).

The message numbers that are issued as escapes are:

• AQZ0022 - PKZIP completed with errors.

• AQZ0038 - PKUNZIP completed with errors.

There are four messages that are issued as completion message types and are also issued as a status message type. Because the messages are issued as a status type, they can be monitored with the MONMSG command in CL programs. The message numbers that are issued as status message types are:

• AQZ0012 - PKZIP ending with nothing to do for <&1>.

• AQZ0020 - PKZIP completed successfully.

• AQZ0024 - PKZIP completing with a warning. No files selected.

• AQZ0037 - PKUNZIP completed successfully.

EXAMPLE:

Msg ID | Severity | Code | | Message Text | | | AQZ0109-00: Compressing &1 in &2 mode

233

Explanation: Informational. Compressing has started for the file with a specified mode. The modes are: 1) SAVF, 2) DATABASE, 3) BINARY, 4) TEXT, and 5) Text in EBCDIC.

The message text &1 will be the file name and &2 will be the mode such as:

Compressing TESTLIB/TESTFILE(TESTFILE) in TEXT mode

Messages from Certificate Store Administration

From the PKSTORADM command, messages are displayed from the Certificate Store Administration program. These message all start with the prefix ZPCA followed by a three digit number with a suffix of E (Error), W (warning) or I (Informational). For example: “ZPCA815E Cannot Continue. Unable to close CA Store.”

See standard messages AQZ0049-00 "PKSTORADM Completed Successfully" and AQZ0050-40 "PKSTORADM Completed with Errors" for PKSTROADM-monitored completion messages.

234

AQZ0001 - AQZ0799 Messages

AQZ0001-00 PKZIP: &1 &2.

Explanation: This message is used in conjunction with other messages to provide extended information. See the following messages.

AQZ0002-40 Unexpected End of File: &1 &2.

Explanation: While reading an archive file in PKZIP, an unexpected end of file was encountered. The file may not have been created properly or copied to completion. Try running the TYPE(*TEST) to see it can identify more information and review all other messages.

AQZ0003-40 Archive file Structure Error: &1 &2.

Explanation: This message is associated with the previous message for exact cause. This indicates a major archive failure for PKZIP to process. Review all messages and run PKUNZIP with TYPE(*TEST) to see if there are more details. This may indicate that current archive is incomplete or corrupted.

AQZ0004-40 Out Of Memory: &1 &2.

Explanation: While trying to allocate memory in PKZIP or PKUNZIP, a failure occurred and no memory was granted. Check other messages in the job log for possible causes and refer to Appendix C about memory errors. If this continues, please contact the Product Services Division at 1-937-847-2687 for assistance.

AQZ0005-40 Logic Error: &1 &2.

Explanation: This message should never occur. If it does it may be due to a corrupted archive file. Please contact the Product Services Division at 1-937-847-2687 for assistance.

AQZ0006-40 Error opening temp archive file:<&1>.

Explanation: While trying to process PKZIP, a failure occurred while opening the temporary archive file<&1>. Review other messages with PKZIP and the iSeries for more details of why the failure occurred. Attributes used were=&2'.

235

AQZ0009-40 User interrupt or termination: &1 &2.

Explanation: PKZIP encountered a request to terminate. If it continues to be unknown, please contact the Product Services Division at 1-937-847-2687 for assistance.

AQZ0010-40 Error using temp file: &1 &2.

Explanation: While trying to process PKZIP, a failure occurred with the temporary archive file. Review other messages with PKZIP and the iSeries for more details of why the failure occurred.

AQZ0011-40 Read or Seek error: &1 &2.

Explanation: While reading an archive file in PKZIP, an unexpected error was encountered. The file may not have been created properly, or copied to completion. Try running the TYPE(*TEST) to see it can identify more information and review all other messages.

AQZ0012-40 PKZIP ending with Nothing to do for <&1>.

Explanation: PKZIP found no files to process. Review the FILES EXCLUDE keywords for the selections. This message can be monitored using MONMSG.

AQZ0013-40 Missing or empty archive file: &1 &2.

Explanation: An archive file to process *UPDATE, *FRESHEN, or *DELETE is empty. No TYPE was processed.

AQZ0014-40 Error writing to a file: &1 &2.

Explanation: An unexpected error was encountered while writing the archive file. PKZIP is terminated and the temporary archive file is corrupted. Review other PKZIP message and iSeries messages in order to interpret why this message occurred.

AQZ0015-40 Could not open to write: &1 &2.

Explanation: PKZIP could not create a list file or ARCHIVE file. PKZIP has terminated. Review iSeries messages for cause of error.

236

AQZ0018-40 Could not open a specified file to read: &1 &2.

Explanation: An archive, list, or extracted file could not be opened for reading. Review PKZIP messages and iSeries messages that occurred in run.

AQZ0019-00 PKZIP Compressed &1 files in Archive &2.

Explanation: &1 is the number of files that were compressed in this run of PKZIP storing them in the archive file &2.

AQZ0020-00 PKZIP Completed Successfully.

Explanation: PKZIP completed successfully. This message can be monitored using MONMSG.

AQZ0021-10 There are no files to select from: Zip ending.

Explanation: Either no files were selected with files parameters for all actions or no files qualified for selection with *FRESHEN or *UPDATE TYPE. Review archive and selection parameters.

AQZ0022-40 PKZIP Completed with Errors.

Explanation: See job log for previous errors messages. An error occurred that caused PKZIP to complete unsuccessfully. AQZ0022 message will be issued as an Escape message type. Escape messages indicate a condition causing PKZIP to end abnormally without completing its work. This message can be monitored using MONMSG.

AQZ0023-10 Invalid date {&1} for date select option &2.

Explanation: DATETYPE with *BEFORE or *AFTER was selected in PKZIP, but has an invalid date in DATEAB. Format must be mmddyyyy or yyyymmdd. The mm must be 1 thru 12. The dd must be 1 thru 31.

AQZ0024-00 PKZIP Completing with a Warning. No Files Selected for compression.

Explanation: PKZIP selected 0 files for compression and there were no other actions (such as *DELETE, archive comment update) to revise the archive. This message can be monitored using MONMSG.

237

AQZ0025-40 File name <&1> contains special characters.

Explanation: The file contains characters not valid for a file name.

AQZ0026-30 Invalid option(s) used with DELETE; ignored.

Explanation: This message should never occur. Please contact the Product Services Division at 1-937-847-2687 for assistance.

AQZ0027-30 Archive file is empty, cannot make it as old as latest entry.

Explanation: PKZIP run with archive file in the IFS file type. Cannot set date and time of the archive to latest time of files because the archive file is empty.

AQZ0028-30 Archive file has only directories, cannot make it as old as latest entry.

Explanation: PKZIP run with archive file in the IFS file type. Cannot set date and time of the archive to latest time of files. The archive file is OK.

AQZ0029-40 Name Not match: &1.

Explanation: A file in the FILES selection keyword could not be found or matched with a pattern. PKZIP will not process.

AQZ0030-00 Scanning files for match...

Explanation: Information only. The search has started for file selections.

AQZ0031-00 Found &1 matching files.

Explanation: Information only. The number of selection files that was found is considered for processing.

238

AQZ0032-00 Copying temp &1 to &2.

Explanation: Copies a temporary archive file to the requested archive name.

AQZ0034-00 Searching Archive &1 for files to extract.

Explanation: Informational only. PKUNZIP has started searching the archive for files that meet the selection and excluding parameters.

AQZ0035-00 Extracting file &1.

Explanation: Informational only. PKUNZIP is in the process of extracting file &1.

AQZ0036-00 PKUNZIP extracted &1 files.

Explanation: Informational only. PKUNZIP reports the number of files that were extracted in this run.

AQZ0037-00. PKUNZIP Completed Successfully.

Explanation: Informational only. PKUNZIP completed with no errors. This message can be monitored using MONMSG.

AQZ0038-40 PKUNZIP Completed with Errors.

Explanation: During a run of PKUNZIP, errors were encountered. Some processing may or may not have completed. Review the preceding messages for further details. AQZ0038 message will be issued as an escape message type. Escape messages indicates a condition causing PKUNZIP to end abnormally without completing its work. This message can be monitored using MONMSG.

AQZ0039-00 PKUNZIP found &1 file(s) in Error.

Explanation: The run of PKUNZIP found &1 files with some type of error resulting in these files not being processed. Consult the job log to discover why these files were in error.

239

AQZ0040-10 PKUNZIP skipped &1 file(s).

Explanation: PKUNZIP skipped the files due to target files already existing on the system and the parameter to OVERWRITE was set to *NO, which informs the system not to overwrite any file that already exists.

AQZ0041-00 Searching GZIP Archive &1 for files to extract.

Explanation: Informational only. PKZIP is searching for the files to process with GZIP option.

AQZ0042-00 Scanning Archive &1 for &2 files in archive.

Explanation: PKZIP is scanning the input archive for files. Informational only when VERBOSE is set. For large archive with tens of thousands of files it may take a while for this process.

AQZ0043-00. PKCFGSEC Completed Successfully.

Explanation: Informational only. PKCFGSEC completed with no errors. This message can be monitored using MONMSG.

AQZ0044-40 PKCFGSEC Completed with Errors.

Explanation: During a run of PKCFGSEC, errors were encountered. Some processing may or may not have completed. Review the preceding messages for further details. AQZ0044 message will be issued as an escape message type. Escape messages indicates a condition causing PKCFGSEC to end abnormally without completing its work. This message can be monitored using MONMSG.

AQZ0045-00. PKBLDCDB Completed Successfully.

Explanation: Informational only. PKBLDCDB completed with no errors. This message can be monitored using MONMSG.

AQZ0046-40 PKBLDCDB Completed with Errors.

Explanation: During a run of PKBLDCDB, errors were encountered. Some processing may or may not have completed. Review the preceding messages for further details. AQZ0046 message will be issued as an escape message type. Escape messages indicates a

240

condition causing PKBLDCDB to end abnormally without completing its work. This message can be monitored using MONMSG.

AQZ0047-00. PKBQRYCDB Completed Successfully.

Explanation: Informational only. PKBQRYCDB completed with no errors. This message can be monitored using MONMSG.

AQZ0048-40 PKBQRYCDB Completed with Errors.

Explanation: During a run of PKBQRYCDB, errors were encountered. Some processing may or may not have completed. Review the preceding messages for further details. AQZ0048 message will be issued as an escape message type. Escape messages indicates a condition causing PKBQRYCDB to end abnormally without completing its work. This message can be monitored using MONMSG.

AQZ0049-00 PKSTORADM Completed Successfully.

Explanation: Informational only. PKSTORADM completed with no errors. This message can be monitored using MONMSG.

AQZ0050-40 PKSTORADM Completed with Errors.

Explanation: During a run of PKSTORADM, errors were encountered. Some processing may or may not have completed. Review the preceding messages for further details. AQZ0050 message will be issued as an escape message type. Escape messages indicates a condition causing PKSTORADM to end abnormally without completing its work. This message can be monitored using MONMSG.

AQZ0051-00 End Entity File <&1> created.

Explanation: End Entity File certificate file was created. PKBLDCDB should be run to add the certificate data to locator database.

AQZ0097-10 Input Archive was found to be Digitally Signed..

Explanation: The archive was digitally signed. This PKZIP update will destroy the signature.

241

AQZ0101-00 Add &1 -- &2.

Explanation: Information providing the file and the type of compression method (deflate, terse, or store) along with the percent of compression.

AQZ0102-00 Freshening: &1 with &2.

Explanation: Informational: PKZIP running with TYPE(*FRESHEN) is processing the file with compression method (deflate, terse, or store) and the percent of compression.

AQZ0103-00 Updating: &1 with &2.

Explanation: Informational: PKZIP running with TYPE(*UPDATE) is processing file with compression method (deflate, terse, or store) and the percent of compression.

AQZ0104-00 Deleting: &1.

Explanation: Informational: Delete file &1 from the archive.

AQZ0105-00 Translating to ASCII.

Explanation: Informational with VERBOSE(*max) indicating that data will translated to ASCII.

AQZ0106-00 Zip diagnostic: &1 <&2>.

Explanation: File in the archive is up to date with date & time or the file in the archive is now missing. Only when Verbose(*max).

AQZ0107-40 Attempting to restore &1 to its previous state.

Explanation: A failure occurred while running PKZIP with an existing archive. An attempt is being made to set the archive to a previous state prior to the original processing start time.

242

AQZ0108-00 Excluding <&1>.

Explanation: In run PKZIP, a file found in the selection process was excluded due to a match excluding file parameter.

AQZ0109-00 Compressing &1 in &2 mode.

Explanation: Informational: Compressing has started for the file with a specified mode. The modes are: 1) SAVF, 2) DATABASE, 3) BINARY, 4) TEXT and 5) Text in EBCDIC.

AQZ0110-00 The Output List file <&1> is being created.

Explanation: Informational: to indicate that file &1 is being created, and will also be used to add list records selected in the run. See Keyword-CRTLIST for more details.

AQZ0111-00 &1 Records written to the Output List file &2.

Explanation: Informational: indicates that &1 records were outputted to the list file &2. See keyword-CRTLIST for more details.

AQZ0112-00 &1 records read from Include File &2.

Explanation: INCLFILE parameter was optioned in PKZIP or PKUNZIP. This message displays how many records were in the file.

AQZ0113-00 Include parameters supplied &1.

Explanation: Informational: How many include items found in FILES and INCLFILE.

AQZ0114-00 &1 records read from Exclude File &2.

Explanation: EXCLFILE parameter was optioned in PKZIP or PKUNZIP. This message displays how many records were in the file.

243

AQZ0115-00 Exclude parameters supplied &1.

Explanation: Informational: How many include items found in EXCLUDE and EXCLFILE.

AQZ0116-00 Zip diagnostic: &1cluding <&2>.

Explanation: Informational PKZIP: Display of file being included or excluded.

AQZ0117-00 File matches archive file – skipping.

Explanation: PKZIP running with a file selected, which is the current file, requested as the archive. This file is skipped from the selection process.

AQZ0118-40 Replace: cannot open &1.

Explanation: PKZIP is trying to copy the temporary archive file to the archive file. The archive file cannot be opened. Check the job log for messages as to why the open failed. If specifying parameter TMPPATH in the library file system, verify that both library and file name are specified (for example, MPPATH(‘MYLIB/TEMPARCH’).

AQZ0119-40 Fcopy: Write error.

Explanation: PKZIP is trying to copy the temporary archive e file to the archive file. The archive encountered an error while writing the new archive file. Check the job log for messages to determine why the write failed.

AQZ0120-40 Fatal: Incorrect compressed size - &1.

Explanation: A failure occurred while compressing. The size reported by the compression engine is different from the offset determined in the archive file. This should never happen. Please contact the Product Services Division at 1-937-847-2687 for assistance.

AQZ0121-00 Stats: &1 &2.

Explanation: Information in PKZIP with verbose on. Shows the size of the file being compressed and the size of the compressed file.

244

AQZ0122-00 Enter new Zip file Comment for file &1.

Explanation: FILESTEXT was set to edit a new comment for files being added to the archive. Enter the file’s comment and press the Enter key.

AQZ0123-00 Enter Zip file Comment for file &1.

Explanation: An unexpected error was encountered while writing the archive file. PKZIP is terminated, and the FILESTEXT was set to edit comments for files being added or updated to the archive. Enter the file's comment, and press the Enter key.

AQZ0124-00 Zip Info: &1 &2.

Explanation: Informational PKZIP files when processing with enhanced DEBUG options.

AQZ0125-00 Zip: reading &1.

Explanation: Informational PKZIP: reading the file & in the current archive. Only displays with Verbose(*MAX) during fix option. This option is not available at this time.

AQZ0126-00 Zip Info: &1 for &2.

Explanation: Informational PKZIP: Compression statistic of file &2. Only displays with Verbose(*MAX) during fix option. This option is not available at this time.

AQZ0127-00 Global settings are “No wildcard selection”, but FILES contains an *.

Explanation: The files parameter contains a wildcard selection <&1>, but the wildcard global setting is coded for NO wildcards selections. Correct and rerun or see your administrator for the PKZIP settings.

AQZ0129-40 Local header not found for &1.

Explanation: The current, loaded archive file is corrupted. The local header cannot be found for the compressed file &1. Processing of PKZIP will not continue. Review other messages. If file was created using PKZIP, please contact the Product Services Division at 1-937-847-2687 for assistance. If the file came from another source, review the creation of the file to verify if it was transferred properly to iSeries.

245

AQZ0130-00 Self Extracting code for &1 found in archive file.

Explanation: Informational PKZIP: Adjusting offsets in the archive file &1 for local headers. Only displays with Verbose(*max).

AQZ0131-00 Zip diagnostic: Deleting file &1.

Explanation: Informational PKZIP with TYPE(*DELETE): The file &1 was found in the archive and removed.

AQZ0132-00 Error in Deleting file &1.

Explanation: PKZIP with TYPE(*DELETE) could not delete the file &1 from the archive. Review job log and other message that occurred during the PKZIP run to determine the cause.

AQZ0133-40 Deleting directory &1 (if empty).

Explanation: PKZIP with TYPE(*DELETE) found a match and it was an empty directory. The directory is being removed from the archive file.

AQZ0134-00 Zip Info: &1 &2.

Explanation: Informational PKZIP about archive files when processing with enhanced debug turned on.

AQZ0135-10 Zero-length name for entry # &1.

Explanation: An error occurred reading the archive file for entry # &1. The name of the file has a zero length. If processing continues, unpredictable results may occur. The source of the archive file and its history of reaching it current state should be reviewed. Other files in the archive should be valid.

AQZ0136-00 Bad extended local header for.

Explanation: An archive file indicated it contained an extended local header. The header is corrupted. Processing will be terminated. Run PKUNZIP with TYPE(*View) and VIEWOPT(*Detail) to see if more information is available.

246

AQZ0137-10 Extended local header not found for &1.

Explanation: An archive indicated it contained an extended local header for file &1. The extended header could not be found nor processed. Run PKUNZIP with TYPE(*View) and VIEWOPT(*Detail) to see if more information is available.

AQZ0138-00 Missing end signature -- probably not a archive file (did you remember to use binary mode when you transferred it?).

Explanation: The archive file did not have an end signature, which usually indicates it is not an archive file or it is an incomplete archive file.

AQZ0139-00 Multiple disk information ignored.

Explanation: PKZIP and PKUNZIP do not support multiple disk functionality.

AQZ0140-00 Name lengths in local and central differ for &1.

Explanation: The archive file is corrupted. The name lengths of the file name in the local directory are different than the name length in the central directory.

AQZ0141-00 Names in local and central differ for &1.

Explanation: The archive file is corrupted. The file name & in the local directory is different than the file name in the central directory. This is an invalid archive. Contact the Product Services Division at 1-937-847-2687 for assistance.

AQZ0143-00 Rename failure: New archive file left as: &1.

Explanation: PKZIP is trying to rename the temporary name for a requested archive and has failed. Review the job log for cause. The archive file &1 is still valid but is saved using the temporary name. Rename the temporary file manually to the requested archive name.

AQZ0144-40 Rename failure: Tried to rename to &1.

Explanation: Part 2 of previous message AQZ0143-00.

247

AQZ0145-40 PKZIP could not open file for reading: &1.

Explanation: PKZIP could not open file &1 for reading to compress. Review the job log and other messages for cause.

AQZ0146-40 Archive file and directory with the same name: &1.

Explanation: PKZIP found a file and directory to be selected with the same name. &1 will be bypassed and the job terminated.

AQZ0147-00 will just copy entry over: &1.

Explanation: PKZIP will copy the archive over the current archive file &1.

AQZ0148-40 Archive file empty.

Explanation: PKZIP process ended with no files in the archive file. Review selection process and preceding messages. The archive is not valid and cannot be used to extract files.

AQZ0149-10 File is being skipped due to previous error.

Explanation: An error occurred processing file &1 and the parameter ERROPT was set to *SKIP the file.

AQZ0150-40 Archive File <&1> is not found or empty without ADD TYPE.

Explanation: PKZIP process is running without TYPE(*ADD); cannot find the specified archive file, or the archive file is empty. For Actions other than *ADD, a valid archive must exist.

AQZ0151-00 <&1> include pattern or file could not find a match in search path.

Explanation: The Include pattern in the FILES or INCLFILE could not find a match during the PKZIP run. Review selection parameters, the library list, or the current directory.

248

AQZ0152-20 Cannot have duplicate names in Zip Include.

Explanation: PKZIP found entries in the FILES or INCLFILE that result in duplicate entries. Correct and rerun.

AQZ0153-00 Duplicates: 1st=<&1>, 2nd=<&2>.

Explanation: Part 2 of message AQZ0152 showing the duplicate files.

AQZ0154-20 Cannot read Archive file <&1> for *FRESHEN or *UPDATE.

Explanation: PKZIP is running with TYPE *FRESHEN or *UPDATE and could not read the archive file. Review the job log for other messages to determine cause.

AQZ0155-30 No files found for <&1> in archive file for *DELETE TYPE.

Explanation: The file pattern specified for a PKZIP run with *DELETE found no files that matched in the archive.

AQZ0156-00 Searching for files to include...

Explanation: PKZIP searching for files that match entered file specifications.

AQZ0157-40 Library <&1> cannot not be found.

Explanation: PKZIP, in an attempt to find file selections, could not find a specified Library. Review selection criteria in FILES and INCLFILE. Run is terminated.

AQZ0158-40 File not found in Library &1.

Explanation: PKZIP, in an attempt to find file selections, could not find a specified file in a specific Library. Review selection criteria in FILES and INCLFILE. Run is terminated.

249

AQZ0160-40 SFX File &1 Cannot be opened. Run Terminated.

Explanation: SELFXTRACT was coded to build an archive with a self extracting preamble. While trying to open that SFX file &1, an error occurred. See previous detail job log for more details on the failure. Contact the Product Services Division at 1-937-847-2687 for assistance.

AQZ0161-40 Error occurred while reading SFX file &1.

Explanation: SELFXTRACT was coded to build an archive with a self extracting preamble. While trying to read that SFX file &1, an error occurred. See previous detail job log for more details on the failure. Contact the Product Services Division at 1-937-847-2687 for assistance.

AQZ0162-40 Error Occurred while copying SFX file &1 to archive file.

Explanation: SELFXTRACT was coded to build an archive with a self extracting preamble. While trying to copy SFX file &1 to the archive, an error occurred. See previous detail job log for more details on the failure. Contact the Product Services Division at 1-937-847-2687 for assistance.

AQZ0163-00 Self Extracting code <&1> was added to archive with &2 bytes

Explanation: SELFXTRACT(&1) was coded to build an archive with a self extracting preamble. This is informational only on the addition of the preamble &1 to the archive.

AQZ0164-00 Removing &1 bytes preamble code from Archive File &2.

Explanation: SELFXTRACT(*REMOVE) was coded to remove the self extracting preamble from the archive. This is informational only on the removal of the preamble.

AQZ0165-00 File &1 exceeds 4 Gig and PKZIP is not running with GZIP(*YES). File bypassed.

Explanation: PKZIP is trying to compress file &1 in a standard archive (parameter GZIP is *NO) and the sizes exceed 4 gigabytes. Use GZIP(YES) to compress.

250

AQZ0166-40 Self Extraction Creation cannot be performed with Encryption.

Explanation: SELFXTRACT was coded to create a self extracting archive with advanced encryption. Advanced encryption is not supported with self extracting archives.

AQZ0167-40 Self Extraction Creation cannot be performed with Large File Support.

Explanation: SELFXTRACT was coded to create a self extracting archive and it was determined that ZIP64 format will be required for large file support. ZIP64 large file support is not provided for self extracting archives.

AQZ0168-40 Self Extraction preamble &1 is not supported.

Explanation: SELFXTRACT was coded to create a self extracting archive with &1. It is not available on your current environment. The job will be terminated. Contact the Product Services Division at 1-937-847-2687 for assistance.

AQZ0169-00 Inputted Recipient Listing.

Explanation: Informational heading for ZIP and UNZIP. The recipient list that was inputted will follow.

AQZ0170-00 &1 &2.

Explanation: Informational. A message for each inputted recipient list when Verbose(*all). This will show the optional/required, lookup type, and lookup string.

Example: Rqrd *LDAP EM=robb.ervin@pkware.com Opt'l *File /pkzshare/CStores/public/suegantt04.cer

AQZ0171-00 Simulated List:&1.

Explanation: CRTLIST(*SIMLUATE) was specified to simulate the selection list with the ZIP process and each file selected is shown with this message.

251

AQZ0172-40 Recipient Processing Fail due to error code &1.

Explanation: An internal error occurred with certificate processing. This should not occur. The message detail contains diagnostic information of this occurrence. Please contact the Product Services Division at 1-937-847-2687 for assistance. Control data <&1>.

AQZ0173-00 No Private Certificate found for decryption.

Explanation: No valid private certificates were found. At least one private key required for decryption. Control data <&1>.

AQZ0174-40 Recipient Encryption process failed.

Explanation: An internal error occurred with recipient encryption processing. This should not occur. The message detail contains diagnostic information of this occurrence. Please contact the Product Services Division at 1-937-847-2687 for assistance. Control data <&1>.

AQZ0175-00 Required Recipient<&1> Failed.

Explanation: An inputted recipient was coded to be required, but either the recipient string could not be found or the certificate was invalid. Review the inputted recipient shown in the message

AQZ0176-40 Invalid &1 Store for Recipient Processing.

Explanation: Either the public store, private store or LDAP definitions in the configuration security file are invalid. Run PKCFGSEC *VIEW and review the store definitions.

AQZ0177-40 No Recipients were selected for Encryption process.

Explanation: Recipient encryption was requested, but no valid recipients were found. Review inputted recipients and verify their existence.

AQZ0178-40 Required Recipient failed selection process.

Explanation: Inputted recipient that was coded as “required” failed to be found or contained an invalid certificate.

252

AQZ0179-00 Total Recipients processed &1.

Explanation: Information only. Displays the total number of recipients that were selected for processing.

AQZ0180-40 <&1> Recipient Requires Password for Private Key.

Explanation: UNZIP recipients require a certificate password for each recipient. This is required to access the private key for decryption. Re-run with password for each recipients certificate.

AQZ0181-00 Could Not Process Recipient In File <&1>.

Explanation: While trying to parse an INLIST recipients file, an error was found. Review the format, separators, beginning character and ending character.

AQZ0182-00 Invalid Recipient InFile<&1> Record Nbr &2.

Explanation: While trying to parse an INLIST recipients file, an error was found. Review the format, separators, beginning character and ending character. This shows the record number that caused the error in the INLIST file.

AQZ0183-00 Archive Recipient List:

Explanation: Informational Heading. The recipient list messages AQZ0184 follows.

AQZ0184-00 CN=&1 EMail=&2.

Explanation: Informational. Each recipient that is included in the process will be listed showing the common name and email address.

AQZ0185-00 Certificate Database is not Active.

Explanation: A recipient was authorized to use the certificate locator database (*DB) but the certificate database is not set to active in the security configuration file. Use PKCFGSEC *VIEW to view settings. And then use PKCFGSEC to set the database settings.

253

AQZ0186-40 Security Configuration Turned Off to disallow Certifcate Processing.

Explanation: A recipient was coded in the ENTPREC parameter, but the security configuration file is either missing or is not active (ZIP Secure Settings/ SecureZIP Active=NO). Use PKCFGSEC *VIEW to view settings. Use PKCFGSEC to set it active.

AQZ0187-40 No Private Key(s) provided to perform Decryption.

Explanation: Recipients supplied for decryption, but there were no recipients with a password (for private keys) that was selected. To do decryption, at least one valid private key is required.

AQZ0188-40 Recipient INLIST file &1 cannot be opened.

Explanation: The recipient list contains a lookup type of *INLIST for Inlist file processing. The file string supplied could not be found or opened. Verify the file and the file system where it resides. See TYPLISTFL parameter.

AQZ0189-40 No Signers were selected for Digital Signing processing.

Explanation: Digital signing was requested, but no valid signers were found. Review inputted signers and verify existence of certificates.

AQZ0190-40 Signing Processing Fail due to error code &1.

Explanation: An Internal error occurred with certificate processing. This should not occur. The message detail contains diagnostic information of this occurrence. Please contact the Product Services Division at 1-937-847-2687 for assistance. Control data <&1>.

AQZ0191-40 More Than one (1) Archive Signer was submitted..

Explanation: Only one archive signer is permitted. Change the SIGNERS parameter and resubmit with one archive signer.

AQZ0192-40 Required Signer or Authenticator failed selection process.

Explanation: Inputted signer or authenticator that was coded as "Required" failed to be found or contained an invalid certificate.

254

AQZ0193-40 Authenticating processing Failed due to error code &1.

Explanation: T.

AQZ0194-40 Request for Specific Authenticator was not found.

Explanation: Post &1.

AQZ0195-40 File Authentication check unsuccessful.

Explanation: Based on the authentication filters, one or more archive authentications failed. Failure codes (&1).

AQZ0196-30 Archive Has been Tampered with: Archive Authentication has been removed.

Explanation: x.

AQZ0197-40 Archive Authentication check unsuccessful.

Explanation: Based on the authentication filters, one or more archive authentications failed. Failure Codes (&1).

AQZ0198-40 Request for Optional Authenticators were not found.

Explanation: Post &1.

AQZ0199-40 Run being terminated for Authentication failure.

Explanation: T.

AQZ0200-40 Signers Requires password.

Explanation: Control data <&1>.

255

AQZ0201-00 PKUNZIP Archive: &1.

Explanation: PKUNZIP Informational: Currently processing archive file &1.

AQZ0203-10 Caution: File name not matched: &1.

Explanation: PKUNZIP could not find the specified file name in the FILES and/or INCLFILE parameters. File is not extracted.

AQZ0204-10 Caution: Excluded file name not matched: &1.

Explanation: Based upon entered EXCLUDE and EXCLFILE parameters, PKUNZIP did not find any names to exclude. This is informational only.

AQZ0205-00 Please check that you have transferred or created the Archive File in the appropriate BINARY mode.

Explanation: PKUNZIP displays this message as a reminder of a common cause of an invalid archive file. This message appears with invalid archive messages.

AQZ0206-40 Archive name <&1> contains invalid characters.

Explanation: The archive name contains characters that are invalid and will cause the archive to fail to be created. Correct archive and execute the job again.

AQZ0208-00 Skipping: &1 unsupported compression method &2.

Explanation: PKUNZIP, while trying to extract file &1, found an unsupported compression method. The file is unable to be extracted. Run PKUNZIP with TYPE(*VIEW) and VIEWOPT(*Detail) for more information about the file and its compression method. This file is skipped in this extraction run

AQZ0209-40 Signing is not activated.

Explanation: The signing of files and/or archives are set to No in the enterprise configuration file. (See PKCFGSEC)..

256

AQZ0210-40 Authentication is not activated.

Explanation: The authentication of files and/or archives are set to No in the enterprise configuration file. (See PKCFGSEC)..

AQZ0211-00 &1 appears to use backslashes as path separators.

Explanation: The selection file &1 appears to have double \\ in the name for path separators. Run will continue processing with normal separators. Review results to verify.

AQZ0212-00 Error: Invalid response [&1].

Explanation: An Invalid response was received for a reply message. Review the reply message request for a valid response, and once located, enter a valid response.

AQZ0213-00 At least one error was detected in &1.

Explanation: PKUNZIP encountered at least one error while processing. Review job log for messages.

AQZ0214-00 Caution: Zero files tested in &1.

Explanation: PKUNZIP found no files to test while processing with TYPE(*TEST). Review job log for other messages and review selection criteria. Run PKUNZIP with TYPE(*VIEW) and VIEWOPT(*Detail) to verify archive file.

AQZ0215-00 Skipping: &1 unable to get password.

Explanation: PKUNZIP is processing file &1 and it is encrypted, but no password was entered for this run. Re-run PKUNZIP with a correct password for file &1. Processing continues with other files.

AQZ0216-00 Skipping: &1 incorrect password.

Explanation: PKUNZIP is trying to process file &1 that is encrypted, but the password entered for this run was incorrect for this file. Processing continues. Execute the job again with the correct password.

257

AQZ0217-00 &1 file(s) skipped because of incorrect password.

Explanation: During this run of PKUNZIP, &1 file(s) were not processed due to incorrect passwords or missing passwords.

AQZ0218-00 (May instead be incorrect password).

Explanation: Part 2 of message AQZ0226 to remind that the failure may be due to an incorrect password. Review to see if file is encrypted by running PKUNZIP with TYPE(*VIEW) and VIEWOPT(*Detail) for the file and verify that encryption is on for the file.

AQZ0219-00 No errors detected in compressed data of &1.

Explanation: PKUNZIP encountered errors with archive file &1 during run. Review job log for messages.

AQZ0220-00 No errors detected in &1 for &2 file(s) tested.

Explanation: PKUNZIP was run with TYPE(*TEST). No errors were found in testing the selected files in the archive file &2.

AQZ0221-00 &1 file(s) skipped because of unsupported compression or encoding.

Explanation: PKUNZIP encountered &1 files that were bypassed due to unsupported compression methods. Review the job log for details.

AQZ0224-00 Warning: &1 is probably truncated.

Explanation: While trying to extract file &1, some type of write error occurred, forcing an incomplete extraction. The file has probably been truncated. Review the job log for more information about why this message occurred.

AQZ0225-20 &1: Unknown compression method.

Explanation: Compression method number &2 was found in the archive for file &1. This compression is unknown and is not supported by this PKUNZIP version. PKUNZIP will skip this file and then will attempt to extract the next file within the archive.

258

AQZ0226-00 &1: Bad CRC &2.

Explanation: While extracting file &1, the CRC calculated for the file was not the same as the CRC stored in the archive for the file.

AQZ0227-00 &1: Compressed EA data missing (&2 bytes).

Explanation: In extracting file &1, it was identified to be created as an EF NTSD file. The EA data is missing and the file will be not be extracted.

AQZ0228-00 Field entry: EF block length (&1 bytes) exceeds remaining EF data (&2 bytes).

Explanation: Inconsistent extra field data was found, which will be ignored. The extracted file data should be valid.

AQZ0231-00 &1: Bad CRC for extended attributes.

Explanation: A bad CRC was found in the extended attributes for an archive created by an OS/2 system. Extended Attributes are ignored.

AQZ0232-00 &1: Unknown compression method for EAs (&2).

Explanation: An unknown compression method found for an archive created by an OS/2 system. File is not extracted. Run PKUNZIP with TYPE(*VIEW) and VIEWOPT(*ALL) to see archive details.

AQZ0234-00 &1 archive&2 successfully processed.

Explanation: Informational: &1 is the number of files that were processed successfully in the archives.

AQZ0235-00 &1 archive&2 had warnings but no fatal error.

Explanation: Informational: &1 is the number of files processed in the archives that issued a warning. Review job log for their warnings.

259

AQZ0236-00 &1 archive&2 had fatal errors.

Explanation: There were &1 files in the archives that had a fatal error and could not be processed. Review job log for messages of the files that failed.

AQZ0240-00 No Archive files found.

Explanation: While searching for an archive to extract from, no archive file was found. Review to see that the archive exists.

AQZ0241-00 Cannot find archive file internal end directory in one of &1 or &2%s.zip, and cannot find %s, period.

Explanation: The archive file may not be an archive or it may be corrupted.

AQZ0242-40 Cannot find archive file &1, &2.

Explanation: The archive file could not be found. Review command parameters.

AQZ0246-00 Note: &1 may be a plain executable, not an archive.

Explanation: The archive file &1 is not an archive. Either it is corrupted, or it could be an executable object.

AQZ0247-00 Warning [&1]: &2 extra bytes at beginning or within Archive File (attempting to process anyway).

Explanation: The archive &1 contains extra bytes within the archive. Will attempt continued extraction. Verify other messages within the job log and review source of archive file. If no failing message occurs, the extract file should be valid.

AQZ0250-00 Testing: &1.

Explanation: PKUNZIP Informational: TYPE(*TEST) is in the processing of testing file &1.

260

AQZ0251-00 Extracting: &1 &2.

Explanation: PKUNZIP Informational: TYPE(*EXTRACT) is in the process of extracting a stored file &1 with mode of empty, binary, text, text in EBCDIC, SAVF, or database file.

AQZ0252-00 Unshrinking: &1 &2.

Explanation: PKUNZIP Informational: TYPE(*EXTRACT) is in the process of extracting file &1 that was compressed with the shrink method, and with either a mode of empty, binary, text, text in EBCDIC, SAVF, or database file.

AQZ0253-00 Exploding: &1 &2.

Explanation: PKUNZIP Informational: TYPE(*EXTRACT) is in the process of extracting file &1 that was compressed with the implode method, with either a mode of empty, binary, text, text in EBCDIC, SAVF, or database file.

AQZ0254-00 Inflating: &1 &2.

Explanation: PKUNZIP Informational: TYPE(*EXTRACT) is in the process of extracting file &1 that was compressed with the Deflate method, with either a mode of empty, binary, text, text in EBCDIC, SAVF, or database file.

AQZ0255-10 Member <&1> truncated to 10 characters.

Explanation: The member name of a file being extracted exceeds the ten-character limitation for an iSeries file member name. The name is truncated to ten characters.

AQZ0256-10 Warning: Cannot set times for &1.

Explanation: After extracting a file to the integrated file system, PKUNZIP failed to reset the date and time from the archive file to the file extracted to IFS. The file data is correct.

AQZ0257-00 When Creating an out list file, TYPE must be *VIEW with *NORMAL view.

Explanation: PKUNZIP has keyword CRTLIST specified and can only be used with TYPE(*VIEW) and VIEWOPT(*NORMAL). Correct the TYPE value and execute the job again.

261

AQZ0258-10 Overriding Library <&1> is invalid.

Explanation: Parameter EXDIR was specified in PKUNZIP with TYPE(*EXTRACT) and TYPFL2ZP(*DB). The first path in EXDIR contains an invalid Library due to the name exceeding 10 characters. Run is aborted. Correct the command and execute the job again.

AQZ0259-00 Target file exists. Skipping &1.

Explanation: Warning: PKUNZIP was extracting file &1, but the file already exists. Parameter OVERWRITE was either set to *NO or it was set to *PROMPT and the response on the prompt was N.

AQZ0260-00 Target file newer. Skipping &1.

Explanation: Warning: PKUNZIP was extracting file &1 with TYPE(*NEWER). The current file is newer than the file in the archive and will be skipped.

AQZ0261-00 File: &1 tested OK.

Explanation: Informational: PKUNZIP with TYPE(*TEST) tested file &1 and found no problems.

AQZ0262-20 Warning! &1 already exists. Reply Y, N, A, R, y, n, or r.

Explanation: Y = Overwrite this file with the file extracted from the archive. N = The file will not be extracted from the archive. A = All files in the archive will be extracted and will overwrite any existing files of the same name. R = you will be prompted for a new file name. The default is N. If you wish to change this default then use the CHGMSGD command.

AQZ0263-00 Enter in the new File Name for &1.

Explanation: PKUNZIP issued message AQZ0262 for prompt for the over writing of file &1. The response received was "R" to rename the file. Enter in a valid name for the new file.

262

AQZ0264-20 Warning: EBCDIC Translation code x’15’ must convert to x’0a’ in &1(&2) override.

Explanation: Keyword TRAN (Data EBCDIC Translation Mbr) was selected with an override member. EBCDIC code x’15’ must translate to x’0A’ for iSeries EOL(end of line) character. Correct and execute the job again.

AQZ0265-00 Warning: The password has embedded blanks.

Explanation: A password was entered for PKZIP keyword PASSWORD() and was found to have blanks embedded. Some systems do not accept embedded blanks in the password. Run continues with the entered password.

AQZ0266-00 Tersing &1 in &2 mode.

Explanation: PKZIP Informational: File &1 is being compressed with the TERSE compression method with either a mode of empty, binary, text, text in EBCDIC, SAVF, or database file.

AQZ0267-00 unTersing &1 &2

Explanation: PKUNZIP Informational: TYPE(*EXTRACT) is in the process of extracting file &1 that was compressed by the TERSE method, with either a mode of empty, binary, text, text in EBCDIC, SAVF, or database file.

AQZ0268-10 Warning! Record length mismatch. Archived file record length = &1, output file record length = &2.

Explanation: PKUNZIP has detected that the output file and the file in the archive have different record lengths. PKUNZIP will still try to extract the data, but the format and appearance of the data is not guaranteed. Please consult the manual for more information.

AQZ0269-40 Password Failed Enterprise Security Settings.

Explanation: The security configuration defines the password settings, and the password entered does not conform to the enterprise settings. Do a PKCFGSEC *VIEW to view the Password configuration.

263

AQZ0270-40 Password does not match the Verify Password. Re-enter and try again.

Explanation: The password entered in the VPASSWORD parameter does not match than the password entered in the PASSWORD parameter or VPASSWORD is missing when advanced encryption was selected. The run will be terminated. Re-issue the command and verify both PASSWORD and VPASSWORD contains the same values.

AQZ0271-40 Compressed Size Invalid for Advance Encryption.

Explanation: File &1 requires advanced encryption but has an invalid compress size of &2. Do a PKUNZIP TYPE(*VIEW) VIEWOPTION(*DETAIL) for more information about file. extract or test will continue.

AQZ0272-40 Advance Encryption is invalid for GIZP Archive.

Explanation: PKZIP is running with GZIP(*YES) and the option ADVCRYPT is specifying advanced encryption (other than *NONE and ZIPSTD), GZIP only supports ZIP standard for iSeries and zSeries. Note: Standard GZIP on platforms other than iSeries and zSeries do not support encryption.

AQZ0273-40 Major Error Occurred with Advanced Encryption with New File size. Will Try to continue.

Explanation: PKUNZIP failed while extracting a file with invalid advanced encryption controls. The extracted size exceeds the uncompressed size &1 by &2 bytes. Contact the Product Services Division at 1-937-847-2687 for assistance.

AQZ0274-40 Encryption Method is not Supported.

Explanation: PKUNZIP cannot extract file due to the encryption method indicated on the archive. Perform PKZIP TYPE(*VIEW) VIEWOPT(*ALL) to check encryption method on message AQZ0872. Only valid encryption methods supported are: Zip standard, AES 128, AES 192, and AES 256.

AQZ0275-40 A File in the Archive coded for Adavnced Encryption was found to be Invalid.

Explanation: PKUNZIP was extracting a file coded as being archived with advanced encryption. The file is invalid due to invalid encryption data. Perform PKZIP TYPE(*VIEW) VIEWOPT(*ALL) and check other messages in the job log for possible causes. If this continues, please contact the Product Services Division at 1-937-847-2687 for assistance.

264

AQZ0276-40 Security Types Not Supported for file Archive.

Explanation: PKUNZIP could not extract file. archive indicates that it contains security types of certificate signature or combination password and signature. PKUNZIP only supports password only. Do a PKUNZIP TYPE(*VIEW) VIEWOPT(*DETAIL) to see security type.

AQZ0277-40 Security Settings Require a Password on ZIP processes.

Explanation: The security configuration states that all archives must have a password for encryption, but no password was entered in the PASSWORD parameter. See PKCFGSEC.

AQZ0278-40 Enterprise Security Requires at least one Recipient for Certificate processing.

Explanation: The security configuration states that all archives must have at least one recipient for encryption, but no recipients were entered. See “ZIP Secure Settings: Recipient Secure(*RQD)” in PKCFGSEC *VIEW.

AQZ0280-40 Only TYPE(*ADD) or TYPE(*MOVE) are valid with Spool Files selection.

Explanation: When parameter TYPFL2ZP(*SPL) is used for spool file selection, only *ADD and *MOVE are valid settings for the TYPE parameter. Correct and execute the job again.

AQZ0281-40 File Inlcudes and Excludes are invalid for Spool File selection.

Explanation: When parameter TYPFL2ZP(*SPL) is used for spool file selection, the INCLUDE and EXCLUDE parameters are not allowed. Correct and execute the job again.

AQZ0282-40 Input list file for file includes and excludes are invalid with Spool File Selection.

Explanation: When parameter TYPFL2ZP(*SPL) is used for spool file selection, the INCLFILE and EXCLFILE parameters for list input file includes and excludes are not allowed. Correct and execute the job again.

265

AQZ0283-40 Date selection (DATETYPE) with Before or After is Invalid with Spool File Selection.

Explanation: When parameter TYPFL2ZP(*SPL) is used for spool file selection, the DATETYPE must be *NONE. Correct and execute the job again.

AQZ0284-40 STOREPATH(*NO) is invalid with Spool Selection.

Explanation: When parameter TYPFL2ZP(*SPL) is used for spool file selection, the STOREPATH must be *YES. Correct and execute the job again.

AQZ0285-40 The Spooled File and/or Attributes cannot be retrieved. Error Code=&1 with &2.

Explanation: While trying to retrieve a Spool File or the spool file attributes, an error (code=&1 with &2) occurred. Job will be aborted. It may be that the spool file was being modified. Try to execute the job again. If problem persists, please contact the Product Services Division at 1-937-847-2687 for assistance.

AQZ0286-40 Job information cannot be retrieved. Job ending with Error Code (&1 - &2).

Explanation: Information about current job could not be retrieved. Job will be aborted. Try |re-running. If problem continues, please contact the Product Services Division at 1-937-847-2687 for assistance.

AQZ0287-40 Spool File Selection List could not generated. Job ending with Error Code (&1 - &2).

Explanation: While trying to select spool files for processing, the job has failed while generating a list of spool files. Try to execute the job again. If problem persists, please contact the Product Services Division at 1-937-847-2687 for assistance.

AQZ0288-40 Abnormal Error Occurred while processing Spool Files.

Explanation: While processing a spool file, an internal error occurred with error codes (&1 - &2). Try re-running. If problem continues, please contact the Product Services Division at 1-937-847-2687 for assistance.

266

AQZ0289-40 Failure occurred during creation of Spool File.

Explanation: While trying to create a spool during extraction, a failure occurred with error codes (&1 - &2). Try re-running. If problem continues, please contact the Product Services Division at 1-937-847-2687 for assistance.

AQZ0291-40 SFJOBNAM in the PKZIP command is incomplete or Invalid.

Explanation: If the Spool File Job Name is “*”, spool file job user and spool file job number must be blank. Otherwise all fields must contain valid name, user and number or they must all be blank. Correct and execute the job again.

AQZ0292-40 Error Occurred while transforming the spool file. Job is aborted.

Explanation: A major error has occurred while transforming a spool file to an ASCII file. Job is being aborted with exception code(&1-&2). Try to execute the job again. If this failure continues, please contact the Product Services Division at 1-937-847-2687 for assistance.

AQZ0293-40 Parameter SFTARGET(*SPLF) requires SFTGFILE(*GEN1). Correct and re_run.

Explanation: SFTGFILE must be coded as *GEN1 when requesting a target type of Spool File SFTARGET(*SPLF). Correct and execute the job again.

AQZ0294-40 Spoof File (&1) is &2 type print file and Convert Format is TEXT. File bypassed.

Explanation: Only spool file types *SCS, *IPDS and *AFP are valid for text conversion. &2 type cannot convert to TEXT format.

AQZ0295-10 Spool File &1 is being skipped due to being in OPEN Status.

Explanation: Spool files that are in an open status are not eligible for selection. File will be skipped.

267

AQZ0296-10 Spool File "&1" Exceeds Maximum allowed size.

Explanation: The spool file &1 exceeded the maximum allowed of &2. File will be either skipped or the job will end based on ERROPT settings.

AQZ0297-40 The Output Queue for Spool Files selection cannot be found.

Explanation: The output queue specified in parameter SFQUEUE is invalid or cannot be found in the libraries specified.

AQZ0298-40 Invalid Code Page for Spool File conversion.

Explanation: While trying to convert a spool file to ASCII text, it was found the code page was invalid. Review parameter IFSCDEPAGE for overrides. Error occurred while using page code from &1 to &2.

AQZ0299-40 Spool File Target File Cannot be named GEN1 nor GEN2 nor start with an *.

Explanation: Spool file parameter SFTGFILE cannot have file names GEN1 and GEN2. This is to prevent mistakes by leaving off the leading *. SFTGFILE cannot start with an * other than special names *GEN1, *GEN1P and *GEN2'.

AQZ0300-10 A Specific File name was specified in SFTGFILE, but more than 1 spool file was selected.

Explanation: When specifying a file name in SFTGFILE, only one spool file can be selected. Correct selections and re-run.

AQZ0301-40 Parameter SFTARGET(*SPLF) requires EXTRAFLD(*YES). Correct and re_run.

Explanation: In order to be able to extract a spool file, extended attributes are required.

AQZ0302-40 FILETYPE parameter must be (*DETECT) when compressing Spool Files.

Explanation: When parameter TYPFL2ZP(*SPL) is coded to compress spool files, the FILETYPE parameter must be (*DETECT).

268

AQZ0303-10 Warning: Only Local Extended Attributes was selected to store iSeries Extended Attributes.

Explanation: This is a warning that the extra data fields will be stored only in the local directory because of parameter EXTRADATA(*LOCAL). SecureZIP for iSeries will not utilize the extended attributes.

AQZ0304-30 SFJOBNAM(&1) Job cannot not be found or is invalid.

Explanation: The parameter SFJOBNAM(&1) for job selection of a spool file could not be found or is an invalid job. Correct and execute the job again.

AQZ0305-30 SPLNBR parameter is non-numeric or invalid.

Explanation: The SPLNBR must be either *ALL, *LAST, or it must be a numeric value from 1 thru 999999. Correct and execute the job again.

AQZ0306-40 SFQUEUE with *SEL has invalid Outq library reference.

Explanation: The SFQUEUE parameter has the *SEL for the OUTQ name, but the library is either blank, *LIBL, or *CURRENT. PKZIP will be aborted. Correct and execute the job again.

AQZ0306-40 SFQUEUE with *SEL has invalid Outq library reference.

Explanation: The SFQUEUE parameter has the *SEL for the OUTQ name, but the library is either blank, *LIBL, or *CURRENT. PKZIP will be aborted. Correct and execute the job again.

AQZ0307-00 The SIGNPOL validation is locked down at the enterprise level.

Explanation: Warning. The SIGNPOL validation is locked down at the enterprise setting, therefore parameters request are ignored.

AQZ0308-00 The AUTHPOL validation is locked down at the enterprise level.

Explanation: Warning. The AUTHPOL validation is locked down at the enterprise setting, therefore parameters request are ignored.

269

AQZ0309-00 The ENCRYPOL validation is locked down at the enterprise level.

Explanation: Warning. The ENCYRPOL validation is locked down at the enterprise setting, therefore parameters request are ignored.

AQZ0310-00 The SIGNPOL filters ared locked down at the enterprise level.

Explanation: Warning. The SIGNPOL filters are locked down at the enterprise setting, therefore parameters request are ignored.

AQZ0311-00 The AUTHPOL filters ared locked down at the enterprise level.

Explanation: Warning. The AUTHPOL filters are locked down at the enterprise setting, therefore parameters request are ignored.

AQZ0312-00 The ENCRYPOL filters ared locked down at the enterprise level.

Explanation: Warning. The ENCRYPOL filters are locked down at the enterprise setting, therefore parameters request are ignored.

AQZ0320-30 Insufficient authority to open secured Archive. Requires valid &1.

Explanation: The archive specified is a filename-encrypted archive that requires validation before it can be opened by a password and/or valid private key from a recipient.

AQZ0321-40 Problem Procssing FNE.

Explanation: An Internal error occurred with filename-encryption processing. This should not occur. The message detail contains diagnostic information of this occurrence. Please contact the Product Services Division at 1-937-847-2687 for assistance. Please provide the message details for support.

AQZ0322-40 FND Temporary File Failure.

Explanation: An Internal error occurred with the filename-encryption processing temporary file. The message detail contains diagnostic information of this occurrence. Please contact the Product Services Division at 1-937-847-2687 for assistance. Please provide the message details for support.

270

AQZ0324-00 Warning: FNE Input Archive being converted to Non-FNE.

Explanation: The archive currently specified is a filename-encrypted archive, and the filename encryption parameter is coded as “FNE(*NO *YES)”. This will convert the filename-encrypted archive to be a non-filename-encrypted archive. This is a warning only.

AQZ0325-40 FNE is Invalid with GZIP.

Explanation: Both GZIP(*YES) and FNE(*YES) was entered. Filename encryption is an invalid GZIP option.

AQZ0326-40 FNE Requires a Password and/or Recipients.

Explanation: FNE(*YES) was entered to create a filename-encrypted archive, but no password or recipients were entered.

AQZ0327-40 FNE Requires Strong Encryption Algorithm.

Explanation: FNE(*YES) was entered to create a filename-encrypted archive, but the parameter ADVCRYPT was *NONE or ZIPSTD. Filename encryption requires advanced encryption.

AQZ0328-30 Input Archive is FNE with FNE(*NO *NO). Requires FNE Overwrite *YES to convert to non-FNE.

Explanation: The archive currently specified is a filename-encrypted archive, but the filename encryption parameter was FNE(*NO *NO). This filename-encryption setting will not create a new filename-encrypted archive or overwrite an existing filename-encrypted archive. If the updated archive is to be filename-encrypted, the parameter should be FNE(*YES). If the updated archive should be a non-FnE, the parameter should be (*NO *YES).

AQZ0329-00 Warning FNE will force EXTRAFLD(*CENTRAL).

Explanation: The filename encryption parameter was *YES to create an FnE archive, but the extra field was either *LOCAL or *BOTH. SecureZIP will force EXTRAFLD(*CENTRAL).

271

AQZ0330-00 Warning:FNE archive found. Inputted Password and/or Recipients will be ignored.

Explanation: The archive currently specified is a filename-encrypted archive for updating. The archive will be updated with its current password and/or recipients. This is a warning that any new password or new recipients will be ignored.

AQZ0401-40 Memory allocation failure while processing Parameters &1 &2.

Explanation: A failure occurred while trying to allocate memory. Check other messages in the job log for possible causes and refer to Appendix C about memory errors. If this continues, please contact the Product Services Division at 1-937-847-2687 for assistance.

AQZ0402-40 I/O Error: &1.

Explanation: An I/O error occurred. This message will help describe a previous message. Review all messages in the job log to resolve the problem.

AQZ0403-40 Open error occurred on Translate table <&1>.

Explanation: While opening file &1, an open error occurred. Review FTRAN and TRAN keyword entries and messages in the job log to determine the cause of problem. Current run is terminated.

AQZ0404-40 Read Error while reading Translate table <&1>.

Explanation: While reading file &1, an error occurred. Review FTRAN and TRAN keyword entries and messages in the job log to determine the cause of the problem. Browse file &1 and review the data to ensure it follows the requirements of a translate table. The current run is terminated.

AQZ0405-40 Translate Table must have 256 entries. File <&1> found &2 entries.

Explanation: A translation table is required to have 256 entries. Browse file &1 and review the data to ensure it follows the requirements of a translate table. The current run is terminated.

272

AQZ0406-40 Internal Error. Should not occur "&1".

Explanation: If this error occurs, review to ensure you have a valid archive. Please contact the Product Services Division at 1-937-847-2687 for assistance. Current run is terminated.

AQZ0407-40 &1 file size changed while zipping.

Explanation: PKZIP has determined that the size of file &1 has changed while compressing. Size Information (&2). File should be compressed again.

AQZ0408-40 Compression of input file &1 failed. Could not read input file.

Explanation: A read error occurred while trying to compress input file &1. Review all job log messages to determine cause of read error. The job is terminated.

AQZ0409-40 Failure during user space creation &1.

Explanation: A failure occurred while using an API, which required a user space that failed. See message &2 in job log for which API and why the failure occurred. The job is terminated.

AQZ0410-40 API list command failure due error &1 &2.

Explanation: Review error message &1 for more information why API list command &2 failed. The job is terminated.

AQZ0411-40 File &1. is not a database.

Explanation: A list member API was issued for file &1. A return message, "CPF3C23," indicates this file is not a database file, which is allowed to have members. Review file &1 to ensure it is a valid file to compress. The job is terminated.

AQZ0412-00 API error &1. Get Member descriptions <&2>.

Explanation: While issuing a Get Member descriptions for file &2, error &1 occurred. Review message &1 for more information.

273

AQZ0413-00 API error &1. Database File descriptions <&2>.

Explanation: While retrieving the file descriptions for file &2, error &1 occurred. Review message &1 for more information.

AQZ0414-00 API error &1. Get Object descriptions <&2>.

Explanation: While retrieving object descriptions for file &2, error &1 occurred. Review message &1 for more information.

AQZ0415-00 API error &1. Change Object descriptions <&2>.

Explanation: While issuing a change to the object &2, error &1 occurred. Review message &1 for more information.

AQZ0416-00 API error &1. Process Command <&2>.

Explanation: While trying to process command &2, error &1 occurred. Review message &1 for more information. This may occur if the user does not have the proper authority for the command.

AQZ0417-40 Error writing List file &1.

Explanation: Keyword CRTLIST was specified and an error occurred while writing to file &1. Review all job log messages for more details. The job will be terminated.

AQZ0418-40 Error opening or closing list file &1.

Explanation: Keyword CRTLIST was specified and an error occurred while &2 was opening or closing file &1. Review all job log messages for more details. The job will be terminated.

AQZ0419-40 Cannot open file <&1> for Include selection.

Explanation: File &1 (specified in keyword INCLFILE) cannot be opened. See job log messages for more information. Verify that file &1 is a valid file for input to include selection. The job is terminated.

274

AQZ0420-40 Cannot open file <&1> for Exclude filtering.

Explanation: File &1 (specified in keyword EXCLFILE), cannot be opened. See job log messages for more information. Verify that file &1 is a valid file for input to exclude selection. The job is terminated.

AQZ0421-00 File <&1> failed while retrieving the members for the file. Review Job Log for previous message for details of failure.

Explanation: When trying to retrieve the members for file <&1> and record <&2>, the API failed. The job log will show more details in the previous messages. One cause may be the file was remote and could not be accessed.

AQZ0450-40 Did not find end-of-central-dir signature at end of central dir.

Explanation: While scanning an archive for proper archive signatures, the end of central directory signature could not be found. Ensure it is a valid archive or if the archive was sent via FTP; ensure binary was used.

AQZ0451-40 Expected central file header signature not found (file #&1).

Explanation: While scanning an archive for proper archive signatures, the expected central file header signature could not be found. The archive may be corrupted, or it was transferred from another source incorrectly.

AQZ0452-40 Attempt to seek before beginning of Archive file &1.

Explanation: While scanning the archive for valid information, an offset caused PKZIP to attempt seeking functions prior to the beginning of the archive. The archive may be corrupted.

AQZ0453-40 &1: Bad file comment length.

Explanation: The archive indicated that a comment existed for file &1. The length was zero, or the comment length was wrong. Run PKUNZIP with detail view for more information.

275

AQZ0454-40 Invalid option mixture - should never occur by using PKUNZIP Command.

Explanation: Please contact the Product Services Division at 1-937-847-2687 for assistance.

AQZ0455-40 Both Overwrite *NONE and *ALL specified; ignoring *ALL - This should never Occur.

Explanation: By using the PKUNZIP command this error should never occur. Please contact the Product Services Division at 1-937-847-2687 for assistance.

AQZ0456-40 &1: bad filename length in &2 directory.

Explanation: File &1 was found to have a bad file name length in the archive &2 directory. Processing will continue at the next entry. Try running PKUNZIP with VIEWOPT(*DETAIL) to gather more information. The archive may be corrupt.

AQZ0457-40 &1: Bad Extra data length in &2 directory.

Explanation: File &1 was found to have a bad extra data length in the archive &2 directory. Processing will continue at the next entry. Try running PKUNZIP with a detail view to gather more information. The archive may be corrupt.

AQZ0458-40 File # &1: Bad Archive File offset (&2): &3.

Explanation: PKUNZIP was trying to extract or test files in the archive. File number #1 in archive contained a bad offset length (&2).

AQZ0459-20 Length warning: &1 bytes [&2].

Explanation: Length Warning: Based on the local directory, the bytes required are less than the actual bytes used. Review the extracted file and ensure it is extracted correctly. Run PKUNZIP with view detail to check files sizes. The file is extracted and the process continues.

AQZ0460-40 Length Error: &1 bytes [&2].

Explanation: Length Failure: Based on the local directory, the bytes required are more than the actual bytes used. Review the extracted file and ensure it is extracted correctly. Run

276

PKUNZIP with view detail to check files sizes. The file is extracted and the process continues.

AQZ0461-40 Error: Not enough memory to Unshrink &1.

Explanation: While trying to allocate memory to Un-shrink file &1, an error occurred. All processing is terminated. Check other messages in the job log for possible causes and refer to Appendix C about memory errors. If this continues, please contact the Product Services Division at 1-937-847-2687 for assistance.

AQZ0462-40 File #&1: Bad local header.

Explanation: File in the archive with sequence number &1 has an invalid local directory header. File cannot be extracted or tested. The archive may be corrupt.

AQZ0463-40 (Attempting to re - compensate).

Explanation: An error occurred previously in the archive (see the message log). An attempt will be made to compensate for the error.

AQZ0464-40 Skipping: &1 %2 volume label.

Explanation: An archive created under another system has a volume label appearing in the archive. iSeries cannot process this request and will skip file &1.

AQZ0468-40 Invalid compressed data to &1 &2.

Explanation: While attempting to uncompress file &2 using method &1, it was determined that the compressed data was invalid or corrupt. Review the log for other messages to help diagnose the problem. Do a PKUNZIP with VIEWOPT(*DETAIL). Verify the source of the archive that is being processed to verify if it was created using a compression product from PKWARE, Inc. Please contact the Product Services Division at 1-937-847-2687 for assistance.

AQZ0469-40 Error: Not enough memory to &1 &2.

Explanation: While attempting to uncompress file &2 using method &1, PKUNZIP could not allocate enough memory to extract file. Check other messages in the job log for possible causes and refer to Appendix C about memory errors. If this continues, please contact the Product Services Division at 1-937-847-2687 for assistance.

277

AQZ0470-40 &1: Out of memory while inflating EAs.

Explanation: While extracting file &1, an allocation of memory failure occurred while trying to extract and file with extended attributes. This archive was created by another system type. Check other messages in the job log for possible causes and refer to Appendix C about memory errors. If this continues, please contact the Product Services Division at 1-937-847-2687 for assistance.

AQZ0471-40 &1: Unknown error on extended attributes.

Explanation: While extracting file &1, an unknown error occurred while trying to process the extended attributes data. This archive was created by another system type.

AQZ0472-40 Unsupported extra-field compression type (&1)—skipping.

Explanation: The extended data fields for file &1 was found, but it’s not recognized or it’s Invalid. The file will be skipped.

AQZ0473-00 Error: Cannot allocate unzip buffers.

Explanation: While starting to extract the file, PKUNZIP could not allocate enough memory for IO buffers within the file. Job will be terminated. Check other messages in the job log for possible causes and refer to Appendix C about memory errors. If this continues, please contact the Product Services Division at 1-937-847-2687 for assistance.

AQZ0475-40 Warning [&1]: Archive File is disk %u of a multi-disk archive and this is not the disk on which the central Archive File directory begins.

Explanation: The archive indicates that part of a multi-disk archive is invalid for PKUNZIP. Review the source of the archive and ensure the archive is made up of one file.

AQZ0476-30 Warning [&1]: End-of-central-directory record claims this is disk &2 attempting to process anyway.

Explanation: The central directory has a setting that indicates this is a multi-archive disk file. It will attempt to process file &1. Expect "errors" and warnings; true multi-part support does not exist.

278

AQZ0477-30 Warning [&1]: Archive File claims to be last disk of a multi-part archive; attempting to process anyway.

Explanation: Expect errors and warnings, as true multi-part support does not exist.

AQZ0478-30 Error [&1]: Missing &2 bytes in Archive file (attempting to process anyway).

Explanation: While extracting files from archive file &1 with PKUNZIP, it was found to have &2 bytes missing according to the directories. PKUNZIP will continue attempting to extract the files and will complete the process.

AQZ0479-30 Error [&1]: NULL central directory offset (attempting to process anyway).

Explanation: While extracting from archive file &1, an error was found in the central directory offset. PKUNZIP will try to compensate and continue the process.

AQZ0480-30 Warning [&1]: Archive File is empty.

Explanation: PKUNZIP found that the archive file &1 is empty and that there is nothing to process.

AQZ0481-30 Error [&1]: Start of central directory not found; Archive file is corrupt.

Explanation: PKUNZIP could not find the start of the central directory in archive file &1. archive file is corrupt and the job will be terminated.

AQZ0482-30 Warning[&1]: Reported length of central directory IS &2 bytes too long. Compensating...

Explanation: PKUNZIP found that the length of the central directory of the archive is too long by &2 bytes. PKUNZIP will try to compensate and continue.

AQZ0483-40 End-of-central-directory signature not found in archive &1.

Explanation: An End-of-central-directory signature not found. Either the file &1 is not an archive file or it constitutes one disk of a multi-part archive. In the later case, the central directory and archive file comment will be found on the last disk(s) of this archive.

279

AQZ0484-00 Caution: Archive file &1 comment will be truncated.

Explanation: While displaying the archive file comment, it was truncated due to excess length. This affects only the displayed information, not the data itself.

AQZ0485-30 Error: Cannot delete old &1.

Explanation: Cannot delete file &1 on IFS system file type. See the job message log for more information.

AQZ0486-30 Error: PKZIP cannot open Archive File [ &1 ].

Explanation: Archive file &1 cannot be opened for reading in PKZIP. See the job message log for more information.

AQZ0487-30 Error: Cannot create &1.

Explanation: PKUNZIP was trying to create file &1 for extraction, but the create process failed. The file was not extracted. See the job message log for create failure.

AQZ0488-40 Error: Archive file &1 read error.

Explanation: PKUNZIP received a file error while reading archive file &1. Job is terminated. See the job message log for explanation of the error.

AQZ0489-10 Warning: Filename too long -- truncating.

Explanation: The file name length (including path) found in the archive exceeds the length of 255 bytes allowed in PKUNZIP. File name is truncated.

AQZ0490-10 Warning: Extra field too long (&1). Ignoring.

Explanation: The extended attribute is too long for PKUNZIP to allocate memory. The attributes will be ignored.

280

AQZ0491-40 Error: More than &1 simultaneous threads. Some threads are probably not calling DESTROYTHREAD().

Explanation: Internal error. This should not occur. Please contact the Product Services Division at 1-937-847-2687 for assistance.

AQZ0492-40 Error: Could not find global pointer in table Maybe somebody accidentally called DESTROYTHREAD() twice.

Explanation: Internal error. This should not occur. Please contact the Product Services Division at 1-937-847-2687 for assistance.

AQZ0493-40 Error: Global pointer in table does not match pointer passed as parameter.

Explanation: Internal error. This should not occur. Please contact the Product Services Division at 1-937-847-2687 for assistance.

AQZ0494-00 Warning: Cannot set UID &1 and/or GID %d for &2.

Explanation: After extracting a file successfully, PKUNZIP could change the UID attributes for a file in the integrated file system to the UID in the archive settings. See the job log for more information.

AQZ0495-00 Warning: Cannot set modification, access times for &1.

Explanation: After extracting a file successfully, PKUNZIP could change the modification time and the access time for a file in the integrated file system to the time that is stored within the archives. Times are left as the time extracted. See the job log for more Information.

AQZ0496-00 Warning: Cannot set permissions for &1.

Explanation: After extracting a file successfully, PKUNZIP could not set the authority permissions for the file in the integrated file system. File has job user as owner. See the job log for more information.

281

AQZ0498-40 &1: Write error was encountered while extracting.

Explanation: While extracting and writing file &1, an error occurred. It could be the allowable disk allocation for a user, a job, or a file. See the job log for more information. The current extracted file is incomplete.

AQZ0499-50 Archive file probably corrupt (&1).

Explanation: A Handler signal occurred in PKUNZIP, which indicates an internal error occurred, or the archive file is corrupt. Please contact the Product Services Division at 1-937-847-2687 for assistance with the archive file and the job log.

AQZ0501-20 Warning: Cannot allocate wildcard buffers.

Explanation: PKUNZIP could not allocate memory resources in the integrated file system wildcard buffers. Cannot select files. Check other messages in the job log for possible causes, and refer to Appendix C about memory errors. If problem persists, please contact the Product Services Division at 1-937-847-2687 for assistance.

AQZ0502-00 Creating directory: &1.

Explanation: Information only: PKUNZIP created directory &1 in the integrated file system.

AQZ0503-30 Mapname: Conversion of &1 failed.

Explanation: PKUNZIP failed while converting (mapping) the internal file &1 name to an iSeries external file name. Check the log to see if file was extracted successfully.

AQZ0504-20 Checkdir: Cannot create extraction directory &1.

Explanation: PKUNZIP failed while trying to create directory &1 in the integrated file system required extracting file.

AQZ0505-10 Warning: Cannot set UID &1 for &2.

Explanation: After extracting a file successfully, PKUNZIP could not change the UID attributes for a file in integrated file system to the UID in the archive settings. See the job log for more Information.

282

AQZ0506-10 Checkdir warning: Path too long; truncating &1.

Explanation: The path name in the archive file is longer than the 255 bytes permitted by the integrated file system. The path will be truncated for file extraction.

AQZ0508-10 Checkdir error: &1 exists but is not directory: unable to process.

Explanation: PKUNZIP was extracting a file to the integrated file system where the archive file name indicated it is a directory, but the file already exists and is not a directory. A default path will be used.

AQZ0509-10 Checkdir error: Cannot create &1 unable to process &2.

Explanation: PKUNZIP could not create directory &1 in the integrated files system. A default directory is used. See the JOB LOG For information about the failure.

AQZ0510-10 Checkdir error: Path too long: &1.

Explanation: PKUNZIP determined that the path of file to extract exceeded 255 bytes. The file will use default path.

AQZ0511-40 Failure to create file <&1> in Library <&2>.

Explanation: PKUNZIP was issuing a CRTPF command for a file that was using default settings before extracting and an error occur in the CRTPF command. See the job log for more information. The files are not extracted.

AQZ0512-40 Failure to create SAVF <&1> in Library <&2>.

Explanation: PKUNZIP was issuing a CRTSAVF command to create file &1 for extracting and the create process failed. See the job log for more information. The files are not extracted.

AQZ0513-10 Warning! Line &1 has been truncated.

Explanation: When writing a text file, the length of the line exceeded the record length of the output file and the line was truncated. Use an output file with the correct record length.

283

AQZ0514-30 Failure in creating Library &1 for Archive.

Explanation: PKUNZIP was trying to extract a file to library &1 and the library did not exist. PKUNZIP failed when trying to create the Library. For more information see the job log. This may be a security issue. The file is not extracted.

AQZ0515-40 PKZIP Failure in file read request. Request bytes &1.

Explanation: While trying to read a selected file for compression, PKZIP experienced an error where the size of the data read failed the request. View the job log to see if any messages pertain to the file. The file being used may cause this. The job will be terminated and the archive will be corrupted.

AQZ0516-40 Could not allocate Memory for Terse extraction. PKUNZIP is ending immediately.

Explanation: PKZIP was compressing the file with compression type *TERSE, but could not allocate memory for the TERSE buffers. Check other messages in the job log for possible causes and refer to Appendix C about memory errors. If the problem persists, please contact the Product Services Division at 1-937-847-2687 for assistance.

AQZ0517-40 Terse Extraction Failure. Work buffers are too small.

Explanation: PKUNZIP could not complete an extraction of a file compressed in TERSE mode because the buffers were too small. This should not occur for an archive created with this release. Please contact the Product Services Division at 1-937-847-2687 for assistance.

AQZ0518-00 Warning! File &1 has associated triggers.

Explanation: PKZIP has detected that the database file being zipped has trigger programs associated with it. PKZIP does not store trigger program information in the archive. See Appendix K for more information. This message only appears when compressing database files. If you want to preserve the trigger information, first save the file and trigger programs to a SAVF and then add the SAVF to the archive.

AQZ0519-00 Warning! File &1 has associated constraints.

Explanation: PKZIP has detected that the database file being zipped has constraints associated with it. PKZIP does not store constraint information in the archive. See Appendix K for more information. This message appears only when compressing database files.

284

If you wish constraint information to be preserved, first save the file to a SAVF and then add to the archive.

AQZ0520-00 Warning! File &1 uses an alternative collating sequence.

Explanation: The file being compressed uses an alternative collating sequence (the ALTSEQ keyword was specified in the DDS for the file). PKZIP does not store alternative collating table information in an archive. When unzipped, the file will not have the same access path. This message only appears when compressing database files. If you want to preserve the alternate sort order, first save the file in a SAVE and then add to the archive.

AQZ0521-00 Warning! File &1 has NULL capable fields.

Explanation: PKZIP has detected that one or more fields in the file are NULL capable. PKZIP will translate NULL numeric fields as zeros and NULL character fields as blanks. See Appendix K for more information. This message only appears when compressing database files. If you want to preserve NULL fields, first save the file in a SAVF and then add the SAVF to the archive.

AQZ0522-00 Database process selected but missing DB extended data record - File &1.

Explanation: Indicates that database attributes are present to create a database, but the database extended attributes could not be found. The archive may be corrupt. PKZIP will try to create file with default settings.

AQZ0523-00 Failure building DDS source to gen database - File &1.

Explanation: While building the DDS source for creating file &1, an error occurred in routine build_ddssrc with number &2. See the job log for other messages. Please contact the Product Services Division at 1-937-847-2687 for assistance.

AQZ0525-00 Warning! File &1 has Public Authorization List.

Explanation: PKZIP has detected that the database file being zipped has a public authorization list associated with it. PKZIP does not store public authorization list information in the archive. See Appendix K for more information. This message only appears when compressing database files. When extracting the file, it is up to the user to provide information about a public authorization list. If you wish to preserve public authorization list information, first save the file to a SAVF and then add the file to the archive.

285

AQZ0526-30 Extended attributes exceed 64K

Explanation: The extended attributes for the file being compressed exceeded the maximum length that can be accommodated in a PKZIP archive. Action: Either compress the file with DBSERVICES(*NO) or first save the file in the save file and then add to the archive.

AQZ0527-10 Warning: Text Record too long for buffers. Text Record length=&1. Buffer Length=&2

Explanation: A text record length exceeded the maximum supported buffer length of &2. Record is truncated. File extract should be reviewed for completeness. Probable cause: the file does not contain proper carriage return or line feed characters.

AQZ0528-00 Certificate Deleted From &1 Store.

Explanation: Cert <&2> Deleted from &1 Store. Where &1 will be the store CA or Root. &2 is the certificate data that was deleted. Part 1 is the index number. Part 2 is the Serial Number of the certificate. Part 3 is the friendly name of the certificate. For example: “Cert <12;01;PKWARE Test Intermediate Cert F;> Deleted from CA Store”

AQZ0600-00 Archive &1 Identified as a GZIP archive.

Explanation: PKZIP was run, specifying existing archive &1 and that the archive is identified as a GZIP archive. GZIP archive files cannot be updated.

AQZ0601-40 Option GZIP cannot zip to an existing archive.

Explanation: PKZIP GZIP(*YES) parameter has been specified and the archive indicated on the PKZIP command already exists. A GZIP archive cannot be updated; you can only compress in GZIP format to a new archive. Specify an archive name that is not in use.

AQZ0602-40 Option GZIP only allows 1 file per archive.

Explanation: GZIP processing has identified more than one file to include in the archive, but only one file is allowed per GZIP archive. Specify a file name or wildcard combination that identifies only one file or be more specific and specify the library, the file, and the member names.

286

AQZ0603-40 Invalid TYPE used with GZIP. TYPE(*ADD,*MOVEA,*VIEW) is only valid option for GZIP.

Explanation: A PKZIP TYPE other than *ADD, *MOVEA or *VIEW was specified with option GZIP(*YES). This is an invalid combination. The job will be terminated.

AQZ0604-00 PKZIP Compressed &1 files in GZIP Archive &2.

Explanation: &1 is the number of files that were compressed in this run of PKZIP, storing them in the GZIP archive File &2.

AQZ0605-40 GZIP cannot allocate memory for GZIP extraction.

Explanation: PKUNZIP was trying to extract the file from an archive identified as a GZIP archive, but could not allocate memory. The job is terminated. Check other messages in the job log for possible causes and refer to Appendix C about memory errors. If this continues, please contact the Product Services Division at 1-937-847-2687 for assistance.

AQZ0606-40 GZIP Archive File &1 probably corrupt.

Explanation: PKUNZIP was trying to extract from archive file &1, and it was identified as a GZIP archive. It was determined that it could be corrupt based on the setting in the header or trailer.

AQZ0607-40 Cannot Use compress(*STORE or *TERSE) with GZIP.

Explanation: GZIP parameter *YES cannot be used when COMPRESS parameter is set to *STORE or *TERSE.

AQZ0608-40 GZIP *YES cannot be used with FTRAN table.

Explanation: FTRAN table override cannot be used with option GZIP(*YES) due to compliance issues.

AQZ0609-00 Warning! GZIP Archive has non-compliant Flag settings.

Explanation: The archive being processed has reserve bits in the flag byte set. This may indicate the presence of new fields or options in the archive that prevent the file being extracted from being extracted correctly.

287

AQZ0610-40 GZIP Archive &1 contains no filename and Default Path was not specified.

Explanation: The GZIP archive that is being extracted does not contain a file name. To get a file name, use EXDIR keyword and enter a path and filename. If you are using the IFS, use path/filename. For the library file system, use library/filename.

AQZ0611-40 TEXTEDIT parameter is invalid with GZIP(*YES).

Explanation: GZIP archives do not support file comments. TEXTEDIT must be *NO.

288

AQZ0800 - AQZ0899 *VIEW Display Messages

AQZ0800-00 Filename: &1.

Explanation: Displays the archive file name being viewed or processed.

AQZ0801-00 Archive Comment: "&1".

Explanation: Displays the archive comment (if one exists) when TYPE(*VIEW) is used with parameters *NORMAL, *DETAIL, *COMMENT for keyword VIEWOPT( ).

AQZ0802-00 Length, Date, Time, Name.

Explanation: This message will appear at the top of the file information listing when the option VIEWOPT(*BRIEF) is used with TYPE(*VIEW).

AQZ0803-00 -------- ---- ---- ----

Explanation: This message will appear after message AQZ0802 for the file information listing when the option VIEWOPT(*BRIEF) is used with TYPE(*VIEW).

AQZ0804-00 &1 &2 &3.

Explanation: File information listing when the option VIEWOPT(*BRIEF) is used with TYPE(*VIEW). Length=uncompressed size, modifications Date and time of file, and the filename.

AQZ0805-00 -------- -------

Explanation: This message will appear after the brief file information listing as a separator when the option VIEWOPT(*BRIEF) is used with TYPE(*VIEW).

289

AQZ0806-00 &1 &2 file&3.

Explanation: This message is the totals for file information listing when the option VIEWOPT(*BRIEF) is used with TYPE(*VIEW). Total: Uncompressed size=&1, and Number of files in listing=&2.

AQZ0807-00 File Comment: "&1".

Explanation: Displays the file comment text when the option VIEWOPT(*COMMENT or *DETAIL) is used with TYPE(*VIEW).

AQZ0808-00 Length, Method, Size, Ratio, Date, Time, CRC-32, Name.

Explanation: This message displays the first heading in the file information listing when any of the parameters *DETAIL, *COMMENT, or *NORMAL is used with the VIEWOPT() option.

AQZ0809-00 -------- ------ ------- ----- ---- ---- ------ ----

Explanation: This message displays the second heading in the file information listing when any of the parameters *DETAIL, *COMMENT, or *NORMAL is used with the VIEWOPT() option.

AQZ0810-00 &1 &2 &3 &4 &5 &6 &7 &8.

Explanation: This message displays the file attributes in the file information listing when any of the parameters *DETAIL, *COMMENT, or *NORMAL is used with the VIEWOPT( ) option. Uncompressed file length=&1, compression method used=&2, compressed size=&3, compression ratio=&4, file date/ Time=&5, CRC-32=&6, for the file name &7.

AQZ0811-00 -------- ------- ---- -------

Explanation: This message displays the totals separator in the file information listing when any of the parameters *DETAIL, *COMMENT, or *NORMAL is used with the VIEWOPT( ) option.

AQZ0812-00 &1 &2 &3 &4 file&5.

Explanation: This message displays the totals in the file information listing when any of the parameters *DETAIL, *COMMENT, or *NORMAL is used with the VIEWOPT( )

290

option. Total uncompressed size=&1, total compressed size=&2, for &3 number files in listing.

AQZ0813-00 archive: &1 &2 bytes &3 file&4.

Explanation: Archive statistics for archive File &1, is &2 bytes is length with &3 files in archive. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0814-00 Created by: &1 &2.

Explanation: Displays the PKZIP operating system and the PKZIP algorithm version which the file was added to the archive. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0816-00 Minimum file system compatibility required: &1 &2.

Explanation: Information with TYPE(*VIEW) and VIEWOPT(*DETAIL) and only with debug option on. Shows detail operating system (&1) with version (&2).

AQZ0817-00 Zip Spec to Extract: &1.

Explanation: Displays the minimum version of the PKZIP specification required to extract the file from the archive. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0818-00 Compression method: &1 &2.

Explanation: Displays the compression method used to compress the file. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0821-00 Extended local header: &1.

Explanation: Shows the setting of the general-purpose bit to indicate an extended local header exists. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0822-00 Date and Time &1.

Explanation: Displays the modification date mm-dd-yyyy and time hh:mm of files attributes Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

291

AQZ0823-00 32-bit CRC value (hex): &1.

Explanation: Displays the value of the cyclical redundancy check (CRC) of a file in the archive. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0824-00 Compressed size: &1 bytes.

Explanation: Displays the compressed size of a file in the archive. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0825-00 Uncompressed size: &1 bytes.

Explanation: Displays the Uncompressed size of a file in the archive. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0826-00 Length of filename: &1 bytes.

Explanation: Displays the length of the file name of a file in the archive. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0827-00 Length of extra field: &1 bytes.

Explanation: Displays the length of the extended data field in the archive. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0828-00 Length of file comment: &1 characters.

Explanation: Displays the Length of a file comment if it exists in the archive. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0829-00 Size of sliding dictionary (implosion): &1K.

Explanation: Displays the size of the sliding dictionary that was used to compress a file in the archive with the implode compression method. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

292

AQZ0830-00 Number of Shannon-Fano trees (implosion): &1.

Explanation: Displays the number of Shannon-Fano trees that were used to compress a file in the archive with an implode compression method. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0831-00 Detected File type: &1 &2.

Explanation: Based on internal attributes; displays the file type that was detected for a file in the archive. The Types are: binary, text, text in EBCDIC, SAVF, UNKNOWN. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0834-10 Caution: Archive File comment truncated.

Explanation: The archive file comment exceeded the buffer size and will be truncated. This is only a warning that affects the display of the comment. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0835-00 Unknown Extended Attribute TAG &1 with length of &2.

Explanation: An unknown extended attribute key was found; PKUNZIP does not handle this, and it will be bypassed. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0836-00 Extended attributes: &1, [Length = &2].

Explanation: If extended attributes are stored in the archive for this file, then [Yes] is displayed, otherwise, [No] is displayed. The size of these extended attributes are &2 bytes. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0837-00 A sub field with ID &1 with a length of &2 bytes.

Explanation: This is only used in DEBUG mode only. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0838-00 - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Explanation: Displays a View file separator for reading purposes. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

293

AQZ0839-00 Found &1 file&2, &3 bytes uncompressed, &4 bytes compressed: &5.

Explanation: Displays the total number of files found in the archive (&1). Displays the total bytes uncompressed(&3) and the total bytes compressed(&4) for the archive. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0840-00 IFS: Code Page &1.

Explanation: Displays the code page of an IFS file in the archive. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0841-00 IFS: Creation Time &1.

Explanation: Displays the creation date and time of an IFS file in the archive. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0842-00 IFS: Access Time &1.

Explanation: Displays the last access date and time of an IFS file in the archive. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0843-00 IFS: Modification Time &1.

Explanation: Displays the last modification date and time of an IFS file in the archive. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0844-00 Lib Text Desc: &1.

Explanation: Displays the text associated with a library that contains the file that has been stored within the archive. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0845-00 File Text Desc: &1.

Explanation: Displays the text associated with a file that has been stored within the archive. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

294

AQZ0846-00 Mbr Text Desc: &1.

Explanation: Displays the text associated with the member of the file that has been stored in the archive. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0847-00 Record Length: &1.

Explanation: Displays the record length of the file in the archive. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0848-00 Source or Data: &1.

Explanation: Displays whether the file stored in the archive is a PF-DTA file or is a PF-SRC file type. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0849-00 Source Type: &1.

Explanation: Displays the source type, for example, CLP, RPG, CMD, etc., for a PF-SRC member. Displays Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0850-00 Unknown Database type: &1.

Explanation: The extended data field specifying the file is a database or is not invalid. Database options ignored. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0851-00 Database File Attributes-.

Explanation: This indicates that a file contains database file attributes in the archive. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0852-00 AUT(&1) MAXMBRS(&2) DLTPCT(&3) SIZE(&4 &5 &6) ALLOCATE(&7) CONTIG(&8) LVLCHK(&9) REUSEDLT(&10) Access path type: &11.

Explanation: Displays Database File Attributes:- File Authority: &1 Maximum no. members in file: &2 Max % deleted records in file: &3 Initial size of member: &4 Size of increment: &5 Max no. increments: &6. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

295

AQZ0853-00 Format Name(&1) No. Flds(&2) No. Key Flds(&3).

Explanation: Displays Database File Field Format Attributes: - File Format Name: &1 Number of fields in format:

&2 No. key fields in format: &3 Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0854-00 -Field descriptions:-

Explanation: Displays that a heading of Field descriptions will follow. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0855-00 Num, Name, Width Gen. U D N V K CCSID.

Explanation: DB Field Format Attributes: Num Field Number Name Internal Field name Width Field width (Number of digits/characters) Gen. Decimal Pos./Allocated Length/Time or Date format

U Usage (B = Both, I = Input, O = Output, N = Neither D Field Data type N Null field capable indicator V Variable length field indicator K Key Field indicator CCSID CCSID of field (N/A numeric fields). Information with TYPE(*VIEW)/VIEWOPT

AQZ0856-00 ----- ---------- ----- ----- - - - - - -----

Explanation: Displays heading separator for the field description details. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0857-00 &1 &2 &3 &4 &5 &6 &7 &8 &9 &10.

Explanation: This field has the following attributes:

&1 Num: Field Number &2 Name: Internal Field name &3 Width: Field width &4 General: &5 U: Usage &6 D: Field Data type &7 N: Null capable &8 V: Variable length field &9 K: Key Field &10 CCSID: CCSID of field Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

296

AQZ0858-00 Text: &1.

Explanation: Displays the text description for this field: &1. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0859-00 Alias: &1.

Explanation: Displays the alternative field name (alias) for this field: &1. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0860-00 Default: &1.

Explanation: Displays the default value for the field is: &1. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0861-00 Col Heading 1: &1.

Explanation: Displays the First column heading for the field is: &1. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0862-00 Col Heading 2: &1.

Explanation: Displays the second column heading for the field is: &1. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0863-00 Col Heading 3: &1.

Explanation: Displays the third column heading for the field is: &1. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0864-00 MAINT(&1) RECOVER(&2) FRCACCPTH(&3) ACCPTHSIZ(&4) Order: &5

Explanation: Displays the keyed access path attributes: - Order = Duplicate key sorting order. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

297

AQZ0865-00 File text: &1.

Explanation: Displays the text associated with the file that has been stored in the archive. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0866-00 Archive identified as a GZIP archive.

Explanation: Archive identified as a GZIP archive. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0867-00 VMS file attributes (&1 octal): 2.

Explanation: If present for a file in the archive, displays VMS file attributes. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0868-00 Amiga file attributes (&1 octal): &2.

Explanation: If present for a file in the archive, displays Amiga file attributes. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0869-00 Unix file attributes (&1 octal): &2.

Explanation: If present for a file in the archive, displays UNIX file attributes. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0870-00 Non-MSDOS external file attributes: &1 hex.

Explanation: If present for a file in the archive, displays non-MSDOS external file attributes. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0871-00 MS-DOS file attributes (&1 hex): &2.

Explanation: If present for a file in the archive, displays MS-DOS file attributes. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

298

AQZ0872-00 Advanced Encryption &1. &2.

Explanation: Displays the advanced encryption method the file was archived. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0873-00 Algorithm Key &1, Security type &2.

Explanation: Displays the Advanced encryption algorithm key text description and the security type (password, certificate signature, or combination password with signature) that was used to encrypt the file. Information with TYPE(*VIEW) and VIEWOPT(*DETAIL).

AQZ0874-00 Spool File Type: &1, Target File:&2, (CdPg=&3), Nbr Of pages(&4).

Explanation: Displays the spool file type, the target format file type, and the number of pages in the spool file. If the target is Text or PDF then (CdPg=&3) will be displayed to show the code page that was used to translate the EBCDIC to ASCII.

AQZ0875-00 SPLF Desc: &1.

Explanation: Displays the spool file name attributes with / separation with format: “Job-Name/User-Name/#Job-Number/Spool-File-Name/Fspool-File-Number.Suffix”.

AQZ0876-00 OS390 File Type &1

Explanation: Z390 MVS or VSE extended attributes.

AQZ0877-00 OS390 Record Format

Explanation: Z390 MVS or VSE extended attributes.

AQZ0878-00 OS390 Block Size &1

Explanation: Z390 MVS or VSE extended attributes.

299

AQZ0879-00 OS390 VSAM Record Size &1

Explanation: Z390 MVS or VSE extended attributes.

AQZ0880-00 OS390 VSAM Max Record Size &1

Explanation: Z390 MVS or VSE extended attributes.

AQZ0881-00 OS390 VSAM Cluster Name &1

Explanation: Z390 MVS or VSE extended attributes.

AQZ0882-00 OS390 VSAM Data Name &1

Explanation: Z390 MVS or VSE extended attributes.

AQZ0883-00 OS390 VSAM Index Name &1

Explanation: Z390 MVS or VSE extended attributes.

AQZ0884-00 ZIP64 Extended Information: Uncompressed size=&1; Compressed Size=&2

Explanation: Extended data to support large files. Original uncompressed size=&1; Compressed size=&2; Offset=&3.

AQZ0885-00 ZIP 64 Large File Support Found

Explanation: PKZIP was able to support large format files for this archive

AQZ0886-00 Archive has been Digitally Signed.

Explanation: The archive contains a digital signature for security purpose.

300

AQZ0887-00 Spool File OUTQ(&1) and User(&2)

Explanation: Displays the OUTQ that the spool file was compressed from and the user ID of the spool file.

AQZ0888-00 Number Certifcate Recipients &1.

Explanation: VIEWOPT(*ALL) option: Displays the number recipients found for the file in archive.

AQZ0889-00 Recipient List:

Explanation: VIEWOPT(*ALL) option: Header for recipient list in the messages aqz0890 following.

AQZ0890-00 CN=&1, EM=&2.

Explanation: VIEWOPT(*ALL) option: The common name and email address for each recipient found for the file in archive.

AQZ0891-00 Archive is FnE (File Name Encrypted).

Explanation: View information that the archive is a filename-encrypted archive.

AQZ0892-00 Archive is created as FNE &1.

Explanation: Informational only. Shows that the archive created is filename-encrypted and shows the compression and encryption used.

AQZ0893-00 File Signature: CN=&1; EM=&2; S/N=&3.

Explanation: Informational only. Shows informational data of the signature that is used to signed the file or archive. CN- Common name, EM-Email, and S/N- Serial Number.

AQZ0900-00 Archive is Non FNE Archive. Nothing to View.

Explanation: VIEWOPT(*FNE) or VIEWOPT(*FNEALL) requested, but the archive is not filename-encrypted.

301

AQZ0901-00 FNE: Encryption Type (&1) with Algo (&2).

Explanation: VIEWOPT(*FNE) or VIEWOPT(*FNEALL) requested for a filename-encrypted archive. This message shows the encryption type and algorithm used for the archive. Example “FNE: Encryption Type (Password and Recipients) with Algo (AES 256 Key) “.

AQZ0902-00 FNE: Compression &1 percent.

Explanation: VIEWOPT(*FNE) or VIEWOPT(*FNEALL) requested for FnE archive. This message shows the compression (if any exist) used for the archive. Example “FNE: Compression 0 percent “.

AQZ0903-00 FNE: Hashing Algo &1 with hash length &2.

Explanation: VIEWOPT(*FNE) or VIEWOPT(*FNEALL) requested for a filename-encrypted archive. This message shows the hash method used for the archive. Example “FNE: Hashing Algo CRC32 with hash length 4 “.

AQZ0904-00 FNE Contains &1 Recipients.

Explanation: VIEWOPT(*FNE) or VIEWOPT(*FNEALL) requested for a filename-encrypted archive. This message shows the number of recipients used for the FnE.

AQZ0905-00 FNE Recp #&1:&2.

Explanation: VIEWOPT(*FNEALL) requested for a filename-encrypted archive. This message shows the each FnE’s recipient Common Name and Email. Example “FNE Recp #2:CN=PKWARE Test3; EM=PKTESTDB3@nowhere.com;”.

AQZ0906-00 FNE : &1.

Explanation: VIEWOPT(*FNEALL) and VERBOSE(*ALL) requested for a filename-encrypted archive. This message shows the valid certificate dates for each recipient of a filename-encrypted archive. Example “FNE Recp #2:CN=PKWARE Test3; EM=PKTESTDB3@nowhere.com;”.

302

AQZ8xxx Configuration Messages

AQZ8003-00 SecureZIP Config Updated Successfully.

Explanation: PKCFGSEC had no errors while updating the enterprise configuration file. The “PKZCFG” file was updated.

AQZ8004-00 SecureZIP Config Updated Failed.

Explanation: PKCFGSEC encountered errors while updating the enterprise configuration file. The “PKZCFG” file has not been updated

AQZ8005-40 Could not create Config file - aborting.

Explanation: While running PKCFGSEC, the configuration file “PKZCFG” was not found. Therefore PKCFGSEC tried to create the file but the creation failed. Review the job log for messages on why the create failed.

AQZ8006-40 Could not Write Config file - aborting.

Explanation: While running PKCFGSEC, the configuration file “PKZCFG” is trying to be updated but failed. Review job log for messages on why update failed.

AQZ8007-40 Could not Copy Config file - aborting.

Explanation: Review the job log for messages on why the copy failed.

AQZ8008-40 Could open Confiuration File.

Explanation: The opening of configuration file “PKZCFG” has failed. Review the job log for messages on why update failed.

AQZ8009-40 Parameter &1 Path/File does not exist. <&2>.

Explanation: The File or Path for parameter &1 does not exist. Correct file/path or create the path/file and re-run. No updates will take place.

303

AQZ8010-40 The Library &1 in the parameters CERTDB does not exist.

Explanation: The Library for parameter CERTDB does not exist. Correct Parameter for the library where the Certificate Locator Database is located and re-run. No updates will take place.

AQZ8200-00 SecureZIP Security Administration.

Explanation: PKCFGSEC informational. Main heading.

AQZ8201-00 ZIP Secure Settings:

Explanation: PKCFGSEC informational. Subsection heading for ZIP secure settings.

AQZ8202-00 SecureZIP Active . . . . . .&1.

Explanation: PKCFGSEC informational. Security configuration setting for ZIP secure settings. See PKCFGSEC for explanation.

AQZ8203-00 Password . . . . . . . . .&1.

Explanation: PKCFGSEC informational. Security configuration setting for ZIP secure password setting. See PKCFGSEC for explanation.

AQZ8204-00 Recipient Secure . . . . .&1.

Explanation: PKCFGSEC informational. Security configuration setting for ZIP secure recipient secure setting. See PKCFGSEC for explanation.

AQZ8205-00 File Signing . . . . . . .&1.

Explanation: PKCFGSEC informational. Security configuration setting for ZIP secure file signing setting. See PKCFGSEC for explanation.

304

AQZ8206-00 Archive Signing . . . . .&1.

Explanation: PKCFGSEC informational. Security configuration setting for ZIP secure archive signing setting. See PKCFGSEC for explanation.

AQZ8207-00 File Authentication . . .&1.

Explanation: PKCFGSEC informational. Security configuration setting for zip secure file authentication setting. See PKCFGSEC for explanation..

AQZ8208-00 Archive Authentication . .&1.

Explanation: PKCFGSEC informational. Security configuration setting for ZIP secure archive authentication setting. See PKCFGSEC for explanation.

AQZ8209-00 Advance Encryption:

Explanation: PKCFGSEC informational. Security configuration setting for advance encryption. See PKCFGSEC for explanation.

AQZ8210-00 Frozen Method &.

Explanation: PKCFGSEC informational. Security configuration setting for advance encryption. See PKCFGSEC for explanation.

AQZ8211-00 Frozen Mode &1.

Explanation: PKCFGSEC informational. Security configuration setting for ADVANCE ENCRYPTION. See PKCFGSEC for explanation.

AQZ8212-00 Archive Password Specs:

Explanation: PKCFGSEC informational. Security configuration setting for archive password specifications. See PKCFGSEC for explanation.

305

AQZ8213-00 Min Length . . . . . . . .&1.

Explanation: PKCFGSEC informational. Security configuration setting for archive password specifications. See PKCFGSEC for explanation.

AQZ8214-00 Max Length . . . . . . . .&1

Explanation: PKCFGSEC informational. Security configuration setting for archive password specifications. See PKCFGSEC for explanation.

AQZ8215-00 Hardening Options . . . . .&1.

Explanation: PKCFGSEC informational. Security configuration setting for archive password specifications. See PKCFGSEC for explanation.

AQZ8216-00 Certificate PUBLIC Store:

Explanation: PKCFGSEC informational. Security configuration setting for certificate public store. See PKCFGSEC for explanation.

AQZ8217-00 Certificate PRIVATE Store:

Explanation: PKCFGSEC informational. Security configuration setting for certificate private store. See PKCFGSEC for explanation.

AQZ8218-00 Certificate CA Store:

Explanation: PKCFGSEC informational. Security configuration setting for certificate authority (CA) store. See PKCFGSEC for explanation.

AQZ8219-00 Certificate ROOT Store:

Explanation: PKCFGSEC informational. Security configuration setting for certificate ROOT store. See PKCFGSEC for explanation.

306

AQZ8220-00 Store&1 Location=&2.

Explanation: PKCFGSEC informational. Security configuration setting for store of group. See PKCFGSEC for explanation.

AQZ8221-00 Enterprise Encrypt Recipient:

Explanation: PKCFGSEC informational. Security configuration setting for enterprise encrypt recipient. See PKCFGSEC for explanation.

AQZ8222-00 Store Type(&1) Select="&2".

Explanation: PKCFGSEC informational. Security configuration setting for enterprise encrypt recipient. See PKCFGSEC for explanation.

AQZ8223-00 (&1)- Recipient &2.

Explanation: PKCFGSEC informational. Security configuration setting for enterprise encrypt Recipient. See PKCFGSEC for explanation.

AQZ8224-00 Enterprise Certificate Database.

Explanation: PKCFGSEC informational. Security configuration setting for enterprise certificate database. See PKCFGSEC for explanation.

AQZ8225-00 Active . . . . . . . . . .&.

Explanation: PKCFGSEC informational. Security configuration setting for enterprise certificate database. See PKCFGSEC for explanation.

AQZ8226-00 Search Mode . . . . . . . &1.

Explanation: PKCFGSEC informational. Security configuration setting for enterprise certificate database. See PKCFGSEC for explanation.

307

AQZ8227-00 File Name Encryption . .&1.

Explanation: PKCFGSEC informational. Security configuration setting for ZIP secure settings. See PKCFGSEC for explanation.

AQZ8228-00 Signing

Explanation: PKCFGSEC informational. Heading for Digital Signing settings.

AQZ8229-00 Hash . . . . . . . . .&1.

Explanation: PKCFGSEC informational. The hashing method used when performing digital signing. Either SHA1 or MD5.

AQZ8230-00 Configuration File &1.

Explanation: PKCFGSEC informational. Shows the actual configuration file used in PKCFGSEC.

AQZ8231-00 Updated date/time =&1.

Explanation: PKCFGSEC informational. Displays the date and time the configuration file was last updated.

AQZ8232-00 Authentication.

Explanation: PKCFGSEC informational. Heading for Authentication settings.

AQZ8233-00 Check . . . . . . . . .&1.

Explanation: PKCFGSEC informational. Defines the level of authentication or CRL. If None, no authentication will take place even if the files or archive have been signed. Warning will issue warning messages on any failures and Authenticate will stop processing on failures.

308

AQZ8234-00 Filters . . . . . . . .&1.

Explanation: PKCFGSEC informational. Describes the filters used for authentication.

AQZ8235-00 Encryption:.

Explanation: PKCFGSEC informational. Heading for Encryption certificate settings.

AQZ8236-00 Decryption:.

Explanation: PKCFGSEC informational. Heading for Decryption:certificate settings.

AQZ8237-00 Certificate CRL Store:

Explanation: PKCFGSEC informational. Security configuration setting for certificate CRL (certificate Revocation List) store. See PKCFGSEC for explanation.

AQZ8238-00 Revocation:.

Explanation: PKCFGSEC informational. Heading for Revocation processing settings.

AQZ8239-00 CRL Type. . . . . . . .&1.

Explanation: Define if CRL exist and the type of CRL store processing. At this time only Static CRL stores are supported.

AQZ8297-00 Certificate Validation Level:

Explanation: PKCFGSEC informational. Security configuration setting for certificate validation level. See PKCFGSEC for explanation.

AQZ8298-00 Best Fit: . . . . . . . . .&1.

Explanation: PKCFGSEC informational. Security configuration setting for certificate validation level. See PKCFGSEC for explanation.

309

AQZ8299-00 Type Select . . . . . . . .&1.

Explanation: PKCFGSEC informational. Security configuration setting for certificate validation level. See PKCFGSEC for explanation.

AQZ8300-00 LDAP Definitions:

Explanation: PKCFGSEC informational. Security configuration setting for LDAP definitions. See PKCFGSEC for explanation.

AQZ8301-00 Nbr Of Active . . . . . .&1.

Explanation: PKCFGSEC informational. Security configuration setting for the number of active LDAPs. See PKCFGSEC for explanation.

AQZ8302-00 LDAP nbr &1:

Explanation: PKCFGSEC informational. Security configuration setting for LDAP definitions. See PKCFGSEC for explanation.

AQZ8303-00 Network Name . . . . . . .&1.

Explanation: PKCFGSEC informational. Security configuration setting for LDAP definitions. See PKCFGSEC for explanation.

AQZ8304-00 Network Name . . . . . . .&1.

Explanation: PKCFGSEC informational. Security configuration setting for LDAP definitions. See PKCFGSEC for explanation.

AQZ8305-00 Port . . . . . . . . . . .&1.

Explanation: PKCFGSEC informational. Security configuration setting for LDAP definitions. See PKCFGSEC for explanation.

310

AQZ8306-00 Access User . . . . . . . .&1.

Explanation: PKCFGSEC informational. Security configuration setting for LDAP definitions. See PKCFGSEC for explanation.

AQZ8307-00 Access Password . . . . . .&1.

Explanation: PKCFGSEC informational. Security configuration setting for LDAP definitions. See PKCFGSEC for explanation.

AQZ8308-00 Search Mode . . . . . . . .&1.

Explanation: PKCFGSEC informational. Security configuration setting for LDAP definitions. See PKCFGSEC for explanation.

AQZ8309-00 Start Node . . . . . . . .&1.

Explanation: PKCFGSEC informational. Security configuration setting for LDAP definitions. See PKCFGSEC for explanation.

AQZ8310-00 3DES Compatability . . . .&1.

Explanation: PKCFGSEC informational. Security configuration setting for SecureZIP for 3DES compatibility setting. See PKCFGSEC for explanation.

AQZ8311-00 Time Out. . . . . . . . .&1.

Explanation: PKCFGSEC informational. Security configuration setting for LDAP definitions. See PKCFGSEC for explanation.

AQZ8312-00 Sequence. . . . . . . . . .&1.

Explanation: PKCFGSEC informational. Security configuration setting for LDAP definitions. See PKCFGSEC for explanation.

311

AQZ9xxx LICENSE Messages

AQZ9000-00 SecureZIP for iSeries (TM) Compression Utility Version &1, &2.

Explanation: Displays the Version &1 of SecureZIP for iSeries with version release date of &2.

AQZ9001-00 SecureZIP for iSeries (tm) running under Beta release &1.

Explanation: Displays if PKZIP is running under an Alpha or a Beta Release.

AQZ9002-00 PKZIP is being terminated due license validation failure.

Explanation: PKZIP could not validate the license. Obtain proper licensing keys from PKWARE, Inc., and run INSTPKLIC.

AQZ9003-00 Machine ID = &1, Processor Group = &2.

Explanation: Displays the machine CPU serial number and the processor group information.

AQZ9004-00 EVALUATION Running.

Explanation: PKZIP is running under demo and in evaluation mode. a license key needs to be obtained.

AQZ9005-00 Enterprise Registered.

Explanation: SecureZIP for iSeries is licensed with enterprise registered.

AQZ9006-00 Registered.

Explanation: SecureZIP for iSeries has been registered with a valid license key.

312

AQZ9007-00 Copyright. 2004 PKWARE, Inc. All Rights Reserved.

Explanation: SecureZIP for iSeries banner lines. Displays when PKZIP or PKUNZIP starts.

AQZ9008-00 THIS LICENSE HAS EXPIRED. To renew your license.

Explanation: During PKZIP start up processing, it was determined that your license has expired. See following messages on how to update your licenses.

AQZ9009-00 Contact your dealer with the following information.

Explanation: Informing that the next message provides information required to obtain a license update.

AQZ9010-00 Make sure you have run the Install License program INSTPKLIC.

Explanation: A problem has occurred when trying to open and process the licensing. This is probably due to not running the install license program.

AQZ9011-50 Could not open License file for <&1> -aborting &2.

Explanation: PKZIP or PKUNZIP could not open the license file. Job will terminate. This is probably due to not running the install program.

AQZ9012-50 Could not read License file base for <&1>, Length returned =&2.

Explanation: An error occurred while reading the PKZIP licensing file. Review the job log for more details. Job will be terminated.

AQZ9013-50 Could not read License file Feature for <&1>, Length returned =&2.

Explanation: An error occurred while reading the PKZIP licensing file. Review the job log for more details. Job is being terminated.

313

AQZ9014-00 &1, Warning - This license will expire in &2 days on &3.

Explanation: A warning that your license will expire soon. Contact your supplier to obtain a new license.

AQZ9015-00 UNREGISTERED Copy Running,

Explanation: SecureZIP for iSeries is running without a valid license. It will run temporarily for 30 days. Contact your supplier to obtain a new license with your serial number and processor group.

AQZ9016-00 Unregistered Hardware Found Exception. &1 Grace days allowed.

Explanation: Serial number and/or processor group was not found for SecureZIP for iSeries. A temporary license will be granted for &1 days. Contact your supplier to obtain a new license with your serial number and processor group.

AQZ9017-00 PKZIP (R) is a registered trademark of PKWARE (R), Inc.

Explanation: Trademark notes.

AQZ9018-40 Beta Release Has Expired Contact PKWARE, Inc. for Final Beta Release.

Explanation: You are running a Beta Version of SecureZIP for iSeries that has expired. Contact PKWARE, Inc., for a newer version of SecureZIP for iSeries.

AQZ9021-00 SecureZip(tm) is a trademark of PKWARE (R), Inc.

Explanation: Trademark.

AQZ9050-50 Could not create License file - aborting.

Explanation: While running INSTPKLIC, the licensing did not exist, so one needed to be created. An error occurred and INSTPKLIC could not be created. See the job log for more detailed information. Job will be terminated.

314

AQZ9051-50 Could not open License file for update-aborting.

Explanation: SecureZIP for iSeries could not open the license file for updating. Job will terminate. See the job log for details.

AQZ9052-50 Could write License file for update-aborting.

Explanation: SecureZIP for iSeries could not write to the license file with updates. Job will terminate. See the job log for details.

AQZ9054-50 Input File <&1> cannot be open for input.

Explanation: The PKZIP License Install program could not open the "Library/File(member)" - &1 input file that contains the licensing update keys. Job is terminated. See the job log for details.

AQZ9055-50 Error Reading Input Control file <&1>.

Explanation: The PKZIP License Install program could not read the "Library/File(member)" - &1 input file that contains the licensing update keys. Job is terminated. See the job log for details.

AQZ9056-00 &1 Evaluation set to expire in &2 days on &3.

Explanation: Feature Code &1 has been set for evaluation and will expire in &2 days on the date of &3.

AQZ9057-00 Nbr of Feature Control Records Type-&1 was &2.

Explanation: The total of inputted feature control records with type &1 was processed. This is only with debug turned on.

AQZ9058-00 Rec - &1 &2.

Explanation: Displays detail input control records being processed by INSTPKLIC (includes * comments).

315

AQZ9059-00 License File &1 Updated successfully.

Explanation: The PKZIP license file &1 was updated successfully with supplied control records.

AQZ9060-50 License file NOT Updated.

Explanation: Due to errors wile running the license install program, the license file was not updated. Review the job log for previous message, which indicates why the file was not updated.

AQZ9061-40 Error found in processing input parameters.

Explanation: Errors were found while processing the input control records in the license install program. License file was not updated. Review the job log for previous message, which indicates why the file was not updated.

AQZ9062-40 More than 1 control code 55 record, Run terminated.

Explanation: Only one customer control record beginning with 55 is allowed in the license control Program. Job will be terminated. Review Input Control file for control records.

AQZ9063-40 Control Record 55 must be 1st non-comment record.

Explanation: The first control record (non-comment) in the license control input file must the customer control record beginning with 55. Job will be terminated.

AQZ9064-40 Invalid Feature Code <&1> in Position 1 & 2.

Explanation: In positions 1 and 2 of the license control record is the feature code. The license install program found the invalid feature code of &1. The license file will not be updated. (See “Licensed Product Features” in Chapter 4).

AQZ9065-40 Invalid Date <&1> on record &2.

Explanation: An invalid feature date on control record number &2 was found. Date must be YYYYMMDD format with valid month and day. The license file will not be updated.

316

AQZ9066-40 An error has occurred in validating the Customer Number &1 - Contact your Dealer.

Explanation: The customer number &1 was found to be invalid. Contact your salesperson or reseller for correct codes. The license file will not be updated.

AQZ9067-40 An error has occurred in validating the License - Contact Your Dealer.

Explanation: The validation of the license was found to be Invalid. Contact your salesperson or reseller for correct codes. The license file will not be updated.

AQZ9068-40 An error has occurred in validating the License. Contact Your Dealer.

Explanation: The validation of the license was found to be Invalid. Contact your salesperson or reseller for correct codes. The license file will not be updated.

AQZ9069-40 Customer name cannot be blank for Control 55.

Explanation: In the customer control record (starts with 55), the customer name should contain the Customers name in positions 23 thru 72 and must not be blank.

AQZ9070-40 Duplicate hardware<%s> found for Feature %2.

Explanation: Only one unique hardware (serial number and processor group) is allowed per feature code. The license file will not be updated.

AQZ9071-40 Embedded blanks in hardware <&1> for feature &2.

Explanation: The hardware codes (serial number and processor group) must all be non-blank characters. The license file will not be updated.

AQZ9072-40 Max hardware exceeded &2 for Feature &2.

Explanation: All hardware available entries are in use. There is no room to add another hardware entry for the product. Contact your salesperson or reseller.

317

AQZ9073-40 &1 Request to setup DEMO rejected. DEMO is already running.

Explanation: A request in the License install program to setup a demo license was issued, but a demo is currently active. A demo request cannot be run until current demo expires. The license file is not updated.

AQZ9074-40 Cannot do VIEW option until file has been Installed.

Explanation: A request in the license Install program to view the current license setting was issued, but the VIEW option cannot be used until one valid install is processed.

AQZ9075-40 Invalid or Missing Member Name.

Explanation: Special characters or a blank member name was submitted in the command INSTPKLIC for parameter INMBR.

AQZ9076-40 Feature Code &1 is invalid for Customer Number &2.

Explanation: The customer number &2 on the input control record is invalid for the specified feature code &1. Contact your salesperson or reseller for correct codes. The license file will not be updated.

AQZ9077-40 License Keys have invalid version setting.

Explanation: The version of the keys entered is a mismatch to SecureZIP for iSeries version. Review input file for keys.

AQZ9078-40 SecureZip Control Record 57 must be 1st non-comment record.

Explanation: The first control record (non-comment) in the license control input file must the customer control record beginning with 57. Job will be terminated.

AQZ9079-00 *********************************************

Explanation: Displays a print separator for INSTPKLIC viewing.

318

AQZ9080-00 A License Report requested on &1 from CPU Serial# &2.

Explanation: The licensing Install program was run with TYPE(*VIEW), and the report of the current status of the license will be following for this CPU.

AQZ9081-00 &1 Product Licensed to Customer # &2 -&3.

Explanation: Displays the version, customer number and customer name currently on license file. Information of INSTPKLIC with TYPE(*VIEW).

AQZ9082-00 &1-DEMO with &2 Days remaining (&3).

Explanation: Displays the hardware &1 is running as a demo and has &2 days remaining. Information of INSTPKLIC with TYPE(*VIEW).

AQZ9083-00 Enterprise Licensed. All Products Features are available on all CPUs. Expiration Date is &1.

Explanation: Display that all CPUs are being run with the enterprise license; also displays the expiration date. Information of INSTPKLIC with TYPE(*VIEW).

AQZ9084-00 &1 Licensed --Expires &2 for processors:.

Explanation: Displays the feature codes (&1) and their expiration date(&2) that is associated with the current license file. Information of INSTPKLIC with TYPE(*VIEW).

AQZ9085-00 Serial# &1 Processor Type &2.

Explanation: Displays the list of hardware that is active under the feature code (AQZ90084). Information of INSTPKLIC with TYPE(*VIEW).

AQZ9086-00 Serial# &1 is Not Licensed. Use Of The Product will CEASE in &2 days (&3).

Explanation: Displays the hardware that is not currently licensed for the above feature code (AQZ9084) and display when it will expire. Information of INSTPKLIC with TYPE(*VIEW).

319

AQZ9087-00 Contact PKWARE, Inc. for Licensing.

Explanation: Informational message to contact your support technician for licensing update. Please contact the Product Services Division at 1-937-847-2687 for assistance.

AQZ9100-40 !!!PZ Base Module is not licensed for this Serial Number. Run will not be processed.

Explanation: The !!!PZ base module could not be validated. Obtain proper licensing keys from your salesperson or reseller and run INSTPKLIC. See Message AQZ9087 for more contact information.

AQZ9101-40 Compression Feature is not licensed for this Serial Number. Run will not be processed.

Explanation: PKZIP could not validate the compression license feature. Obtain proper licensing keys from your salesperson or reseller and run INSTPKLIC. See Message AQZ9087 for more contact information.

AQZ9102-40 Decompression Feature is not licensed for this Serial Number. Run will not be processed.

Explanation: PKZIP could not validate the decompression license feature. Obtain proper licensing keys from your salesperson or reseller and run INSTPKLIC. See Message AQZ9087 for contact information.

AQZ9103-40 GZIP Feature is not licensed for this Serial Number. Run will not be processed.

Explanation: PKZIP could not validate the GZIP license feature. Obtain proper licensing keys from your salesperson or reseller and run INSTPKLIC. See Message AQZ9087 for more contact information.

AQZ9104-40 Directory Integration Feature is not licensed for this Serial Number. Run will not be processed.

Explanation: PKZIP could not validate the directory integration (LDAP) license feature. Obtain proper licensing keys from your salesperson or reseller and run INSTPKLIC. See Message AQZ9087 for more contact information.

320

AQZ9105-40 Advance Encryption Feature is not licensed for this Serial Number. Run will not be processed.

Explanation: PKZIP could not validate the advance encryption license feature. Obtain proper licensing keys from your salesperson or reseller and run INSTPKLIC. See Message AQZ9087 for more contact information.

AQZ9106-40 Spool File Feature is not licensed for this Serial Number. Run will not be processed.

Explanation: PKZIP could not validate the spool file license feature. Obtain proper licensing keys from your salesperson or reseller and run INSTPKLIC. See Message AQZ9087 for more contact information.

AQZ9107-40 Beta Release Has Expired Contact PKWARE, Inc. for Final Beta Release.

Explanation: You are running a beta version of SecureZIP for iSeries that has expired. Contact PKWARE, Inc., for a newer version of SecureZIP for iSeries.

AQZ9109-00 Self Extraction Support Feature is not licensed for this Serial Number. Run will not be processed.

Explanation: PKZIP could not validate the self extraction support feature. Obtain proper licensing keys from your salesperson or reseller and run INSTPKLIC. See Message AQZ9087 for more contact information.

AQZ9110-40 Advance Encryption Feature is not licensed for this Serial Number. Authentication will not take place.

Explanation: The AUTHPOL was set to authenticate either the archive or file, But Advance Encryption Feature is not licensed. The AUTHPOL will now be set to *NONE.

321

ZPCA801x – ZPCA899x Messages These messages relate to certificate store administration.

ZPCA801E Invalid parameter value for Preferred Certificate Store. Value = %s..

Explanation: The PKCAADMN utility expects one of the following value for the Preferred Certificate Store parameter:

CA - Certificate Authority Store RT - Root Store CR - Certificate Revocation List Store BG - Best Guess or DETECT (PKCAADMN attempts to select the storebased on the

input certificate constraints.) %s Shows the value that the PKCAADMN utility received for the Preferred Certificate

Store parameter. Response: The PKCAADMN utility will be unable to proceed without a properly specified

Preferred Certificate Store parameter. Program execution will terminate.

Determine the origin of the incorrect value and change to one of the correct input values listed above.

ZPCA802E ZPCA802E Invalid parameter value for Action. Value = %s.

Explanation: The PKCAADMN utility expects one of the following value for the Action parameter: - Add certificate to a store D - Delete a certificate from a store V - Verify the integrity of a store S - Short list of a store's contents L - Long list of a store's contents I - Initialize a certificate store B - Browse a certificate file's contents

%s Shows the value that the PKCAADMN utility received for the Action parameter.

Response: The PKCAADMN utility will be unable to proceed without a properly specified Action parameter. Program execution will terminate. Determine the origin of the incorrect value and change to one of the correct input values listed above.

ZPCA803E Invalid parameter value for Certificate File Type. Value = %s.

Explanation: The PKCAADMN utility expects one of the following value for the Certificate File Type parameter:

CER - .cer Certificate File (also called a PEM file) P7B - PKCS #7 Certificate File CRL - .crl Certificate Revocation List File

%s Shows the value that the PKCAADMN utility received for the Certificate File Type parameter.

Response: The PKCAADMN utility will be unable to proceed without a properly specified Certificate File Type parameter. Program execution will terminate. Determine the

322

origin of the incorrect value and change to one of the correct input values listed above.

ZPCA804E Cert Wrap initialization failed.

Explanation: The PKCAADMN relies on the Cert Wrap modules to process certificate files and stores. Without the proper execution of these modules, the PKCAADMN cannot function. If initialization of Cert Wrap cannot be completed, the PKCAADMN program cannot continue.

Response: The PKCAADMN utility will be unable to proceed without Cert Wrap initialization. Program execution will terminate. Contact PKWARE Technical Support to determine the origin of the Cert Wrap failure.

ZPCA805E Open certificate store failed. Store '%s1' type incompatible with certificate '%s2' type.

Explanation: When performing an add to store operation, the PKCAADMN utility requires that the type of the certificate match the type of the store that the certificate is being added to. In the case of the CA store, this means the certificate must have the certificate authority constraint.* For the root store, the certificate must be self signed.

%s1 Shows the value that the PKCAADMN utility received for the certificate store.

%s2 Shows the value that the PKCAADMN utility received the certificate file.

Response: The PKCAADMN utility will be unable to proceed with the add command without the certificate store type and the certificate file type matching. Program execution will terminate. Determine the origin of the type mismatch and change the certificate store and/or certificate file values so that the certificate and store types match and reattempt the add command.

ZPCA806E The certificate store '%s' was not opened.

Explanation: While attempting to open the certificate store file, the PKCAADMN program was unable to open the file. %s Shows the value that the PKCAADMN utility received for the certificate store.

Response: The PKCAADMN utility will be unable to proceed with the command without a valid certificate store being specified. Program execution will terminate. Verify that the correct file name was passed to PKCAADMN for the certificate store name and reattempt the command.

323

ZPCA807E Memory allocation error.

Explanation: The PKCAADMN program was unable to allocate storage space.

Response: The PKCAADMN utility will be unable to proceed without the ability to allocate memory for storage. Program execution will terminate. Contact PKWARE Technical Support to determine the origin of the memory allocation error.

ZPCA808E Failed to read from certificate store '%s'.

Explanation: The PKCAADMN program was unable to read from the specified certificate store file. %s Shows the value that the PKCAADMN utility received for the certificate store.

Response: The PKCAADMN utility was able to open the specified certificate store file. However, the program was unable read from the file. Program execution will terminate. Verify that the file is indeed a valid certificate store file and attempt the command again.

ZPCA809E Failed to read the entire file '%s'. Expected %d1, read %d2.

Explanation: The PKCAADMN program was unable to read all of the data from the specified certificate store file. %s Shows the value that the PKCAADMN utility received for the certificate store. %d1 Shows the expected data size to be read from the certificate store file. %d2 Shows the actual data size read from the certificate store file.

Response: The PKCAADMN utility was able to open the specified certificate store file and read from it successfully. However, the program was unable to read all the expected data from the file. Program execution will terminate. Verify that the file is indeed a valid certificate store file and attempt the command again.

ZPCA810E Failed to build certificate store '%s'.

Explanation: The PKCAADMN program was unable take the data from the file and form a certificate store in memory. %s Shows the value that the PKCAADMN utility received for the certificate store.

Response: The PKCAADMN utility was able to open the specified certificate store file and read all the data from it successfully. However, the program was unable to use the data from the file to form a valid certificate data structure in memory. Program execution will terminate. Verify that the file is indeed a valid certificate store file and attempt the command again.

ZPCA811E Cert Wrap failed to open '%s'. CW Error = 0X%X.

Explanation: The PKCAADMN program was unable take the data from the certificate file and form a certificate data object in memory. %s Shows the value that the PKCAADMN utility

324

received for the certificate file. %X Shows the hexadecimal value the Cert Wrap module returned upon failure to process the certificate file.

Response: The PKCAADMN utility was able to open the specified certificate file and read all the data from it successfully. However, the program was unable to use the data from the file to form a valid certificate data structure in memory. Program execution will terminate. Verify that the file is indeed a valid certificate file and attempt the command again.

ZPCA812E Cert Wrap failed to add '%s'. CW Error = 0X%X.

Explanation: The PKCAADMN program was unable to add the specified certificate file to the certificate store. %s Shows the value that the PKCAADMN utility received for the certificate file. %X Shows the hexadecimal value the Cert Wrap module returned upon failure to add the certificate file to the certificate store.

Response: The PKCAADMN utility was able to open the specified certificate file and process the data. However, the utility failed to add to certificate to the store. Program execution will terminate. Verify that the file is indeed a valid certificate file and attempt the command again.

ZPCA813E Cert Wrap failed to free certificate context. CW Error = 0X%X.

Explanation: The PKCAADMN program was unable to release the system resources allocated by the Cert Wrap modules during program execution. %X Shows the hexadecimal value the Cert Wrap module returned upon failure to free the certificate context.

Response: The PKCAADMN utility was unable to release the system resources allocated by the Cert Wrap modules during program execution. This is indicative of an internal program error. Program execution will terminate. Contact PKWARE Technical Support to determine the resolution of the program error.

ZPCA814E Cannot continue. Unable to close root store.

Explanation: The PKCAADMN program was unable to close the root store. The program allocates system resources associated with the root store and was unable to free those resources after use.

Response: The PKCAADMN utility was unable return the root store resources back to the operating system after use. The program cannot recover from this state and the program execution will terminate. It is possible that the certificate store is corrupt in some way. Verify that the root store is valid. If the root store proves valid, contact PKWARE Technical Support to determine the source of the failure.

325

ZPCA815E Cannot continue. Unable to close CA store.

Explanation: The PKCAADMN program was unable to close the CA store. The program allocates system resources associated with the CA store and was unable to free those resources after use.

Response: The PKCAADMN utility was unable return the CA store resources back to the operating system after use. The program cannot recover from this state and the program execution will terminate. It is possible that the certificate store is corrupt in some way. Verify that the CA store is valid. If the CA store proves valid, contact PKWARE Technical Support to determine the source of the failure.

ZPCA816E Cannot continue. Unable to save certificate store.

Explanation: The PKCAADMN program was unable to save the certificate store. The program write the certificate store back to disk to complete the operation and was unable to do so.

Response: The PKCAADMN utility was unable write the certificate store back to disk. The program cannot recover from this state and the program execution will terminate. It is possible that the certificate store is corrupt in some way. Verify that the certificate store is valid. If the store proves valid, verify that the utility has write access to the disk in question and reattempt the operation.*

ZPCA817E Failed to write to certificate store '%s'.

Explanation: The PKCAADMN program was unable to write to the specified certificate store file. %s Shows the value that the PKCAADMN utility received for the certificate store.

Response: The PKCAADMN utility was able to open the specified certificate store file. However, the program was unable write to the file. Program execution will terminate. Verify that the file is indeed a valid certificate store file and attempt the command again.

ZPCA818E Failed to write the entire file '%s'. Expected %d1, wrote %d2.

Explanation: The PKCAADMN program was unable to write all of the data to the specified certificate store file. %s Shows the value that the PKCAADMN utility received for the certificate store. %d1 Shows the expected data size to be written to the certificate store file. %d2 Shows the actual data size written to the certificate store file.

Response: The PKCAADMN utility was able to open the specified certificate store file and wrote to it successfully. However, the program was unable to write all the expected data to the file. Program execution will terminate. Verify that the file is indeed a valid certificate store file and attempt the command again.

326

ZPCA819E Cannot continue. Nothing found to save to the certificate store.

Explanation: The PKCAADMN program found nothing to write to the specified certificate store file.

Response: The PKCAADMN utility was able to open the specified certificate store file but found nothing to write. This is an unrecoverable program state and the program execution will terminate. Verify that the file is indeed a valid certificate store file and attempt the command again.

ZPCA820E Cannot continue. Unable to close the certificate store.

Explanation: The PKCAADMN program was unable to close the certificate store. The program allocates system resources associated with the certificate store and was unable to free those resources after use.

Response: The PKCAADMN utility was unable return the root store resources back to the operating system after use. The program cannot recover from this state and the program execution will terminate. It is possible that the certificate store is corrupt in some way. Verify that the root store is valid. If the root store proves valid, contact PKWARE Technical Support to determine the source of the failure.

ZPCA821E Cannot continue. Unable to close certificate revocation list store.

Explanation: The PKCAADMN program was unable to close the certificate revocation list store. The program allocates system resources associated with the certificate revocation list store and was unable to free those resources after use.

Response: The PKCAADMN utility was unable return the certificate revocation list store resources back to the operating system after use. The program cannot recover from this state and the program execution will terminate. It is possible that the certificate store is corrupt in some way. Verify that the certificate revocation list store is valid. If the certificate revocation list store proves valid, contact PKWARE Technical Support to determine the source of the failure.

ZPCA822E Cannot continue. Unhandled certificate file type.

Explanation: The PKCAADMN utility received a certificate file type that the program does not know how to process.

Response: The PKCAADMN utility will be unable to proceed without a properly specified certificate file type parameter. Program execution will terminate. This is an error internal to the program. Contact PKWARE Technical Support to resolve this issue.

327

ZPCA823E Cannot continue. Unable to retrieve certificate name from the store.

Explanation: The PKCAADMN utility must match the certificate name specified for deletion with the certificate name found in the certificate store. The program was unable to read the certificate name from the certificate store.

Response: The PKCAADMN utility will be unable to proceed without properly reading the certificate name from the store. Program execution will terminate. The certificate store in question may be invalid. Verify the integrity of the certificate store and try the command again.

ZPCA824E Cannot continue. Delete certificate failed.

Explanation: The PKCAADMN utility was unable to delete the certificate from the certificate store.

Response: The PKCAADMN utility will be unable to proceed past this point in the deletion process and program execution will terminate. This is an error internal to the program. The program was able to identify the certificate to be deleted in the certificate store but the deletion failed. Contact PKWARE Technical Support to resolve this issue.

ZPCA825E Delete certificate failed. Match was not found in the specified store.

Explanation: The PKCAADMN utility must match the certificate specified in the input parameters with a certificate in the specified certificate store in order to perform the deletion process. This match failed.

Response: The PKCAADMN utility will be unable to proceed without properly matching the certificate specified for deletion with an entry in the certificate store. Program execution will terminate. The certificate store in question may not contain the specified certificate. Verify the certificate store contents and try the command again.

ZPCA826E Serial number must be in hexadecimal notation.

Explanation: The PKCAADMN utility must match the certificate serial number to an entry in the certificate store. The provided serial number was not in proper hexadecimal notation.

Response: The PKCAADMN utility will be unable to proceed without properly matching the certificate specified for deletion with an entry in the certificate store. Program execution will terminate. The serial number may have been improperly entered in the PKCAADMN utility. Verify the serial number parameter and try the command again.

ZPCA827E Certificate store verification failed.

Explanation: The PKCAADMN utility was unable to verify the specified certificate store.

328

Response: The PKCAADMN utility failed to verify the store for a specific reason. Look to the previous errors associated with this error in the listing to determine the exact cause of the verify command failure. Investigate the previous errors in the listing to determine the root cause of the verify failure.

ZPCA828E Must specify root, CA or CRL store to initialize.

Explanation: The PKCAADMN utility was to continue with the certificate store initialization due to an invalid store type.

Response: The PKCAADMN utility will be unable to proceed past this point in the initialization process and program execution will terminate. This is an error internal to the program. Contact PKWARE Technical Support to resolve this issue.

ZPCA829E Certificate store initialization failed.

Explanation: The PKCAADMN utility was unable to initialize the specified certificate store.

Response: The PKCAADMN utility failed to initialize the store for a specific reason. Look to the previous errors associated with this error in the listing to determine the exact cause of the initialization command failure. Investigate the previous errors in the listing to determine the root cause of the initialization failure.

ZPCA830E The end entity file '%s' was not opened.

Explanation: The PKCAADMN program was unable to open the specified end entity output file. %s Shows the value that the PKCAADMN utility received for the output file.

Response: The PKCAADMN utility was unable to open the specified end entity output file. The program cannot recover from this situation and the program execution will terminate. Verify that the file name is indeed a valid and attempt the command again.

ZPCA831E Could not retrieve certificate property from store.

Explanation: The PKCAADMN utility must retrieve certificate properties from the certificate store and could not.

Response: The PKCAADMN utility will be unable to proceed past this point in the end entity output process and program execution will terminate. This is an error internal to the program. Contact PKWARE Technical Support to resolve this issue.

329

ZPCA832E Cannot continue. Unable to make CRL from file '%s'.

Explanation: The PKCAADMN utility must create a certificate revocation list data structure from the input file but was unable to. %s Shows the value that the PKCAADMN utility received for the certificate revocation list.

Response: The PKCAADMN utility will be unable to proceed past this point in the certificate revocation list add process and program execution will terminate. It is possible that the input file is not a valid certificate revocation list file. Verify the input file attempt the command again.

ZPCA833W Cannot verify CRL issuer '%s' with CA Store. Trying Root Store.

Explanation: The PKCAADMN utility must verify the certificate revocation list data issuer to be sure the revocation list is valid. The program was unable to find the CRL issuer in the CA store. %s The issuer name for the certificate revocation list in question.

Response: The PKCAADMN utility will also look in the root store for the issuer before abandoning the CRL add process. The utility will also check the root store for the CRL issuer. This is only a warning message and will not hinder the CRL add process unless the CRL issuer is not found in the root store either.

ZPCA834W Cannot verify CRL issuer with root store.

Explanation: The PKCAADMN utility must verify the certificate revocation list data issuer to be sure the revocation list is valid. The program was unable to find the CRL issuer in the root store.

Response: The PKCAADMN utility will also look in the CA store for the issuer before abandoning the CRL add process. The utility will also check the CA store for the CRL issuer. This is only a warning message and will not hinder the CRL add process unless the CRL issuer is not found in the CA store either.

ZPCA835E Cannot continue. Unable to verify CRL issuer.

Explanation: The PKCAADMN utility must verify the certificate revocation list data issuer to be sure the revocation list is valid. The program was unable to find the CRL issuer in the root store or the CA store.

Response: The PKCAADMN utility has checked both the root and the CA stores for the CRL issuer and was unsuccessful. The program cannot continue with the CRL add without verifying the issuer and the program execution will terminate. Verify the contents of the root and/or CA stores to be sure that the issuer for the CRL in question is present in one of the stores and attempt the command again.

330

ZPCA836E Cannot continue. Unable to add CRL to store.

Explanation: The PKCAADMN utility was unable to add the CRL file to the certificate revocation list store.

Response: The PKCAADMN utility cannot continue the add process past this point and the program execution will terminate. Verify the certificate revocation list store is valid and attempt the command again.

ZPCA837E Cert Wrap failed to free CRL context. CW Error = 0X%X.

Explanation: The PKCAADMN program was unable to release the system resources allocated by the Cert Wrap modules during program execution. %X Shows the hexadecimal value the Cert Wrap module returned upon failure to free the CRL context.

Response: The PKCAADMN utility was unable to release the system resources allocated by the Cert Wrap modules during program execution. This is indicative of an internal program error. Program execution will terminate. Contact PKWARE Technical Support to determine the resolution of the program error.

ZPCA838E Cannot continue. Unable to get information from CRL.

Explanation: The PKCAADMN program was unable to retrieve information from the certificate revocation list data structure.

Response: The PKCAADMN utility was unable to retrieve information from the certificate revocation list data structure. This is indicative of an internal program error. Program execution will terminate. Contact PKWARE Technical Support to determine the resolution of the program error.

ZPCA839E Cannot continue. Unable to get name from CRL.

Explanation: The PKCAADMN program was unable to retrieve the CRL name from the certificate revocation list data structure.

Response: The PKCAADMN utility was unable to retrieve the CRL name from the certificate revocation list data structure. This is indicative of an internal program error. Program execution will terminate. Contact PKWARE Technical Support to determine the resolution of the program error.

ZPCA840E Delete CRL failed. Match was not found in the CA or Root store.

Explanation: The PKCAADMN program was unable to find the CRL issuer in the CA or root stores. The CRL delete is unable to proceed in this situation.

331

Response: The PKCAADMN utility was unable to retrieve the CRL issuer from the root or CA stores. The program cannot recover from this situation and the program execution will terminate. Verify the contents of the CA and/or root stores and attempt the command again.

ZPCA841E Delete CRL failed. Unable to find the CRL in the store.

Explanation: The PKCAADMN program was unable to find the specified CRL in the certificate revocation list store. The CRL delete command is unable to proceed in this situation.

Response: The PKCAADMN utility was unable to find the CRL in the certificate revocation list store. The program cannot recover from this situation and the program execution will terminate. Verify the contents of the certificate revocation list store and attempt the command again.

ZPCA842E Delete CRL failed. Unable to remove the CRL from the store.

Explanation: The PKCAADMN program was unable to delete the specified CRL entry from the certificate revocation list store.

Response: This error is indicative of an internal program error. The program execution will terminate. Contact PKWARE Technical Support to determine the resolution of the program error.

ZPCA843E The store file '%s' was empty. Please try a valid certificate store.

Explanation: The PKCAADMN program was passed the name of an empty file in place of a certificate store. %s Shows the value that the PKCAADMN utility received for the certificate store.

Response: The PKCAADMN utility is unable to proceed without properly specified certificate stores. The program cannot recover from this situation and the program execution will terminate. Verify the certificate store file names and attempt the command again.

ZPCA844E Certificate type could not be determined.

Explanation: The PKCAADMN program was unable to determine the type of the certificate to be add.

Response: The PKCAADMN utility is unable to proceed without properly the type of the certificate being added as this type determines which store the certificate should be placed in. The program cannot recover from this situation and the program execution will terminate. Verify the origin of the input file and be sure it is a valid certificate file and try the command again.

332

ZPCA845E Invalid type specified for '%s' for Browse. Only CER and P7B types are valid.

Explanation: The PKCAADMN program was unable to browse a file of the specified file type. %s Shows the value that the PKCAADMN utility received for the certificate file.

Response: The PKCAADMN utility was able to browse the specified certificate file type. Program execution will terminate. Verify the type of the certificate file in question and attempt the command again.

ZPCA846W Simulation Requested. Nothing will be saved to the store.

Explanation: The PKCAADMN utility has been given a simulate add command via the flag settings. Due to the simulation, nothing was saved to the certificate store.

Response: The PKCAADMN utility successfully ran the add command to completion, however nothing was saved to the certificate store. This is expected behavior for the simulated add command and this message is presented only as a reminder. If a simulate add was requested, no user action is required. However, if a simulation was not desired, change the flags so that a simulation will not occur and attempt the command again.

ZPCA847W Simulation Requested. The end entity was not saved.

Explanation: The PKCAADMN utility has been given a simulate add command via the flag settings. Due to the simulation, the end entity was not saved to the output file.

Response: The PKCAADMN utility successfully ran the add command to completion, however nothing was saved to the output file. This is expected behavior for the simulated add command and this message is presented only as a reminder. If a simulate add was requested, no user action is required. However, if a simulation was not desired, change the flags so that a simulation will not occur and attempt the command again.

ZPCA848W End entity not saved as file was not specified.

Explanation: The PKCAADMN utility could not save the end entity to disk as no output file was specified in the input parameters to the PKCAADMN program.

Response: The PKCAADMN utility successfully ran the add command to completion, however nothing was saved as the output file was not specified. If this was the desired command, no user action is required. However, if the end entity output was needed, change the input parameters so that a valid output file is specified and attempt the command again.

333

ZPCA849E Cannot continue. Unable to determine certificate store count.

Explanation: The PKCAADMN utility was not able to determine the number of certificates in the certificate store.

Response: The PKCAADMN utility successfully opened the certificate store but was unable to get a count of the number of certificates in that store. The program can not continue if this situation occurs. This error could be indicative of an invalid store. Run a validate command against the store in question to determine that it is not corrupt. If the validate command is successful, this could be indicative of an internal program error. In this case, contact PKWARE Technical Support to resolve this problem.

ZPCA850E Cannot continue. Unable to determine certificate file count.

Explanation: The PKCAADMN utility was not able to determine the number of certificates in the specified input file.

Response: The PKCAADMN utility successfully opened the input file but was unable to get a count of the number of certificates in that file. The program can not continue if this situation occurs. This error could be indicative of an invalid input file. Verify the source of the input file in question to determine that it is not corrupt. If necessary, export and/or transfer the input file to the system again ensure file integrity. If this fails to resolve the problem with the file, contact PKWARE Technical Support to resolve this problem.

ZPCA851E Cannot continue. Unable to determine CRL store count.

Explanation: The PKCAADMN utility was not able to determine the number of certificate revocation list entries in the CRL store.

Response: The PKCAADMN utility successfully opened the CRL store but unable to get a count of the number of certificate revocation list entries in that store. The program can not continue if this situation occurs. This error could be indicative of an invalid store. Run a validate command against the store in question to determine that it is not corrupt. If the validate command is successful, this could be indicative of an internal program error. In this case, contact PKWARE Technical Support to resolve this problem.

ZPCA852E Cannot continue. Unable to determine CRL file count.

Explanation: The PKCAADMN utility was not able to determine the number of certificate revocation list entries were contained in the specified input file.

Response: The PKCAADMN utility successfully opened the input file but was unable to get a count of the number of certificate revocation list entries in that file. The program can not continue if this situation occurs. This error could be indicative of an invalid input file. Verify the source of the input file in question to determine that it is not corrupt. If necessary, export and/or transfer the input file to the system again ensure file integrity. If this fails to resolve the problem with the file, contact PKWARE Technical Support to resolve this problem.

334

ZPCA853E Add operation was not completed due to newer CRL entry in the CRL store.

Explanation: The PKCAADMN utility was unable to complete the Add command due to the fact that there was a newer copy of the input certificate revocation list already in the CRL store.

Response: The PKCAADMN utility will not permit an older certificate revocation list to overwrite a newer one already present in the CRL store. The program will terminate in this case. This error could be indicative of an invalid input file. Verify the source of the input file in question to determine that it is not corrupt. If necessary, export and/or transfer the input file to the system again ensure the newest available certificate revocation list is being added to the CRL store.

ZPCA854E Add operation was not completed due to newer certificate entry in the store.

Explanation: The PKCAADMN utility was unable to complete the Add command due to the fact that there was a newer copy of the input certificate already in the certificate store.

Response: The PKCAADMN utility will not permit an older certificate to overwrite a newer one already present in the certificate store. The program will terminate in this case. This error could be indicative of an invalid input file. Verify the source of the input file in question to determine that it is not corrupt. If necessary, export and/or transfer the input file to the system again ensure the newest available certificate is being added to the certificate store.

335

A Performance Considerations

This appendix lists a few performance considerations when running SecureZIP for iSeries. Most performance related issues can be controlled by the PKZIP/PKUNZIP parameters. However, it should be noted that PKZIP data compression is CPU intensive by its very nature, and that PKZIP/PKUNZIP parameters can only help to a limited degree. Therefore, it should be expected that a reasonable amount of CPU resources will be needed for such operations.

Interactive Performance When compressing large size files, PKZIP will sometimes use as much CPU resources as the system will allow. With this in mind, processing very large files may perform best as a submitted job. However, some iSeries environments have constraints on running interactive jobs. If those interactive jobs run for a long time and use a high amount of CPU resources, the system will slow down and may issue the message CPI1479 "Interactive activity approaching capacity of installed feature." In this case, review the details of this message. This usually means that the interactive systems are using more resources than the iSeries was configured to use.

Compression Type Performance Selecting a compression method is one way to get the smallest compressed file with the relationship to the CPU usage and run times. Sometimes, to get the best results, you may have to run several tests with the data to balance the compression ratio to the length of the run time. Running with *MAX will usually get the best compression ratio but will also run the longest. In most of our test cases, *MAX would run 30%-40% longer than *NORMAL and might only gain less than 1% better ratio. This is why we recommend using SUPERFAST (the default) unless your testing implies otherwise.

To minimize the overhead needed to ZIP, the best thing (and the easiest) is to select a compression method other than *MAX. PKZIP’s default compression method is SUPERFAST.

When using the compression method of Maximum, you are only compressing the data by another 1-8% over a job that might use the SUPERFAST compression method. The archive file size change is minimal. However, the time difference

336

between a maximum and a SUPERFAST job can be measured in hours if the file is big enough!

You may read more about the compression levels by prompting the Compression Level parameter (F1).

Compression Level . . . . . . . *SUPERFAST *FAST, *NORMAL, *MAX...

Data Type Selection Getting the best performance from your iSeries machine with regards to a PKZIP job can truly depend on the parameters you have selected for the job. In many cases, the compressed size of a file depends on the type of data (Binary vs. Text), and the compression type selected. Text will usually compress more since it has a higher probability of repeated characters.

Knowing the target platform of the data will help you resolve how PKZIP is to treat the data during the compression process. However, PKZIP treatment of data defaults to *DETECT. *DETECT means that PKZIP will scan the data (up to 97% of the input file) to determine whether the data that it is going to compress should be treated as TEXT or BINARY. This can be an especially painful process if you are selecting large files for compression. However, to get around the scanning overhead, if you know you are sending the archive or ZIP file to a PC or to a UNIX machine, you know that the data will need to be converted to TEXT (or ASCII). Therefore, you should select file Types(*TEXT). If the data is targeted for another iSeries machine, then you should select *BINARY. *DETECT should only be used when you do not know the nature of the data.

You may read more about the data types by prompting the file Types parameter (F1).

File Types . . . . . . . . . . . *DETECT *DETECT *TEXT *BINARY ....

Archive Placement (IFS or in a Library) For best performance try to store the archives in the IFS. By placing the archive in the IFS instead of in a library/file reduces the overall CPU usage and in some cases can reduce the run times as much as 30%-40%.

It is recommended when using the ZIP process for large files that the ZIP archive be stored in the IFS. This method provides the best performance and makes the most efficient use of storage space for both ZIP archives and ZIP temporary files.

ZIP64 Processing Considerations When processing very large files or high volumes of files, the processing characteristics of PKZIP may vary depending on the phase of processing involved. Some common processing phases and their run-time characteristics are:

• ZIP file selection: When selecting a very large number of files through many directories and/or libraries, the initial selection requires IO time and memory per file to analyze and manage each of the file’s properties. The more files to

337

select, the more memory and initial startup overhead. Each site will have to discover their practical limits based on their environments and resources.

• Archive directory read processing: When updating an existing archive that contains a very large number of files, time and memory again are used to manage the archives and its directory. Or when using PKUNZIP to view the files, the more files in the archive, the more memory that is required and the more time that is involved when sorting the files in archive properties before displaying or printing the contents.

• Archive updating: When updating a large archive with large file sizes, there will be overhead to copy the files from the previous archive, before adding or updating new files to the archive. For example, if you have a 10 GB archive with 5 files that are each compressed, down to 2 GB, overhead will be required to copy the compressed files from the old archive to the new archive. This is another reason for storing the archive in the IFS, which can help reduce resources rather than storing the archive in a file in a library.

• When compressing large size files, PKZIP will sometimes use as much CPU as the system will allow. With this in mind, processing very large files may perform best as a submitted job. Some iSeries systems have constraints on running interactively, and if interactive jobs run a long time and use high amounts of CPU resources, their system will start slowing down and may issue the message CPI1479 "Interactive activity approaching capacity of installed feature." In this case they should review the details of this message, which usually means that their interactive systems are using more resources than the iSeries was configured to use.

Encryption Performance When using advanced encryption versus no encryption, there will be a slight increase in the overall size of the archive that contains the AES overhead (approximately 300 bytes per file in archive). The increase in size will be same whether you use AES 128, AES 192, or AES 256.

AES 256 being the most secure encryption algorithm, will also consume the most CPU usage. AES 128 on average could use around 9% more CPU than running with no encryption. AES 256 averages about 3.4% more usage when compared with AES 128 (or around 12.5% versus no encryption).

Extended Attributes Selections The extended attributes naturally contribute some overhead to the archive but it is minimal, unless you are compressing a database file in the QSYS library file system with the parameter DBSERVICE(*YES). This size then depends on the definitions of the database (fields, headings, etc), but also is very important in rebuilding a DB2 database where it does not exist.

These extended attributes can be stored in two places, called the local header and central header directories. SecureZIP for iSeries 8.1 and other current PKWARE products now only use the extended attributes from the central directory. PKZIP for OS/400 5.5 required some of the attributes in the local header.

338

To help reduce the archive overhead the parameter EXTRAFLD in PKZIP has been expanded to select where you want to store the attributes. By using EXTRAFLD(*Central), you reduce the size of each file in the archive by the size of the extended attributes. Caution: If the attributes are required on another iSeries not running on 8.0 or above, use the option EXTRAFLD(*BOTH) or EXTRAFLD(*YES).

339

B Examples

Example 1 - PKUNZIP Files to a New or Different Library To extract the files in the archive to a new library. An example of the files in the archives are:

PKUNZIP ARCHIVE('atest/qz/tstchg') Archive: ATEST/QZ(TSTCHG) 88572 bytes 6 files Length Method Size Ratio Date Time CRC-32 Name -------- ------ ------- ----- ---- ---- ------ ---- 259 Defl:F 178 01-16-01 08:24 b5dbf80c TESTLIB1/BEN/BEESON 449664 Defl:F 48720 01-16-01 14:46 94c7506c TESTLIB1/MYSPLFTM.P/AQZIP123.4X 205693 Defl:F 29687 01-16-01 14:46 e2473ea4 TESTLIB1/MYSPLFTM.P/LISTDBOB.X 27488 Defl:F 6771 01-16-01 14:46 c264817a TESTLIB1/MYSPLFTM.P/QPRINT1X 3352 Defl:F 800 01-16-01 14:46 3e485445 TESTLIB1/MYSPLFTM.P/T4RSTLIB.XY 256 Stored 256 01-16-01 15:22 29058c73 TESTLIB1/TEST1/HEX -------- ------- --- ------- 686712 86412 6 files

To extract to a new library, use the keyword EXDIR and DROPPATH

PKUNZIP ARCHIVE('atest/qz/tstchg') TYPE(*EXTRACT) EXDIR(mynewlib) DROPPATH(*LIB) PKUNZIP Archive: ATEST/QZ(TSTCHG) Searching Archive ATEST/QZ(TSTCHG) for files to extract Extracting file TESTLIB1/BEN/BEESON NOTE path Library MYNEWLIB created. NOTE Library created File BEN created in library MYNEWLIB. Member BEESON added to file BEN in MYNEWLIB. Member BEESON file BEN in MYNEWLIB changed. Inflating: MYNEWLIB/BEN(BEESON) Text NOTE new path Extracting file TESTLIB1/MYSPLFTM.P/AQZIP123.4X File MYSPLFTMP created in library MYNEWLIB. Member AQZIP1234X added to file MYSPLFTMP in MYNEWLIB. Member AQZIP1234X file MYSPLFTMP in MYNEWLIB changed. Inflating: MYNEWLIB/MYSPLFTMP(AQZIP1234X) Text

Since the library mynewlib did not exist, it was created.

340

Example 2 - CLP with Override for Stdout and Stderr to an OUTQ The following is an example of overriding the PKZIP and PKUNZIP program output, and then redirecting the output to an OUTQ. This also provides an example of using mixed file systems, such as having the archive file in the IFS and selecting files from the QSYS library file system.

ZIPEXPL01: PGM PARM(&OUTQ) /* Program: ZIPEXPL01 Example */ /*****************************************************************/ /* Abstract: This is a example CL program has on parameter for */ /* the OUTQ for the processing of SecureZIP for iSeries. If it is */ /* *none or *NONE no overriding to QPRINT will take place. */ /* 1. Will add the SecureZIP for iSeries Library to Library List */ /* If it is already part of LIBL then note so as to not */ /* remove at the end. */ /* 2. Set the Current Library (only required if parameters of */ /* PKZIP leaves out the Library and a default is needed) */ /* 3. An example of setting the current directory is IFS */ /* 4. Check input OUTQ. If none keep processing */ /* 5. Override the Stdout and Stderr to input outq */ /* This is where PKZIP will send messages when the */ /* MSGTYPE is (*PRINT) or (*BOTH). */ /* 6. Run Test01 of PKZIP */ /* 7. Run Test02 of PKZIP with archive in IFS */ /* 8. Run Test03 of PKZIP with IFS system */ /* 9. Run Test04 of PKUNZIP to view archive */ /* 10. If the PKZIP Library was not present at the beginning */ /* remove it from *LIBL. */ /* */ /*****************************************************************/ OUTQ: DCL VAR(&OUTQ) TYPE(*CHAR) LEN(10) PKZIPLIB: DCL VAR(&PKZIPLIB) TYPE(*CHAR) LEN(10) + VALUE(PKW81051S) /* if PKZIP library is in Libl do not remove it at the end */ LIBLCHG: DCL VAR(&LIBLCHG) TYPE(*CHAR) LEN(1) VALUE('Y') CURLIB: DCL VAR(&CURLIB) TYPE(*CHAR) LEN(10) VALUE(MYLIB) ZIPDIR: DCL VAR(&ZIPDIR) TYPE(*CHAR) LEN(10) + VALUE('/mydir') /* Add the SecureZIP for iSeries library to library List */ ADDLIBLE LIB(&PKZIPLIB) MONMSG MSGID(CPF2103) EXEC(CHGVAR VAR(&LIBLCHG) + VALUE('N')) /* Set Current Directory to MYLIB */ /*(not Required for this test Just an example)*/ CHGCURLIB CURLIB(&CURLIB) /* Set Current Directory to zip */ /*(not Required for this test Just an example)*/ CD DIR(&zipdir) /* Check input outq to see overides required */ CHKOUTQ: IF COND((&OUTQ *EQ '*none') *OR (&OUTQ *EQ + '*NONE')) THEN(GOTO CMDLBL(NOOUTQ)) /* change Stdout and Stderr to my outq */ OVRPRTF FILE(STDOUT) TOFILE(*LIBL/QSYSPRT) OUTQ(&OUTQ) OVRPRTF FILE(STDERR) TOFILE(*LIBL/QSYSPRT) OUTQ(&OUTQ) NOOUTQ: /* Test basic PKZIP */ TEST01: PKZIP ARCHIVE('ATEST/PKZ2(MYSL04)') + FILES('TESTLIB/MYSPLF(*ALL)') + EXCLUDE('TESTLIB/MYSPLF(Q*)') /* Test basic PKZIP with archive in IFS and print only messages */

341

TEST02: PKZIP ARCHIVE('/mydir /tmpsave/itest01') + FILES('TESTLIB/TEST') FILETYPE(*BINARY) + TYPARCHFL(*IFS) MSGTYPE(*PRINT) /* Test PKZIP with all files in IFS */ TEST03: PKZIP ARCHIVE('/mydir/tmpsave/itest02.zip') + FILES('/mydir/test1/basetest') + TYPARCHFL(*IFS) TYPFL2ZP(*IFS) /* Test PKUNZIP view of archive from test02 */ TEST04: PKUNZIP ARCHIVE('/mydir/tmpsave/itest01') + TYPARCHFL(*IFS) MSGTYPE(*PRINT) /* If PKZIP Library was added to LIBL then remove it */ ENDPGM: IF COND(&LIBLCHG *EQ 'Y') THEN(RMVLIBLE + LIB(&PKZIPLIB)) ENDPGM

Example 3 - Creating an Archive in Personal Folders (QDLS) The following is an example of creating and processing the archive in the Document library Services file system (QDLS). First, assume a folder in QDLS with a name of MYFOLDER where the archives will be stored. To view the folders, issue the command WRKLNK '/QDLS/*' (you could use WRKDOC and WRKFLR, but WRKLNK is better to use since PKZIP will be using /QDLS).

Work with Object Links Directory . . . . : /qdls Type options, press Enter. 3=Copy 4=Remove 5=Next level 7=Rename 8=Display attribu 11=Change current directory ... Opt Object link Type Attribute Text . FLR .. FLR MYFOLDER FLR QBKBOOKS FLR

Run the PKZIP command:

PKZIP ARCHIVE('/QDLS/MYFOLDER/MYARCH1.ZIP') FILES('testlib/ben') TYPARCHFL(*IFS)

The suffix .ZIP was added to help identify the file as an archive file.

SecureZIP for iSeries (tm) Compression Utility Version 8.1, 2003/08/21 Copyright. 2004. PKWARE, Inc. All Rights Reserved. PKZIP is a registered trademark of PKWARE, Inc. EVALUATION Running EVALUATION, Warning - This license will expire in 29 days on 2003/09/20 Contact your dealer with the following information Machine ID = , Processor Group = P05 Scanning files for match ... Found 1 matching files Compressing TESTLIB/BEN(BEESON) in TEXT mode Add TESTLIB/BEN/BEESON -- Deflating (32%) PKZIP Compressed 1 files in Archive /QDLS/MYFOLDER/MYARCH1.ZIP PKZIP Completed Successfully Press ENTER to end terminal session.

342

To see the file in the folders, run WRKLNK '/QDLS/MYFOLDER/*'

Work with Object Links Directory . . . . : /QDLS/MYFOLDER Type options, press Enter. 3=Copy 4=Remove 5=Next level 7=Rename 8=Display attributes 11=Change current directory ... Opt Object link Type Attribute Text . FLR .. FLR MYARCH1.ZIP DOC

Next, to view the contents, run:

PKUNZIP ARCHIVE('/QDLS/MYFOLDER/MYARCH1.ZIP') TYPARCHFL(*IFS)

SecureZIP for iSeries (tm) Compression Utility Version 8.16

2003/08/21 Copyright. 2004. PKWARE, Inc. All Rights Reserved. PKZIP is a registered trademark of PKWARE, Inc. Archive: /QDLS/MYFOLDER/MYARCH1.ZIP 551 bytes 1 file Length Method Size Ratio Date Time CRC-32 Name -------- ------ ------- ----- ---- ---- ------ ---- 259 Defl:F 177 32% 11-27-00 15:32 b5dbf80c TESTLIB/BEN/BEESON -------- ------- ---- ------- 259 177 32% 1 file PKUNZIP extracted 0 files PKUNZIP Completed Successfully Press ENTER to end terminal session.

Example 4 - Processing Archive on a CD (QOPT) The following is an example of processing an archive that exists on a CD and using PKUNZIP to view or extract. Because the archive file is on a CD, and the file system QOPT controls the CD, this archive basically exists in the IFS.

First, check and ensure the archive is on the CD by doing a WRKLNK (you can use WRKOPTDIR, but using WRKLNK will show the actual paths required). Remember, the volume of the CD is also a directory in QOPT file system. If the file names are longer than eight characters, the file name will be changed, much like you see in DOS systems. It will contain a tilda (~) followed by a number for files found with excessive name lengths.

WRKLNK ‘/QOPT/*’

Work with Object Links Directory . . . . : /QOPT Type options, press Enter. 3=Copy 4=Remove 5=Next level 7=Rename 8=Display attributes 11=Change current directory ... Opt Object link Type Attribute Text MYTESTLABEL DDIR

343

The above screen shows that the volume label of the CD is “MYTESTLABEL”. Using the “5” for the next level option, you can navigate through the directories. You will then see the files and directories on the root of the CD. For example:

Work with Object Links Directory . . . . : /QOPT/MYTESTLABEL Type options, press Enter. 3=Copy 4=Remove 5=Next level 7=Rename 8=Display attributes 11=Change current directory ... Opt Object link Type Attribute Text ARCHIVE.ZIP DSTMF GZIPPW.GAR DSTMF OS_400~3.DOC DSTMF PKZCVT~2.DOC DSTMF PKW80~1.SAV DSTMF PKW80~1.ZIP DSTMF

To view the archive PKW80~1.ZIP (which is really the long name PKW81051S.ZIP) contents, use PKUNZIP with *VIEW.

Use the command:

PKUNZIP ARCHIVE('/QOPT/MYTESTLABEL/PKW80~1.ZIP') TYPARCHFL(*IFS) TYPE(*VIEW)

SecureZIP for iSeries (tm) Compression Utility Version 8.1, 2003/08/22 Copyright. 2004. PKWARE, Inc. All Rights Reserved. PKZIP (R) is a registered trademark of PKWARE (R), Inc. Archive: /QOPT/MYTESTLABEL/PKW80~1.ZIP 1373026 bytes 1 file Length Method Size Ratio Date Time CRC-32 Name -------- ------ ------- ----- ---- ---- ------ ---- 6044544 Defl:N 1372902 77% 08-16-01 21:17 d73f09cf PKW81051S.sav -------- ------- ---- ------- 6044544 1372902 77% 1 file PKUNZIP extracted 0 files PKUNZIP Completed Successfully

Example 5 - Compressing files from a CD (QOPT) Using the document (.DOC) files on the CD shown in Example 4, we can compress the files and store them in the archive in my archive library ATEST under the file V509 archives with an archive file member named CDTEST01.

PKZIP ARCHIVE('atest/v509/cdtest01') FILES('/QOPT/MYTESTLABEL/OS_400~3.DOC' '/QOPT/MYTESTLABEL/PKZCVT~2.DOC') TYPFL2ZP(*IFS)

SecureZIP for iSeries (tm) Compression Utility Version 8.1, 2003/08/22 Copyright. 2004. PKWARE, Inc. All Rights Reserved. PKZIP (R) is a registered trademark of PKWARE (R), Inc. Scanning files for match ... Found 2 matching files Compressing /QOPT/MYTESTLABEL/OS_400~3.DOC in BINARY mode Add /QOPT/MYTESTLABEL/OS_400~3.DOC -- Deflating (77%) Compressing /QOPT/MYTESTLABEL/PKZCVT~2.DOC in BINARY mode Add /QOPT/MYTESTLABEL/PKZCVT~2.DOC -- Deflating (79%) PKZIP Compressed 2 files in Archive ATEST/V509(CDTEST01)

344

PKZIP Completed Successfully

Because you would not be able to extract them to the CD, you may want to use the parameter STOREPATH(*NO) so that only file names OS_400~3.DOC and PKZCVT~2.DOC are stored in the archive.

Example 6 - Compressing CL with MSG Checking The following brief example demonstrates using PKZIP in a CL passing the archive’s library, file, and member as variables and then monitoring for errors from the PKZIP run.

ZIPEXPL03: PGM PARM(&ZIPLIB &ZIPFILE &ZIPMBR) /* Program: ZIPEXPL03 Example */ /*****************************************************************/ /* Abstract: This is a example CL program that has 3 paramters */ /* that specifies the archive's Library, File and Member. */ /* 1. Will add the SecureZIP for iSeries Library to Library List */ /* If it is already part of LIBL then note so as to not */ /* remove at the end. */ /* 2. Build the archive file namefor PKZIP by concatenating */ /* the inputted library, file and member names. */ /* 3. Compress all files in TESTLIB with PKZIP Command */ /* 4. Monitor for error messages from PKZIP. */ /* If errors send message. */ /* 5. If the PKZIP Library was not present at the beginning */ /* remove it from *LIBL. */ /* */ /*****************************************************************/ /* &PKZIPLIB contains the current PKZIP library */ DCL VAR(&PKZIPLIB) TYPE(*CHAR) LEN(10) + VALUE(PKW81051S) /* if PKZIP library is in Libl do not remove it at the end */ DCL VAR(&LIBLCHG) TYPE(*CHAR) LEN(1) VALUE('Y') /* &ZIPLIB is Library where archive will be stored */ DCL VAR(&ZIPLIB) TYPE(*CHAR) LEN(10) /* &ZIPFILE is File for the archive */ DCL VAR(&ZIPFILE) TYPE(*CHAR) LEN(10) /* &ZIPMBR is Member of the archive file */ DCL VAR(&ZIPMBR) TYPE(*CHAR) LEN(10) /* Archive file for PKZIP built with concatenation */ DCL VAR(&ZARCHF) TYPE(*CHAR) LEN(36) /* Add the SecureZIP for iSeries library to library List */ ADDLIBLE LIB(&PKZIPLIB) MONMSG MSGID(CPF2103) EXEC(CHGVAR VAR(&LIBLCHG) + VALUE('N')) /*Concatenate the libraries, files and members for PKZIP of the archive*/ CHGVAR VAR(&ZARCHF) VALUE(&ZIPLIB *TCAT '/' *TCAT + &ZIPFILE *TCAT '/' *TCAT &ZIPMBR) /* Compress all files in the library TESTLIB and */ /* store them in the archive specified in the */ /* calling of the CLP program */ /* If messages AQZ0022 "PKZIP Completed with Errors." */ /* or AQZ0012 "PKZIP ending with Nothing to do" */ /* are returned */ /* from PKZIP, send message indicating an error */ /* Occured. */ PKZIP ARCHIVE(&ZARCHF) FILES('TESTLIB/*all(*all)') + COMPRESS(*NORMAL) ARCHTEXT('This the text + of the archive for example 3') MONMSG MSGID(AQZ0022) EXEC(SNDPGMMSG MSG('PKZIP + Ended with MONMSG for AQZ0022'))

345

MONMSG MSGID(AQZ0012) EXEC(SNDPGMMSG MSG('PKZIP + Ended with MONMSG for AQZ0012')) /* If PKZIP Library was added to LIBL then remove it */ ENDPGM: IF COND(&LIBLCHG *EQ 'Y') THEN(RMVLIBLE + LIB(&PKZIPLIB)) EOJ: ENDPGM

Example 7 – Compressing Spool Files Samples The following are several samples demonstrating the selection of spool file for compression.

Sample 1: Select a specific spool file (MYSPLFFILE) for the specific job (jobname-WSSSPL, User-WSS and job number 11) in all output queues (the default of SFQUEUE) and convert the spool file to a PDF format SFTARGET(*PDFLETTER) to fit a letter format. store the archive in the IFS with TYPARCHFL(*IFS) .

PKZSPOOL ARCHIVE('/pkzshare/bills/splftest01.zip') TYPARCHFL(*IFS) SPLFILE(MYSPLFILE) SFUSER(*ALL) SFJOBNAM(11/WSS/WSSSPL) SFTARGET(*PDFLETTER) SFTGFILE(*GEN1P)

Sample 2: Select all spool files belonging to users WSS and TAIT (SPLUSERID) that resides in the OUTQ QPRINTS (SFQUEUE) and compress them as spool files with SFTARGET(*SPLF). This might be done to save the spool files for later review since this OUTQ is purged on a regular basis.

PKZSPOOL ARCHIVE('/pkzshare/bills/splftest02.zip') TYPARCHFL(*IFS) SFUSER(WSS TAIT) SFQUEUE(QPRINTS) SFTARGET(*SPLF) SFTGFILE(*GEN1)

Sample 3: Using the archive from Sample 2, we want to restore or extract the spool files in order to print them again. Except in this case we want them to belong to the user MAS with SPLUSERID and place the spool files in the OUTQ MASQ (SFQUEUE) located in the library DEVPLIB.

PKUNZIP ARCHIVE('/pkzshare/bills/splftest02.zip') TYPARCHFL(*IFS) TYPE(*EXTRACT) SPLUSRID(MAS) SFQUEUE(DEVPLIB/MASQ)

Sample 4: Select the spool file QPRINTS (SPLFILE), spool file number 17 (SPLNBR), user MAS (SFUSER) and convert the file to a TEXT file with SFTARGET(*TEXTFC). In this case, the file is needed to read into a PC program and the user wants the ANSI control characters in position 1 of each line.

PKZSPOOL ARCHIVE('/pkzshare/bills/splftest04.zip') TYPARCHFL(*IFS) SPLFILE(QPRINTS) SFUSER(MAS) SPLNBR(17) SFTARGET(*TEXTFC) SFTGFILE(*GEN1P)

Sample 5: Now we want to extract the text file created in Sample 4 to one of our shared drives areas ('/PKZSHARE/PCFILES') that our PCs can access. In this case the normal extraction would identify the file as a text file and would convert it to EBCDIC. Since the file will be used by a PC program that is expecting the data to be in ASCII, we will have to extract the file as binary since the internal file is already in

346

ASCII. By specifying FILETYPE(*BINARY), this ensures that no translation of the data takes place.

PKUNZIP ARCHIVE('/pkzshare/bills/splftest04.zip') TYPARCHFL(*IFS) TYPFL2ZP(*IFS) TYPE(*EXTRACT) FILETYPE(*BINARY) EXDIR('/PKZSHARE/PCFILES') DROPPATH(*ALL)

Example 8 – PKZSPOOL The Last Spool File of Current Job The following brief CLP example demonstrates using PKZSPOOL to compress to a PDF, only the last spool file that was written out by the current job.

ZIPEXPL07: PGM /* Program: ZIPEXPL07 Example */ /*****************************************************************/ /* Abstract: This is an example CL program that perform several */ /* task that prints reports. Then compresses only the LAST */ /* spool file created to a PDF file in a archive */ /* */ /*****************************************************************/ /* display the properties of the files start with "i" in QIBM folder */ DSPLNK OBJ('/QIBM/i*') OUTPUT(*PRINT) + DETAIL(*EXTENDED) DSPOPT(*ALL) /* display all libraries that start with Q and print */ DSPOBJD OBJ(*LIBL/Q*) OBJTYPE(*LIB) DETAIL(*BASIC) + OUTPUT(*PRINT) /* Compress the ONLY the last spool file created to a PDF file */ PKZSPOOL ARCHIVE('/pkzshare/bills/PKZdata1.zip') + SFJOBNAM(*) SPLNBR(*LAST) + SFTARGET(*PDFLETTER) SFTGFILE(*GEN1P) + TYPARCHFL(*IFS) ENDOFJOB: ENDPGM

Example 9 - CL to Compress All Spool Files for a Job to a PDF The following brief example demonstrates using PKZIP in a CL to pass the archive’s library, file, and member as variables and then monitor for errors from the PKZIP run.

ZIPEXPL08: PGM /* Program: ZIPEXPL08 Example */ /*****************************************************************/ /* Abstract: This is an example CL program that perform several */ /* task that prints reports. Then submits a job at the end of */ /* the job that will compress all spool files to PDF files. The */ /* reason the job was submitted was to also compress the job log */ /* to a PDF */ /* */ /*****************************************************************/ /* Current Job Name */ DCL VAR(&MYJOBNM) TYPE(*CHAR) LEN(10) VALUE(' ') /* Current Job User */

347

DCL VAR(&MYJUSER) TYPE(*CHAR) LEN(10) VALUE(' ') /* Current Job Number */ DCL VAR(&MYJNBR) TYPE(*CHAR) LEN(10) + VALUE('000000') /* retrieve the job name, user, and job number for later use */ RTVJOBA JOB(&MYJOBNM) USER(&MYJUSER) NBR(&MYJNBR) /* this job to get a full job log */ CHGJOB LOG(4 00 *SECLVL) LOGCLPGM(*YES) /* display the properties of the files start with c in my folder */ DSPLNK OBJ('/pkzshare/bills/c*') OUTPUT(*PRINT) + DETAIL(*EXTENDED) DSPOPT(*ALL) DSPAUT OBJ('/pkzshare/BILLS') OUTPUT(*PRINT) /* create an archive with one file */ PKZIP ARCHIVE('/pkzshare/bills/PKZtest1.zip') + FILES('/pkzshare/bills/chartest2.zip') + TYPARCHFL(*IFS) TYPFL2ZP(*IFS) STOREPATH(*NO) /* display detail attributes for the new archive created */ DSPLNK OBJ('/pkzshare/bills/PKZtest1*') OUTPUT(*PRINT) + DETAIL(*EXTENDED) DSPOPT(*ALL) /* submit a job to create all spool Files including the job log into a */ /* PDF file and place them in archive PKZdata1 */ SBMJOB CMD(PKZSPOOL + ARCHIVE('/pkzshare/bills/PKZdata1.zip') + SFJOBNAM(&MYJNBR/&MYJUSER/&MYJOBNM) + SFTARGET(*PDFLETTER) SFTGFILE(*GEN1P) + TYPARCHFL(*IFS)) JOB(&MYJOBNM) + INLLIBL(*CURRENT) ENDOFJOB: ENDPGM

348

C Memory Errors

In some rare cases, SecureZIP for iSeries may experience a memory error condition. While running SecureZIP for iSeries the program allocates memory for sorts, buffers, and other storage requirements. There are diagnostic checks in the system to validate memory requests. If a request fails, the job will terminate and send a message to the message queue indicating a memory allocation failure. Some systems limit the memory allocation for certain user/jobs which may cause this problem. In some cases, programs can have what are called “memory leaks” where memory is never freed. Signing off or ending the job will free the allocated memory. If a message indicates that a memory allocation error occurred, retrieve the failed job log and contact the Product Services Division at 1-937-847-2687 for assistance.

349

D External Name Conversion Program CVTNAME

SecureZIP for iSeries provides an exit that calls a compiled CLP program named CVTNAME. PKZIP can change the names of iSeries file names to a ZIPPED file name to be used in the archive. PKUNZIP can change a ZIPPED file name in an archive to an iSeries file name. This is activated by using the parameter CVTFLAG and not setting the parameter to *NONE. SecureZIP for iSeries will call the first CVTNAME program found in the library list.

SecureZIP for iSeries will call the program and pass three fields to CVTNAME and will expect a return field. The first field passed is a 256-byte field that contains the input name (in PKZIP, it is the iSeries name, and in PKUNZIP, it is the ZIPPED name in the archive) that can be changed. The second field passed is a 5-byte field that can be used to help code specific logic to control the name change process. The third field is up to 256 bytes of extended data from the command to provide more flexibility in controlling the conversion of file names.

The program will return up to 256 bytes of a file name that will be used as the output name in the archive.

The exit can be divided into different conversion routines by assigning each routine a five-character name, which is passed in as the CVTFLAG parameter value. This routine works for both the PKZIP and PKUNZIP programs, but normally you will need a different conversion routine or CVTFLAG for archiving or extraction. When the CVTNAME returns, the returned name should either hold the new name, or remain blank to indicate that the default conversion rules should be used.

Note: The PKZIP and PKUNZIP programs perform no validity checking on the name that is passed back and assumes that the name is valid and unique. If the name is not valid or unique, open errors or missing files may occur.

For PKZIP, the name exit receives the OS/400 file name and the returned name is the name that will be used for the file name in the archive. Ensure that names returned are unique; otherwise, only the first of the duplicated files will be compressed.

For PKUNZIP, the CVTNAME exit receives the name of the file that is in the archive and expects to return the name of a file on the OS/400 as ‘library/file(member)’. If this is invalid, then file open errors will occur. If they are valid but did not exist before, PKUNZIP will create the library, file, and member.

In the supplied library, there is a sample CVTNAME CLP that contains logic for the following flags:

350

• If the flag is *400, there is no conversion taking place, and the input name is passed back as a new name.

• If the flag is O4MS, the program will convert an iSeries file name “library/file(member)” to a MS-DOS name with ‘/’ (such as “library/file/member”).

• If the flag is MSO4, the program will take a MS-DOS file name “/dir1/dir2/dir3/name.xxx” and make it an iSeries name (such as “dir2/dir3{namexxx)”) where dir2 will be the library, dir3 will be a file name, and namexxx will be up to a 10-byte character member name.

• If the flag is *MSD, the program will convert an iSeries file name "library/file(member)" to a MS-DOS name with suffix .TXT to the file "library/file.TXT".

• If the flag is *MSM, the program will convert an iSeries file name "library/file(member)" to an MS-DOS name with a suffix .TXT added to the member name, such as "library/file/member.TXT".

• If the flag is *IFS, the program will format a file name "library/file(member)" for the iSeries QSYS.LIB integrated file system. For example "/QSYS.LIB/LIBRARY.LIB/FILE.FILE/MEMBER.MBR".

• If the flag is SPLF1, the program will take a spool file name "jobname/useriud/jobnumber/splfname/splfnbr.suffix" and build each in it own DCL field. Then taking the first 10 bytes of the CVTDATA passed from the command will build a new name that looks like “CVTDATA.splfnbr.suffix”.

• Of course the correct flag should be used with the appropriate file system.

Changes can be made to CVTNAME to fit the customer’s site requirements. The use of (and changes to) the CVTNAME program is the customer’s responsibility.

The following is an example of the CVTNAME CLP source code included in the SecureZIP for iSeries library:

Sample CVTNAME

/* Program: CVTNAME Sample VERSION 8.1.0 */ /*****************************************************************/ /* Abstract: This is a sample CL program that can be used by */ /* SecureZIP for iSeries product as an exit program to change the */ /* names from iSeries to an archive name and visa versus. */ /* There are 4 parameters: */ /* 1. The input name that is supplied by PKZIP or PKUNZIP */ /* to this program to analyze (up 255 bytes). */ /* 2. The Name that this program can change and passes back */ /* to the calling programs to use (up to 255 bytes). */ /* If this is passed back with the 1st position blank, */ /* PKZIP/PKUNZIP will revert back to settings of the */ /* CVTTYPE parameter. */ /* 3. A 5 byte field that represents a control field or */ /* or flags, that controls how CVTNAME should process the */ /* name. */ /* 4. A 255 byte field that is user defined in the command to*/ /* provide more information to assist controlling the */ /* logic in processing the name. For Example it may */ /* time stamp prefix of the file names */ /* */ /* This sample CVTNAME CLP has three flags accepted: */

351

/* */ /* 1. If the flag is *400 there are no conversion taking */ /* place and the input name is passed back as new name. */ /* 2. If the flag is O4MS, the program will convert an */ /* iSeries name "library/file(member)" to a MS-DOS */ /* name with '/' such as "library/file/member". */ /* 3. If the flag is MSO4, the program will take a MS-DOS */ /* file name "/dir1/dir2/dir3/name.xxx" and make it an */ /* iSeries name such as "dir2/dir3{namexxx)" where dir2 */ /* will be the library, dir3 will be a file name and */ /* namexxx will be up to a 10 byte character */ /* member name. */ /* 4. If the flag is *MSD, the program will convert an */ /* iSeries file name "library/file(member)" to a MS-DOS */ /* name with suffix .TXT to the file "library/file.TXT". */ /* 5. If the flag is *MSM, the program will convert an */ /* iSeries file name "library/file(member)" to a MS-DOS */ /* name with suffix .TXT to the member name */ /* such as "library/file/member.TXT". */ /* 6. If the flag is *MST, the program will convert an */ /* iSeries file name "library/file(member)" to a MS-DOS */ /* name with suffix .TXT to the member name only */ /* such as "member.TXT". */ /* 7. If the flag is *IFS, the program will format a */ /* file name "library/file(member)" formatted for the */ /* iSeries QSYS.LIB Integrated File System. for example */ /* "/QSYS.LIB/LIBRARY.LIB/FILE.FILE/MEMBER.MBR" */ /* */ /* 8. If the flag is SPLF1, the program will format a */ /* spool file name formated as: */ /* "jobname/useriud/jobnumber/splfname/splfnbr.suffix" */ /* and rebuild a new name with data from the CVTDATA */ /* parameter. */ /* */ /* */ /*NOTE: PKZIP and PKUNZIP performs no validity checking on the */ /* name that is passed back and assumes that the name is valid */ /* and unique. If the name is not valid or unique, open errors */ /* or missing files may occur. */ /* */ /* */ /*****************************************************************/ CVTNAME: PGM PARM(&INNAME &OUTNAME &CVTFLAGS &CVTDATA) /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ /* Parameter Program Variables */ /* Input Name that is used examine for change */ INNAME: DCL VAR(&INNAME) TYPE(*CHAR) LEN(256) /* Changed name that is passed back to SecureZIP for iSeries */ OUTNAME: DCL VAR(&OUTNAME) TYPE(*CHAR) LEN(256) /* Flags from SecureZIP for iSeries for controlling logic flow */ CVTFLAGS: DCL VAR(&CVTFLAGS) TYPE(*CHAR) LEN(5) /* data from PKZIP command for controlling logic flow */ CVTDATA: DCL VAR(&CVTDATA) TYPE(*CHAR) LEN(256) /* */ /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ /* Program Variables */ /* iSeries QSYS file name represented like "libnm/filenm(mbrnm)" */ LIBNM: DCL VAR(&LIBNM) TYPE(*CHAR) LEN(10) /* Library + Name */ FILENM: DCL VAR(&FILENM) TYPE(*CHAR) LEN(10) /* File + name */ MBRNM: DCL VAR(&MBRNM) TYPE(*CHAR) LEN(10) /* Member + name */ DCL VAR(&IDX) TYPE(*DEC) LEN(3) DCL VAR(&IDXPRV) TYPE(*DEC) LEN(3) DCL VAR(&LEN) TYPE(*DEC) LEN(3) /* DCL VAR(&MSGVAR) TYPE(*CHAR) LEN(300) */ /* DCL VAR(&MUVAR) TYPE(*CHAR) LEN(6) VALUE('..OUT=') */ /* Spool file name represented like */ /* "JOBNAM/USERID/JOBNBR/SPLFNAM/SPLFNBR.SPLSUFIX" */

352

JOBNAM: DCL VAR(&JOBNAM) TYPE(*CHAR) LEN(10) /* Job + Name */ USERID: DCL VAR(&USERID) TYPE(*CHAR) LEN(10) /* User + Id */ JOBNBR: DCL VAR(&JOBNBR) TYPE(*CHAR) LEN(7) /* Job + Number */ SPLFNAM: DCL VAR(&SPLFNAM) TYPE(*CHAR) LEN(10) /* Spool + File name */ SPLFNBR: DCL VAR(&SPLFNBR) TYPE(*CHAR) LEN(5) /* Spool + File Number */ SPLSUFIX: DCL VAR(&SPLSUFIX) TYPE(*CHAR) LEN(4) /* + Suffix */ /* blank out name uncase no hit */ CHGVAR VAR(&OUTNAME) VALUE(' ') /* */ /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ /* Flag set to *400 */ IF COND(&CVTFLAGS *EQ '*400') THEN(DO) CHGVAR VAR(&OUTNAME) VALUE(&INNAME) GOTO CMDLBL(ENDCHG) ENDDO /* */ /* * * * * * * * * * * * ** * * * * * * * * * * * * * * * * * * * */ /* Flag set to O4MS */ /* Change iSeries Library/File(Member) to */ /* MSDOS library/File/Member */ O4MS: IF COND((&CVTFLAGS *EQ 'O4MS') *OR (&CVTFLAGS + *EQ '*MSD') *OR (&CVTFLAGS *EQ '*MSM') + *OR (&CVTFLAGS *EQ '*MST') + *OR (&CVTFLAGS *EQ '*IFS')) + THEN(DO) CHGVAR VAR(&IDX) VALUE(0) CHGVAR VAR(&IDXPRV) VALUE(1) /* Find a Library Note:max length must be 11 */ DOLIB1: CHGVAR VAR(&IDX) VALUE(&IDX + 1) IF COND(%SST(&INNAME &IDX 1) *NE '/') + THEN(GOTO CMDLBL(DOLIB1)) CHGVAR VAR(&LEN) VALUE(&IDX - &IDXPRV) IF COND(&LEN > 10) + THEN(CHGVAR VAR(&LEN) VALUE(10)) CHGVAR VAR(&LIBNM) VALUE(%SST(&INNAME &IDXPRV &LEN)) /* Find a File Note:max length must be 11 */ CHGVAR VAR(&IDXPRV) VALUE(&IDX + 1) DOFILE1: CHGVAR VAR(&IDX) VALUE(&IDX + 1) IF COND(%SST(&INNAME &IDX 1) *NE '(') + THEN(GOTO CMDLBL(DOFILE1)) CHGVAR VAR(&LEN) VALUE(&IDX - &IDXPRV) IF COND(&LEN > 10) + THEN(CHGVAR VAR(&LEN) VALUE(10)) CHGVAR VAR(&FILENM) VALUE(%SST(&INNAME &IDXPRV &LEN)) /* Find a Member Note:max length must be 11 */ CHGVAR VAR(&IDXPRV) VALUE(&IDX + 1) DOMBR1: CHGVAR VAR(&IDX) VALUE(&IDX + 1) IF COND(%SST(&INNAME &IDX 1) *NE ')') + THEN(GOTO CMDLBL(DOMBR1)) CHGVAR VAR(&LEN) VALUE(&IDX - &IDXPRV) IF COND(&LEN > 10) + THEN(CHGVAR VAR(&LEN) VALUE(10)) CHGVAR VAR(&MBRNM) VALUE(%SST(&INNAME &IDXPRV &LEN)) CHGVAR VAR(&OUTNAME) VALUE(&INNAME) /* Save the new name lib/file/mbr */ DOOUT1: AMSD: IF (&CVTFLAGS *EQ '*MSD') + DO CHGVAR VAR(&OUTNAME) VALUE(&LIBNM *TCAT '/' + *TCAT &FILENM *TCAT '.TXT ') GOTO CMDLBL(ENDCHG) ENDDO

353

AMSM: IF (&CVTFLAGS *EQ '*MSM') + DO CHGVAR VAR(&OUTNAME) VALUE(&LIBNM *TCAT '/' + *TCAT &FILENM *TCAT '/' *TCAT &MBRNM + *TCAT '.TXT ') GOTO CMDLBL(ENDCHG) ENDDO AMST: IF (&CVTFLAGS *EQ '*MST') + DO CHGVAR VAR(&OUTNAME) VALUE(&MBRNM + *TCAT '.TXT ') GOTO CMDLBL(ENDCHG) ENDDO AIFS: IF (&CVTFLAGS *EQ '*IFS') + DO CHGVAR VAR(&OUTNAME) VALUE('/QSYS.LIB/' *TCAT + &LIBNM *TCAT '.LIB/' *TCAT &FILENM *TCAT + '.FILE/' *TCAT &MBRNM *TCAT '.MBR') GOTO CMDLBL(ENDCHG) ENDDO CHGVAR VAR(&OUTNAME) VALUE(&LIBNM *TCAT '/' + *TCAT &FILENM *TCAT '/' + *TCAT &MBRNM *TCAT ' ') ENDO4MS: GOTO CMDLBL(ENDCHG) ENDDO /* end of O4MS do flag */ /* */ /* * * * * * * * * * * * ** * * * * * * * * * * * * * * * * * * * */ /* Flag set to MSO4 */ /* Change a MSDOS file /dir1/dir2/../dirn/file.xxx to */ /* dir2/dirn(filexxx) iSeries file */ MSO4: IF COND(&CVTFLAGS *EQ 'MSO4') THEN(DO) CHGVAR VAR(&IDX) VALUE(0) CHGVAR VAR(&IDXPRV) VALUE(1) CHGVAR VAR(&LIBNM) VALUE(' ') CHGVAR VAR(&FILENM) VALUE(' ') CHGVAR VAR(&MBRNM) VALUE(' ') /* first find 1st blank and work backwards */ FINDLST2: CHGVAR VAR(&IDX) VALUE(&IDX + 1) if COND(&IDX *GT 250) THEN(GOTO CMDLBL(ENDCHG)) IF COND(%SST(&INNAME &IDX 1) *NE ' ') + THEN(GOTO CMDLBL(FINDLST2)) /* Find a Member Note:max length must be 11 */ CHGVAR VAR(&IDXPRV) VALUE(&IDX - 1) DOMBR2: CHGVAR VAR(&IDX) VALUE(&IDX - 1) IF COND(&IDX *LT 1) THEN(GOTO CMDLBL(ENDCHG)) IF COND(%SST(&INNAME &IDX 1) *NE '/') + THEN(GOTO CMDLBL(DOMBR2)) CHGVAR VAR(&LEN) VALUE(&IDXPRV - &IDX) IF COND(&LEN > 11) + THEN(CHGVAR VAR(&LEN) VALUE(11)) CHGVAR VAR(&IDXPRV) VALUE(&IDX - 1) CHGVAR VAR(&MBRNM) VALUE(%SST(&INNAME &IDXPRV &LEN)) /* REMOVE . IF ANY AND FORCE LENGTH TO 10 */ /* Find a File Note:max length must be 10 */ DOFILE2: CHGVAR VAR(&IDX) VALUE(&IDX - 1) IF COND(&IDX *LT 1) THEN(GOTO CMDLBL(SETNAME2)) IF COND(%SST(&INNAME &IDX 1) *NE '/') + THEN(GOTO CMDLBL(DOFILE2)) CHGVAR VAR(&LEN) VALUE(&IDXPRV - &IDX) IF COND(&LEN > 11) + THEN(CHGVAR VAR(&LEN) VALUE(11)) CHGVAR VAR(&IDXPRV) VALUE(&IDX - 1) CHGVAR VAR(&FILENM) VALUE(%SST(&INNAME &IDXPRV &LEN)) /* Find a Library Note:max length must be 10 */ DOLIB2: CHGVAR VAR(&IDX) VALUE(&IDX - 1) IF COND(&IDX *LT 1) THEN(GOTO CMDLBL(ENDCHG))

354

IF COND(%SST(&INNAME &IDX 1) *NE '/') + THEN(GOTO CMDLBL(DOLIB2)) CHGVAR VAR(&LEN) VALUE(&IDXPRV - &IDX) IF COND(&LEN > 11) + THEN(CHGVAR VAR(&LEN) VALUE(11)) CHGVAR VAR(&IDXPRV) VALUE(&IDX - 1) CHGVAR VAR(&LIBNM) VALUE(%SST(&INNAME &IDXPRV &LEN)) /* Save the new name lib/file/mbr */ SETNAME2: IF COND(&LIBNM *NE ' ') THEN(DO) CHGVAR VAR(&LIBNM) VALUE(&LIBNM *TCAT '/') ENDDO IF COND(&FILENM *NE ' ') THEN(DO) CHGVAR VAR(&FILENM) VALUE(&FILENM *TCAT '/') ENDDO CHGVAR VAR(&OUTNAME) VALUE(&LIBNM *TCAT &FILENM + *TCAT &MBRNM *TCAT ' ') ENDMSO4: GOTO CMDLBL(ENDCHG) ENDDO /* end of O4MS do flag */ /* */ /* * * * * * * * * * * * ** * * * * * * * * * * * * * * * * * * * */ /* Flag set to SPLF1 Sample */ /* Change "jobname/useriud/jobnumber/splfname/splfnbr.suffix" */ /* and build new name with 10 bytes of the CVTDATA field */ /* with a '.' separator followed by splfnbr.suffix */ /* for CVTDATA.splfnbr.suffix */ /* all fields from the Spool File passed file name are built */ /* care should be taken not to build duplicate file names in */ /* Archive */ /* * * * * * * * * * * * ** * * * * * * * * * * * * * * * * * * * */ SPLF1: IF COND((&CVTFLAGS *EQ 'SPLF1')) + THEN(DO) CHGVAR VAR(&IDX) VALUE(0) CHGVAR VAR(&IDXPRV) VALUE(1) /* Find a Jobname Note:max length must be 10 */ JOBNAM1: CHGVAR VAR(&IDX) VALUE(&IDX + 1) IF COND(%SST(&INNAME &IDX 1) *NE '/') THEN(GOTO + CMDLBL(JOBNAM1)) CHGVAR VAR(&LEN) VALUE(&IDX - &IDXPRV) IF COND(&LEN > 10) + THEN(CHGVAR VAR(&LEN) VALUE(10)) CHGVAR VAR(&JOBNAM) VALUE(%SST(&INNAME &IDXPRV &LEN)) /* Find a User ID Note:max length must be 10 */ CHGVAR VAR(&IDXPRV) VALUE(&IDX + 1) USERID1: CHGVAR VAR(&IDX) VALUE(&IDX + 1) IF COND(%SST(&INNAME &IDX 1) *NE '/') + THEN(GOTO CMDLBL(USERID1)) CHGVAR VAR(&LEN) VALUE(&IDX - &IDXPRV) IF COND(&LEN > 10) + THEN(CHGVAR VAR(&LEN) VALUE(10)) CHGVAR VAR(&USERID) VALUE(%SST(&INNAME &IDXPRV &LEN)) /* Find a Job Number Note:max length must be 6 */ CHGVAR VAR(&IDXPRV) VALUE(&IDX + 1) JOBNBR1: CHGVAR VAR(&IDX) VALUE(&IDX + 1) IF COND(%SST(&INNAME &IDX 1) *NE '/') + THEN(GOTO CMDLBL(JOBNBR1)) CHGVAR VAR(&LEN) VALUE(&IDX - &IDXPRV) IF COND(&LEN > 7) + THEN(CHGVAR VAR(&LEN) VALUE(7)) CHGVAR VAR(&JOBNBR) VALUE(%SST(&INNAME &IDXPRV &LEN)) /* Find a SPLF Name Note:max length must be 10 */ CHGVAR VAR(&IDXPRV) VALUE(&IDX + 1) SPLFNAM1: CHGVAR VAR(&IDX) VALUE(&IDX + 1) IF COND(%SST(&INNAME &IDX 1) *NE '/') +

355

THEN(GOTO CMDLBL(SPLFNAM1)) CHGVAR VAR(&LEN) VALUE(&IDX - &IDXPRV) IF COND(&LEN > 10) + THEN(CHGVAR VAR(&LEN) VALUE(10)) CHGVAR VAR(&SPLFNAM) VALUE(%SST(&INNAME &IDXPRV &LEN)) /* Find a SPLF nbr Note:max length must be 5 */ CHGVAR VAR(&IDXPRV) VALUE(&IDX + 1) SPLFNBR1: CHGVAR VAR(&IDX) VALUE(&IDX + 1) IF COND(%SST(&INNAME &IDX 1) *NE '.') + THEN(GOTO CMDLBL(SPLFNBR1)) CHGVAR VAR(&LEN) VALUE(&IDX - &IDXPRV) IF COND(&LEN > 5) + THEN(CHGVAR VAR(&LEN) VALUE(5)) CHGVAR VAR(&SPLFNBR) VALUE(%SST(&INNAME &IDXPRV &LEN)) /* Find a Suffix Note:max length must be 4 */ CHGVAR VAR(&IDXPRV) VALUE(&IDX + 1) SPLSUFIX1: CHGVAR VAR(&IDX) VALUE(&IDX + 1) IF COND(%SST(&INNAME &IDX 1) *NE ' ') + THEN(GOTO CMDLBL(SPLSUFIX1)) CHGVAR VAR(&LEN) VALUE(&IDX - &IDXPRV) IF COND(&LEN > 4) + THEN(CHGVAR VAR(&LEN) VALUE(4)) CHGVAR VAR(&SPLSUFIX) VALUE(%SST(&INNAME &IDXPRV &LEN)) /* Set CVTDATA Note:max length must be 4 */ CHGVAR VAR(&IDX) VALUE(0) CVTDATA1: CHGVAR VAR(&IDX) VALUE(&IDX + 1) IF COND(%SST(&CVTDATA &IDX 1) *NE ' ') + THEN(GOTO CMDLBL(CVTDATA1)) CHGVAR VAR(&LEN) VALUE(&IDX) IF COND(&LEN > 10) + THEN(CHGVAR VAR(&LEN) VALUE(10)) CHGVAR VAR(&LIBNM) VALUE(%SST(&CVTDATA 1 &LEN)) IF COND(&LEN > 1) + THEN(CHGVAR VAR(%SST(&CVTDATA &LEN 1)) + VALUE('.')) /* Save the new name lib/file/mbr */ CHGVAR VAR(&OUTNAME) VALUE(&LIBNM *TCAT &SPLFNBR + *TCAT '.' *TCAT &SPLSUFIX *TCAT ' ') ENDSPLF1: GOTO CMDLBL(ENDCHG) ENDDO /* end of SPLF1 do flag */ /* */ ENDERR: CHGVAR VAR(&OUTNAME) VALUE(' ') /* */ /* * * * * * * * * * * * ** * * * * * * * * * * * * * * * * * * * */ /* End of CVTNAME for return */ ENDCHG: /* CHGVAR VAR(&MSGVAR) VALUE(&INNAME *BCAT &MUVAR + */ /* *BCAT &OUTNAME) */ /* SNDPGMMSG MSGID(AQZ0000) MSGF(*LIBL/PKZIPMSG) */ /* MSGDTA(&MSGVAR) TOPGMQ(*PRV) */ /* DMPCLPGM CL dump of variable to help debug */ ENDEXIT: ENDPGM

356

E List Files

The list file capabilities provided in the PKZIP and PKUNZIP commands can be a powerful tool for maintaining detailed selection criteria and to exclude files. PKZIP and PKUNZIP commands also allow creating a list of files that are located in a particular archive.

Creating List Files Both PKZIP and PKUNZIP can create a text format file of file names that meet criteria entered within the FILES and EXCLUDE parameters. In PKZIP, the output files contain the names of all files in the OS/400 format, depending on if the files are from the QSYS file system or IFS. The PKUNZIP program will produce a list of names in the format of the archive. To create an output list file, place the output file name in the parameter CRTLIST(). The default value is CRTLIST(*NONE).

Depending on the value of the TYPLISTFL parameter, the output file can be put in either the QSYS file system or IFS.

TYPLISTFL(*DB): When the file system is QSYS, the output file will create a physical file (PF-DTA) with a record length of 132. For the file format in CRTLIST, you can use any of the following formats: library/file, library/file(member), file, or file(member). When a member is not entered, the member name will be the same as the file name. You should use the utility that your organization uses to edit data files.

TYPLISTFL(*IFS): When using the IFS, the output file will create a stream file (*STMF object type). Most organization uses EDTF. For the file format in CRTLIST, you can use any of the following formats: file, file.suffix, dir1/file, dir1/dir2/../dirn/file, /dir1., etc. When the path does not start with ‘/’, then the path starts in your current directory (relative path).

When creating a file manually, follow the creation attributes described above.

Using List Files as Input Both PKZIP and PKUNZIP programs can use list file parameters for both selections of files (INCLFILE(‘file name’)) and/or the excluding of file (EXCLFILE(‘file name’). They can also use an inlist file for the encryption recipient ENTPREC. The file name of

357

parameters depends on the setting of TYPLISTFL (*DB or *IFS) and should follow the guidelines in “Creating List Files,” above.

When using PKZIP, the format of files in the list file should be in the format of the iSeries files that will be processed. See the parameters FILES and EXCLUDE for specifications.

When using PKUNZIP, the format of the files in the list file should be in the format of the archive. See the parameters FILES and EXCLUDE for specifications.

PKUNZIP also has an option to create a list file in expanded mode, which will create the date and time along with the file names. This is accomplished by having a ‘>’ character being the in the first position of the CRTLIST parameter. See the two examples below.

Create normal list file: PKUNZIP ARCHIVE('atest/V800/listf') CRTLIST('atest/listfile(demo)')

Edit File: ATEST/LISTFILE(DEMO) Record : 1 of 4 by 8 Column : 1 132 by 74 CMD ....+....1....+....2....+....3....+....4....+....5....+....6....+....7....+ ************Beginning of data************** TESTLIB/MYFILE/MYMBR TESTLIB/MYFILEGE.R/MYMBR TESTLIB/MYFILETE.XT/MYMBR TESTLIB/MYFILE27.3/MYMBR ************End of Data********************

Create an expanded list file: PKUNZIP ARCHIVE('atest/V800/listf') CRTLIST('>atest/listfile(demo)')

Edit File: ATEST/LISTFILE(DEMO) Record : 1 of 4 by 8 Column : 1 132 by 74 CMD ....+....1....+....2....+....3....+....4....+....5....+....6....+....7....+ ************Beginning of data************** DT(05-20-03 16:16) TESTLIB/MYFILE/MYMBR DT(02-14-03 16:44) TESTLIB/MYFILEGE.R/MYMBR DT(02-14-03 16:44) TESTLIB/MYFILETE.XT/MYMBR DT(02-14-03 16:44) TESTLIB/MYFILE27.3/MYMBR ************End of Data********************

358

F Translation Tables

Text files (such as program source code) are usually held within an archive using the ASCII character set for compatibility with other versions of PKZIP. For these to be usable on OS/400, they must be converted to the IBM EBCDIC character set. SecureZIP for iSeries uses one of two possible internal translation tables, which should be suitable for most customers. These translation table members are used by parameters FTRAN and TRAN in both the PKZIP and PKUNZIP programs. Included (as part of the distribution) are a series of override translation tables. Some users may wish to define their own table.

The override translation tables included are stored as source members in file PKZTABLES SecureZIP for iSeries resources tables. By referencing the members in parameters TRAN and FTRAN, SecureZIP for iSeries will access the selected member in the PKZTABLES file and parse them to an internal hexadecimal table for use in translation.

The following translation tables are included:

Table Name

Translation from

Translation to

Explanation

ASCIIISO EBCDIC ASCII - iso Translate Table

LATIN1 EBCDIC ASCII Latin Translate Table

NOOP NO-OP Translation Table Straight Hex

UKASCII EBCDIC UK ASCII Translate Table

UKASCIIE EBCDIC UK ASCII Translate Table-Euro

USASCII EBCDIC USA ASCII Translate Table

(Internal Default)

USASCIIE EBCDIC USA ASCII Translate Table-Euro

Standard Code Page Support with Tables Three data translation tables are available to assist with one or more of the latest standard EBCDIC text translation to ASCII. These tables were built to relate directly to IBM code pages numbers.

359

Code page tables available are:

Table Name

ASCII

Code Page

EBCDIC

Code Page

Explanation

PKZ819037 819 037 ASCII-819 <-> EBCDIC-037 Translation

PKZ819273 819 273 ASCII-819 <-> EBCDIC-273 Translation German

PKZ819277 819 277 ASCII-819 <-> EBCDIC-277 Translation Den/Nor

PKZ819278 819 278 ASCII-819 <-> EBCDIC-278 Translation Fin/Swe

PKZ819280 819 280 ASCII-819 <-> EBCDIC-0280 Translation Italy

PKZ819284 819 284 ASCII-819 <-> EBCDIC-284 Translation Spanish

PKZ819297 819 297 ASCII-819 <-> EBCDIC-297 Translation French

PKZ819500 819 500 ASCII-819 <-> EBCDIC-500 Translation ISO8859-1

PKZ819871 819 871 ASCII-819 <-> EBCDIC-871 Translation Icelandic

PKZ850037 850 037 ASCII-850 <-> EBCDIC-037 Translation

PKZ850284 850 284 ASCII-850 <-> EBCDIC-284 Translation Spanish

International Code Page Support Some data-interchange environments require specialized multi-language character translation support. SecureZIP for iSeries provides tables for character based data translation through translation tables that are also included in the PKZTABLES.

The tables for the following international code pages are provided in the SecureZIP for iSeries PKZTABLES as members TRTxxyy (where xx = “from” and yy = “to”).

Language EBCDIC ASCII EURO/ASCII FROM TO EURO

German 273 850* 858 EB AA AI

Spanish 284 850 858 EJ AA AI

Portuguese 282 850 858 EI AA AI

Italian 280 850 858 EG AA AI

Danish 277 850 858 EE AA AI

Norwegian 277 850 858 EE AA AI

Swedish 278 850 858 EF AA AI

Finnish 278 850 858 EF AA AI

360

French 297 850 858 EM AA AI

* IBM-850 = IBM-4946

These members are provided "as is.” It is the responsibility of the user to ensure that data translation mapping is in accordance with their business needs.

Translation Table Layout There are two translation tables in PKZTABLES. The first table is a translation from ASCII to EBCDIC. The second is EBCDIC to ASCII.

In each table there are 256 entries representing hex values from x’00’ thru x’FF’.

Each entry is represented as a 4-character field such as 0x00 and 0xFF.

On each line there must be 8 entries with each entry separated by a space. With 8 entries per line, there must be 32 lines of table entries for each table set, representing the 256 translation values.

The tables have embedded comments to help in their documentation.

In the table example below, to translate an ASCII character A (hexadecimal x’41’ or decimal value of ‘65’), go to entry 65 in the table (Line 8, entry 2) and find a hexadecimal x’C1’ which is the EBCDIC A.

See “Example of PKZTABLES (USASCII) Translation Table.”

Note: Do not alter any other members found in the PKZTABLES file or SecureZIP for iSeries may not function correctly.

Creating New Translation Table Members Take the following steps to define your own translation table:

1. Copy one of the distributed members in PKZTABLES to a member name of your choice.

2. Edit the new table using the OS/400 Source Entry Utility (SEU).

3. Change the values with respect to the layout describe above, making sure not to alter the overall table layout. If the overall layout is altered, SecureZIP for iSeries may not work correctly.

4. Save the member and test your changes.

Example of PKZTABLES (USASCII) Translation Table

/* PKZIP/400 Translate Table USASCII to EBCDIC */ /*00-07*/ 0x00 0x01 0x02 0x03 0x37 0x2D 0x2E 0x2F /*00-07*/ /*08-0f*/ 0x16 0x05 0x25 0x0B 0x0C 0x0D 0x0E 0x9F /*08-0f*/ /*10-17*/ 0x10 0x11 0x12 0x13 0xB6 0xB5 0x32 0x26 /*10-17*/ /*18-1f*/ 0x18 0x19 0x3F 0x27 0x1C 0x1D 0x1E 0x1F /*18-1f*/ /*20-27*/ 0x40 0x5A 0x7F 0x7B 0x5B 0x6C 0x50 0x7D /*20-27*/ /*28-2f*/ 0x4D 0x5D 0x5C 0x4E 0x6B 0x60 0x4B 0x61 /*28-2f*/ /*30-37*/ 0xF0 0xF1 0xF2 0xF3 0xF4 0xF5 0xF6 0xF7 /*30-37*/ /*38-3f*/ 0xF8 0xF9 0x7A 0x5E 0x4C 0x7E 0x6E 0x6F /*38-3f*/ /*40-47*/ 0x7C 0xC1 0xC2 0xC3 0xC4 0xC5 0xC6 0xC7 /*40-47*/ /*48-4f*/ 0xC8 0xC9 0xD1 0xD2 0xD3 0xD4 0xD5 0xD6 /*48-4f*/ /*50-57*/ 0xD7 0xD8 0xD9 0xE2 0xE3 0xE4 0xE5 0xE6 /*50-57*/

361

/*58-5f*/ 0xE7 0xE8 0xE9 0xBA 0xE0 0xBB 0xB0 0x6D /*58-5f*/ /*60-67*/ 0x79 0x81 0x82 0x83 0x84 0x85 0x86 0x87 /*60-67*/ /*68-6f*/ 0x88 0x89 0x91 0x92 0x93 0x94 0x95 0x96 /*68-6f*/ /*70-77*/ 0x97 0x98 0x99 0xA2 0xA3 0xA4 0xA5 0xA6 /*70-77*/ /*78-7f*/ 0xA7 0xA8 0xA9 0xC0 0x6A 0xD0 0xA1 0x07 /*78-7f*/ /*80-87*/ 0x68 0xDC 0x51 0x42 0x43 0x44 0x47 0x48 /*80-87*/ /*88-8f*/ 0x52 0x53 0x54 0x57 0x56 0x58 0x63 0x67 /*88-8f*/ /*90-97*/ 0x71 0x9C 0x9E 0xCB 0xCC 0xCD 0xDB 0xDD /*90-97*/ /*98-9f*/ 0xDF 0xEC 0xFC 0x4A 0xB1 0xB2 0x3E 0xB4 /*98-9f*/ /*a0-a7*/ 0x45 0x55 0xCE 0xDE 0x49 0x69 0x9A 0x9B /*a0-a7*/ /*a8-af*/ 0xAB 0x0F 0x5F 0xB8 0xB7 0xAA 0x8A 0x8B /*a8-af*/ /*b0-b7*/ 0x3C 0x3D 0x62 0x4F 0x64 0x65 0x66 0x20 /*b0-b7*/ /*b8-bf*/ 0x21 0x22 0x70 0x23 0x72 0x73 0x74 0xBE /*b8-bf*/ /*c0-c7*/ 0x76 0x77 0x78 0x80 0x24 0x15 0x8C 0x8D /*c0-c7*/ /*c8-cf*/ 0x8E 0x41 0x06 0x17 0x28 0x29 0x9D 0x2A /*c8-cf*/ /*d0-d7*/ 0x2B 0x2C 0x09 0x0A 0xAC 0xAD 0xAE 0xAF /*d0-d7*/ /*d8-df*/ 0x1B 0x30 0x31 0xFA 0x1A 0x33 0x34 0x35 /*d8-df*/ /*e0-e7*/ 0x36 0x59 0x08 0x38 0xBC 0x39 0xA0 0xBF /*e0-e7*/ /*e8-ef*/ 0xCA 0x3A 0xFE 0x3B 0x04 0xCF 0xDA 0x14 /*e8-ef*/ /*f0-f7*/ 0xE1 0x8F 0x46 0x75 0xFD 0xEB 0xEE 0xED /*f0-f7*/ /*f8-ff*/ 0x90 0xEF 0xB3 0xFB 0xB9 0xEA 0xBD 0xFF /*f8-ff*/ /* PKZIP/400 Translate Table EBCDIC to USASCII */ /*00-07*/ 0x00 0x01 0x02 0x03 0xEC 0x09 0xCA 0x7F /*00-07*/ /*08-0f*/ 0xE2 0xD2 0xD3 0x0B 0x0C 0x0D 0x0E 0xA9 /*08-0f*/ /*10-17*/ 0x10 0x11 0x12 0x13 0xEF 0xC5 0x08 0xCB /*10-17*/ /*18-1f*/ 0x18 0x19 0xDC 0xD8 0x1C 0x1D 0x1E 0x1F /*18-1f*/ /*20-27*/ 0xB7 0xB8 0xB9 0xBB 0xC4 0x0A 0x17 0x1B /*20-27*/ /*28-2f*/ 0xCC 0xCD 0xCF 0xD0 0xD1 0x05 0x06 0x07 /*28-2f*/ /*30-37*/ 0xD9 0xDA 0x16 0xDD 0xDE 0xDF 0xE0 0x04 /*30-37*/ /*38-3f*/ 0xE3 0xE5 0xE9 0xEB 0xB0 0xB1 0x9E 0x1A /*38-3f*/ /*40-47*/ 0x20 0xC9 0x83 0x84 0x85 0xA0 0xF2 0x86 /*40-47*/ /*48-4f*/ 0x87 0xA4 0x9B 0x2E 0x3C 0x28 0x2B 0xB3 /*48-4f*/ /*50-57*/ 0x26 0x82 0x88 0x89 0x8A 0xA1 0x8C 0x8B /*50-57*/ /*58-5f*/ 0x8D 0xE1 0x21 0x24 0x2A 0x29 0x3B 0xAA /*58-5f*/ /*60-67*/ 0x2D 0x2F 0xB2 0x8E 0xB4 0xB5 0xB6 0x8F /*60-67*/ /*68-6f*/ 0x80 0xA5 0x7C 0x2C 0x25 0x5F 0x3E 0x3F /*68-6f*/ /*70-77*/ 0xBA 0x90 0xBC 0xBD 0xBE 0xF3 0xC0 0xC1 /*70-77*/ /*78-7f*/ 0xC2 0x60 0x3A 0x23 0x40 0x27 0x3D 0x22 /*78-7f*/ /*80-87*/ 0xC3 0x61 0x62 0x63 0x64 0x65 0x66 0x67 /*80-87*/ /*88-8f*/ 0x68 0x69 0xAE 0xAF 0xC6 0xC7 0xC8 0xF1 /*88-8f*/ /*90-97*/ 0xF8 0x6A 0x6B 0x6C 0x6D 0x6E 0x6F 0x70 /*90-97*/ /*98-9f*/ 0x71 0x72 0xA6 0xA7 0x91 0xCE 0x92 0x0F /*98-9f*/ /*a0-a7*/ 0xE6 0x7E 0x73 0x74 0x75 0x76 0x77 0x78 /*a0-a7*/ /*a8-af*/ 0x79 0x7A 0xAD 0xA8 0xD4 0xD5 0xD6 0xD7 /*a8-af*/ /*b0-b7*/ 0x5E 0x9C 0x9D 0xFA 0x9F 0x15 0x14 0xAC /*b0-b7*/ /*b8-bf*/ 0xAB 0xFC 0x5B 0x5D 0xE4 0xFE 0xBF 0xE7 /*b8-bf*/ /*c0-c7*/ 0x7B 0x41 0x42 0x43 0x44 0x45 0x46 0x47 /*c0-c7*/ /*c8-cf*/ 0x48 0x49 0xE8 0x93 0x94 0x95 0xA2 0xED /*c8-cf*/ /*d0-d7*/ 0x7D 0x4A 0x4B 0x4C 0x4D 0x4E 0x4F 0x50 /*d0-d7*/ /*d8-df*/ 0x51 0x52 0xEE 0x96 0x81 0x97 0xA3 0x98 /*d8-df*/ /*e0-e7*/ 0x5C 0xF0 0x53 0x54 0x55 0x56 0x57 0x58 /*e0-e7*/ /*e8-ef*/ 0x59 0x5A 0xFD 0xF5 0x99 0xF7 0xF6 0xF9 /*e8-ef*/ /*f0-f7*/ 0x30 0x31 0x32 0x33 0x34 0x35 0x36 0x37 /*f0-f7*/ /*f8-ff*/ 0x38 0x39 0xDB 0xFB 0x9A 0xF4 0xEA 0xFF /*f8-ff*/ /* PKZIP/400 Translate Tables end */

362

G Implementation Considerations

SecureZIP for iSeries components have been structured and written for the iSeries platforms and iSeries servers. The code base includes support for the OS/400 operating system.

As with any product placed into production, familiarity with (and verification of) features is always highly recommended. Below is a list of key features that users of PKZIP should thoroughly understand.

Key Features • The commands PKZIP and PKUNZIP contain all parameters and options

required to use SecureZIP for iSeries. The parameters and options are in a format that provide a migration path toward the open systems environment. All parameters in the two commands are supported with the OS/400 help panels. The parameters and options should be reviewed to understand the features supported.

• With the IFS, long file names are supported for files, archive files, and list files.

• List files for inputting file selections and outputting selections is supported for both the QSYS library file system and the IFS.

• Archive files are supported in both the QSYS library file system and the IFS. By using the archive files within the IFS, performance is enhanced. CPU operation is more efficient and archive files are smaller. As a result, elapsed run time is reduced.

• Provides a quick and easy method for installing on the iSeries without running under the QSECOFR user or security authority.

• Using the parameter MSGTYPE, messages can be directed to a printer file, the message queue, or both.

• When archive files are created in the QSYS library file system, the record length can be defined to fit the customer environment.

• When a file is extracted to the QSYS library file system, and neither the file nor the extended attribute for the record length exists, the default file’s created record length can be defined externally.

363

• When compressing a file in text mode, you can define the record as a fixed-length record with trailing blanks that are based on the file’s record length description in the QSYS library file system.

• When selecting files for compression in the IFS, you can specify whether to search recursively through the directories for file selection, or to only search the currently specified directory.

• When extracting files with the PKUNZIP command, you can drop the path of files in the archive and use only the file name. This allows you to build the extracted file in new directories, libraries, and/or files. This applies to IFS and QSYS library file systems.

• When using files with the product, the attributes are stored in the archive to indicate how the file was stored (binary, text, text in EBCDIC, SAVF, or Database Services) and can be used when extracting files with FILETYPE(*DETECT).

• The PKUNZIP command allows for defining default paths and libraries for both IFS and QSYS library file systems.

• File selection has been written to provide additional file filtering controls. Individual file selection can be made using the FILE parameter and/or the “List File” (INCLFILE) which allows a list of files to be selected.

• File exclusion has been written to provide additional file filtering controls. Individual file exclusion can be made using the EXCLUDE parameter and/or the “List File” (EXCLFILE), which allows a list of files to be excluded.

• SecureZIP for iSeries is a licensed product, and without proper licensing, it can only be used to view archives. Licensing allows flexibility with the product features and hardware platforms. The license dataset must be defined and customized prior to use of the product.

• Extended attributes are stored within the archive directory.

• Note: These attributes are not published as part of a program control interface and may change between releases. Using the parameter TYPE(*VIEW) with VIEWOPT(*ALL) will report extended file information in the same report format order, regardless of the order that extended attributes are stored in the archive.

• SecureZIP for iSeries library can be renamed from the standard distribution name of PKW81051S to fit the operational environment.

• PKZIP and PKUNZIP commands can be executed without the product’s library being part of the library list.

364

H SPOOL Files Considerations

This appendix contains information on how SecureZIP for iSeries handles spool files in different scenarios that might be helpful to consider in planning for compressing spool files.

Spool File Selections Care should be taken when selecting spool files not to set all of the spool file selection parameters to *ALL, as this will select all spool files on your iSeries. This is why the default for the user ID is SFUSER(*CURRENT) to at least limit it to the current user in case a selection is not filled in correctly.

If a spool file is deleted after the selection but before the actual compression takes place, the PKZIP job will fail.

SPLF Attributes When a spool file is selected and the parameter EXTRAFL is coded *YES (the default), then the extended attributes listed below are stored in archive and can be viewed with PKUNZIP TYPE(*VIEW) VIEWOPT(*ALL). Also when the spool files are stored in the archive, the date and time for the file is the spool files creation date and time and can be viewed with PKUNZIP.

Extended Attributes:

• Description: The spool file description is built as follows:

"Job-Name/User-Name/#Job-Number/Spool-File-Name/Fspool-File-Number.Suffix" For Example: "MYJOB/BILLS#152681/INVOICE/F0021.SPLF"

• Spool file type: *SCS: SNA Character Stream, *IPDS: An intelligent printer data stream, *AFPDS: Advanced Function Print Data Stream, *USERASCII: An ASCII data stream user defined, *LINE: Line data that is very printer specific, and *AFPDSLINE: Mixed data (line data and AFPDS data).

• Target file created: Describes the target type file created during compression. SPLF: Spool Files, TXT: ASCII Text Conversion, and PDF: Portable Document Format.

• Number of pages contained in the spool file.

365

An example of the attributes view seen with –VIEWOPT(*ALL) for a spool file converted to a PDF might appear as follows:

Filename: CRTCM60.PDF Detected File type: Binary Created by: SecureZIP for iSeries 8.1 PKZIP 2.x compatible Minimum to Extract: PKZIP 2.0 Or Greater Compression method: Deflated [Fast] Date and Time 2003 Oct 17 07:22:00 Compressed size: 2316 bytes Uncompressed size: 8146 bytes 32-bit CRC value (hex): 40950039 Extended attributes: yes, [Length = 112] Spool File Type:*SCS, Target File:PDF, Nbr Of pages(3). SPLF Desc:EVWSS/EVWSS/#007892/CRTCM/F0060.PDF. File Comment:"none"

The preceding view comes from the following spool file:

5722SS1 V5R1M0 Work With Output Queue QPRINT2 in QGPL 11/19/02 14:08:53 Page 1 File User User Data Status Pages Cpy Form Tp Pty File Number Job Number Date Time CRTCM EVWSS RDY 3 1 *STD 5 60 EVWSS 007892 10/17/02 07:22:00

PDF Creation Attributes When creating a PDF, the attributes are also stored in the PDF document to help trace back what spool file they originated from.

• The date and time of the spool file creation will be the PDF date and time of creation.

• The author will be the user ID that created the spool file.

• The subject will be made up of the spool file name, number, and the job (number/user ID/job name).

366

An example of a PDF summary is:

367

I History of Changes

RELEASE 5.6 September 2003 • Support for ZIP64 archive formats to support large file system feature.

• Control over extra data to reduce total archive size. (New options in PKZIP parameter EXTRAFLD.)

• Warning when updating digitally signed archives.

• Ability to ignore case sensitivity when selecting files in the IFS. (New Option *IFS2 with parameter TYPFL2ZP).

• Ability to use CVTNAME when selecting spool files to change name in archive.

• New warning message AQZ0024 to monitoring when no files are selected.

• Ability to create and maintain self extracting archives. (New PKZIP parameter SELFXTRACT.)

• Ability to insert a path to the file names in archive. (New PKZIP parameter ISRTPATH.)

• New translating tables for code pages included in file PKZTABLES.

• Ability to handle extremely large spool file conversions to PDF or TEXT.

• Ability to convert a spool file to an ASCII Text document with ANSI control characters. The first character of every record contains an American National Standards Institute (ANSI) forms control character. (New option *TEXTFC in parameter SFTARGET.)

• More information with detail view of spool file in an archive.

• The ARCHIVE and FILE paths and file names has been expanded to 256 characters.

• The ARCHIVE will now accept imbedded spaces in the path and file name for archives in the IFS..

• A new PKZIP global setting to disallow wildcard selection is provided

• PKZIP will now post a standard description to archive document file descriptions for archives created in the /QDLS.

368

RELEASE 5.5 January 2003 • New parameter ADVCRYPT to specify encryption level.

• New parameter VPASSWORD which is required for advanced encryption and is used to verify with PASSWORD to ensure accuracy.

• Password now accepts up to 200 characters.

• Spool files can be archived or converted to a TEXT or PDF format.

• PKUNZIP now supports using a member *FIRST or *LAST for a member when using the QSYS file system.

• PKZIP now recognizes the older physical files with attributes of PF38 (System/38) physical files.

• Parameter CVTDATA is added to PKZIP and PKUNZIP commands and CVTNAME program changed to accept 4 variables (old file name, new file name, CVTFLAG, and CVTDATA).

• PKZIP and PKUNZIP will issues *STATUS message for completion messages so they can be monitored. The following message can now be monitored:

AQZ0012 - PKZIP ending with nothing to do for <&1>.

AQZ0020 - PKZIP completed successfully.

AQZ0022 - PKZIP completed with errors.

AQZ0037 - PKUNZIP completed successfully.

AQZ0038 - PKUNZIP completed with errors.

• Fix security authorization when creating a new directory or folder in the IFS so that authority is inherited from directory above.

• When only the file name is used in FILES parameter for selection, PKZIP was defaulting to *CURLIB. This has been revised per documentation to use *LIBL as the default.

• When creating a file in the integrated file system, the file will be created with attributes of directory that is created in plus owner of the PKUNZIP run.

• PKZIP revised to include files with attribute DDMF and file type DDM while searching for files in the selection parameters.

• Added translation code tables 850 ASCII and 037 EBCDIC to PKZIPTABLES file (PKZ850037).

• PKZCHGOWN CLP program "source" is provided in the source file QCLSRC file to assist customer who may want to change the owner of the object distributed.

• When creating files, PKUNZIP uses SIZE(*NOMAX) with CRTPF to avoid constant message replies.

• Added the informational program WHATOSV to distribution. WHATOSV shows OS Version, serial number, and process group required for licensing. To use CALL WHATOSV.

• EXDIR was expanded from 30 character to 224 characters to allow for more flexibility with the IFS.

369

• When getting the message AQZ0148 "Archive file empty", PKZIP will also issue the message AQZ0022 "PKZIP Completed with Errors" at the end of the run. The AQZ0022 is a message that can be monitored. The message AQZ0022 is now being issued as a diagnostic type message instead of a completion message.

• PKUNZIP revised to not use IFS Stat when checking the archives in the QSYS file system. This was preventing authority adoption for PKUNZIP archive files. PKUNZIP is now performing object and file checking.

• PKZIP revised random number for creation of the temporary archive name was improved to avoid duplication. The random routines now use the job number for initial seed.

• When extracting with PKUNZIP TYPE(*NEWER) and the files do not exist, extract the files as if they are the same as newer when files do exist.

• Improved performance extracting to a file that has a large number of members. Improved performance selecting files for compression when files have a large number of members.

• Expanded the field sizes of the ARCHIVE and FILES parameters to 140 characters in PKZIP and PKUNZIP commands to allow more folders in the path of IFS files.

• Added keyword ?MBR to parameter EXDIR in command PKUNZIP. If EXDIR is coded with keyword ?MBR and the file system is the QSYS library system PKUNZIP will use the member name for the file name. For example:

EXDIR('newlib/?MBR') and DROPPATH(*ALL) parameters are coded and the file name in archive is "mylib/myfile/mymbr", the file will be extract to the file "newlib/mymbr(mymbr)". This is valid only for TYPFL2ZP(*DB) files.

• Support of spool files along with text document conversion.

• New parameter DELIM was added to PKZIP to provide the ability to define the end-of-record characters at the end of a text record (such as CRLF, etc.).

• New install process from CD using LODRUN command.

RELEASE 5.5.1 – March 2003 • Resolved under rare conditions when extracting a text file from an archive

created in a UNIX environment, there may be 1- 2 invalid extra last text records..

• Added new error check for spool files: AQZ0301 Parameter SFTARGET(*SPLF) requires EXTRAFLD(*YES). Correct and rerun. AQZ0302 FILETYPE parameter must be (*DETECT) when compressing spool files.

• Improved page fitting during spool file conversion when using *PDFLETTER and PDFLEGAL as the option in the parameter SFTARGET.

370

RELEASE 5.5.2 – May 2003 • Under certain conditions when converting a spool file to a text or PDF file,

there are extraneous characters in some lines due to buffers not being cleared properly.

• Added message AQZ0304 to indicate the job in parameter SFJOBNAM cannot be found or is invalid when selecting a spool file.

• Added ability to have a GZIP archive file greater than 2 GB.

Appendix K 371

J Creating Commands with new defaults

There are times when some clients would like to change the defaults of the commands for their environment. This is why the source for the commands PKZIP, PKZSPOOL, and PKUNZIP are included in the distribution library in the QCMDSRC file. It is important that the sequences, values, and properties of the parameters do not change. To protect you ability to recover, it is suggested that you rename the previous command and command source and copy them before make any changes.

If you want to restrict where the commands can be performed then change the parameter ALLOW(*ALL) to the value you require. See IBM CL manuals or prompt CRTCM.

Below are sample statements to create the commands. In this example, the PKZIP library is PKW81051S.

Create PKZIP Command:

CRTCMD CMD(PKW81051S/PKZIP) PGM(PKW81051S/PKZIP) SRCFILE(PKW81051S/QCMDSRC) HLPPNLGRP(PKW81051S/ ZIPHLP) HLPID(*CMD)

Create PKZSPOOL Command

CRTCMD CMD(PKW81051S/PKZSPOOL) PGM(PKW81051S/PKZIP) SRCFILE(PKW81051S/QCMDSRC) HLPPNLGRP(PKW81051S/ ZIPHLP) HLPID(*CMD)

Create PKUNZIP Command:

CRTCMD CMD(PKW81051S/PKUNZIP) PGM(PKW81051S/PKUNZIP) SRCFILE(PKW81051S/QCMDSRC) HLPPNLGRP(PKW81051S/ UZIPHLP) HLPID(*CMD)

372

K Extended Attributes

This chapter reviews the extended attributes that SecureZIP for iSeries builds when using the parameters EXTRAFLD(*YES) or DBSERVICE(*YES). These extended attributes can be viewed for a file by using PKUNZIP with parameters TYPE(*VIEW) and VIEWOPT(*DETAIL) for the archive.

Within the ZIP archive are two directories that provide information about the files that are held within it. A local directory (included at the beginning of each file) contains information such as the file size and the date the file was zipped. The central directory (located at the end of the ZIP archive) lists the complete contents of the ZIP archive and is the primary source of information for UNZIP processing. In each directory there can exist extended data or attributes for the compressed files.

When EXTRAFLD(*YES) is specified, a set of basic attributes are created for each file in the archive. The type of attribute created depends on the type of file system (QSYS library file system or IFS) in which the file being compressed exists. The standard attributes for both systems are described below.

If the parameter DBSERVICE(*YES) is specified for the PKZIP command, and if the file being compressed is a physical file (PF-DTA or PF_SRC), then the basic extended attributes are created followed by the detailed database attributes. With the detailed database attributes, PKUNZIP can build and compile the DDS source file to recreate the database file (see DATABASE attributes). The database file will be compressed in the binary mode.

Standard QSYS Library File System Attributes When the files being compressed are from the QSYS library file system, the standard attributes created are described in the following tables.

For additional information, see the DSPFD command in the IBM manuals.

Physical Files (both Source and Data)

Attribute Description 1 Maximum Record Length Specifies the length (in bytes) of the records

stored in the physical file. 2 Library Text The text description of the library that the file

does exist.

373

3 File Text The text description of the File. 4 Member Text The text description of the member. 5 File Type Specifies whether each member of the

physical file being created contains data records or contains source records (statements. PF_SRC or PF_DTA.).

6 Source Type Code Specifies the source type of the member, such as, CLP, PF, LF, RPGLE, etc.

SAVF

Attribute Description 1 Library Text The text description of the library that the

SAVF exists. 2 File Text The text description of the SAVF.

Standard IFS Attributes When the files being compressed are from the integrated file system, the standard attributes for stream files are as described in the following table.

Attribute Description 1 Code Page 2 File creations date/time The date and time when the file was created. 3 File last access date/time The date and time when the file was last

accessed. 4 File last modification

date/time The data and time when the file was last modified.

Advanced Encryption Attributes When the files being compressed with advanced encryption, encryption attributes are added to the archive.

Attribute Description

1 Encryption Method/ Algorithm Indicates the Encryption Method. 2 Encryption Key Type The key type used with the encryption

algorithm. 3 Security Method Indicates whether a password, certificate, or

both password and certificate are in use.

DATABASE Attributes With the parameter DBSERVICE(*YES) in PKZIP, a special set of attributes are created for files that are physical files (both source and data types) in the QSYS library file system. These attributes can be used by PKUNZIP to create a database by building the DDS source and issuing the CRTPF command for the source.

374

These database attributes are described in the following tables.

File Physical Attributes For more information, see the CRTPF and CHGPF commands or IBM publications.

Attribute Description

1 File Record Format The name of the file’s record format. 2 File Record Text The Text description for the file’s format. 3 Maximum Number of

Members Specifies the maximum number of members that the physical file being created can have at any time.

4 Number Fields The number of fields in the database. 5 Number of keys The number of key fields in the database. 6 SIZE - nbr Records SIZE parameter option - The number of

records that can be inserted before an automatic extension occurs.

7 SIZE - increment value SIZE parameter option - Value for the number of additional records.

8 SIZE - number of increments SIZE parameter option - Maximum number of parts to be added automatically to the member.

9 Public Authority AUT - Specifies the authority given to users who do not have specific authority to the physical file. Note: If an authorization list was specified for the file then AUT is set to *CHANGED. See “Database Attributes Considerations.”

10 Record Description CCSID The coded character set identifier for the record description.

11 Delete Percent DLTPCT - Specifies the percentage of deleted records a file can contain before you want the system to send a message to the system history log.

12 Reuse deleted records REUSEDLT - Specifies whether deleted record space should be reused on subsequent write operations.

13 Access path size ACCPTHSIZ - Specifies the maximum size of auxiliary storage that can be occupied by access paths that are associated with keyed source physical files.

14 Access path maintenance MAINT - Specifies the type of access path maintenance used for all members of the physical file.

15 Access path recovery RECOVER - For files having immediate or delayed maintenance on their access paths, specifies when recovery processing of the file is done if a system failure occurs while the access path is being changed.

16 Allocate storage ALLOCATE - Specifies storage space is allocated for the initial number of records (SIZE parameter) for each physical file member when it is added.

375

Attribute Description 17 Force keyed access path FRCACCPTH - For files with keyed access

paths only, specifies access path changes are forced to auxiliary storage along with the associated records in the file whenever the access path is changed.

18 Record format level check LVLCHK - Specifies the record format level identifiers in the program are checked against those in the logical file when the file is opened.

19 Program describe File Defines whether file is external file type. 20 Triggers Available File had triggers defined. See “Database

Attributes Considerations.” 21 File SQL Table File is an SQL Table. 22 Constraints Available File had Constraints defined. See “Database

Attributes Considerations.” 23 File has Null Fields File contains fields which allow NULL

contents. See “Database Attributes Considerations.”

File Field Attributes See “iSeries e DDS Reference Publication No. RBAF-P000-00” for a description of the keywords.

Attribute Description

1 Field Name Field name. 2 Field Data Type Specifies the data type associated with the

field (such as, A-character, P-Packed, Decimal, etc.).

3 Field Length Specifies the field length for named field. 4 Number of Decimals Specifies the decimal placement within a

zoned decimal field and the data type of the field as it appears in your program.

5 Field Usage Specifies that a named field is an output-only or program-to-system field.

6 Field CCSID (CCSID) - Specifies a coded character set identifier for character fields.

7 Field Text (TEXT) - A text description (or comment) for the record format or field that is used for program documentation.

8 Column Headings (COLHDG) - Specifies column headings used as a label for this field by various iSeries file tools.

9 Keyboard Shift Character (REFSHIFT) - Specifies a keyboard shift for a field when the field is referred to in a display file or DFU operation.

10 Allow NULLS (ALWNULL) - To define this field to allow the null value.

11 Variable Length (VARLEN) - To define this field as a variable length field.

12 Alias (ALIAS) - Specifies an alternative name for the field.

13 Default Values (DFT) - Specifies a default value for a field.

376

Attribute Description 14 Edit Formatting values (EDTCDE, EDTWRD, DATFMT, DATSEP,

TIMFMT, TIMSEP) - Specifies editing for the field you are defining when the field is referenced later during display or printer file creation.

15 Validity Checking (CHECK, COMP, RANGE, etc.) - Specifies validity checking in display files.

16 Indicator for Double Precision An indicator for float type fields specifying single or double precision.

17 Allocated Length The allocated length in bytes for data types that use variable lengths.

Key Field Attributes See the IBM manual for the DDS description of keywords for KEYS.

Attribute Description 1 Key Field Name The field name of the key. 2 Type of Sequence Defines the type of key and the sequence of

the key.

Database Attribute Considerations Special database functionality and information such as triggers, file constraints, authorization lists, and alternate collating sequences are not stored in an archive.

1. If a file has fields that have the option ALWNULL, warning message AQZ0521 will be issued.

2. If the file contains triggers, warning message AQZ0518 will be issued. Any information about the triggers and associated programs are not stored in the archive.

3. If a file has file constraints, warning message AQZ0519 will be issued.

4. If an authorization list was specified for the file, then the AUT parameter is set to “*CHANGED.” The authorization list is not stored in the archive. It is up to the user to set the authorization list when extracted.

5. If a file has an alternate collating sequence, warning message AQZ0520 will be issued. The information about the alternate collating sequence is not stored the archive.

If the database’s triggers, file constraints, alternate collating sequence, and logical files are to be preserved, then save the database file, trigger programs (if they exist), and logical files to a SAVF. Then compress the SAVF.

Note: Using DBSERVICE(*YES) can increase the size of the archive because some databases may have hundreds of fields and attributes. If this archive will be used on a platform other than iSeries with SecureZIP for iSeries , these attributes are ignored and therefore should not be used.

377

Source File Considerations When compressing source files, the use of the archive file should be considered. By using the DBSERVICE(*NO), only the data is extracted in text mode. Other attributes such as the sequences numbers and change dates are not included. This would be the desired method if the source members are being transferred to another platform, or if the sequence number and changes dates are not important. This method would also give the best results for the total size of the archive.

If the sequence numbers and change dates are to be preserved, then you would use DBSERVICE(*YES) to store this source file as a database file. This would not work very well on non-EBCDIC platforms because the data is stored in binary mode with no EBCDIC to ASCII translation. The problem is that each member will have all available database attributes. This is still minimal because there are only three fields for a source database.

Spool File Attributes When the files being compressed are from a spool file, the standard attributes are:

Attribute Description 1 Spool File Type Device type SCS, AFP, etc. 2 Target Output Type The type of file that was archived or converted

(spool file, text, or PDF). 3 Internal Job and spool ID Internal Job and Spool codes controlling the

spool file. 4 Spool File description The description of the file using the file name,

file number, job, user and job number. 5 Pages Number of pages in the spool file. 6 Code Page The code page the was used to convert the

spool file to TEXT or PDF. 7 OUTQ The OUTQ and the OUTQ library the spool

file resided. 8 User ID The user who created the spool file

378

L FIPS-197 Certification of PKZIP for AES

Advanced Encryption Standard FIPS Validation PKZIP for OS/400 Version 5.5 and higher (which includes SecureZIP for iSeries) use AES, which is the official US Government standard for encryption. The AES algorithm was approved as the Federal Information Processing Standard by the Commerce Department on May 26th, 2002.

The National Institute of Standards and Technology (NIST) has announced approval of the Federal Information Processing Standard (FIPS) for the AES algorithm (see NIST AES FIPS Information at http://csrc.nist.gov/CryptoToolkit/aes/).

The PKZIP for OS/400 Version 5.5 implementation was validated in accordance with FIPS-197 for the Advanced encryption Standard. Information regarding the validation specification and certifications of PKWARE products can be found at http://www.csrc.nist.gov/cryptval/aes/aesval.html (certificate #63).

The AES Algorithm The Rijndael algorithm chosen uses a combination of advanced security, performance, efficiency, ease of implementation, and flexibility to make it the appropriate standard of advanced encryption for the AES.

Rijndael performs consistently in both hardware and software and in cross platform environments regardless of its use in feedback or non-feedback modes. Rijndael’s key setup time is very good, and its key agility is excellent. Memory requirements are very low, making it the first choice for restricted-space environments, in which it also demonstrates high performance. Power and timing attacks are easily defended against due to Rijndael's operations.

Note that the AES was intentionally developed to replace DES.

AES Key Sizes Currently, AES has three key sizes. They are: 128, 192, and 256 bits. Key sizes are depicted in the following decimal terms:

• 3.4 x 1038 possible 128-bit keys

379

• 6.2 x 1057 possible 192-bit keys

• 1.1 x 1077 possible 256-bit keys

In comparison, DES keys are only 56 bits, which means there are approximately 7.2 x 1016 possible DES keys. Therefore, there they are on the order of 1021 times more AES 128-bit keys than DES 56-bit keys.

380

M Contact Information

PKWARE, Inc. Web Site: www.pkware.com

For Licensing, please contact the Sales Division at 937-847-2374 or email PKSALES@PKWARE.COM.

For Technical Support assistance, please contact the Product Services Division at 937-847-2687 or visit the support web site.

PROBLEM REPORTING Providing appropriate documentation on the initial call for a problem expedites the analysis and resolution process. The following sections describe the type of information that should be supplied for each category of problem.

PROBLEM REPORTING (General) When reporting a problem regarding PKZIP for iSeries, please be prepared to provide the following information:

• The displayed output from CALL ziplib/WHATOSV or the details that WHATOSV provides

• Release level of the operating system

• Release level of PKZIP for iSeries being run

• A description of the process being run and any differentiating circumstances from job(s) that do run

• A display of the command problem with parameters

• A copy of the output and JobLog from the failing execution

• If run from a CL and practical, please include source listing of the CL

• If PKUNZIP is failing, provide the Output from the following:

PKUNZIP TYPE(*VIEW) VIEWOPT(*ALL)

381

• If requested by Technical Support, the display with various tracing options turned on

• If practical, please include the archive/input file involved in the failing execution

PROBLEM REPORTING (Licensing) When reporting a problem regarding licensing, please be prepared to provide the following information:

• The displayed output from CALL ziplib/WHATOSV

• A copy of the INSTPKLIC command and its parameters

• A copy of the output from the INSTPKLIC job

If the problem occurs in a PKZIP/PKUNZIP job then follow the steps outlined above for PKZIP for iSeries.

382

Glossary

This glossary provides definitions for items that may have been referenced in the PKZIP® documentation. It is not meant to be exhaustive. One Web site that provides excellent source documentation for computing terms is the IBM Terminology site:

http://www-306.ibm.com/ibm/terminology

Absolute Path Name

A string of characters that is used to refer to an object, starting at the highest level (or root) of the directory hierarchy. The absolute path name must begin with a slash (/), which indicates that the path begins at the root. This is in contrast to a Relative Path Name. See also Path Name.

AES

The Advanced Encryption Standard is the official US Government encryption stand for customer data.

American Standard Code for Information Interchange

The ASCII code (American Standard Code for Information Interchange) was developed by the American National Standards Institute for information exchange among data processing systems, data communications systems, and associated equipment and is the standard character set used on MS-DOS and UNIX-based operating systems. In a ZIP archive, ASCII is used as the normal character set for compressed text files. The ASCII character set consists of 7-bit control characters and symbolic characters, plus a single parity bit. Since ASCII is used by most microcomputers and printers, text-only files can be transferred easily between different kinds of computers and operating systems. While ASCII code does include characters to indicate backspace, carriage return, etc., it does not include accents and special letters that are not used in English. To accommodate those special characters, extended ASCII has additional characters (128-255). Only the first 128 characters in the ASCII character set are standard on all systems. Others may be different for a given language set. It may be necessary to create a different translation tables (see Translation Table) to create standard translation between ASCII and other character sets.

American National Standards Institute (ANSI)

An organization sponsored by the Computer and Business Equipment Manufacturers Association for establishing voluntary industry standards.

383

ANSI

See American National Standards Institute.

API

See Application Programming Interface, below.

Application Programming Interface

An interface between the operating system (or systems-related program) that allows an application program written in a high-level language to use specific data or services of the operating system or the program. The API also allows the user to develop an application program written in a high level language to access PKZIP data and/or functions of the PKZIP system.

Application System/400 (iSeries)

One of a family of general purpose systems with a single operating system (Operating System/400) that provides application portability across all models.

Archive

The act of transferring files from the computer into a long-term storage medium. Archived files are often compressed to save space.

An individual file or group of files which must be extracted and decompressed in order to be used.

A file stored on a computer network, which can be retrieved by a file transfer program (FTP) or other means.

The PKZIP file that holds the compressed/zipped data file.

ASCII

See American Standard Code for Information Interchange.

iSeries

See Application System/400, above.

iSeries Object

An object that exists in a library on the iSeries system and is represented by an object on the PC. For example, a user profile is an iSeries object represented on the PC by the user profile object.

Authorized Program Analysis Report (APAR)

A request for correction of a defect in a current release of an IBM supplied program.

384

Bandwidth

The capacity of a communications line, normally expressed in bits per second (bps). A lack of bandwidth is one of the prime motivations for using compression software.

Batch Job

A predefined group of processing actions submitted to the system to be performed with little or no interaction between the user and the system. This is in contrast to an Interactive Job.

Binary File

A file that contains codes that are not part of the ASCII character set. Binary files can utilize all 256 possible values for each byte in the file.

Bit

A contraction of binary digit. Either of the binary digits, 0 or 1. Compare with Byte.

Block

A group of records that are recorded or processed as a unit.

A set of adjacent records stored as a unit on a disk, diskette, or magnetic tape.

Byte

The smallest unit of storage that can be addressed directly.

A group of 8 adjacent bits. In the EBCDIC/ASCII coding system, 1 byte can represent a character. In the double-byte coding system, 2 bytes represent a character.

Code Page

A specification of code points for each graphic character set or for a collection of graphic character sets. Within a given code page, a code point can have only one specific meaning. A code page is also sometimes known as a code set.

Command Line

The blank line on a display console where commands, option numbers, or selections can be entered.

Control Language (CL) Program

A program that is created from source statements consisting entirely of control language commands.

385

CRC

See Cyclic Redundancy Check.

Cryptography

A method of protecting data. Cryptographic services include data encryption and message authentication.

In cryptographic software, the transformation of data to conceal its meaning; secret code.

The transformation of data to conceal its information content, to prevent its undetected modification, or to prevent its unauthorized use.

Current Library

The library that is specified to be the first user library searched for objects requested by a user. The name for the current library can be specified on the sign-on display or in a user profile. When you specify an object name (such as the name of a file or program) on a command, but do not specify a library name, the system searches the libraries in the system part of the library list, then searches the current library before searching the user part of the library list. The current library is also the library that the system uses when you create a new object, if you do not specify a library name.

Cyclic Redundancy Check (CRC)

A Cyclic Redundancy Check is a number derived from a block of data, and stored or transmitted with the data in order to detect any errors in transmission. This can also be used to check the contents of a ZIP archive. It's similar in nature to a checksum. A CRC may be calculated by adding words or bytes of the data. Once the data arrives at the receiving computer, a calculation and comparison is made to the value originally transmitted. If the calculated values are different, a transmission error is indicated. The CRC information is called redundant because it adds no significant information to the transmission or archive itself. It’s only used to check that the contents of a ZIP archive are correct. When a file is compressed, the CRC is calculated and a value is calculated based upon the contents and using a standard algorithm. The resulting value (32 bits in length) is the CRC that is stored with that compressed file. When the file is decompressed, the CRC is recalculated (again, based upon the extracted contents), and compared to the original CRC. Error results will be generated showing any file corruption that may have occurred.

Data Compression

The reduction in size (or space taken) of data volume on the media when performing a save or store operations.

Data Integrity

The condition that exists as long as accidental or intentional destruction, alteration, or loss of data does not occur.

386

Within the scope of a unit of work, either all changes to the database management systems are completed or none of them are. The set of change operations are considered an integral set.

DBCS

See Double-byte Character Set.

Double-byte Character Set (DBCS)

A set of characters in which each character is represented by 2 bytes. Languages such as Japanese, Chinese, and Korean, which contain more symbols than can be represented by 256 code points, require double-byte character sets. Because each character requires 2 bytes, the typing, displaying, and printing of DBCS characters requires hardware and programs that support DBCS. Four double-byte character sets are supported by the system: Japanese, Korean, Simplified Chinese, and Traditional Chinese. See also the Single-Byte Character Set (SBCS).

EBCDIC

See the Extended Binary Coded Decimal Interchange Code, below.

Encryption

The transformation of data into an unintelligible form so that the original data either cannot be obtained or can be obtained only by decryption.

Extended Attribute

Information attached to an object that provides a detailed description about the object to an application system or user.

Extended Binary Coded Decimal Interchange Code (EBCDIC)

The Extended Binary Coded Decimal Interchange Code is an 8-bit binary code for larger IBM mainframes in which each byte represents one alphanumeric character or two decimal digits. The single-byte structure has a range of X’00’ to X’FF’. Control commands are subset with a range of X’00’ to X’3F’ while graphic characters have a range from X’41’ to X’FE’. The space character is represented by a X’40’. EBCDIC is similar in nature to ASCII code, which is used on many other computers. When ZIP programs compress a text file, they translate data from EBCDIC to ASCII characters within a ZIP archive using a translation table.

File Transfer Protocol (FTP)

In TCP/IP, an application protocol used for transferring files to and from host computers. FTP requires a user ID and possibly a password to allow access to files on a remote host system. FTP assumes that the transmission control protocol (TCP) is the underlying protocol.

387

FTP

See File Transfer Protocol above.

GZIP

GZIP (also known as GNU zip) is a compression utility designed to utilize a different standard for handling compressed file data in an archive. Its main advantages over other compression utilities are much better compression and freedom from patented algorithms. It has been adopted by the GNU project and is now relatively popular on the Internet. Additional information can be found at http://www.gzip.org.

Host

The controlling or highest-level system in a data communications configuration. For example, an iSeries system is the host system for the work stations connected to it.

Integrated File System

A function of the operating system that provides storage support similar to personal computer operating systems (such as DOS and OS/2) and UNIX systems.

Interactive Job

A job started for a person who signs on to a work station and communicates (or “converses”) with another computing entity such as a mainframe or iSeries system. This is in contrast to a Batch Job.

Keyed Sequence

An order in which records are retrieved based on the contents of key fields in records. For example, a bank name and address file might be in order and keyed by the account number.

Keyword

A mnemonic (abbreviation) that identifies a parameter in a command.

A user-defined word used as one of the search values to identify a document during a search operation.

In COBOL, a reserved word that is required by the syntax of a COBOL statement or entry.

In DDS, a name that identifies a function.

In REXX, a symbol reserved for use by the language processor in a certain context. Keywords include the names of the instructions and ELSE, END, OTHERWISE, THEN, and WHEN.

In query management, one of the predefined words associated with a query command.

A name that identifies a parameter used in an SQL statement.

388

LAC

See License Authorization Code, below.

Lempel-Ziv (LZ)

A technique for compressing data. This technique replaces some character strings, which occur repeatedly within the data, with codes. The encoded character strings are then kept in a common dictionary, which is created as the data is being sent.

Library List

A list that indicates which libraries are to be searched and the order in which they are to be searched. The system-recognized identifier is *LIBL.

License Authorization Code (LAC)

The inserted code that is needed to unlock an iSeries licensed program.

Logical Partition

A subset of a single iSeries system that contains resources (such as processors, memory, and input/output devices). A logical partition operates as an independent system. If hardware requirements are sufficient, multiple logical partitions can exist within a system.

LZ

See the entry for Lempel-Ziv (LZ), above.

New ZIP Archive

A new ZIP archive is the archive created by a compression program when either an old ZIP archive is updated or when files are compressed and no ZIP archive currently exists. It may be thought of as the “receiving” archive. Also see Old ZIP archive.

Null Value

A parameter position within a record for which no value is specified.

n-way Processor Architecture

A processor architecture that provides expandability for future system growth by allowing for additional processors. To the user, the additional processors are transparent because they separately manage the work load by sharing the work evenly among the n-way processors.

Old ZIP Archive

An old ZIP archive is an existing archive which is opened by a compression program to be updated or for its contents to be extracted. It may be thought of as the “sending” archive. Also see New ZIP archive.

389

Operating System/400 (OS/400)

An IBM-licensed program that is as the primary operating system for an iSeries system.

OS/400

See Operating System/400, above.

Output Queue

An AS/400 object that contains entries for spooled output files to be written to an output device.

Packed Decimal Format

A decimal value in which each byte within a field represents two numeric digits except the far right byte, which contains one digit in bits 0 through 3 and the sign in bits 4 through 7. For all other bytes, bits 0 through 3 represent one digit; bits 4 through 7 represent one digit. For example, the decimal value +123 is represented as 0001 0010 0011 1111 (or 123F in hexadecimal).

Path Name

A string of characters used to refer to an object. The string can consist of one or more elements, each separated by a slash (/), and may begin with a slash. Each element is typically a directory or equivalent, except for the last element, which can be a directory or another object (such as a file).

A sequence of directory names followed by a file name, each separated by a slash.

In a hierarchical file system (HFS), the name used to refer to a file or directory. The path name must start with a slash (/) and consist of elements separated by a slash. The first element must be the name of a registered file system. All remaining elements must be the name of a directory, except the last element, which can be the name of a directory or file. See also Absolute Path Name and Relative Path Name.

The name of an object in the integrated file system. Protected objects have one or more path names.

Physical File

Describes how data is to be presented to (or received from) a program and how data is stored in the database. A physical file contains a single record format and at least one member.

Physical File Member

A named subset of the data records in a physical file. See also member.

390

Production Library

A library which contains objects needed for normal processing. This contrasts with a Test Library.

Program Temporary Fix (PTF)

A temporary solution to (or a bypass of) a problem that is necessary to provide a complete solution to correct a defect in a current unaltered release of a program. May also be used to provide an enhancement to a product before a new release of the product is available. Generally, PTFs are incorporated in a future release of the product.

PTF

See Program Temporary Fix, above.

QSYS

The library shipped with the iSeries system that contains objects, such as authorization lists and device descriptions created by a user, and the system commands and other system objects required to run the system. The system identifier is QSYS.

Qualified Name

The full name of the library that contains the object and the name of the object.

Record

A group of related data, words, or fields treated as a single unit, such as a name, address, and social security number.

Reduced Instruction Set Computer (RISC)

A RISC computer uses a small, highly efficient subset of the instructions available on a standard computer. This allows for rapid processing.

Relative Path Name

A string of characters that is used to refer to an object, starting at some point in the directory hierarchy other than the root. A relative path name does not begin with a slash (/). The starting point is frequently a user's current directory. This is in contrast to an Absolute Path Name. See also Path Name.

Return Code

A value generated by operating system software to a program to indicate the results of an operation by that program. The value may also be generated by the program and passed back to the operator.

391

RISC

See Reduced Instruction Set Computer, above.

SBCS

See Single-Byte Character Set.

Service Pack

The iSeries product has available a collection of code fixes that contain PC code. These fixes are contained in a single program temporary fix (PTF) which makes installation easier.

Single-Byte Character Set (SBCS)

A coded character set in which each character is represented by a one-byte code point. A one-byte code point allows representation of up to 256 characters. Languages that are based on an alphabet, such as the Latin alphabet (as contrasted with languages that are based on ideographic characters) are usually represented by a single-byte coded character set. For example, the Spanish language can be represented by a single-byte coded character set. See also the Double-Byte Character Set (DBCS).

Source File

A file of programming code that has not yet been compiled into machine language. A source file can be created by the specification of FILETYPE(*SRC) on the create command. A source file can contain source statements for such items as high-level language programs and data description specifications. Source files maintained on a PC typically use a .TXT as the extension. On a mainframe, source files are typically found in a partitioned data set or are maintained within a library management tool.

Spool File

Files that exist in an "output queue" which contain reports to printed on the AS/400 system. Theses files along with attributes can then be directed and transformed to a printer attached to your system.

Stream File

A data file that contains continuous streams of bits such as PC files, documents, and other data stored in iSeries folders. Stream files are well suited for storing strings of data such as the text of a document, images, audio, and video. The content and format of stream files are managed by the application rather than by the system.

System Library

The library shipped with the operating system that contains objects such as authorization lists and device descriptions created by a user. Also included are system commands and other system objects required to run the system. The system identifier is QSYS.

392

System Processor

The operating system logic that contains the processor function to translate and process OS/400 control language commands and programming language statements.

Time Stamp

A software mechanism for recording the current date and/or current time of day.

Translation Table

Translation tables are used by the PKZIP and PKUNZIP programs for translating characters in compressed text files between the ASCII character sets used within a ZIP archive and the EBCDIC character set used on IBM-based systems. These tables may be created and modified by the user as documented in the User's Guide.

Trigger

A set of predefined actions that run automatically whenever a specified action or change occurs, for example, a change to a specified table or file. Triggers are often used to automate environments, such as running a backup when a certain number of transactions are processed.

Truncate

To cut off or delete the data that will not fit within a specified line width or display. This may also be attributed to data that does not fit within the specified length of a field definition.

User Interface

The actions or items that allow a user to interact with (and/or perform operations on) a computer.

Variable-Length

A characteristic of a file in which the individual records (and/or the file itself) can be of varying length. See also Fixed-Length.

ZIP64

ZIP64 is reference to the archive format that supports more than 65,534 files per archive, uncompressed files greater than 4 Gig and archives greater than 4 Gig.

ZIP Archive

A ZIP archive is used to refer to a single file that contains a number of files compressed into a much smaller physical space by the ZIP software.

393

3270 Display Emulation

A personal computer-based program that allows a PC to perform like a 3270 display station or printer. The program will allow use of the various iSeries system functions.

5250 Emulation

A personal computer-based program that allows a PC to perform like a 5250 display station or printer. The program will allow use of the various iSeries system functions.

394

Index

/

/ file system, 63

3

3270 Display Emulation, 393 3DES, 16, 17

5

5250 Emulation, 393

A

About this Manual, 1 Absolute Path Name, 382 ADVCRYPT, 116, 181 AES, 17, 382 AES Algorithm, 378 AES FIPS Validation, 378 AES Key Sizes, 378 Alternate Install from SAVF with Non-Standard

Library Name, 46 American National Standards Institute, 382 American Standard Code for Information Interchange,

382 ANSI, 383 API, 383 Application Programming Interface, 383 Application System/400 (AS/400), 383 AQZ0001 - AQZ0799 Messages, 234 AQZ0012 - PKZIP ending with Nothing to do for,

232, 235 AQZ0020 - PKZIP Completed Successfully, 232, 236 AQZ0022 - PKZIP Completed with Errors, 232, 236 AQZ0024 - PKZIP Completing with a Warning. No

Files Selected, 232, 236 AQZ0037, 232, 238 AQZ0038 - PKUNZIP Completed with Errors., 232,

238 AQZ0043, 239 AQZ0044 - PKUNZIP Completed with Errors., 239 AQZ0045, 239 AQZ0046 - PKUNZIP Completed with Errors., 239 AQZ0047, 240 AQZ0048 - PKUNZIP Completed with Errors., 240 AQZ0049, 240 AQZ0050 - PKUNZIP Completed with Errors., 240

AQZ0143-00, 246 AQZ0262, 261 AQZ0800 - AQZ0899 *VIEW Display Messages, 288 AQZ8xxx configuration messages, 302 AQZ9xxx LICENSE Messages, 311 Archive, 383 ARCHIVE, 117, 156 Archive Placement (IFS or in a Library), 336 archives, 6

updating, 103 viewing, 28, 94, 103

ARCHTEXT, 118 AS/400, 383 AS/400 Object, 383 ASCII, 57, 383 AUTHCHK, 118, 157 authenticating, 97 authentication, 13, 14 authority settings, 58 Authorized Program Analysis Report (APAR), 383 AUTHPOL, 122, 160, 185

B

Bandwidth, 384 Batch Job, 384 Binary File, 384 binary records, 52 Bit, 384 Block, 384 Byte, 384

C

CERTDB, 191 certificate

stores, 25 certificate authority, 15, 20, 80 certificate locator database, 81, 85, 92 certificate revocation list store, 81 certificate revocation lists, 81, 100 certificate stores, 79, 80, 81, 85, 215

testing, 88 certificates, 14, 15, 76, 215

end entity, 16 locating, 79 root, 16

CERTSELT, 189 Code Page, 384 Command Line, 384

395

Commands, 152 Comment Control Card, 41 COMPAT, 123 COMPRESS, 124 Compressing, 230 Compressing a file, 231 Compressing a SAVF file, 67 Compressing SPOOL Files, 68 Compression, 5, 40 Compression Type Performance, 335 Conditional Use, 44 configuration profiles, 77 Control Language (CL) Program, 384 Conventions Used in this Manual, 2 CRC, 6, 13, 385 Creating Commands with new defaults, 371 Creating List Files, 356 Creating new Translation Table Members, 360 CRL. See certificate revocation lists CRL format, 217 cross-platform compatibility, 8, 229 CRTLIST, 124, 162 Cryptography, 385 CSCA, 193 CSCRL, 194 CSPRVT, 193 CSPUB, 192 CSROOT, 194 Current Library, 385 Customer Control Card, 41 CVTDATA, 125, 162 CVTFLAG, 125, 162 CVTNAME name conversion program, 349 CVTTYPE, 125, 163 CWRKPATH, 195 Cyclic Redundancy Check (CRC), 385

D

Data Compression, 385 data format, text vs. binary, 52 Data Integrity, 385 data security, 12, 22, 75 Data Type Selection, 336 Database Attribute Considerations, 376 DATABASE Attributes, 373 DATEAB, 126 DATETYPE, 126 DBCS, 386 DBSERVICE, 126 Decompression, 40 decrypting, 94 DELIM, 127 DES, 16 DFTARCHREC, 126 DFTDBRECLN, 163 directories, 62 DIRNAMES, 127 DIRRECRS, 127 Document Library Services file system, 63 Document Library Services file system (QDLS), 64 Double-byte Character Set (DBCS), 386

DROPPATH, 163

E

EBCDIC, 57, 386 ENCRYPOL, 131, 187 encryption, 12, 22, 24, 386

algorithms, 16 filename, 26, 102 methods, 23 passwords, 19, 24 recipient-based, 19, 24, 93 Windows compatibility, 23

Encryption Performance, 337 ENTPREC, 128, 164, 195 Escape Messages, 232, 236, 238, 239, 240 Example 1 - PKUNZIP Files to a New or Different

Library, 339 Example 2 - CLP with Override for Stdout and Stderr

to an OUTQ, 340 Example 3 - Creating an Archive in Personal Folders

(QDLS), 341 Example 4 - Processing Archive on a CD (QOPT),

342 Example 5 - Compressing files from a CD (QOPT),

343 Example 6 - Compressing CL with MSG Checking,

344 Example 7 - Compressing Spool Files Samples, 345 Example 8 - PKZSPOOL the last spool file of current

Job, 346 Example 9 - CL to submit a job to compress all spool

files for a job to a PDF, 346 Example of PKZTABLES (USASCII) Translation

Table, 360 Examples, 339 EXCLFILE, 132, 167 EXCLUDE, 133, 167 EXDIR, 168 EXRROPT, 132 Extended Attributes, 372, 386 Extended Attributes Selections, 337 Extended Binary Coded Decimal Interchange Code

(EBCDIC), 386 extended features, 30 Extracting, 230 extracting files, 55

IFS, 57 Extracting Records into a SAVF file, 67 extracting spool files, 58 extracting Windows text files, 54 EXTRAFLD, 133

F

Feature Control Card, 41 file attributes, 53 File Considerations, 7 file exclusion inputs, 50 File Field Attributes, 375 file names, 32 File Physical Attributes, 374 file processing support, 61

396

file selection and name processing, 48 file selection inputs, 48 File Transfer Protocol (FTP), 386 filename encryption, 102

GZIP, 229 FILES, 134, 168 FILESTEXT, 134 FILETYPE, 135, 169 FIPS, 16 FND, 136 FTP, 35, 387 FTRAN, 136, 169

G

GIGA ZIP, 40 Global settings, 45 Glossary, 382 GNU zip, 227 GZIP, 137, 387 GZIP archives, 228 GZIP Compressing, 230 GZIP Extracting, 230 GZIP processing, 227, 229 GZIP restrictions, 229

H

History of Changes, 367 Host, 387

I

IBM publications, 3 IFS File Handler, 40 IFS file system, 62, 63 IFS Summary, 67 IFSCDEPAGE, 137, 170 Implementation Considerations, 362 INCLFILE, 138, 170 Information on the Internet, 4 Input ZIP Archive files, 51 Install Basic, 42 Install Demo, 41 Install Single, 42 installation, 33 Installation Procedures, 35 Integrated File System, 387 Interactive Job, 387 interactive performance, 335 intermediate store, 81 International Code Page Support, 359

K

Key Features, 362, 364, 365 Key Field Attributes, 376 Keyed Sequence, 387 keys, 14, 18, 20

accessing, 76 Keyword, 387

L

LAC, 388 Large File Considerations, 7 Large File Support File Capacities, 7 Large File Support Summary, 7 LDAP, 79 LDAP certificate store, 81 LDAP directories, 80, 86 LDAP1, 196 LDAPACTV, 196 Library file system, 63 Library List, 388 License Authorization Code (LAC), 388 Licensed Product Features, 38 Licensing Requirements, 36 List Files, 61, 67, 124, 132, 138, 151, 162, 167, 170,

173, 356 List Files and their Usage, 356 local certificate store, 80, 84 Logical Partition, 388 LZ, 388

M

MD5, 13 memory errors, 348 Messages, 232 MONMSG, 232, 235, 236, 238, 239, 240 MSGTYPE, 138, 171

N

name conversion program CVTNAME, 349 name processing, 48 Network File System, 64 New Features, 10 New ZIP Archive, 388 NFS, 64 Non-Standard Library Name, 46 Notices, 1 Null Value, 388 n-way Processor Architecture, 388

O

OAEP processing, 24 Old ZIP Archive, 388 Open Systems file system, 64 operating environment, 44 Optical file system, 63 Optical File System (QOPT), 65 OS/400, 389 Other IFS Objects, 63 Output Queue, 389 OVERWRITE, 171 Overwriting Current SAVF File, 68

P

Packed Decimal Format, 389 PASSWORD, 138, 151, 171, 182 passwords, 19, 29 path name, 62, 389

397

absolute, 62 relative, 63

paths, 57 to certificate stores, 84

PDF Creation Attributes, 365 PEM format, 84, 217 performance considerations, 335 Physical File, 389 Physical File Member, 389 Physical Files (both Source and Data), 372 PING option, 87 PKBLDCDB command details, 204 PKBLDCDB command summary, 203 PKBLDCDB utility, 85 PKCFGSEC command, 77, 86 PKCFGSEC command details, 180 PKCFGSEC command summary, 176 PKCS#12 format, 84 PKCS#7 format, 81, 84, 217 PKI, 13, 14 PKLDAPTST command details, 200 PKLDAPTST command summary, 199 PKQRYCDB command details, 210 PKQRYCDB command summary, 210 PKSTORADM command details, 216 PKSTORADM command summary, 215 PKUNZIP Command, 152 PKUNZIP command details, 156 PKUNZIP command summary, 152 PKZCF1F file, 81 PKZCF1LCN file, 81 PKZCF1LEM file, 81 PKZCF1LPH file, 81 PKZDTA5 Data Area, 45 PKZIP command, 110 PKZIP command details, 116 PKZIP for DOS, 32 PKZIP library

renaming, 45 PKZSPOOL command, 110 PKZTABLES, 360 platform-specific differences, 31 Preface, 1 private key, 14, 15, 76, 86 private-key, 23 Processing with GZIP, 227 Production Library, 390 Program Temporary Fix (PTF), 390 PTF, 390 public key, 14, 15, 16, 76, 85

Q

QDLS, 63 QDLS file system, 64 QFileSvr.400, 64 QNetWare, 64 QNTC, 64 QOpenSys, 64 QOPT, 63, 65 QSYS, 390 QSYS file system, 61

QSYS library file system, 55 QSYS.LIB, 63 Qualified Name, 390

R

RC4, 18 recipients, 19, 23, 26, 79, 95

searching for, 79 Record, 390 Record Layouts, 40 Reduced Instruction Set Computer (RISC), 390 Related Publications, 3 Relative Path Name, 390 Release Licensing, 36 Release Summary, 10 Reporting, 42 Reporting Environment, 36 restoring the library, 35 Restrictions, 10 Return Code, 390 REVKEPOL, 189 RISC, 391 root, 63 root store, 81, 84 Running Without the Library in the Library List, 46

S

Sample CVTNAME, 350 Sample GZIP Processing, 231 SAVF, 67, 373 SAVF method, 32 SBCS, 391 SECTYPE, 180 SecureZIP

invoking, 31 Self Extracting, 40, 139, 245, 320 self-extracting archives, 71 SELFXTRACT, 139 Service Pack, 391 SFFORM, 140 SFJOBNAM, 141 SFQUEUE, 140, 172 SFSTATUS, 141 SFTARGET, 141 SFTGFILE, 142 SFUSER, 139 SFUSRDTA, 140 SHA-1, 13 signatures, 13 SIGNERS, 144 signing, 14, 15, 96, 99 SIGNPOL, 147, 183 Source File, 391 Source File Considerations, 377 SPLF Attributes, 364 SPLFILE, 143 SPLNBR, 143 SPLUSRID, 172 Spool File, 391 Spool File Attributes, 377 SPOOL File Selecting, 51

398

Spool File Selections, 364 spool files, 68 SPOOL Files Considerations, 364 Standard “IFS” Attributes, 373 Standard Code Page Support, 358 Standard QSYS Library File System Attributes, 372 Status Messages, 232, 235, 236, 238, 239, 240 STOREPATH, 149 Stream File, 391 stream files, 63 System Library, 391 System Processor, 392

T

temporary archive files, 71 test certificates, 87 text records, 52 Time Stamp, 392 TMPPATH, 149 TRAN, 150, 172 Translation Tables, 358, 360, 392 Trial Period, 36 Trigger, 392 Triple DES, 16 Truncate, 392 trust chain, 15 TSTCERTS program, 88 TYPARCHFL, 150, 173 TYPE, 116, 156, 180 TYPFL2ZP, 150, 173 TYPLISTFL, 151, 173

U

UDFS, 64

unloading from a CD ROM, 34 unloading from tape, 33 Updating License Files, 37 USASCII, 360 User Interface, 392 User-Defined File System, 64 Using QSYS.LIB Through the Integrated File System

Interface, 66

V

Variable-Length, 392 VERBOSE, 151, 173 View Demo, 42 View Single, 43 View Single with Exception, 43 VIEWOPT, 174 VIEWSORT, 174

W

Windows NT Server file system, 64

X

X.509, 15

Z

ZIP archives, 70, 71, 392 ZIP file format specification, 9 ZIP files, 52 ZIP Processing File Selection, 48 ZIP64, 7, 250, 299, 336, 367, 392 ZIP64 Processing Considerations, 336 ZPCA801x – ZPCA899x Messages, 321