
Share Presentation 2014 August

The document discusses IBM's zPDT and RD&T technologies for development and testing on System z platforms. It provides details on the current status and features of zPDT and RD&T tokens, how to acquire and implement the technologies, common customer requirements, and notes on using and troubleshooting the technologies.


IBM 

zPDT Technology – Present and Future
Changes are coming!

by C. Mike Hammock and Stan H. King
Information Technology Company

August 4, 2014
David L. Lawrence Convention Center
Room 316
Trademarks
• SystemRedd, uPDT, Ultimate Personal Development Tool and zData
Appliance are trademarks of Information Technology Company, LLC.

• zOS, Rational, PartnerWorld, IBM, the IBM logo, and ibm.com are
trademarks or registered trademarks of International Business
Machines Corporation in the United States, other countries, or both.
These and other IBM trademarked terms are marked on their first
occurrence in this information with the appropriate symbol (® or ™),
indicating US registered or common law trademarks owned by IBM at
the time this information was published. Such trademarks may also be
registered or common law trademarks in other countries. A current list
of IBM trademarks is available on the Web at
http://www.ibm.com/legal/copytrade.shtml.

Disclaimer
IBM’s statements regarding its plans, directions, and intent are subject to
change or withdrawal without notice at IBM’s sole discretion.

Photo of IBM 1090 and 1091 Tokens

Technology Types (zPDT)
1090-Lxx
• Independent Software Vendors / Commercial Software Developers
• Must develop products for sale using System z technology targeted for
System z platforms
• Must be vetted by IBM in advance and recertified annually
• Must become members of IBM Partners In Development and
signatory to zDD terms and conditions
• Maximum of eight (8) CPs can be configured (CP, IFL, zIIP, zAAP)
• Can run Sysplex configurations
• Can run multiple guests under zVM
• Access to zOS (via ADCD media or LT media)
• Access to zVM and zVSE (via FTP download from IBM Dallas)
• For development, testing and training activities only; No production!

Technology Types (RD&T)
1091-Lxx
• Rational product targeted towards corporate or in-house development
• Available to anyone wanting to program for System z
• No qualification requirements
• Maximum of 99 processor licenses per token and 8 CPs per instance
can be configured but impractical
• Access to zOS (via ADCD media)
• Not available with zVSE or zVM (yet!)
• Can run Sysplex configurations (only situation with zVM – special!)
• Different cost factor metrics based on user seats or capacity; generally
more expensive than zPDT
• For development, testing and training activities only; No production!

State of the Technology

IBM zPDT 1090 Status


• Latest release: 1.5-47.14 (Driver 47.14.01)
• Architecture Set: EC12 equivalent
• Additional security for ADCD: “fingerprints”
• Future z360 compatibility

IBM Rational RD&T 1091 Status


• Latest release: 1.4-45.26 (Driver 45.26)
• Architecture Set: EC12 equivalent
• At least one release behind 1090

zPDT V1 R5 Enhancements – GA5
zEC12 Crypto Emulation Enhancements
- Export Triple Data Encryption Standard (TDES) key under Advanced
Encryption Standard (AES) transport key
- Diversified Key Generation Cipher Block Chaining (CBC) support
- Initial PIN Encrypting Key (IPEK) support
- Remote Key Export (RKX) key wrapping method support
- Integration of User Defined Extensions (UDX) into CCA

I/O Enhancements
• 3592 Tape Support
Coupling (CFLevel 19 SL30)
• Improved resilience and performance for exploitation of Thin Interrupts
Performance Updates
• Instruction execution
ADCD Security
• Media encryption and OS fingerprinting

Acquiring the Technology
• For zPDT (1090), customers can DIY or purchase a complete
solution directly from the authorized IBM distributor. Technology
delivery is worldwide:
  - 67% of customers select the DIY approach;
  - 33% select a total solution.

• Rational RD&T (1091) customers can DIY or purchase a
complete solution directly from an IBM authorized Business
Partner:
  - 25% of customers select the DIY approach;
  - 75% select a total solution.

Customer Requirements – Experiences
Factoid
• 25% : wanted a replicated production environment (subset or
complete) dedicated to development and under their control;
• 41% : were satisfied with the ADCD environment as installed from
DVD media, and only required minimal changes before taking over
administration;
• 35% : required extensive customization of the ADCD environment to
conform to corporate standards or project needs;
• 22% : require the use of DB2 and need additional configuration
including product enablement such as SMS, IOCDS, and DB2 LOG
MGMT;
• 100% : request basic configuration of the networking essentials
including the underlying Linux TCPIP and OS TCPIP (VM, VSE,
MVS), as well as TSO and OMVS.

Using the Technology
DIY Implementations
• Consider it an appliance;
• Do not host other “apps” within the server Linux environment;
• As an appliance the version/flavor of Linux should not be a factor or
a decision element;
  - Problems can occur when supporting anything other than Red
    Hat or SuSE;
  - Only specific Linux versions tested by IBM and ITC;
  - IBM support limited to versions tested;

Why not to diverge


• Commonality aids support;
• No real benefit with alternate Linux flavors.

Implementation Notes

• 3590 & 3592 tape support NOW finally works. Recently
certified by ITC;

• Going beyond 3-Way:
  - Some of the large ones: 5-Way, 6-Way, More!

• Trials and tribulations:
  - Performance and configuration issues;
  - Token update issues;
  - It is problematic trying to make your zPDT exactly like your
    heavy-metal big box, too much is sometimes too much.

Implementation Notes

• VMWare and KVM Testing Status
  - VMWare vSphere 5;
  - Red Hat Enterprise Virtualization (KVM/RHEV-h) 6.1;
  - IBM HX5 blades for use with the zEnterprise BladeCenter
    Extension (zBX) Model 003

• Benefits - Is there one?
  - No performance benefit
  - Marginal administrative benefit

• Drawbacks
  - Resource allocation and processing priority are major
    factors to good performance; more is always better
  - Networking performance

Recent Problems Encountered

• GA4
  - Innovation FDR Software – LRE CCW (fixed in GA5+)
  - SSI, zVM 6.3 (fixed)
  - ALCFBA non-standard size FBA unusable (fixed in GA5)

• GA5
  - zOS V1.11 Nucleus ABEND (fixed in 47.14)
  - zVSE no work!! (fixed in 47.14)
  - High volume FTP (Linux config resolution)
  - ALCFBA non-standard size FBA unusable (fixed in 47.14)
  - Locate Record data chaining problem (fixed via patch and
    47.14.01)

ADCD & 1090/1091 Changes

• zOS, zVM, zVSE Encrypted Delivery for Optical Media
  - CustomPak and ServerPac installs not affected;
  - Decryption key will unlock specific volumes;
  - Decryption process will also “fingerprint” key files;
  - ADCD distribution will not run on real metal.

• New process for token authentication & processing
  - Multi-part response from update request

• Apparent changes in AWSCKD format

New Token Update Process

How, why, what!

The following pages document the steps and variations between the
GA4 and GA5 1090 code authentication requests and update
processing. A similar process will be forthcoming for RD&T 1091.

Also included is a verification step that you can use to verify proper
update of the 1090/1091 token.

The decryption of ADCD content will be discussed. Currently all zOS
ADCD media starting with V2.1 must be processed in this fashion.
zVM and zVSE will be next to embrace this method.

Steps to Install & Run z/OS 2.1
| Action to accomplish | zPDT Running? | As root? | Command to use |
|---|---|---|---|
| Get zPDT Driver 47.14.01 | Either | N/A | Download from p390store.com |
| Move install file to /tmp and make executable | Either | Either | Move file to /tmp; chmod 775 z1090-1-5.47.14.01.x86_64 |
| Execute the install program | No | Root | In /tmp: ./z1090-1-5.47.14.01.x86_64 |
| Request a license update file and send it to support@p390store.com | Either | Root | In /usr/z1090/bin: ./Z1090_token_update -r /path/company-name_token-serial.req |
| Receive and apply the license update. Remove the token for 30 seconds and reinsert. | No | Root | In /usr/z1090/bin: ./Z1090_token_update -u /path/company-name_token-serial.zip |
| Install the z/OS 2.1 RES volumes | No | Non-root | Z1090_ADCD_install /scratch/z1res1.zPDT /zdisk/z1res1.ckd |
| Check status of token | Yes | Non-root | token |
| Check license availability | No | Root | In /usr/z1090/bin: Z1090_token_update -- status |

Multi – Token Considerations #1

More zPDT users are implementing multiple processors utilizing
multiple tokens. This is valid, but there are some significant
considerations.

• Any token/license processing must be done with only a single token
inserted;
• Having more than one token installed will cause unpredictable
problems and may invalidate your token;
• When generating license request files: only have one token
inserted;
• When updating tokens: only have one token inserted;
• For most users this will mean having your zPDT system shut down
when doing token processing.

Multi – Token Considerations #2

• After unplugging/plugging multiple tokens they may be detected in a
different order;

• Plan on resetting the uim serial number: (as root)
  - cd /usr/z1090/bin
  - ./uimreset -l

• Your system may now be using a different serial number so your
system z OS will see a different serial number!
  - If you use serial numbered OEM products, try swapping the
    tokens

• Consolidate multiple tokens into one whenever possible; it makes for
much easier administration.

Restrictions

• Cannot run z/OS 2.1 on an older level of zPDT, must be GA5 or
newer;

• Cannot run ADCD distribution z/OS 2.1 on a real System z – It will
not run;

• Decrypted z/OS image is “fingerprinted” with your individual ID;

• Expect that future releases of zVM and zVSE will have similar
restrictions;

• Updating of 1090 code and licenses must be done with zPDT
instances stopped.

Recommendations

• Stick with standard SuSE and Red Hat distributions of Linux
• Choose a robust x86 platform with multi-core CPU based on rule-of-thumb:
x86 cores needed ≥ # of 1090 CPs + 1 (at minimum)
• Choose RAID with cache to improve I/O performance and reliability
• Simplicity rules; start small and add complexity after confirming
operation (e.g. Sysplex, VM SSI, multi-stack shared TCPIP, etc.)

Information Technology Company LLC
HQ in Falls Church, VA
Service Offices in Houston, TX; Raleigh, NC;
and Atlanta, GA
800-994-9441 / 703-237-7370
www.p390.com
